AEPD (Spain) - PS/00421/2020

From GDPRhub
Revision as of 10:11, 14 April 2021 by Cvl (talk | contribs)
AEPD - PS/00421/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
e-Privacy Directive
Article 21(1) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 07.04.2021
Fine: 5000 EUR
Parties: BANCO DE SABADELL, S.A.
National Case Number/Name: PS/00421/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Óscar Jacobo

The Spanish DPA (AEPD) fined a financial institution €5000 for breaching the Spanish Act implementing the e-Privacy Directive by sending direct commercial communications without consent.

English Summary

Facts

The client of a financial institution lodged a complaint before the Spanish DPA (AEPD) due to the delivery of a mail for commercial purposes, even though he had expressly rejected the delivery of commercial communications and promotional offers.

Dispute

Are the electronic communication sent by a financial entity to its clients to be considered as necessary for contract fulfilment or do they have commercial purposes (and thus would breach the principle of Article 21(1) of the Spanish Information Society Services Act (LSSI) regarding the delivery of electronic commercial communications to data subjects without prior authorization)?

Holding

The DPA rejected the argument of transaction-based customer communication and held that the mail had marketing purposes because the Controller publicizes its services, although the data subject had expressly indicated his refusal to receive advertising content.

As a result, the DPA considered that the financial entity violated Article 21(1) LSSI.

Furthermore, the commercial communication did not inform the recipient about his right to object to the processing of its data for marketing purposes.

As a consequence, the Spanish DPA imposed a fine of €5000.

Comment

It may seem that the Spanish DPA did not in-depth analyze the arguments expressed by the financial entity regarding whether the content included in the communication could be considered as necessary for contract fulfilment, particularly in the case of communications focus on reporting the maintenance of essential banking services during the lockdown.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/7










Procedure Nº: PS / 00421/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) dated June 25, 2020
filed a claim with the Spanish Data Protection Agency. The
claim is directed against BANCO DE SABADELL, S.A. with NIF A08000143 (in

ahead, the claimed one).

The reasons on which the claim is based are that said financial entity with which the
claimant has contracted several financial products, on 06/17/20 he
sent a commercial email, despite the fact that in your online account you have marked
clearly you do not agree to receive advertising.


Together with the claim, it provides a screenshot where it is seen marked in the
COMMERCIAL INFORMATION AND PROMOTIONS section:

"I do NOT want to enjoy offers that are 100% adapted to my profile."


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 06046/2020, a transfer of
said claim to the defendant, on July 17, 2020, to proceed with its

analysis and inform this Agency within a month, of the actions taken
carried out to adapt to the requirements provided in the data protection regulations,
To date there is no reply in this regard.

THIRD: On November 30, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the

alleged violation of article 21 of the LSSI, typified in article 38.4.d) of the
LSSI, which may be sanctioned with a fine of up to € 5,000, in accordance with article
39.1 c) of the LSSI.

FOURTH: Once the aforementioned Initiation Agreement was notified, the defendant presented allegations in

which indicated that on August 10, 2020, it responded to the request received on August 17, 2020.
July, stating that the communication sent to the claimant was not commercial
but operational.

Likewise, the claimed entity states that given the situation and the social scenario and

sanitary in which we found ourselves during the State of Alarm, novel and
exceptional, sent operational and contractual communications to its clients in the
reporting on new channels and new operational and communication options


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








due to the need to accompany our clients in the contractual execution
maintained with the Bank.


In no way attending to the emails sent does it appear that there was a
campaign or commercial communication for the purpose of offering, promoting or selling
products or services, but information on operational solutions to your efforts
banks that it had, motivated by the State of Alarm situation and the
closure or limitation of face-to-face operations at branches motivated by the
pandemic, as well as by the limitation of movements itself.


Consequently and in accordance with the foregoing and the content of the
communications sent, the respondent considers that the article has not been infringed
21 of the LSSI, as no advertising communications or
promotional.


Likewise, it considers that article 38.4 of the same text has not been infringed either.
legal, section d) that typifies the alleged infringement, as it is not a
commercial communication as required by the precept.

For this reason, it considers that no responsibility can be attributed to it since the only

purpose of the emails sent are to accompany our
clients in an exceptional situation, during the Alarm State that did not end
until June 21, 2020, without prejudice to subsequent restrictive regulations of the
mobility, informing them about new channels and operational options and
communication related to the maintenance of the contractual relationship, but in

no case for the offer or sale of products or services.

FIFTH: On February 2, 2021, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 06046/2020.


SIXTH: On February 7, 2021, a resolution proposal was formulated,
proposing that the Director of the Spanish Data Protection Agency dictate
sanctioning resolution against BANCO DE SABADELL, S.A. with NIF A08000143,
with a fine of € 5,000 (five thousand euros) for the violation of article 21 of the LSSI,
typified in article 38.4.d) of the LSSI.


SEVENTH: On February 19, 2021, allegations were presented against the
motion for a resolution stating the following:

“The Agency comes to state that it is a fact that the right of the claim was violated.

keep not receiving emails.

That right has not been violated, what the claimant requested or stated is her need
to enjoy offers: “I DO NOT want to enjoy offers that are 100% adapted
to my profile ”, but he has not expressed his refusal to receive emails from the Ban-

co for operational matters, as the email has been provided by the
own claimant to the entity as a means of communication with the Bank with the
purpose of the development and execution of the contractual relationship. "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








The complainant also states that “in section 11 A of the conditions
to the contracts signed by the plaintiff, the following mention is included
regarding the use of email as a means of operational communication with the

Bank:

A.11. Communications.

The Holders expressly empower the Bank so that all communication,
information or notification, including details of movements, settlement of

interests and those related to the change or modification of conditions or rates, which
direct the Bank individually, can be facilitated or made available
of the Holders, at the address of the account, or through any other channel
face-to-face or through remote channels established by the Bank from time to time,
without the need to send them the physical documentation, except for those

documents that the Bank determines from time to time, warning of said
Publication to the Headlines.

For this purpose, the remote banking service is considered to be remote channels.
in case they have contracted it (currently called "BS Online"), the
Internet pages of the Bank, and any of the email addresses,

mobile phone or similar means that the Holders have communicated to the Bank in each
moment."

The parties expressly agree that communications and information
received by the Holders through remote channels will be equivalent to the referral

physical documentation referred to in the previous paragraph. Holders have
the right to request that the information be sent to them in paper format. "

EIGHTH: Of the actions carried out in the present procedure, the
accredited the following


                                      FACTS

FIRST: The receipt of advertising emails by
the financial entity with which the claimant has contracted several products
financial statements, despite the fact that in your online account you have clearly marked that you do not accept

receive publicity, as seen in the COMMERCIAL INFORMATION section
AND PROMOTIONS:

"I do NOT want to enjoy offers that are 100% adapted to my profile."


SECOND: The claimed entity states that the communication sent to the
claimant is not commercial but operational as a result of its
contractual relationship.

THIRD: The claimed, after receiving the proposed resolution of this

sanctioning procedure, reiterates that the email sent to the claimant
it was for operational reasons, acting in accordance with the contract that this
entity has signed with the claimant, since the email address to the
that the email was sent has been provided by the claimant to the financial institution,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








as a means of communication with the Bank as a result of the relationship
existing contractual.


FOURTH: It is verified that the claimant has marked the box in her online account
relative to "I DO NOT want to enjoy offers that are 100% adapted to my profile" and
that therefore does not accept to receive publicity.

Despite this, the claimant, on June 17, 2020, received a commercial email
of the claimed entity, indicating: "Wherever you are, your bank is" and

reminding you that you can make transfers, pay taxes or consult
non-face-to-face movements (through remote banking that you already have
hired); informing you of the Bank's customer service phone number to
the procedures that you need related to your contracts already formalized; Y
reminding you that you should not provide access codes, as well as that the Bank in

no case will request them by email.

FIFTH: It is verified that the financial institution does not provide a link to the complainant
through which you can request to stop receiving advertising.

                            FOUNDATIONS OF LAW


                                            I
In accordance with the provisions of article 43.1, second paragraph, of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (hereinafter referred to as LSSI) is competent to initiate and resolve this

Sanctioning Procedure the Director of the Spanish Agency for the Protection of
Data.

                                            II


The facts presented, consisting of the sending of a commercial communication, are
constituting an infringement, by the defendant to the provisions of article 21
of the current Law 34/2002, of July 11, on Services of the Society of the
Information and Electronic Commerce (hereinafter LSSI), which provides the following:

"1. The sending of advertising or promotional communications by

email or other equivalent electronic means of communication that
had not previously been requested or expressly authorized by the
recipients of the same.

2. The provisions of the preceding section shall not apply when there is a

prior contractual relationship, provided that the provider had obtained lawfully
the recipient's contact details and will use them to send communications
commercial related to products or services of your own company that are
similar to those that were initially contracted with the client.


In any case, the provider must offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure
and free, both at the time of data collection and at each of the
commercial communications that you direct.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7









When the communications have been sent by email, said
means must necessarily consist of the inclusion of an email address

email or other valid email address where this right can be exercised,
it is forbidden to send communications that do not include said address. "

The aforementioned offense is classified as minor in article 38.4.d) of the LSSI,
which qualifies as such "Sending commercial communications by email or
another equivalent electronic means of communication when such shipments do not

comply with the requirements established in article 21 and does not constitute a serious offense ”.

                                            III

In the present case, the violation of article 21 of the LSSI that is attributed to the

claimed must be classified as a minor offense, considering the number of
commercial messages sent to the claimant.

The respondent states that the communications have not been of a commercial nature
but to accompany their clients in an exceptional situation, during the
Alarm Status, informing them about new channels and operational options and

communication related to the maintenance of the contractual relationship, but in
no case for the offer or sale of products or services.

However, despite the goodwill of the claimed entity, it is a fact that
violated the right of the claimant not to receive emails, a will that

had expressly stated.

It is considered that the mail received by the claimant on June 17, 2020,
by the claimed entity, stating: "Wherever you are, your bank is"
informing you and offering your services, specifically, that you can perform

transfers, pay taxes or consult movements in a remote way (to
through the remote banking that you have already contracted); and you are informed of the number of
Bank customer service telephone number for the steps you need, you can
be considered a commercial content email where the entity is offering its
services to a customer who has indicated that they do not wish to receive advertising from you through
of emails despite the existing contractual relationship between them.


In addition, said financial institution does not provide the complainant with a link through which,
This can exercise its rights, among others, to stop receiving advertising, such and
as required in article 21.2 of the LSSI.


                                            IV

In accordance with the provisions of article 39.1.c) of the LSSI, minor offenses may
be sanctioned with a fine of up to € 30,000, establishing the criteria for its
graduation in article 40 of the same norm, whose literal tenor is the following:


"Article 40. Grading of the amount of sanctions.

The amount of the fines that are imposed will be graduated according to the following

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








criteria:

a) The existence of intentionality.


b) Period of time during which the offense has been committed.

c) The recidivism by commission of infractions of the same nature, when thus
has been declared by final resolution.


d) The nature and amount of the damages caused.

e) The benefits obtained by the infringement.

f) Billing volume affected by the infringement committed.


g) Adherence to a code of conduct or an advertising self-regulation system
applicable with respect to the offense committed, which complies with the provisions of article
18 or in the eighth final provision and that has been favorably informed by the
competent body or bodies. "


In relation to the criteria for graduation of sanctions contained in the transcript
Article 40 of the LSSI, it is considered that in this case the
criterion a) of the aforementioned article, inasmuch as there has been a lack of diligence
by the complainant when using the complainant's email address
to send you a commercial communication after confirming that it would be managed

your request for the deletion of personal data, whenever a
special knowledge of the requirements contained in article 21 of the LSSI to be
an entity accustomed to sending this type of message in the development of its
activity.


Accordingly, it is considered appropriate, in accordance with the seriousness of the
facts analyzed impose on the entity BANCO DE SABADELL, S.A., with NIF
A08000143, a fine of 5,000 euros.

Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE BANCO DE SABADELL, S.A., with NIF A08000143, for a
violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI, a

fine of 5,000 euros (five thousand euros).

SECOND: NOTIFY this resolution to BANCO DE SABADELL, S.A ..

THIRD: Warn the sanctioned person that the sanction imposed by a

Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/7








by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account

restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



Mar Spain Martí
Director of the Spanish Agency for Data Protection








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es