AEPD (Spain) - EXP202317282
| AEPD - EXP202317282 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR; Article 17(1)(d) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 10.10.2023 |
| Decided: | |
| Published: | 25.06.2024 |
| Fine: | 150,000 EUR |
| Parties: | Banco Cetelem, S.A. |
| National Case Number/Name: | EXP202317282 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA found that a lender lacked a legal basis to erroneously place debt charges on a data subject’s bank account after it failed to verify that the account belonged to the debtor. It also did not comply with the data subject’s deletion request. The controller paid a reduced fine of €150,000 pursuant to national law.
English Summary
Facts
On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). The data subject claimed that the controller, a lender, had made numerous unsolicited charges to his bank account between July and September 2022.
The data subject filed numerous complaints with the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amounts unduly charged. The data subject also reproached the controller for attributing his bank account to a third party without first requesting the relevant certificate of bank account ownership from that third party.
One year later, in September 2023, the controller again charged the data subject’s account with a new bill from the same unknown third party. The data subject complained about the charge, and the controller charged the account once more in October 2023.
The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and subsequently recorded in the controller’s database. It stated that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number.
Holding
The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request.
From 2022 onward, the controller had been processing the data subject’s bank account information in its debt contract with the debtor, in its databases, and in its transmission to the debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of Article 6(1) GDPR. The AEPD considered the processing in 2022 and the processing in 2023 (between which the data subject had made a deletion request) separately; it therefore found two Article 6(1) GDPR violations, one for each processing occasion.
The AEPD also found that the controller violated Article 17(1)(d) GDPR when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023.
The AEPD proposed a sanction of €250,000. Pursuant to Law 39/2015, a Spanish law on administrative proceedings, the AEPD informed the controller that it could acknowledge its responsibility for the alleged violations and/or voluntarily pay the proposed fine, each of which reduces the fine by 20%. The controller opted for the full 40% reduction, both acknowledging its responsibility for the violations and paying the reduced sanction of €150,000.
Comment
The AEPD rejected the controller’s defense that human error resulted in an erroneous transcription of the bank account number, noting that it is extremely difficult to ‘accidentally’ create an authentic account number in error. Instead, the AEPD considered that the controller incorporated the data subject’s bank account information into the debtor’s contract without verifying that the debtor owned the account in question. Interestingly, though, security measures were not a substantive part of the AEPD's analysis or infringement findings.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202317282

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Data Protection Agency and on the basis of the following

BACKGROUND

FIRST: On May 21, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANCO CETELEM, S.A. (hereinafter, the claimed party), by means of the Agreement transcribed below:

<< File No.: EXP202317282

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and on the basis of the following

FACTS

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on October 20, 2023. The claim is directed against BANCO CETELEM, S.A. with NIF A78650348 (hereinafter, CETELEM). The reasons on which the claim is based are the following:

The complaining party states that CETELEM charges to its bank account payment receipts for a loan of an unknown third party. It provides several statements showing said receipts, as well as several claims made to CETELEM together with their responses, including a police report.

There is a first series of 8 receipts improperly charged to the claimant's account no. ***ACCOUNT.1, between the months of July and September 2022, at a rate of two receipts per month.

On August 8, 2022, the complaining party protested to CETELEM about the improper use of its bank account, requesting the deletion of its bank account data; it also demanded an explanation of how its data had been obtained without any prior contractual relationship. It also criticized CETELEM for attributing its bank account to a third person without previously requesting the relevant certificate of bank account ownership. Additionally, the complaining party requested and obtained the refund of the amount of the receipts improperly collected.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

Again, a year later, in September 2023, CETELEM charged a new receipt from the same debtor to the complaining party's account. The complaining party submitted a new claim to CETELEM on 09/21/23; nevertheless, CETELEM charged a new receipt again on 10/2/23. CETELEM reacted on 10/20/23 by acknowledging receipt of the claim and, in its response of 10/23/23, justified its actions on the ground that the claimant's account number is the one that appears in the contract. At the same time, the complainant also filed a complaint at the ***LOCALITY.1 police station on September 18, 2023.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency, within one month, of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on December 4, 2023, as stated in the acknowledgment of receipt in the file.

THIRD: On December 22, 2023, CETELEM responded to the AEPD's request for information. CETELEM states that it deleted the claimant's account data from its database after the first claim, but that it sold the debt to a third company in June 2023, and that the contract still incorrectly included the claimant's bank account number. In CETELEM's opinion, responsibility for this new incident would lie with the new company; however, it took steps to resolve the new series of improper charges to the claimant's account.

It finally concludes that the improper charges of 2022 and 2023 to the claimant's account were due to human error.

FOURTH: On December 29, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FIFTH: According to the report obtained from the AXESOR tool, the entity BANCO CETELEM, S.A. is a company established in 1988 with a turnover of 64,855,216 euros in 2022.

LEGAL GROUNDS

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Breach of obligation: initial processing without lawful basis (article 6)

Article 4.1 of the GDPR, "Definitions", states that:

"For the purposes of this Regulation: 1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Article 6 Lawfulness of processing

1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."

CETELEM holds the bank account number of the complaining party. Through this identification number the account holder is an identifiable natural person; therefore, this data is to be considered personal data in accordance with Article 4 of the GDPR.

CETELEM acknowledges in several of its submissions that the complaining party's bank account number appears in the contract of a debtor and, consequently, also in CETELEM's database. For this reason, this debtor's receipts are collected from the claimant's bank account.

Although CETELEM seems to point, in its defense, to errors in the initial transcription of the account number, the check digits of bank accounts make it practically impossible to "create" an authentic account number by mistake. This means, as the complainant indicates, that this error is due to CETELEM having incorporated the claimant's bank account into the debtor's contract without verifying ownership of the account.

In view of the above, it seems clear that CETELEM would initially have had the claimant's full bank account number, but it does not satisfactorily clarify how this information could have appeared in the contract of a CETELEM client, taking into account that the claimant does not have, nor has had, a prior contractual relationship with this entity.

Between the months of July and September 2022, CETELEM improperly charged a series of 8 receipts to the claimant's account no. ***ACCOUNT.1, at a rate of two receipts per month. On August 8, 2022, the complaining party protested to CETELEM about the improper use of its bank account, requesting the deletion of its bank account data. In September 2023, CETELEM debited a new receipt from the same debtor to the account of the complaining party.

The complaining party submitted a new claim to CETELEM on 09/21/23; however, CETELEM again charged a new receipt on 10/2/23. CETELEM held the claimant's account number since 2022, first in its database and in the debt contract, and in 2023 still in the debtor's contract, without having rectified or deleted this information. CETELEM declares that it also transferred the claimant's account to a third company in June 2023 with the sale of the debt.

In this way, CETELEM would have processed the claimant's personal information without a lawful basis, given that there is neither consent nor any legal or contractual obligation that justifies its processing, and as a consequence of this processing the claimant has borne on its account, for several months in 2022 and 2023, various charges for a debt whose owner was another person.

III
Typification and classification of the infringement

In accordance with the evidence available at the present time, and without prejudice to what results from the investigation and according to the known facts, the claimant is identifiable through its bank account number, to which CETELEM charges a series of receipts. The complaining party is not the owner of the debts charged and does not have, nor has had, any prior contractual relationship with CETELEM. This means that CETELEM carries out this processing without a lawful basis, as it does not have the consent of the data subject.

The known facts could constitute an infringement, attributable to CETELEM, of article 6 of the GDPR (lawfulness of processing), for processing without a legitimate basis.

This infringement of the GDPR is classified in article 83.5.a) as follows:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;"

For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1.b of the LOPDGDD, which classifies the following conduct as very serious: "b) The processing of personal data without any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679."

IV
Sanction proposal

This infringement may be punished with an administrative fine of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83.2 of the GDPR, on general conditions for imposing administrative fines, establishes that they shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in article 58, section 2, letters a) to h) and j). In the present case, section a) would apply, which establishes:

"a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;"

The nature and scope of the processing affects the economic rights of the claimant, as CETELEM makes charges to its bank account.
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, establishes the following in letter b): "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: b) The connection between the offender's activity and the carrying out of processing of personal data."

CETELEM is a banking entity, so it has a qualified connection with the processing of personal data, in particular with accuracy in its processing.

In view of the above, a fine of €100,000 is proposed.

V
Breach of obligation: right to erasure, article 17.1.d) of the GDPR

For its part, article 17 of the GDPR, relating to the right to erasure, establishes the following in section 1 d): "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (...) d) the personal data have been unlawfully processed; (...)"

In September and October 2023, according to the bank receipts provided by the complaining party, CETELEM again made new charges to its account. CETELEM acknowledges its breach of the requested right to erasure when it declares that the rectification and deletion of the claimant's account took place only in the database, but not in the contract that was the legal basis of the debt.

The obligation of the controller to proceed with the deletion without delay of unlawfully processed data is also included in article 5.1.d) of the GDPR:

"1. Personal data shall be: (...) d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); (...)

2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')."

In view of the facts described, it seems clear that CETELEM would have limited itself to deleting the claimant's data only from the database, but not from the contract. More than one year after the claim, CETELEM has not adopted all reasonable measures for the immediate deletion and rectification of the complaining party's data.

VI
Typification and classification of the infringement

In accordance with the evidence available at the present time and without prejudice to what results from the investigation, it is considered that CETELEM did not effectively delete the claimant's account number in September and October 2023. According to its own statement, CETELEM would only have proceeded to delete it from the database, but not from the contract underlying the improper charges, despite the data subject's exercise of the right to erasure on August 8, 2022. As a consequence of the improper processing indicated, CETELEM has once again made unjustified charges for another person's debt to the claimant's account.

The known facts could constitute an infringement, attributable to CETELEM, of article 17.1.d) of the GDPR, relating to the right to erasure, which establishes the following: "1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (...) d) the personal data have been unlawfully processed; (...)"

This infringement of the GDPR is classified in article 83.5.b) as follows:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: b) the data subjects' rights pursuant to Articles 12 to 22;"

For the purposes of the limitation period for infringements, as this is a one-off breach of the right to erasure, the alleged infringement prescribes after one year, in accordance with article 74.1.c of the LOPDGDD, which classifies the following conduct as minor: "c) Failing to respond to requests to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law apply."

VII
Sanction proposal

This infringement may be punished with an administrative fine of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83.2 of the GDPR, on general conditions for imposing administrative fines, establishes that they shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in article 58, section 2, letters a) to h) and j). In the present case, sections a) and b) would apply, which establish:

"a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;"

The effective cessation of the processing requested has far exceeded the period of one year, which is considered an aggravating factor in liability. The breach of the duty of accuracy of the data has forced the complaining party to reiterate the deletion of its data, even going so far as to file a complaint before the police for fraud.

"b) the intentional or negligent character of the infringement."

The deletion of the complaining party's account number only in the database, but not in the contract, points to negligent conduct on the part of CETELEM.

Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, establishes the following in letter b): "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: b) The connection between the offender's activity and the carrying out of processing of personal data."

CETELEM is a banking entity, so it has a qualified connection with the processing of personal data, in particular with accuracy in its processing.

In view of the above, a fine of €50,000 is proposed.

VIII
Breach of obligation: second processing without lawful basis (article 6)

Article 4.2 of the GDPR, "Definitions", establishes that: "For the purposes of this Regulation: 2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;" (...)

In September and October 2023, two new charges for the same debtor were again made to the claimant's account, which means that CETELEM would not have proceeded to delete the data of the complaining party.
CETELEM informs the AEAT in this regard, in the preliminary actions, that it has sold the debt to a third company together with the contract containing the erroneous data of the complaining party. It states that, as a consequence of the sale of the debt, the responsibility for the accuracy of the data would now lie with the new company, and that it has nevertheless taken care of the resolution of the new incident of improper charges to the claimant's account.

With the transfer of the complaining party's current account number to a third party, CETELEM carries out a new data processing ("disclosure by transmission", article 4.2 of the GDPR), for which it is again necessary to comply with the conditions of lawfulness provided for in article 6 of the GDPR:

"1. Processing shall be lawful only if and to the extent that at least one of the following applies: a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) processing is necessary for compliance with a legal obligation to which the controller is subject;"

CETELEM already lacked a lawful basis for the claimant's current account data in August 2022; it does not have the consent of the data subject, and the processing carried out is not necessary for compliance with a legal or contractual obligation. This is information that it should never have had and whose deletion was requested by the data subject. Since the year prior to this transfer, CETELEM has been aware of the lack of lawfulness of this processing, because the complaining party had already exercised its right to erasure due to the unlawful processing of its bank account number.

CETELEM has improperly kept the claimant's information and, with the sale of the debt, would have carried out a new processing, communicating the claimant's account data to a third company without the conditions of lawfulness provided for in article 6.1.a) of the GDPR.

IX
Typification and classification of the infringement

In accordance with the evidence available at the present time, and without prejudice to what results from the investigation, CETELEM acknowledges before the AEPD the transfer of the complaining party's account number to a third company, which is a new processing carried out against the manifest opposition of the data subject.

The known facts could constitute an infringement, attributable to CETELEM, of article 6 of the GDPR (lawfulness of processing), for processing consisting of the transfer of the data subject's data to third parties without the data subject's consent.

This infringement of the GDPR is classified in article 83.5.a) as follows:

"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;"

For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1.b of the LOPDGDD, which classifies the following conduct as very serious: "b) The processing of personal data without any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679."

X
Sanction proposal

This infringement may be punished with an administrative fine of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Article 83.2 of the GDPR establishes that administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58, paragraph 2, letters a) to h) and j).

For its part, Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes that: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: b) The connection between the offender's activity and the carrying out of processing of personal data."

CETELEM is a banking entity, so it has a qualified connection with the processing of personal data, in particular with accuracy in its processing, which makes especially serious its obtaining of the claimant's bank account number, its retention despite the data subject's right to erasure and, finally, its transfer to a third party without effective verification of the accuracy of the data.

In view of the above, a fine of €100,000 is proposed.
XI Adoption of measures If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR. It could then be agreed to adopt appropriate organizational measures to avoid errors in the future such as the one produced in this case within a period of 3 months, as well C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/15 such as the communication of suppression of the treatment to the company to which CETELEM transferred the data of the complaining party, due to the sale of the debt. It is warned that failure to comply with the possible order to adopt measures imposed by This body in the sanctioning resolution may be considered as a administrative offense in accordance with the provisions of the RGPD, classified as infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against BANCO CETELEM, S.A., with NIF A78650348, for two alleged violations of articles 6 and one violation of article 17.1.d) of the RGPD, all of them classified in article 83.5 of the RGPD. SECOND: APPOINT B.B.B. as instructor. 
and, as secretary, C.C.C., indicating that they may be challenged, where applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be two hundred and fifty thousand euros (€250,000): one hundred thousand euros (€100,000) for the initial infringement of art. 6, fifty thousand euros (€50,000) for the infringement of article 17.1.d) and one hundred thousand euros (€100,000) for the second infringement of article 6, without prejudice to what results from the investigation.

FIFTH: TO NOTIFY this agreement to BANCO CETELEM, S.A., with NIF A78650348, granting it a hearing period of ten business days to formulate the allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the file number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, the agreement may be considered a proposal for resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, it may recognize its responsibility within the period granted for the formulation of allegations to this initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure.
With the application of this reduction, the penalty would be set at two hundred thousand euros (€200,000), resolving the procedure with the imposition of this sanction. Likewise, at any time prior to the resolution of this procedure, it may make voluntary payment of the proposed sanction, which will entail a 20% reduction in its amount. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000), and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for voluntary payment of the penalty is cumulative with the reduction that applies for recognition of responsibility, provided that this recognition of responsibility is made within the period granted to formulate allegations to the initiation of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be set at one hundred and fifty thousand euros (€150,000). In any case, the effectiveness of either of the two reductions mentioned will be conditioned on the withdrawal or waiver of any administrative action or appeal pending against the sanction.
Should it choose to make voluntary payment of either of the amounts indicated above, two hundred thousand euros (€200,000) or one hundred and fifty thousand euros (€150,000), payment must be made by depositing the amount in IBAN account number ES00 0000 0000 0000 0000 0000 (BIC/SWIFT code: XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the ground for the reduction of the amount that is being accepted. Likewise, proof of payment must be sent to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount paid. The procedure will have a maximum duration of twelve months from the date of the initiation agreement. Once that period has elapsed without a resolution having been issued and notified, the procedure will lapse and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On May 31, 2024, the claimed party paid the penalty in the amount of 150,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies recognition of responsibility.

THIRD: The payment made within the period granted to formulate allegations to the initiation of the procedure entails the waiver of any administrative action or appeal pending against the sanction and recognition of responsibility in relation to the facts referred to in the Initiation Agreement.
FOURTH: In the initiation Agreement transcribed above it was stated that, if the infringement is confirmed, the controller could be ordered to adopt appropriate measures to bring its actions into line with the regulations mentioned in that act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…". Responsibility for the infringement having been recognized, the imposition of the measures included in the Initiation Agreement is appropriate.

FOUNDATIONS OF LAW

I Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following: "1.
Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary sanction may be imposed but the inadmissibility of the second has been justified, voluntary payment by the alleged offender at any time prior to the resolution will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure, and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202317282, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO ORDER BANCO CETELEM, S.A., within 3 months from the date on which this resolution becomes final and enforceable, to notify the Agency of the adoption of the measures described in the legal foundations of the Initiation Agreement transcribed in this resolution.

THIRD: TO NOTIFY this resolution to BANCO CETELEM, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

1259-16012024

Mar España Martí
Director of the Spanish Data Protection Agency