AEPD (Spain) - EXP202303754
AEPD - EXP202303754 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1)(a) GDPR Article 6(1)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 25.06.2024 |
Fine: | 180,000 EUR |
Parties: | Mapre Inversión Socidedad de Valores, S.A. |
National Case Number/Name: | EXP202303754 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The AEPD fined an investment company €180,000 because it lacked a legal basis when it transferred a data subject's funds without prior authorisation, as required by the contract.
English Summary
Facts
A data subject and his spouse were clients of Mapre Inversión Socidedad de Valores, S.A. (the controller), an investment securities company. The data subject entered into an asset management contract with the controller which authorised it do manage his funds and carry out investment operations on his behalf. The contract required express authorisation by both parties prior to all investment operations. Since contracting with the controller, the data subject always opted for an electronic channel authorising transactions with his passwords and electronic signatures.
However, on 2 June 2021, the controller executed various transfer orders of the data subject’s funds, initiating six investment operations, without the data subject’s prior authorisation or consent. The data subject contacted the controller concerning the transfers, which acknowledged the irregularity and stated that there had been malpractice on the part of an agent. The controller offered to compensate economic damage and return the data subject’s account to its prior status. The controller did not respond to the data subject’s questions concerning how the issue occurred (such as whether his signatures were forged).
The data subject subsequently filed a complaint with the Spanish DPA (AEPD). In response to the complaint, the controller stated that it received several orders for investment operations on 2 June 2021 from the data subject. The controller claimed instead of using the electronic channel, the data subject had requested a paper signature system, so an agent used their own employee PIN authorisation system via the controller’s application to record the data subject’s request on paper. The controller argued that in this case, the representative was entitled to electronically order the transfer of funds with their own passwords and electronic signature and subsequently obtain the ratification of the data subject. However, the data subject did not ratify the request. Due to this absence of ratification, the controller sent the data subject a communication offering the possibility of revoking the transactions and being compensated. The data subject did not respond to this communication. The controller did not provide evidence that the data subject had initiated the transactions. In order to mitigate discrepancies that could occur in written signatures, the controller stated that it adopted corrective measures as recommended by its DPO.
On 31 May 2023, the AEPD resolved to dismiss the claim because it lacked sufficient evidence to find an infringement of the GDPR. The data subject appealed the resolution and clarified that the June investment orders were not authorised by the data subject’s PIN or signature, but rather by the agent’s own account and PIN. The AEPD reopened the investigation pursuant to the appeal.
Holding
The AEPD found that the controller lacked a legal basis and imposed a fine of of €180,000 on the controller.
Despite the contractual relationship between the parties, the AEPD found that Article 6(1)(b) GDPR did not provide a legal basis for the processing because it was not necessary for the execution of the contract. According to the contract, fund transfer operations require prior consent, not subsequent ratification. The AEPD rejected the controller’s argument that the agent was entitled to electronically order the transfer of funds and obtain subsequent ratification from the data subject. Given the agent’s failure to obtain the data subject’s consent prior to the transaction in accordance with the contract, the controller lacked a legal basis for the processing pursuant to Article 6(1)(b) GDPR. In addition, since there was no evidence that consent was obtained from the data subject in any case, Article 6(1)(a) GDPR also did not provide a legal basis.
The AEPD recommended a sanction of €300,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €180,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/23 File No.: EXP202303754 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On May 31, 2024, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A (hereinafter, the claimed party), through the Agreement transcribed: << File No.: EXP202303754 Sanctioning Procedure No.: PS/00236/2024 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the claiming party) dated July 4, 2023 filed a claim with the Spanish Data Protection Agency. The claim is directed against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A with NIF A79227021 (hereinafter, the claimed party/MAPRE INVERSIONES). The The reasons on which the claim is based are the following: - That he is a client, together with his wife (B.B.B.), of the MAPFRE entity INVERSIONES, with which a wealth management contract was signed that enabled the claimed entity to manage the funds that had been deposited, and carry out investment operations with them, always prior to express authorization of both, by handwritten or electronic signature. - States that, however, on June 2, 2021, the claimed party executed several orders to transfer the deposited capital, acquiring six funds investment, without their authorization, not knowing the method that was used to impersonate your signature and consent. - That it was the claimant who became aware of the 6 investment operations at casually consult the MAPFRE INVERSIONES APP that is used to the contracted investment management. - In view of what happened, the claimant contacted the claimed party and stated that it recognized its irregular actions, sending the complaining party receipts of the controversial transfers, and stating in an email C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/23 email of 11-26-21 that there had been "malpractice on the part of the representative of the claimed party”, offering to "remake the original situation before executing the controversial operations, compensating for possible damage economic valuation". - That the claim remains unanswered regarding the questions raised by the claimant regarding the means according to which those instructions, not knowing if their signatures were supplanted, or if there was a use fraudulent Logalty certificate (mechanism used for electronic signature of said operations), since up to now it has not provided the signature and consent documents for said operations. Along with the claim, provide: - Document 1. Screenshots of 12 transfer orders among which find the 6 controversial investment orders. - Document 2. The receipts of said transfers provided by the defendant. - Document 3. List of movements in the account portfolio obtained to date from 15-6-21. - Document 4. Tax information corresponding to the 2021 financial year of the portfolio that work in the MAPFRE APP. - Document 5. Copy of the email messages exchanged between the complaining and claimed party, in which the former requests explanations and is responds that they have forwarded the matter to the corresponding department and that is pending resolution. Specifically, emails from 17 of June, June 18, June 23, June 25, September 3, and September 6 2021, exchanged between the claimant and the director of Mapfre Gestión Patrimonial. - Document 6. Writing presented by the claimant's lawyer before MAPFRE on the 15th November 2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on April 4, 2023, as It appears in the acknowledgment of receipt that is in the file. FOURTH: On May 4, 2023, this Agency received a letter from response from the respondent indicating that: - The defendant signed with the claimant and Mrs. B.B.B. a framework contract financial products and services dated January 28, 2018. - On 2-6-21 the agent who acted as representative of MAPFRE INVERSIONES (C.C.C., hereinafter, the representative of Mapfre) received several orders of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/23 investment operations formulated by the claimant, and “following the order execution procedure that was implemented as of 2-6-21 in the entity, the representative of MAPFRE INVERSIÓN chose to use the paper signature system. In this context, the representative introduced in the Mapfre Inversión application your professional mobile phone on which you received the PIN code, which allowed him to sign the orders given by D through LOGALTY. A.A.A., so that they could be ratified by the client through their handwritten signature on paper". - The claimant states that, for unknown reasons, despite having ordered such operations, the claimant later refused to ratify the operations that he had ordered by means of his handwritten signature. - After several attempts at a solution, the defendant sent a communication to the claimant on 11-26-21 in which he was offered the possibility of revoking the orders and compensate him for the damages, without the claimant answering in this regard. - That he has learned that the claimant has proceeded to reimburse the funds acquired between June 11 and 15, 2021, “so that the result of the operations was assumed by the claimant, depriving Mapfre of the possibility of acting in any sense with respect to them.” - In order to mitigate discrepancies that arise in signing procedures on paper, the defendant has adopted the corrective measures that have been recommended by your Personal Data Protection Officer, dated July 15, 2021. - That the controversy concerns the existing discrepancies regarding the form and compliance with the framework contract signed with the appellants, for the resolution of which There are other ways, and there is no non-compliance in the treatment of the protection of personal data of the appellants that is the responsibility of this Agency. The following documentation is attached: - Document 1. Framework contract for financial products and services signed between the claimant and the claimed entity and acceptance document and signatures of 28 January 2018. - Document 2. Email sent by the defendant to the claimant on December 26 November 2021, where it refers to the “malpractice” of the representative that executed the 6 investment orders. - Document 3. Report corrective measures implemented by the defendant. THIRD: On May 31, 2023, after analyzing the documentation that appeared in the file, a resolution was issued by the Director of the Spanish Agency of Data Protection, agreeing to file the claim for not attending the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/23 said moment sufficient probative elements of the occurrence of an infraction that could undermine the principle of presumption of innocence. The resolution was notified to the appellant, on June 9, 2023, as proven on the record. FIFTH: On July 4, 2023, the claimant and the joint owner of the aforementioned contract of which the relationship between the defendant and the claimant arises, they file a optional appeal for replacement through the Electronic Registry of the AEPD, against the resolution fell in file EXP202303754, in which it shows its disagreement with the contested resolution and requests that the processing of the initial claim filed. On February 16, 2024, the appeal filed was sent to the claimed party. within the framework of the provisions of article 118.1 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP) for the purposes of formulating the allegations and presenting the documents and supporting documents that it deems appropriate. After the request and granting of an extension of the deadline to make allegations against the appeal filed, the defendant presented a response document dated March 1 from 2024, in which: - Considers reproduced the allegations contained in his previous writing, insisting in which the controversy raised must be resolved by other instances or means, because it is not the material responsibility of this Agency. - Clarifies that the keys were not used in any case to organize the investments and Pin of the appellants nor the signature that appears for them on the Logalty certificate, but that the agent who carried them out used his own account and user passwords. - Adds that a meeting was held with the appellant on 6/21/21 in which he refused to sign the ratification or revocation of the investment orders, even though was offered this alternative, so there is no documentation of ratification of signature of these operations by the appellants. - The representation contract signed by Mapfre Inversiones with the agent who was in charge of executing these investment operations as Document 1. In view of the allegations and documentation provided by the appellant and appealed, on May 10, 2024, a Resolution is issued by the Director of the Spanish Data Protection Agency, in which the appeal and the admission of the claim for processing is agreed, since by not the ratification of the investment operations by the appellants has been proven, There are indications of a possible lack of legitimacy of the entity claimed to process the personal data of the claimants when carrying out the 6 operations of controversial investment. FOURTH: According to the report collected from the AXESOR tool, the entity MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A of May 27, 2024, is a large company established in 1989, and with a turnover of €52,959,024 in 2022. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/23 FOUNDATIONS OF LAW Yo Competence and procedure In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues The name, surname, NIF and account numbers of the claimant and his wife, who appear in the 6 capital transfer orders and acquisition of investment funds which were carried out by the defendant charged to the account contracted by both, are considered personal data, the processing of which is subject to the regime provided for in the RGPD, as well as its development provisions, in accordance with the provisions of the article 4.1, and 4.2 of the GDPR, which provides the following: “Article 4 Definitions For the purposes of this Regulation it will be understood as: 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); Any identifiable natural person will be considered person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, a telephone number, identification, location data, an online identifier or one or more elements of physical, physiological, genetic, psychological identity, economic, cultural or social of said person; 2) "treatment": any operation or set of operations performed on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;(…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/23 In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is that the claimed entity has processed personal data when executing on behalf of the claimant and his wife 6 fund transfer operations for capital acquisition obtained from the “LOW DURAT EURO COVER” investment fund BC AC EUR” (hereinafter, investment funds) dated June 2, 2021, with charge to the cash account that they contracted with MAPFRE INVERSIONES in the year 2018. Fund transfer orders that have been provided as Document 2 of the claim, and that have been made by the agent/representative (C.C.C.) of the claimed entity. The claimed party provides two contracts: - Framework Contract for financial services and products dated January 28, 2018 signed between MAPFRE INVERSIONE (the entity) and the claimant and his wife (CLIENTS), which was provided as Document 1 of the response letter to the transfer (hereinafter, Framework Contract). - Representation Contract signed between MAPFRE INVERSIONES and the representative C.C.C. (referred to as Agent, or C.C.C.) dated June 28, 2019 (hereinafter, Representation Contract). In view of the documentation provided by both parties, there is no doubt that that the aforementioned transfer or investment orders made by the agent of the claimed were personal data processing operations, in the sense provided for in article 4.2 of the RGPD, since they involved access to the accounts of the claimant and his wife and the use of the personal data that they they contained. Thus, as the claiming party proves when providing the transfer receipts of funds made by the agent of the defendant to acquire these 6 investments, It can be seen that they appear: two account numbers that are ownership of the claimant and his wife, who appear with their name, surname and NIF. The claim is raised in the documents presented dated May 4, 2023 and March 1, 2024 the existence of a possible lack of material competence of this Agency to hear the facts prosecuted, which, according to the claimant, relate on the discrepancies between the parties regarding the execution of the contract signed that corresponds to resolving other instances or bodies, and not on the breach of personal data protection regulations. However, it is worth clarifying that the aforementioned transfer/investment orders - whose validity and legal effects corresponds to determining other bodies or instances, such as points out the claimed - necessarily entailed for its realization the execution of personal data processing operations to which reference has been made, which are subject to certain requirements provided for in the regulations for the protection of data by the person responsible for the treatment, the failure of which could lead to an administrative offense typified therein, whose sanctioning power is competence of this Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/23 In this sense, the doctrine established by the Court of Appeals is applicable to this case. Contentious-Administrative of the National Court, is reflected, among others, in the SAN of October 17, 2007, or in the SAN of July 3, 2007 (rec.232/2005), whose Second Law Foundation says: “The appellant begins the defense of his claim alleging incompetence of the Data Protection Agency since the controversy concerns the existence or not of a certain contract and this question is of a nature essentially civil and, consequently, removed from its jurisdiction, according to art. 37 of the LOPD. Actually the Director of the Protection Agency of Data has not resolved on the origin or inadmissibility of the debt, but rather that its resolution focuses on considering certain precepts of the LOPD, binding as a consequence to said infractions the imposition of a sanction. It is enough to read the operative part of the contested resolution to confirm what has just been stated. And without a doubt he is fully competent to dictate this resolution. Another thing is that to exercise its competence it must carry out factual or legal assessments whose nature we could classify as preliminary ruling, and on which it could not adopt a final decision with effective against third parties. If the principle of quality of the data collected in the LOPD requires that the data processed by a third party referring to a person are accurate and truthful, the Administration specifically in charge of enforcing this regulations, for the sole purpose of considering this principle fulfilled or violated can make an assessment of the accuracy and veracity of a certain piece of information, in this case of the certainty of a debt, without this meaning a departure from their rules of competence. This ground of challenge must be rejected.” The claimed entity is responsible for the processing of personal data carried out in the present case, in accordance with the provisions of article 4.7 of the GDPR, which provides the following: 7) "responsible for the treatment" or "responsible": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the processing; whether the law of the Union or of the States members determines the purposes and means of the processing, the person responsible for the treatment or the specific criteria for its appointment may be established by the law of the Union or of the Member States (…)” In the present case, the defendant states that she hired a representative or agent who was in charge of carrying out the aforementioned operations on his behalf. Of the content of the Representation Contract signed with the claimant is deduced without There is no doubt that the person responsible for the processing of the personal data managed its agent is MAPFRE INVERSIONES. Thus, from the “Annex for processing personal data” attached to the Representation Contract, it follows that it is the entity (MAPFRE INVERSIONES) It establishes the means and purposes of the processing of personal data managed by the agent. And in Clause 10.5 thereof, it is indicated that the entity will be responsible for the actions of the representative without prejudice to his right to initiate actions against this in case of deviating from what was agreed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/23 Consequently, if it is confirmed during the investigation that a improper processing (unlawful in accordance with the provisions of article 6.1 of the GDPR) of the personal data contained in the account contracted by the claimant and its wife, MAPFRE INVERSIONES will be the presumed responsible person who will be required to administrative responsibility for the alleged non-compliance committed, in accordance with the provisions of article 70. 1 a) of Organic Law 3/2018, of 5 December, protection of personal data and guarantee of digital rights (in forward, LOPPDD): “Article 70. Responsible subjects. 1. They are subject to the sanctioning regime established in the Regulation (EU) 2016/679 and in this organic law: a) Those responsible for the treatments. b) Those in charge of the treatments. c) The representatives of those responsible or in charge of the treatments not established in the territory of the European Union. d) Certification entities. e) The accredited entities overseeing codes of conduct. (…)”. III. Offending conduct: lack of basis for legality of the treatment. The processing of personal data of natural persons by those responsible must be governed by the principles related to article 5 of the RGPD, among which which is the Principle of legality and transparency provided for in the first section of the same, which has: "1. The personal data will be: a) treated in a lawful, fair and transparent manner in relation to the interested party ("legality, loyalty and transparency"); […]” Furthermore, article 5.2 of the GDPR indicates that: “The data controller will be responsible for compliance with the provisions of section 1 and capable of prove it.” In development of this principle, article 6 of the RGPD related to the “Legitimacy of the treatment” determines in section 1 the cases in which the regulations allow carry out the processing of personal data of a third party, which is called “legal basis”. If any of these assumptions or conditions do not occur, the processing will not be legitimate, or considered lawful by the RGPD: "1. The treatment will only be legal if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract in which the interested party is part or for the application at his request of measures pre-contractual; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/23 c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect vital interests of the interested party or of another natural person. e) the processing is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible for the treatment; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that The interests or rights and freedoms do not prevail over said interests. fundamentals of the interested party that require the protection of personal data, in particularly when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions.” This means that it is a mandatory requirement in terms of data protection that the claimed entity has one of these bases of legality to be able to carry out the personal data processing operations that derive from the 6 fund transfer and investment operations referred to in this proceedings. In principle, given the existence of a contractual relationship between the claimant and claimed through the subscription of the Framework Contract to which reference has been made In the previous legal basis, it is worth analyzing whether such operations of processing of personal data could have its legal basis in the intended cause in article 6.1.b) of the RGPD: “b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at his request of pre-contractual measures”. Regarding whether the treatment in question was necessary for the execution of the Contract Framework signed by the defendant and claimant, the claimant maintains, in synthesis, that: - In accordance with the contract, fund transfer operations (operations investment) require your prior consent (and not subsequent ratification) expressed through an electronic or handwritten signature, and that since contracted in 2018 with the claimed party has always signed electronically all transfer orders for investment through its APP, using your passwords and electronic signature. - That upon consulting the aforementioned APP, he realized that the agent of the defendant had executed the 6 transfer orders without previously obtaining their signature. - Denies that, as the entity says, the claimant or his wife requested execution of these investments prior to the execution of the transfer orders. - That the defendant proposed to ratify said orders, which he refused. - That in an email dated November 26, 2021, the defendant recognized that there had been malpractice on the part of the agent, and offered to ratify the transfer orders or revoke them at his option, but did not indicate how it was possible that he had accessed his account without having his passwords, username and password. Email that has been provided to this procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/23 For its part, the defendant points out, in essence, the following relevant arguments To determine whether there was a legal basis in the present case: - Regarding the process of executing the orders: “On 2-6-21 the agent who acting as a representative of MAPFRE INVERSIONES (C.C.C.) received several investment operation orders formulated by the claimant”, and “following the procedure for executing orders that as of 2-6-21 was implemented in the entity, the representative of MAPFRE INVERSIÓN opted to use the paper signature system. In this context, the representative introduced in the Mapfre Inversión application your professional mobile phone on which you received the PIN code, which allowed him to sign through LOGALTY the orders given by D. A.A.A., to be ratified by the client through his handwritten signature on paper." - That the procedure carried out within the framework of the contractual relationship does not fully compromised and guaranteed their rights and will, by requiring that the appellant party will ratify or revoke, by signing, the orders that in his name and under his instructions would have been executed by the agent. - To avoid any damage in the event that said operations do not responded satisfactorily to your instructions or investment strategy agreed, is allowed, and was thus offered on several occasions, not only its revocation but also be restored to the balance sheet and products situation previously constituted. Both in a meeting held on 6-21-21, and in the email aforementioned email of 11-26-21 was offered such a solution without the claimant has expressed himself. - Points out that the agent did not deviate from the procedure for issuing and signing operations implemented at that time in the entity, and that the system has been modified later, precisely to avoid this type of situation controversial. - Following the events in dispute, on July 15, 2021, implemented modifications in the procedure for signing orders of paper operations, such as: establishing the minimum age of the client so that they can sign on paper instead of via LOGALTY, limit users who can authorize paper printing, establish a process for authorization prior to the management of the signature on paper, and limit it to a maximum of 24 hours the possibility of printing once authorized. Consequently, from the arguments presented it follows that it is not a question controversial, because it has been recognized by both parties, the one referring to the fact that the representative hired by MAPFRE INVERSIONES executed on June 2, 2021 a total of 6 fund transfer operations charged to the investment portfolio and associated account of the claimant and his wife. Nor is it controversial the fact that that the representative of the claimed entity did not obtain its prior authorization or communicated this fact to the account holders, and that the defendant offered the claimant subsequently ratify or revoke these transfer orders, without the claimant expressly accepts neither of these two options, filing complaint and asking for explanations about the custody of the personal data that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/23 claimed was carrying out, by having allowed his representative to order said operations without having your electronic or handwritten signature. The main controversial issue of the present procedure focuses on determining If in accordance with the signed contract, it was necessary to obtain prior authorization from the account holders to be able to execute the transfer/investment orders that gave rise to the processing of personal data contained in your account, about which covers this procedure. Or if, as the claimant states, the agent was authorized to electronically order the transfer of funds with its own keys and electronic signature, and subsequently obtain ratification of the signature handwritten by the account holders, on paper. Well, from the analysis of the documentation on hand, several pieces of evidence emerge. that lead to positioning themselves in favor of the version offered by the claimant. The The most significant evidence is the following: - Firstly, the defendant does not expressly deny that it is necessary to obtain the consent of the clients, and despite stating that the agent followed the procedure established at that time (which allowed the agent to sign the operations electronically with their own passwords and signature, and, after having executed the same, obtain the handwritten signature of the clients on paper), incurs in various contradictions that lead to the opposite conclusion. Thus, according to their own statements and antecedents documented in the procedure, it is clear that the defendant apologized to the complainant for the “malpractice” of the agent in the email sent to the claimant on November 26, 2021, and maintained various contacts and even a meeting with the same on June 21, 2021 with the claimant for the purpose of offer you the option to ratify or revoke such operations. And on the other hand, he points out which has adopted new measures to rectify the aforementioned procedure of subsequent ratification on paper, implying an implicit recognition that This was generating irregularities. - The Framework Contract establishes the obligation to obtain consent or signature prior authorization from the client to authorize payment operations or carry out any type of financial operation charged to them: Thus, according to the Tenth Stipulation of the GENERAL STIPULATIONS of the Framework Contract, referring to “10.1.- AUTHORIZATION OF OPERATIONS OF PAGO states that: “Payment operations will be considered authorized when the CUSTOMER has given his consent to them, in accordance with the provisions of these General Stipulations, as well as as in the respective Particular Stipulations, for each of the payment operations that the CLIENT and the ENTITY have agreed upon.” And on the other hand, in the Seventh Stipulation of the STIPULATIONS PARTICULARS ON CUSTODY AND ADMINISTRATION OF THE CURRENCY PORTFOLIO INVESTMENT, it was also specified: “So that the ENTITY can use own account or on behalf of another client the financial instruments that have been entrusted by the CLIENT or establish agreements for financing operations of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/23 securities on said instruments, the client must give his express authorization, for written and formalized by means of your signature or equivalent mechanism, by which authorizes the ENTITY to use its financial instruments in custody with the intended purpose and expressly accepted in the particular conditions that are establish, which will include: obligations and responsibility of the ENTITY (including the remuneration in favor of the CLIENT for lending his securities), the conditions of restitution and the inherent risks. The use of these instruments “It will be restricted to the conditions previously accepted by the CLIENT.” - The defendant indicates that it was the claimant who initiated the service, formulating the investment orders that were executed by the agent, which negates the claimant, who claims to have been aware of them when they were already executed, by viewing them in the “MAPFRE Financial Portal” APP. Regarding this controversial issue, it should be noted that the defendant has not provided documentation proving that the investment order came from the claimant, activating the so-called “service of reception, transmission and execution of investment orders” which is provided for in the framework contract. Without This prior request is reflected in the receipts for the transfer of funds, captures screen of the investment orders placed, and/or lists of movements that were provided by the claimant. - The procedure followed by the agent to order the transfer was not chosen by the client, as indicated in the Framework Contract: In accordance with the Seventh Stipulation of the General Stipulations of the Framework Contract, the provision of consent or prior authorization of the client It could be obtained through two possible channels, which will always be your choice. from the client: face-to-face channel (handwritten signature in the office), or through the internet (with passwords, username and electronic signature in the APP “Mapfre financial portal”): “(…) The CUSTOMER registration process in the ENTITY and the signing of this FRAMEWORK CONTRACT will necessarily be carried out through the in-person channel, that is, at the MAPFRE office of your representative. This FRAMEWORK CONTRACT It cannot be signed until the CLIENT has not presented all the documentation required by the ENTITY. Notwithstanding the above, once the FRAMEWORK CONTRACT is signed, the subsequent management of any operation related to the contracted products and/or services, as well as the contracting of new financial products or services may be carried out, at the discretion from the CUSTOMER, either through the in-person channel (MAPFRE Office of the representative) or, through the INTERNET, in accordance with the provisions of the following “Stipulation regarding access and use of remote channels” Access and use of remote channels could be done only by the client, through their own password, username and electronic signature, which were personal to each user and non-transferable. This aspect is noted in the Eighth Stipulation of the General Stipulations of the Framework Contract, which regulates the “8. ACCESS AND USE OF REMOTE CHANNELS”, pointing out that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/23 “Likewise, the ENTITY will initially automatically assign to each CLIENT a Password and an Electronic Signature, which must be modified by the CLIENT immediately after the first access, adhering to the alphanumeric criteria defined by the ENTITY in each moment. Notwithstanding the foregoing, the ENTITY reserves the right to whether or not to accept an interested party as a USER. (…) This elements (User Identifier, Password and Electronic Signature), hereinafter the “keys” will be personal to each USER and non-transferable, allowing access to operations in all those products and services in which said USER appears as Owner (sole or jointly owned with third parties) persons) or as Authorized on behalf of the Holders. (…) From this one moment, and once the keys have been validated by the ENTITY's systems, will understand that the orders transmitted to the ENTITY are instructions in firm, with the express consent of the CUSTOMER and, therefore, with full legal effectiveness. The Parties grant to orders transmitted via telematics, through the use of keys, identical value to consent rendered in writing with a handwritten signature. In conclusion, it follows from these clauses that the choice between both channels to order investments was up to the client, and not to the agent, who opted for the in-person procedure, ordering with his passwords and signing the investments, without it having been proven that it was the client (claimant and his wife) who had requested that the investment be made in this way. In In this case, in addition, the claimant states that since 2018 he had chosen always through the electronic channel, and authorized with your passwords and electronic signature each investment operation. So in this case, with more reason, the agent consult the customer and obtain his prior consent to switch to the channel in person. This, together with the fact that the entity also had the obligation to require their consent prior to being able to order a payment referred to in general stipulation 10.1, implies without a doubt that the agent omitted the requirement to consult and obtain the prior consent of the client, both to opt for the face-to-face channel, as well as to order payment and investment operations. Practice that, in addition to involving illicit processing of the personal data of the claimant and his wife, would violate the provisions of the “Annex on limitation of activity and representation services” of the Representation Contract, which indicates expressly that the representative: “Will not assume in any case any faculty or power of any management on the financial instruments owned by the client, limiting its activity to the reception and transmission of orders on behalf of clients in relation to one or more financial instruments of the Mapfre group or of third parties". In conclusion, from the above it can be deduced that according to the contract signed by the parties it was necessary for the claimant and his wife to previously authorize the use of the face-to-face or electronic channel, and fund transfer operations to acquire investments that were made by the agent of the claimed entity. And it appears in the file that the agent acted in accordance with “malpractice”, ordering 6 payment and investment operations without previously obtaining authorizations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/23 necessary, which involved the use of the personal data of the owners of the account for which he lacked legitimacy. Therefore, it is understood the personal data processing operations carried out by the agent of the transfer claim lacked a basis for the legality of the article 6.1.b) of the RGPD, as the processing is not necessary for the execution of the contract frame. The same arguments used would serve to rule out the concurrence of a basis of legality of article 6.1.a) of the RGPD, given the lack of consent of the claimant, and his wife, recognized by both parties. And there is no evidence that the claimed has proven the concurrence of any other basis of legality of those provided for in the mentioned article 6.1 of the RGPD. Consequently, if the evidence provided by the parties to this case is confirmed procedure during the investigation phase, this would imply that the claimed entity processed the personal data contained in the claimant's account and his wife when ordering the transfers of funds referred to herein procedure, without being protected by any legal basis that would justify the legality of the processing, which could entail a violation of article 6.1. of the GDPR. IV. Classification and classification of the infraction. The conduct of the defendant could constitute a violation of article 6.1 of the GDPR. Infraction typified in article 83.5. of the GDPR which establishes: "5. Violations of the following provisions will be sanctioned, according to with section 2, with administrative fines of a maximum of 20,000,000 Eur or, In the case of a company, an amount equivalent to a maximum of 4% of the global annual total business volume of the previous financial year, opting for the largest amount: a) The basic principles for treatment, including the conditions for treatment consent in accordance with articles 5,6,7 and 9.” For the purposes of determining the statute of limitations for the violation, the LOPDGDD qualifies in its article 72 this violation of the RGPD is a very serious infringement. The precept has: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679 are considered very serious and the infractions that occur will expire after three years. involve a substantial violation of the articles mentioned therein and, in in particular, the following: [...] b) The processing of personal data without any of the conditions concurring of legality of the treatment established in article 6 of the Regulation (EU) 2016/679.” V Sanction: Administrative fine C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/23 Article 58.2 of the RGPD relates the corrective powers attributed to the AEPD as supervisory authority, including the power to impose a fine administrative (section i). Without prejudice to what results from the instruction of the procedure, in this phase initiation agreement, the imposition on the claimed party of a sanction of administrative fine for the alleged violation of article 6.1 of the RGPD whose responsibility is attributed to him. Article 83 of the GDPR, “General conditions for the imposition of fines "administrative measures", says in section 1 that the control authority will guarantee that the imposition of fines for violations of this Regulation indicated in the sections 4,5 and 6, comply in each individual case with the principles of effectiveness, proportionality and dissuasive nature. The principle of proportionality implies a correlation or adequacy between the infraction committed and the sanction imposed, with prohibition of unnecessary or excessive, so that the sanction is suitable to achieve the purposes that justify it. Article 83.2. of the RGPD, through a list of criteria or factors for its graduation, establishes the technique to achieve adequacy between the infraction and the sanction. The precept provides: “Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account. account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied in under articles 25 and 32; e) any previous infraction committed by the person responsible or in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in that case, in what measure; i) when the measures indicated in Article 58(2) have been previously ordered against the person responsible or the person in charge in question related to the same matter, compliance with said measures; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/23 j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” Section k) of article 83.2 of the RGPD connects with article 76 of the LOPDGDD, “Sanctions and corrective measures”, which states: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatment. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infraction. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which that there are disputes between them and any interested party.” In accordance with the transcribed precepts and the information contained in the file administrative, are taken into consideration to set the amount of the fine with which It would be appropriate to sanction the person complained of for the violation of article 6.1 of the RGPD, the following factors that show greater illegality or guilt of your conduct: - Article 83.2.a) of the RGPD: “the nature, severity and duration of the infringement". The conduct in which the nature of the infraction attributed to the claimed affects a basic principle in data protection, the legality of the treatment, punishable as stated, with a fine of up to 20 million euros or 4% of the turnover of the claimed party. The seriousness of the conduct is based on the fact that the financial institution acted without legitimation, illicitly processing the personal data of the two owners of the account (name, surname, NIF and account numbers that appeared in the themselves). It is also considered that, in accordance with what is stated in the orders of transfer of funds provided as Document 2 of the claim, the claimed carried out 6 processing operations of these personal data without legal basis, for an amount of 4,215 euros each, so the investment C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/23 unauthorized amounted to a total of 25,290 euros in the account corresponding to the investment fund from which said amounts were deducted. Regarding the duration of the violation for which the entity is held responsible claimed, it is considered that the violation was consummated on the day the fund transfer operations, on 2-6-21. - Article 83.2.b) The intentionality or negligence of the infringement: Although there is no apparent intention to act without legal basis on the part of the agent who ordered the transfers, if serious negligence is observed in the actions of this and the claimed entity, which claims to have been applying a procedure to order operations that is not provided for in the Contract Framework signed with the claimant, allowing its agents to execute orders without obtaining prior authorization from customers when choosing the face-to-face channel by the agent. Taking into consideration that in the development of its activity business is dedicated to investment management, which they present with relative frequency of these fund transfer operations, is part of the diligence minimum that is required from a financial entity such as MAPFRE INVERSIONES to ensure that the necessary technical and organizational measures are adopted prevent agents or employees acting on behalf of the entity can make these decisions without having a handwritten or electronic signature prior to clients. Regarding the degree of diligence that the person responsible for the treatment is obliged to deploy in compliance with the obligations imposed by the data protection regulations, the SAN of 10/17/2007 (Rec. 63/2006), extrapolated to the case at hand, which indicates that: “the Court Supreme Court has come to understand that recklessness exists whenever it is neglected a legal duty of care, that is, when the offender does not behave with required diligence. And in assessing the degree of diligence it must be weighed especially the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and abundant handling of personal data, emphasis must be placed on rigor and “exquisite care to comply with the legal provisions in this regard.” - The evident link between the business activity of the defendant and the processing of personal data (article 83.2.k, of the RGPD in relation to the article 76.2.b, of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/23 Given that in the business activity of the defendant it is essential processing of numerous personal data of its clients, therefore, taking into account the very important business volume of the financial institution claimed when the events occur the significance of the conduct infringing object of this claim is undeniable. Thus, without prejudice to what results from the instruction of the procedure, it is understands that in light of the aforementioned graduation circumstances, it is determined initially a fine of €300,000 (THREE HUNDRED THOUSAND EUROS) for the alleged violation of the provisions of article 6.1 of the RGPD. SAW Imposition of corrective measures If the violation is confirmed, the resolution issued may establish the measures corrective measures that the offending entity must adopt to put an end to the non-compliance of the personal data protection legislation, in this case article 6.1 of the RGPD, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” The imposition of this measure is compatible with the sanction consisting of a fine administrative, in accordance with the provisions of article 83.2 of the RGPD. Thus, the responsible entity may be required to adapt its actions to the personal data protection regulations, with the scope expressed in the previous Fundamentals of Law. This act establishes the alleged infraction committed and the facts that could give rise to this possible violation of the regulations for the protection of data, from which it is clearly inferred what measures to adopt, without prejudice that the type of procedures, mechanisms or specific instruments to implementing them corresponds to the sanctioned party, since it is responsible for the treatment who fully knows its organization and must decide, based on the proactive responsibility and risk approach, how to comply with the GDPR and LOPDGDD. However, in this case, regardless of the above, in accordance with the evidence that there is currently an agreement to start sanctioning procedure, the resolution that is adopted may require MAPFRE INVERSIONES so that, within a period of 3 months, counting from the date of enforceability of the resolution finalizing this procedure, impart instructions to its agents to refrain from using the personal data of their clients arranging investments that fail to comply with the authorizations agreed in the framework contracts for financial or wealth management products and services signed C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/23 by them and establish the technical means that are appropriate to make it impossible to formalize said investment operations by signature electronically by a person other than the client or person authorized by the client It is warned that failure to comply with the possible order to adopt measures imposed by This body in the resolution of this sanctioning procedure may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by opening of a subsequent administrative sanctioning procedure. Likewise, it is recalled that neither the recognition of the infraction committed nor, in its case, the voluntary payment of the proposed amounts exempts from the obligation of adopt the pertinent measures to stop the conduct or correct the effects of the infraction committed and to prove to this AEPD compliance with that obligation. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, IT IS AGREED: FIRST: START SANCTIONING PROCEDURE against MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A, with NIF A79227021, for the alleged violation of the article 6.1 of the RGPD, typified in article 83.5 of the same RGPD. SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S., indicating that they may be challenged, if applicable, in accordance with the provisions of the articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining and claimed party, together with its documentation, as well as the documents obtained in the actions prior to the initiation of this sanctioning procedure and during the appeal phase. FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be €300,000 (THREE HUNDRED THOUSAND EUROS), without prejudice to what results from the instruction. FIFTH: NOTIFY this agreement to MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A, with NIF A79227021, granting a hearing period of ten days competent to formulate the allegations and present the evidence that it considers convenient. In your written statement of allegations you must provide your NIF and the number of file that appears at the head of this document. If within the stipulated period you do not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in the article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/23 In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement; which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 240,000 euros, resolving the procedure with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, The penalty would be established at 240,000 euros and its payment will imply termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for the voluntary payment of the penalty is cumulative with that corresponding apply for recognition of responsibility, provided that this recognition of the responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at 180,000 euros. In any case, the effectiveness of any of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (240,000 euros or 180,000 euros), you must make it effective by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure appearing in the heading of this document and the reason for the reduction of the amount to which it applies. Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as far as Subsequently, the notifications sent to you will be made exclusively electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering the procedure has been carried out and the procedure is followed. You are informed that you can identify to this Agency an email address to receive the notice of making notifications available and that the lack of practice of this notice does not will prevent the notification from being considered fully valid. The procedure will have a maximum duration of twelve months from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After that period will expire and, consequently, the proceedings will be archived; of in accordance with the provisions of article 64 of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/23 Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 935-18032024 Sea Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On June 20, 2024, the claimed party has proceeded to pay the penalty in the amount of 180,000 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to The opening of the procedure entails the waiver of any action or appeal pending. administrative against sanction and recognition of responsibility in relation to the facts referred to in the Initiation Agreement. FOURTH: In the initiation agreement transcribed previously, it was stated that, If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” Having recognized the responsibility for the infraction, the imposition of the measures included in the Initiation Agreement. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/23 regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” According to what was indicated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202303754, of in accordance with the provisions of article 85 of the LPACAP. SECOND: ORDER MAPFRE INVERSIÓN SOCIEDAD DE VALORES, S.A to that within 90 days from when this resolution becomes final and enforceable, notify the Agency of the adoption of the measures described in the legal foundations of the Initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to MAPFRE INVERSIÓN SOCIEDAD DE VALUES, S.A. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/23 administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1259-16012024 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es