AEPD (Spain) - PS/00183/2022
AEPD - PS-00183-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(d) GDPR; Article 16 GDPR; §12(4) LOPDGDD; §14 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 25.000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00183-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA fined a bank €25,000 for a violation of Article 16 GDPR. The controller considerably delayed handling the data subject's requests for rectification of their address.
English Summary
Facts
The data subject submitted a complaint before the Spanish DPA stating that in October 2017 they moved to a new address and notified CaixaBank (the controller). However, in 2020, they noticed that the controller was still making use of their old address. That year, the data subject requested the rectification of their address in July and one more time in September.
In its first answer, the controller asked the data subject to submit the request through one specific email address. In a second communication, it requested additional information from the data subject to proceed with the change. Finally, the controller notified them that the request had been sent to the specialised department.
In the evidence submitted by the controller, there were some documents and communications sent to the new address and others to the old address.
The controller claimed that the DPA proceeding should be declared null due to procedural errors, since the investigative body should not quantify the fine in the proposed decision, which it considered a violation of the right to an impartial judge. Secondly, the controller stated that the right of rectification was observed without delay, since there is evidence of communications with the data subject. Finally, regarding the two contracts with the old address, the controller stated that the data subject supplied that address (the old one) when the contract was signed.
For these reasons, the controller requested that the investigative phase should be declared null and void, the fine should be dismissed and replaced with a reprimand.
Holding
Regarding the first claim, the Spanish DPA referred to the national administrative procedural law, which provides for the possibility of reducing penalties (in case of voluntary payment and admission of guilt), and stated that applying those reductions requires quantifying the fine. Furthermore, according to national case law, the principle of separation between the investigative body and the sentencing body does not apply to administrative proceedings, nor is the right to an impartial judge applicable in these proceedings. Additionally, the quantification of the fine cannot be seen as a serious violation of the fundamental rights of the defendant.
Regarding the violation of the right of rectification under Article 16 GDPR and Article 14 LOPDGDD (the national data protection law), the DPA stated that Article 12(4) LOPDGDD obliges the controller to provide evidence of compliance with requests related to the data subject's rights under Articles 15 to 22 GDPR. Moreover, Article 72(1)(k) LOPDGDD classifies the repeated failure to attend to these requests as a serious violation. In the present case, in February 2021 (the date of the complaint), the address had not yet been rectified in all the documents related to the data subject. In fact, the controller provided as evidence bank statements from 31 January 2021 and 31 May 2021 with the old address and other documents with the new address, showing that the controller was aware of the data subject's new address.
Regarding the substitution of the fine with a reprimand, the DPA referred to Recital 148 GDPR, which states that the applicable sanctions for violations of the Regulation are fines.
Finally, the DPA imposed a fine of €25,000 on the controller for a violation of Article 16 GDPR, considering as aggravating factors the activity of the controller and the delay in the rectification requested.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00183/2022

RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following:

BACKGROUND

FIRST: D.A.A.A. (hereinafter, the claimant party) dated February 8, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against CAIXABANK S.A. with NIF A08663619 (hereinafter, the claimed party or CaixaBank). The grounds on which the claim is based are following: The complaining party states that he is a client of the claimed party, and that on 8 October 2017 updated their address data through their online access, but In the year 2020, he verifies that there are documents in which his former address, indicates that your only current address is ***ADDRESS.1. Well, he requested rectification of his postal address on July 10 and 28 September 2020 through your Mi Gestor de Caixabank.es space, without response by the respondent. Subsequently, on October 14, 2020, with registration number 8-724587XXXX You requested rectification of your postal address through servicios.cliente@caixabank.com. On October 30, 2020, the respondent requested additional information from the claimant in order to carry out the timely management. Likewise, on November 6, 2020, the claimant receives a response with a number of reference claim 8-726689XXXX, in which they inform you that they will send your request to the corresponding specialized department. As of February 8, 2021, the claimant states that his address has not yet has been rectified. Relevant documentation provided by the complaining party: - Provides a screenshot of CaixabankNow where there is a receipt of a loan in the name of the claimant with loan number ***CONTRATO.1, dated January 31, 2021 and addressed to the old postal address at ***ADDRESS.2.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/20 actions carried out to adapt to the requirements set forth in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on March 9, 2021 as It is stated in the acknowledgment of receipt that is in the file. On April 9, 2021, this Agency received a written response indicating that, in relation to the exercise of the right of rectification, the claimant was sent a new letter informing of the channels through which you can exercise your request. Provide a copy of the letter addressed to the claimant to his email dated 11/06/2020 where the reference 8-72668XXXXX appears, the statement that “[…] will forward your request to the corresponding specialized department […]”. Provide a copy of the document addressed to the claimant at the postal address ***ADDRESS.1 and dated 11/05/2020 where it is stated that after your request dated 10/31/2020 You are informed of the channels enabled for the modification of your data, which are through the CaixaBank Now online channel or in person. Copy of proof of Return/Surplus by the Post Office on the date 12/07/2020 regarding the sending of a certified letter addressed to the claimant to his mailing address at ***ADDRESS.1. It also appears in said proof in letter handwritten that on 12/01/2020 the addressee was absent. 
Provide a copy of the document addressed to the claimant at the postal address ***ADDRESS.1 and dated 04/09/2021 where it is stated that after your request dated 10/31/2020 You are informed of the channels enabled for the modification of your data, which are through the CaixaBank Now online channel or in person.

THIRD: On April 22, 2021, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: On 10/13/2021, the respondent sends this Agency a response to the request. However, an Annex is provided with the name "E046742021_Anexos.pdf" with .pdf extension that is unreadable by any conventional reader of pdf files. After be required on successive occasions (03/10/2022 and 03/15/2022), dated 03/16/2022, the respondent presents the correctly viewable documentation: 1. That the claimant's address for all his contracts is ***ADDRESS.1. Provides screenshots with 4 contracts in the name of the claimant where it is stated, in all contracts, the same postal address mentioned in the field "Destination of correspondence". 2. The claimant has maintained contact with the Entity through the Service of CaixaBank Customer Service and the service for exercising rights in matters of Data Protection. That the only claim related to the exercise of rights at 8-72668XXXXX. That in this claim the claimant requests the rectification of your fiscal domicile by mail dated 10/30/2020.
that the service customer service sends communication to the claimant indicating that the claim is will be managed by the specialized team. That once internally derived the claim, is identified with the ID (...) in the service of exercise of rights in matter of data protection. That in relation to this ID (...), a letter of response dated 11/05/2020 to the postal address of the claimant, already provided previously by the claimant. A list is provided with several contacts between the claimant and the claimed where, among others, it includes: In Customer Service: SR Number Date Reason Type Resolution reception 8-724587XXX 10/14/2020 Commission and in favor of the Client Spent Cancellation/ sale and Amortization 8-72668XXXX 02/11/2020 GDPR Referred to Requests exercise.derechos@caixabank.com A copy of the email dated 11/04/2020 sent claims.traslado.colaborador@caixabank.com and sent to “EXERCISE OF RIGHTS” where there is a note that states that through email dated 10/31/2020 sent by the claimant to servicios.cliente@caixabank.com and where the change of your mailing address is requested from ***ADDRESS.2 BY ***ADDRESS 1. A document is provided addressed to the claimant and dated 11/06/2020 already provided previously by the claimant. 3. Provides a list with various requests from the service for the exercise of rights in matter of data protection among which are the ID (...) mentioned with above and also: a. That regarding the request ID 588316 of the service of rights in matters of data protection request of the claimant is registered on 04/21/2021 in regarding the cancellation of data. That on 04/23/2021 we proceed to give response. A copy of the response dated 04/23/2021 addressed to the claimant is provided to the postal address ***ADDRESS.1. b. That regarding the request ID (...)
of the protection rights service of data, the claimant's request is registered on 04/21/2021 in relation to the data rectification. That on 04/23/2021 we proceed to give a response. A copy of the response dated 04/23/2021 addressed to the claimant is provided to the postal address ***ADDRESS.1. 4. In relation to the changes made to the correspondence data of the claimant, a history of changes is provided where only the date of the change, a generic description of the movement, office and user. not provided information about the detail of the change produced in the data of the claimant. On 04/01/2022, the respondent partially submits the additional documentation required. 1. The respondent states that there are no communications between the claimant and the Entity through the Mi Gestor channel between the dates 07/01/2020 and 09/30/2020. Provides a screenshot of some searches in the claimant's My Manager channel where it is stated that two searches are carried out, one for favorite documents and another for messages in the time range from the date 07/01/2020 to the date 03/22/2022 (documents) and 03/24/2022 (messages). There are zero results in both searches. 2. That the postal address ***ADDRESS.2 was provided by the claimant in the contract ***CONTRATO.2 which appears cancelled. That address ***ADDRESS.1 was provided by the claimant in the rest of its contracts. Provides a screenshot with the canceled contract ***CONTRATO.2 and, associated with this, the old postal address, as well as the contracts ***CONTRATO.3, ***CONTRACT.1, ***CONTRACT.4, ***CONTRACT.5, and associated to these, the new mailing address at ***ADDRESS.1. The required information is not provided in relation to how and when they occurred. the claimant's mailing address changes to the address ***ADDRESS.1. CONCLUSIONS In relation to the requests for rectification by the claimant and the responses by the claimant: 1. 
There are no records, with the information provided by the requested party, of communications to through the My Manager channel. 2. There is a response from the respondent dated 11/05/2020 after request by the claimant dated 10/31/2020. In this answer only explain the channels enabled for the exercise of rights. This answer consists sent but not delivered because the claimant was absent at home. In relation to the origin of the different postal addresses and their effective rectification: 3. In the evidence provided by the claimant, it is recorded on 01/31/2021 the address ***ADDRESS.2 associated with the contract ***CONTRACT.1, contract that, in the evidence provided by the defendant as of 10/13/2021, is associated with the address ***ADDRESS.1. 4. Regarding the claimant's mailing address at ***ADDRESS.1, address to which he requested the rectification, the respondent does not provide the information requested in regarding how and when changes to that postal address have occurred, nor the reason for this change. Nor does the respondent provide information in relation to the fact that there has been a change to this address at any time. Without However, this address is used by the claimed address in some communications addressed to the claimant in November and December 2020 and in April 2021. 5. In relation to the postal address of the claimant in ***ADDRESS.1 the claimed does not provide the information requested in relation to how and when they occurred changes to that mailing address. It does state that the origin of that address is the claimant's contracts and that the address was provided by the claimant, but not provide evidence in this regard beyond the mere association of this address to said contracts, as extracted from the screen capture of the systems of the party claimed.
FOURTH: On April 20, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 16 of the RGPD, typified in Article 83.5 of the RGPD.

FIFTH: Notification of the initiation agreement, the claimed party, by means of documents presented on May 6 and June 3, 2022, requests that, in accordance with article 32.1 of the aforementioned LPACAP, the term initially granted for formulate allegations in accordance with article 53.1.a) of the LPACAP, and be provided with a copy of the documents that make up the administrative file. It is agreed to extend the term to formulate allegations by the maximum allowed legally and send the copy of the electronic file to the claimed party.

SIXTH: On May 13, 2022, the respondent presents her allegations to the agreement to open the sanctioning procedure in which it requests that it be declared the nullity of full right of the procedure for the reasons detailed in the first allegation of your brief. Subsidiarily, request that the file be remembered of the procedure for non-existence of infringement of data protection regulations of personal. And, in the alternative with respect to the previous claims, that it is agreed to warn the claimed party (article 58.2.b) RGPD. In defense of their respective claims, they adduce the following arguments: <<First. - Of the defenselessness caused to my principal as a consequence of the fixing the amount of the sanction in the initial agreement that, in our opinion, would vitiate of nullity the same.
Indeed, the first and fourth paragraphs of the operative part of the Initiation Agreement of this sanctioning procedure indicate verbatim that the criteria to be taken into account to graduate the amount will be determined of the sanction that, in the judgment of the Sanctioning Body, should be imposed in this case "without prejudice to what results from the investigation”, ruling in the following terms: “In accordance with the transcribed precepts, and without prejudice to what may result of the instruction of the procedure, in order to set the amount of the sanction of a fine to impose on the defendant as responsible for an infraction typified in article 83.5.b) of the RGPD, in an initial assessment, they are estimated to be concurrent in this case, as aggravating factors, the following factors: - The evident connection of the responsible for data processing. (art.83.2. k) of the RGPD in relation to art. 76.2 b of the LOPDGDD). - The time since the claimant requested the rectification until it was carried out (art. 83.2 a) of the RGPD).” In this way, the Sanctioning Body comes to determine in the act that supposes the start of the processing of the sanctioning procedure what is the sanctioning reproach that, in his opinion, it is appropriate to impose on my client, even evaluating the mitigating and concurrent aggravating circumstances in the case, despite the fact that Caixabank has not had the opportunity to no time to reveal before the aforementioned body what could be the circumstances that could be applicable in this case, given that, obviously, he could not have been aware of the opening of the procedure until has been notified of the agreement in which they are unilaterally appreciated by the Body Sanctioning the aforementioned circumstances. 
All this supposes, in the opinion of this Entity, conduct that significantly affects the application of the principles fundamental principles of criminal law that, with certain specifications, are applicable to sanctioning administrative procedure, as has been shown reiterated jurisprudence of our Constitutional Court. In summary, in this procedure the Sanctioning Body itself does in the Agreement Start an assessment (anticipated and lacking any motivation), of the responsibility of this Entity, even indicating, even if only for its mere mention, the concurrent aggravating circumstances in the case, even when formally intends to leave safe what finally proceeds based on the instruction. Well well, from the foregoing one can only draw the conclusion that, to be said with the greatest respect, the legality of the administrative action is seriously affected, every time the degree of culpability of the Entity in the alleged commission of the offending conduct, without being able to in any way moment to carry out any allegation that allows the Sanctioning Body assess, even minimally, the concurrent circumstances in the case in light of these allegations. All this leads to the generation of an absolute and total defenselessness to this part, which at no time can make use of its right in order to highlight the inaccuracy of the valuation carried out by the Sanctioning Body when determining a limine the amount of the sanction that "could correspond” for the, still, alleged violation of article 6.1 in relation to 5.1. a) both of the RGPD, since it was not yet a party to the procedure, for the simple reason that the sanction is fixed in the act by which it begins. 
Well, the fact that the Sanctioning Body establishes in the initial agreement the amount of the sanction that, in his opinion, should be imposed on this Entity, affects substantially to the impartiality of the performance of the Investigating Body, which is aware, before starting the processing of the procedure, of what is the criterion of the Body to which it will finally submit the file for the imposition of the sanction that “could correspond”, with respect to the amount of the same and the circumstances modifications of the responsibility that must be taken into account in its determination. Thus, the scope of action of the body is substantially affected. competent for instruction. On the other hand, the invocation that the Initiation Agreement makes of article 85 is not ignored of the LPACAP. However, in the opinion of this party, the rules established in the Article 85 are not applicable in the present case, since said rule is applicable to cases in which the sanctioning rule imposes a fine of a fixed and objective nature for the commission of an infraction, so that only It corresponds to the accused to debate the effective concurrence of the typical conduct. In consideration of the foregoing, this party understands that there is a radical defect in the processing of this sanctioning file that affects the nullity of the procedure, while the investigation phase has been contaminated by the action of the Sanctioning Body that, when assessing the amount of the sanction that proceed to impose, has compromised the impartiality of the Instructor, of which he is superior hierarchical, having evaluated the causes of aggravation of the responsibility to its concurrent trial in the case and has quantified what should be, in his opinion, the sanctioning reproach that must be imposed on this part.
The consequence of all the above is that there is a radical defect in the processing of this sanctioning file, derived from an interpretation contrary to the Constitution of articles 64 and 85 of the LPACAP, which affects the nullity of the procedure, having violated the fundamental rights of my principal, as and as established in article 47.1 a) of the LPACAP. Second. - Actions and facts object of the file. The rectification rights exercised by the claimant have been timely served by CaixaBank, as it was already accredited in the response to the request for information that gives rise to this Home Agreement. On 11/04/2020 it was received in the mailbox exercise.de.derechos@caixabank.com a request for rectification through the CaixaBank Customer Service (DOCUMENT NUMBER TWO) Identified internally with application number 459887 A response letter was sent on November 5, 2020 (DOCUMENT NUMBER THREE) The shipment was sent to the address that the claimant claims as notification address (***ADDRESS.1) and was returned (DOCUMENT NUMBER 4) In relation to the right of rectification made on April 21, 2021: On April 21, 2021, the portal for the exercise of rights received a data rectification request Identified internally with application number 588319 A response letter was sent on April 23, 2021 (DOCUMENT NUMBER FIVE) Confirmation of receipt from the claimant dated April 30, 2021 (DOCUMENT NUMBER SIX) Please state that such a statement does not conform to reality, since It is recorded in our files that on May 3, 2021 the client appeared at office 6435- STORE COSO and the address of the contract was changed. It in accordance with the indications provided by the Entity in the response to the exercise of the right of rectification requested.
To this end, we attach (DOCUMENT NUMBER EIGHT and DOCUMENT NUMBER NINE, respectively) the receipts corresponding to the interested contract, dated April 2021 and May 2021, where You can see the changes made. In the case of my client, CAIXABANK makes available to its clients two reinforced environments to carry out the modification of your postal address: your bank digital (through electronic means) and your bank branch (in person): As we have already indicated, following the information provided by my client, the claimant went to his office on May 3, 2021 and requested in person the change of address, which took place the same day. That is why the right of rectification was executed without undue delay, once duly identified the applicant, in accordance with the regulatory obligations and procedure that we have transferred to them. Consequently, in the opinion of my client, there is in no case a delay in the management and response to the exercises of rights raised by the claimant>>.

SEVENTH: On May 19, 2022, the instructor of the procedure agreed perform the following tests: 1. The claim filed by A.A.A. and its documentation, the documents obtained and generated during the of admission to processing of the claim, and the report of previous actions of investigation that are part of procedure E/04674/2021. 2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of initiation of the referenced sanctioning procedure, presented by CAIXABANK S.A., and the documentation that accompanies them. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited:

PROVEN FACTS

1. The claimant, client of the respondent, states that on October 8, 2017 updated their address data through their online access, but in the year 2020 checks that there are documents showing your old address ***ADDRESS.2. 2.
As stated by the respondent, he requested rectification of his postal address on the 10th of July and September 28, 2020 through the Mi Gestor space on Caixabank.es, no response from the party complained against. 3. On October 14, 2020, with registration number 8-724587XXXX, requested rectification of your postal address through servicios.cliente@caixabank.com. On October 30, 2020, the respondent requested additional information from the claimant in order to carry out the timely management. 4. On November 6, 2020, the claimant receives a response with a number of reference claim 8-72668XXXXX, in which they inform you that they will send your request to the corresponding specialized department. As of February 8, 2021, the claimant states that his address has not yet has been rectified. 5. The party complained against provides a screenshot of CaixabankNow where there is a receipt for a loan in the name of the claimant with a loan number *** CONTRACT.1, dated January 31, 2021 and addressed to your old postal address at ***ADDRESS.2. 6. Dated January 31, 2021, the address ***ADDRESS.2 associated with the contract *** CONTRACT.1, contract that, in the evidence provided by the claimed As of 10/13/2021, it is associated with the address ***ADDRESS.1. 7. It is recorded in document 8 provided by the respondent dated April 30, 2021 appears as postal address ***ADDRESS.2 associated with the contract ***CONTRACT.1, corresponding to the receipt dated April 30, 2021. 8. It appears in document 9 provided by the respondent dated May 31, 2021 appears as postal address C/ ***ADDRESS.1 associated with the contract *** CONTRACT.1, corresponding to the receipt dated May 31, 2021.

EIGHTH: On July 4, 2022, a resolution proposal was formulated, proposing that the Director of the Spanish Data Protection Agency sanction CAIXABANK S.A.
with NIF A08663619, for a violation of article 16 of the RGPD, typified in article 83.5.b of the RGPD, with an administrative fine of €25,000 (twenty five thousand euros). On July 19, 2022, the respondent presented arguments to the proposal for resolution in which it requests that the nullity be declared in full right of the procedure for the reasons detailed in the first allegation of his brief. Subsidiarily, it requests that the procedure be archived due to the non-existence violation of the personal data protection regulations. And with character subsidiary with respect to the previous claims, that it be agreed to warn the claimed (article 58.2.b) RGPD. In defense of their respective claims, they reaffirm their allegations to the initial agreement and consider reproduced the same, indicate that there is no any accreditation of the alleged "delay" in the response to the exercise of rights and, consequently, evidence of any charge that motivates a possible sanction to the Entity. Likewise, it states that the Resolution Proposal includes the same aggravating factors that were indicated in the Initiation Agreement, without upholding any of their allegations, and insists on the arguments put forward in the Initiation Agreement, namely: "being accredited that the claimed party did not exercise any right of rectification through the channel "My manager" in 2017, in the opinion of my client there is no delay between the request for rectification and the response provided, as you can already prove in the exercises of rights on 11/4/20 and 04/21/21, both answered within the term of one month indicated in article 12.3 of the RGPD. My principal, as responsible for the treatment of the claimant's data, proceeded in a timely manner to respond motivated to exercise their rights, complying at all times with the regulations applicable and facilitating the channels by which the claimant could modify their data.
What's more, the modification of your address information was immediate at the time when that the claimant, on 5/3/21, went to his office and requested the change”

FOUNDATIONS OF LAW

I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.”

II

The questions that the respondent has raised in her two briefs of allegations and that are unrelated to the merits of the matter on which the sanctioning procedure in question. In its allegations to the proposed resolution the one claimed, in addition to expressing that “reiterates” in full the allegations that it made in the face of the agreement to open the procedure, affects again the questions, unrelated to the merits of the matter, that already raised in his first pleadings brief. This Agency also reiterates what it stated in the motion for a resolution in response to the allegations put forward by the respondent against the initiation agreement.
In the opinion of the respondent, the opening agreement is invalidated by the defenselessness generated by the fact that the AEPD has set the amount of the sanction, instead of expressing only the limits of the possible sanction; because the aggravating circumstances have not been reasoned; and because through the initiation agreement an assessment of the respondent's guilt is made without it having had the opportunity to comment on it.
It also adds that the initiation agreement exceeds the content provided for in article 68 of the LOPDGDD and that, since the decision-making body has set the amount of the sanction in the agreement to open the procedure, the impartiality of the investigating body has been compromised, since it thus knows, before initiating the procedure, the criterion of the body to which the file must be submitted, which in its opinion amounts to a “clear break in the principle of separation of the instruction phase and the sanction phase”.
The respondent understands that the rules of article 85 of the LPACAP are not applicable to the present case but to the cases in which the sanctioning norm imposes a fixed and objective fine, and that the application that has been made of this precept in the initiation agreement does not respect its literal meaning, according to which the amount of the pecuniary sanction may be determined "once the sanctioning procedure has been initiated", so that, the entity maintains, "it would be assimilating" "the very act of initiation with the fact that the procedure has been initiated”.
The arguments put forward by the respondent cannot be admitted.
The opening agreement is in accordance with the provisions of article 68 of the LOPDGDD, according to which it will suffice to specify the facts that motivate the opening, identify the person or entity against whom the procedure is directed, the infraction that it could have committed and its possible sanction.
Article 64.2 of the LPACAP, which refers to the minimum content of the initiation agreement, is to the same effect. According to this precept, among other details, it must contain “the facts that motivate the initiation of the procedure, its possible legal qualification and the sanctions that may correspond, without prejudice to what results from the investigation.” Thus, in this case, the agreement not only meets the requirements mentioned in the precepts cited, but goes further, offering reasoning that justifies the possible legal qualification of the facts and the circumstances that may influence the determination of the penalty.
It cannot be ignored that article 85 of the LPACAP - which contemplates the possibility of applying reductions to the amount of the sanction in the event that the offender recognizes its responsibility and in case of voluntary payment of the sanction - requires that those reductions be determined in the notification of the agreement to initiate the procedure, which necessarily implies that said agreement must establish the amount of the sanction corresponding to the imputed acts. This purpose amply justifies the agreement referring to the circumstances modifying responsibility, since these directly affect the determination of the amount of the sanction.
Contrary to the thesis defended by the defendant, article 85 of the LPACAP does not provide that the amount of the sanction be determined once the procedure has begun. On the contrary, it is the acknowledgment of responsibility and the voluntary payment of the sanction that have to take place after that moment, but not the fixing of its amount.
Regarding the argument that article 85 LPACAP could only be applied to cases in which the sanctioning norm imposes a fixed and objective fine, and that the application that has been made of this precept in the initiation agreement does not respect its literal meaning, it must be indicated that the AEPD has been applying article 85 LPACAP in the same way since the entry into force of the aforementioned law, without the Contentious-Administrative Chamber of the National Court, before which a contentious-administrative appeal may be filed against its resolutions, ever having ruled in line with the criterion that this entity defends.
Nor can it be admitted that having indicated in the initiation agreement the sanctions that could correspond to the respondent for the imputed infractions gives rise to defenselessness or involves a breach of the principle of separation of the instruction and resolution phases, since this Agency is thereby merely complying with one of the requirements set forth in the rules outlined. Moreover, articles 68 of the LOPDGDD and 64.2 of the LPACAP also require, as content of the opening agreement, the sanction that could correspond.
Thus, the alleged rupture "of the principle of separation of the instructional phase and sanction” that the respondent adduces - a point that this Agency denies - would be, if it existed, the consequence of the correct application that this Agency has been making of a legal precept, article 85 of the LPACAP.
Regarding the respondent's statement that, since the opening agreement established the amount of the sanction and the circumstances modifying responsibility that could be appreciated, it has not had the opportunity to comment, we limit ourselves to pointing out that the administrative procedure begins precisely with the opening agreement and it is from then - not before - that article 53 of the LPACAP recognizes the interested party a series of rights, among them the one provided for in article 53.1.e).
Lastly, as regards the defect of nullity from which, in the opinion of the respondent, the procedure suffers as a result of the defenselessness that it claims to have suffered, the following should be noted:
First of all, the respondent does not specify on which section of article 47.1 of the LPACAP it bases the nullity that it invokes.
Secondly, the invoked nullity of the procedure could in no case be based on section a) of article 47.1 of the LPACAP, in connection with the alleged rupture of the separation between the instruction phase and the resolution phase according to article 24.2 of the C.E. This is because, according to SSTC 74/2004 and 175/2005, the principle enshrined in article 24.2 of the C.E. under which the instructor does not resolve is not applicable to the administrative procedure, so that in this area we are not facing a right with constitutional rank.
And finally, thirdly, in the event that it is intended to base the nullity of the procedure on the ground included in section e) of article 47.1 of the LPACAP, it seems appropriate to bring up STC 78/1999, of April 26, which in its Legal Basis 2 says:
“Thus, according to reiterated constitutional doctrine that is synthesized in legal basis 3 of STC 62/1998, "the estimation of an amparo appeal by the existence of breaches of procedural rules 'does not simply result from the assessment of the eventual violation of the right due to the existence of a more or less serious procedural defect, but it is necessary to prove the effective concurrence of a state of material or real defenselessness' (STC 126/1991, legal basis 5º; STC 290/1993, legal basis 4º). For a defenselessness with constitutional relevance to be appreciated, one which places the interested party outside any possibility of claiming and defending their rights in the process, a merely formal violation is not enough, it being necessary that this formal infringement give rise to a material effect of defenselessness, an effective and real impairment of the right of defense (STC 149/1998, legal basis 3), with the consequent real and effective damage to the affected stakeholders (SSTC 155/1988, legal basis 4, and 112/1989, 2nd legal basis).”
In view of the foregoing, the request of the respondent to declare the nullity of the sanctioning administrative procedure that concerns us must be rejected.
To end the chapter on the alleged radical nullity of the procedure that the respondent adduces in its defence, the following considerations should be added.
One of them relates to the fundamental right to an impartial judge guaranteed in article 24.2 of the C.E.
The respondent has stated in its two briefs of allegations that the action of the AEPD has determined that it has "seen substantially affected the impartiality of the investigating body”, which is why we take this opportunity to specify that this alleged effect on the impartiality of the instructor does not fit into the fundamental right guaranteed by article 24.2 of the C.E., for which reason the nullity of the procedure could not be founded on it either under section a) of article 47.1 of the LPACAP.
Regarding the right to an impartial judge, it should be noted, furthermore, that it is not merely that this guarantee is not transferable to the instructor - on whom the respondent pivots the much-desired nullity of the procedure - but that this right is not even recognized within the framework of the administrative procedure. STC 76/1990, legal basis 8, could not be clearer:
“The right to [...] and to a process with all the guarantees - among them, the independence and impartiality of the judge - is a characteristic guarantee of the judicial process that does not extend to the administrative procedure, since the strict impartiality and independence of the organs of the judiciary is not, by essence, predicable with equal meaning and to the same extent of the administrative bodies (SSTC 175/1987 and 22/1990...”. (emphasis ours)
Lastly, regarding the minimum content of the opening agreement provided for in article 64 of the LPACAP and the "manifest contradiction" which, according to the entity, would have been incurred by saying that it "goes beyond" that minimum content, it is enough to point out that article 64.2 indicates that "it must contain at least", "b) [...] the sanctions that may correspond, without prejudice to what results from the investigation."
So, as stated at the time, the agreement to open this procedure not only met the requirements of article 64.2 LPACAP - it established the facts that motivate the initiation of the procedure, its possible qualification and the sanctions that could correspond - but "went further" because it detailed, among other things, the circumstances modifying responsibility that were appreciated in that phase. With this, neither "a kind of benefit is granted to the company" nor are “the rights enshrined in article 24 of the Constitution” "undermined", as the respondent reproaches us. A comment that is nonetheless striking if we take into account that one of the arguments put forward by the respondent in its allegations to the opening agreement was the poor argumentation of the circumstances modifying responsibility set forth in the aforementioned agreement.
In short, the guarantees granted to the defendant in the sanctioning administrative procedure and the rules governing the procedure have been scrupulously respected. The points mentioned by the respondent in its two briefs of allegations do not entail the violation of any fundamental right recognized in article 24.2 of the C.E. on which to support the concurrence of the ground for radical nullity of article 47.1.a) LPACAP.
Based on the foregoing, the claim of the respondent to declare the nullity of the procedure is rejected.
III
Section d) of article 5.1 of the RGPD determines, in terms of the "Principles regarding the treatment”, that:
“The personal data will be: (…) d) accurate and, if necessary, updated; all reasonable measures will be taken to eliminate or rectify without delay the personal data that are inaccurate with respect to the purposes for which they are processed (“accuracy”)”
For its part, regarding the "Principles of Data Protection", article 4.1 of the LOPDGDD determines:
"4. Data accuracy. 1. In accordance with article 5.1.d) of Regulation (EU) 2016/679, the data will be accurate and, if necessary, updated."
IV
Article 16 of the RGPD, regarding the "Right of rectification", establishes that:
“The interested party shall have the right to obtain, without undue delay, from the person responsible for the processing the rectification of personal data concerning him. Taking into account the purposes of the treatment, the interested party will have the right to complete personal data that is incomplete, including by means of an additional statement."
In turn, article 12.4 of the aforementioned LOPDGDD establishes as one of the “General provisions on the exercise of rights” that:
"4. Proof of compliance with the duty to respond to the request to exercise their rights formulated by the affected party will fall on the person responsible”.
For its part, article 14 of the LOPDGDD, under the heading “Right of rectification”, provides that:
"When exercising the right of rectification recognized in article 16 of Regulation (EU) 2016/679, the affected party must indicate in their request which data it refers to and the correction to be made. They must attach, when necessary, supporting documentation of the inaccuracy or incompleteness of the data being processed.”
Article 83 of the RGPD, under the heading "General conditions for the imposition of administrative fines”, states:
"5.
Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the one with the highest amount:
b) the rights of the interested parties pursuant to articles 12 to 22.”
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its article 74.c) establishes that:
"They are considered minor and will prescribe after a year the remaining infractions of a merely formal nature of the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in particular, the following: (...)
c) Failure to respond to requests to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law apply.”
And, for these purposes, it is evident that the complaining party requested the rectification several times and the respondent did not proceed to make said rectification, which is why the established exception is applicable.
Article 72.1.k) of the LOPDGDD establishes as infractions considered very serious:
“The impediment or the obstruction or the repeated non-attention of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679.”
V
According to the available evidence, account must be taken of the lack of attention to the claimant's right to obtain, without undue delay, from the person responsible for the treatment the rectification of the personal data that concerns him. Taking into account the purposes of the treatment, the interested party will have the right to complete personal data that is incomplete, including through an additional statement.
In the case analyzed here, it has been proven that the claimant exercised his right of rectification before the respondent entity and that his request did not obtain the legally required response.
Likewise, from the evidence obtained, the following is verified in relation to the requests for rectification by the claimant and the answers by the respondent:
1. There is no evidence, with the information provided by the respondent, of communications through the My Manager channel.
2. There is a response from the respondent dated 11/05/2020 after a request by the claimant dated 10/31/2020. This answer only explains the channels enabled for the exercise of rights. This answer is recorded as sent but not delivered because the claimant was absent from home.
In relation to the origin of the different postal addresses and their effective rectification:
3. In the evidence provided by the claimant, the address ***ADDRESS.2 is recorded on 01/31/2021 as associated with the contract ***CONTRACT.1, a contract that, in the evidence provided by the respondent as of 10/13/2021, is associated with the address ***ADDRESS.1.
4. Regarding the claimant's mailing address at ***ADDRESS.1, the address to which he requested the rectification, the respondent does not provide the information requested regarding how and when changes to that postal address have occurred, nor the reason for this change. Nor does the respondent provide information as to whether there has been a change to this address at any time. However, this address is used by the respondent in some communications addressed to the claimant in November and December 2020 and in April 2021.
5. In relation to the postal address of the claimant in ***ADDRESS.1, the respondent does not provide the information requested in relation to how and when changes to that mailing address occurred.
It does state that the origin of that address is the claimant's contracts and that the address was provided by the claimant, but it does not provide evidence in this regard beyond the mere association of this address with said contracts, as extracted from the screen capture of the respondent's systems.
On May 13, 2022, the respondent presents its allegations to the agreement to open this sanctioning procedure, stating:
<< We must state that such a statement does not conform to reality, since it is stated in our files that on May 3, 2021 the client appeared at the office 6435- STORE COSO and the address of the contract was changed, this in accordance with the indications provided by the Entity in the response to the exercise of the right of rectification requested. To this end, we attach (DOCUMENT NUMBER EIGHT and DOCUMENT NUMBER NINE, respectively) the receipts corresponding to the contract concerned, dated April 2021 and May 2021, where you can see the modification made>>.
Well, contrary to what the defendant states, document number 8, corresponding to the receipt dated April 30, 2021, shows the old mailing address of the claimant ***ADDRESS.2 associated with the contract ***CONTRACT.1.
In short, there is evidence in the file of the lack of attention to the right to rectification of data by Caixabank. It should be noted that the receipt dated April 30, 2021, provided by the respondent, still shows the old postal address, and only on the receipt dated May 31, 2021 does the claimant's new mailing address appear.
The behavior described violates article 16 of the RGPD and falls within the sanctioning provision of article 83.5.b of the RGPD.
V
The defendant has requested in its allegations that, in place of the administrative fine provided for in the initiation agreement, this Agency issue it a warning and, subsidiarily, reduce the amount of the fine established in the opening agreement at 25,000 euros.
Regarding the claim that a warning be addressed to it, we refer to Recital 148 of the RGPD, which says:
“In order to reinforce the application of the rules of this Regulation, any infringement of this must be punished with sanctions, including administrative fines, in addition to appropriate measures imposed by the supervisory authority under this Regulation, or in substitution of these. In case of a minor infraction, or if the fine likely to be imposed constituted a disproportionate burden for a natural person, instead of sanctioning by means of a fine, a warning may be imposed. However, special attention should be paid to the nature, seriousness and duration of the infraction, its intentional nature, the measures taken to alleviate the damages suffered, the degree of liability or any relevant prior violation, the manner in which the supervisory authority has become aware of the infraction, compliance with measures ordered against the controller or processor, adherence to codes of conduct and any other aggravating or mitigating circumstance. The imposition of sanctions, including administrative fines, must be subject to sufficient procedural guarantees in accordance with the general principles of Union Law and of the Charter, including the right to effective judicial protection and to a process with all guarantees.”
It is clear that the elements that allow substituting the sanction of an administrative fine established by article 83.5 of the RGPD for a warning are not present.
In determining the fine to be imposed on the respondent for the infraction of article 16 RGPD for which it is responsible, typified in article 83.5.b) RGPD, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that state:
“Each supervisory authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.”
“Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, due account will be taken of:
a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied under articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, section 2, have been previously ordered against the controller or processor in question in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or certification mechanisms approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, establishes:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the processing of personal data.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) Submission by the controller or processor, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.”
In the case analyzed, the following factors concur, which operate by aggravating the responsibility required of the entity because they show a greater unlawfulness of its conduct or greater culpability:
- The evident link between the business activity of the defendant and the processing of personal data (article 83.2.k of the RGPD in relation to article 76.2.b of the LOPDGDD). The activity of the defendant requires that numerous personal data of its clients be processed; therefore, given the very significant volume of business of the respondent financial institution when the events occurred, the significance that its offending conduct may have is undeniable.
- The time from when the complaining party requested the rectification until it was carried out (art. 83.2 a) of the RGPD).
Accordingly, having assessed the circumstances provided for in article 83.2 of the RGPD, sections a) and k), the latter in relation to article 76.2.b) LOPDGDD, as aggravating circumstances of the conduct examined, the administrative fine to be imposed for the infringement of article 16 of the RGPD, typified in article 83.5.b RGPD, is set at €25,000.
Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on CAIXABANK S.A., with NIF A08663619, for an infraction of Article 16 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 25,000 euros (twenty-five thousand euros).
SECOND: NOTIFY this resolution to CAIXABANK S.A.
THIRD: Warn the sanctioned party that it must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.
Once the notification has been received and once enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th day of the following month or immediately after, and if it is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second following month or immediately after.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month counting from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.
Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will end the precautionary suspension.
938-120722
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es