AEPD (Spain) - PS/00331/2022
AEPD - PS/00331/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 25 GDPR Article 32 GDPR 32 bis 4 Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo 32.4 Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo |
Type: | Complaint |
Outcome: | Upheld |
Started: | 05.08.2021 |
Decided: | |
Published: | 28.07.2023 |
Fine: | 2,500,000 BGN |
Parties: | OPEN BANK, S.A. |
National Case Number/Name: | PS/00331/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Teresa López |
The DPA did not accept anti-money laundering verification obligations as an excuse for forcing a data subject to provide details on the origin of their money through unencrypted emails, resulting in a €2,500,000 fine on the controller.
English Summary
Facts
On 5 August 2021, the data subject filed a complaint with the Bavarian Data Protection Authority against Open bank (the controller).
The data subject complained that the controller had requested proof of origin for several amounts of money in their bank account. This was so that the controller could comply with anti-money laundering regulations.
The claimant was not provided with a mechanism to securely provide this information besides unencrypted mail. Despite expressing concerns about the data protection risks, the data subject was not offered an alternative to provide such information.
Holding
The Spanish DPA was competent to act as the lead supervisory authority as the controller has its registered office and main establishment in Spain.
The DPA found that the controller violated Article 25 GDPR.
First, the controller failed to include the processing of personal data for anti-money laundering verifications in its data protection impact assessment at the time of the incident. This omission led to a lack of appropriate technical and organizational measures to uphold data protection principles and comply with GDPR requirements.
Second, despite having a policy in place allowing information to be sent via postal mail or in person at bank offices, the communication sent to clients did not specify these options.
Third, the DPA emphasised that having protocols or templates alone is insufficient for compliance with data protection by design and default principles. Simply carrying out the obligatory Data Protection Impact Assessment as mandated by Article 32(4) GPDR Spanish (and also 32 bis.4 of Law 10/2010, of 28 April, on the prevention of money laundering and terrorism financing (LPBCFT)), is insufficient to fulfil the requirements of privacy by design outlined in Article 25 of the GDPR. This is because Article 25 GDPR obligations go beyond merely adhering to the data protection regulations specified in the LPBCFT, emphasizing that data protection by design entails more than just performing an impact assessment.
Finally, the DPA also noted the controller's failure to implement measures after the data subject's expressed concerns. OPENBANK did not implement remedial actions until over a year later.
The DPA also held that OPENBANK infringed Article 32 GDPR.
The controller did not offer a secure mean to provide the documentation and the documentation was sent without the appropriate security measures. The DPA stated that a standard e-mail cannot be considered an appropriate means to guarantee a level of security adequate to the risk in the sending of documentation containing personal financial data.
As a result of these infringements, the AEPD imposed a total fine of €2,500,000 on the controller. €1,500,000 for violating Article 25 GDPR and €1,000,000 for violating Article 32 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/77 File No.: EXP202101565 IMI Reference: A56ID 318964 - A60DD 432357 - Case Register 321773 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) filed a claim, dated August 5, 2021, before the Bavarian data protection authority (Bavarian Lander Office for Data Protection Supervision). The claim is directed against OPEN BANK, S.A. with NIF A-28021079 (hereinafter, OPENBANK). The reasons on which it is based The claim are as follows: The OPENBANK banking entity has asked the complaining party to prove the origin of various amounts received in your bank account, in compliance with regulations against money laundering. However, no mechanism has been offered to provide this information encrypted or by direct upload to the web portal. The The only valid option has been sending by e-mail. Along with the notification, the following is provided: - Copy of email sent from the address ***EMAIL.1 to ***EMAIL.2 (hereinafter, email of the complaining party) dated July 7, 2021. In this email, it is required to the complaining party to provide the necessary documentation to prove which is the origin of the funds from three deposits made by the claiming party, in compliance with anti-money laundering and anti-fraud legislation terrorist financing; and it is indicated that, in the event of not receiving this documentation within a period of 15 days, OPENBANK must block the execution of new payments into your account in accordance with current regulations. - Copy of email sent from the email of the complaining party to ***EMAIL.1 of date July 10, 2021. In this email the complaining party indicates that it contributes under protest the documentation corresponding to the year 2019 through an email unencrypted email because, as he indicated in a telephone conversation, he does not There is the possibility of sending this documentation electronically from another manner. - Automatic reply to the previous email dated July 10, 2021 sent by ***EMAIL.3 towards the complaining party indicating that their email has been received email and they will reply to you soon. SECOND: Through the “Internal Market Information System” (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/77 cross-border administrative cooperation, mutual assistance between States members and the exchange of information, the aforementioned claim was transmitted on the 24th August 2021 and was given an entry registration date at the Spanish Agency of Data Protection (AEPD) on August 30, 2021. The transfer of this claim to the AEPD is made in accordance with the provisions of article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (as far as hereinafter, RGPD), taking into account its cross-border nature and that this Agency is competent to act as the main supervisory authority, given that OPENBANK It has its headquarters and main establishment in Spain. The data processing carried out affects interested parties in several Member states. According to the information incorporated into the IMI System, in accordance with the provisions of article 60 of the RGPD, acts as “interested supervisory authority”, in addition to the German data protection authority data from Bavaria, the authorities of the Netherlands, Portugal and the authorities Germans from North Rhine-Westphalia, Hesse, Berlin and Baden-Württemberg. All them under article 4.22.b) of the RGPD, given that interested parties residing in the territory of these control authorities are substantially affected or are likely to be substantially affected by the treatment subject to this procedure. THIRD: On September 9, 2021, in accordance with the then current article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), admitted for processing the claim presented by the complaining party. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: In response to a request for information formulated by this Agency, On May 19, 2022, OPENBANK provided, among other things, the following information: 1. Indication that OPENBANK has delegated the information request service to clients to the entity Santander Global Operations, S.A. (hereinafter, SGO), which belongs to the Santander group, and which acts in this case as in charge of the treatment. 2. Indication that they have defined an internal procedure called “Protocol of communications to clients due to AML/FT alerts: Opening and management of GAPS” to establish the form of action of SGO when it is necessary to request information or documentation supporting an unusual income. This procedure would apply in all countries in which OPENBANK provides service under the regime of free provision of services, which include C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/77 Spain and Germany. As indicated in the writing, this procedure consists of that “the Openbank call center (hereinafter, “call center”), will contact the client to request said information at the telephone number mobile phone registered in the Openbank database. Additionally, a email to the address registered in our database from the mailbox from ***EMAIL.4 to Spanish clients or from ***EMAIL.1 to clients Germans. In those cases in which the client requests information about other channels through which you can send the required documentation, informs that the following are available to you: (i) by postal mail and (ii) in person at any of the two branches that Openbank has in Madrid.". And it states that the communication model is provided for both contact channels, which would be the following: Dear Customer: The reason for our communication is to inform you that Openbank is obliged, in compliance with current legislation, to know the activity economic and origin of its clients' funds. A. For a specific operation: In this communication we ask you documentation that proves the origin of the funds that on […] deposited in Openbank for a total amount of [...] €. You can send us any document that justifies the origin of the aforementioned funds. B. For regular operations: In this communication we ask you documentation that proves the origin of the funds that are regularly has been entering from [...] and to date for a total amount of [...] €. You can send us any document that justifies the origin of the aforementioned funds. You can send this documentation to the following email address email: [***EMAIL.5 for Spanish customers or ***EMAIL.1 for customers Germans] indicating your full name in the email. We inform you that Openbank, acting as responsible for the processing of your personal data, will process the same for the compliance with the legal obligations to which Openbank is subject adopting sufficient technical and organizational measures to guarantee the security of the information. More information about your rights and data protection in [***URL.1 for Spanish clients or ***URL.2 for German clients] Remaining at your disposal for any clarifications you need, receive a best regard 3. Regarding the measures taken to guarantee the confidentiality of the documentation sent by the client to justify an unusual income, it is indicated, among other measures, the following: Finally, taking into account the security that we offer in our web pages and mobile applications, and that Openbank is a 100% bank digital we inform you that there are different processes in the entity, such as contracting a mortgage loan, personal loan or checking account, that allow clients to send us documentation through the area client's private address where they will be identified with their identification document identity and access code. In this sense, we would like to indicate that this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/77 functionality is implemented and in operation to provide compliance with the AML/CFT obligation to apply measures to ensure Openbank's knowledge of its clients and ensure that documents, data and information available are up to date. We attach them as an example as Annex V: Update flow of KYC and customer documentation. And screen prints of the know your customer form are provided in which it is observed that, upon completing the completion of the form, the option to update the “Economic activity document” documents and “Address Verification” by uploading them at that time. 4. As “Annex IV: Contractual support for the service provided by SGO”, it is provided copy of a document called “ANNEX 12 SERVICE PREVENTION OF MONEY LAUNDERING”, which indicates that it is annexed to the framework contract of leasing of services between OPENBANK (as client) and SGO (as supplier) subscribed on January 1, 2020 for one year extendable for periods annual. This annex is dated October 16, 2020 and its purpose is “the provision by the Supplier to the Client of a Back Office service for the activities related to the prevention of money laundering and financing of terrorism”, with the following relevant content: - In the first clause: (…). - In the fifth clause, regarding the protection of personal data, indicates that (…). Furthermore, this fifth clause indicates that (…). And, in clause five.d) the following is indicated: (…). - The sixth clause, on cybersecurity requirements, includes the following section on data transfers: (…). - In the eleventh clause, on subcontracting, the following is indicated Regarding activities that cannot be subcontracted: (…). CONCLUSIONS OF PREVIOUS RESEARCH ACTIONS 1. Communications with clients for money laundering prevention alerts capital and terrorist financing are subcontracted to CGO both in Spain C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/77 like in Germany. They report that there is a protocol to carry out these communications indicating that, in these cases, the client is contacted using the telephone number that you have previously registered and, additionally, you are sent an email to the email address you have previously registered. 2. In accordance with this protocol, in the communication sent by mail email to request information from the client regarding money laundering alerts, The channels that would be offered to the client to send documentation would be the following: email, postal mail or in person at the offices of OPENBANK in Madrid. 3. OPENBANK has a way to upload documents securely (a through its website) for some procedures (for example, to update the documents “Economic activity document” and “Domicile verification” in the know your customer form). This way of uploading documents is not offers the client within the protocol for money laundering alerts, in accordance with what is indicated in the claim. FIFTH: On August 26, 2022, the Director of the AEPD adopted a draft decision to initiate sanctioning proceedings. Following the process established in article 60 of the GDPR, on August 30, 2022 it was transmitted through of the IMI system this draft decision and the authorities were informed interested parties who had four weeks from that moment to formulate objections relevant and motivated. Within the period for this purpose, the control authorities interested parties did not present relevant and reasoned objections in this regard, so It was considered that all the authorities were in agreement with said draft of decision and were bound by it, in accordance with the provisions of the section 6 of article 60 of the GDPR. This draft decision was notified to OPENBANK in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (LPACAP) on August 29, 2022, as stated in the acknowledgment of receipt in the file. SIXTH: On October 3, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against OPENBANK, with in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged infringement of Article 25 of the RGPD, typified in Article 83.4 of the RGPD, as well as by the alleged violation of article 32 of the RGPD, typified in article 83.4 of the RGPD. In said Startup Agreement, OPENBANK was told that it had a period of ten days to present allegations. This Commencement Agreement, which was notified to OPENBANK in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (LPACAP), was collected on date 3 October 2022, as stated in the acknowledgment of receipt in the file. SEVENTH: On October 6, 2022, OPENBANK submitted a document through of which he requested an extension of the deadline to present allegations and that he be provided with copy of the file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/77 EIGHTH: On October 14, 2022, the investigating body of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with the provisions of article 32.1 of the LPACAP, and that it be sent to OPENBANK copy of the file. The aforementioned agreement was notified to OPENBANK on October 14, 2022, as It appears in the acknowledgment of receipt that is in the file. NINTH: On October 26, 2022, it was received at this Agency, on time and form, a letter from OPENBANK in which it alleged allegations to the Initiation Agreement, accompanied by the following documentation: 1.- Document “Communications protocol to clients for AML/FT alerts: OPENING AND MANAGEMENT OF GAPS (March 2021 version)”. 2.- Document “Communications protocol to clients for surveillance alerts transactional prevention of money laundering and terrorist financing (PBC/FT) (October 2022 version).” 3.- Document “Certificate on sections 3.10 and 3.11 of the Character Manual OPENBANK's internal policy on AML/CFT matters. 4.- Document “Impact Evaluation - Monitoring of clients and operations sensitive (version August 2021)”. 5.- Document “Impact Evaluation - Monitoring of clients and operations sensitive (version October 2022)”. 6.- Document “Approval report referring to Santander Global Operations, S.A.” 7.- Document “Internal security certificate issued by Santander Global Technology and Operations, S.L.” 8.- Document “EVALUATION (…)”. 9.- Document “VENDOR RISK ASSESSMENT - DP REPORT”. 10.- Uploading documentation to the client's private area. 11.- Images of “Section: Frequently Asked Questions on the Openbank website”. 12.- Document “Certificate of availability for uploading documents, issued on the 21st October 2022.” 13.- Document “Certificate of operational and customer analysis number shocked.” TENTH: On December 1, 2022, the investigating body of the procedure agreed to open a period of testing practice, considering themselves incorporated the claim filed by the complaining party and its documentation, the documents obtained and generated during the admission phase for processing of the claim, and the report of previous investigation actions that are part of the procedure E/09448/2021, being considered reproduced for evidentiary purposes, the allegations to the agreement to initiate the referenced sanctioning procedure, presented by OPENBANK, and the documentation that accompanied them. That same day, this Agency requested OPENBANK so that within a period of ten days skilled will present the following information: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/77 Provide documentary evidence regarding data protection from the design and by defect, for which OPEN BANK, S.A. is required to the impact assessment of data protection in force on 07/07/2021, date on which OPEN BANK, S.A. solicitous sending documentation to the complaining party, since in the attached documentation to the allegations of OPEN BANK, S.A. later versions are provided, specifically, the modified versions of August 2021 and October 2022. The opening of the trial period was notified to OPENBANK in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (LPACAP) on December 1, 2022, as stated in the acknowledgment of receipt in the file. On December 19 and 28, 2022, OPENBANK has presented its response to the cited requirement. ELEVENTH: On April 11, 2023, diligence is formulated by the instructor of the procedure by which the document is incorporated into the file “2021 Annual Report” of the Santander Group, which includes the corporate structure of the Santander Group and its business volume. This report states that the volume of Total global annual business of Banco Santander, S.A. and dependent companies (Santander Group) in the financial year prior to the commission of the infringement, fiscal year 2020, was 44,279 million euros (see pages 555 and 843 of the aforementioned “2021 Annual Report”). TWELFTH: On May 23, 2023, the instructing body of the procedure issued a proposed resolution in which it was proposed, in accordance with the provided in articles 63 and 64 of the LPACAP, impose a fine of 1,500,000 euros to OPENBANK for violating article 25 of the GDPR, and a fine of 1,000,000 euros for the violation of article 32 of the RGPD, both classified in the article 83.4 of the GDPR. Likewise, he was told that he had a period of ten days to present allegations. This resolution proposal, which was notified to OPENBANK in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (LPACAP), was collected on June 1 of 2023, as stated in the acknowledgment of receipt in the file. THIRTEENTH: On June 1, 2023, OPENBANK presents a letter to through which he requests the extension of the deadline to present allegations and that he be Provide a copy of the file. FOURTEENTH: On June 2, 2023, the instructing body of the procedure agrees to send to OPENBANK the copy of the file, which will be received by courier on June 8, 2023, as stated in the acknowledgment of receipt what is in the file FIFTEENTH: On June 5, 2023, the instructor body of the procedure denies the requested extension of the deadline to present allegations. The aforementioned agreement is notified to OPENBANK that same day, as stated in the acknowledgment receipt that is in the file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/77 SIXTEENTH: On June 14, 2023, this Agency receives, in time and form, letter from OPENBANK in which it alleges allegations to the proposal of resolution. In these allegations, in summary, he stated that: - The content of the resolution proposal is the same as the initiation agreement of this sanctioning procedure, so it will reproduce the allegations already presented. - Money laundering prevention regulations do not apply. - There are no financial data. - The so-called “high level measures” are not required. - The non bis in idem principle is being violated, or alternatively there would be a medial contest of infractions. - OPENBANK complies with the principle of data protection by design. - OPENBANK has not violated article 32 of the GDPR. - The principle of proportionality is being violated. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: In the document, unsigned, that accompanies the allegations to the agreement initiation of this procedure, called “PROTOCOL OF COMMUNICATIONS TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND GAPS MANAGEMENT”, it is indicated that the first approved version is from 04/03/2018 and that on 03/10/2021 the “Review, update and modification of some deadlines (reduction thereof)”. In point 4 of the aforementioned document, details: "4. FOLLOW-UP OF THE GAP REQUEST AND BLOCKING OF ACCOUNTS The following process and deadlines are established to be able to track the request for information regarding AML/FT alerts and establish the alerts in account, where applicable: D: SGO opens GAP requesting the Contact Center to contact the Client requesting information/documentation. In case the request is urgent or the size If the request does not fit in GAP, SGO will also send it by email to Contact Center recording this point in GAP. D+1: Contact Center contacts the client and requests the information/documentation following the First Communication model of Annex I. In the first instance, the Contact will be by telephone and an email will also be sent to the client. (See First Communication of Annex I) detailing the required documentation. Of If there is no valid email address, the request will be sent by email. Postcard. The Contact Center will register in the GAP both the sending of this communication and any contact with the customer, or the inability to make such contact, and will reassign the GAP to SGO. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/77 SGO reviews GAP and records in the GAP comment the date of the next review (D+15). D+15: If the required documentation has not been received on said SGO date will indicate to the Contact Center that it must reiterate the request for information to the client at via a comment and reassignment of the GAP. D+16: Contact Center contacts the customer again, following the same process used in D+1 but in this case using the Second Communication of the Annex I in which the client is warned of the possibility of blocking.”(…)” In Annex I of the aforementioned document, it is indicated: “(…)” SECOND: On July 7, 2021, an email was sent from the address ***EMAIL.1 to ***EMAIL.2. The content of the email is as follows (unofficial translation of the German original): “Dear Mr. A.A.A. The reason for our communication is to inform you that Openbank is obliged, in in accordance with current legislation, to know the economic activity and the origin of the funds from their clients. In this communication, we request the documents that prove the origin of the funds. Amounts deposited in Openbank (account ending in XXXX). - to (…) - he (…) - he (…) Please send us documents proving the origin of these funds. You can send us any document that justifies the origin of said funds (for example example, income tax, payroll, employment contract, contract sale if it is a real estate transaction). We guarantee the absolute confidentiality of the documentation you send us. If you do not receive the requested documentation within 15 days from the date of this notice, Openbank may, in compliance with the applicable regulations, prevent new deposits from being made to your accounts. If you have any questions about this, please do not hesitate to contact us every day from 08:00 to 22:00 at ***PHONE.1. Sincerely Your Openbank team” THIRD: On July 10, 2021, an email was sent from the party's email complainant to ***EMAIL.1. The content of the email is as follows (unofficial translation of the German original): “Dear Mr. or Mrs., I have had a demand money account at Openbank S.A./Madrid since last year. Now I have been asked to provide evidence of demand deposits of more than XXXXX euros, but also more than XXXX euros. I can understand this as part of the fight against "money laundering". However, the bank does not offer the possibility of upload data securely, for example through the customer portal. In its C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/77 Firstly, I am forced to transmit my personal data through a simple email unencrypted electronic. Despite asking, they only offered me this option, which I found forced to use. I ask you to check the process from the point of view of the protection of data and, where appropriate, take the appropriate measures. If you are not the competent authority, please refer the matter to me and send me a filing notice. Yours sincerely “A.A.A.” FOURTH: On July 13, 2021, the complaining party receives a automatic reply sent by ***EMAIL.3. The content of the email is as follows (unofficial translation from the German original): “Thank you for your request. We confirm that it has been duly received and We will send our response shortly. We remind you that our email hours are Monday to Sunday from 08:00 to 22:00. This is an automated response. If you have any questions, please contact contact ***EMAIL.4. Receive a cordial greeting, “OPENBANK” FIFTH: Document 4 provided by OPENBANK along with the allegations to the agreement The beginning of this sanctioning procedure is entitled “Evaluation of impact- Monitoring of clients and sensitive operations”, is not signed and indicates which is from August 2021. On page 41 it includes the following: SIXTH: Dated May 19, 2022, in response to the information request formulated by this Agency, OPENBANK stated: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/77 1.- That the service of requesting information from clients was delegated to the entity Santander Global Operations, S.A. (SGO), which belongs to the Santander group, and which acts in this case as the person in charge of the treatment, according to the contract dated 16 October 2020. In the document “Annex IV: Contractual support for the service provided by SGO” of the response to the information request of this Agency, in point 6.1 of the sixth clause of “ANNEX 12 SERVICE FOR THE PREVENTION OF MONEY LAUNDERING CAPITAL TO THE FRAMEWORK LEASING AGREEMENT FRAMEWORK SERVICES AND/OR EXECUTION AND/OR DEVELOPMENT OF SUBSCRIBED PROJECTS BETWEEN SANTANDER GLOBAL OPERATIONS S.A. AND OPEN BANK, S.A. SUBSCRIBED BETWEEN OPENBANK, S.A. AND SANTANDER GLOBAL OPERATIONS, S.A. ON THE 1ST OF JANUARY 2020” can be seen: 2.- That it had defined an internal procedure called “Protocol of communications to clients due to AML/FT alerts: Opening and management of GAPS” whose The purpose was to establish the update protocol for the management of requests for information to clients by Santander Global Technology and Operations (in hereinafter, “SGTO”), an entity belonging to the Santander Group in which Openbank This service is delegated as the person in charge of treatment. 3.- That this procedure for managing requests for information from clients is applied in all countries in which OPENBANK provides services under a free provision of services, including Spain and Germany. 4.- That this procedure consisted of “the call center of Openbank (hereinafter, “call center”), will contact the client to request said information to the mobile phone number registered in the Openbank database. Additionally, an email is sent to the address registered in our database from the ***EMAIL.4 mailbox to Spanish clients or from ***EMAIL.1 to German customers. In those cases in which the client requests information about other channels through which you can submit documentation requested, you are informed that you have the following at your disposal: (i) by postal mail and (ii) in person at any of the two branches that Openbank has in Madrid.". 5.- That the communication model for both contact channels was the following: (…). 1.Customers may send by email attaching the Encrypted documentation and password via phone call C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/77 SEVENTH: Document 5 provided by OPENBANK together with the allegations to the agreement to initiate this sanctioning procedure is titled “Evaluation of impact- Monitoring of clients and sensitive operations”, is not signed and indicates which is from October 2022. On page 4, in point “1. EXECUTIVE SUMMARY”, in the section “Name and description of the processing”, describes the data processing applicable to this case of the following form: “Monitoring of clients and operations in compliance with the AML/CFT regulations, specifically what is established in article 17, entities financial entities to examine with special attention any event or operation, with regardless of its amount, which, by its nature, may be related to the money laundering or the financing of terrorism, in particular any operation or pattern of behavior that is complex, unusual, or without an economic or legal purpose apparent, or that presents signs of simulation or fraud.” On page 15 of the aforementioned document, the risk is classified as follows: And on page 43 of the aforementioned document the following is included: EIGHTH: In the document, unsigned, that accompanies the allegations to the agreement of initiation of this procedure, called “PROTOCOL OF C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/77 COMMUNICATIONS TO CUSTOMERS FOR SURVEILLANCE ALERTS TRANSACTIONAL PREVENTION OF MONEY LAUNDERING AND FINANCING OF TERRORISM (PBC/FT)”, it is indicated that the first version approved is from 04/03/2018 and that on 03/10/2021 the “Review” was carried out updating and modifying some deadlines (reduction thereof).” The revision 3 of the document indicates that it was carried out on 05/06/2022 and consisted of the “Review updating and modifying the communications of Annex I”, while the revision 4 indicates was carried out on 10/17/2022 and consisted of the “Review and update of the protocol with the aim of adapting it to the new documentation upload process via private website, eliminating the need for the client to send it to an address of e-mail. Document reviewed together with the contact center and Operations Compliance". Point 4 of the aforementioned document details: "4. SENDING AND RECEIVING DOCUMENTATION BY CLIENTS TES In all cases (customers from Spain and passport countries -Germany, Netherlands- jos and Portugal) clients will be informed to upload the required documentation to the space enabled for this in the private area of the Openbank website indicating, within In the text field, the information that allows justifying the operation carried out. The contact center manager will provide assistance to customers when they have difficulties. instructions for uploading documentation. In case the customer has forgotten his username and/or password to access the Openbank website, you will be informed of the next steps. guide to reestablish it. In addition, a help guide has been prepared for managers and incorporated information for clients within the FAQ section of the Web." And in “Annex I- Communications to clients to request information and/or documents tion by an AML/CFT transactional surveillance alert” explains: “(…)” NINTH: As of October 13, 2022, OPENBANK had enabled within the private area of the bank's website (which requires a username and password) access) a space so that clients could provide the required documentation in compliance with the provisions of article 6 of Law 10/2010, of April 28, of prevention of money laundering and terrorist financing. TENTH: During the trial period, OPENBANK provided an Excel type file “DOCUMENTO_NUM._1.XLSX” without signature or date, in which in the tab “0.Sheet of Control” can be seen at the beginning and in red “Data Privacy Impact Assessment (DPIA)”. And in the tab “2. Life Cycle” of this file, under the title “Capture of Data”, is contemplated in the section “Processing activities or operations”. “Extraction of the client's transactional operations from the core systems of the Bank". (…): C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/77 2. Treatment life cycle General information affected personnel. It is necessary to indicate, broadly speaking, what the life cycle of the treatment would be like, from when the data is captured, how it is stored or classified, for what purpose it is used, the existence of assignments or transfers (whether to other national or international companies) and finally a description of how they are destroyed. Processing life cycle Data capture Storage / Use / processing Transfer of data or Destruction / classification Tracking and monitoring transfers to a third party Data is not destroyed, of the transactional profile are stored Extraction of client operations, through indefinite transfer of client data. However Client transactional processing activities or operations Data storage in analysis of their positions and through the tool limits the depth Banks core systems of internal fraud lists. operational in the different Edit historical information contracted products with which one consults Openbank and client weighting. Character data Character data Character data Character data identifying identifying identifying identifying Flow and processed data Economic data, Economic data, Economic data, Economic data, N/A financial and insurance financial and financial insurance and financial insurance and insurance GEOBAN (in charge of Participants in the activities or operations of alert monitoring) treatment (includes treatment managers) N/A N/A (Analysis of Sepblac operations N/A second level) Technology involved in the activities of the Partenon Office tools Norkom Editran tool N/A treatment (Excel). FIOC Application ELEVENTH: Banco Santander, S.A. has direct participation of 100% from Open Bank, S.A. (see page 816 of the “2021 Annual Report” of the Santander Group). The total global annual business volume of Banco Santander, S.A. and societies dependents (Santander Group) in the financial year prior to the commission of the infringement, fiscal year 2020, was 44,279 million euros (see pages 555 and 843 of the “2021 Annual Report”). TWELFTH: OPENBANK's total number of clients is greater than 1.7 million customers (Source: ***URL.3) THIRTEENTH: The number of requests, made by OPENBANK, for analysis of operations in compliance with art. 6 of Law 10/2010, of April 28, of prevention of money laundering and terrorist financing and the number of clients therefore impacted during the years 2020, 2021 and 2022 has been the following, according to what is stated in Document 13 that accompanies his allegations to the agreement to initiate this sanctioning procedure: FOUNDATIONS OF LAW Yo Competition and applicable regulations In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/77 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Previous Issues In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, involves the processing of personal data, since OPENBANK, through the entity Santander Global Operations, S.A. as responsible for the treatment, carries out the collection, conservation and communication of, among others, the following personal data of natural persons: name, surname, number tax identity, email and the origin of the clients' income, among other treatments. OPENBANK carries out this activity in its capacity as data controller, given that he is the one who determines the ends and means of such activity, by virtue of article 4.7 of the GDPR. The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to the competence of the authority of main control, that, without prejudice to the provisions of article 55, the authority of control of the main establishment or the sole establishment of the person responsible or the person in charge of the treatment will be competent to act as a control authority principal for the cross-border processing carried out by said controller or commissioned in accordance with the procedure established in article 60. In the case examined, as stated, OPENBANK has its main establishment in Spain, so the Spanish Data Protection Agency is competent to act as the main supervisory authority. For its part, article 25 of the GDPR regulates data protection from the design and by default, which the data controller will apply, both at the time of determine the means of treatment as at the time of the treatment itself and, On the other hand, article 32 of the RGPD regulates the security measures that must be be adopted to guarantee a level of security appropriate to the risk presented by the processing of personal data. III Allegations alleged C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/77 In relation to the allegations alleged in the proposed resolution of this sanctioning procedure, we proceed to respond to them according to the order exposed by OPENBANK. FIRST.- GENERAL CONSIDERATIONS REGARDING THE CONTENT OF THE MOTION FOR RESOLUTION OPENBANK alleges that the structure and content of the proposed resolution not only extremely complex and difficult to follow, but as a consequence of All of this, the AEPD incurs numerous contradictions. In this sense, he alleges that the proposed resolution dedicates the basis of right III to respond to the allegations alleged by OPENBANK to the agreement of the beginning of this sanctioning procedure, for the purpose of which it reproduces almost literally the allegations made by OPENBANK trying to counterargue, one by one, what is stated in each of them, but that, Subsequently, the proposed resolution reproduces in the legal foundations IV and following, practically literally and with minimal alterations, the content of the aforementioned initial agreement, without making any reasoning or addition to what has already been invoked by the Agency at the time the procedure was initiated. And alleges that what is stated in the legal basis III of the proposed resolution comes into open contradiction with what was mentioned based on its foundation of right IV, given that in the first of these grounds the AEPD denies supporting the argumentation or reasoning that is subsequently reproduced and used to ratify itself in its position on the following legal bases. He indicates that this leads first of all to an obvious conclusion: if the reasoning of The AEPD is exactly the same as that maintained in the initial agreement, OPENBANK cannot but confirm itself in each and every one of the allegations made prior to the aforementioned agreement. In this regard, this Agency recognizes that it is possible that the wording of the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK could be improved, which is why a new wording that simplifies the reading of the resolution, while improving the motivation in relation to the commission of the infraction, as well as the sanction to be imposed and avoid possible confusion. SECOND.- ABOUT THE PREMISES SUPPORTED BY THE AEPD THROUGHOUT LENGTH OF THE PROCEDURE OPENBANK, in its allegations to the Initiation Agreement, showed how that (and the Proposal) was based on three essential arguments: (i) that OPENBANK was subject to compliance with the obligations of diligence due, as established in article 32 of Law 10/2010, of April 28, of prevention of money laundering and terrorist financing (hereinafter, the “LPBCFT”) and 60.2 of its development regulations, approved by Royal Decree 304/2014, of May 5 (hereinafter, the “RPBCFT”); (ii) that the AEPD considered that The information requested by OPENBANK from the complaining party was considered C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/77 of “financial data”, which required the adoption of reinforced measures and not valued by OPENBANK; and (iii) that “high-level” security measures had to be implemented. It is alleged that the proposed resolution does not contradict what was argued by OPENBANK, but denies the application by the Startup Agreement of the aforementioned premises, something that, in his opinion, directly contradicts the very fact of the reading of the proposal itself, given that the paragraphs transcribed by OPENBANK continue to appear, literally, in the foundations of law IV and following of same. In this regard, this Agency reiterates that: (i) the object of this procedure is not the violation of the provisions of the regulations on the prevention of money laundering but rather the violation of the provisions of Articles 25 and 32 of the GDPR, regulations applicable to data protection personal rights of natural persons, which is the responsibility of this Agency; (ii) the information requested by OPENBANK from the complaining party does have the consideration of “financial data”, which required the application of a series of measures reinforced to effectively apply data protection principles and integrate the necessary guarantees into the treatment in order to meet the requirements of the GDPR and protect the rights of the interested parties (in accordance with the provisions of the article 25 of the GDPR), as well as the application of technical and organizational measures appropriate to guarantee a level of security appropriate to the risk (in accordance with the provided in article 32 of the RGPD); (iii) that in the present case it is not a question of whether security measures should be implemented “high level” security, but rather that measures had to be implemented that guarantee a level of security appropriate to the risk to rights and freedoms of natural persons. However, this Agency recognizes that it is possible that the wording of the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK could be improved, which is why a new wording that simplifies the reading of the resolution, while improving the motivation in relation to the commission of the infraction and the sanction to be imposed and avoid possible confusion. 1. On the applicability of the regulations for the prevention of money laundering OPENBANK alleges that, in relation to the alleged applicability to the obligations of due diligence of what is established in article 32 of the LPBCFT, the proposal of resolution establishes a premise: that the provisions of the regulations for the prevention of Money laundering and terrorist financing are irrelevant at present case, given that (i) “the classification of the facts is not motivated by a violation of articles 32 and 32 bis of Law 10/2010, as OPENBANK says in its allegations, but by articles 25 and 32 of the RGPD”; (ii) “is not the subject of the present procedure whether or not the provisions of article 32 or 32 bis of the LPBCFT, since it is not the competent authority for this and the legal right protected by the aforementioned regulations is different from the legal good protected by the regulations C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/77 “data protection”; and (iii) in relation to OPENBANK's invocation of the reports from the AEPD itself “what cannot be done is, as intended OPENBANK, use them to interpret the content of an article, 32.bis, in contrast to article 32, when article 32.bis did not exist on the date of the issuance of such reports, being added later by art. 3.15 of the Real Decree-law 7/2021, of April 27, in force as of 04/29/2021.” Regarding the first of the aforementioned issues, OPENBANK considers that A mere reading of the legal basis IV of the Proposed Resolution is enough to show how the AEPD continues to substantiate all the imputability of OPENBANK in its alleged non-compliance with article 32 of the LPBCFT and how said precept refers solely and exclusively to compliance by the obligated entities in matters of prevention of money laundering to the provisions relating to the obligations of special examination of operations and initial communication to the Executive Service of the Prevention Commission Money Laundering and Monetary Offenses (hereinafter, the “SEPBLAC”). In this regard, this Agency recognizes that it is possible that the wording of the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK could be improved, which is why a new wording that simplifies the reading of the resolution, while improving the motivation in relation to the commission of the infraction and the sanction to be imposed and avoid possible confusion. Likewise, OPENBANK alleges that the proposed resolution errs in indicating that the provisions of articles 32 and 32 bis of the LPBCFT are outside of the powers of the AEPD, since these are two rules that regulate the obligations of the obligated subjects regarding the protection of personal data and not the substantive aspects of the anti-money laundering prevention regulations themselves. capitals. And that these precepts are formed as a special norm referring to protection of personal data in the environment of crime prevention regulations money laundering, in the same way that numerous sectoral regulations include data protection provisions regarding which the AEPD has never denied its competence, since they are nothing more than the particularization for a case or sector specific to the rules contained in the RGPD and the LOPDGDD. OPENBANK indicates that the aforementioned precepts are those that particularize the obligations that must be fulfilled by the obligated subjects to comply to the proactive responsibility duties established in the protection regulations of personal data in relation to data processing of this nature that must be carried out in compliance with the obligations established in the Law, and, in With regard to this case, with regard to compliance with the duty of knowledge of the origin of the funds established in the regulations of prevention of money laundering. That is, compliance with the principle of proactive responsibility, and in particular the of privacy from the design, is materialized in the adoption of the measures that establishes the LPBCFT itself, without it being admissible to disaggregate this law from its own RGPD, as if they were independent legal regulations referring to realities different. The LPBCFT indicates what these obligations are, clearly differentiating C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/77 evident (and in force at the time of the occurrence of the events that gave rise to the present file) among the obligations related to the treatments carried out in compliance with due diligence and those related to the treatments carried out to comply with the special operations examination, so that In the present case, the application of the provisions of article 32 bis of the LPBCFT. In this regard, this Agency wishes to point out that it cannot but agree with everything affirmed by OPENBANK in this sense. Although clarifying that the management of the regulatory compliance provided for in article 25 of the GDPR is not limited to the application of the precepts of the LPBCFT that particularize some of the obligations in regarding data protection, further reinforcing some of the obligations in relationship with certain treatments. In this way, OPENBANK alleges, compliance with the privacy principle from the design in the treatments carried out in compliance with Chapter II of the LPBCFT is translated into article 32 bis.4 of the law, which provides that “the subjects obligated parties must carry out an impact assessment on the data protection of the treatments referred to in this article in order to adopt technical measures and reinforced organizational structures to guarantee the integrity, confidentiality and availability of personal data. These measures must in any case guarantee the traceability of data access and communications.” And it is undeniable, in his opinion, that OPENBANK carried out the aforementioned evaluation of impact on data protection in relation to the aforementioned treatments, such as that he did not conceive and apply this obligation as a static process, but as a dynamic process, recording in the file the various evaluations carried out by OPENBANK, as well as the measures successively implemented by it, among which is currently the fact that the information for the Compliance with due diligence obligations will be facilitated in the private area of the client made available to him by OPENBANK. In this regard, this Agency wishes to point out that compliance with the privacy principle from the design to the treatments carried out in compliance with Chapter II of The LPBCFT translates into much more than what is indicated in article 32 bis.4 of the law. Everything indicated in article 25 of the RGPD applies to these treatments, as it applies to all subjects included in its scope of application. However, in the specific case of entities subject to the LPBCFT regime, the obligation to carry out an impact assessment in order to adopt reinforced measures to guarantee the integrity, confidentiality and availability of personal data (and at a minimum, guarantee the traceability of the accesses and communications of the data), is an obligation for adults, due to the very nature of the treatments carried out in compliance with Chapter II of the LPBCFT, which require greater protection given the greater risk to the rights and freedoms of Physical persons. It should also be noted that privacy by design is not limited to carry out the data protection impact assessments referred to in the LPBCFT. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/77 In the present case, the lack of design of the treatment by the of OPENBANK, since the data collection activity of clients in the so-called “treatment life cycle” of their Excel file data protection impact assessment document (provided during the trial period of this procedure); Therefore, by not even foreseeing this activity, the appropriate technical and organizational measures have not been applied to effectively apply data protection principles (among others, the confidentiality) and comply with the requirements of the GDPR and protect the rights of interested. Regarding the analyzes carried out by OPENBANK in the documents called “Impact Assessment - Monitoring of clients and sensitive operations”, in its August 2021 version, which was not even current at the time of the events that are the subject of the claim, which took place in the month of July 2021, it had only been foreseen as a possibility for clients to send information through an encrypted message sending the password through another channel. And even in The aforementioned document mentions that “an internal lawsuit has been requested so that Interested parties can upload documents directly through the website, once they have logged in.” However, it has been possible verify that the complaining party was never given that possibility, not even in the initial communication sent by OPENBANK nor subsequently when it requested a secure alternative route for sending that communication. It was also found that In the communication model that was sent to clients, none of these options, only mention was made of the possibility of replying to the email email that was sent without giving further instructions on how it could be protected such information. It is curious that, despite not providing any sufficiently secure means to its clients to provide the information to which they were obliged, both documents in their 2021 and 2022 versions they recognize that the risk inherent in such treatment It had a high impact on the rights and freedoms of the interested parties. And, however, it is only in the October 2022 version that OPENBANK indicates that “customers will identify themselves by means of a DNI and access code to the private area of customer". What is certain is that the communication directed to the client complied with the provisions of the document provided by OPENBANK as a protocol to request documentation to clients under the LPBCFT and the communication addressed to clients does not indicated no means of providing that information, beyond the possibility of respond to the aforementioned email. In any case, to comply with data protection from the design and therefore Indeed, it is not enough to simply have a protocol document or communication model, if later upon reviewing said documents it is found that they do not A forecast was made in conditions on the technical and organizational measures appropriate to effectively apply the principles of data protection and provide the necessary guarantees in the processing in order to comply with the requirements of the RGPD and protect the rights of the interested parties, as provided in article 25.1 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/77 Nor is it sufficient to have documents that establish protocols or procedures. to follow, if later in practice when carrying out the treatment they are not also provided. little appropriate measures to implement data protection principles nor are they inter- great guarantees necessary to comply with the requirements of the GDPR. In the present case, it has been proven that in July 2021 the party was asked to complainant to send certain information, which could have a high impact for your rights and freedoms, by email, without giving you further information. nes on how he could send such information through a secure channel. It has also been proven that the complaining party had told the bank his concern in this regard and had requested that a safe means be provided to share such information. But, given the bank's refusal, he had no other option. tion than sending the requested information through a simple email, to his displeasure and despite having expressed his reluctance. And even the complaining party expressly gave that his concern be taken into account and a means be enabled safe in the future to share this type of information. However, in the August 2021 documents that OPENBANK provided together with their allegations to the initial agreement, no other means is foreseen. From the content of the documentation that appears in the file, it has been proven do: - That in “Annex I - Communications to clients to request information and/or documentation by PBC” of the document ““COMMUNICATION PROTOCOL- NES TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND MANAGEMENT OF GAPS”, dated March 2021, in the first communication addressed to the client, in which he is asked to prove the origin of the funds, there is no provision indicate a specific means by which you must provide such information to OPEN- BANK. And that in the second communication that is addressed to the client, it is not foreseen nor indicate a means by which to provide such documentation to the bank, but The text includes the threat that if the documentation is not received requested in the next 15 days OPENBANK may prevent the realization tion of new income into your accounts. - That on July 7, 2021, OPENBANK requested the complaining party to send documentation that accredited the origin of certain funds, under the threat that in 15 days they could prevent new deposits into your account, without indicate any means by which such information should be provided. - That on July 10, 2021, the complaining party provided the requested documentation. tada expressing his disagreement because when he asked about the form of send such information, they told him to do so by email, without further. And in this email that is sent, the complaining party indicates that it does not considers it a safe means, which is done through this medium because it is was forced to do so, and even he himself provides as an example of half-hearted I guarantee the possibility of sending it “through the client portal”, a possibility that it was not provided to you from OPENBANK. Also please check the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/77 process from the point of view of data protection and take measures timely. However, this email only received an acknowledgment of receipt automatic from the bank, on July 13, 2021. - In the document “Impact evaluation - Customer and operation monitoring - “sensitive information”, dated August 2021, it is expected that the interested party can respond to the email with an encrypted message sending the password via another channel. And it has been requested that it could be done directly through from the website section, once logged in. - In the document “Impact evaluation - Customer and operation monitoring - sensitive data”, October 2022, it is expected that clients will authenticate using your ID and access code to the private client area. - In the document “COMMUNICATIONS PROTOCOL TO CUSTOMERS BY TRANSACTIONAL MONEY PREVENTION SURVEILLANCE ALERTS CAPITAL CHALLENGE AND FINANCING OF TERRORISM (PBC/FT)”, from October 2022, it is indicated that clients will be informed to upload the document mention through the private area of the OPENBANK website. And in the “Annex I- Communications to clients to request information and/or documentation by an AML/CFT transactional surveillance alert” the client is instructed to send documentation through the “Customer Area” of the OPENBANK website. That is, the protocol in force at the time of the events (March 2021) does not pre- provided information on the method of sending the requested documentation. da, notwithstanding the risks to the rights and freedoms present in such treatment of data. In July 2021, the complaining party drew attention to this issue in the email which he sends on July 10, 2021 to OPENBANK. But the bank ignores it and not even In any case, he was given an answer to his concern, which clearly dealt with a question. protection of personal data, which also shows the lack of a process OPENBANK's internal system to channel these issues. In August 2021, OPENBANK foresees the possibility for clients to send the reference documentation through an encrypted email and providing the password. ña through another email (without specifying which one). And it is indicated that the possibility was requested that this documentation could be provided through the customer area of the OPENBANK website. And it is not until October 2022 that communication protocols and documents of the supposed impact assessment of this issue specifically incorporate that clients can provide the requested documentation through the website of OPENBANK, logging into your client area. That is, the solution was adopted to be able to provide this information through the client area a year and a half after the update protocol was adopted. March 2021 and more than a year after the complaining party had called drawn attention to this specific issue and that the document of alleged impact assessment of this issue would have already foreseen it as a possibility C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/77 which had to be followed up. All of this shows that OPENBANK did not apply a data protection approach of the design neither before nor during the performance of the treatment, so it is rejected. the present allegation. OPENBANK alleges that it is perfectly aware that the principle of privacy by design requires that reinforced measures to guarantee the rights of interested parties are carried out prior to the practice of the treatment, but that the obligation to obtain from the interested party information about the origin of the funds is provided for in the LPBCFT, whose validity is more than eight years prior to that of the GDPR. And that OPENBANK was obliged to carry out the processing of the data at referred to in this file long before they were adopted or the rules contained in the RGPD and the LOPDGDD become fully applicable. By Therefore, strict application of the principle can hardly be required (in the case of meaning that the measures had to be prior to the treatment), under penalty of failing to comply its obligations regarding the prevention of money laundering and financing of terrorism. In this regard, this Agency wishes to point out that Organic Law 15/1999, of 13 December, Protection of Personal Data was approved for more than 10 years before the LPBCFT and that the LPBCFT itself contained in its original wording a reference to the personal data protection regulations in its article 32. And that There is no doubt that the subjects to whom the LPBCFT was applicable were fully subject to the provisions of the regulations then in force on personal data protection. Regardless of whether there was an article 32 of the LPBCFT specific for the treatments of Chapter III of the aforementioned Law (which imposed a series of greater obligations for those responsible for treatment), this This did not prevent the regulations from applying to the rest of the treatments. protection of personal data in force at all times: initially, the LOPD of 1999, until the RGPD and the LOPDGDD became applicable, which displaced that. While it is true that the approach of the RGPD and the LOPDGDD was completely novel compared to the previous data protection regulations, it is no less true that OPENBANK had more than enough time throughout the three years (six years if counted from the adoption of the RGPD text) that elapsed between when approved the GDPR (April 2016), until the GDPR became applicable (May 2018, which allowed two long years for preparation and adaptation to the RGPD) and the facts that are the subject of the claim that gave rise to this procedure sanctioner (July 2021) to adapt their treatments to the provisions of the articles 25 and 32 of the GDPR (four years considering that they were recently adopted the measures so that clients could share the requested information through of your private area in October 2022). Of course, it would have been impossible to have a protection approach. data from the design before carrying out the treatment, when it took place many years before the GDPR existed, but it is undeniable that the principle of Data protection by design does not only imply that the measures should be prior to the treatment, but article 25 of the RGPD itself indicates “both in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/77 at the time of determining the means of treatment and at the time of the treatment itself. treatment”, that is, not only beforehand but throughout that treatment takes place and whenever the means of treatment are determined, which is a decision that is also made over time, as they change the circumstances and possibilities of each moment. Furthermore, it should be noted that, without disregarding the legal obligations imposed through the LPBCFT, the legal obligations provided for in the GDPR are at least at the same level, especially when the latter protects a right fundamental. Obligations that must be fulfilled by OPENBANK, regardless of compliance with those accruing from the LPBCFT; and this without that compliance with the provisions of this last standard makes compliance impossible of those of the GDPR. OPENBANK is focusing on its risks, on the risks for the organization if not complies with the LPBCFT, and not on the risks to the rights and freedoms of its clients regarding data protection. Finally, OPENBANK alleges that article 32 of the LPBCFT is only applicable to the obligations contained in its Chapter III. And this to the point of urge the legislator to adopt a rule that specifically established the scope of said obligations regarding the protection of personal data in relationship with what was established in Chapter II of that Law, as finally stated materialized in article 32 bis of the LPBCFT, added by art. 3.15 of the Real Decree-law 7/2021, of April 27. And that only in this way can the conclusion reached by Report 195/2013 of the Legal Office of this AEPD when he indicates that “the interpretation that the high security level is the one referred to in article 32.5 of Law 10/2010 is only enforceable in relation to the files created to comply with the obligations established in the Chapter III of the aforementioned Law must be considered consistent with the fact that the Law itself establishes certain limitations to the affected party in relation only to said files, this required level being an additional guarantee established as a counterweight of the aforementioned limitations” and the fact that in Report 41/2018 the AEPD urged to the legislator the need to regulate data protection obligations in the framework for compliance with the duties of due diligence and special examination of operations, recommending the drafting of differentiated rules for each type of treatments. In summary, OPENBANK alleges that the arguments put forward by the AEPD must decline, given that it substantiates the alleged non-compliance by OPENBANK with the principle of privacy from the design and implementation of security measures security in a standard, article 32 of the LPBCFT, which is not applicable to the case, because the Agency itself had even indicated this. In this regard, this Agency agrees that it is not applicable to the obligations of the Chapter II of the LPBCFT article 32 of the LPBCFT, but rather article 32 bis of the same, which is why a new wording will be given to the legal foundations subsequent to the one that responds to the allegations presented by OPENBANK. IN CONCLUSION: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/77 1.- The management of regulatory compliance with article 25 of the RGPD, the Privacy by design is not exhausted by compliance with the data protection obligations provided for in the LPBCFT. 2.- The management of regulatory compliance with article 25 of the RGPD does not end by carrying out data protection impact assessments. 3.- OPENBANK had not foreseen the treatment activity consisting of the collection of financial data from clients for the prevention of money laundering of capitals. 4.- The data protection impact assessments carried out by the party claimant at the time the events occurred did not include the processing activity consisting of the collection of financial data from clients for the prevention of money laundering. 5.- Since this activity was not foreseen by OPENBANK, they had not been identified and evaluated the risks to the rights and freedoms of clients present in such treatment. 5.- By not identifying and evaluating the risks, they have not been established and applied the appropriate technical and organizational measures to effectively apply data protection principles (including confidentiality) and comply the requirements of the GDPR and protect the rights of data subjects (of all Your clients). 6.- All of the above clearly shows that OPENBANK did not comply with its obligation to apply article 25 of the GDPR, privacy from the design or before or during the treatment. 2. Regarding the reference made by the AEPD to the financial data OPENBANK alleges that the proposed resolution is clearly contradictory, given that it introduces in two consecutive paragraphs of the legal basis III two considerations that are diametrically opposed and that seem to base his reproach sanctioner. Thus, it is indicated that “it is not appropriate to determine the level of risk and the need for adopt appropriate security measures based on the financial data of in isolation, but in accordance with the provisions of the applicable data protection regulations. to the case, that is, depending on the type of treatment, as well as specifically, regarding the prevention of money laundering”, which seems to reinforce the idea, since previously refuted, that it is the nature of the treatment, and not that of the typology of the data, which justifies his reproach. But he immediately adds that “the factual circumstances of the present case determine that reinforced security measures must be adopted given that the processing of the personal financial data of the complaining party presents a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/77 high level of risk.” That is, it is the nature of the data, considered financial, and not the purpose of the treatment, which justifies the adoption of certain measures that the AEPD considers not fulfilled. In this regard, this Agency wishes to point out that the analysis and adoption of measures technical and organizational measures to effectively apply the principles of data protection. data and integrate the necessary guarantees to comply with the requirements of the RGPD and protect the rights of data subjects (Article 25 of the GDPR) and to apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons (article 32 of the RGPD), should not be done solely by virtue of the nature or purpose of the treatment that is carried out or solely by virtue of the typology of the data that is treated as if they were exclusive aspects, but must be carried out taking into account takes into account all the aspects that the treatment in question could entail. The analysis carried out by OPENBANK on the concept of “financial data” to determine terminate if the treatment we are facing entails a greater risk and if This category of data deserves special protection is not correct, since intends to separately assess the concept “financial data” of the regulations of LPBCFT, when the need for a data protection impact assessment and the consequent adoption of reinforced measures that guarantee the integrity and confidentiality confidentiality of personal data, as well as guaranteeing the traceability of accesses. processes and data communications are already established by the legal system. legal. In compliance with the LPBCFT, obligated entities can process data financial, but not only data of this category are also processed personal of diverse nature: identification, contact or economic (business, professional, investment...). Data protection in Compliance with the LPBCFT cannot be limited by the applicable criteria as to only one of these data, as OPENBANK tries to reason, when what it tries to protect is the access to the information that all this personal data entails, not only individually, but to their treatment together. OPENBANK indicates that the previously alleged is reinforced by the fact that the legal basis IV of the proposed resolution once again considers the reference to financial data made by recital 28 of the GDPR as essential to determine the need for OPENBANK to have established a additional measure in the collection of data related to the origin of funds. In this regard, this Agency wishes to point out that it does not understand the reference made to recital 28 of the RGPD, since it deals with the pseudonymization of the data. In any case, the reference to the financial data is decisive, given that they are data that deserve special protection as their treatment involves a greater risk to the rights and freedoms of natural persons. OPENBANK alleges that, regarding the reference made by the AEPD to the Guidelines of the Article 29 Working Group (hereinafter, “WG29”), suffice it to point out that the controversial treatment does not imply any type of “evaluation or scoring” of interested parties nor its contrast with “a credit reference database or a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/77 database against money laundering and terrorist financing”, but only obtaining information on the origin of the funds corresponding to certain operations. In this regard, this Agency wishes to recall the content of the “Guidelines on the data protection impact assessment (DPIA) and to determine whether the treatment 'probably entails a high risk' for the purposes of Regulation (EU) 2016/679”, in what is of interest here: “In order to offer a more concrete set of treatment operations that require a DPIA due to their inherent high risk (…) the following nine criteria must be considered: 1. Evaluation or scoring, including profiling and prediction, especially of “aspects related to performance at work, economic situation, health, personal preferences or interests, reliability or behavior, situation or the movements of the interested party" (considerations 71 and 91). Some examples of this may include a financial institution that investigates its clients on a database credit reference data or in an anti-money laundering database and the financing of terrorism or fraud…” (emphasis added). This Agency considers that the activity carried out by OPENBANK under the provided in Chapter II of the LPBCFT, by which clients are requested to provide the “supports that justify a certain income, since they will allow clarify the origin of the funds that have been deposited into the client's account in OPENBANK” does fall within a financial institution that investigates your clients in a possible anti-money laundering and anti-fraud database. financing of terrorism, which is why they are operations that involve probably a higher risk. And so much so, that they are operations that probably entail greater risk, that the LPBCFT itself considered it convenient to incorporate the need to carry out a data protection impact assessment of the treatments to which referred to in said article in order to adopt reinforced technical and organizational measures to guarantee the integrity, confidentiality and availability of personal data. Likewise, OPENBANK alleges that the proposed resolution seems to indicate that OPENBANK has not carried out any evaluation of the impact of the treatment on the data protection, which comes into direct contradiction with the file administrative, which includes it, as well as the measures adopted to alleviate the risks on data protection derived from the processing. In this regard, this Agency wishes to remember that the purpose of this procedure is not is whether or not OPENBANK carried out an impact evaluation as required by the article 32 of the LPBCFT, but whether the organization had incorporated the principles of data protection by design and by default (Article 25 of the GDPR) and whether there were adopted appropriate security measures in relation to the risk to human rights and freedoms of the interested parties (article 32 of the RGPD). In the present case, the lack of design of the treatment by the of OPENBANK, since the data collection activity of clients in the so-called “treatment life cycle” of their Excel file data protection impact assessment document (provided during the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/77 trial period of this procedure); Therefore, by not even foreseeing this activity, the appropriate technical and organizational measures have not been applied to effectively apply data protection principles (among others, the confidentiality) and comply with the requirements of the GDPR and protect the rights of interested. Furthermore, this Agency reiterates what has already been answered in the allegation regarding the applicability of the regulations for the prevention of money laundering regarding the analysis of the content of the communications sent to the complaining party as well as of the documentation provided to the file, all of which shows that OPENBANK did not apply a data protection by design approach before or during carrying out the treatment. OPENBANK alleges that, both the European Legislation Manual on the Protection of Data such as the AEPD Risk Management Guide refer, when mentioning the financial data, to those related to payment methods, even when the proposal resolution seems to deny, in a categorical and unfounded manner, said statement. In this regard, this Agency wishes to recall the content of Chapter 9.2 of the Manual of European legislation on data protection, prepared by the Agency for European Union for Fundamental Rights, the Council of Europe, the Court European Human Rights and the European Data Protection Supervisor where it refers to “financial data”: “Although the financial data is not considered sensitive data under Convention 108 or the General Regulation of data protection, its processing requires special guarantees that guarantee the accuracy and security of data. In particular, electronic payment systems need to incorporate data protection measures, that is, protection of the privacy or data by design and by default.” The mention of the protection of privacy regarding electronic payment systems highlights the importance of these, but it does not exclude that, in the same way, other financial data may require special guarantees, as is the case in the present case with the data collected pursuant to the provisions of Chapter II of the LPBCFT. Regarding the Guide on risk management and impact assessment in personal data processing of the AEPD, there is a difference between three types of economic data that must be assessed when determining the level of risk of a certain treatment for performing the DPIA, differentiating between these three data categories: • Data related to the “[e]conomic situation, (e.g., without being exhaustive, personal income, monthly income, assets (movable/immovable property), Employment situation)". These data are assigned a “medium risk.” • Data related to the “[f]ancial status (e.g., without being exhaustive, only financial maturity, debt capacity, debt level (Loans personal property, mortgages), solvency lists, defaults, assets (investment funds) sion, returns generated, shares, accounts receivable, income received, etc.), liabilities (expenses on food, housing, education, health, taxes, payments of credits, credit cards or personal expenses, etc.; or debts u obligations)". These data are also assigned a “medium risk.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/77 • “Data on payment methods (e.g., without being exhaustive, credit cards and information). formation of access to virtual currency services). In the case of these data is assigned a “high risk.” OPENBANK added in its allegations to the agreement to initiate this procedure: sanctioning authority that, in the criteria established by the AEPD for carrying out A DPIA includes in number 4 “[t]reatments that involve the use of catheters. special categories of data referred to in article 9.1 of the GDPR, data related to to convictions or criminal offenses referred to in Article 10 of the GDPR or data that allows determining the financial situation or solvency of assets or “produce information about individuals related to special categories of data.” And that the high risk that should justify the implementation of what said Agreement What is called “high-level security measures” would only be predicable, in OPENBANK, of the information that: • It refers to means of payment, that is, referring to the related data with those instruments that allow the interested party to acquire goods and services or enable you to cancel debts that you may have with third parties, apart from the non-exhaustive list of the document. • The one that allows determining the financial situation or solvency of a person. sona. In this regard, this Agency considers that the documentation requested by OPENBANK by virtue of the provisions of Chapter II of the LPBCFT, that is, “the support documentary related to the origin of a fund in your bank account (e.g., your payroll, employment contract, purchase and sale contract if it is an operation real estate, donation or inheritance, the invoice for the services provided that are satisfied by the beneficiary of those, the resolution declaring the perception of a certain aid, etc.)” contains data related to the economic situation and financial status of clients, of which allow determine the financial situation or asset solvency of a person, so require greater protection. Finally, OPENBANK alleges that this Agency's conclusion according to which “the data in relation to three deposits into bank accounts should be considered as “financial data”, and the information related to the origin of this income, without having strictly financial nature, is closely related to these banking movements, therefore, when information is provided on the origin of the income, in turn the movements in the bank account of the company are revealed. claiming party that the activities originating those income produce”, lacks any support that accredits it. And that, in any case, it is evident that they would not be same - and it cannot be claimed to be - the data classified as “financial” (bank account deposits) than the remaining data (information related to the origin of these incomes), which the proposed resolution considers “intimately related” to banking movements. In this regard, this Agency insists that it considers that the information regarding the origin of income in clients' bank accounts is information that is closely related to such banking movements and that contains data related to the economic situation and financial status of clients, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/77 that allow determining the financial situation or capital solvency of a person, so they require greater protection in response to the risks in the rights and freedoms of the interested parties. In this sense, we cannot fail to indicate that personal financial data jointly considered (those sent by the client by themselves, to which can add those that the bank already has) can reveal multiple aspects about the client, such as the financial situation or asset solvency as we have indicated. Thus, Opinion 1/15 of the Court of Justice (Grand Chamber) of July 26, 2017 establishes that, “128 On the other hand, even though some of the PNR data, taken in isolation, do not appear to be able to reveal important information about the private life of the people affected, it remains true that, together considered, such data may reveal, among other things, a travel itinerary complete, travel habits, existing relationships between two or several people as well as information about the economic situation of air passengers, their habits food or your health status, and could even provide sensitive data on such passengers, as defined in Article 2(e) of the Agreement foreseen”, risk that is also included in the STJUE of August 1, 2022. In any case, the LPBCFT itself recognizes that they are operations that entail probably a greater risk, so it was considered convenient to incorporate the need to carry out a data protection impact assessment of the treatments referred to in said article in order to adopt technical measures and reinforced organizational structures to guarantee the integrity, confidentiality and availability of personal data. IN CONCLUSION, the documentation requested by OPENBANK pursuant to the provided in Chapter II of the LPBCFT, that is, “the documentary support related with the origin of a fund from your bank account (e.g., your payroll, employment contract, purchase and sale contract if it is a real estate transaction, donation or inheritance, the invoice for the services provided that are satisfied by the beneficiary of those, the resolution by which the perception of a certain aid, etc.)” contains financial data related to the situation economic and financial status of the clients, which allow determining the financial situation or asset solvency of a person, so their treatment require greater protection in response to the risks in rights and freedoms of the interested parties. Therefore, this claim is rejected. 3. Regarding the enforceability of the so-called “high level measures” OPENBANK alleges that in the agreement to initiate this procedure sanctioner had invoked the requirement of a “high” security level, which did not was enforceable since the entry into force of the GDPR, and the proposed resolution is limited to indicate that it reproduced the text of article 32 of the LPBCFT in its current wording at the time the events occurred (which only reinforces what has already been indicated in relation to its improper application). But it must also be added that, although C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/77 Unless otherwise indicated, the Initiation Agreement, and the Proposed Resolution do They intended to mimetically apply to OPENBANK the regime prior to full application of the GDPR, since they refer to a measure, data encryption, which was expressly associated in said regulation with the so-called “security measures”. high level security.” And at this point, the proposal once again denies, although, in its opinion, there is a evidence that contradicts it in the file, that OPENBANK carried out a evaluation of the impact of the treatment on the rights of the interested parties, to determine the scope of the measures to be adopted, placing all the blame on OPENBANK in the fact that only one of all its clients “drew the attention [of OPENBANK] on this point”, not being satisfactory, in the opinion of the Agency, the response given by OPENBANK to that one. And this leads OPENBANK to question whether what the AEPD considers violated In this case it is your duty to adopt technical and organizational measures aimed at alleviating the risks of treatment, after analyzing said risks to through a data protection impact assessment, something that (in his opinion) the AEPD will not be able to deny that OPENBANK has carried out, or the object of the reproach of the AEPD is that it has not given the interested party's “concern” the response that it Authority considers appropriate, even though it is not possible to deny (in its opinion) that OPENBANK did respond to the request. In this regard, this Agency wishes to point out that the present sanctioning procedure refers solely and exclusively to the fact that OPENBANK did not apply, before and during the carrying out the processing in question, data protection from the design and by default, to ensure compliance with the principles enshrined by the GDPR (Article 25 of the GDPR), and did not adopt appropriate security measures based of the risk to protect the rights and freedoms of the interested parties (article 32 of the RGPD), in relation to the processing of data that is the subject of this procedure. I know has also indicated, and for greater completeness, that data protection from the Design is not exhausted by carrying out an impact evaluation. The references made by this Agency to the LPBCFT are to be understood only to reinforce the violations of data protection regulations that this Agency I would have noticed. However, this Agency will give a new wording to the legal foundations later, as indicated above. Likewise, this Agency wishes to point out that it has reviewed the measures adopted by OPENBANK regarding the information shared by users to give compliance with the obligations provided for by the LPBCFT and the reality is that they are not provided a secure means for customers to provide requested information, information that, in relation to the risks, could have a high impact on the rights and freedoms of its clients if it materialized, as can be seen from the own analysis carried out by OPENBANK in its documents called “Impact Assessment - Monitoring of clients and sensitive operations”, both in its version of August 2021 as that of October 2022. The fact that even when the The complaining party drew attention to this point by sending an email C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 32/77 to the address indicated to send the financial documentation, without obtaining no response from OPENBANK, further evidences the lack of awareness on this issue, given that he was also not provided with an alternative means of not even when he requested it. That is, what this Agency considers violated in this case is not only that OPENBANK, at the time of the facts, had not been carried out before carrying out the treatment in question or during carrying out an analysis that would ensure compliance with the principles of data protection nor did it adopt measures appropriate to the risk for the freedoms and rights of the interested parties, but also that OPENBANK has not given the “concern” of the interested party an adequate response, all of which does nothing more than demonstrate the non-adoption of data protection principles from the design and default. Regarding the analyzes carried out by OPENBANK in the documents called “Impact Assessment - Monitoring of clients and sensitive operations”, in its August 2021 version, which was not even current at the time of the events that are the subject of the claim, which took place in the month of July 2021, it had only been foreseen as a possibility for clients to send information through an encrypted message sending the password through another channel. And even in The aforementioned document mentions that “an internal lawsuit has been requested so that Interested parties can upload documents directly through the website, once they have logged in.” However, it has been possible verify that the complaining party was never given that possibility, not even in the initial communication sent by OPENBANK nor subsequently when it requested a secure alternative route for sending that communication. It was also found that In the communication model that was sent to clients, none of these options, only mention was made of the possibility of replying to the email email that was sent without giving further instructions on how it could be protected such information. It is curious that, despite not providing any sufficiently secure means to its clients to provide the information to which they were obliged, both documents in their 2021 and 2022 versions they recognize that the risk inherent in such treatment It had a high impact on the rights and freedoms of the interested parties. And, however, it is only in the October 2022 version that OPENBANK indicates that “customers will identify themselves by means of a DNI and access code to the private area of customer". Finally, OPENBANK alleges that in no case has it failed to respond to the concerns of the complaining party nor can it be considered that they exist in said response any threat of any kind, as indicated in the Proposed Resolution. OPENBANK has limited itself to highlighting that the absence of information to the same in relation to the origin of the funds in the disputed income will require that OPENBANK proceeds to block the account, as there may be indications, due to non-compliance with the regulations on the prevention of money laundering, of the existence of illicit conduct on the part of his client. In this regard, this Agency wishes to point out that it has not been provided to the party complainant a satisfactory response to his concern, since he was not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 33/77 provided an adequate means to provide the information requested by OPENBANK under Chapter II of the LPBCFT. In any case, it is worth clarifying at this time that, what OPENBANK calls “concern” on the part of the client, is nothing more than a person, his client, who intends your Fundamental Right to the Protection of Personal Data becomes effective Staff. As to whether there was any type of threat to the complaining party, we wish to remember the content of the customer communication model, effective in July 2021: “ Second communication: D+16 (…) In the event of not receiving the requested documentation in the next 15 days counting From the date of this communication, we inform you that Openbank can im- request the making of new deposits into your accounts in compliance with the regulations. is in force. (…)” (emphasis added) And the email sent to the complaining party on July 7, 2021 by OPENBANK said the following: “Dear Mr. A.A.A. (…) If you do not receive the requested documentation within 15 days from the date of this notice, Openbank may, in compliance with the applicable regulations, prevent new deposits from being made to your accounts. (…)” (emphasis is our) The content of the communications sent by OPENBANK to clients (among them, the complaining party), which requests the sending of the documentation in under Chapter II of the LPBCFT, contain a notice that if the aforementioned documentation within a period of 15 days, OPENBANK may prevent new income in your accounts. The dictionary of the Royal Spanish Academy explains that “threat” is a “said or fact that is threatened.” While “threatening” is that “said of something bad or harmful: Presenting itself as imminent to someone or something” and also “give indications of going to suffer something bad or harmful.” Blocking new deposits from customer accounts, of course it is something bad or harmful for those who suffer from it, no matter how much it may be, as OPENBANK says, “at there may be indications, due to non-compliance with the regulations on the prevention of money laundering of capital, of the existence of illicit conduct on the part of his client.” Including this information in communications directed to clients makes them The latter send the requested documentation even if they are not provided with the means appropriate for this (as the complaining party should have done), for fear of the possible unfavorable consequences for them, in this case, the blocking of their accounts. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 34/77 For all the above reasons, this allegation is rejected. THIRD.- ABOUT THE VIOLATION OF THE NON BIS IN IDEM O PRINCIPLE SUBSIDIARY TO THE EXISTENCE OF A MEDIA COMPETITION IN THE PRESENT CASE OPENBANK alleges that it is intended to be punished twice as a result of the same fact and for the violation of the same legal right, considering that it does not had established adequate security measures for the transmission (and consequent receipt by the former) of what was erroneously considered “data financial” and, at the same time, not having adopted such measures from the design of the treatment. Likewise, he alleges that, in the denied assumption that it was not considered that we were faced with a double sanction for the same act, resulting in violation the same protected legal asset, there was no doubt that the supposed absence of adequate security measures in the sending of documentation necessarily had its cause, in the opinion of the AEPD, inadequate analysis of risks carried out by OPENBANK, so that it would not have foreseen the implementation of such measures. In this way, if the violation of the non bis in principle was denied idem, what there was no doubt about was the existence of a medial competition between both violations. OPENBANK cites the proposed resolution of this sanctioning procedure in which the following is expressly stated in relation to the alleged violation of article 25 of the GDPR: “In this protocol, OPENBANK did not plan to offer its clients any communication channel with a high level of security, despite the fact that in the sixth clause of the contract with your treatment manager indicates that “the electronic transfers of Customer Information over networks Public or unsecured activities are carried out safely using security methods. appropriate encryption in accordance with Grupo Santander Policies.” By applying the aforementioned protocol, OPENBANK places the responsibility on the client. responsibility for secure communication, this being the one who must ensure the confidentiality and integrity of your personal data. In this point, Let us remember that, by virtue of the principle of proactive responsibility enshrined in article 5.2 of the RGPD, the controller, in In this case, OPENBANK is the one who must ensure the effective privacy and integrity of the personal data being processed.” OPENBANK indicates that the weight of the accusation of the alleged violation of the Article 25 of the RGPD is based on the fact that it had not established, in the opinion of the AEPD “no communication channel with a high level of security” transferring the interested party the responsibility of ensuring “the confidentiality and integrity of their personal information". That is to say, it is the Proposed Resolution itself that clearly indicates that the alleged lack of design of adequate technical and organizational measures refers, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 35/77 specifically, to the alleged lack of security measures in the shipment of the documentation, subsequently making an assessment about the supposed ineffectiveness of email encryption to ensure the integrity and data confidentiality. In this way, OPENBANK finds it certainly surprising that the company itself Proposal for a resolution states in a different place that in the present case it is not referring, when talking about the technical and organizational measures appropriate to the risk, to the measures related to the sending of documentation, whose supposed absence has been what has given rise to the communication directed by the party complainant to OPENBANK. In this regard, this Agency reiterates that a new wording will be given to the subsequent legal grounds, as indicated above. OPENBANK alleges that to support the alleged differentiation and, failing that, disconnection between both infractions, the AEPD points out in the legal basis III of the Proposed resolution, that the alleged violation of article 25 of the GDPR does not refer to the failure to take specific measures in the referral of the documents, but to the fact that said measures have not been communicated to the complaining party when it expressed concern about the way referral of those. However, OPENBANK understands that such an argument cannot be sustained, given that This alleged lack of communication would be caused by the fact that the measures of security whose violation is attributed to OPENBANK, and which were also subsequently implemented, did not exist at the time of the referral of such concern to OPENBANK. That is, we would simply find ourselves faced with the addition of a new element that does not alter the causal relationship between the infractions attributed to OPENBANK, given that the one now argued by the AEPD as the basis for the imputation of article 25 of the RGPD (lack of attention to the concern expressed by the interested party, who, even though might seem the opposite from reading the Proposal, if a response was given) it would bring its cause of the fact that, in the opinion of the AEPD, no security measures had been adopted. adequate security because OPENBANK had allegedly failed to carry out an adequate analysis of the risks of the treatment for the rights of the interested parties and adopted such technical and organizational measures. And all this would return us to the initial conclusion already expressed by OPENBANK: is imposing a double sanction for the same acts and the alleged violation of the same legal right or, at least, one of the alleged violations brings a direct cause and subsumes the other, to the point that if it is not If I had committed this one, the second one would not have been committed. And to this end, OPENBANK indicates that it is paradigmatic to observe how, despite its enormous effort, the Proposed Resolution does nothing more than ratify what was alleged Initiation Agreement, when the following is indicated on page 64 of the Proposal: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 36/77 “From the examination of the proven facts and the documentation in the file, two infringements can be clearly differentiated based on different facts and foundations. The commission of the violation of article 32 of the GDPR arises from OPENBANK's documentation requirement for clients (and specifically, the complaining party) following the communication provided for this purpose, in which the client is not informed of any secure means to provide the requested information. Not even when client requests the bank for an alternative means, as happened in the specific case of the complaining party, which had no choice but to send the aforementioned documentation by email since when contacting OPENBANK to that another option was provided, this did not happen. Therefore, no technical and organizational security measures were applied. appropriate by OPENBANK to carry out the treatment in question in general or even in response to the request made by the complaining party, data processing is carried out (remember that data collection is a processing operation according to article 4.2) of the GDPR), without the measures adequate security measures to guarantee the confidentiality of the treatment. On the other hand, the commission of the violation of article 25 of the RGPD is based on the fact that the OPENBANK protocol in force at the time of the events (March 2021) did not provide information on the method of sending the requested documentation. Lack of design is punished of an adequate system to comply with the principles of treatment, the GDPR requirements and guarantee the rights of data subjects.” That is, article 32 of the RGPD is considered violated because “it is not indicated to the client no secure means to provide the requested information” and by article 25 of the GDPR because the OPENBANK protocol “did not provide for providing information about the method of sending the requested documentation”, which is exactly what the same thing that has just been invoked as a reason for the imputation of article 32 of the GDPR. First of all, this Agency would like to point out that the violation of article 25 of the GDPR and the violation of article 32 of the RGPD, are violations that are classified as differentiated manner by violating different precepts that protect legal assets different, as will be explained below. Therefore it is something foreseen by the legislator, without the violation of one of the precepts preventing the other, which Furthermore, it does not per se violate the principle of non bis in idem. Likewise, although both infractions are classified as serious for the purposes of the prescription in the LOPDGDD, are outlined in different sections of article 73 of the LOPDGDD: “(…) d) The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the protection principles of data from the design, as well as the non-integration of guarantees necessary in the treatment, in the terms required by article 25 of the Regulation (EU) 2016/679. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 37/77 e) Failure to adopt appropriate technical and organizational measures to ensure that, by default, only personal data will be processed necessary for each of the specific purposes of the treatment, in accordance with as required by article 25.2 of Regulation (EU) 2016/679. f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. g) The bankruptcy, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance as required by article 32.1 of Regulation (EU) 2016/679. (…)”. Therefore, these are perfectly differentiated infractions. Secondly, article 31 of Law 40/2015, of October 1, on the Regime Law of the Public Sector (hereinafter, LRJSP) establishes: “No sanctions may be imposed the facts that have been criminal or administrative, in cases in which appreciate the identity of the subject, fact and foundation.” In the present case, the infringement for violating the provisions of article 25 of the RGPD is determined by inadequate data protection from the design and by default, in under which “the data controller will apply both at the time of determine the means of treatment as at the time of the treatment itself, appropriate technical and organizational measures. These measures do not have to be strictly security measures, an issue that is covered specifically in article 32 of the RGPD regarding the specific treatment, for which “the person responsible and the person in charge of the treatment will apply technical measures and “appropriate organizational measures to guarantee a level of security appropriate to the risk.” Article 25 of the GDPR is violated when those measures have not been adopted technical and organizational measures that are appropriate to effectively apply the principles of data protection from the design, as well as the non-integration of the necessary guarantees in the treatment, in the terms required by article 25 of the Regulation (EU) 2016/679, which may or may not occur due to absence or deficiency about security measures. The technical and organizational measures to which reference article 25 of the GDPR to apply data protection principles From the design they are not limited to strictly security measures. This would simplify the essence and spirit that inspires the GDPR, as well as the will of the legislator, since compliance with the RGPD is not limited to the implementation of technical and organizational security measures; which would mean, in the present case, reduce the guarantee required by Article 25 of the GDPR to its achievement only with security measures, leaving without effect and de facto the guarantees established by le GDPR. In this sense, article 25 of the GDPR establishes: “Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the processing, as well as the risks of varying probability and severity that the treatment entails for the rights and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 38/77 freedoms of natural persons, the person responsible for the treatment will apply, both at the time of determining the means of treatment as well as at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of data protection, such as data minimization, and integrate safeguards necessary in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties” (emphasis is our) This Agency reiterates that there are multiple technical or organizational measures that do not are security and can be implemented by the person responsible for the treatment as a channel to guarantee this principle. However, article 32 of the GDPR includes the obligation to implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Of security. Just for security. Furthermore, its objective is to guarantee a level of security appropriate to the risk while that in the case of article 25 of the RGPD, the management of the regulatory compliance with all GDPR. Therefore, as can be seen, the two articles pursue different purposes and protect different legal rights, although they may be related. Regarding the examination of non bis in idem, the Judgment of the National Court of 23 of July 2021 (rec. 1/2017) provides that: “(…) In accordance with the legislation and jurisprudence set forth, the principle non bis in idem prevents punishing the same subject twice for the same act with support on the same foundation, the latter understood as the same interest legal protected by the sanctioning regulations in question. Indeed, When the triple identity of subject, fact and foundation exists, the sum of sanctions creates a sanction unrelated to the proportionality judgment made by the legislator and materializes the imposition of a sanction not legally provided for which also violates the principle of proportionality. But for it to be possible to speak of "bis in idem" a triple identity between the terms compared: objective (same facts), subjective (against the same subjects) and causal (for the same foundation or reason of punish): a) Subjective identity assumes that the affected subject must be the same, whatever the nature or judicial or administrative authority that prosecute and regardless of who the accuser or specific body is that has been resolved, or that it is tried alone or in conjunction with other affected. b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real competition of infractions in which there is no before the same illegal act but before several. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 39/77 c) The identity of foundation or cause implies that the measures sanctions cannot occur if they respond to the same nature, that is That is, if they participate in the same teleological foundation, what happens between criminal and administrative sanctions, but not between punitive and merely coercive.” Taking as reference what was previously explained in this procedure sanctioning party, the non bis in idem principle has not been violated, since the violation of article 25 of the RGPD results in not having carried out adequate management of the regulatory compliance, while the violation of art. 32 of the GDPR boils down to absence and deficiency of security measures (security only) detected, present regardless of the request made by the complaining party. Although the complaining party had not made any request (many other clients will have limited themselves to sending the required documentation without considering anything) the measures security measures would, in themselves, be inadequate. And all this in the face of the allegations made by OPENBANK, which considers that in Both precepts require a single conduct, which is to implement security. appropriate. This is not true, since article 25 of the GDPR is not restricted to guarantee of security appropriate to the risk, but rather the adoption of measures that ensure the effective application of data protection principles and compliance with the requirements of the GDPR and protect the rights of data subjects. AND this not only through security measures, but through all types of measures appropriate technical or organizational Furthermore, this Agency reiterates what was stated in the aforementioned proposed resolution. tion. Regarding the violation of the provisions of article 25 of the RGPD, it is worth remembering that Data Protection by Design and by Default (PDDD) is a legal obligation, whose violation constitutes an infraction according to the provisions of article 83 of the GDPR. Data protection by design is part of the data management system. regulatory compliance, which involves conceiving and planning the treatment, verifying its compliance and being able to demonstrate it, all framed in a review process and continuous improvement, where privacy by design plays a fundamental role. Organizations must worry about establishing a true culture of data protection in the organization, where data protection is integrated into the regulatory compliance policies of those, from the very beginning of the design of the processing of personal data. For its part, the AEPD's “Privacy by Design Guide” defines it as follows: follows: “Privacy by design (hereinafter, PbD) involves using a risk management and proactive responsibility-oriented approach to establish strategies that incorporate privacy protection throughout the life cycle of the object (whether it is a system, a hardware or software product, a service or a process). The life cycle of the object means all the stages C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 40/77 that it goes through, from its conception to its withdrawal, passing through the phases development, putting into production, operation, maintenance and retirement.” And in the resolution of the sanctioning procedure PS/00001/2021, this Agency has considered that “Proactive responsibility implies the implementation of a model compliance and management of the GDPR that determines widespread compliance of data protection obligations. It includes the establishment, maintenance, updating and control of data protection policies in a organization, especially if it is a large company, - understood as the set of guidelines that govern the performance of an organization, practices, procedures and tools -, from privacy from the design and by default, that guarantee the compliance with the RGPD, that prevent the materialization of risks and that allows demonstrate compliance." In the present case, the lack of design of the treatment by the of OPENBANK, since the data collection activity of clients in the so-called “treatment life cycle” of their Excel file data protection impact assessment document (provided during the trial period of this procedure); Therefore, by not even foreseeing this activity, the risks present in the treatment are not identified or evaluated, it is not have applied the appropriate technical and organizational measures to effectively implement effective data protection principles (among others those provided for in article 5 of the GDPR, relating to confidentiality) and comply with the requirements of the GDPR and protect the rights of interested parties. It has also become clear that the organization did not have a appropriate procedure to properly respond to a customer's concern on a data protection issue, since in the present case the party In his email dated July 10, 2021, the complainant expressed his disagreement regarding to send the data via an unencrypted email. It even indicates that he asked OPENBANK but was offered no other option. Furthermore, the complaining party provides the solution that is later adopted by OPENBANK, as it said “…the bank does not offer the possibility to upload data securely, for example, to through the client portal (…)”. And he requested that they “check the process from the point of view of data protection and, where appropriate, take the appropriate measures.” However, it is not until the beginning of this sanctioning procedure that OPENBANK has reviewed this issue and adopted a new solution in order to comply with data protection regulations. Regarding the violation of article 32 of the RGPD, this is based on that the only communication channel for sending documents offered to clients (including the complaining party), as stated in the proven facts, was to reply to the email itself, and that said means of delivery was not a means appropriate depending on the risk that could exist for the rights and freedoms of the interested. In the specific case, OPENBANK did not provide its client with a means appropriate to provide the documentation even despite the warnings of the complaining party in this sense, so the shipment was made without the measures of adequate security. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 41/77 And this despite the fact that documents 4 and 5 presented by OPENBANK together with its allegations, called “Impact evaluation - Customer monitoring and sensitive operations”, version August 2021 and October 2022, respectively, in section “13. Security” the risk has been classified as high impact. Besides, In the October 2022 version, the following indication has been included on page 43 on “Control and residual risk”: “It has been ensured that the communication channels with clients as a result of issues related to the prevention of money laundering and financing of terrorism, you have the necessary technical measures to guarantee the protection of your personal data. Clients will identify themselves by means of their ID and access key to the private client area.” Subsidiarily, regarding the application of technical and organizational measures reinforced to the treatment in question, it can be stated that the fact that a treatment as a whole is not considered high risk and does not have to undergo a data protection impact assessment, does not mean that they should not be applied security measures appropriate to the greatest risk presented by any of the activities or stages of the processing in question, in accordance with the provisions of the article 32 of the GDPR. According to OPENBANK's approach, only certain reinforced security measures, to high-risk treatments, but This idea does not correspond to what is established in the RGPD where the measures must be appropriate to the risk present in each of the treatment phases. In the treatment cycle, which includes various and different activities, not all risk has to be uniform, there may be different levels of risks in the different stages of treatment, depending on the activities that constitute it. AND if in a phase there is a greater risk, although not all the treatment is of a greater risk risk, appropriate measures should be implemented. Consequently, these are two different facts with different legal bases. In Article 25 of the RGPD, the legal good that is protected is compliance with the RGPD, regarding the obligation to design the treatment in its entirety, identifying and assessing the risks to the rights and freedoms of the interested parties for the purposes of implement appropriate technical and organizational measures for effective application of the principles of data protection, to comply with the management of compliance with the GDPR; which has not happened in this case, as it has not even been evaluated (not even before nor during the performance of the treatment) the possibility for clients to send the information required under Chapter II of the LPBCFT and how to ensure the compliance with the provisions of the GDPR. And not even a response was given to the concern, to the problem raised by the complaining party regarding the protection of your personal data in this matter. The system did not even have a planned alarm at any issue that could affect the rights and freedoms of clients regarding data protection, this is a procedure implemented by the responsible for the treatment that was launched in the event of any failure of the system, whether alerted by a client, by an employee or detected by the company itself company. In this case it was the submission of documentation with financial data, but could have been any data protection issue raised that affected the rights and freedoms of the interested parties. On the contrary, the system limited itself to answering with an automatic response, without analyzing the substance of what was raised by the party complainant and without providing a satisfactory response (that is, without providing a appropriate means to share such information). And the person responsible for the treatment, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 42/77 OPENBANK also did not get to work after the request made by the client, implementing a system that would prevent leaving its clients helpless when they ask any question, any problem regarding the protection of data. It should be remembered that this is a fundamental right. Of risks in rights and freedoms of the interested parties. To avoid its materialization. If nothing is provides, in the terms of the preventive risk approach system established by the GDPR, sooner or later the risk is going to materialize. For its part, article 32 GDPR refers to the security of the processing, that is, to the protection of personal data subject to processing regarding the application of measures that guarantee a level of security appropriate to the risk, established by the person responsible for the treatment, a provision violated in the present case, where carried out a treatment by OPENBANK, in which the interested party a secure means to provide the information required by OPENBANK, which which caused that in the specific case of the complaining party had to send the documentation requested through a simple email, despite having requested the bank for an alternative means to do so, without this having been provided. All this despite the fact that OPENBANK in its documents recognizes that it was a risk of “high” impact on the rights and freedoms of the interested parties. For all the above reasons, this allegation is rejected. Regarding the existence of a medial competition of infractions, in addition to what has already stated, this Agency wishes to point out that article 29 of the LRJSP does not result from application to the sanctioning regime imposed by the RGPD, given that the RGPD has its own principle of proportionality. And this is because the GDPR is a closed and complete system. The GDPR is a European standard directly applicable in the Member States, which contains a new, closed, complete and global system intended to guarantee the protection of personal data uniformly throughout the Union European. In relation, specifically and also, to the sanctioning regime provided in the same, its provisions are applicable immediately, directly and integral, providing for a complete system without gaps that must be understood, be interpreted and integrated in an absolute, complete, integral manner, thus leaving the Its ultimate purpose is the effective and real guarantee of the fundamental right to Personal data protection. The opposite determines the loss of the guarantees of the rights and freedoms of citizens. In fact, a specific example of the lack of loopholes in the system of GDPR is article 83 of the GDPR that determines the circumstances that can operate as aggravating or mitigating circumstances with respect to an infringement (art. 83.2 of the RGDP) or that specifies the existing rule regarding a possible medial competition (art. 83.3 of the GDPR). To the above we must add that the RGPD does not allow the development or realization of its provisions by the legislators of the Member States, safe from what C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 43/77 the European legislator himself has specifically provided for, delimiting it in a very concrete (for example, the provision of art. 83.7 of the RGPD). The LOPDGDD only develops or specifies some aspects of the RGPD as far as it allows and with the scope that it allows. This is because the intended purpose of the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of natural persons, that corrects behavior contrary to the RGPD, that encourages compliance, which enables the free circulation of this data. In this sense, recital 2 of the GDPR determines that: “(2) The principles and rules relating to the protection of natural persons in With regard to the processing of your personal data, they must, Whatever their nationality or residence, respect their freedoms and fundamental rights, in particular the right to data protection of a personal nature. This Regulation aims to contribute to the full realization of an area of freedom, security and justice and of a union economic, to economic and social progress, to the reinforcement and convergence of economies within the internal market, as well as the well-being of Physical persons". (emphasis is ours) And recital 13 of the GDPR indicates that: “(13) To ensure a consistent level of protection of natural persons throughout the Union and avoid divergences that hinder the free flow of data within the internal market, a regulation is necessary that provide legal certainty and transparency to economic operators, including micro, small and medium-sized enterprises, and offer natural persons in all Member States the same level of enforceable rights and obligations and responsibilities for responsible and in charge of the treatment, in order to guarantee a consistent supervision of personal data processing and sanctions equivalents in all Member States, as well as effective cooperation between the supervisory authorities of the different Member States. The good functioning of the internal market requires that the free circulation of data personal property in the Union is not restricted or prohibited for reasons related with the protection of natural persons with regard to the processing of personal information". (emphasis is ours) In this system, the determining factor of the GDPR is not the fines. The corrective powers of the control authorities provided for in art. 58.2 of the RGPD conjugated with the provisions of art. 83 of the GDPR show the prevalence of corrective measures against fines. Thus, art. 83.2 of the GDPR says that “Administrative fines will be imposed, in depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in article 58, paragraph 2, letters a) to h) and j). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 44/77 In this way the corrective measures, which are all those provided for in art. 58.2 of RGPD except the fine, have prevalence in this system, the fine being relegated economic to cases in which the circumstances of the specific case determine that a fine be imposed together with corrective measures or in lieu of the themselves. And all this with the purpose of forcing compliance with the RGPD, avoiding non-compliance, encourage compliance and ensure that infringement is not more profitable than non-compliance. Therefore, art. 83.1 of the RGPD prevents that “Each supervisory authority will guarantee that the imposition of administrative fines pursuant to this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” Fines must be effective, proportionate and dissuasive to achieve the purpose intended by the GDPR. For this system to work with all its guarantees, it is necessary that several elements are deployed in an integral and complete manner. The application of foreign rules to the RGPD regarding the determination of fines in each of the States members applying their national law, whether due to aggravating circumstances or extenuating circumstances not provided for in the RGPD -or in the LOPDGDD in the Spanish case allow it by the RGPD itself-, either by the application of a media competition other than the provided in the RGPD, would reduce the effectiveness of the system, which would lose its meaning, its teleological purpose, the will of the legislator, resulting in the fines imposed for different infractions they would cease to be effective, proportionate and dissuasive. And of This way would also deprive the interested parties of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. The mechanisms for the protection of the rights and freedoms of citizens and would be contrary to the spirit of the GDPR. The GDPR is endowed with its own principle of proportionality that must be applied in its strict terms. And this is because there is no legal loophole, there is no supplementary application of art. 29 of the GDPR. In addition to the above, it should be noted that there is no legal gap regarding the application of the media contest. Neither the RGPD allows nor the LOPDGDD requires the application supplementary provisions of art. 29 of the LRJSP. In Title VIII of the LOPDGDD related to “Procedures in case of possible violation of data protection regulations”, article 63 that opens the Title is provides that "The procedures processed by the Spanish Protection Agency of Data will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, in as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.". Although there is a clear reference to the LPACAP, it does not a subsidiary application is established in no way with respect to the LRJSP that does not C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 45/77 contains in its articles any provision relating to administrative procedure some. In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in art. 29 of the LRJSP, since the RGPD establishes its own, therefore, There is no legal loophole or subsidiary application of the same, nor is it possible to apply section relating to media competition and for identical reasons. For its part, regarding the analysis of the specific case that is the object of this procedure sanctioning, it should be noted that without the application of art. 29 of the LRJSP For the reasons stated, there would be no media competition either. Article 29.5 of the LRJSP establishes that “When an infraction is committed necessarily derives the commission from another or others, only the “sanction corresponding to the most serious infraction committed.” Well, the medial competition takes place when in a specific case the commission of An infraction is a necessary means to commit a different one. The established facts determine the commission of two different infractions, without the violation of article 25 of the RGPD, as OPENBANK asserts, is the means necessary by which the violation of article 32 of the RGPD occurs. It is possible that in the application by the controller of the privacy by design and by default, in order to meet the requirements of the GDPR and protect the rights and freedoms of data subjects, incorporating an approach of data protection from the design and by default, technical measures are adopted and organizational security that do not guarantee a level of security adequate to the risk to the rights and freedoms of natural persons. And vice versa, a data controller may not perform an analysis in conditions of the measures that guarantee regulatory compliance with the organization, but that has adopted security measures that do are appropriate, because they serve that purpose and were already implemented. As previously indicated, in the present case, the lack of treatment design by OPENBANK, since it has not been including the activity of collecting customer data in the so-called “collection cycle”. treatment life” of your Excel file of impact evaluation document of data protection (provided during the trial period of this procedure); Therefore, since this activity is not even foreseen, the rules have not been applied. appropriate technical and organizational measures to effectively apply the data protection principles (among others, confidentiality) and comply with the GDPR requirements and protect the rights of data subjects. It has also become clear that the organization did not have a appropriate procedure to properly respond to a customer's concern on a data protection issue, since in the present case the party In his email dated July 10, 2021, the complainant expressed his disagreement regarding to send the data via an unencrypted email. It even indicates that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 46/77 he asked OPENBANK but was offered no other option. Furthermore, the complaining party provides the solution that is later adopted by OPENBANK, as it said “…the bank does not offer the possibility to upload data securely, for example, to through the client portal (…)”. And he requested that they “check the process from the point of view of data protection and, where appropriate, take the appropriate measures.” However, it is not until the beginning of this sanctioning procedure that OPENBANK has reviewed this issue and adopted a new solution in order to comply with data protection regulations. Regarding the violation of article 32 of the RGPD, this is based on that the only communication channel for sending documents offered to clients (including the complaining party), as stated in the proven facts, was to reply to the email itself, and that said means of delivery was not a means appropriate depending on the risk that could exist for the rights and freedoms of the interested. In the specific case, OPENBANK did not provide its client with a means appropriate to provide the documentation even despite the warnings of the complaining party in this sense, so the shipment was made without the measures of adequate security. And this despite the fact that documents 4 and 5 presented by OPENBANK together with its allegations, called “Impact evaluation - Customer monitoring and sensitive operations”, version August 2021 and October 2022, respectively, in section “13. Security” the risk has been classified as high impact. Besides, In the October 2022 version, the following indication has been included on page 43 on “Control and residual risk”: “It has been ensured that the communication channels with clients as a result of issues related to the prevention of money laundering and financing of terrorism, you have the necessary technical measures to guarantee the protection of your personal data. Clients will identify themselves by means of their ID and access key to the private client area.” For all the above reasons, this allegation is rejected. FOURTH.- ABOUT OPENBANK'S COMPLIANCE WITH THE PRINCIPLE OF DATA PROTECTION BY DESIGN OPENBANK alleges that: • Privacy by design refers to the comprehensive analysis of the treatment and of the risks that it may bring for the rights and freedoms of the interested. In this way, this principle could only be considered to have been breached if it is proven that the sanctioned party had not carried out carried out that process, so that the fact that the result of it is not coincident with what the AEPD considers appropriate does not imply a lack of compliance with article 25 of the RGPD but, where appropriate, the infringement of another of their forecasts. The AEPD in its Proposed Resolution does not even make a minimum assessment about this allegation, which he completely ignores, trying again to link the alleged non-compliance with the principle of privacy by design with the simple fact that the interested party has not been offered an alternative means for sending C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 47/77 the documents that were requested by OPENBANK to prove the origin of the funds from three operations carried out therein, as imposed by the LPBCFT. In this regard, this Agency wishes to point out that article 25 of the RGPD does not entail only a “comprehensive analysis of the treatment and the risks that it may present” provide for the rights and freedoms of the interested parties”, but also requires that appropriate technical and organizational measures are applied to effectively apply data protection principles are effective and the necessary guarantees are integrated to comply with the requirements of the GDPR and protect the rights of data subjects. In In this sense, article 73. d) of the LOPDGDD considers a serious infringement for the purposes of the prescription “The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the principles of protection of data from the design, as well as the failure to integrate the necessary guarantees in the treatment, in the terms required by article 25 of the Regulation (EU) 2016/679”. In the present case, it is not only that it was not offered to the interested party (nor to clients in general) an alternative means for sending documents requested under Chapter II of the LPBCFT, but rather it is that the responsible for the treatment did not foresee said treatment, which is evident in the impact assessment document valid in July 2021 (document provided during the evidence phase of this sanctioning procedure) in which The aforementioned treatment was not even contemplated (the sending of such documentation by part of the clients). And that only in August 2021 was such treatment incorporated in the client monitoring impact evaluation, although it was not until October 2022 that the possibility was incorporated for clients to send documentation to through the OPENBANK client area, a possibility raised by the party claimant already in July 2021 and that the same 2021 document provided as possibility to be implemented. And this is not even taking into account that the same 2021 impact assessment considered that the potential impact on human rights and freedoms of the interested parties was high. OPENBANK also alleges that the legal basis III of the Proposal Resolution adds an additional issue that was not in the Initiation Agreement and that is now incorporated into it in order to justify the change of focus in the imposition of this sanction: the lack of privacy by design is due to the fact that OPENBANK has not foreseen mechanisms that allow “feedback” to the analysis previously carried out and take into account the feedback that the person responsible for the treatment the interested parties can provide. That is, privacy by design not only requires an analysis of the risks derived from the treatment which, it must be said, in this case have not been materialized in any way, but requires modifying the circumstances and characteristics of this treatment based on the feedback received from the interested parties, so that, in response to a communication addressed to OPENBANK by an interested party Specifically, Article 25 of the GDPR will only be considered complied with if OPENBANK modifies the risk assessment previously carried out and also modifies the technical and organizational measures that the processing entails, even when C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 48/77 said feedback only refers to an alleged potential risk, and never accredited, referred by a single client. In this regard, this Agency wishes to point out that OPENBANK is correct in stating that the data protection from design and by default implies adopting the mechanisms necessary to continually reevaluate the treatments carried out, which It implies, among other measures, having “mechanisms that allow “feedback” to the analysis previously carried out and take into account the feedback that the person responsible for the treatment that the interested parties can provide”, if applicable. Regarding the need for the risks derived from the treatment to be materialize, it should be noted that Article 25 of the GDPR does not require that such risks occur, on the contrary, requires that appropriate measures be adopted precisely to prevent such risks from materializing. Finally, this Agency wishes to indicate that it is not intended that a communication made by a specific interested party “only article 25 of the GDPR if OPENBANK modifies the previously carried out risk assessment and It also modifies the technical and organizational measures that the treatment entails, even if said feedback only refers to an alleged potential risk, and never accredited, referred by a single client.” But in the present case neither has not even been given a course due to the problems presented by the party claimant nor has it been proven that mechanisms had been arbitrated to provide you with other means, more appropriate depending on the existing risk to your rights and freedoms, for which you could provide the information requested. What's more, in August 2021 the impact assessment document of customer monitoring had already indicated that the impact on rights and freedoms of the interested parties was high and that the possibility of Clients will provide the requested information through the bank's private area. But it was not until October 2022, more than a year later, that such a possibility was enabled. All this only shows that OPENBANK had not implemented in your organization a data protection approach by design and by default, at least in relation to the treatment that is the subject of this sanctioning procedure. OPENBANK alleges that it had carried out an adequate risk assessment derived from the treatment, establishing the appropriate measures to alleviate them and including adopting measures related to the issue analyzed herein file prior to the moment in which the complaining party contacted contact with it, even if its implementation was later. And that at the time the events that gave rise to the present occurred procedure, OPENBANK had carried out an impact assessment on the data protection in relation to treatments linked to compliance with the due diligence obligations provided for in the LPBCFT. That is, he had made a detailed analysis of the risks derived from the treatment and implemented the appropriate measures to mitigate these risks. In this sense, the fact that the AEPD considers a supposedly insufficient measure cannot imply that due to the itself denies that the measures were adopted, as seems to be indicated in the Resolution Proposal. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 49/77 In this regard, this Agency wishes to point out that document 4 provided together with the allegations to the agreement to initiate this sanctioning procedure indicates that it is dated August 2021, while the first email sent to the complaining party is from July 7, 2021. Therefore, this document is after the events claimed. Regarding the analysis of the risks carried out in the aforementioned document, this Agency reiterates what has already been indicated above about why the article is considered violated 25 of the GDPR. OPENBANK indicates that it has provided the various impact evaluations on the data protection that has been carried out in relation to this processing, although it does not can deny his surprise at the fact that it does not appear in the file administrative the one sent in response to the request for evidence made by that one and that was attached to the letter addressed by OPENBANK to that AEPD on date 19 December (page 699 of the administrative file), which is not accompanied by the aforementioned Impact evaluation. In this regard, this Agency wishes to point out that when the copy of the file is generated for sending to OPENBANK, the document with the impact evaluation at the time of the In fact, since it is an Excel file, its contents do not appear in the copy. generated, but it is incorporated into the information systems of this Agency and reference is made to its content both in the proven facts and on the legal foundations of this resolution. OPENBANK also alleges that the AEPD seems to deny the virtuality of the aforementioned documents, even going so far as to refer to qualifying as “alleged evaluation of impact” that which provided for the establishment of mechanisms so that documents could be provided by interested parties in their private area of the website and the OPENBANK App, something that is expressly stated in the evaluation carried out by OPENBANK. And at this point, OPENBANK wishes to clarify that the evaluations provided (its content, actually) may not coincide with what that AEPD expects, but in in no way can they be classified as “supposed” unless the Agency accredits have evidence that allows making such an assertion. Understand OPENBANK that the consideration made by that AEPD lacks the slightest foundation and represents a very serious accusation directed against OPENBANK which, as At the very least, it should have some support that allows converting a document adopted by OPENBANK in a “supposed” document. At the same time, hardly A document in which measures are incorporated can be classified as “supposed”. that, with greater or lesser speed, have been effectively implemented by OPENBANK. In this regard, this Agency wishes to point out that the documents provided by OPENBANK together with its allegations to the initiation agreement and during the evidence of this sanctioning procedure is not properly presented signed, making it impossible to prove their authenticity and integrity or guarantee your date. Nor has this Agency entered into evaluating the content of the cited documents as to whether or not they comply with the requirements demanded of a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 50/77 personal data protection impact assessment in the terms required by the GDPR. Hence the qualification of “assumptions” that this Agency made in its resolution proposal. OPENBANK alleges that the AEPD does not in any way prove that the risks invoked by it throughout the procedure have not only materialized, what that in no case has happened, but that they exist in reality, since it focuses its foundation on the alleged insufficiency of email as a means of communication, despite the fact that OPENBANK has already demonstrated the validity of this means for the transmission of information. In this regard, this Agency reiterates that article 25 of the RGPD does not require that such risks occur, on the contrary, it requires that measures be adopted appropriate precisely to prevent such risks from materializing. Likewise, OPENBANK alleges that, taking into consideration that both the AEPD and the EDPB consider that the evaluation of the impact of treatment on the rights of interested parties must be a dynamic and successively reviewed process, OPENBANK carried out successive evaluations. However, the AEPD denies value any to the fact that this process implied the subsequent adoption of other measures complementary for the contribution of the documents, given that the continuous review of treatments, defended by the AEPD itself, is now considered by the AEPD a reactive process (even if at the time it occurred there was no any claim on the matter) and constituting a mere “patch”. And if for “patch” should be understood, according to the Dictionary of the Royal Spanish Academy, a “provisional, and in the long run unsatisfactory, solution given to some problem”, It seems that this apparently insufficient solution is the one that the AEPD considered applicable in this case. OPENBANK considers, at this point, that the Proposed Resolution cannot simultaneously maintain one idea and the opposite with the objective of sanctioning it: do not It is possible to say that OPENBANK did not adopt measures from the design to achieve the minimization of treatment risks through successive review of the impact evaluations carried out in relation to the treatment and, at the same time time, consider that the measures adopted as a consequence of that evaluation, that coincide with those that the AEPD considers appropriate, are a mere patch, it is That is, they are not satisfactory to solve the supposed problem posed in relation to the means used to send documents. Nor is it possible to blame OPENBANK for the fact that the measures were not implemented. “before the system is in operation”, referring again to the consideration of the measures implemented as a “patch”. As has already been said, OPENBANK is obliged to require its clients to provide proof of the origin of the funds, that is, to put the aforementioned “system” into operation, from the less the entry into force of the LPBCFT. And on that date there was no rule that made reference to the principle of privacy by design or the obligation to carrying out an impact assessment on data protection, without prejudice to that OPENBANK adopt the technical and organizational measures that it considered appropriate to mitigate any risk that the treatment could cause in the right to the protection of personal data of their clients. The AEPD seems C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 51/77 consider that OPENBANK had to be aware of a series of obligations that, However, they would not be adopted into a legal text until six years after the start of the treatment and were not fully applicable until eight years had elapsed since said date. OPENBANK considers that it is not reasonable to require obligations from it unknown or that proceeds to interrupt the compliance processes of the regulations for the prevention of money laundering, with the consequent non-compliance of this regulation, as a consequence of the entry into force of the RGPD, although in In any case, it reiterates that it carried out the corresponding impact evaluation on the data protection as well as the adoption of technical and organizational measures that They allowed us to mitigate any risks derived from the treatment. In this regard, this Agency recognizes that it is possible that the use of the term “patch” in your proposed resolution has not been the most accurate, which is why a new wording will be given, which does not prevent this Agency from maintaining that OPENBANK has not implemented data protection by design and by default, Regarding the treatment that is the subject of this sanctioning procedure, for all the reasons previously detailed in detail. The answer has been reactive and not proactive, and generated once the claim raised by the interested before the supervisory authority. Finally, this Agency reiterates that although it is true that the approach of the RGPD and The LOPDGDD was completely new with respect to the regulations for the protection of previous data, it is no less true that OPENBANK had more time than sufficient throughout the three years (six years if counted from the adoption of the RGPD text) that elapsed between the approval of the RGPD (April 2016), until that the RGPD was applicable (May 2018, which granted two long years for the preparation and adaptation to the RGPD) and the facts that are the subject of the claim to which it gave this sanctioning procedure takes place (July 2021) to adapt its treatments in accordance with the provisions of articles 25 and 32 of the RGPD (four years if you have Keep in mind that measures were recently adopted so that customers could share the requested information through your private area in October 2022). Of course, it would have been impossible to have a protection approach. data from the design before carrying out the treatment, when it took place many years before the GDPR existed, but it is undeniable that the principle of Data protection by design does not only imply that the measures should be prior to the treatment, but article 25 of the RGPD itself indicates “both in the at the time of determining the means of treatment and at the time of the treatment itself. treatment”, that is, not only beforehand but throughout that treatment takes place and whenever the means of treatment are determined, which is a decision that is also made over time, as they change the circumstances and possibilities of each moment. For all the above reasons, this allegation is rejected. FIFTH.- REGARDING THE ALLEGED VIOLATION BY OPENBANK OF THE ARTICLE 32 OF THE GDPR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 52/77 It is alleged that the measure adopted by OPENBANK could not be considered contrary to established in article 32 of the RGPD, resulting in the existing measure at the time of events occur, that is, the sending of documentation proving the origin of funds, appropriate in view of the risks that the treatment could produce in the rights of clients. And that in no case could the conclusion be reached that the email did not was the appropriate means to carry out said shipments in view of the above by the National Cryptological Center, which, far from considering the use of email as undesirable, showed how the main providers of this service had adopted measures aimed at encrypting and authenticating emails electronics. However, it is recognized that the report from the National Cryptological Center indicated that There are users who make “careless” use of the email service. Without However, it alleges that it is not possible for OPENBANK to adopt the measures technical and organizational applicable to the data processing carried out by it taking into account the more or less careless use that users may make of the email services, since this implies moving to OPENBANK the responsibility for the actions of their clients, which in no way can considered in accordance with the principle of responsibility enshrined in our sanctioning regulations. It is alleged that in the face of these arguments, the Proposed Resolution, however carry out the reproduction of the content of the Home Agreement in its basis of right VIII, limits itself to refuting the allegations with the categorical statement that “this Agency if it doubts that email constitutes a means of communication secure way to send documentation when its confidentiality must be guaranteed, As is the case, this is the reason for the imputation of the violation of article 32 of the RGPD”, subsequently invoking what was stated in the aforementioned Center report National Cryptology. In this sense, OPENBANK alleges that, barring error on its part, in the numerous reports, resolutions, guides and directives from that AEPD, as well as in the emanating from the EDPB, there is no known indication that would allow OPENBANK consider that the use of email should be a measure that had to be prohibited regarding the receipt of personal data for subsequent processing. refers. There is no doubt that this measure constitutes the usual and customary technique of communication between subjects bound by data protection regulations, belonging to any sector of activity, and their clients and, however, they are not knows that it had been questioned by that AEPD until now sanctioning file. This represents a change in criteria that, at the very least, can be described as surprising for OPENBANK and which, however, implies the imposition of sanctions for a total amount of 2,500,000 euros. And this sanction is imposed based on the mere existence of a communication addressed to OPENBANK by a client in which the production is in no way credited, much less the materialization of a risk to your right to data protection. Thus, we would find ourselves facing what the ruling of the Contentious Chamber C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 53/77 Administrative of the National Court of December 23, 2022 (recourse 104/2021) qualifies as “a potential infraction that is not punishable by the regulations of data protection”. In this regard, this Agency wishes to point out that, in the present case, due to the special protection that the data provided by clients required, due to the greater risk that what it meant for their rights and freedoms, as explained in detail Previously, reinforced security measures had to be adopted. In the present case, this Agency considers that the sending of the requested information under Chapter II of the LPBCFT by a simple email was not an appropriate measure based on the risk to the rights and freedoms of Physical persons. And this not only because of the careless use that could be made of the mail electronic. The aforementioned report from the National Cryptological Center indicated that some of the measures referred to, adopted by the most important mail providers known, were susceptible to being attacked and that, even if they were establish communication satisfactorily, the mail servers through which Pass the email until reaching the destination, they would have access to its content. Hence concluded that “it follows that it is not enough to delegate email security electronic to the underlying technologies responsible for delivering it to your addressee". Nor was it foreseen in the client monitoring protocols to provide any type of customer assistance to encrypt sent documents or any other facility, for what information sent via email would be expected to Nor will it have such an additional security measure, which is not found either. widespread among users and requires certain technical knowledge. In this sense this Agency indicated that making security depend on the level of technical knowledge of the client himself and that he has the appropriate tools This involved a transfer of risk from OPENBANK to the client. Regarding the fact that OPENBANK should have adopted the measures based on the most or less careless that users can make of mail services electronic, this Agency considers that it implies a transfer of the risk to OPENBANK for the actions of its clients, but it is a more risky that probable and expected, that OPENBANK should have evaluated and tried to prevent produce, especially taking into account that the bank itself assessed that the impact that could have such treatment in the rights and freedoms of natural persons was high, as stated in the impact evaluation of August 2021. As to the fact that neither in the reports, resolutions, guides and directives of the AEPD nor of the EDPB is aware of any indication that would allow OPENBANK to consider that the use of email should be a measure that had to be outlawed in terms of receipt of personal data for subsequent processing is concerned, it is necessary remember that it is not the case that sending email constitutes a means not safe in any case and with respect to any treatment, but it is undeniable that in the present case it was not an appropriate means to share the information required under Chapter II of the LPBCFT, which required the adoption of certain reinforced measures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 54/77 Regarding the fact that it is sanctioned with a fine of 2,500,000 euros on the basis of a communication addressed to OPENBANK by a client in which the materialization of a risk to your right to data protection, this Agency wishes to point out that the violation of article 32 of the RGPD, although it was known as a result of a complaint from an OPENBANK client, it is no less It is true that the infringement that is verified is not only with respect to that client but of all OPENBANK clients, since the only possibility provided to its clients for the sending of the documentation requested under the Chapter II of the LPBCFT until October 2022 was to send the aforementioned information through a simple email. And regarding the fact that the risk to their rights and freedoms, this Agency points out that article 32 of the GDPR does not require that such a risk materialize, on the contrary, it is about take appropriate measures to prevent such risk from materializing. Therefore, not In the present case, it is “a potential infraction that is not punishable by the data protection regulations”, but it has been found that the measures adopted for the sending of the documentation requested under Chapter II of the LPBCFT were not appropriate based on the increased risk that this information could imply for the rights and freedoms of natural persons. Finally, OPENBANK wants to clarify what it provided as Document number 9 together with his brief of allegations to the Startup Agreement (page 654 of the file administrative), certification issued by the Director of Technology and Operations of OPENBANK, which literally stated the following: “That in accordance with what is defined in the Technological Development Plan of Openbank, as of October 13, 2022, the entity has enabled within the area private of the web page (access username and password required) a space for clients to provide the required documentation in compliance with the provisions of article 6 of Law 10/2010, of April 28, prevention of money laundering and terrorist financing whose text reads like this: “Article 6. Continuous monitoring of the business relationship. The obligated subjects will apply continuous monitoring measures to the business relationship, including scrutiny of operations carried out throughout said relationship in order to guarantee that they coincide with the knowledge that the obligated subject has of the client and his business and risk profile, including source of funds and ensure that the documents, data and information available are up to date.” And that the proposed resolution is limited to indicating that OPENBANK does not accredit the date of making the described procedure available to its clients. In this regard, this Agency wishes to point out that it is certain that 13 of October 2022 the possibility that customers can provide the information required under Chapter II of the LPBCFT through its private area of the OPENBANK website. SIXTH.- ABOUT THE VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 55/77 OPENBANK alleges that the aggravating circumstances for the violation of article 25 of the RGPD and the Article 32 of the GDPR of the proposed resolution contains almost literally the same considerations, which, in his opinion, only highlights the absolute identity of the two conducts imputed to OPENBANK, thus The non bis in idem principle, already invoked previously, is applicable. In this regard, this Agency reiterates what has already been stated in its response to the alleged violation of the non bis in idem principle. OPENBANK points out that the AEPD considers that the sanction is proportional, given that is significantly lower than the 885 million euros that constitutes 2% of the turnover volume of Grupo Santander, to which OPENBANK belongs, in the year 2021. And that for this purpose it invokes the doctrine of the Court of Justice of the European Union in relation to the consideration of the term “company”, citing various sentences. However, OPENBANK considers it necessary to disagree with this consideration, given that the AEPD has in no way demonstrated at any time during the procedure that, beyond holding 100% of the share capital of OPENBANK, the Group Santander plays a decision-making role in OPENBANK's policies and, even less so, that their actions regarding compliance with data protection regulations (including conducting data protection impact assessments or determination of the technical or organizational measures to be adopted in relation to a certain treatment) proceeds or is even interfered with minimally by the Santander Group, this power of influence being the determining factor used by the jurisprudence invoked in the Proposed Resolution so that It is appropriate to apply the concept of company established in Union law and that, Therefore, the amount of the penalty can be calculated from the turnover volume of the Santander Group and not exclusively of OPENBANK. And in this sense, it is necessary to reiterate that it is up to the AEPD to accredit that decision-making power, beyond the ownership of the shareholding, without having no proof of charge has been made in this sense. On the contrary, as it will turn out evident to the naked eye by simply consulting their websites, the policies of privacy of OPENBANK and the other companies of the Santander Group are different, with OPENBANK having a data protection delegate who does not links maintained with those of the other companies of the Group. Therefore, it is not possible to carry out the calculation established in the Proposed Resolution and which, at most, must be carried out on OPENBANK's business volume, for more than that OPENBANK is a company that is part of the Santander Group. On the contrary, as will be evident at first glance by simply consulting their websites, the privacy policies of OPENBANK and the other Santander Group companies are different, with OPENBANK having a delegate of data protection that no connection maintains with those of the remaining Group companies. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 56/77 In this regard, this Agency wishes to remember that, as stated in the “Annual Report 2021” from the Santander Group, Banco Santander S.A. owns 100% of the stake direct from OPENBANK, as well as 100% of the voting rights in OPENBANK. Therefore, the decision-making power that Banco Santander S.A. has. about OPENBANK It is more than decisive, it is absolute. The fact of having policies of different privacy or a data protection officer without any connection with those of the remaining companies of the Group would not change this situation either. In this sense, article 39.1 “Functions of the data protection officer” of the GDPR states that: "1. The data protection officer will have at least the following functions: a) inform and advise the person responsible or in charge of the treatment and the employees who are in charge of the processing of the obligations that they are incumbent under this Regulation and other provisions of data protection of the Union or the Member States; b) supervise compliance with the provisions of this Regulation, in order other Union or State data protection provisions members and the policies of the controller or processor in matters of personal data protection, including the assignment of responsibilities, awareness and training of personnel who participate in treatment operations, and the corresponding audits; c) offer the advice requested about the evaluation of impact relating to data protection and monitor its application of accordance with article 35; d) cooperate with the supervisory authority; e) act as a contact point for the supervisory authority for issues relating to the treatment, including the prior consultation referred to in the article 36, and make consultations, where appropriate, on any other matter.” As can be seen, in none of these functions is there any reference to the fact that the data protection officer has some type of decision-making power, which is reserved to the person responsible for processing personal data, logically. Therefore, this claim is rejected. OPENBANK alleges that the Proposed Resolution considers that it is not appropriate to take into account takes into account the measures taken to allow the upload of related documents with the origin of the funds through the clients' private area, although it does not provide a single argument in this sense. And that, however, the AEPD is perfectly aware that such a measure was already agreed as corrective at the time of carrying out the impact assessment in the data protection carried out in August 2021 and recorded in the file, although, as the AEPD knows perfectly well, the implementation processes of technical measures within the framework of an organization like OPENBANK imply successive processes that extend over time. On the contrary, OPENBANK alleges that the proposal does not hesitate to consider that the The fact that this measure has been adopted must harm or aggravate the conduct of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 57/77 bank, given that, surprisingly, the AEPD understands that this corroborates the lack of OPENBANK's diligence, which is incomprehensible, given that it would harm the that adopts a process that is even more guaranteeing than that required for the benefit of those who do not takes any action in this regard. In this regard, this Agency wishes to point out that at the beginning of this sanctioning procedure (August 26, 2022), not even to the signing of the initial agreement in which the aggravating factors of the violations of the articles 25 and 32 of the GDPR (October 3, 2022), OPENBANK had not yet implemented the possibility for clients to provide the requested information in under Chapter II of the LPBCFT through its private area of the website, the which was newly enabled as of October 13, 2022, so it cannot be valued as mitigating. However, this circumstance has been taken into account account when assessing the duration of the infractions as well as to not impose measures that OPENBANK must adopt in this regard. Regarding the fact that having adopted this measure seems to harm the bank, this Agency wishes to reject such statement. It is not that it harms you but that it is Agency considers that the fact that in the impact assessment document of August 2021 the possibility of implementing such a measure would have already been requested, taking into account the possible high impact that such treatment could have on the rights and freedoms of natural persons and that it was not until October 2022, more than a year later, that such possibility was implemented, even though the implementation processes require certain deadlines, in the opinion of this Agency the mentioned deadlines have exceeded what is reasonable and has shown a negligent attitude by OPENBANK in this regard. Finally, this Agency wishes to highlight that of course this criterion in any “would harm anyone who adopts a process that is even more guaranteeing than that required in benefit of those who do not carry out any measure in this sense", but rather On the contrary, whoever did not adopt any measure in this sense would obviously have a greater reproach, his attitude would be assessed as even more seriously negligent, the The duration of the violation would be longer and in addition to the fine, measures would be imposed. to comply with the provisions of the RGPD. Regarding the number of people affected by the treatment, OPENBANK alleges that The Proposed Resolution contains two paragraphs that cannot be considered, in in no way acceptable on their own terms. In fact, the The argument made by the AEPD on this point is, in its entirety, the following: “OPENBANK describes the application of this criterion as “a prioriism lacking of the slightest foundation.” However, it obeys the purest logic to consider that a sanction cannot be graduated in the same way when, due to the lack of With appropriate measures, the treatment potentially affects nearly two million of clients, as in the present case. If a person were punished in the same way entity with a small number of interested parties that could be potential affected than a large company, then the principle of proportionality. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 58/77 Furthermore, OPENBANK alleges that according to the certificate provided by the bank, the number of clients impacted by this type of operations, an average of close to 13,000 interested parties in the last two years confirms that the lack of measures appropriate technical and organizational measures can put a large number of people at risk. people, most of whom email personal data relating to his assets without any measure to protect his confidentiality.” OPENBANK indicates that the most basic arithmetic rule allows us to conclude that it is not possible to refer, as terms equal or equivalent to two million clients and 13,000 (in total, and not as an annual average). However, from the reasoning from the AEPD it seems to be deduced that both terms are equal, given that the reproach which was incorporated in the Commencement Agreement, which only took into account the potential affectation of two million clients is maintained in the proposed Resolution that, However, he seems to consider that 13,000 is the figure that must be taken into account. AND Keep in mind that the ruling of the National Court of December 23, 2022, already mentioned, denies the AEPD the ability to impose sanctions for potential breaches of personal data protection regulations, The doctrine supported in said sentence being perfectly extrapolated to the present case. In this regard, this Agency reiterates that in the present case it is not about “potential breaches of personal data protection regulations” but that breaches of articles 25 and 32 of the RGPD have taken place, even when the risks that these articles are intended to avoid have not materialized, which is the purpose of such regulations. Regarding the number of people affected, this Agency will take into consideration that the number of potential affected is the total number of OPENBANK clients (two million of clients), which are those whom the bank could request to provide the documentation required under Chapter II of the LPBCFT, while the The number of interested parties directly affected has been 13,000 clients on average annually, which would give a total of 65,000 clients, taking into account that there would be 13,000 customers directly affected by year, since May 2018 (when it resulted from application of the RGPD) to October 2022 (when the possibility of providing the documentation through the private area of the bank's website), which would be the clients who OPENBANK has required to provide documentation under of what is provided for in Chapter II of the LPBCFT, who have not been provided with a appropriate means for shipment. Regarding the alleged aggravation of the sanction as a consequence of the alleged appreciated negligence, and regardless of whether the concurrence of that in its conduct, OPENBANK alleges that what was stated by the AEPD is It follows that the existence of fraud or negligence in the actions of a person responsible or treatment manager must be taken into consideration to aggravate your responsibility, when in reality this fact cannot simply be considered aggravating factor, but rather a sine qua non condition to be able to appreciate the concurrence of responsibility, as an essential element so that it can be subject of sanctioning reproach for a certain conduct. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 59/77 That is, with the reasoning carried out by the AEPD, the conclusion is reached that an element that, in any case, must be valued to appreciate the responsibility of an entity also operates as an aggravating factor. In this way, any violation of The data protection regulations are aggravated by the fact that responsibility in the insertion. In this regard, this Agency wishes to point out that the negligence appreciated in the conduct of OPENBANK is not the mere negligence required by our legal system, as a subjective element of the infringement. But it is negligence especially serious, since every time the company did not carry out an analysis in conditions of risks to the rights and freedoms of the interested parties, which could entail sharing the documentation required under the LPBCFT to through a medium that was not sufficiently secure, nor were security measures adopted. appropriate security measures to provide an environment that would not jeopardize the confidentiality of this information, not even when a client (as in the case specific of the complaining party) requested an alternative means of providing the required documentation, you were not provided with a response to your concern nor were you provided with a secure means of communication for this purpose, nor was an adequate course given to such request that would allow the suitability of the chosen means of communication to be re-evaluated by the entity to share such information. OPENBANK also alleges that the Proposed Resolution refers to the nature of the data being processed as an aggravating circumstance, limiting itself to indicating that it does not take into consideration the fact that they are qualified as “financial data”, something that OPENBANK considers distorted. However, at Regardless of the nature of such data, what cannot be denied is that the AEPD has considered to have occurred the infractions referred to in the Proposal for Resolution based on the nature of the data being processed, so that converts what has been considered an element of the type into a circumstance aggravating circumstance, thus violating the most basic principles of administrative law sanctioner. In this regard, this Agency rejects that in the present case the nature of the data object of treatment constitute an element of the offending type. The obligation to adopt data protection from design and by default, as well as the obligation to have appropriate security measures based on the risk for the rights and freedoms of natural persons, must be fulfilled regardless of the nature of the data being processed. What is certain is that in the present In this case, these are data that deserve special protection, so it is clear application of the aggravating circumstance detailed in section g) of article 83.2 of the RGPD. Finally, OPENBANK alleges that the AEPD takes into consideration the business or traffic of the bank repeatedly to aggravate the amount of the penalty. Thus, (i) the first of the circumstance is taken into consideration to reinforce the potential impact of the facts; (ii) at the same time, with respect to negligence, the conduct of the OPENBANK, understanding that due to its sector of activity, a special diligence; and (iii) finally, OPENBANK's business or traffic is considered to be linked to the performance of treatments, which must entail this triple aggravation derived from this fact. That is, in the opinion of the AEPD when an entity belonging to the banking sector commits an alleged infraction, his conduct must be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 60/77 be triply aggravated by the mere fact of what their activity is, which can hardly be considered in accordance with the principle of proportionality. In this regard, this Agency wishes to point out that it only considers the turn or traffic of the bank to aggravate the amount of the sanction with respect to the aggravating factor contemplated in the article 76.2 of the LOPDGDD, on the linking of the offender's activity with the processing of personal data, whenever the business activity OPENBANK requires continuous processing of personal data. However, not It is less true that in assessing the degree of diligence required, the also the professionalism of the subject, so when the activity of the person responsible is “constant and abundant handling of personal data” requires a greater diligence, in accordance with the provisions of the Court's Judgment National of 10/17/2007 (Rec. 63/2006). IV Assessment of the test carried out The lack of a secure means of sending documentation in the “Protocol of communications to clients due to AML/FT alerts: OPENING AND MANAGEMENT OF GAPS March 2021 version”, argued in the initiation agreement, motivated the need to verify effective compliance with the data protection principles of the treatment in question, for which it was deemed appropriate to analyze the evaluation of impact of data protection carried out by OPENBANK. On the occasion of the allegations to the initiation agreement presented, the document 4.- “Impact Evaluation - Monitoring of clients and operations sensitive (version August 2021)”, and document 5.-, “Impact Assessment - Monitoring of clients and sensitive operations (version October 2022)”, both documents incorporated into the file of this procedure. However, none of these documents was in force at the time of the events, since The request made by OPENBANK to the complaining party occurred on July 7, 2021. Consequently, it was deemed appropriate to open a trial period. In the document provided by OPENBANK during the trial period, there is no contemplates in its risk assessment the data collection activity when its Clients were required to send documentation in compliance with the LPBCFT, as occurs in the alleged object of this sanctioning procedure. IV Special protection of data provided under Chapter II of the Law 10/2010, of April 28, on the prevention of money laundering and financing of terrorism (LPBCFT) The need for special protection of personal data of a nature financial is a criterion shared with the European Data Protection Committee (CEPD), which, in compliance with the objective of guaranteeing the coherent application of the General Data Protection Regulation (as attributed to article 70 of the GDPR) has developed guidance to provide a clear and transparent for setting sanctions by supervisory authorities C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 61/77 national laws (Guidelines 04/2022 on the calculation of administrative sanctions under the GDPR). In section 4.2.3 of the aforementioned Guidelines, the following is stated (translation not official): “Categories of personal data affected 58. Regarding the requirement to take into account the categories of personal data affected (Article 83(2)(g) GDPR), the GDPR clearly highlights the types of data that deserve special protection and therefore a response stricter in terms of fines. This refers, at a minimum, to the data types covered by articles 9 and 10 of the GDPR, and to data outside the scope of application of these articles whose dissemination causes immediate harm or distress to the interested party (e.g. location data, data on private communications, national identification numbers or financial data, such as summaries of transactions or credit card numbers).” For its part, article 32 bis of Law 10/2010, added by art. 3.15 of the Real Decree-Law 7/2021, of April 27, requires reinforced measures for subjects obliged to process personal data related to the scope of application standard: “… 4. The obligated subjects must carry out an impact evaluation on the data protection of the treatments referred to in this article in order to adopt reinforced technical and organizational measures to guarantee the integrity, confidentiality and availability of personal data. These measures must in "In any case, guarantee the traceability of data access and communications." (he emphasis is ours) In compliance with the LPBCFT, obligated entities can process data financial, but not only data of this category are also processed personal of diverse nature: identification, contact or economic (business, professional, investment...). Data protection in Compliance with the LPBCFT cannot be limited by the applicable criteria as only one of these data, when what you are trying to protect is access to the information that all these personal data represent, not only individually, but to their joint treatment. For its part, the “Guidelines on impact assessment relating to the protection of data (DPIA) and to determine whether the treatment "is likely to entail a high "risk" for the purposes of Regulation (EU) 2016/679", in what is of interest here they indicate: “In order to offer a more concrete set of treatment operations that require a DPIA due to their inherent high risk (…) the following nine criteria: 1. Evaluation or scoring, including the development of profiling and prediction, especially of “performance-related aspects.” at work, economic situation, health, personal preferences or interests, the reliability or behavior, situation or movements of the interested party» (considerations 71 and 91). Some examples of this may include an institution financial institution that investigates its clients in a credit reference database C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 62/77 or in a database against money laundering and terrorist financing or about fraud…” (emphasis added). The activity carried out by OPENBANK under the provisions of Chapter II of the LPBCFT, by which clients are asked to provide the “support that justifies a certain income, since they will allow clarifying the origin of the funds that have been entered into the client's account at OPENBANK” is part of a financial institution that researches its clients in a possible database against money laundering and terrorist financing, which is why they are operations that probably involve greater risk. And so much so, that they are operations that probably entail greater risk, that the LPBCFT itself considered it convenient to incorporate the need to carry out a data protection impact assessment of the treatments to which referred to in said article in order to adopt reinforced technical and organizational measures to guarantee the integrity, confidentiality and availability of personal data. For completeness, Chapter 9.2 of the Manual on European legislation on the subject of data protection, prepared by the European Union Agency for Fundamental Rights, the Council of Europe, the European Court of Rights Human and the European Data Protection Supervisor where it refers to the “financial data”: “Although financial data is not considered data sensitive under Convention 108 or the General Regulation for the Protection of data, its processing requires special guarantees that guarantee the accuracy and data security. In particular, electronic payment systems need incorporate data protection measures, that is, protection of privacy or the data from the design and by default.” The mention of privacy protection Regarding electronic payment systems, the importance of these is highlighted, but it does not exclude that, in the same way, other financial data may require special guarantees, as occurs in the present case with the data collected in by virtue of the provisions of Chapter II of the LPBCFT. Regarding the Guide on risk management and impact assessment in personal data processing of the AEPD, there is a difference between three types of economic data that must be assessed when determining the risk level of a certain treatment for performing the DPIA, differentiating between these three data categories: • Data related to the “[e]conomic situation, (e.g., without being exhaustive, personal income, monthly income, assets (movable/immovable property), Employment situation)". These data are assigned a “medium risk.” • Data related to the “[f]ancial status (e.g., without being exhaustive, only financial maturity, debt capacity, debt level (Loans personal property, mortgages), solvency lists, defaults, assets (investment funds) sion, returns generated, shares, accounts receivable, income received, etc.), liabilities (expenses on food, housing, education, health, taxes, payments of loans, credit cards or personal expenses, etc.; or debts u obligations)". These data are also assigned a “medium risk.” • “Data on payment methods (e.g., without being exhaustive, credit cards and information). formation of access to virtual currency services). In the case of these data is assigned a “high risk.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 63/77 The documentation requested by OPENBANK pursuant to the provisions of Chapter II of the LPBCFT, that is, “the documentary support related to the origin of a fund from your bank account (e.g. your payroll, employment contract, sales contract if It is a real estate transaction, donation or inheritance, the invoice for the services provided that are satisfied by the beneficiary of those, the resolution by the that the receipt of a certain aid is declared, etc.)” contains data related to the economic situation and financial status of clients, that allow determining the financial situation or capital solvency of a person, so they require greater protection. Information regarding the origin of income in clients' bank accounts is information that is closely related to such banking movements and containing data related to the economic situation and financial status of clients, of which they allow the financial situation or solvency to be determined assets of a person, which is why they require greater protection. In summary, all of the above means: 1.- That the personal data requested under Chapter II of the LPBCFT deserve special protection, due to the greater risk they imply for the rights and freedoms of natural persons. 2.- That the obligated subjects must carry out a protection impact evaluation of data for this type of processing, in order to adopt technical measures and reinforced organizational structures to guarantee the integrity, confidentiality and availability of personal data. SAW Data protection by design and by default Article 25 “Data protection by design and by default” of the GDPR establishes: “1.Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and seriousness that the treatment entails for the rights and freedoms of people physical, the person responsible for the treatment will apply, both at the time of determining the means of treatment such as at the time of the treatment itself, technical measures and appropriate organizational measures, such as pseudonymization, designed to apply effective data protection principles, such as data minimization, and integrate the necessary guarantees in the treatment, in order to meet the requirements of the this Regulation and protect the rights of the interested parties. 2.The data controller will apply the technical and organizational measures with a view to ensuring that, by default, they are only processed the personal data that are necessary for each of the specific purposes of the treatment. This obligation will apply to the amount of personal data collected, to the extension of its treatment, its conservation period and its accessibility. Such C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 64/77 measures will in particular ensure that, by default, personal data are not accessible, without human intervention, to an indeterminate number of people physical. 3.A certification mechanism approved in accordance with Article 42 may be used as an element that certifies compliance with the obligations established in the sections 1 and 2 of this article.” This article is part of the general obligations that Chapter IV of the GDPR establishes the controller, imposing a design obligation at the time of determining the means of treatment, which must guarantee effectively comply with data protection principles. In the present case, the lack of design of the treatment by the of OPENBANK, since the data collection activity of clients in the so-called “treatment life cycle” of their Excel file data protection impact assessment document (provided during the trial period of this procedure) in force at the time of the events claimed; Therefore, since this activity is not even foreseen, the rules have not been applied. appropriate technical and organizational measures to effectively apply the data protection principles (among others, confidentiality) and comply with the GDPR requirements and protect the rights of data subjects. Regarding the analyzes carried out by OPENBANK in the documents called “Impact Assessment - Monitoring of clients and sensitive operations”, in its August 2021 version, which was not even current at the time of the events that are the subject of the claim, which took place in the month of July 2021, it had only been foreseen as a possibility for clients to send information through an encrypted message sending the password through another channel. And even in The aforementioned document mentions that “an internal lawsuit has been requested so that Interested parties can upload documents directly through the website, once they have logged in.” However, it has been possible verify that the complaining party was never given that possibility, not even in the initial communication sent by OPENBANK nor subsequently when it requested a secure alternative route for sending that communication. It was also found that In the communication model that was sent to clients, none of these options, only mention was made of the possibility of replying to the email email that was sent without giving further instructions on how it could be protected such information. It is curious that, despite not providing any sufficiently secure means to its clients to provide the information to which they were obliged, both documents in their 2021 and 2022 versions they recognize that the risk inherent in such treatment It had a high impact on the rights and freedoms of the interested parties. And, however, it is only in the October 2022 version that OPENBANK indicates that “customers will identify themselves by means of a DNI and access code to the private area of customer". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 65/77 What is certain is that the communication directed to the client complied with the provisions of the document provided by OPENBANK as a protocol to request documentation to clients under the LPBCFT and the communication addressed to clients does not indicated no means of providing that information, beyond the possibility of respond to the aforementioned email. In any case, to comply with data protection from the design and therefore Indeed, it is not enough to simply have a protocol document or communication model, if later upon reviewing said documents it is found that they do not A forecast was made in conditions on the technical and organizational measures appropriate to effectively apply the principles of data protection and provide the necessary guarantees in the processing in order to comply with the requirements of the RGPD and protect the rights of the interested parties, as provided in article 25.1 of the GDPR. Nor is it sufficient to have documents that establish protocols or procedures. to follow, if later in practice when carrying out the treatment they are not also provided. little appropriate measures to implement data protection principles nor are they inter- great guarantees necessary to comply with the requirements of the GDPR. In the present case, it has been proven that in the current impact evaluation At the time of the claimed events, the treatment of the data provided by clients under the provisions of Chapter II of the LPBCFT. And that in July 2021 the complaining party was asked to send finished information, which could have a high impact on their rights and freedom. des, by email, without giving him further instructions on how he could send such information through a secure channel. It has also been proven that the complaining party had told the bank his concern in this regard and had requested that a safe means be provided to share such information. But, given the bank's refusal, he had no other option. tion than sending the requested information through a simple email, to his displeasure and despite having expressed his reluctance. And even the complaining party expressly gave that his concern be taken into account and a means be enabled safe in the future to share this type of information. However, in the August 2021 documents that OPENBANK provided together with their allegations to the initial agreement, no other means is foreseen. From the content of the documentation that appears in the file, it has been proven do: - That in “Annex I - Communications to clients to request information and/or documentation by PBC” of the document ““COMMUNICATION PROTOCOL- NES TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND MANAGEMENT OF GAPS”, dated March 2021, in the first communication addressed to the client, in which he is asked to prove the origin of the funds, there is no provision indicate a specific means by which you must provide such information to OPEN- BANK. And that in the second communication that is addressed to the client, it is not foreseen nor indicate a means by which to provide such documentation to the bank, but C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 66/77 The text includes the threat that if the documentation is not received requested in the next 15 days OPENBANK may prevent the realization tion of new income into your accounts. - That on July 7, 2021, OPENBANK requested the complaining party to send documentation that accredited the origin of certain funds, under the threat that in 15 days they could prevent new deposits into your account, without indicate any means by which such information should be provided. - That on July 10, 2021, the complaining party provided the requested documentation. tada expressing his disagreement because when he asked about the form of send such information, they told him to do so by email, without further. And in this email that is sent, the complaining party indicates that it does not considers it a safe means, which is done through this medium because it is was forced to do so, and even he himself provides as an example of half-hearted I guarantee the possibility of sending it “through the client portal”, a possibility that it was not provided to you from OPENBANK. Also please check the process from the point of view of data protection and take measures timely. However, this email only received an acknowledgment of receipt automatic from the bank, on July 13, 2021. - In the document “Impact evaluation - Customer and operation monitoring - “sensitive information”, dated August 2021, it is expected that the interested party can respond to the email with an encrypted message sending the password via another channel. And it has been requested that it could be done directly through from the website section, once logged in. - In the document “Impact evaluation - Customer and operation monitoring - sensitive data”, October 2022, it is expected that clients will authenticate using your ID and access code to the private client area. - In the document “COMMUNICATIONS PROTOCOL TO CUSTOMERS BY TRANSACTIONAL MONEY PREVENTION SURVEILLANCE ALERTS CAPITAL CHALLENGE AND FINANCING OF TERRORISM (PBC/FT)”, from October 2022, it is indicated that clients will be informed to upload the document mention through the private area of the OPENBANK website. And in the “Annex I- Communications to clients to request information and/or documentation by an AML/CFT transactional surveillance alert” the client is instructed to send documentation through the “Customer Area” of the OPENBANK website. That is, the protocol in force at the time of the events (March 2021) does not pre- provided information on the method of sending the requested documentation. gives. In July 2021, the complaining party drew attention to this issue in the email which he sends on July 10, 2021 to OPENBANK. But the bank ignores it and not even At any rate, he was given an answer to his concern, which clearly dealt with a question. protection of personal data, which also shows the lack of a process OPENBANK's internal system to channel these issues. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 67/77 In August 2021, OPENBANK foresees the possibility for clients to send the reference documentation through an encrypted email and providing the password. ña through another email (without specifying which one). And it is indicated that the possibility was requested that this documentation could be provided through the customer area of the OPENBANK website. And it is not until October 2022 that communication protocols and documents of the supposed impact assessment of this issue specifically incorporate that clients can provide the requested documentation through the website of OPENBANK, logging into your client area. That is, the solution was adopted to be able to provide this information through the client area a year and a half after the update protocol was adopted. March 2021 and more than a year after the complaining party had called drawn attention to this specific issue and that the document of alleged impact assessment of this issue would have already foreseen it as a possibility which had to be followed up. All of this shows that OPENBANK did not apply a data protection approach of the design neither before nor during the treatment. In article 25 of the RGPD, the legal good that is protected is compliance with the GDPR, regarding the obligation to design the treatment in its entirety, identifying and assessing the risks to the rights and freedoms of the interested parties the effects of implementing appropriate technical and organizational measures to effective application of data protection principles, to comply with management compliance with the GDPR; which has not happened in this case, as there has not even been evaluated (neither before nor during the treatment) the possibility that the Clients will submit the information required under Chapter II of the LPBCFT and How to ensure compliance with the provisions of the GDPR. And you don't even know responded to the concern raised by the complaining party regarding the protection of your personal data in this matter. The system did not even have a planned alarm at any issue that could affect the rights and freedoms of clients in terms of data protection, this is a procedure that was put running in the event of any failure of the system itself. On the contrary, the system was limited to respond with an automatic response, without analyzing the substance of what was raised by the complaining party and without providing a satisfactory response (that is, without providing an appropriate means of sharing such information). Therefore, in the present case, it is not only that the interest was not offered provided (nor to clients in general) an alternative means for sending documents. ments requested under Chapter II of the LPBCFT, but rather it is that in the impact evaluation document in force in July 2021 (document provided during the testing phase of this sanctioning procedure) it was not even con- tempered the aforementioned treatment (the sending of such documentation by the clients). tes). And that only in August 2021 was such treatment incorporated into the evaluation of impact of customer monitoring, although it was not until October 2022 that it was incorporated created the possibility for clients to send documentation through the customer service area. OPENBANK client, a possibility raised by the complaining party already in July 2021 and that the same 2021 document provided as a possibility to be implemented. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 68/77 gives. And this is not even taking into account that the same 2021 impact assessment considered that the possible impact on the rights and freedoms of the interested parties he was tall. In accordance with the evidence available at this time resolution of sanctioning procedure, it is considered that the known facts are constituting an infraction, attributable to OPENBANK, due to violation of article 25 of the GDPR. VII Classification of the violation of article 25 of the GDPR The aforementioned violation of article 25 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) d) The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the principles of data protection from the design, as well as the non-integration of the necessary guarantees in the treatment, in the terms required by the article 25 of Regulation (EU) 2016/679. (…)” VIII Penalty for violation of article 25 of the GDPR For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available resolution of the sanctioning procedure, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in the article 83.2 of the GDPR: As aggravating factors: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 69/77 - The nature, severity and duration of the infraction, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damage and damages they have suffered (section a): For not having applied certain measures appropriate technical and organizational measures, which guarantee the effective application of the principles of personal data protection, and integrate the guarantees necessary in order to comply with the requirements of the GDPR and protect the rights of two million potentially affected customers and 65,000 customers directly affected, at least from May 2018 to October 2022. Section 54.b.iv of CEPD Guidelines 04/2022 includes, as one of the circumstances to be assessed in the graduation of the sanction: “The number of specifically interested, but also potentially affected”, and, clarifies in relation to this criterion: “The higher the number of interested parties involved, the greater weight the control authority may have attributing this factor. In many cases it can also be considered that the infringement assumes "systematic" connotations and, therefore, can affect, even in different times, additional data subjects who have not submitted complaints or reports to the supervisory authority. The supervisory authority may, in Depending on the circumstances of the case, consider the relationship between the number of affected stakeholders and the total number of stakeholders in that context (e.g. example, the number of citizens, clients or employees) in order to evaluate “if the violation is systemic in nature.” - Intentionality or negligence in the infringement (section b): OPENBANK has been seriously negligent, since every time the company did not carry out a proper analysis on how to properly apply effective data protection principles and integrate guarantees necessary in sending the documentation requested to clients under of the LPBCFT, in order to comply with the requirements of the RGPD and protect the rights of the interested parties not even when a client (as in the specific case of the complaining party) drew attention to this issue, nor was it given a course appropriate to such request that would allow reevaluation of the adequacy of the means of communication chosen by the entity to share such information. By the way of the degree of diligence that the person responsible for the treatment is obliged to deploy in compliance with the obligations imposed by the regulations of data protection, the Judgment of the National Court of 10/17/2007 (Rec. 63/2006). Although it was issued before the GDPR came into force, its This statement can be perfectly extrapolated to the case at hand. The cited Judgment, after alluding to the fact that the entities in which the development of its activity involves continuous processing of customer and third party data must observe an adequate level of diligence, stated that “(...) the Supreme Court has been understanding that imprudence exists whenever disregards a legal duty of care, that is, when the offender fails to comply behaves with the required diligence. And in the assessment of the degree of diligence The professionalism or not of the subject must be especially considered, and it is not possible doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data must insist on rigor and exquisite care to comply with preventions legal in this regard.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 70/77 - The categories of personal data affected by the infringement (section g): In the present case, it is requested that the origin of various amounts received in the interested party's account, which implies a greater risk to the rights and freedoms of the data subject, so These are data that deserve special protection. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As an aggravating factor: - The linking of the offender's activity with the performance of treatment personal data (section b): The development of the business activity that OPENBANK performs requires continuous processing of personal data. The balance of the circumstances contemplated in article 83.2 of the RGPD and 76.2 of the LOPDGDD, with respect to the infraction committed by violating the provisions of the article 25 of the RGPD, allows imposing a penalty of €1,500,000 (one and a half million of euros). IX Security measures Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data of quickly in case of physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to takes into account the risks presented by data processing, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 71/77 3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the person responsible or in charge and has access to personal data can only process said data following instructions of the person responsible, unless it is obliged to do so by virtue of the Law of the Union or the Member States. In the present case, neither in the March 2021 protocol nor in the email sent by OPENBANK to the complaining party on July 7, 2021, indicated no means of communication for sending the requested documentation by OPENBANK. The only communication channel for sending documents was reply to the email itself, since, furthermore, no other one offered the customer. In the specific case, OPENBANK did not provide its client with an appropriate means to provide the documentation even despite the warnings of the complaining party in this sense, so the shipment was made without adequate security measures. And this despite the fact that documents 4 and 5 presented by OPENBANK together with its allegations, called “Impact evaluation - Customer monitoring and sensitive operations”, version August 2021 and October 2022, respectively, in section “13. Security” the risk has been classified as high impact. Just in In the October 2022 version, the following indication has been included on page 43 on “Control and residual risk”: “It has been ensured that the communication channels with clients as a result of issues related to the prevention of money laundering and financing of terrorism, you have the necessary technical measures to guarantee the protection of your personal data. Clients will identify themselves by means of their ID and access key to the private client area.” In this sense, email cannot be considered an appropriate medium for guarantee a level of security appropriate to the risk in the sending of documentation that contains personal data of those provided under Chapter II of the LPBCFT, of which require special protection, taking into account the regulations on the prevention of money laundering, the nature of the data that is are dealing with and the GDPR. Regarding email security, the “Good Practices Report” of May 2021, CNN-CERT BP02, from the National Cryptological Center, a service assigned to the National Intelligence Center, whose mission is to contribute to the improvement of Spanish cybersecurity, includes a series of email vulnerabilities and of the various ways in which they can be attacked, as well as recommendations of security. Section 4.2 of said Report describes the “Security of communications via email”, with the following statements on pages 37 to 39: “The protocol involved in this sending process is SMTP. This protocol has been used since 1982 and when it was implemented, measures were not taken into account C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 72/77 security measures such as encryption or authentication of communications. This This means that the entire sending process described above would be carried out in text plane, that is, at any point in the transmission an attacker could see and manipulate the content of emails. Due to these shortcomings in SMTP they have gone developed various technologies and extensions that allow incorporating measures of security to guarantee authentication, integrity and encryption of communications via email. Some of the best known technologies are STARTTLS, SPF, DKIM and DMARC…Although the best-known email providers such as Google, Yahoo and Outlook encrypt and authenticate emails using this type of technologies, many organizations continue to make careless use of email electronic. Also keep in mind that these technologies must be implemented at both the source and destination so that they can be used. Likewise, some of these measures are susceptible to attack. For example, STARTTLS is susceptible to downgrade attacks, where an attacker on a man-in-the-middle situation may force you not to carry out the negotiation TLS (replacing the STARTTLS string would suffice). Even if TLS communication is established successfully, The mail servers through which the email passes until reaching the destination would have access to its content. Due to these facts, it follows that it is not enough to delegate email security to the underlying technologies in charge to send it to its recipient.” In light of the security deficiencies noted above, it is evident the need to adopt reinforced measures to appropriately guarantee the integrity and confidentiality of personal data sent by email, when personal data that deserve special protection is communicated, such as in the present case, measures that have not been applied, which has posed a risk higher for OPENBANK clients who submit personal data through this half. It should be noted that the GDPR does not establish a list of security measures that are applicable in accordance with the data that is the object of processing, but, By virtue of the principle of proactive responsibility of article 5.2 of the GDPR itself, the which entails the requirement that the person responsible for the treatment ensure the effective privacy and integrity of the data, both the person responsible and the person in charge of the treatment will apply technical and organizational measures that are appropriate to the risk that the treatment entails, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, the risks of probability and seriousness for the rights and freedoms of the persons concerned. Furthermore, the person responsible must be able to demonstrate that he has implemented these measures and that they are appropriate to achieve the purpose persecuted Likewise, security measures must be appropriate and proportionate to the detected risk, pointing out that the determination of the technical measures and organizational measures must be carried out taking into account: pseudonymization and encryption, ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, process verification (not audit), evaluation and assessment of the effectiveness of the measures. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 73/77 In any case, when evaluating the adequacy of the security level, the particularly taking into account the risks presented by data processing, such as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data and that could cause damages and losses physical, material or immaterial. In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent processing from violating the provisions of this Regulation, the controller or processor must assess the risks inherent to the processing and apply measures to mitigate them, such as encryption. Are measures must ensure an adequate level of security, including the confidentiality, taking into account the state of the art and the cost of its application regarding the risks and the nature of the personal data that must be protect yourself. When assessing risk in relation to data security, take into account the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or the communication or access is not authorized to such data, which may in particular cause damage and harm physical, material or immaterial.” For all the above, the technical and organizational measures applied by OPENBANK in the request for information to its clients (and specifically to the complaining party), in compliance with anti-money laundering regulations, not guaranteed a level of security appropriate to the risk, as required by article 32 of the RGPD, by virtue of the nature of the personal data that is processed, which They deserve special protection in terms of their confidentiality and integrity. Subsidiarily, regarding the application of technical and organizational measures reinforced to the treatment in question, it can be stated that the fact that a treatment as a whole is not considered high risk and does not have to undergo a data protection impact assessment, does not mean that they should not be applied security measures appropriate to the risk presented by any of the activities or stages of the treatment in question, in accordance with the provisions of article 32 of the GDPR. In the treatment cycle, which includes various and different activities, not all risk has to be uniform, there may be different levels of risks in the different stages of treatment, depending on the activities that constitute it. AND If there is a high risk in a phase, although not all of the treatment is high risk, Appropriate measures should be implemented. In accordance with the evidence available at this time resolution of sanctioning procedure, it is considered that the known facts are constituting an infraction, attributable to OPENBANK, due to violation of article 32 of the GDPR. x C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 74/77 Classification of the violation of article 32 of the RGPD The aforementioned violation of article 32 of the RGPD implies the commission of the violations typified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security adequate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679. XI Penalty for violation of article 32 of the GDPR For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available resolution of the sanctioning procedure, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in the article 83.2 of the GDPR: As aggravating factors: - The nature, severity and duration of the infraction, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damage and damages they have suffered (section a): For not having a means appropriate for sending the documentation requested under the LPBCFT, from May 2018 to October 2022, directly affecting the rights and freedoms of 65,000 interested parties and potentially two millions of customers. Section 54.b.iv of CEPD Guidelines 04/2022 includes, as one of the circumstances to be assessed in the graduation of the sanction: “The number of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 75/77 specifically interested, but also potentially affected”, and, clarifies in relation to this criterion: “The higher the number of interested parties involved, the greater weight the control authority may have attributing this factor. In many cases it can also be considered that the infringement assumes "systematic" connotations and, therefore, can affect, even in different times, additional data subjects who have not submitted complaints or reports to the supervisory authority. The supervisory authority may, in Depending on the circumstances of the case, consider the relationship between the number of affected stakeholders and the total number of stakeholders in that context (e.g. example, the number of citizens, clients or employees) in order to evaluate “if the violation is systemic in nature.” - Intentionality or negligence in the infringement (section b): OPEN- BANK has been seriously negligent in determining the means of delivery. sending the documentation required to clients under the LPBCFT, all time the company did not adopt appropriate security measures based on of the risk to the rights and freedoms of natural persons, not even when a customer (as in the specific case of the complaining party) called the attention to this issue, even when its own evaluation document impact assessment had indicated the need to adopt the sending of information tion requested under the LPBCFT through the private area of the website of the bank and had indicated that it was a high-impact treatment for rights and freedoms. Regarding the degree of diligence that the person responsible ble of the treatment is obliged to deploy in compliance with the obligatory imposed by data protection regulations, the Sen- ruling of the National Court of 10/17/2007 (Rec. 63/2006). Although it was dictated before the GDPR came into force, its pronouncement is perfectly extrapolated. ble to the case at hand. The aforementioned Judgment, after alluding to the fact that entities in which the development of their activity involves continuous work processing of customer and third party data must observe an adequate level of diligence, specified that “(...) the Supreme Court has understood that there are imprudence whenever a legal duty of care is neglected, i.e. when the offender does not behave with the required diligence. And in the assessment In the degree of diligence, professionalism or lack of professionalism must be especially considered. of the subject, and there is no doubt that, in the case now examined, when the activity life of the appellant is one of constant and abundant handling of data of a The personnel must insist on rigor and exquisite care in adjusting to the legal preventions in this regard.” Due to the high impact that this could have for those interested, OPENBANK was obliged to find solutions that do not pose a greater risk to the rights and freedoms of their clients and that guarantee the security of the data. - The categories of personal data affected by the infringement (section g): In the present case, it is requested that the origin of various amounts received in the account of the interested party, which, by facilitating that information without adequate security measures, could increase its vulnerability to possible attacks, which implied a greater risk for the rights and freedoms of the data subject. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 76/77 Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and measures “corrective measures” of the LOPDGDD: As an aggravating factor: - The linking of the offender's activity with the performance of treatment personal data (section b): The development of the business activity that OPENBANK performs requires continuous processing of personal data. The balance of the circumstances contemplated in article 83.2 of the RGPD and 76.2 of the LOPDGDD, with respect to the infraction committed by violating the provisions of the article 32 of the RGPD, allows imposing a penalty of €1,000,000 (one million euros). Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE OPEN BANK, S.A., with NIF A28021079, for the violation of the article 25 of the RGPD a fine of 1,500,000.00 (ONE MILLION FIVE HUNDRED THOUSAND EUROS), for the violation of article 32 of the RGPD a fine of 1,000,000.00 (UN MILLION EUROS), both classified in article 83.4 of the RGPD. SECOND: NOTIFY this resolution to OPEN BANK, S.A. THIRD: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collection in executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 76.4 of the LOPDGDD and given that the The amount of the sanction imposed is greater than one million euros, it will be subject to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 77/77 publication in the Official State Gazette of the information that identifies the offender, the violation committed and the amount of the penalty. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-010623 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es