AEPD (Spain) - EXP202315853

From GDPRhub
Revision as of 13:52, 4 November 2024 by Ao (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202315853 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00380-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202315853
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Law 39/2015
Type: Complaint
Outcome: Upheld
Started: 17.11.2023
Decided: 24.10.2024
Published:
Fine: 180,000 EUR
Parties: Ibercaja Banco
National Case Number/Name: EXP202315853
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ao

The DPA fined a bank €180,000 for accessing the data of a former customer more than 47 times without any legal basis under Article 6(1) GDPR after the contractual relationship had ended .

English Summary

Facts

On the 17 September 2023, the data subject lodged a complaint with the Spanish DPA (AEPD) against Ibercaja Banco. The data subject claimed that although his contractual relationship with the bank had ended on the 23 February 2022, the bank accessed his file up to 47 times between March 2022 and January 2023.

The data subject had entered into a contractual relationship with the bank in order to pay off a mortgage. On the 23 February 2022, the debt was entirely paid off by transferring the property to a company. In the credit information system, the data subject was able to see a list of instances when the bank accessed his data from March until May 2023.

The data subject alerted the bank of this breach on the 29 March 2023 to which he received a response on the 29 May 2023 stating that the bank had initiated measures to block access to the data.

Following the complaint, the AEPD requested information from the bank on the 13 November 2023 and concluded on the 20 December 2023 that no infringement was found. It stated that the complaint is to be discarded due to the lack of rational indications of the existence of an infringement. The data subject appealed the decision on the 17 January 2024. The AEPD admitted the appeal on the 24 July 2024 stating that the bank had not demonstrated a legal basis for the access to the data of the data subject.

However, the bank recorded the full conclusion of the contract in May 2022 as the last month in which risk derived from the contract. The bank argued that it was justified in accessing the data as it had made a partial write-off of the debt and as it continued to finalise the loan payments.

Holding

The AEPD found that the bank had breached Article 6(1) GDPR by failing to demonstrate a legal basis for the data processing after the contract had ended. It detailed that within a period of six months pending the termination of the contractual relationship, measures must be taken to ensure that the processing of personal data is justified through Article 6(1) GDPR.

The AEPD in determining the amount of the fine they considered the duration of the infringement, the amount of the data the bank has access to, the level of intent through repeated access and any previous infringements committed by the bank.

The AEPD set the initial fine at €300,000 based on the bank’s annual turnover. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €180,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/15

File No.: EXP202315853

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY

PAYMENT

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On October 1, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against IBERCAJA BANCO,
S.A. (hereinafter, the respondent party), through the Agreement transcribed below:

<<
File No.: EXP202315853 (PS/00380/2024)

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following:
FACTS

FIRST: On 09/17/23, Ms. A.A.A. (the complaining party), filed a
complaint with the Spanish Data Protection Agency.

The complaint was directed against the entity IBERCAJA BANCO, S.A. (Ibercaja) with
NIF.: A99319030, (the respondent party), for the alleged violation of the data protection regulations:

Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 27/04/16, regarding the Protection of Natural Persons with regard to the
Processing of Personal Data and the Free Circulation of these Data
(RGPD), Organic Law 3/2018, of December 5, on the Protection of Personal Data
and Guarantee of Digital Rights (LOPDGDD).

The claim was based on the following points:

- That the contractual relationship he had with Ibercaja ended on 23/02/22 after the

cancellation of a mortgage contract, being notarized,

- That nevertheless, he was aware that the financial institution accessed his

personal data existing in the BADEXCUG EXPERIAN asset file,
on up to 47 occasions, from March 2022 to January 2023.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15

- That he sent an email to the Ibercaja SAC on 29/03/23, to which the entity
responded on 29/05/23 informing that they were proceeding to block the data, although
the accesses to the file had already occurred.

The following documentation is attached to the claim:

- First page of the deed of sale, dated 02/23/22, with
cancellation of the mortgage charge, in which the claimant appears as one

of the sellers.

- Certificate, dated 02/23/22, issued by the representative of the defendant,
certifying that the claimant is, along with other persons, the holder of a
mortgage loan, as well as:

“3. That the parties reached an agreement by which the Debtors
undertook to pay the Loan Debt by selling the mortgaged property to the IBERCAJA group at market price, and
IBERCAJA undertook, once the sale was formalized and
its possession delivered, to issue a letter of payment and settlement of the Loan Debt. (…)

4. That the Debtors, in execution of the aforementioned, have
transferred the mortgaged property to (…), a company owned by
IBERCAJA, for its market value, and IBERCAJA has granted a letter of
payment and full settlement of the debt owed by the Debtors, referred to in the
first section, expressly waiving the right to exercise any
new action to claim it and to desist, where appropriate, from any
actions it has taken up to that time against the Debtors, whether judicial or extrajudicial, to claim the
aforementioned debt.”

- BADEXCUG Report, dated 03/24/23, which includes all the queries
made by the defendant party, from 04/01/18 to 01/08/23. This report
contains the details of other debts recorded in the file at the
request of IBERCAJA. However, it is noted that all of them are
cancelled prior to the events that motivate the procedure:

o Date subscriber identifier
o (…)
o 02/27/2022 00:29 ***NIF.1 IBERCAJA
o 02/27/2022 01:19 “ IBERCAJA

o (…)
o 07/17/2022 00:24 “ IBERCAJA
o 08/28/2022 00:31 “ IBERCAJA
o 08/28/2022 01:55 “ IBERCAJA

o 09/04/2022 00:20 “ IBERCAJA
o 09/04/2022 02:07 “ IBERCAJA
o 09/11/2022 00:24 “ IBERCAJA

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/15

o (…)
o 25/12/2022 02:46 “ IBERCAJA
o 01/01/2023 00:32 “ IBERCAJA

o 01/01/2023 02:00 “ IBERCAJA
o 08/01/2023 00:33 “ IBERCAJA
o 08/01/2023 02:36 “ IBERCAJA

- Complaint addressed, by email dated 03/29/23, to the
respondent. In said email, the consultation of your personal data is stated
monthly in an illegitimate manner, since you do not have any right to
credit since 02/23/22. Likewise, she requests that these practices cease immediately.

- Response received by the complainant, by email dated
03/29/23, in which she is informed that her personal data has been blocked in accordance with
Article 32 of the LOPDGDD.

- Report from the Central Risk Information Office of the Bank of Spain, dated
02/21/23, regarding the complainant's "aggregate risk report"

between the months of May 2022 to January 2023 and which highlights the
operations corresponding to the month of May 2022:

o "... Data on operations corresponding to personnel
Risk Drawn Amounts in euro units: XXXXXXXXXXXXXXXX…

Transfer of data for this operation suspended by application of
Article 66 of Law 44/2002 of November 22. IBERCAJA BANCO,
S.A…”

SECOND: On 13/11/23, in accordance with the mechanism prior to the admission for processing of

claims made to the AEPD, provided for in article
65.4 of the LOPDGDD, which consists of forwarding them to the data
protection delegates designated by the data controllers or processors, or
to these when they have not been designated, and for the purpose indicated in the
referred article, the claim was forwarded to the respondent party so that it could proceed to
analyze it and respond within one month.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was notified on 13/11/23, as shown in the
file.

THIRD: On 14/12/23, this Agency received a written response from the respondent to the request for information made, in which it is stated that:

- That the relationship with the claimant was the result of a mortgage loan formalized on 30/05/06, the non-payment of which led to a judicial debt collection procedure on 28/06/18. Subsequently, this judicial process

resulted in provisional execution. However, both procedures were resolved through extrajudicial satisfaction after the signing
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/15

of a settlement agreement between the parties, on 23/02/22. The resolutions issued in the framework of said procedures were last notified on 27/04/22.

- That in the settlement agreement signed between the parties, Ibercaja agreed to
make a partial write-off of the debt, since the value of the mortgaged property
transferred in payment did not cover the entire amount owed. After signing
said agreement, Ibercaja proceeded to regularize the situation of the loan,
eliminating the related information from the EXPERIAN-BADEXCUG file and the

CIRBE. The final cancellation took place on 05/29/23 by blocking the corresponding data in its database, as

THIRD: On 12/17/23, in accordance with article 65.5 of the LOPDGDD,
the claim submitted was admitted for processing, (AT/05840/2023).

FOURTH: On 12/20/23, after analyzing the documentation in the file, a resolution was issued by the Director of the Spanish Data Protection Agency in file AT/05840/2023, agreeing to file the claim due to the lack of rational indications of the existence of an infraction within the scope of the competence of the Spanish Data Protection Agency, and consequently, not proceeding to open a sanctioning procedure. The resolution was
notified to the appellant on 12/20/23, as shown in the file.

FIFTH: On 01/17/24, the claimant filed an optional appeal for reconsideration (RR/00038/2024) against the resolution issued in file
AT/05840/2023, in which it expresses its disagreement with the contested resolution,
requesting that the processing of the initial claim filed with the
AEPD continue, based on the fact that the respondent had made repeated inquiries
to its delinquency data in the BADEXCUG file, without having any contractual

relationship with it and that the reports and documentation presented were not correctly taken into account, since they were not adequately assessed, since, by
themselves, they had a key probative value of what it was saying.

SIXTH: On 07/24/24, the Directorate of the Data Protection Agency issued a decision in favor of the appeal for reconsideration (RR/00038/2024), on the basis that the respondent has not proven the legality of the access to the claimant's personal data, carried out in the BADEXCUG credit information system after having ended their contractual relationship.

LEGAL BASIS

I.
Competence

In accordance with the provisions of articles 58.2 and 60 of the GDPR and the provisions of
articles 47, 48.1, 64.2 and 68.1 and 68.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and

resolve this procedure. C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/15

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures.”

II.

Unfulfilled obligation

We must begin by recalling that article 4 of the GDPR defines, in its sections 1
and 2, the terms “personal data”; “processing” as follows:

“1) “personal data”: all information about an identified or identifiable
natural person (“the data subject”); An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

“2) “processing” means any operation or set of operations which is performed
on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation,

structuring, storage, adaptation or alteration, retrieval, consultation,
use, disclosure by transmission, dissemination or any other form of

access, alignment or combination, restriction, erasure or destruction;

For its part, the “Principle of legality” in the processing of personal data implies that
all data processing must have a legal basis that justifies it, that is, it must
be in accordance with a law and cannot be carried out in an arbitrary or unlawful manner,

(Article 5.1.a) of the GDPR), so it is required that it is proven that the owner of the data
consented to the processing of the same or that any other
legitimizing cause established in art. 6 of the GDPR exists. That is:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/15

“1. The processing will only be lawful if at least one of the following
conditions is met: a) the interested party gave his consent for the processing of his

personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is a party or
for the application at the request of the data subject of pre-contractual measures; c) the

processing is necessary for compliance with a legal obligation applicable
to the data controller; d) the processing is necessary to protect
the vital interests of the data subject or of another natural person; e) the processing is

necessary for the performance of a task carried out in the public interest or in
the exercise of official authority vested in the data controller; f) the

processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that
such interests are not overridden by the interests or fundamental rights and freedoms of the data subject that require the protection of personal data,
in particular when the data subject is a child…”

In this regard, and in application to the case at hand, sections 20.1.e) of the
LOPDGDD, on “Credit information systems”, establishes that:

“1. Unless proven otherwise, the processing of personal data relating to the failure to comply with monetary, financial or credit obligations by common credit information systems shall be presumed to be lawful when the following requirements are met:

e) That the data referring to a specific debtor may only be consulted when the person consulting the system has a contractual relationship with the affected party that involves the payment of a monetary amount or the affected party has requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as occurs, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts.

When the right to limit the processing of data by challenging its accuracy has been exercised before the system in accordance with the provisions of

Article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who
could consult it in accordance with the previous paragraph about the mere
existence of this circumstance, without providing the specific data regarding

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/15

which the right had been exercised, while the request of the affected party is being
resolved.

In the present case, from the information and documentation in the file
it is clear that there was a contractual relationship between the claimant and the defendant
through a mortgage loan, the non-payment of which gave rise to a judicial procedure for debt collection and
subsequently to a provisional enforcement procedure.

That both procedures were terminated on 02/23/22 by extra-procedural satisfaction as a result of the signing of a settlement agreement before a notary, and this is stated in the certificate dated 02/23/22, issued by the defendant, in which it certifies, among other issues, that the debtors proceeded to transfer the mortgaged property to a company owned by Ibercaja, as payment of the debt, for its market value. In said agreement, the defendant granted a letter of payment and a full settlement of the debt, expressly waiving any subsequent action to claim it and desisting from judicial or extrajudicial actions.

Furthermore, according to the reports of the Central Risk Office of the Bank of Spain (CRBE), the regularization of the mortgage contract concluded in May 2022, this being the last month in which the defendant entity declared the risk derived from the contract.

However, according to the claim filed and the documentation provided
by the claimant, it is noted that the respondent entity accessed the

personal data of the claimant contained in the Badexcug-Experian solvency files
on at least 47 occasions after the end of the contractual
relationship on 23/02/22. These accesses took place between March 2022 and
January 2023.

The respondent entity, in its response to the transfer of proceedings, justified said
accesses by arguing that, within the framework of the settlement agreement, the entity had
performed a partial write-off of the debt, since the value of the transferred property did
not cover the entire amount owed. He also stated that, after signing the agreement,
he proceeded to regularize the loan situation, eliminating the information on it

from both the EXPERIAN-BADEXCUG and CIRBE files, until the definitive
cancellation of the operation by blocking the information in his database on
05/29/23. However, such statements have not been supported by documentation
that refutes this claim.

Well, we have seen how data processing requires the existence of a

legal basis that legitimizes it and we see this in article 6.1 of the GDPR, which apart from
consent, establishes other possible bases that can legitimize the processing of
data without the need to have the authorization of its owner, such as when it is
necessary for the execution of a contract in which the affected party is a party or for the
application, at the request of the latter, of pre-contractual measures, or when it is necessary

for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests do not prevail over the
interests or fundamental rights and freedoms of the affected party that require the
protection of such data or when it is necessary for the fulfillment of a

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/15

legal obligation applicable to the data controller, to protect vital interests. of the affected person or another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers conferred on the

data controller.

And in the particular case, when it refers to the processing of personal data in the area of credit information systems, article 20.1.e) of the LOPDGDD,
presumes a lawful processing of the personal data of an individual, when they are
consulted in the database of the solvency file by someone who

maintained a contractual relationship with the affected party that implies the payment of a
pecuniary amount or the latter had requested the conclusion of a contract that
involves financing, deferred payment or periodic billing.

Consequently, the consultation of the personal data of the claimant in the solvency file
without there being a valid contractual relationship or any other
legitimate cause that justifies such access could constitute an infringement attributable to
the entity claimed, for violation of article 6.1 of the RGPD. in relation to
article 20.1.e) of the LOPLDGDD.
VII.
Classification and qualification of the infringement

If confirmed, the aforementioned infringement of article 6.1 of the GDPR could entail the
commission of the infringements classified in article 83.5.a) of the GDPR, which considers
that the infringement of “the basic principles for processing, including the
conditions for consent pursuant to articles 5, 6, 7 and 9” is punishable,

in accordance with section 5 of the aforementioned article 83 of the aforementioned Regulation, “with
administrative fines of up to €20,000,000 or, in the case of a company,
an amount equivalent to a maximum of 4% of the total annual turnover
of the previous financial year, choosing the highest amount”.

The LOPDGDD in its article 71, indicates that:

“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.

And article 72.1.b, considers for the purposes of prescription, that they are “very serious”:

1. According to what is established in article 83.5 of Regulation (EU) 2016/679, infringements that imply a substantial violation of the articles

mentioned therein and, in particular, the following are considered very serious and will prescribe after three years: (…) b) The processing of
personal data without any of the conditions of legality of the processing established in article 6 of Regulation (EU) 2016/679. (…).

VIII

Proposed sanction

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the moment of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/15

the agreement to initiate sanctioning proceedings, and without prejudice to the outcome of the
instruction, it is considered that the sanction to be imposed should be graduated in accordance with
the following criteria established in article 83.2 of the GDPR, which states:

“2. Administrative fines shall be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures
contemplated in article 58, section 2, letters a) to h) and j).

When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question,
as well as the number of data subjects affected and the level of
damage suffered by them; (b) the intent or negligence of the infringement; (c) any measures taken by the controller or processor to
mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor,
taking into account any technical or organisational measures they have implemented pursuant to
Articles 25 and 32; (e) any previous infringements committed by the controller or processor; (f) the degree of cooperation with the
supervisory authority in order to remedy the infringement and mitigate any
adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification arrangements approved pursuant to Article 42; (k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

In accordance with these provisions, for the purposes of setting the amount of the penalty

to be imposed in the present case for the infringement classified in article 83.5.a) and
article 6.1 of the GDPR, for which the respondent is held responsible, in an
initial assessment, the following factors are considered to be concurrent:

- The duration of the infringement, since it is found that the respondent accessed the

personal data of the complainant contained in the Badexcug-Experian solvency
files on at least 47 occasions after the termination of the contractual relationship on 23/02/22, taking place over 9
months, between March 2022 and January 2023. (art. 83.2.a of the GDPR).

- The close connection between the offender's activity and the processing of personal data.- The level of implementation of the entity and the activity it carries out, in which personal data of millions of interested parties are involved, are considered. This circumstance determines a greater

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/15

degree of demand and professionalism and, consequently, the responsibility of the entity claimed in relation to the processing of the data, (article 76.2.b of the LOPDGDD in relation to article 83.2.k).

- The intention or negligence in the infringement, since the defendant accessed

the personal data of the claimant on up to 47 occasions without the
corresponding legitimacy, without the degree of diligence that the data controller is obliged to display in compliance
with the obligations imposed by the data protection regulations, being able to cite the SAN of 17/10/2007. Although it was issued before the validity of the RGPD,
its pronouncement is extrapolable to the case that we analyze. The sentence,

after referring to the fact that the entities in which the development of their activity
entails a continuous processing of data of clients and third parties must
observe an adequate level of diligence, specified that "(...). the Supreme Court has understood that there is imprudence whenever a legal duty of care is
disregarded, that is, when the offender does not

behave with the required diligence. And in the assessment of the degree of diligence,
the professionalism or lack of the subject must be especially considered, and there is no
doubt that, in the case now examined, when the activity of the appellant
is of constant and abundant handling of personal data, it is necessary to
insist on the rigor and the exquisite care to comply with the legal provisions in this
regard” (art. 83.2.b RGPD).

- Any previous infringement committed by the person responsible or in charge of
the processing of the data, taking into consideration the resolution dated

01/30/23 issued by the Board of Directors of the Data Protection Agency, in the
sanctioning procedure PS/00241/2022, (art. 83.2.e.- RGPD).

The balance of the circumstances contemplated in arts. 83.2 of the RGPD and 76.2 of the

LOPDGDD, with respect to the infringement committed by violating the provisions of art. 6.1 of the GDPR, allows for an initial fine of 300,000 euros (three hundred thousand euros).

IX.
Adoption of measures.

The corrective powers that the GDPR attributes to the AEPD as a supervisory authority are
listed in its article 58.2, sections a) to j).

If the infringement is confirmed, the controller may be required to adopt
appropriate measures to adjust its actions to the regulations mentioned in this act, in
accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each
control authority may “order the controller or processor to
comply the processing operations with the provisions of this
Regulation, where appropriate, in a certain manner and within a specified
term…”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/15

The imposition of this measure is compatible with the sanction consisting of an administrative fine,
as provided for in art. 83.2 of the GDPR.

The text of this agreement establishes the facts that have led to the
violation of data protection regulations, from which it is clearly inferred what measures to be adopted are, without prejudice to the fact that the types of
procedures, mechanisms or specific instruments to implement them
correspond to the sanctioned party, since it is the one who fully knows its organization
and must decide, based on proactive responsibility and risk approach, how to

comply with the RGPD and the LOPDGDD.

However, in the present case it is indicated that the measure to be adopted would be that, within
a period of 6 months, those measures are taken to guarantee that the processing of
personal data has the necessary legitimacy, fulfilling the requirements of

article 6.1 RGPD.

Please note that failure to comply with the order imposed by this body may be
considered an administrative infringement in accordance with the provisions of the GDPR,
classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the
opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against the entity IBERCAJA
BANCO, S.A. with CIF.: A99319030, for the alleged infringement of Article 6.1 of the
RGPD, classified in Article 83.5.a) of the RGPD.

SECOND: TO APPOINT Mr. B.B.B. as Instructor, and Mr. C.C.C. as Secretary,
indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime
of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the

claim filed by the claimant and its documentation, the documents obtained and
generated by the General Subdirectorate of Data Inspection during the
investigation phase, all of them part of this administrative file.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the
penalty that may apply would be 300,000 euros (three hundred thousand euros),
without prejudice to the results of the instruction of this file.

FIFTH: NOTIFY the present agreement to initiate sanctioning proceedings to the

entity IBERCAJA BANCO, S.A., granting it a hearing period of ten business days to formulate the allegations and present the evidence it
deems appropriate. In its written allegations it must provide its NIF and the file number that appears in the heading of this document.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/15

If you do not make objections to this initiation agreement within the stipulated period, it
may be considered a resolution proposal, as established in article

64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, if the
sanction to be imposed is a fine, you may acknowledge your liability within the
period granted for the formulation of objections to this initiation agreement; which

will entail a 20% reduction of the sanction to be imposed in
this procedure, equivalent in this case to 60,000 euros. With the application of this reduction, the penalty would be set at 240,000 euros, and the procedure would be resolved with the imposition of this penalty.

Likewise, at any time prior to the resolution of this procedure, the proposed penalty may be voluntarily paid, which will mean a reduction of 20% of the amount of the penalty, equivalent in this case to 60,000 euros. With the application of this reduction, the penalty would be set at 240,000 euros and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with that to be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In

this case, if both reductions were to be applied, the amount of the penalty would be set at 180,000 euros (one hundred and eighty thousand euros).

In any case, the effectiveness of either of the two reductions mentioned will be subject to the withdrawal or waiver of any action or appeal through administrative channels against the penalty.

If the decision is made to proceed with the voluntary payment of either of the amounts indicated above (240,000 euros or 180,000 euros), this must be made by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the
Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the
heading of this document and the reason for the reduction of the amount to which it is subject.

Likewise, proof of payment must be sent to the Subdirectorate General of

Inspection to continue with the procedure in accordance with the amount
paid.

The procedure will have a maximum duration of twelve months from the date
of the start agreement or, where appropriate, the draft start agreement. After this

period, it will expire and, consequently, the proceedings will be filed; in
accordance with the provisions of article 64 of the LOPDGDD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/15

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency.

>>

SECOND: On October 16, 2024, the respondent party has proceeded to pay
the penalty in the amount of 180,000 euros using the two reductions
provided for in the Commencement Agreement transcribed above, which implies the
recognition of liability.

THIRD: The payment made, within the period granted to formulate allegations at
the opening of the procedure, entails the waiver of any action or appeal through administrative
course against the penalty and the recognition of liability in relation to
the facts referred to in the Commencement Agreement and its legal qualification.

FOURTH: The aforementioned initiation agreement indicated that, if

the infringement is confirmed, it may be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which
each supervisory authority may “order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of

this Regulation, where appropriate, in a certain manner and within a specified period…”.

Having recognized the responsibility for the infringement, the imposition of
the measures included in the initiation agreement is appropriate.

LEGAL BASIS

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/15

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations
(hereinafter, LPACAP), under the heading
"Termination in sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,

the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or it is possible to impose a monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at

any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for the damages and losses caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the competent body to resolve the procedure will apply reductions of at least

20% on the amount of the proposed sanction, which may be accumulated among themselves.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditional on the withdrawal or waiver of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased
by regulation.”

In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202315853, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER IBERCAJA BANCO, S.A. so that within 6 months
from the date this resolution becomes final and enforceable, it notifies the Agency of the

adoption of the measures described in the legal grounds of the
Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to IBERCAJA BANCO, S.A..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure

of Public Administrations, interested parties may file an administrative appeal before the Administrative

Disputes Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/15

Administrative Disputes Jurisdiction, within two months from the

day following notification of this act, as provided for in article 46.1 of the

referred Law.

1259-151024
Mar España Martí

Director of the Spanish Agency Data Protection

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es