AEPD (Spain) - PS/00500/2020
AEPD (Spain) - PS/00500/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(4) GDPR; Article 6(1) GDPR; Article 22(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 21.10.2021 |
Fine: | 3000000 EUR |
Parties: | CAIXABANK, CONSUMER FINANCE, EFC |
National Case Number/Name: | PS/00500/2020 |
European Case Law Identifier: | n/a |
Appeal: | Rejected AEPD (Spain) RR/00672/2021 |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined a bank €3,000,000 for carrying out profiling for marketing purposes without obtaining valid consent, since the consent was neither specific nor informed.
English Summary
Facts
A data subject filed a complaint against Caixabank, a Spanish bank, alleging that the financial institution had transferred the data subject's personal data to a credit scoring company, despite the data subject and the bank having ended their relationship in 2014. The Spanish DPA (AEPD) launched an investigation and decided to investigate the way the bank was profiling its clients.
The bank, responding to a request made by the AEPD, declared that it was profiling its clients, as defined by Article 4(4) GDPR, in two ways: first, to determine its clients' creditworthiness, and second, for marketing purposes. According to the bank's statements, the profiling for determining its clients' creditworthiness was based on a legal obligation deriving from insolvency and credit legislation. The profiling for marketing purposes was based on consent.
The personal data processed for these purposes were identity data, such as ID number and date of birth; financial data; sociodemographic data, such as postal code, country of birth, nationality, type of dwelling, age and civil status; and economic data, such as revenue, salary, job, time as a client and risk score. Such data were provided by the data subjects themselves or obtained from credit scoring entities, from other companies in the entity's group, and from the Bank of Spain's risk information centre.
Holding
The AEPD began by noting that, according to Article 5 GDPR, personal data shall be processed lawfully. In particular, in the case of profiling, processing will be based on consent. The DPA relied on the "Guidelines on Automated individual decision-making and Profiling" from the A29WP to highlight the importance of obtaining valid consent in such a case:
Profiling can be opaque. Often it relies upon data that is derived or inferred from other data, rather than data directly provided by the data subject.
Controllers seeking to rely upon consent as a basis for profiling will need to show that data subjects understand exactly what they are consenting to, and remember that consent is not always an appropriate basis for the processing. In all cases, data subjects should have enough relevant information about the envisaged use and consequences of the processing to ensure that any consent they provide represents an informed choice.
The AEPD also highlighted Articles 6 and 7 GDPR, regarding consent, Recitals 32, 40 to 44 and 47, and the EDPB's "Guidelines 05/2020 on consent", specifically the sections regarding specific and informed consent.
After examining the way the bank was obtaining consent, the DPA determined that the controller was not providing data subjects with enough information about profiling, as all the information about the processing was placed inside the conditions of the credit contract.
Additionally, with the information provided, the data subject would not be able to properly understand what the processing consisted of and entailed. The information did not specify that the client could, as a result, receive marketing from third-party companies and for unrelated products, nor that it could include the granting of pre-granted credits. Nor did data subjects receive information about which particular personal data would be used for such processing, or how detailed the profile was.
The controller also did not provide the option of granular consent, since the data subject could not consent to each purpose of the processing individually. The full set of actual purposes was not even defined when the information about the purposes was offered in the privacy policy. The personal data were also transferred to other companies of the group without consent or a valid agreement between them. In addition, the DPA concluded that data subjects could not effectively know what kind of personal data was being processed for the profiling, since there was a difference between what was stated in the privacy policy and what the controller communicated to the DPA. The AEPD also remarked that the use of risk score data was not included by the bank in that list, nor was it defined as another kind of profiling, so information about such processing was lacking.
For all the above reasons, the DPA concluded that the controller had not obtained valid consent as defined in Article 4(7) GDPR, as it was, first, not specific, since the purposes were not individually defined, nor could they be consented to granularly, and second, not informed, since the information provided was not sufficient. Therefore, consent was not valid as a legitimate basis under Article 6(1) GDPR, in relation to Article 7 GDPR, and thus the processing was unlawful.
On these grounds, the AEPD fined the controller €3,000,000. In setting the fine, it took into account:
- the risks that profiling poses to data subjects, since it is a particularly invasive practice,
- the link between the processing and the controller's business activities,
- the large size of the company,
- the high amount of personal data and processing activities,
- the high number of affected data subjects.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00500/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On November 6, 2018, a letter was received from Mr. A.A.A., in which he denounces that the entity CAIXABANK, CONSUMER FINANCE, EFC has requested from COMPANY.1 information on the entries relating to his person in the COMPANY file 2. He states that at present he has no contract with, nor has he requested any service from, any company of the CAIXABANK group. He points out that although he was a CAIXA client, said relationship was formally terminated in 2014 with the termination of all existing contracts.
Said claim was transferred to the Data Protection delegate of the person in charge, in accordance with the provisions of article 9.4 of Royal Decree-Law 5/2018, of 27 July, of urgent measures for the adaptation of Spanish law to the regulations of the European Union regarding data protection, receiving a response from CAIXABANK CONSUMER FINANCE EFC, S.A.U., in which an error of human and punctual character. It was indicated that, although the claimant was a client in the past, at the date of the claim he had ceased to be one. Despite this, his data was included by mistake in a campaign of pre-granted credits.
On February 6, 2019, the Director of the Spanish Agency for the Protection of Data agrees not to admit the submitted claim for processing, noting however in said resolution that “This is without prejudice to the fact that the Agency, applying the powers of investigation and correction that it holds, can carry out subsequent actions relating to the data processing referred to in the claim.”
Said resolution was appealed, the claimant alleging that said entity, of which he is not a client, since his relationship with it was one-off and limited in time within the framework of a sales contract with associated financing completed years before, has used the asset solvency files in order to prepare a profile and offer him a financial service, without requesting his consent. Said appeal was upheld.
SECOND: In view of this claim, on October 16, 2019, the Director of the Spanish Data Protection Agency urged the Subdirectorate General of Data Inspection to initiate preliminary investigation actions to reveal how CAIXABANK CONSUMER FINANCE EFC, S.A.U is conducting profiling of the personal data of its clients in the context of its commercial activity, in order to verify its compliance with the personal data protection regulations.
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
THIRD: On February 6, 2020, the General Subdirectorate for Inspection of Data issues a requirement to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. to provide the following information:
List of activities for the processing of personal data of clients and / or potential clients carried out in the development of the commercial activity of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. that involve profiling (according to the definition set forth in article 4.4 of the GDPR, in particular with regard to the economic situation of the interested parties). For each of the personal data treatment activities, the following is requested:
1. Definition of the logic applied in profiling and the expected consequences of such treatment for the interested party.
2. Description of the purpose of the treatment and detail of the basis of legitimation of Article 6.1 of the GDPR on which it is based.
3. Procedure followed to comply with the duty of information to the interested party (articles 13 and 14 of the GDPR).
4. Means used to collect consent in the event that the treatment activity is covered by article 6.1.a of the GDPR.
5. Categories of interested parties and personal data subject to treatment.
6. Origin or origins of the personal data object of treatment (with indication of the basis of legitimacy that supports, where appropriate, the use of data collected from external sources: credit information systems, other companies of the business group, etc.).
7. Where appropriate, list of treatment managers who participate in the profiling activity on behalf of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. and copy of the contracts that govern said treatments.
8. Description of the technical and organizational security measures applied under article 32 of the GDPR to the profiling activity.
9. If applicable, a copy of the Personal Data Protection Impact Assessment (EIPD) performed on the profiling activity.
10. Number of interested parties whose personal data have been processed in the development of the profiling activity, by category (customer, potential customer) and year (2018 and 2019).
FOURTH: On March 2, 2020, CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A. requests an extension of the term due to the impossibility of collecting and structuring the required information within the established period.
On March 3, 2020, the Deputy Director General of Data Inspection agrees to extend the deadline to respond for a period of five days, which must be computed from the day following the day on which the first term granted ends.
FIFTH: On June 2, 2020, this Agency received a written response to the request for information referred to in point SECOND.
In this document the following is stated:
In the first place, reference is made to the fact that “on March 14, 2020, Royal Decree 463/2020, of 14 March, declaring the state of alarm for the management of the health crisis situation caused by COVID-19, was published in the Official State Gazette (BOE), which includes in its third additional provision the suspension of administrative deadlines, applying the suspension of terms and the interruption of deadlines to the entire public sector defined in Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations; the terms being, therefore, suspended and the deadlines interrupted for the processing of procedures of public sector entities, decreeing that the computation of said terms will be resumed at the time of the end of the validity of this Royal Decree, extended, in turn, by Royal Decree 476/2020, of March 27, by which the state of alarm declared by virtue of the antecedent legislative text is extended, as well as its successive extensions.”
Secondly, it makes some preliminary considerations, of which the following must be highlighted:
- “CAIXABANK PAYMENTS & CONSUMER is the entity resulting from the merger by absorption between CaixaBank Payments, E.F.C., E.P., S.A.U., the absorbed company, and CaixaBank Consumer Finance, E.F.C., S.A.U., absorbing company; both wholly owned by CaixaBank, S.A. (hereinafter, also called “CaixaBank”). This merger took place on July 11, 2019, after notification of the non-opposition of Banco de España to the structural modification operation, under the provisions of Law 10/2014 of June 26, on management, supervision and solvency of credit institutions, as well as the corresponding authorization procedure from the Ministry of Economy and Business provided for in Law 5/2015 of April 27, on the promotion of business financing. As a result of the aforementioned operation, CaixaBank Consumer Finance, E.F.C., S.A. has been subrogated by universal succession in all rights and obligations, acquired and assumed, respectively, by CaixaBank Payments, E.F.C., E.P., S.A.U., modifying its corporate name to the current CaixaBank Payments & Consumer, E.F.C., E.P., S.A.”
- “The main activity of CAIXABANK PAYMENTS & CONSUMER consists of the marketing of credit or debit cards (hereinafter, called “Cards”), credit accounts with or without a card (hereinafter, called “Credit Accounts”) and loans (hereinafter, called “Loans”) (hereinafter, all of them individually named “Product” and jointly, “Products”), directly or through third parties, whether agents or Prescribers, with whom it has signed the corresponding agency or collaboration contracts. Specifically:
  - Directly, CPC markets some of the aforementioned Products.
  - Indirectly, CPC markets through Prescribers and agents.”
- ““Prescriber” or “Prescribers” is understood to mean those entities with which CPC has signed a collaboration agreement, based on which they undertake to offer their customers the possibility of contracting the Products of CPC, mainly to finance the purchase price of the products and / or services marketed by them (Prescribers) at their points of sale, either in person or online (for example, establishments such as *** ESTABLISHMENT.1 or *** ESTABLISHMENT.2 and *** ESTABLISHMENT.3). In particular, the CPC Products marketed through Prescribers are Cards, Credit Accounts and Loans.”
- “Finally, an agent is understood to be CaixaBank, S.A. (hereinafter, interchangeably the “Agent” or “CaixaBank”), the entity with which CPC maintains an agency agreement, by virtue of which CaixaBank promotes and concludes, through its channels, the CPC Cards, as well as, where appropriate, loans for refinancing the debt derived from these Cards.”
Regarding the personal data processing activities that in the development of its commercial operations involve the elaboration of profiles, according to the definition set forth in article 4.4 of the GDPR, in particular with regard to the situation data of the interested parties, it indicates that they are the following:
I. “Analysis of the repayment capacity or risk of non-payment of an interested party in their Request for a Product: It consists of the evaluation by CPC of a Product Request (Card, Credit Account or Loan, hereinafter the “Request”) received from an interested party (hereinafter, “Applicant” or “Applicants”). This evaluation involves a processing of personal data that takes the form of the necessary assessment of the repayment capacity or solvency of the Applicant (probability of risk of default). Said assessment is carried out, within the framework of the Request received, in order to comply with the provisions of the regulations that, in its capacity as financial credit establishment and payment institution, are applicable to CPC (Prudential and Solvency Regulations and Responsible Loan).”
II. “Analysis of the capacity for repayment or risk of non-payment in the management of credit risk granted to customers: It consists of continuous monitoring of the capacity for repayment or risk of default of customers to whom CAIXABANK PAYMENTS & CONSUMER has granted financing and, therefore, with whom it maintains a credit risk, with two purposes: i) the management of the credit risk granted to them in compliance with certain legal obligations (specifically, the Prudential and Solvency Regulations and Responsible Lending, as defined in section I.A.6 of this writing); and ii) commercial management in accordance with the consents obtained from the holders of the data (clients) with the subsequent purpose of offering them products and services tailored to their needs, which may include the assignment of “pre-granted” credit limits (pre-grant of a credit based on the information available to the Entity).”
III. “Analysis and selection of target audience: It consists of the analysis and selection, prior to a certain commercial impact, of a target audience (made up of those clients of CAIXABANK PAYMENTS & CONSUMER that meet, where appropriate, the requirements designed to be impacted by a potential campaign in order to offer them Products). Said treatment is carried out in accordance with the consents obtained from the owners of the data (clients).”
Regarding the categories of data holders that are treated in the execution of the detailed treatments, it points out that “it only deals with data of interested parties who are Clients of the Entity or applicants for its Products. It does not perform data processing about interested parties that could be called “potential clients”, these being understood as data holders who have no current relationship with CPC or who have not previously requested a Product through any of the established channels.”
Third, from the examination of what was stated by CPC regarding the activity called “analysis of the repayment capacity or risk of non-payment for the management of credit risk granted to clients during the contractual relationship”, the following aspects stand out:
1. Regarding the purposes and bases of legitimation of the treatment, it is stated that it has two purposes:
I. “The management of the credit risk granted, in compliance with certain legal obligations of the Prudential and Solvency Regulations and Responsible Loan, applicable when the Product is a credit account since, by allowing the availability of credit consistently granted, this (Product) must adapt constantly to the updated solvency capacity of the interested party. As stated, the enabling title to carry out this purpose, to comply with regulatory requirements, is the legal obligation, in accordance with article 6.1 c) of the GDPR.
II. Commercial management in the event that the consent of the data owner has been obtained. Said treatment makes it possible, among other things, to label the client in order to grant him a “pre-grant” (grant of a credit based solely on the information available to the Entity). In this case, only the data of those customers who have given their consent for profiling are processed.”
2. Regarding the logic applied in profiling and the expected consequences of said treatment for the interested party, it sets out the following:
“CAIXABANK PAYMENTS & CONSUMER uses a logic that has been defined in the financing process of the Entity. This financing process consists of different policies explained below and based on which customers are assigned (…).
i. (…) This label is the one used by CPC to categorize its clients in relation to the promotional activity that could be carried out on them for Loans or Credit Accounts. (…) • (…) • (…) • (…) • (…)
As mentioned, this direct financing is for commercial purposes, so CPC only uses it for those clients who have consented to the treatment of their data. Those who have not consented are, consequently, separated from the previous ones by being included, for the sole purpose of respecting what they requested in relation to the processing of their data, in the subcategory Direct financing - D - Not assessable. The implication of such a subcategory is, therefore, that customers with this 1 - D LABEL cannot be included in commercial campaigns.
ii. (…) • (…) • (…) • (…) • (…)
Finally, also in this case, customers who have not authorized the treatment of their data are included in the subcategory Financing Prescriber - D - Not assessable. These are, therefore, clients who have not given their consent to the profiling data processing.
i. (…) (…) (…) (…)
Finally, as in the other labels, there is the subcategory Extension of limits D - Not assessable, which incorporates those clients who have not authorized the processing of their personal data and, consequently, cannot be the object of commercial campaigns.
i. (…) a) (…) b) (…) (…) • (…) • (…) • (…) • (…)
3. Regarding the personal data object of treatment, it is indicated that they are the following:
- Identification: DNI / NIE / Passport and date of birth.
- Financial: CPC internal data obtained or derived from the contractual relationship existing between it and its client, and consultation of solvency files and of the Risk Information Center (CIR) of the Banco de España.
- Sociodemographic: postal code, country of birth and nationality, type of housing and seniority and marital status.
- Socioeconomic: income and pay, employment status and profession, bank seniority and domiciled entity.
- Others: risk score.
4. Regarding the origin of the personal data object of treatment, it details, for the categories of data indicated in the previous section, the following sources:
- Data provided by the Applicant in the Product Application itself.
- CPC data in relation to the Applicant in the event that they are already a customer and provided that CPC has data on their payment behavior.
- Data from external sources: in accordance with the regulations that apply to CPC as a financial credit institution and payment institution, the following information is also incorporated:
  - Information on the consolidated Group of CaixaBank Group entities.
  - Result of consulting credit information systems.
  - Result of the query to the Risk Information Center (CIR) of the Bank of Spain.
(…)
5. Regarding the means used to collect consent in the event that the treatment activity is covered by article 6.1.a of the GDPR, it informs that the channels through which it collects consents for commercial purposes from its customers are the following:
a) Through the Prescribers.
b) Through its CaixaBank Agent.
a) “Through the Prescribers. In relation to this channel, we can differentiate three (3) different ways of collecting:
i. The first is through the employees of the Prescribers themselves, who, at the time of the formalization of the financing contracts with the clients who want to contract the Products offered by CAIXABANK PAYMENTS & CONSUMER, ask them about each of the consents, in order to later record the answer given for each of them in the Particular Conditions of the financing contract signed for this purpose.
In this regard, the three (3) tools provided by CAIXABANK PAYMENTS & CONSUMER to the Prescribers' sellers so that they can carry out the capture of the information necessary to process the financing operations and, therefore, also to obtain the aforementioned consents, are the Web “*** WEB.1”, the capture app (used through a tablet carried by the sellers of Prescribers who are constantly moving through the store) and the “Web Auto” (…), which are the software provided by CAIXABANK PAYMENTS & CONSUMER to the Prescribers, connected with the systems of the former (CAIXABANK PAYMENTS & CONSUMER), so that their sellers process the financing operations by entering the personal and economic data of the clients and the contractual data of the operations (TIN, APR, amortization months, etc.), as well as collecting the consents, which will later be reflected in the Particular Conditions of the financing contracts that are formalized and delivered to the customers.”
It provides three screen prints that correspond to these three tools. In them it is observed that consent is requested for the following purposes, it being possible to choose yes or no for each one:
- “I authorize the CaixaBank Group to use my data for study and profiling”
- “I authorize the sending of advertising and commercial offers from the CaixaBank Group by the following means”, which in turn allows consent to be given or not for each of the following:
  - Telemarketing
  - Electronic means such as SMS, email and others
  - Post mail
  - Commercial contacts through any channel of my manager
- “I authorize the transfer of my data to third parties with whom the CaixaBank Group has agreements”
- “I authorize the CaixaBank Group to use my biometric data (image, fingerprint, etc.) in order to verify my identity and signature. This authorization will be complemented with the registration of biometric data to be used at each moment”
A screenshot of the AUTO web tool is also provided, in which it is possible to consult more details. According to the printout provided, the detail consists of the following:
“Consents and protection of personal data
The authorizations you provide now or have previously provided can be revoked at any time via www.caixabankpc.com/ exercise of rights.
If you grant authorization (1) the offers that are sent to you will be adapted to your profile.
Authorizations (2) (3) (4) and (5) refer to the channels through which you agree to be contacted by the Caixabank group, either by phone, by electronic means, by post and / or in person. If you do not authorize a channel, the Caixabank group will not be able to contact you to offer you products of your interest.
If you provide the authorization (6), at the time the data is transferred you will be informed of which third party is the recipient of your data, and if you do not agree you can revoke that authorization.
The authorization (7) is to be able to verify your identity / signature since in the Grupo Caixabank we use biometric recognition methods such as facial recognition systems, fingerprint reading and the like.”
ii. “The second form of collection within this group is through the web portal of CAIXABANK PAYMENTS & CONSUMER authorized to process the financing operation by the client himself, who will have been redirected by clicking on a link incorporated in the website of the Prescriber in question. So, for example, the interested party who decides to apply for the card (...) will initiate the application in the Prescriber's own portal *** ESTABLISHMENT.1 and will immediately be redirected to the web portal enabled for this purpose by CAIXABANK PAYMENTS & CONSUMER, where the entire contracting procedure will be carried out.
In this case, it is the client himself, through his computer / tablet, who marks the response for each of the planned treatments, which will then be transcribed in the Particular Conditions of the financing contract formalized.”
Attached, as ANNEX DOCUMENT No. 13, is the screen that the client sees and in which the consents are collected, as well as, as ANNEX DOCUMENT No. 14, an example of how the consents granted by the client are reflected in the Particular Conditions of the financing contract.
Annex 13 contains a printout of the screen in which the consents are collected, which coincide with those described above in the point relating to the prescribers channel.
Annex 14 is called APPLICATION-CREDIT AGREEMENT. It is structured in various sections relating to personal data of the owner and co-owner, the purchase, the financing plan, etc. Of these sections, it is worth highlighting what is indicated in the sections SUMMARY OF DATA PROCESSING and AUTHORIZATIONS FOR DATA PROCESSING.
The SUMMARY OF TREATMENTS section contains the following information:
“The processing of your data with respect to which you can provide your authorization in the terms established in this contract are the following:
COMMERCIAL PURPOSES:
A. Data processing by Caixabank Payments & Consumer and the Caixabank Group companies with study and profiling purposes to inform you of the products that are tailored to your interests / needs, as well as for the monitoring of the contracted services and products, carrying out surveys and design of new services and products.
B. Data processing by Caixabank Payments & Consumer and the Caixabank Group companies with the purpose of communicating offers of products, services and promotions marketed by them, their own or of third parties whose activities are included among banking, investment and insurance services, shareholding, venture capital, real estate, road, sale and distribution of goods or services, consulting, leisure and charity-social services.
C. Transfer of data by Caixabank Payments & Consumer and Caixabank Group companies to third parties with the purpose that they can send you commercial communications. Said third parties will be dedicated to the activities of banking, investment and insurance services, shareholding, venture capital, real estate, roads, sales and distribution of goods and services, consulting services, leisure and charitable-social.
OTHER PURPOSES
A. Treatment of biometric data that you provide by Caixabank Payments & Consumer and the companies of the Grupo Caixabank, such as facial image, voice, fingerprints, graphs, etc., in order to verify your identity and signature with the help of biometric recognition methods.”
In the AUTHORIZATIONS FOR DATA PROCESSING section there are a series of sections in each of which, both for the owner and for the co-owner, two boxes appear, one to mark yes and another to mark no, for the various authorizations to carry out data processing. These authorizations are as follows:
A) “I authorize the processing of my data for the purpose of study and analysis by Caixabank Payments & Consumer and the companies of the Caixabank group.”
B) “I consent to the processing of my data by Caixabank Payments & Consumer and the Caixabank group companies with the purpose for these to communicate offers of products, services and promotions through the channels I authorize.” In this case, the yes / no boxes are broken down for each of the following channels: Telemarketing; Electronic means such as SMS, email and others; Postal mail; Commercial contacts through any channel of my manager.
C) “I authorize Caixabank Payments & Consumer and the Caixabank group companies to give my data to third parties.”
i. The third way is through the telephone call in which the sellers of the Prescribers and managers of CAIXABANK PAYMENTS & CONSUMER.
In this case, the Prescriber's seller facilitates by telephone the CAIXABANK PAYMENTS & CONSUMER manager all customer data necessary to formalize the financing operation and it processes it. One time approved the contract, the client, through the Particular Conditions of the contract that you must sign, defines the granting of your consents marking freely and in handwriting your option on the boxes enabled for this purpose, as can be seen in DOCUMENT No. 14 attached to this writing ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/133 This document has been described in the previous point. a) “Through its Agent CaixaBank. Additionally, CPC is a beneficiary of the Consents granted, where appropriate, by customers to CaixaBank. We attach an example of the consent collection screens in the CaixaBank offices where it is the customer who, interacting directly with the device that the employee gives him (Tablet), proceeds to signal your preferences in relation to the processing of your data. " In the screen printing, which he incorporates in his writing, various authorizations for each of which there is the option to mark yes or no in its respective box. The authorizations refer, as in the previous cases: -To the use of the data for study and profiling purposes, clarifying that If authorized, the offers that are sent to you will be adapted to the profile of the interested. - To receive advertising and commercial offers. At this point it is also allowed choose the channels to receive advertising by checking the respective box. - To transfer the data to third parties with whom the Caixabank group has agreements. -The use of biometric data in order to verify my identity and signature. 6. Regarding the procedure followed to comply with the duty of information to the interested party (articles 13 and 14 of the RGPD) indicates that “Attached, as ANNEX DOCUMENT No. 
12, a copy of the general conditions that is provided to the interested party in the framework of the contracting of a product and in which the information provided for in article 13 is given; the provisions of Article 14 of the RGPD are therefore not applicable."

The document contained in annex 12, called "GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT", contains various sections; section number 26 refers to the "Processing of personal data based on the execution of contracts, legal obligations and legitimate interest and Privacy Policy". This point is in turn structured in 10 sections, of which it is of interest to transcribe here the information contained in points 26.1 and 26.4.

"26.1 Processing of personal data in order to manage Commercial Relations.

The personal data of the Holder, both those that he himself provides and those derived from the commercial, business and contractual relationships established between the Holder and CaixaBank Payments & Consumer, either in the commercialization of its own products and services or in its capacity as mediator in the commercialization of third-party products and services (hereinafter all referred to as Commercial Relations), or from the Commercial Relations of CaixaBank Payments & Consumer and the companies of the CaixaBank Group with third parties, and those made from them, will be incorporated into files owned by CaixaBank Payments & Consumer and the CaixaBank Group companies that are holders of the Commercial Relations, to be treated in order to comply with and maintain them, verify the correctness of the operation and for the commercial purposes that the Holder accepts in this contract.
These treatments include the digitization and registration of the identification documents and signature of the Holder, and their making available to the internal network of CaixaBank Payments & Consumer, to verify the identity of the Holder in the management of their Commercial Relations.

The treatments indicated, except those for commercial purposes, whose acceptance is voluntary for the Holder, are necessary for the establishment and maintenance of Commercial Relations, and will necessarily be understood as valid while said Commercial Relations continue in force.

Consequently, at the time of cancellation by the Holder of all Commercial Relations with CaixaBank Payments & Consumer and/or with the CaixaBank Group companies, the aforementioned data processing will cease and your data will be canceled in accordance with the provisions of the applicable regulations, with CaixaBank keeping them, with their use duly limited, until the actions derived from them have prescribed."

"26.4. Treatment and transfer of data for commercial purposes by CaixaBank and the CaixaBank Group companies based on consent.

In the Particular Conditions of this contract, under the heading authorizations for data processing, the authorizations that you grant or revoke in relation to the following will be collected:

(i) Data analysis and study treatments for commercial purposes by CaixaBank Payments & Consumer and companies of the CaixaBank Group.

(ii) The treatments for the commercial offer of products and services by CaixaBank Payments & Consumer and the companies of the CaixaBank Group.

(iii) The transfer of data to third parties.
In order to put at your disposal a global offer of products and services, your authorization for (i) data analysis and study treatments, and (ii) the commercial offer of products and services, if granted, will include CaixaBank Payments & Consumer and the CaixaBank Group companies detailed in www.caixabank.es/empresasgrupo (the “companies of the Grupo CaixaBank”), who may share and use them for the purposes indicated.

The detail of the uses of the data that will be carried out in accordance with your authorizations is as follows:

(i) Detail of the analysis, study and monitoring treatments for the offer and design of products and services tailored to the customer profile.

By granting your consent to the purposes detailed here, you authorize us to:

a) Proactively carry out risk analysis and apply statistical and customer segmentation techniques to your data, with a triple purpose: 1) Study products or services that can be adjusted to your profile and specific business or credit situation, all in order to make commercial offers tailored to your needs and preferences, 2) Track the products and services contracted, 3) Adjust recovery measures on defaults and incidents derived from the products and services contracted.

b) Associate your data with those of other clients or companies with which you have some type of bond, whether family or social, or through their ownership and administration relationships, in order to analyze possible economic interdependencies in the study of service offers, risk requests and contracting of products.

c) Carry out studies and automatic controls of fraud, defaults and incidents derived from the products and services contracted.

d) Carry out satisfaction surveys by telephone or electronically, with the aim of evaluating the services received.
e) Design new products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank Payments & Consumer and the CaixaBank Group companies.

The treatments indicated in this point (i) may be carried out in an automated manner and entail the elaboration of profiles, with the purposes already indicated. For this purpose, we inform you of your right to obtain human intervention in the treatments, to express your point of view, to obtain an explanation of the automated treatment decision, and to challenge said decision.

(ii) Details of the treatments for the commercial offer of products and services of CaixaBank Payments & Consumer and the companies of the CaixaBank Group.

By granting your consent to the purposes detailed here, you authorize us to:

Send commercial communications, both on paper and by electronic or telematic means, related to the products and services that, at any given time:

a) are commercialized by CaixaBank Payments & Consumer or any of the CaixaBank Group companies;

b) are sold by other companies owned by CaixaBank Payments & Consumer and third parties whose activities fall within banking, investment services and insurance, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charitable-social activities.

The Holder may choose at any time the different channels or media through which they wish or do not wish to receive the indicated commercial communications, through their internet banking, through the exercise of their rights, or through their management in the CaixaBank branch network.

The data that will be processed for the purposes of (i) data analysis and study, and (ii) the commercial offer of products and services, will be:

a) All those provided in the establishment or maintenance of commercial or business relationships.
b) All those generated in the contracting and operation of products and services with CaixaBank Payments & Consumer, with companies in the Grupo CaixaBank or with third parties, such as account or card movements, details of direct debits, direct debits, claims derived from insurance policies, claims, etc.

c) All those that CaixaBank Payments & Consumer or the companies of the Grupo CaixaBank obtain from the provision of services to third parties, when the service is intended for the Holder, such as the management of transfers or receipts.

d) Whether or not you are a CaixaBank shareholder, as stated in the records of the latter or of the entities that, according to the regulations governing the securities market, must keep records of the securities represented by book entries.

e) Those obtained from the social networks that the Holder authorizes to consult.

f) Those obtained from third parties as a result of requests for aggregation of data requested by the Holder.

g) Those obtained from the Holder's browsing through the web service of CaixaBank Payments & Consumer and other websites of this and/or the CaixaBank Group companies, or the mobile phone application of CaixaBank Payments & Consumer and/or the CaixaBank Group companies, in which the Holder operates duly identified. These data may include information related to geolocation.

h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties.

The data of the Holder may be supplemented and enriched by data obtained from companies that provide commercial information, by data obtained from public sources, as well as by statistical and socioeconomic data (hereinafter, "Additional Information"), always verifying that they comply with the requirements established in the current regulations on data protection."

7.
Regarding the number of interested parties whose personal data have been processed in the development of the profiling activity, by category (client, potential client) and year (2018 and 2019), (…).

Finally, regarding the third activity that it carries out, called “Analysis and selection of target audience”, it states the following:

1. Regarding the definition of the logic applied in the profiling and the anticipated consequences of said treatment for the interested party, it states that “The treatment activity called Commercial Profiling responds to CPC's need to analyze, select and extract, prior to its commercial impact, the target audience to which the commercial communications associated with a potential campaign will be directed.

For this purpose, CPC selects and extracts the information of the clients to whom the commercial communications of the campaign in question will potentially be sent. For this, personal data from internal CPC sources (Host, DataPool and DataWareHouse) are processed, of those of its clients who have expressly authorized the commercial profiling treatment and have not subsequently revoked it.

On the aforementioned repositories (Host, DataPool and DataWareHouse), a list of clients is taken based on the result obtained once the treatment based on the client's consent, detailed in the previous section (“II. Analysis of the repayment capacity or risk of non-payment for risk management of credit granted to clients”), has been carried out, and on said list of clients selection filters are applied based on identifying data such as age ranges, language of communication, sex, location or address, in order to proceed with the extraction of the target audience to which the campaign will be directed.

Ultimately, the system generates a file with the selection of the target audience that meets the conditions set once the filters have been applied.
It should be noted, however, that the selection criteria that, in essence, constitute the logic applied to profiling are not standardized parameters; rather, they are segments that vary and are adjusted to the needs of the product or the characteristics associated with the commercial or promotional initiative intended to be launched, as well as to the type or volume of the data that CAIXABANK PAYMENTS & CONSUMER has with respect to each of the interested parties.

For its part, the consequence that the profiling activity carried out by CAIXABANK PAYMENTS & CONSUMER generates for the client is limited to the fact that the client will, or will not, become part of a list that could potentially be used in the framework of a commercial campaign."

2. Regarding the description of the purpose of the treatment and the detail of the basis of legitimation of article 6.1 of the RGPD on which it is based, it states that "CAIXABANK PAYMENTS & CONSUMER treats the personal data of the interested parties associated with the Commercial Profiling activity in order to know whether they meet the necessary conditions for inclusion in a potential commercial campaign and to improve the impact of its commercial campaigns. In short, although expressed in different terms, the profiling process linked to this treatment activity is carried out with the aim of generating the list with the target audience that, at later moments, can be exploited to impact customers through communications with commercial content. For its part, the enabling title is the one provided for in art. 6.1.a) of the RGPD (consent).

3.
Regarding the procedure followed to comply with the duty of information to the interested party (articles 13 and 14 of the RGPD), it refers to what was stated for the treatment activity "Analysis of the repayment capacity or risk of non-payment for the management of credit risk granted to customers”, in which reference was made to the document Annex No. 12.

4. With regard to the means used to collect consent in the event that the processing activity is covered by article 6.1.a of the RGPD, it also refers to those indicated for the treatment activity “Analysis of the repayment capacity or default risk for credit risk management awarded to customers."

5. It states the following regarding the categories of interested parties and personal data subject to treatment: “The category of interested parties that are the object of the treatment called Commercial Profiling is that of clients with a current contract with CPC. The category of potential clients is in no case the object of this treatment activity"

"The personal data subject to treatment are the following:

- Identifiers: customer identifier, NIF / NIE / Passport, name and surname, date of birth, gender, postal address, email, telephone (landline or mobile) and communication language.
- Financial: products and services contracted and condition of owner / beneficiary / attorney-in-fact, and the label resulting from the treatment described in the previous section II)."

6. Regarding the origin of the personal data object of treatment (with indication of the basis of legitimation that sustains it), it states that “The origin of the personal data object of treatment is the interested party and CAIXABANK PAYMENTS & CONSUMER's own internal sources, already described in point 1 of this section (III. Treatment: "Commercial Profiling"), as well as the labels detailed in the previous section (Analysis of the repayment capacity or risk of non-payment for the management of credit risk granted to clients).
In this case, the basis of legitimation is the consent of the interested party (art. 6.1.a RGPD)."

7. Regarding the number of interested parties whose personal data have been processed in the development of the profiling activity, by category (client, potential client) and year (2018 and 2019), it points out that “In the first place, it must be indicated that the numbers reflected below refer only to the category of customers, since this profiling activity does not process data from potential clients, in accordance with what is stated in point b) of the Preliminary Considerations. (…)."

SIXTH: Information is obtained on the sales volume of the entity, the turnover for the year 2019 being €872,976,000. The share capital amounts to €135,155,574.

SEVENTH: On December 23, 2020, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 6 of the RGPD, typified in Article 83.5.a of the RGPD, stating that the corresponding sanction would amount to a total of 3,000,000.00 euros, without prejudice to the results of the instruction.

EIGHTH: Once the aforementioned initiation agreement was notified, the investigated entity submitted a writing of December 2020, reiterated on January 4, 2021, requesting an extension of the term in order to present allegations.
With the extension of the deadline dated December 30, 2020, a brief of allegations was submitted on January 19, 2021, in which it requests the annulment of the initiation agreement; subsidiarily, the archiving of the proceedings; and subsidiarily, in the event that it is considered responsible for the infractions of article 6, that a warning be imposed or, failing that, that the amount of the sanction be imposed in its minimum degree. In any case, it requests that the consents obtained not be declared null and that, if this is the case, the AEPD order the measures that in its opinion may be adequate to improve compliance with data protection regulations.

The aforementioned entity bases its requests on the allegations that, briefly, are set out below, which are divided into two groups:

A. In relation to the initiation agreement and the violation of principles of administrative action and the sanctioning procedure

1. It considers that, for the Agency, the complaint referred to in the first fact of the initiation agreement is relevant for its adoption, since in the SECOND factual antecedent it is stated verbatim that “In view of this claim, on October 16, 2019, the Director of the Spanish Data Protection Agency urged the Subdirectorate General for Data Inspection to initiate preliminary investigation actions to reveal how CAIXABANK CONSUMER FINANCE EFC, S.A.U is profiling the personal data of its clients in the context of its commercial activity, in order to verify its suitability to the personal data protection regulations."

It points out that the facts that motivate the initiation of a sanctioning procedure are part of the minimum content of the initiation agreement (article 64.2.b of the Spanish Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, hereinafter LPACAP) and that, despite the relevance that the complaint has in the Initiation Agreement, some details about the procedure followed with such Claim are missing since, although it is mentioned that it was transferred to the Data Protection Delegate of the person responsible for the treatment, no reference is made to the date of the transfer (November 29, 2018); it is erroneously indicated that the transfer of the claim was carried out in accordance with the provisions of article 65.4 of the LOPDGDD, when it was carried out in accordance with the provisions of article 9.4 of Royal Decree-Law 5/2018 (BOE July 30, 2018, repealed on December 7, 2018 by the LOPDGDD); and it is obvious that on February 7, 2019, the AEPD agreed not to admit the aforementioned claim for processing.

No motivation is given by the Agency for the fact that the inadmissibility of a claim gives rise, 8 months later, to the beginning of preliminary investigation actions. There is no direct connection between the content of the inadmissible claim and the initiation of preliminary actions.
The object of the complaint not admitted for processing was the fact that the complainant was included in a campaign of pre-granted credits, and such commercial communication was attributed to human error, qualified as isolated and exceptional; moreover, it was an error not related to the logic or the profiling process, but rather due to having considered that the interested party was still a client of the Entity; measures were adopted at the time so that it did not happen again, and the error, in any case, did not generate any damage to the interested party or to third parties.

From an isolated and exceptional human error whose only consequence for the interested party was their inclusion in a commercial campaign, and in respect of which the Director of the AEPD agreed not to admit the claim for processing, it apparently follows that, 8 months later, the same Director urges the Subdirectorate General for Data Inspection to initiate preliminary investigation actions in order to obtain information on the way in which CAIXABANK CONSUMER FINANCE EFC, S.A.U was “profiling the personal data of its customers in the context of its commercial activity", in order "to verify its adequacy to the regulations of personal data protection".

2. It affirms that, in general, the possibility of opening a period of information or of preliminary actions before initiating a sanctioning procedure is provided for in Article 55 of the LPACAP, and that it corresponds exclusively to the body competent to initiate such an administrative procedure to take that decision in its entirety, that is, not merely agreeing on the beginning; it should also specify the scope of the investigation. In this case, such decision corresponds exclusively to the Director of the AEPD, as head of the administrative body.
The information request issued on February 6, 2020 clearly exceeded the instructions on the preliminary actions given by the Director of the Agency, in particular regarding the scope of the investigation, since what was urged by the Director of the AEPD on October 16, 2019 was to find out how the profiling of the personal data of "CPC clients" was carried out; however, the information request that was completed surprisingly expanded its scope, since the Inspector decided to also include “potential customers”, an undoubtedly significant change that exceeds the powers of the personnel who carry out the investigation activity, which are specified in article 53 of the LOPDGDD, since these must be limited to investigating what the head of the administrative body has decided should be the object of preliminary investigation actions. We do not know whether we have to continue attributing this circumstance to a new error in the processing or whether it is common practice for inspectors to arbitrarily decide on the scope of the preliminary investigation actions, ignoring the instructions of the head of the administrative body; we hope, in any case, that the Agency will pronounce on the matter.

3. It affirms that, perhaps, the explanation for some of the doubts raised about the reasons why the Initiation Agreement has been issued lies in the fact that the actions related to it have been fed by another sanctioning procedure against CAIXABANK, S.A.
(procedure number: PS/00477/2019), whose lengthy processing runs parallel to the actions related to the Initiation Agreement, and in which the same collection of consents for profiling has also been the object of investigation and resolution, so that we would find ourselves before an alleged case of violation of the principle "non bis in idem", in the first place from the material perspective, which requires the Agency to avoid duplicity of sanctions for the same acts; that is, it could lead to the same conduct being sanctioned twice, since the conduct that gives rise to the Initiation Agreement (alleged lack of consent for profiling treatment) is the same one that has already been subject to resolution by the AEPD on January 7, 2021 in the sanctioning procedure against CAIXABANK, S.A., for which reason the Initiation Agreement, in the unlikely event that the sanctioning procedure brought against CPC continues to be processed, could violate the principle “non bis in idem”, prohibited in our legal system.

CPC is part of the CaixaBank Group. The way this Group has been structured responds to the regulation of the banking sector, which means that many treatments are carried out under a co-responsibility regime; in particular, that co-responsibility applies to the treatment identified in section 6.1. (TREATMENTS BASED ON CONSENT), with the letter A, described as “Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you”, in the privacy policy of CAIXABANK, S.A., in its version of December 17, 2020, publicly available at https://www.caixabank.es/particular/general/politica-privacidad.html, and in the CPC Privacy Policy, available at https://www.caixabankpc.com/, at the bottom of the page in the link "Privacy Policy".

There is an identity of the sanctioned subject, since CAIXABANK, S.A.
and CPC are part of the CaixaBank Group, which as companies act under a co-responsibility regime regarding treatments that involve the elaboration of profiles for the same business activity, and in both cases the alleged infringement is of Article 6 of the RGPD, on the same treatment and with a material link to the same collection of consents; therefore, we are faced with an indisputable identity of subject, fact and foundation, and consequently what would be in accordance with the law would be to proceed to archive the agreement to initiate the sanctioning procedure brought against CPC, in order for this Agency to comply with the legal system and not arbitrarily depart from its own administrative precedents (a question on which we will dwell, from another perspective and in detail, later).

4. It alleges that Article 9.3 of the Constitution prohibits the arbitrary action of the public powers, and article 103 obliges the Public Administration to serve the general interests with objectivity, considering that the agreement to initiate this sanctioning procedure is an arbitrary action that does not objectively pursue the general interest, evidencing, in addition, a discriminatory treatment with respect to other administered parties. It is surprising to this party that, if the Agency had a special concern about the adaptation to the personal data protection regulations of the treatments carried out by financial entities, it would not have proceeded to propose a preventive audit plan since, as provided in article 54 of the LOPDGDD, the Presidency of the Spanish Data Protection Agency may agree to carry out preventive audit plans referring to the treatments of a specific sector of activity.
What causes us astonishment and raises doubts about the application of the principle of equal treatment is that for other sectors it seems that the Agency has been more sensitive and has preferred to take a more preventive approach in its supervisory activity. The administrative action of the AEPD is erratic, based on the application of disparate criteria when deciding what mechanisms to use with one or another entity or sector, especially taking into account that the Director of the institution has, in public statements, equated certain sectors and, nevertheless, has afterwards decided to apply very different criteria of administrative action.

We are well aware that already in 2016 CAIXABANK, S.A. shared with the AEPD aspects that have now been sanctioned, or for which it is now intended to sanction CPC, when it decided of its own accord to communicate to the authority a documentary structure related to the adaptation of the Caixabank Group to the RGPD, also expressly requesting a meeting or contacts in order to obtain and adopt the criteria and recommendations that the AEPD might have wished to convey in this regard; initial steps that were unsuccessful despite the insistence of CAIXABANK, S.A. Thus, the Caixabank Group adopted a diligent and preventive attitude, and the effect has been that the AEPD has adopted an exclusively punitive attitude towards the Caixabank Group. Where, then, is the role that the AEPD must assume, according to the provisions of article 57.1.d of the RGPD, to “promote awareness of those responsible and in charge of the treatment about the obligations that concern them”?

5.
When the Director of the AEPD, in interviews with the media at the beginning of 2020, announced in advance the result of sanctioning files that had just been initiated, she violated the principle of presumption of innocence (a question which we will discuss in depth later), but she also failed in the due discretion that an authority must maintain in relation to this type of matter, and even further, she also forgot the provisions of article 54.2 of the RGPD, which provides that: “The member or members and the staff of each supervisory authority shall be subject, in accordance with the law of the Union or of the Member States, to the duty of professional secrecy, both during their mandate and after it, in relation to the confidential information of which they have had knowledge in the performance of their functions or the exercise of their powers.”; so, to give three examples, we have the following interviews and public interventions of the Director of the AEPD, the Ilma. Ms. Mar España Martí:

- On January 13, 2020, in an interview in "Cinco Días" by El País, one of the statements of the Director of the AEPD is used as its headline: “There are files on large companies that can end in very high penalties" https://cincodias.elpais.com/cincodias/2020/01/10/legal/1578667140_483443.html

- On February 9, 2020, in another interview in “La Voz de Galicia”, one of the statements of the Director of the AEPD is again used as the headline; in this case with full conviction that sanctions will be imposed: “There will be very important sanctions for violating data protection" https://www.lavozdegalicia.es/noticia/sociedad/2020/02/08/marespana-habra- important-sanctions-violate- dataprotection / 00031581176394099239215.htm

- On March 13, 2020, in the chronicle of the magazine “Elderecho.com” (from the publisher Lefebvre), on the XII Privacy Forum, organized by ISMS Forum, together with the Data Privacy
Institute (DPI), held on March 3, 2020 at the Main Auditorium of CaixaForum Madrid, a part of the intervention of the Director of the AEPD is reported in the following terms, which already provided more precise details on these planned sanctions: “We already have two or three high-impact sanctioning procedures that will have a lot of media coverage in relation to the financial sector; they will be the first major quantitative fines by the Agency."

In relation to the last statement referenced, it is evident that media repercussion is the main result sought by the aforementioned sanctioning procedures, despite their still being at that time in very initial phases of processing, an impact derived from the fact that they were going to involve "significant quantitative fines", not so much from the result of protecting the fundamental right to the protection of personal data and data subjects, which is not so much in the background as simply seeming to have no relevance whatsoever in those sanctioning procedures; at least that conclusion can be drawn from what was expressed by the Director of the AEPD, since there does not seem to be a general interest to protect, nor damages to remedy, nor legal assets to preserve. Everything is reduced to the goal of achieving "a lot of media coverage."

It should be remembered that the request for information that was addressed to CPC took place on February 6, 2020 and the agreement to initiate the sanctioning procedure against CAIXABANK, S.A. on January 21, 2020.
As has been amply demonstrated, already at that very moment the Director of the AEPD had the capacity to foresee that there would be very important sanctions; previously, just a month before, on December 2, 2019, the AEPD had agreed to start the sanctioning procedure against the entity BBVA, which was resolved with the imposition of a total fine of five million euros; that is, in less than 3 months, actions were started in relation to financial entities and it was already known that all of them would result in large administrative fines, fines of amounts not imposed until then, even though the RGPD and its sanctioning regime had already been applicable since May 25, 2018.

Regarding the aforementioned violation of the fundamental right to the presumption of innocence, recognized by article 24.2 of the Spanish Constitution, the Constitutional Court has projected the content of this fundamental right onto administrative sanctioning procedures. For this purpose, SSTC 129 and 131, both of June 30, establish: “(…) the presumption of innocence governs without exceptions in the sanctioning system and must be respected in the imposition of any sanctions, be they criminal or administrative (...), since the exercise of ius puniendi in its various manifestations is conditioned by article 24.2 of the Constitution to the interplay of evidence and to a contradictory procedure in which one's own positions can be defended." This principle is also expressly stated for administrative sanctioning procedures in article 53.2.b) of the LPACAP.

The presumption of innocence has a double essential meaning; on the one hand, it is a rule of judgment and, on the other, it constitutes a rule of treatment, that is, in relation to the treatment that must be given to the accused during the processing of the sanctioning procedure.
In this sense, constitutional jurisprudence obliges us to consider the accused innocent and to treat him as such during the processing of the entire procedure, both inside and outside of it, which means that he cannot be punished before being proven guilty. Thus, STC 25/2003, of 10 February, stresses that “the presumption of innocence, in addition to constituting a principle or informing criterion of the criminal procedural order, is, above all, a fundamental right by virtue of which a person accused of an offense cannot be considered guilty until this is so declared in a conviction”. Ad extra, the presumption of innocence as a rule of treatment implies that the Administration cannot harm the accused in other areas precisely because a sanctioning procedure is being processed against him or, in general, because he is suspected of having committed an administrative offense. In the present case, we are faced with the initiation of a sanctioning procedure, preceded by a request for prior information of February 6, 2020. Well, before the mandatory administrative period to respond to said request expired, specifically on March 3, at an event of the ISMS Forum held in Madrid, as has already been described in detail above, the Director of the AEPD, the highest authority of the institution and the person competent to resolve the present file, publicly pointed out the existence of two or three high-impact sanctioning procedures that were going to have great media impact in relation to the financial sector. In accordance with articles 24.2, 103.1 and 3 CE –and art.
6.1 of the European Convention on Human Rights-, any action of the Public Administration must obey the principles of objectivity and impartiality; however, in this case, without having yet assessed the response to the request for information, since this was submitted on June 2, 2020 (almost three months after the aforementioned statements of the Director), the person who has to resolve, and to whom, in addition, as the highest authority of the AEPD, inspectors and instructors report hierarchically, far from keeping any semblance of justice, decided (publicly) that there would be a sanction, and this without even having agreed to initiate the sanctioning procedure. It should be noted that the Director of the AEPD is not only the one who issues the resolutions; according to article 12.2 i) of the Organic Statute of the AEPD (RD 428/1993 of March 26), one of the Director's functions is that of “initiating, promoting the instruction of and resolving the disciplinary proceedings concerning those responsible for private files”. And it should also be noted that the AEPD is the only one of the so-called independent administrations that entrusts the final resolution of files not to a collegiate body but to a single person. Therefore, there is no room for debate in the claim that it is that person's will alone that informs the instructor's drive and that will determine the final resolution of the administrative file. So then, if the very person who is going to resolve this sanctioning procedure, the person who has been promoting its instruction, in short, the highest authority of the institution, was clear, before hearing what CPC had to say about it, that he was going to sanction it, and was so clear as to say so at a public event, it is difficult to understand that there has not been a flagrant infringement of the fundamental right to the presumption of innocence (article 24.2 of the Constitution). This, ultimately, should lead to the immediate nullity of the administrative actions. Likewise, in the resolutions of sanctioning procedures of this Agency in which the data controller is sanctioned for infringement of Article 6 GDPR (see PPSS 00235/2019, 00182/2019, 00415/2019), and which take into account the status of a large company and business volume, among others, the sanctions do not even come close to the economic level of the sanction proposed in this Initiation Agreement, since they have ranged between € 60,000 and € 120,000. In this sense, it is not understood what this Agency relies on to modulate the economic sanctions, since the Initiation Agreement neither gives reasons for nor minimally explains the application of the criteria for graduating the sanction, nor the fact of deviating from them in the proposed sanction, in very similar cases. In line with the previous point, in the alternative, and in the unlikely event that this Agency resolved that it should sanction CPC for the infringements charged and did not accept these allegations, this representation understands that the following criteria for assessing sanctions established in Article 83.2 GDPR would apply (as mitigating circumstances): (a) Any measure taken by the controller or processor to alleviate the damages suffered by data subjects (art. 83.2.c) GDPR): CPC has made a significant effort during recent years - and especially since the entry into application of the GDPR and the merger held on July 11, 2019 - to provide its customers with the pertinent information on the processing of their personal data in an appropriate way. The clearest example of this initiative is constituted by the different versions of the privacy policies and clauses, a fact that reaffirms the proactivity and spirit of continuous improvement of CPC.
This behavior demonstrates a clear exercise of transparency and loyalty, as well as proactive and diligent activity by CPC in relation to compliance with data protection regulations, in addition to demonstrating CPC's eagerness to repair potential errors, if any, at the time of obtaining the consent of the interested parties. The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement (art. 83.2.f) GDPR): CPC has shown, at all times, its willingness to collaborate with the Agency in order to improve those aspects of the processing that are susceptible to improvement. As shown in this Brief, CPC has launched a series of measures aimed at this improvement in the collection of consents. Thus, these circumstances must be assessed by the Agency as mitigating. It should be remembered that both CPC and its data protection officer have been, at all times, available to cooperate and have been proactive in responding to any requirements of the Agency.
Omitting the criteria previously indicated, the Initiation Agreement refers, without justification or motivation, to the following criteria in relation to each imputed infringement, limiting itself to simply listing them, without even indicating whether they apply as aggravating or mitigating so that we might understand the intention of the AEPD (and which, given the disproportionate proposed penalties, we can only interpret as aggravating). Next, we refer to those criteria that are most notably far from reality: (a) The nature, seriousness and duration of the infringement (art. 83.2.a) GDPR): It is surprising that the AEPD proposes imposing on CPC a fine of such a high amount for issues that are not particularly serious:
- We are not facing a case in which CPC has radically disregarded the obligations related to obtaining consents, without prejudice to the fact that the AEPD considers that certain issues should be corrected, which could improve the way consents are collected.
- No special categories of data are processed (art. 9 GDPR and 9 LOPDGDD).
- To date, the sanctions imposed for violation of article 6 GDPR have not reached the economic level proposed in this Initiation Agreement (with the exception of the sanction imposed on the entity BBVA, already referenced).
- There is only one claim from a CPC client (a claim, let us remember, inadmissible for processing).
That said, even in the event that the Agency sees hypothetical indications of an infringement of the regulations on personal data protection, it should be taken into account that no damage or harm has been caused to CPC clients.
The processing of personal data, in accordance with the operations explained in the maximum level of detail in the response to the request for information, is that necessary for the development of CPC's own activity, as well as for the corresponding purposes when the legal basis of the processing is the consent freely given by the interested party, and is carried out in accordance with the requirements of the applicable regulations on data protection and the sectoral regulations. The importance that first the GDPR and later the LOPDGDD have granted to the fact that the conduct of the data controller causes serious and effective damage to the rights of those affected should be highlighted. In the present case we understand that no such damage has occurred and that, therefore, it is neither serious nor effective. The former Article 29 Working Party, in its Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (WP 253, adopted on October 3, 2017), ratified by the European Data Protection Board (hereinafter, "CEPD"), refers to this issue in the following terms: “If the interested parties have suffered damages, the level of the same.
The processing of personal data may generate risks for individual rights and freedoms, as stated in recital 75: «The risks to the rights and freedoms of natural persons, of varying severity and probability, may result from data processing that could cause physical, material or immaterial damage, particularly in cases where the processing may give rise to problems of discrimination, identity theft or fraud, financial loss, reputational damage, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other significant economic or social damage; in cases where the interested parties are deprived of their rights and freedoms or are prevented from exercising control over their personal data; in cases where the personal data processed reveal ethnic or racial origin, political opinions, religion or philosophical beliefs, union membership and the processing of genetic data, data related to health or data on sex life, or criminal convictions and offenses or related security measures; in cases where personal aspects are evaluated, in particular the analysis or prediction of aspects related to job performance, financial situation, health, personal preferences or interests, reliability or behavior, situation or movements, in order to create or use personal profiles; in cases where personal data of vulnerable people, particularly children, are processed; or in cases where the processing involves a large amount of personal data and affects a large number of interested parties». If damages have been suffered or are likely to be suffered due to the infringement of the Regulation, the supervisory authority must take this into account when selecting the corrective measure, even if the supervisory authority lacks powers to grant specific compensation for damages suffered”. Well, as we say, in the present case no harm whatsoever to the rights of those affected has been proven, nor has the sole claimant been able to prove such damages, their claim having been declared inadmissible by the Agency. This circumstance must be taken into special account when determining the hypothetical infringement and the sanction that, if applicable, could be imposed. The above is also borne out by the fact that there have been no other complaints or legal actions for these events. That is, no damage whatsoever has occurred that could be the subject of an action before the competent jurisdictional bodies, since CPC has acted, at all times, in full compliance with the regulations on personal data protection. (b) The intentionality or negligence observed in the commission of the infringement. There is no intentional conduct in relation to the violation of the regulations on protection of personal data. CPC has acted diligently, establishing clear procedures in relation to the information made available to clients and procedures for obtaining their consent. CPC has a desire for continuous improvement and transparency, a fact that is reflected in the evolution of the documents and in the improvement of the information contained in them. (c) The high link of CPC's activity with the processing of personal data. CPC is a subsidiary of the CaixaBank Group and, as a financial credit institution, its activity is consumer finance and means of payment; in no case is its main activity the processing of the personal data of its clients beyond what is necessary for the development of that main activity, nor does it benefit financially from the processing of the personal data of its customers. (d) High volume of data and processing that constitutes the object of the file.
The volume of data corresponds to what is essential to be able to carry out CPC's activity normally and, in no case, does the alleged infringement affect all the processing of personal data carried out by CPC, nor is all the information relating to customers used. 6. The Initiation Agreement breaches the principle of legitimate confidence in administrative action; As has already been described in these allegations, in November 2018, the AEPD forwarded the claim and made a request for information (Ref. E / 09305/2018) to the Data Protection Officer following a complaint filed by D.A.A.A. Based on the information provided by CPC and on the reasons stated, the AEPD, on February 7, 2019, agreed to the inadmissibility for processing of the claim presented, a fact that generated in CPC legitimate confidence that its conduct was in accordance with the law; months later, preliminary investigation actions began, supposedly based on the Claim, resulting in the Initiation Agreement. We have already asked ourselves before: how is it possible to start preliminary investigation actions based on a claim that has not been admitted for processing by the AEPD itself? This action can only be characterized as a breach of legitimate confidence, one of the essential principles of administrative action. Said principle, of jurisprudential construction first by the CJEU and then by the Supreme Court, and subsequently recognized in article 3 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector, is closely interrelated with the principles of good faith and legal certainty and implies that "the public authority cannot take action that is contrary to a reasonable expectation induced on stability in the decisions of the former, and based on which individuals have adopted certain decisions" (STS 173/2020).
On the other hand, the permissiveness shown towards other subjects serves as a reference. In this sense, the AEPD has made public other actions, of a preventive nature, that provide a series of recommendations to other sectors of activity in relation to the relevant legal basis to apply to commercial profiling; recommendations that CPC applies equivalently in setting up its processing. As we say, those recommendations for other sectors create a legitimate confidence, reinforced by the AEPD's own conduct in refraining from sanctioning acts of an identical nature to those attributed to CPC, which would completely negate the required element of guilt "for legitimate and invincible belief of being acting lawfully" (Sic. SAN of March 30, 1999). In this sense too, the doctrine derived from the SAN of October 19, 2006 concludes that “(…) The relationship of those administered with the Administration must be based on legitimate confidence, confidence that can only be generated when there is predictability and security in the action of the Administration. (…) And no reproach can be made by the Administration -not even simple non-observance- to one who adjusted his conduct to its guidelines -he "observed" them fully”. 7. There is also an artificial and unlawful extension of the preliminary actions; As has been repeatedly described, the AEPD, in its own words, initiates a sanctioning procedure in view of a claim declared inadmissible for processing. The preliminary investigation actions agreed by the AEPD supplanted the instruction activity, having been prolonged almost to expiration. The Initiation Agreement rests, practically in its entirety, on incriminating elements collected during the preliminary actions phase.
The preliminary investigation actions constitute a mechanism enabling the action of the Administration, conferred upon it "in order to achieve a better determination of the facts and circumstances that justify the processing of the procedure" (article 67 of Organic Law 3/2018) or "in order to know the circumstances of the specific case and whether or not to initiate the procedure" (Article 55 LPACAP). The initiation of preliminary investigation actions has a very limited purpose: to assemble an indicative base of elements of judgment (not evidence) that allow a minimum certainty as to the occurrence of the event, its typicality and the person responsible, and with it, the appropriateness of initiating a sanctioning procedure in that regard. From the moment the Administration is certain of the commission of the facts and the identity of the person responsible, even if it is not fully accredited, it is obliged, for the sake of due respect for the Constitution and the guarantees enshrined therein, to immediately initiate the appropriate sanctioning procedure. In this sense, the Supreme Court has stated, among others in the Judgment of December 26, 2007, that preliminary investigation actions will only be worthy of such consideration (and therefore, of the legal regime applicable to them) "to the extent that those preliminary or preparatory proceedings serve the purpose that really justifies them, that is, to gather the data and initial indications that serve to judge the pertinence of giving way to the sanctioning file, and are not denaturalized by becoming a surreptitious alternative to the latter." Similarly, the Judgment of the Supreme Court of June 9, 2006 has highlighted the need to safeguard the constitutional guarantees of the administered in cases such as the one in question: "As results from this rule, prior information is not mandatory, this Chamber having declared in a judgment of November 6, 2000 that “if sufficient data is available to initiate the file, the reserved information should not be carried out, because it is unnecessary and because the fundamental rights of defense of art. 24.2 of the C.E. demand the granting of the status of accused or subject of the file, thus avoiding the risk of using the delay to conduct interrogations in which the person being interrogated would be in a disadvantageous situation”". Especially striking in this case is the time elapsed between the inadmissibility for processing of the claim and the request for prior information, that is, more than a year; or the extension of the period of preliminary investigation actions for a period of 14 months, albeit taking into account the already mentioned incidence of the pandemic. The Supreme Court itself, in its Judgment of May 6, 2015, establishes the following: "(...) this Chamber has declared that this period prior to the initiation agreement «(...) must be necessarily brief and must not conceal an artificial way of carrying out acts of instruction and of masking and reducing the duration of the subsequent file itself» (judgment of 6 May 2015, appeal 3438/2012, F.J. 2º)". In addition, during this period a parallel sanctioning procedure has taken place against CAIXABANK S.A. (parent company of the group to which CPC belongs), in which, coincidentally, an infringement of article 6 GDPR is also imputed, in relation to the same processing.
Thus, taking into account the inadmissibility for processing of the claim, the time elapsed until the preliminary actions were opened and the sanctioning proceeding against CPC's parent company, it follows that both the preliminary actions and the agreement to initiate the sanctioning procedure that is the subject of these allegations (Penalty Procedure) are the result of the information obtained in another administrative procedure. B. In relation to the alleged offense. The consent of the interested parties is specific and duly informed. In the Initiation Agreement the AEPD considers, erroneously, that the consent collected by CPC for profiling purposes is not specific, since the administrative body interprets that it does not meet the requirement of separation of purposes and consequent provision of consent for each of them, to which is added the assessment that the consent given is not informed either. Thus, due to the absence of the requirements relating to the provision of specific and informed consent, it would presumably not be valid, implying, therefore, that the processing based on the consent of the interested party would lack legitimacy for an alleged breach of the provisions of article 6 of the GDPR. The foregoing is justified in the Initiation Agreement on the basis of five factors in CPC's current operations that, according to the AEPD, would not be aligned with the provisions of the applicable regulations regarding the protection of personal data. i.
There is an alleged extension of the purposes of the processing: the AEPD affirms that, when informing about the processing for the "offer and design of products and services tailored to the client's profile", purposes are added such as:
- Adjust recovery measures on defaults and incidents derived from the products and services contracted;
- Analyze possible economic interdependencies in the study of service offers, risk requests and product contracting;
- Assess the services received;
- Design new products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank Payments & Consumer and the CaixaBank Group companies.
ii. The data is communicated to the companies of the Group without legal basis: consent is requested for the CaixaBank Group, which according to the AEPD constitutes a communication of data to the companies of the Group, which in turn would constitute a specific purpose in itself that would therefore require a manifestation of will of the interested party consenting to its being carried out.
iii. The interested party cannot know the data that will be processed for profiling: according to the AEPD, the information provided to the interested party includes data that are not going to be processed and, however, the interested party is allegedly not informed of the processing of other data that will be subject to it, such as the consultation of solvency files and the Risk Information Center of the Bank of Spain, or the so-called “Risk Score”.
iv. Data in solvency files are processed for profiling for credit rating purposes without a legal basis for the processing.
v.
The interested party is not informed about the profiling operation related to the “Risk Score”: according to the AEPD, the interested party is not informed about this new profiling operation, nor about the legal basis that allows it to be carried out, nor about the data used to carry it out. It is claimed that each of the above statements does not correspond to reality, on the following grounds: i. There is no extension of the purposes of the processing. The AEPD takes issue with the requests for consent since, when informing about the data analysis and study processing for commercial purposes, they include processing not compatible with said purpose which, therefore, requires a specific consent request. The truth is that this confusion is due to a slight error in the informative clause, in which the mistake was made (corrected in the current CPC Privacy Policy, aligned in turn with that of CAIXABANK, S.A.) of listing processing operations that are not carried out on the basis of the consent obtained for profiling; specifically:
- Track the products and services contracted: processing necessary for the execution of the contractual relationship with the interested party;
- Adjust recovery measures on defaults and incidents derived from the products and services contracted: processing necessary for the execution of the contractual relationship with the interested party;
- Associate your data with those of other clients or companies with which you have some type of bond, whether family or social, as well as through their ownership and administration relationships, in order to analyze possible economic interdependencies in the study of service offers, risk requests and contracting of products: processing necessary for the execution of the contractual relationship with the interested party.
In addition, it is processing necessary to comply with the obligations established in Law 10/2014, of 26 June, on the Regulation, Supervision and Solvency of Credit Institutions, in Law 44/2002, on Financial System Reform Measures, as well as for compliance with the other obligations and principles of the regulations on responsible lending;
- Carry out studies and automatic controls of fraud, defaults and incidents derived from the products and services contracted: processing carried out because it is necessary for the satisfaction of CPC's legitimate interest in avoiding fraud that entails economic or reputational losses for it;
- Carry out satisfaction surveys by telephone or electronically in order to assess the services received: processing necessary for the execution of the contractual relationship with the interested party;
- Design new products or services or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CPC and the CaixaBank Group companies: this processing is not done with personal data but by analyzing statistics and aggregated data after anonymization processes.
This incident, after being detected, has been corrected by the CaixaBank Group and, therefore, also by CPC, through the development of a new Privacy Policy in which the processing carried out for analysis and study for commercial purposes is correctly and precisely detailed. However, although CPC acknowledges the aforementioned circumstances, and regardless of whether this has been corrected, it does not have as a consequence that consents are being collected for different purposes under a single, unifying question, a fact that could indeed affect the principle of specificity of consent.
Consent is only requested for the purpose of studying products or services that could be adjusted to the profile or specific commercial or credit situation of customers in order to send them commercial offers tailored to their needs and preferences. The fact that other additional purposes were included when reporting on the above purpose does not imply that different purposes are authorized en bloc: in the event that the interested party gives consent to profiling, their data will be processed only for the initial purpose based on the consent given. The rest of the purposes will be carried out only in the event that the necessary requirements are met for the legal bases listed previously to apply in each case. ii. The data is not communicated to the companies of the CaixaBank Group without legal basis. The Initiation Agreement indicates that the fact of requesting the consents for the CaixaBank Group constitutes a communication of data to the companies of the Group. Said alleged communication of data to the companies of the Group would constitute a specific purpose in itself that would therefore require, according to the AEPD, a manifestation of will of the interested party consenting to its being carried out. However, it should be noted that there is no data communication whatsoever, since there is a co-responsibility regime between the companies of the CaixaBank Group, because there is an agreement to jointly determine the objectives and means of the processing that is the subject of the Initiation Agreement, as provided in article 26 of the GDPR.
As specified by the CEPD in its “Guidelines 07/2020 on the concepts of controller and processor in the GDPR” (adopted on September 2, 2020), the assessment of co-responsibility should be based on a factual, rather than formal, analysis of the influence on the determination of the purposes and means of the processing; for example, co-responsibility may take the form of a decision made by two or more entities, or it may be the result of convergent decisions of two or more entities regarding essential purposes and means. Therefore, co-responsibility is based on decisions made by the different entities that want to act as joint controllers of the processing; that is, it depends on their willingness to act jointly, without prejudice to the fact that, in specific cases, a rule may also expressly establish that co-responsibility. The situation of co-responsibility based on convergent decisions derives from the case law of the Court of Justice of the European Union, so that decisions are considered to converge on purposes and means if they complement each other and are necessary for the processing to take place, so that an important criterion for identifying convergent decisions in this context is whether the processing as a whole would not be possible without the participation of the co-responsible entities. Likewise, the CEPD indicates that the existence of co-responsibility does not necessarily imply equal responsibility of the different operators involved in the processing of personal data; on the contrary, the CJEU has clarified that those operators may be involved at different stages of the processing and to different degrees, so that the level of responsibility of each of them must be evaluated taking into account all relevant aspects and circumstances of the particular case.
Therefore, there is no communication of the data between the companies of the Group but rather a direct collection of them by the companies within the scope of co-responsibility. The consents that are the subject of the Initiation Agreement are managed within the framework of the aforementioned co-responsibility. This is because it would be neither operational for the Group entities nor easy to handle for the interested parties themselves to manage separately the consents for processing that is carried out jointly in the context of the activities of the CaixaBank Group for the same purpose and with the same means, in relation to data for which the entities of the Group are jointly responsible. However, the aforementioned co-responsibility responds not only to making the management of consents more operational and to making it easier for interested parties to manage and understand the processing carried out on the basis of their consent, but also to regulatory needs. In this sense, a large part of the CaixaBank Group entities, including CPC, are required to exercise special diligence when granting an asset operation; diligence that translates into the duty to carry out an in-depth analysis of the client's ability to borrow, as well as to meet the obligations derived from the contracting of its products. These obligations are set out in the regulations on transparency of operations and protection of customers (see articles 29.1 and 14 of Law 2/2011, of March 4, on the Sustainable Economy, and of Law 16/2011, of June 24, on consumer credit contracts, respectively). Additionally, the aforementioned regulations also require taking into account the specific rules on risk management and internal control included in the current legislation on prudential regulation of credit institutions.
The regulations on prudential regulation of credit institutions, or regulations on credit solvency requirements, have been implemented and adapted to the European Union legal system through the following standards:
- EU Regulation No. 575/2013, of June 26, 2013, on the prudential requirements of solvency and risks of credit institutions and investment companies;
- Directive 2013/36/EU, of June 26, 2013, on access to the activity of credit institutions and the prudential supervision of credit institutions and investment companies, transposed into Spanish law by Law 10/2014 and Royal Decree 84/2015.
In accordance with the regulations listed, the entities and consolidable groups of credit institutions (1) must effectively control risks, both individually and in aggregate (2), a fact that implies that the CaixaBank Consolidated Group must carry out risk management in the joint or global scope of the mentioned Group. This management includes the admission of risks and, consequently, the study of the solvency and repayment capacity of the applicant for an asset operation.
(1) Circular 4/2017, of November 27, of the Bank of Spain, to credit institutions, on rules of public and reserved information and financial statement models, defines the nature and content of the consolidable groups of credit institutions: Consolidable groups of credit institutions: These are those groups that have to comply with prudential requirements, on a consolidated or sub-consolidated basis, established in Regulation (EU) 575/2013 of the European Parliament and of the Council, of June 26, 2013 […].
(2) Article 40.1 of Law 10/2014 establishes the subjective scope of application of the Solvency regulations, this being applicable to: a) credit institutions; b) consolidable groups and subgroups of credit institutions.
It should also be mentioned that the European Central Bank, in the exercise of its supervisory powers, carried out the inspection identified as OSI-2017-1-ESCAX-3084, in which it identified, as a deficient aspect in relation to the requirements of the Prudential and Solvency Regulations applicable to the CaixaBank Consolidated Group, the non-integration of all the databases of the entities of the Consolidated Group. Due to the above, co-responsibility does not only imply operational benefits for the Group but is necessary for proper compliance with the legal obligations of CPC and of the rest of the entities of the CaixaBank Consolidated Group. This necessarily implies that said co-responsibility will have implications not only in those treatments carried out in strict compliance with mandatory legal obligations but also in some carried out on the basis of the consent of the interested parties. This would be the case of data analysis and study treatments for commercial purposes. It is necessary to take into account the type of products marketed by the CaixaBank Group and, specifically, by CPC. As reported in the response to the Information requirement prior to the Initiation Agreement, CPC, as a financial credit establishment, offers and markets loans. Therefore, and although the treatment related to commercial profiling is carried out based on the consent of the interested party, it must be done in compliance with the legal obligations applicable in each case.
In other words, considering that personalized loan offers are binding on CPC (in the sense that, if the client accepts the offer, the product conditions will be those previously offered), when making them CPC must also comply with the prudential and solvency regulations, even when the treatment is done based on the consent of the interested party. It is for the above reasons that the CaixaBank Group chose to carry out a centralized management of consent for commercial purposes, including the treatment of data analysis and study; so the fact that consent is requested for the CaixaBank Group does not constitute a communication of data to the companies of the Group, but is a consequence of co-responsibility in the terms set forth in the previous paragraphs.
iii. The duty to inform the interested parties is adequately fulfilled in relation to the data that is processed for profiling
In the Initiation Agreement it is considered that the interested party cannot know the data that will be treated for profiling since the information provided will include data that will not be subject to such treatment and, however, always according to the AEPD, the interested party is not informed of the processing of other data that will be the object of the same. Based on the foregoing, and according to the criteria of the AEPD, it is concluded that the consent given for profiling purposes is not properly informed, so it would not be valid. In this regard, it is necessary to take into account two factors: first, the fact that the categories of data being processed are not among the minimum information described in article 13 of the RGPD for the consent to be informed; secondly, and despite it not being mandatory to report it, the information provided does allow interested parties to know the data that will be treated for profiling. Next, both listed factors will be developed in greater depth.
Regarding the obligation to inform about the type of data that is the object of treatment, it should be noted that neither article 13 RGPD, nor the corresponding Article 11 of the LOPDGDD, require that interested parties be provided with this information on a mandatory basis; it is required under article 14 RGPD when the data is not obtained directly from the interested party, but this is not the case analyzed by the AEPD. Additionally, in the RGPD itself, by establishing in its recital 42 the information that the interested party must know for consent to be informed, it is determined that the interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data are intended. Notwithstanding the foregoing, CPC decided to provide interested parties with additional information regarding the processing of their personal data. Thus, in addition to the minimum information established by article 13 RGPD, the categories of personal data being processed for the purpose of data analysis and study were reported. Regarding said information provided, the AEPD considers that it is insufficient, erroneously stating that CPC does not report the consultation of solvency files and of the Central Bank of Risk Information of the Bank of Spain or the “Risk Score”. It is not true that such uses of the data are not reported, and we understand that this claim is due to the lack of analysis of the information provided to interested parties as a whole. The AEPD limits the information provided to interested parties in relation to the personal data that is the object of treatment to the following:
The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the commercial offer of products and services will be:
a) All those provided in the establishment or maintenance of commercial or business relationships.
b) All those generated in the contracting and operations of products and services with CaixaBank Payments & Consumer, with the CaixaBank Group companies or with third parties, such as account or card movements, details of direct debit receipts, payroll direct debits, claims derived from insurance policies, claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the CaixaBank Group obtain from the provision of services to third parties, when the recipient of the service is the Holder, such as the management of transfers or receipts.
d) Whether or not the Holder is a CaixaBank shareholder as recorded in the records of the latter, or of the entities that, according to the regulations of the securities market, must keep records of the securities represented by means of book entries.
e) Those obtained from the social networks that the Holder authorizes to consult.
f) Those obtained from third parties as a result of requests for aggregation of data requested by the Holder.
g) Those obtained from the Holder's navigations through the website service of CaixaBank Payments & Consumer and other websites of this and/or of the CaixaBank Group companies, or the mobile phone application of CaixaBank Payments & Consumer and/or of the companies of the CaixaBank Group, in which the Holder operates, duly identified. These data may include information regarding geolocation.
h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties.
The data of the Holder may be complemented and enriched by data obtained from companies that provide commercial information, by data obtained from public sources, as well as by statistical and socioeconomic data (hereinafter, “Additional Information”), always verifying that they meet the requirements established in current regulations on data protection.
The previous fragment, transcribed in the Initiation Agreement, is part of the general conditions that are provided to the interested party in the framework of the contracting of a product and in which the interested party is informed of the provisions of article 13 of the RGPD. However, the AEPD, when assessing the information provided to interested parties regarding the typology of data that is the object of treatment, has not taken into account the rest of the general conditions. Specifically, the transcribed fragment corresponds to point 26.4. (ii) of the general conditions. In this sense, it indicates as a typology of data processed for the purpose of data analysis and study, “All those provided in the establishment or maintenance of commercial or business relationships” (excerpt underlined in the fragment transcribed herein). It could only be considered that not enough information is provided regarding the categories of personal data being processed if only this fragment of text were provided to the interested parties, but more information is added. Section 26.3 of the general conditions (prior to the 26.4.ii transcribed in the Initiation Agreement) specifies in greater detail what data will be processed for the establishment or maintenance of commercial relations:
“Payments & Consumer and, where appropriate, the CaixaBank Group companies, is obliged by different regulations and agreements to carry out certain treatments of data of the people with whom it maintains Business Relationships, as indicated in the following sections of this clause (hereinafter, “Treatments with Regulatory Purposes”). These treatments are necessary for the establishment and maintenance of Commercial Relations with CaixaBank Payments & Consumer and/or with the companies of the CaixaBank Group, and the Holder's opposition to them would necessarily entail the cessation (or non-establishment, where appropriate) of these relationships.
In any case, Treatments for Regulatory Purposes shall be limited exclusively to the stated purpose, without prejudice to other purposes or uses that the Holder authorizes according to the provisions of clause 26.4. of the present document"
Thus, in the transcribed fragment it is indicated that, due to the need to comply with specific regulations applicable to CPC, the establishment and maintenance of commercial relationships with CPC will require specific data processing that will be specified later. In addition, in the same fragment it is indicated that said treatments will be limited to regulatory purposes, without prejudice to the fact that, where authorized by the interested party, they can also be used for other purposes. Regarding the categories of data that, according to the AEPD, are not included in the information provided to data subjects in relation to the categories of data that are the object of treatment, these are effectively included in points 26.3.3 and 26.3.4 of the general conditions. In this way, point 26.3.3 reports on the query to credit information files (among which are those necessary to obtain the “Risk Score”, as will be explained later):
26.3.3 Communication with credit information systems.
The Holder is informed that CaixaBank Payments & Consumer, in the study of the establishment of Commercial Relations, may consult information in credit information systems. Likewise, in the event of non-payment of any of the obligations derived from Commercial Relations, data related to the non-payment may be communicated to these systems.
And point 26.3.4 reports on the query to the Risk Information Center of the Bank of Spain:
26.3.4.
Communication of data to the Risk Information Center of the Bank of Spain
The Holder is informed of the right of CaixaBank Payments & Consumer to obtain reports from the Bank of Spain's Risk Information Center (CIR) on the risks that could be registered, in the study of the establishment of Business Relationships. […]
Therefore, it is not true that, as the AEPD considers, not enough information is provided about the data to be processed for profiling. The information provided to the interested parties should be analyzed as a whole and not only in fragments.
iv. It is not true that data on solvency files are processed for the purposes of profiling for credit rating purposes without legal basis for processing
The Initiation Agreement refers to the provisions of the third section of article 20 of the LOPDGDD to determine that the treatment carried out by CPC of data held in solvency files for profiling for credit rating purposes is done without legal basis for the treatment. This party understands that the reference to the third section of the aforementioned article is due to an error, since it refers to the treatment carried out by the entity that maintains the credit information system and, as specified in the response to the Request for information dated June 2, 2020, the activities carried out by CPC do not include the maintenance of credit information systems. Therefore, the reference to the third section of article 20 of the LOPDGDD would not be adequate in the present case. Notwithstanding the foregoing, this party can answer the possible question that the AEPD may ask about what the legitimizing basis is for processing data held in solvency files for profiling for credit rating purposes.
In this sense, as stated in the response to the Request for information prior to the Initiation Agreement, CPC can perform treatments focused on analyzing the repayment capacity or risk of non-payment of the interested party based on two legal bases for processing, depending on the factual event in question:
- Exclusively compliance with legal obligations applicable to CPC: It would be the case (i) of the analysis of the repayment capacity or risk of non-payment of an interested party in their request for a product, and (ii) of the analysis of the repayment capacity or risk of non-payment in the management of credit risk granted to clients. In these cases, CPC performs an assessment of the repayment capacity or solvency of the interested party in compliance with the Prudential and Solvency and Responsible Loan Regulations, as stated in the response to the Request for information and in this brief.
- Consent of the interested party: It would be the case of the treatments carried out on the basis of the consent of the interested party for the analysis and study of data for commercial purposes. The purpose of these treatments is to offer interested parties products and services tailored to their needs (including the possible allocation of pre-granted credit limits), selecting the target audience before carrying out a certain commercial impact.
However, it is necessary to take into account, as previously stated in this brief, the nature of the products and services marketed by CPC, as well as the regulatory implications that this entails. The fact that certain treatments are carried out based on the consent of the interested party does not exclude that CPC must comply with the legal obligations associated with said treatments.
In the case of the preparation of commercial offers adapted to the profile of the interested parties, CPC must comply with the legal obligations established in the Prudential and Solvency and Responsible Loan Regulations, since the products marketed are credit accounts and loans. In this way, and taking into account that a personalized offer made to a client is binding on CPC (in the sense that, if the client accepts the offer, the services will be provided in the terms previously indicated by CPC), CPC has the obligation, prior to making the offer, to assess the repayment capacity and solvency of the interested party. Otherwise, CPC would be in breach of the Prudential and Solvency and Responsible Loan Regulations. Therefore, even when the treatment is carried out based on the consent of the interested party, CPC must comply with the legal obligations established in the Prudential and Solvency and Responsible Loan Regulations; therefore, when making a personalized offer to an interested party, CPC must assess their repayment capacity and solvency, consulting the data contained in credit information systems.
v. It is not true that the interested party is not informed about the profiling operation relative to the "Risk Score"
It is stated in the Initiation Agreement that CPC does not adequately inform the interested parties about the treatment related to obtaining the data called "Risk Score", considering that obtaining said data constitutes an independent data profiling operation and should therefore also be reported in an independent, specific way. (…). When informing interested parties about the processing of their data, obtaining this specific data is not mentioned since, although it is obtained with the intervention of a processor, it does not differ from the simple analysis and study of data carried out both for regulatory purposes and for commercial purposes.
In this sense, and in terms of the legal basis that allows it to be carried out, it is the same as in the rest of the cases; that is, when it is carried out to assess the repayment capacity or solvency of the interested party exclusively within the framework of their request for a product or of the management of credit granted to clients, the legal basis is compliance with legal obligations applicable to CPC. On the other hand, when it is carried out for commercial purposes, the legal basis of the treatment will be the consent of the interested party, taking into account that, to carry out the treatment of analysis and study of data for commercial purposes, it will also be necessary to observe the prudential and solvency regulations. As for the data used to obtain the "Risk Score", it is the data in credit information systems. Therefore, the interested parties are duly informed about the treatment carried out to obtain the “Risk Score”, by integrating said treatment operation within the analysis and study of data carried out for both regulatory and commercial purposes. According to each of the points previously set out, it can be concluded that the consent given for the profiling purposes analyzed effectively complies with the requirement of separation of purposes and provision of consent for each of them, in addition to being duly informed, so it is valid.
NINTH: In accordance with the provisions of article 77 of the LPACAP, on June 22, 2021, it is agreed to open a period for the practice of evidence, considering reproduced for evidentiary purposes the claim filed, the documentation corresponding to the transfer of the claim to the claimed entity, the appeal for reconsideration presented by the complaining party, as well as the documentation in the investigation file E/10053/2019.
Also, the allegations to the initiation agreement PS/00500/2020 presented by CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. are considered reproduced for evidentiary purposes. It is agreed to incorporate into the file the privacy policy that appears on the website of the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. On the other hand, it is agreed to require said entity to provide the following information and documentation within 10 business days:
- Date of implementation of the new privacy policy and period during which the previous one was in force.
- Copy of the co-responsibility agreement referred to in the new privacy policy and in the allegations to the initiation agreement presented.
- Documents in which information is provided to clients to obtain their consent to carry out treatments for commercial purposes, such as, by way of example, the so-called “general conditions” and, if they have been subject to modifications, the date on which these were produced.
- Contract made with the entity ***COMPANY.3 for the risk score activity.
- CaixaBank Group business volume in 2020.
By means of a diligence of July 2, 2021, a screenshot with the privacy policy of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. listed on its website is incorporated into the file. What is indicated in points 5 and 6.1 of said policy is reproduced below:
"5. Data categories
At CaixaBank Payments & Consumer we will process different personal data in order to manage the Contractual Relationships that you establish with us, to carry out the rest of the data processing that derives from your status as a client and, if you have given us your consent, to also carry out the processing of your data for the activities that are detailed in section 6.1. To facilitate your understanding, we have arranged the data that we process in the categories that are detailed below. Not all the categories of data that we detail are used for all the treatments of data.
In section 6, where we detail the data processing we carry out, you will be able to consult, for each specific treatment, the categories of data that are used, thus having the necessary information that allows you to exercise, if you wish, your rights recognized by the RGPD, especially those of opposition and revocation of consent.
The categories of data used by the different treatments set out in section 6 are the following:
> Data that you have provided us when registering your contracts or during your relationship with us. These data are:
- identification and contact data: your identification document, name and surname, gender, postal, telephone and electronic contact information, residence address, nationality and date of birth, and language of communication.
- socio-economic data: detail of professional or work activity, income or remuneration, family unit or circle, educational level, assets, tax data and tax data.
- financial data: products and services contracted, relationship with the product (condition of owner, authorized or representative), MiFID category.
- biometric data: facial pattern, voice biometrics or fingerprint pattern.
> Data observed in the maintenance of products and services. These data are:
- financial data: the information of the notes and movements made in current accounts, including the type of operation, the issuer, the amount, and the concept, information on investments made and their evolution, information on financing, statements of operations with debit and credit cards, products contracted and payment history.
It is important that you know that we will not process data observed in the maintenance of products and services that may contain information that reveals your ethnic or racial origin, your political views, your religious or philosophical convictions, your union membership, the processing of genetic data, biometric data aimed at uniquely identifying you, data related to your health or data related to your sex life or sexual orientation ("Sensitive Data").
- whether or not you are a CaixaBank shareholder.
- digital data: the data obtained from the communications that we have established between you and us in chats, walls, videoconferences, phone calls or equivalent means and the data obtained from your browsing through our web pages or mobile applications and the navigation you perform on them (device ID, advertising ID, IP address and browsing history), if you have accepted the use of cookies and similar technologies on your browsing devices.
- geographic data: the geolocation data of your mobile device provided for the installation and/or use of our mobile applications, when you have authorized it in the configuration of the application itself.
> Data inferred or deduced by CaixaBank Payments & Consumer from the analysis and treatment of the rest of the data categories. These data are:
- clusters of clients into categories and segments based on their age, assets and estimated income, operations, consumption habits, preferences or propensities to product contracting, demographics and relationship with other customers or categorization according to the regulations on Markets in Financial Instruments (“MiFID”).
- scoring scores that assign probabilities of payment or non-payment or limits of risk.
> Data that you have not provided us directly, obtained from sources accessible to the public, public records or external sources.
These data are:
- financial and credit solvency data obtained from the Asnef and Badexcug files.
- data on risks maintained in the financial system obtained from the database of the Central Bank of Risk Information of the Bank of Spain (CIRBE).
- data of persons or entities that are included in laws, regulations, guidelines, resolutions, programs or restrictive measures regarding economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the United Kingdom and/or the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
- cadastral or statistical data obtained from companies that provide socioeconomic and demographic statistical studies associated with geographic areas or postal codes, not with specific people.
- digital data obtained from your browsing through third-party web pages (device ID, advertising ID, IP address, browsing history), if you have accepted the use of cookies and similar technologies on your browsing devices.
- data from social networks or the internet, that you have made public or that you authorize us to consult."
In point 6 of said privacy policy, under the title "What treatments we carry out with your data”, the following is stated:
"The treatments that we will carry out with your data are diverse, and respond to different purposes and legal bases:
> Treatments based on consent
> Necessary treatments for the execution of the Contractual Relations
> Necessary treatments to comply with regulatory obligations
> Treatments based on the legitimate interest of CaixaBank Payments & Consumer"
Section 6.1 of said privacy policy contemplates the following treatments based on consent:
A. Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you
B. Commercial offer of products and services through the selected channels.
C.
Transfer of data to companies that are not part of the CaixaBank Group
D. Identification of clients and signature of documentation through the use of biometrics.
In point 6.1 of the aforementioned privacy policy, the following is stated:
"TREATMENTS BASED ON CONSENT.
These treatments are legally based on your consent, as established in art. 6.1.a) of the RGPD. We may have requested that consent through different channels, for example, through our electronic channels or in any of the CaixaBank Group companies. If, for any reason, we have never asked for your consent, these treatments will not be applied to you. You can check the authorizations that you have consented to or denied us, and modify your decision at any time and free of charge on the CaixaBank Payments & Consumer website (www.caixabankpc.com) and in each of the companies in the CaixaBank Group, or in your private area of the CaixaBank Payments & Consumer website or mobile applications and at the CaixaBank offices. The treatments based on your consent are indicated below, ordered from (A) to (D). We will indicate for each one of them: the description of the purpose (Purpose), whether or not they are treatments carried out under a co-responsibility regime with other companies of the CaixaBank Group (Joint Controllers / Data Controller), and the categories of data used (Categories of processed data).
A. Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you.
Purpose: The purpose of this data processing is to use the categories of data that we indicate below to develop profiles that allow us to identify you with segments of customers with similar characteristics to yours and suggest products and services that we believe may interest you, as well as establishing the periodicity with which we interact with you.
Through this treatment we will analyze your data to try to deduce your preferences or needs and thus be able to make commercial offers that we believe may have more interest than generic offers. When the offers that we want to transmit to you consist of products that involve the payment of installments or financing, we will carry out a pre-assessment of solvency to calculate the adequate credit limit to be offered, in accordance with the principles of responsibility in the offer of financing products required by the Bank of Spain. It is important that you know that this treatment, including the pre-assessment of solvency in the products with risk, is limited to the indicated purpose of suggesting products and services that we believe may interest you, and it is not used, in any case, to deny any product or service or credit limit. You always have at your disposal our complete catalog of products and services, and this treatment does not prejudge, limit or condition your access to them, which, in the event that you request them, will be evaluated with you in accordance with the ordinary procedures of CaixaBank Payments & Consumer. We will only carry out this treatment of your data if you have given us your consent for it. Your consent will remain in effect as long as you do not withdraw it. If you cancel all your products or services with the CaixaBank Group companies, but forget to withdraw your consent, we will do it automatically.
Categories of data processed: The categories of data that we will process for this purpose, whose content is detailed in section 5, are:
> data that you have provided us
> data observed in the maintenance of products and services, with the exception of sensitive data
> data inferred or deduced by CaixaBank Payments & Consumer.
> data that you have not provided us directly.
Co-responsible for the treatment: The treatment of your data of the indicated categories, with the purpose of analysis for the elaboration of profiles that help us to offer you products that we think may interest you, is carried out under a co-responsibility regime by the following companies of the CaixaBank Group:
> CaixaBank, S.A.
> CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
> CaixaBank Electronic Money, EDE, S.L.
> VidaCaixa, S.A.U., insurance and reinsurance
> Nuevo Micro Bank, S.A.U.
> CaixaBank Equipment Finance, S.A.U.
> Promo Caixa, S.A.U.
> Comercia Global Payments, E.P. S.L.
> Buildingcenter, S.A.U.
> Imagintech S.A.
You will find the list of companies that process your data, as well as the essential aspects of the joint responsibility treatment agreements at: www.caixabank.es/empresasgrupo."
Accessing from said link, the following text can be read:
“In order to carry out the treatments indicated below, CaixaBank and the CaixaBank Group companies will process your data jointly, jointly deciding the objectives (“what the data is used for”) and the means used (“how the data is used”), being, therefore, jointly responsible for these treatments (Co-Responsible Entities).
The treatments for which CaixaBank and the CaixaBank Group companies will process your data together are the following (you can see the detail of the companies of the CaixaBank Group that make up the perimeter of each of the treatments carried out in co-responsibility by clicking on each of the following links):
- Carry out the commercial activities of: (i) analysis of your personal data for the profiling to help us offer you products that we think may interest you; (ii) commercial offer of products and services through the selected channels, and (iii) transfer of data to companies that are not part of the CaixaBank Group;
- Comply with the following regulations applicable to CaixaBank Group companies: (i) the regulations on the prevention of money laundering and financing of terrorism; (ii) regulations on tax matters; (iii) the obligations derived from the policies of sanctions and international financial countermeasures, as well as (iv) the obligations to grant and manage credit operations and the consultation and communication of risks to the Risk Information Center of the Bank of Spain (CIRBE).
- Carry out the analysis of the solvency and repayment capacity of the applicants of products that involve financing.
In accordance with the provisions of the applicable regulations, the Co-Responsible Entities have signed a co-responsibility agreement for certain treatments, the essential elements of which are the following:
(i) That, for certain treatments identified in the Privacy Policy, the Co-Responsible Entities will act in a coordinated or joint manner.
(ii) That they have proceeded to determine the technical and organizational security measures appropriate to ensure a level of security appropriate to the risk inherent to the processing of the personal data object of co-responsibility.
(iii) That they have a single window mechanism for the exercise of the rights of the interested parties, assuming the commitment of the duty of collaboration and assistance in those cases in which it is appropriate.
(iv) That they comply with the obligation to respect the duty of secrecy and keep the due confidentiality of personal data that is processed in the framework of the informed data processing activities.
(v) Regardless of the terms of the joint responsibility agreement, the interested parties may exercise their rights regarding data protection against each of those responsible."
TENTH: In response to the request of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U, the period granted to provide documentation was extended by five business days.
On July 12, 2021, a written response to the opening of the evidence period was received, which indicates that the date of publication of the new privacy policy is January 18, 2021 and that said privacy policy replaces the previous one, which had been in force from July 21, 2019 until January 17, 2021.
Said letter also states the following: “Attached as an Annex to this document is the joint responsibility agreement referenced in the aforementioned privacy policy, as well as in the allegations presented to the Initiation agreement, previously provided during Sanctioning Procedure PS/00477/2019 to CAIXABANK, S.A. (hereinafter, the "Penalty Procedure to CAIXABANK”), and whose essential aspects are published in https://www.caixabank.es/particular/general/tratamiento -de-datosempresas-del-grupo.html.
The aforementioned co-responsibility agreement defines the purposes and means of the treatments, as well as the basic rules to be observed by all the companies that make up these treatments in co-responsibility, and duly reflects the existing agreement regarding the respective responsibilities in terms of data protection referred to in Article 26 of the General Data Protection Regulation (EU) 2016/679; it is pending signature, awaiting the resolution of the request for the application of precautionary measures related to the Sanctioning Procedure against CAIXABANK, which could imply the modification of its content."
Regarding the information provided to the interested parties to obtain their consent, it is stated that “the information provided for the performance of treatments for commercial purposes, previously provided in the response to the Request for information received on February 6, 2020 (hereinafter, the "Information Request").
Although they have been foreseen, no modifications have yet been made to the aforementioned information since its submission in the response to the Request for information, pending the resolution of the request for the application of precautionary measures related to the Sanctioning Procedure to CAIXABANK, which could affect the modifications of the mentioned documentation planned at this time.
This Annex also includes the information provided to interested parties for obtaining their consent to carry out treatments for commercial purposes, when consent is collected from the banking channel (CAIXABANK). This documentation, previously provided in the course of the Penalty Procedure to CAIXABANK, was modified in March 2021, within the framework of the aforementioned actions aimed at the implementation of the new privacy policy.
In relation to the contract with the entity *** EMPRESA.3, it is attached as Annex III, “the contract of services carried out with the entity *** EMPRESA.3, previously provided in the response to the already mentioned Information request. Likewise, it is reported that the aforementioned contract has not undergone modifications since its submission to the Spanish Data Protection Agency.
Finally, regarding the volume of business of the Group or CAIXABANK it is indicated that “as of December 31, 2020 is estimated at twelve thousand one hundred seventy-two million euros. Said information is extracted from pages 248 and 249 (“Annex 6 - Annual bank information”) of the Consolidated Annual Accounts of the CaixaBank Group, available at https://www.caixabank.com/deployedfiles/caixabank_com/Estaticos/PDFs/Accionistasinversore s / In formacion_General / Consolidated_Annual_Accounts_CBK_2020_EN.pd "
It provides as Annex II the following documents:
GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, in whose heading appear the entity CaixaBank Payments & Consumer and the date April 10, 2020. The content of said document coincides with the one sent after the request of the Data Inspection made on February 6, 2020 as Annex 12. This document is structured in various sections, of which number 26 addresses in different subsections various aspects of data processing, such as the different treatments according to their basis of legitimation, the exercise of rights on the part of the interested parties or the period of conservation of the data, among other issues.
Thus, section 26.1 refers to the Treatments of personal data in order to manage the Commercial Relationships; section 26.3 to the processing of personal data with regulatory purposes. This section in turn is divided into various subsections, such as those related to Treatments for the adoption of due diligence measures in the prevention of money laundering and financing of terrorism (26.3.1), treatment for compliance with the management policy of international financial sanctions and countermeasures (26.3.2), communication with credit information systems (26.3.3), communication of data to the Risk Information Center of the Bank of Spain (26.3.4), etc. Section 26.4 refers to the Processing and transfer of data for commercial purposes by CaixaBank and the CaixaBank Group companies based on consent. Sections 26.1 and 26.4 are transcribed in the fifth factual antecedent of the present motion for a resolution.
Framework Agreement, in whose heading CaixaBank appears, and in which section 4.1 indicates that “the person responsible for the processing of your personal data in contractual and business relationships is CaixaBank, S.A., with NIF A08663619 and address at calle Pintor Sorolla, 2-4 Valencia." Adding the following: "Co-responsible for treatment: In addition, for certain treatments that are reported in detail in the aforementioned policy, CaixaBank and the companies of the CaixaBank Group will jointly process your data, jointly deciding the objectives (“what the data is used for”) and the means used (“how the data is used”) being, therefore, jointly responsible for these treatments.
The treatments for which CaixaBank and the CaixaBank Group companies will process your data together are the following: > carry out commercial activities of: (i) analysis of your personal data for the elaboration of profiles that help us to offer you products that we think you may be interested in; (ii) commercial offer of products and services through the selected channels, and (iii) assignment of data to companies that are not part of the CaixaBank Group; (…) You will find the list of companies that process your data, as well as the essential aspects of the treatment agreements in co-responsibility at: www.caixabank.es/empresasgrupo."
In point 4.5 of this document, entitled “What treatments do we carry out with your data”, it points out, regarding the treatments based on consent, the following purposes:
- Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you.
- Make our commercial offer of products and services available to you through selected channels.
- Transfer of data to companies that are not part of the CaixaBank Group so that they make commercial offers of products they sell.
- Identification of clients and signature of documentation through the use of biometrics.
- Application of personal conditions in jointly owned contracts.
This document is not dated. In the information provided in the writing sent to this Agency, it is stated that “This Annex also includes the information provided to the interested parties to obtain their consent to carry out treatments for commercial purposes, when consent is collected from the banking channel (CAIXABANK). This documentation, previously provided in the course of the Sanctioning Procedure to CAIXABANK, was modified in March 2021, within the framework of the mentioned actions aimed at the implementation of the new Privacy Policy."
Screenshots in which the consent of the clients is requested.
- A screenshot on the prescribing channel, which exactly matches the one described for said channel in point 5 of the fifth antecedent of the present motion for resolution.
- Screen capture of new client office (face-to-face onboarding), which states the following: “deliver the tablet to the client so that he can fill out the consents himself”, and screenshots added to the new client Web Portal (digital onboarding). In both modalities, basic information is provided for the client on the processing of personal data, indicating that the responsible for the treatment is: “Caixabank, with NIF A08663619 and address at Pintor Sorolla street, 2-4 Valencia. Co-responsible for the treatment “For certain activities Caixabank, S.A. and the Caixabank Group companies will process your data together. You will find the list of companies that process your data, as well as the essential aspects of the treatment agreements in co-responsibility at www.caixabank.es/empresasgrupo."
Regarding consents, it is indicated in both modalities that “You authorize the companies of the CaixaBank group to: Analyze your data to create profiles to help us offer you products that we think may interest you. If we have your consent, we will configure or design an offer of products and services adjusted to your characteristics as a client, by analyzing your data and profiling with your information." Here are two boxes in which you can check yes or no. In other sections consent is requested to communicate the commercial offer of products and services through the channels that are selected and to transfer the data to companies that are not part of the Caixabank Group with which they have agreements.
Regarding the analysis treatments for profiling, the following information is also provided in both modalities: "These treatments have your consent as a legal basis, as established in article 6.1.a of the General Data Protection Regulation." The information offered in the privacy policy related to this type of treatments regarding the purpose, categories of data processed and joint controllers of the treatment is then reiterated. However, with regard to the data processed, it indicates: "the categories of data that we will process for this purpose, the content of which is detailed in section 5 of our Privacy Policy (www.Caixabank.es/privacy policy), are: data that you have provided to us, data observed in the maintenance of the products and services with the exception of sensitive data, data inferred or deduced by Caixabank, data that you have not provided us directly." None of the screens describes this data.
Co-responsibility agreement. This agreement is not dated or signed. Number 6, regarding its duration, indicates that “This Agreement shall enter into force on the date of its signature and will remain in force indefinitely, without prejudice to the revision and necessary modifications of its terms and content for its adaptation, where appropriate, to current regulations that are applicable in each moment..." This agreement contains the following definition: “Co-responsible for the Treatment or Co-responsible: Means those responsible who jointly determine the objectives, purposes and means of the Treatment detailed in Annex 1."
The aforementioned annex mentions the following treatments object of co-responsibility regarding “commercial activities”:
a) analysis of personal data for the elaboration of profiles that help us to offer products that we believe may be of interest to the customer. Purpose: The purpose of this data processing is to use the categories of data indicated in the CaixaBank Privacy Policy (www.caixabank.com/politicaprivacidad) to create profiles that allow the Co-responsible to identify the customer with customer segments of similar characteristics to be able to offer you products and services that may interest you, as well as to establish the periodicity with which the Joint Controllers relate with the. Legitimating base: The legitimizing base of this treatment is consent granted by the interested parties.
b) Commercial offer of products and services through the selected channels. Purpose: The purpose of this data processing is to make available to the client communications of commercial offers related to products and services of its own or of third parties marketed by CaixaBank and / or the CaixaBank Group entities. Communications will only be sent to the client through the channels that he has previously authorized by giving his consent. Legitimating base: The legitimizing base of this treatment is consent granted by the interested parties.
c) transfer of data to entities that are not part of the CaixaBank Group. Purpose: The purpose of this treatment is to transfer the data of the interested parties to entities that are not part of the CaixaBank Group with which the Joint Controllers have agreements, with the purpose that they make them commercial offers of the products that they market. Legitimating base: The legitimizing base of this treatment is consent granted by the interested parties."
It then lists the co-responsible parties, who would be the following:
- CAIXABANK, S.A
- CAIXABANK PAYMENTS & CONSUMER, E.F.C., E.P., S.A.U.
- CAIXABANK ELECTRONIC MONEY, EDE, S.L
- VIDACAIXA, S.A.U., DE SEGUROS Y REASEGUROS
- NUEVO MICRO BANK, S.A.U
- CAIXABANK EQUIPMENT FINANCE, S.A.U
- PROMO CAIXA, S.A.U.
- COMERCIA GLOBAL PAYMENTS, E.P. S.L.
- BUILDINGCENTER, S.A.U.
- IMAGINTECH, S.A.
In successive annexes other treatments object of co-responsibility are contemplated, whose legitimizing basis is the fulfillment of legal obligations or the execution of contractual relationships.
Contract signed with the entity *** COMPANY.3 for the risk score activity. As indicated in said contract, dated June 2, 2020, the contract signed on May 2, 2017 has been renewed, expanded in turn on May 2, 2019 to incorporate the services that are outlined in Annex I (not attached). The parties to said contract are CAIXABANK and CAIXABANK PAYMENTS & CONSUMER and the entities (…), the latter two being designated jointly as the SUPPLIER.
This document contains two clauses: The first clause of said contract, relating to the modifying, non-extinguishing novation of clause 15 of the contract, replaces the aforementioned clause, with retroactive effect to May 25, 2018, with new elements related to the person in charge of the treatment, in order to adapt the risk score services to the regulatory obligations contained in the LOPDGDD and the RGPD. In the second of the clauses, it is agreed to incorporate into Annex I (annex of services) a clause relating to specific aspects of the processing of personal data of the risk score service. Said clause refers to the description of the treatment, indicating that for the sole purposes of providing the “risk score” service, CAIXABANK and CAIXABANK PAYMENTS & CONSUMER make the following information available to the provider "(...)."
The following treatments by the provider are then listed: exploitation, consultation and destruction; the type of data (DNI (NIE / Passport)) and the categories of affected stakeholders (clients, non-client participants). Regarding the purpose of the treatment, it is indicated that the provider will use the personal data object of treatment solely and exclusively for the fulfillment of ANNEX I, not being able to use them, in any case, for its own purposes. Annex I is not attached.
ELEVENTH: On 08/06/2021, a resolution proposal was issued in the following sense:
FIRST: That the Director of the Spanish Data Protection Agency sanction CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U., with NIF A08980153, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, and classified as very serious for the purposes of prescription in article 73 of the LOPDGDD, with a fine of 3,000,000 euros (three million euros).
SECOND: That the Director of the Spanish Agency for Data Protection proceed to impose on the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U, within the period to be determined, the adoption of the necessary measures to adapt to personal data protection regulations the procedures through which it collects its clients' consent to create profiles with commercial purposes, with the scope expressed in Foundation of Law VII.
TWELFTH: Once the aforementioned resolution proposal had been notified to the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U, on 08/13/2021 a letter was received at this Agency in which an extension of the term to formulate allegations was requested.
Once the extension of the term was granted, on 09/03/2021 written allegations were received at this Agency, requesting the cancellation of the initiation agreement; alternatively, the archiving of the proceedings; and alternatively, in the event that it is considered responsible for the infractions of article 6 of the RGPD, that a warning be agreed or, failing that, that the corresponding sanction be imposed in its minimum degree. It also requests again that, in any case, the consents obtained not be declared null and, if it were the case, that the AEPD order the measures that in its opinion may be adequate to improve compliance with data protection regulations.
It declares its allegations to the initiation agreement reproduced in their entirety and formulates the considerations, also divided into two groups, which are briefly set out below:
A) IN RELATION TO THE NULLITY OF THE ACTIONS
CPC alleges that it cannot share that the connection between the claim initially inadmissible for processing and the Agreement to Initiate this Penalty Procedure is supported by "the request for information about the claimant to a patrimonial solvency file without their consent and the subsequent offer of a financial product, which assumes that the data of said person has been used improperly to carry out a profiling on the basis of which said product was offered". On the one hand, it is stated that it is "assumed" that profiling has been carried out without consent, obviating that, as has already been explained in previous allegations, which are considered reproduced here, once the consent is obtained (therefore, consent is requested) to carry out the customization of the product offering based on customer data analysis (profiling), there exists, in addition, a legal obligation on the part of CPC not to offer financial products that may not be suitable according to the profile of the economic and
financial capacity of the potential recipient of the commercial offer; therefore, before offering them, it must verify aspects of solvency of the potential recipients of these products. For this reason, in the profiling referred to by the AEPD, in which, among others, information on solvency is used, the use of that type of data specifically would have its basis of legality in the fulfillment of a legal obligation by the person in charge of the treatment, although it is framed in a treatment for which the consent of the interested party has previously been requested. In addition, it affirms that relevant information for the defense has been omitted, since in the initiation agreement no reference was made to the fact that the interested party filed an appeal for reconsideration against the inadmissibility of his claim and this was upheld by the AEPD.
2. Regarding the allegation on the alleged breach of article 55.1 of the LPACAP, in connection with article 53 of the LOPDGDD, whereby CPC considers that the data inspection would have exceeded the scope of the phase of previous investigation, it indicates that the AEPD recognizes a new error, in this case apparently one of "transcription", an error impossible for this party to detect or confirm in any way, in such a way that the AEPD, by highlighting its alleged error, deactivates a potential cause of nullity of the administrative procedure, which once again shows the need for information and actions in the framework of a sanctioning procedure to be characterized by precision and rigor in all those circumstances that are relevant.
"The AEPD affirms, in an added justification effort, that as such treatments of "potential customers" do not exist, since in fact CPC has reported it, no investigative actions have been carried out on this type of treatment, diverting attention from what is relevant, not so much the actions actually carried out, but rather those that purportedly wanted to be carried out, exceeding in the inspection activity what was ordered by the Director of the AEPD; another thing is that, by advancing in the investigative actions, it would have been necessary to renounce this objective, since there were no such treatments, which does not diminish in any degree the excess initially raised. We do not know what would have happened if such treatments had existed, but it is reasonable to think that the investigation would have been carried out outside the scope specified by the Director of the AEPD.
3. Regarding the alleged violation of the non bis in idem principle, CPC considers that the same collection of consents for the elaboration of profiles was the subject of investigation and sanction in the sanctioning procedure against CAIXABANK, S.A, number PS/00477/2019, as long as there is identity of subject, fact and foundation, and it cannot accept the arguments of the AEPD, which values the co-responsibility as non-existent for lack of accreditation of the same, since carrying out a processing of personal data based on joint responsibility is a decision belonging to the entities that want to act as joint controllers, except in those assumptions in which such a circumstance is predefined in a standard.
It affirms that it generates extraordinary confusion and insecurity not knowing how to identify what other instruments of accreditation of joint responsibility agreed between some of the CaixaBank Group entities for some personal data processing, for which they have jointly determined ends and means, all collected in the agreement and policies, should be provided in the opinion of the AEPD, and even more we are surprised that the burden of proof is reversed on this issue, as it should be the AEPD that provides evidence or proof that there is no co-responsibility in the treatment object of the Sanctioning Procedure, since CPC has provided solid and more than sufficient evidence that indeed there is such co-responsibility.
Article 26 of the RGPD is very clear about it; the existence of co-responsibility is based on a mutual agreement of two or more data controllers on their respective responsibilities so that a specific treatment complies with the Regulation, and this agreement must obey the factual reality of the treatments, insofar as such managers jointly determine the objectives and means of the treatment; therefore, we are facing a decision that, in general, two or more data controllers may or may not adopt, so that such decision cannot be discretionally questioned by third parties as long as there is a requirement that such managers have determined jointly the objectives and the means of treatment, as is the case of the Treatment object of the Proposal for Resolution.
And the confusion increases when, as an argument to refute the violation of the principle non bis in idem, the AEPD refers to the fact that in the case of co-responsibility, that is, it has gone from "not being accredited but, in the judgment of this Agency, its existence is not even admissible in the present case", to assess how it would act if it existed, arguing that several co-responsible parties could be punished for the same facts considering that the responsibility does not have to apply to a single subject, the latter a question with which we can agree but which, evidently, if this is the case, should have been processed in the same procedure or, at least, taking into account the responsibility quota when graduating the corresponding sanction, and therefore calculating the sanction based on such co-responsibility, a question that we are not aware has been taken into account, or perhaps yes, since the duality of arguments, a priori contradictory, used by the AEPD leads us to not know if the violation of the non bis in idem principle does not exist because there is no co-responsibility or because the AEPD has considered that there is co-responsibility and has chosen to sanction according to the part of the treatment carried out by each co-responsible; undoubtedly a clearer statement by the AEPD would reduce the degree of defenselessness that the procedure processed by the AEPD as a whole generates for CPC.
4. 
Regarding the allegation about the arbitrary action of the AEPD in this procedure, none of the explanations and justifications developed by the AEPD are convincing, since the discriminatory treatment with respect to similar procedures, and we cannot admit that the AEPD resorts to an obvious and simple generic reference to having applied the elements established in article 83 of the RGPD and article 76.2 of the LOPDGDD, explaining that they are listed in the motion for a resolution itself, thus responding to a part of the allegation, without having assessed the examples of specific procedures that CPC transferred in its allegations to the Initiation Agreement, without giving explanation about "resolutions of sanctioning procedures of the AEPD in which the person responsible for the treatment for infringement of article 6 RGPD (vid, PPSS 00235/2019, 00182/2019, 00415/2019) and that, taking into account the condition of a large company and volume of business, among others, the sanctions are not even close to the economic level of the proposed sanction contained in this Initiation Agreement, since they are penalties that have ranged between € 60,000 and € 120,000".
It alleges that, as evidence of this differential treatment, it will focus on the "Plan of ex officio inspection on distance contracting in operators of telecommunications and energy marketers", whose results report was published by the AEPD on October 29, 2020; available at the following link https://www.aepd.es/es/prensa-y-comunicacion/notas-deprensa/aepd-publica- results-audit-contracting-telecommunications-energy. According to CPC, it is surprising, to say the least, that they opted for the preventive instrument of audit plans precisely for the telecommunications sector.
The Annual Report of the Spanish Data Protection Agency includes a table prepared by the AEPD in which the 10 areas of activity with the highest number of claims received in 2019 and their comparison with 2018 are shown.
The information on the number of claims included in the aforementioned table of data indicates that in both areas of activity the claims represent the same percentage, each of them 4% of the total claims (for 2019), and, if we take into account the absolute data, the claims in relation to "Financial entities / creditors" were in 2018 a total of 576, being for the "Telecommunications" sector in the same period 451 complaints. And, in the case of 2019, the claims presented were 464 in relation to “Financial entities / creditors" and 424 for the "Telecommunications" sector, that is, an incidence of claims practically the same, but surprisingly, in one case it was chosen to adopt a preventive measure ("Telecommunications"), and in another a punitive measure ("Financial institutions / creditors"), which results in an obvious unequal treatment, which is not justified, and which also has not been motivated by the AEPD.
Quite the contrary, rightly the Director of the AEPD herself, in public statements, has come to equate both sectors in terms of claims received by the Agency, specifically in an interview published by "La Voz de Galicia", of February 9, 2020, available at https://www.lavozdegalicia.es/noticia/sociedad/2020/02/08/mar-espana-habra- important sanctions-infringe-data-protection / 00031581176394099239215.htm, in which, when asked which sectors received the most complaints, the Director replied that: "There are many complaints from telecommunications, not because it is where the data processing is worst, but because it is one of the sectors where the consumer is most used to filing claims, and also from financial institutions"; therefore, the unequal treatment of both sectors is even less understandable, for "Telecommunications" ordering preventive measures, and for the "Financial institutions / creditors" acting with punitive measures, when in the opinion of the Director of
the AEPD they are equivalent sectors from the perspective of data protection claims received at the Agency.
5. With regard to the alleged violation of the fundamental right to presumption of innocence, CPC reiterates the allegations made to the initiation agreement of the present sanctioning procedure, adding that “regarding the suggestion that is made to us in the Proposal for Resolution that the lack of impartiality of the administrative body alleged by CPC should have been accompanied by a formal challenge of the Director of the AEPD, the truth is that CPC already assessed at the time that the abstention assumptions of article 23.2 of Law 40/2015 did not concur and, consequently, it was not proposed to request the challenge suggested in the Proposal for a Resolution, which does not invalidate that we consider that rationally there are indications of arbitrariness and defenselessness in that the aforementioned resolutions of other procedures, including the Resolution Proposal, seek notoriety and media impact, not said by us, but by the Director of the AEPD herself in the media, and if these are not true statements, perhaps the Agency should have taken action against such media; indeed, the regulation provides for assessed causes of abstention, which allow a challenge to be formally raised, but the fact that such assumptions do not concur does not prevent arbitrary actions or defenselessness, or even deviation of power, for example where notoriety is sought, especially when the mandate of the current Director of the AEPD has been over since July 27, 2019."
6. 
Regarding the alleged artificial and unlawful extension of the previous actions, it reiterates the allegations made to the agreement to initiate the sanctioning procedure and affirms that the Initiation Agreement rests, practically in its entirety, on incriminating evidence collected during the phase of previous actions, which did not serve the purpose attributed to them by the legal system, as will be explained further on, so that in fact, and not in law, investigative acts were being carried out beyond the simple search for evidence to initiate a sanctioning procedure, until their expiry; that is to say, evidently, as the instructor mentions in the Resolution Proposal, there was no initiation agreement on which such investigation could rest, and therefore, these previous actions being contrary to law by their content (and that is precisely what we complain of), actions were brought forward that could not yet be carried out.

Especially striking in this case is the time that elapsed between the decision not to admit the claim for processing and the request for prior information, that is, more than a year, without taking into account the aforementioned lack of information regarding the appeal for reconsideration against the inadmissibility, which was upheld by the AEPD without this party having knowledge of it; or the extension of the period of previous investigative actions for a period of 14 months, albeit taking into account the impact of the pandemic.

The Supreme Court itself, in its Judgment of May 6, 2015, establishes the following: this Chamber has declared that the period prior to the initiation agreement "(...) must necessarily be brief and must not conceal an artificial way of carrying out acts of investigation and of masking and reducing the duration of the subsequent file itself" (judgment of 6 May 2015, appeal 3438/2012, F.
J 29); this is what we mean when we use the expression "artificial extension" of the previous actions, in which investigative acts were in fact carried out relating to the events that are the subject of the Proposal for Resolution.

B. IN RELATION TO THE ALLEGED INFRINGEMENT COMMITTED BY CPC

The AEPD affirms that the information provided to data subjects to obtain consent "is incomplete and insufficient", identifying a series of deficiencies in that information in relation to the processing operations whose purpose is "the offer and design of products and services adjusted to the profile of the client". Thus, with respect to the processing operation that involves carrying out "proactively, risk analysis and apply statistical and technical data on customer segmentation", it is said that it is not indicated (i) what type of profile is going to be created, or (ii) the purpose of the profiling. Regarding "monitoring the products and services contracted", the AEPD observes the same deficiency, that is, "the purpose or type of profile to be elaborated"; and regarding the operations to "adjust recovery measures on defaults and incidents derived from products and services contracted", it initially identifies as a deficiency only the fact that "it is not indicated what type of profile is going to be carried out", since the AEPD expressly states that "the purpose of the profile is indicated".

In relation to the lack of information on the type of profile, we must express our surprise that the AEPD raises such a lack of information, since neither the guidelines of the CEPD nor the other documents of the AEPD itself that were consulted specify that such information on the "type of profile" should be provided; in addition, it is worth mentioning that these documents do not define or specify what list or catalog of types or categories of profiles should be used to indicate that a specific "type of profile" is to be developed, nor is it argued that this will serve
to give the data subject information that is relevant for deciding whether or not to authorize the processing.

It is clear that all the profiles that can be developed in the context of the relationship of a client with a bank or financial entity will be related to that exercise. Therefore, there are no different "types of profile" to create, since they are all related to the relationship established between the entity and the client; perhaps the AEPD, when referring to "type of profile" (we insist that it is a concept not used in the CEPD guidelines or in the AEPD documents), means to refer to the "type of evaluation or judgment about a person", which in any case leads us, on this assumption, to the same answer: it will be a profile derived from the relationship between the entity and the data subject.

Different would be the case of a company whose main activity is to create profiles, where perhaps a distinction between types of profiles would have a place, but this is not the case of CPC, whose main activities derive from its corporate purpose, of which the creation of profiles is not a general or main activity but rather an instrumental and accessory one in the framework of its business activities.

In the Guidelines on Transparency under Regulation (EU) 2016/679 (WP260 rev.
01), the information to be provided on profiling is addressed by reference to the provisions of the RGPD; that is, it is required to provide information on the use of profiles, as well as "meaningful information on the underlying logic and the notable and anticipated consequences of the processing for the data subject", such a statement being based on part of the content of recital 60: "the data subject must also be informed of the existence of the profiling and the consequences of such profiling". In any case, WP260 refers to the aforementioned "Guidelines on automated individual decisions and profiling", in order to "obtain additional guidance on how to implement transparency in the specific circumstances of profiling".

We must add that the annex to WP260 identifies the type of information that must be provided to data subjects, depending on various circumstances that may arise in the processing of personal data; thus, it is worth mentioning that the first column does not refer to "profile type" as information to be provided to data subjects, referring exclusively to the "existence of automated decisions, including profiling, and, where appropriate, meaningful information about the applied logic, as well as the importance and expected consequences of said processing for the data subject", and referring, in its comments, to the Guidelines on automated individual decisions and profiling.

Therefore, the Guidelines on Transparency under Regulation (EU) 2016/679 do not identify the type of profile as information that must mandatorily be provided to data subjects, nor do they propose it as guidance or as a good practice; no mention is therefore made of this type of information as a means of complying with the principle of transparency of the GDPR. The CEPD does not consider it necessary to provide the information that the AEPD now requires in its Proposal for Resolution.
In the Guidelines on Automated Individual Decisions and Profiling for the purposes of Regulation 2016/679 (WP251rev.01), where the general provisions on profiling and automated decisions are set out, the section dedicated to the principle of lawfulness, fairness and transparency states, with regard to transparency, that the "Guidelines on transparency of the Article 29 Working Group" deal with transparency in more detail; it therefore makes a general reference to the document analyzed in the previous section of our allegations.

The CEPD affirms that "people have different levels of understanding and may find it difficult to understand the complex techniques of profiling and automated decisions"; that is, the CEPD advocates information free of complexities, alluding to the provisions of article 12.1 of the RGPD: "the data controller must provide data subjects with concise, transparent, intelligible and easily accessible information on the processing of their personal data", and it delves into this question when, alluding to a guide from the Office of the Australian Information Commissioner, it states that: "Confidentiality statements should communicate information handling practices clearly and simply, but also comprehensively and with sufficient specificity to be meaningful." The conclusion is that information must be provided in a "clear and simple" way; more information does not necessarily mean more transparency, and this must be balanced with being comprehensive and providing exclusively the detail of what is really significant, thereby avoiding the well-known "information fatigue", for which the use of layers of information, and of different moments at which information can be given with greater or lesser exhaustiveness and detail, must be taken into account, as we will analyze later.
In this sense, the aforementioned guide from the Australian Information Commissioner also affirms that "the very technology that allows a greater collection of personal information also provides the opportunity to prepare more dynamic, multi-layered and user-centric confidentiality statements." This last element has been a common denominator in the information that CPC and the CaixaBank Group have provided to their clients in relation to the processing of their personal data, and one which now, with the aforementioned resolutions, the AEPD has clearly called into question, advocating an information model for data subjects in which only completeness and detail (useful or not) are taken into account, where it is not clear where the level of understanding of the information provided must be set, and expecting it to adapt to the understanding of the AEPD itself rather than to that of the people who must actually receive that information. Let us remember that the CEPD expressly states that "people have different levels of understanding and may find it difficult to understand the complex techniques of profiling".

The guidelines that we are analyzing, with regard to the situations in which data controllers "intend to rely on consent as a basis for profiling", say that the controller must demonstrate "that data subjects understand exactly what they are consenting to." In this regard, the CaixaBank Group has proactively verified this understanding through studies that have involved clients. Moreover, the CaixaBank Group has not received complaints from data subjects evidencing that the information provided to them in the different information layers has generated significant doubts; this question is not even part of the claim that gives rise to the Proposal for Resolution.
It should further be added that, in this matter, the AEPD is reversing the burden of proof, since it does not provide any indication or evidence that the information provided is not understandable; remember that the CEPD believes that "data subjects must have sufficient information on the use and the intended consequences of the processing to ensure that any consent they give constitutes an informed choice." This party wishes to emphasize that the CEPD refers to "sufficient information" (not exhaustive information that would cause people not to read the information notices), and that such information should be about "use and consequences"; the CEPD does not mention the "type of profile" now required by the AEPD, which considers that not reporting this information is a deficiency that has partially led it to conclude that the consent obtained by CPC is not valid.

Referring to the "right to be informed," the CEPD insists that "data controllers must ensure that they explain to people, clearly and simply, how profiling works"; it thus steers away from complicated and extensive explanations, adding that what is relevant is that it is clear "to the user the fact that the processing is for the purposes of both a) profiling and b) adoption of a decision based on the profile generated." Let us remember that, as has been shown, CPC informs data subjects both that profiles are being created and of the decision made based on them, which relates exclusively to the sending of commercial offers.
And, in relation to other types of information that must be provided to data subjects, it is very relevant to mention the reference made by the CEPD in these guidelines to the right of access (article 15 of the RGPD), so that, as it rightly expresses, "Article 15 offers the data subject the right to obtain details of any personal data used for profiling, including the categories of data used to create a profile", adding that, in addition to the general information, "the data controller has the duty to make available the data used as input data to create profiles, as well as to facilitate access to the information about the profile and details about the segments to which the data subject has been assigned" (perhaps by "type of profile" the AEPD refers to the "segments assigned to the client"); that is, in no case is the informational detail required by the AEPD part of the information obligations of articles 13 and 14; rather, such exhaustive information must in any case be provided when the data subject has exercised the right of access recognized by article 15 of the RGPD, and it is here where the AEPD is confused, by requiring that the different layers of information made available to all customers include types of information that reason and common sense indicate should only be made available to customers as a result of a request under the right of access in relation to processing that includes the use of profiles.

In addition, the CEPD itself establishes limits to the scope of the information that must be provided in connection with profiling when it states that "Recital 63 provides some protection for data controllers affected by the disclosure of trade secrets or intellectual property, which may be especially relevant in relation to profiling." Indeed, recital 63 establishes that the right of access "should not negatively affect the rights and freedoms of third parties, including commercial secrets or intellectual property and, in particular, the intellectual property rights that protect computer programs". By extension, we interpret that such protection extends to the algorithms used for profiling, which include, among other things, the specific data that is used; this does not hinder the provision of information on the categories of data used, but not necessarily the exhaustive detail of such data or of how it is used, and it is not necessary to report on the result of applying the aforementioned algorithms or information analysis techniques, which could even be protected by Law 1/2019, of February 20, on Business Secrets, but rather on the consequences that it can have for data subjects; that is, the Regulation as a whole advocates a balanced model in terms of the information to be provided in relation to profiling, taking into account both the rights and freedoms of the people whose data are processed and the rights of data controllers over certain information that could constitute business secrets of a general nature and, in particular, the commercial secrets referred to in the RGPD itself.

Annex I of the Guidelines on automated individual decisions and profiling includes some good practice recommendations; we emphasize that these are recommendations from a set of good practices that should not be construed as mandatory or binding but rather, as expressly stated at the beginning of the aforementioned annex: "The following good practice recommendations will help data controllers to comply with the requirements of the provisions of the GDPR on profiling and automated decisions"; that is, these are good practices whose purpose is "to help" to comply with the provisions of the RGPD but which in no case constitute obligations for data controllers.

The good practices recommended by the CEPD regarding the right to information propose that, in addition to taking into account in general what is envisaged in WP260 (transparency guidelines), when the processing of personal data involves automated individual decisions or profiling, the data controller must offer meaningful information on the logic applied, so that the CEPD recommends that "instead of offering a complex mathematical explanation of how algorithms or machine learning work, the data controller should consider using clear and comprehensive ways to provide information to the data subject, for example:" (and here we add that these are exclusively guidelines, since they are just some examples): the categories of data that have been or will be used in the preparation of profiles or the decision-making process (and here we add that this does not refer to the detail of all the data that will be used); the reasons why these categories are considered relevant; how the profiles used in the automated decision-making process are built, including the statistics used in the analysis; why this profile is relevant to the automated decision-making process; and how it is used for a decision regarding the data subject.

It must be taken into account that these recommendations do not apply in their entirety to the processing affected by this Penalty Procedure, since the object of the Proposed Resolution refers exclusively to the creation of profiles, not including decision-making based solely on processing
by automated means that may produce legal effects on CPC's clients or similarly significantly affect them, since the purpose of the profiling is none other than selecting customers to whom offers of products and services are directed, and is therefore a purely commercial purpose; in any case, the fact that a client is not included in a commercial campaign does not, of course, imply that the client is automatically excluded from the possibility of contracting or using the products or services offered by CPC to some of its clients, since the client always has the option of contacting CPC to express interest in or request the service or product of interest.

As can easily be deduced from the information that the CEPD recommends be provided to data subjects, no mention is made anywhere of informing about the "type of profile", which the AEPD claims CPC should mandatorily have reported, without forgetting that, in any case, we are dealing with good practice recommendations.

Regarding the "Guidelines 5/2020 on consent in the sense of the Regulation (EU) 2016/679", it notes that the CEPD "opines" (once again the scope of the guidelines as recommendations and criteria to assist compliance is confirmed) that at least the following information is required to obtain valid consent: i. the identity of the data controller, ii. the purpose of each of the processing operations for which consent is requested, iii. what (type of) data is to be collected and used, iv. the existence of the right to withdraw consent, v. information on the use of data for automated decisions, in accordance with Article 22 (2) (c), where relevant, and vi.
information on the possible risks of data transfers due to the absence of an adequacy decision and of adequate guarantees, as described in article 46. Here we do not find any reference to the "type of profile" referred to by the AEPD in the Resolution Proposal as a deficiency of the information provided by CPC to its clients.

Finally, it states that it has analyzed documents published by the AEPD in relation to processing that involves the use of artificial intelligence, which include references to the use of such techniques for profiling, and the result has been that neither in the document dedicated to the "Adequacy to the RGPD of treatments that incorporate Artificial Intelligence" (February 2020), nor in the "Requirements for Audits of Treatments that include AI", can information be found on the types of profiles that could be created, nor is it stated, when addressing issues related to the information to be provided to data subjects, that the "type of profile" is a matter on which data subjects should be specifically informed.

Therefore, with regard to the aforementioned lack of information on the "type of profile", we cannot agree that it is an informational deficiency that may have legal effects, since it is not required to provide such information in relation to the right to information, without prejudice to the fact that such information could be provided on the basis of the right of access, which is not the case that is the subject of the Proposal for Resolution.
To all this must be added that there is no classification or catalog of types of profiles to apply, so that different controllers could refer to the same profile in different ways, creating still more confusion among data subjects; therefore, the absence of such information cannot be considered an information deficiency that leads to the conclusion that the information provided by CPC is incomplete and insufficient and, consequently, such a circumstance cannot be used as a basis for declaring an infringement, nor the unlawfulness of the consents.

Continuing with the processing operations whose purpose is the "analysis, study and follow-up for the offer and design of products and services adjusted to the client", the AEPD states that the purpose is not indicated for the processing under letters a) and b) of number 1 (according to the structure used in the "GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT"). Nor can we share such a conclusion, since the main purpose is reported, which is none other than the "analysis, study and monitoring for the offer and design of products and services adjusted to the profile of the client", together with a grouping of processing operations that are carried out to analyze risks and segment clients based on their personal data, in order to "study products or services that can be adjusted" to the profile of CPC's clients and their specific commercial or credit situation, for the purposes of "making commercial offers", and to "track the products and services contracted".

The AEPD, in its guide "Risk management and impact assessment in treatment of personal data" (June 2021), affirms that, when determining precisely the purposes of a personal data processing operation, it is possible to confuse the "ultimate purpose of the processing" with measures or processes (processing operations) that are carried out instrumentally to achieve the purpose pursued by the data controller.
The ultimate purpose of the processing that is the subject of the Proposal for Resolution is none other than the "analysis, study and monitoring for the offer and design of products and services adjusted to the client", so that, to achieve this purpose, CPC has decided jointly, within the framework of co-responsibility for the aforementioned processing, to carry out various processing operations to achieve some intermediate objectives or, where appropriate, has used what are nonetheless instrumental means for achieving the ultimate purpose of the processing.

As a whole, CPC specifies and reports both the main purpose pursued and everything that the use of its clients' personal data to achieve this end entails, in sufficient detail to be understood by clients, without causing them the typical information fatigue due to an excess of information with no real relevance to authorizing the use of their personal data.

There is no doubt that, as a result of the information that CPC provides to its customers, they know that their data will be used to offer them CPC products based on their profile. We do not understand what doubts arise from the way in which they have been informed about the purpose; nor has the AEPD conveyed clearly what is not understood or what could cause confusion to CPC's customers in relation to the use to be made of their data if they consent to it. Clients know that in order for CPC to send them commercial offers, always with prior consent, a profile will be created with their personal data, which includes assessing their risks, so that the product offering is appropriate for their financial capacity, which also implies that CPC takes into account the characteristics of the products and services they have already contracted (follow-up and incidents).
Of course, any process that involves conveying information to a third party, in this case clients, can be improved, both in the wording itself and in the techniques used to inform in the clearest and most efficient way possible; but to conclude from this that the set of information that CPC provides to its clients suffers from deficiencies of such magnitude that the information is incomplete and insufficient involves an extraordinary margin of discretion on the part of the Agency, especially when it has not demonstrated, in any case, that the information on the purpose of the processing is incomplete or insufficient, limiting itself to saying that it is, without further argument, or at least without grounding its arguments in law, as has been shown in these allegations, demanding informative content in relation to transparency and the right to information that neither the RGPD nor the LOPDGDD requires, and that is not even included in the recommendations of the CEPD.

Therefore, the information that CPC has provided to its customers in relation to the processing for "analysis, study and follow-up for the offer and product design" complies with the obligations of transparency and information provided for in the regulation, being complete and sufficient for customers to be aware of what use will be made of their personal data, as has been shown in the preceding allegations, although, as already alleged in response to the Initiation Agreement, in the CaixaBank Group's new "Privacy Policy", under the heading "A. Analysis of your data for profiling to help us offer you products that we think may be of interest to you.", improvements were incorporated in relation to the information provided to data subjects, precisely as a result of the impact that the AEPD is having by exercising its sanctioning power over the CaixaBank Group.
Regarding the rest of the processing operations carried out for the "analysis, study and monitoring for the offer and design of products and services adjusted to the client's profile" (letters b, c, d and e), the AEPD maintains that the categories of data used are not reported. In the initiation agreement the AEPD maintains that the data subject cannot know which data will be processed for profiling, since the information provided includes data that will not be subject to such processing while, according to the AEPD, the data subject is not informed of the processing of other data that will be subject to it.

It reiterates here the allegations made to the initiation agreement: that the categories of data processed are not among the minimum information described in Article 13 of the RGPD for consent to be informed and that, despite it not being mandatory to report them, the information provided as a whole does allow the data to be processed for profiling to be known.

The AEPD, in relation to the configuration of the mechanism for giving consent, states that "it has not been provided that the data subject may express his or her choice on all the purposes for which the data is processed. Section (i) speaks of processing for "the offer and design of products and services adjusted to the profile of client", when this in itself already comprises three different purposes"; in this regard, we refer to what has already been said regarding the ultimate purpose of the processing and the necessary distinction, according to the opinion of the AEPD, with respect to the different operations or processes that are carried out instrumentally or as intermediate objectives.
As we already argued at the time, "consent is only requested for the purpose of studying products or services that could be adjusted to the profile or specific commercial or credit situation of customers in order to send them commercial offers tailored to their needs and preferences."

To what has already been alleged in relation to obtaining consent in the brief of response to the Initiation Agreement, and the confusion arising from an error in the information clause, we want to add that such a circumstance does not reflect, in any case, an intention to hide information or confuse CPC's clients, or any other intention on CPC's part to breach its data protection obligations, so that the necessary requirement of culpability for imposing an administrative sanction is not met since, as the AEPD well knows, the case-law criterion is that any sanction imposed irrespective of culpable or negligent conduct must be ruled out; we therefore want to make clear that in no case has CPC sought to misinform, conceal or generate confusion among its clients, and we consider that such consequences have not occurred, since no claims have been made by its clients in this regard; the entire Sanctioning Procedure starts from a discretionary assessment by the AEPD, neither substantiated nor proven, that the information provided in relation to the processing is not sufficient or clear, from which an uninformed obtaining of consent would follow, an opinion that we cannot share, and that our clients have not formally raised, not even in the claim that gave rise to this Penalty Procedure.

The AEPD refers in its Resolution Proposal to the changes introduced in the CaixaBank Group Privacy Policy which, among other things, adapt the information about the processing to the requirements of the AEPD and seek to improve the information provided to CPC customers.
These changes do not satisfy the AEPD either; it states that they do not meet the requirements imposed by data protection regulations, in particular with regard to the processing based on consent, identified as "analysis of your data for the elaboration of profiles that help us to offer you products that we believe may interest you", which corresponds to the processing that is the subject of the Proposal for Resolution.

To reach the above conclusion, the AEPD has limited itself to analyzing one paragraph of the new Privacy Policy, specifically the following: "Through this processing we will analyze your data to try to deduce your preferences or needs and thus be able to make you commercial offers that we believe may be of more interest than generic offers", of which it states that it only contains generic expressions that "do not identify what type of preferences or needs it refers to" "or what type of offers it can give rise to", "without, on the other hand, informing of the type of profile that is going to be created".

It is simply unheard of that such informational content is required. With respect to the "type of profile", we have already said enough to show that it is not information that CPC is obliged to provide to meet the requirements of the data protection regulations and that, in addition, it does not even form part of the recommendations made by the CEPD.

As the AEPD must know, profiling is nonetheless a dynamic activity in terms of the results it can give. In this case, the "needs and preferences" can change, depending on many environment variables.
Of course, despite this, it is more than reasonable to think that these are, in any case, needs and preferences related to the products and services offered by CPC, which are perfectly delimited in its portfolio of products and services and in the company's own corporate purpose, and which are known by its customers, since they are advertised by different means. Consequently, it does not seem that detailing such "needs and preferences" can contribute anything relevant to CPC clients within the framework of a Privacy Policy, as long as they are aware of what CPC's business activity is, as well as the products and services it can offer. In any case, the AEPD does not provide any legal basis to demand such specification, since it does not refer to the legal precept or recommendation that allows it to conclude that such "needs and preferences" should be detailed, which, we insist, can be deduced in general terms from the relationship that CPC establishes with its clients.

The same happens with the supposed information deficiency regarding the "type of offers" that can be made to customers, which evidently will change in terms of the type of offer and content, but which, as it cannot be otherwise, will always be related to CPC's business activity. In this section, once again, the conclusion of the AEPD is absolutely discretionary since it does not refer to the legal precept or to the recommendation that allows it to conclude that the "types of offers" should be detailed, which will obviously be commercial offers regarding the products and services of CPC, something that is so obvious to CPC clients that it causes a lot of surprise that the AEPD cannot understand it and chooses to ask for a detail that would only add changing and unnecessary information in the framework of a Privacy Policy.
A different question would be that, upon a right of access request or even a consultation to CPC by its clients, more detailed information can be provided at any time, adapted to the reality of the moment in which such request for information is made. To all this it should be added that it is surprising that the AEPD has based its analysis exclusively on one paragraph of the aforementioned policy; maybe with a comprehensive and systematic reading it could improve its perception of the contents of the new Policy of the CaixaBank Group, which undoubtedly complies with the requirements imposed by data protection regulations on transparency and information. Therefore, we cannot agree that, in the words of the AEPD, the new Privacy Policy "does not meet the requirements imposed by the regulations of Data Protection".

We must state that, without prejudice to the negative assessment made by the AEPD of the Privacy Policy based on the analysis of a single paragraph thereof, it in addition refers to the fact that such a policy is not enough to consider as corrected the deficiencies observed in the Initiation Agreement, based on the fact that the "GENERAL CONDITIONS OF THE CREDIT AGREEMENT APPLICATION" do not reflect such changes, ignoring the difficulties that such changes may pose in complex organizations such as CPC, which must analyze and assess meticulously the time and manner in which to make the appropriate modifications, in particular when they affect the relationship with its clients, and which have an impact on both information systems and operating procedures of the organization, and even on compliance with other regulations that affect its business activity. In this sense, it should be added that CPC is designing the necessary adaptations derived from the new Privacy Policy of the CaixaBank Group.
In addition, the aggravating factor is that the AEPD completely forgets that there is already a sanctioning procedure followed against CaixaBank, which affects this particular treatment (to the extent that it has been alleged that there is a violation of the non bis in idem principle), since it is carried out under co-responsibility, which implies that changes must be coordinated with all the joint controllers since it is a data processing configured and determined jointly, in particular in terms of its ends and means.

Regarding the communication of data to the group companies, we must point out that the AEPD should update the formulas it uses in its writings, in particular those related to the resolutions, since it affirms that such communication of data to group companies, as it is a purpose in itself, and it says verbatim, "requires a manifestation of the will of the interested party by which he consents that it can be carried out"; so that for the AEPD consent is still the only basis of legality that covers a communication of data to third parties, when it is well known that the GDPR does not establish the consent of the interested party as the only legal basis for the communication of data to third parties, it being possible to use, as long as it is appropriate, any of the conditions of legality provided in article 6 of the GDPR, and therefore not only consent; once again there is a lack of rigor on the part of the AEPD in this Sanctioning Procedure, when in this matter it is relying on the provisions of article 11.1 of Organic Law 15/1999, of December 13, on the Protection of Personal Data, which provided that: "The personal data object of the treatment may only be communicated to a third party for the fulfillment of purposes directly related to the legitimate functions of the transferor and the transferee with the prior consent of the interested party."

Having said the foregoing, we reiterate what has already been alleged in that there is no communication of data to third parties as long as there is a co-responsibility regime between various CaixaBank Group companies, which is based precisely on factual elements for which formal measures are now being taken; hence it is out of place and irrelevant to refer to the fact that the co-responsibility agreement provided does not have a date and signature, since it is a subsequent action to formalize a factual situation, which is also linked to regulatory requirements, as has already been alleged. Although it has been included in the Proposal for a Resolution, we also transfer here the reminder of Guidelines 7/2020 on data controller and processor in the GDPR, in which the EDPB considers that: "The evaluation of joint responsibility should be carried out on the basis of a factual, rather than a formal, analysis of the real influence on the purposes and means of the treatment. All existing or planned provisions should be verified taking into account the factual circumstances relating to the relationship between the parties", to which it adds that a merely formal criterion would not be enough. It is surprising that the first assessment of the AEPD to rule that there is no co-responsibility is to say "that the agreement of co-responsibility provided lacks date and signature and, consequently, any validity", the AEPD therefore prioritizing the formal element and separating itself from the opinion of the European data protection authorities, despite the fact that the AEPD is part of the EDPB.
Certainly the EDPB, for the sake of legal certainty and in order to guarantee transparency and accountability, since the GDPR does not specify the form that the co-responsibility agreement must take, recommends that such an agreement be formalized by means of a binding instrument, which seems to us a good recommendation (remember that the guidelines do not impose legal obligations); this is why the CaixaBank Group and, consequently, CPC as part of it, has drawn up an agreement for this purpose, following such a recommendation which, in no case, assumes that the co-responsibility regime does not exist due to the fact that it is not signed, as stated by the AEPD.

Additionally, and taking into account that the existence of co-responsibility does not depend on such a signature, as the EDPB believes, it is consistent with the situation that it has not yet been signed, while the existence of such co-responsibility is being questioned by the AEPD (although it has not provided any evidence of this, other than its opinion), as well as timely and legitimate that the signature of the same depends on how the sanctioning procedure against CaixaBank is finally resolved, now already on the jurisdictional track, which affects the same processing of personal data object of the Proposed Resolution that is the origin of this brief of allegations by CPC and that is carried out based on a co-responsibility that, in the opinion of the AEPD, does not exist. In the first part of this writing, allegations and statements have already been made to the effect that the treatment object of the Proposal for Resolution is carried out under a co-responsibility regime, so the alleged communication of data to third parties that the AEPD raises does not exist; therefore, no infraction can be declared in this regard.
As we said, we refer to the allegations made in this and previous writings, showing that the AEPD has limited itself to denying that such co-responsibility exists, without providing any element, either factual or legal, that supports such a claim, reversing onto CPC and the CaixaBank Group the burden of proof that there is co-responsibility, when it should be the AEPD who provides evidence on the non-existence of such co-responsibility. Consequently, we cannot agree that the co-responsibility regime that affects the treatment object of the Proposed Resolution does not exist for the mere fact that it has not yet been signed. There are numerous factual elements presented, both by CPC and CaixaBank, which show that the treatment of profiling of clients to direct commercial offers is carried out on a basis of co-responsibility despite the fact that the AEPD issues an opinion to the contrary well-founded. Therefore, it cannot be considered that there is a communication of data to third parties in this case.

Regarding the statement of the AEPD that the consent given for the profiling purposes is not in accordance with the provisions of article 4.7 of the GDPR, we refer to and reiterate the allegations already made to the Initiation Agreement, recalling what has already been stated in this Writing as to the fact that there is no multiplicity of purposes that have not been specified but one main purpose and a set of complementary or instrumental operations to reach the ultimate goal, operations that have been conveniently informed; otherwise, the AEPD would not have been aware of them, all this without prejudice to the non-substantial errors that may have been made in the conditions and policies whose correction is being designed by the CaixaBank Group, while there is a regime of co-responsibility regarding the treatment object of the Motion for a Resolution.
Of course, we must insist on the consideration that the recommendations of the EDPB must have, insofar as they are an opinion, authorized of course, which should not be confused with the obligations arising from the data protection regulations, collected in general in the GDPR and, where applicable, in the LOPDGDD; so that the minimum information content required by regulation is met by CPC, notwithstanding that it (CPC) considers it of interest to attend, as it does, to the recommendations and good practices proposed by the European data protection authorities, insofar as this results in improving the information received by its clients in relation to the use of their personal data by CPC.

As already stated in our allegations, we do not agree with the conclusion of the AEPD that the breach of article 6.1 of the GDPR by CPC has been accredited regarding the treatment object of the Motion for a Resolution. In our opinion, the legal foundations developed by the AEPD do not sufficiently prove such breach, or not to the extent that the AEPD intends to give it; that is why, to guarantee the defense of the interests of CPC, we consider it appropriate to refer to and analyze the factors which, according to the AEPD, influence the determination of the amount of the proposed administrative fine.

In the first place, we want to express some general questions that seem relevant to us with respect to the use of criteria for graduation of the sanction. In the opinion of this party, there has been a clear separation from the administrative precedent, since article 35.1 c) of the LPACAP establishes that the acts that depart from the criteria followed in previous actions must be motivated.
This precept makes it clear that the AEPD must expressly justify its changes of criteria, given that the principle of equality means that "the Administration must maintain in its resolutions an equal criterion when it comes to identical or similar cases" (sic, STSJ of Catalonia, of January 15, 1999); this would affect a substantial change in the amount of the administrative fines, which has not been sufficiently accredited and which has no basis, as will be seen, in the fact that the GDPR has modified the amounts of the administrative fines.

In this sense, PS 0070/2019 serves as an example where similar facts are sanctioned in relation to the obtaining and granularity of the consent of the interested parties, in which there is a different application of the criteria that allow the sanction to be graduated, being, in both cases, financial entities, but with different volumes, both in number of interested parties and in business volume, among others. Thus, while in the Proposal for Resolution the AEPD considers the following graduation criteria:

- The nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operations in question.
- The intentionality or negligence appreciated in the commission of the offense.
- The high link of the activity of the offender with the performance of processing of personal data.
- The condition of a large company of the responsible entity and its volume of business.
- The high number of data and treatments that constitute the object of the file.
- The high number of interested parties.
In PS 0070/2019, we insist, regarding very similar facts charged against an important financial entity at the state level, it surprisingly only takes into account two graduation criteria, compared to the 6 of the Proposal for Resolution: the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operations in question; and the intentionality or negligence appreciated in the commission of the offense. It is thus shown, in an evident and objective way, that there is unequal treatment when establishing the amount of the administrative fine.

Regarding the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operations in question, the AEPD affirms that it is the result of the procedure designed by CPC for the collection of consent in order to create profiles to direct commercial offers to its customers; we once again remind you that the treatment is carried out in a co-responsibility regime and that, therefore, such procedure has been designed jointly within the framework of the CaixaBank Group. The AEPD forgets to assess that, in any case, we start from a procedure designed and implemented; that is, it has been the object of analysis and reflection precisely to respond to the requirements of the data protection regulations. It would seem that having a procedure would represent an aggravating factor, implying that the non-existence of such a procedure might have led to such aggravating factor not being applied, an incongruous situation in light of the principle of proactive responsibility established by the GDPR.
In addition, the AEPD states that the aforementioned treatment "carries a significant risk for the rights of the interested parties taking into account the especially intrusive character of such data processing". In this case, the AEPD does not argue what that "significant risk" consists of; it just states it and adds that it is especially intrusive, also without any argumentation, which leads to the question that, if the sending of commercial communications to clients is "especially intrusive", what processing of personal data will not be particularly intrusive. We insist that we are not facing a case in which CPC has radically dispensed with the obligations related to obtaining consents, notwithstanding the fact that the AEPD considers that there are certain issues which could lead to improvements in the way consents are collected. The evidence is that there is a procedure designed with the willingness to comply with data protection regulations.

In this sense, of interest is what is expressed in the Guidelines on the application and setting of administrative fines for the purposes of Regulation 2016/679 (WP 253), which indicate that, "rather than being an obligation of result", these provisions introduce an obligation of means; that is, the data controller must carry out the necessary evaluations and reach the appropriate conclusions. Therefore, the question to which the supervisory authority must answer is to what extent the data controller "did what could be expected to do" in view of the nature, purpose or the scope of the processing operation, in light of the obligations imposed by the Regulation. The AEPD has not assessed, at any time, whether there have been efforts to comply, even though it has been made clear that indeed, from before the GDPR became fully enforceable, both CPC and the CaixaBank Group have dedicated human and material resources to adapt to the requirements of the data protection regulations.
Regarding the intentionality or negligence appreciated in the commission of the infraction, the AEPD says that "the defects indicated in the procedure by which the consent of their clients, given their evidence, should have been noticed and avoided when designing said procedure by an entity with the characteristics of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U." We could not disagree more with the formulation made by the AEPD for the application of this criterion, especially because it leaves up in the air whether the AEPD considers that CPC's conduct is intentional or negligent, a very relevant difference, as we imagine the AEPD will agree, to which we must add that, of course, in no case has CPC considered intentionally breaching, nor systematically, as the AEPD seems to suggest, its obligations in terms of personal data protection.

And, furthermore, in our opinion, CPC has acted diligently, establishing from the outset clear procedures in relation to the information made available to the clients and the procedures for obtaining their consent. CPC has a desire for continuous improvement and transparency, not concealment or generation of confusion in its clients, a fact that is reflected in the evolution of the documents and mechanisms used, and also in the improvement of the information contained in them.

Regarding the high link between the activity of the offender and the performance of processing of personal data, we do not agree that it is applicable to the case of CPC. The AEPD affirms a truism, such as that "the operations that constitute the business activity developed by CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. as an entity dedicated to the commercialization of credit or debit cards, credit accounts and loans, involve operations of personal data processing." We do not understand what value such a statement has in relation to the application of this aggravating factor as applied by the AEPD because, in our opinion, it departs from the intention of the legislator, which is directed at considering as aggravating the fact that the processing of personal data is the main activity of a business nature, not an instrument; hence it refers to "high linkage"; otherwise it would be concluded that the mere fact of processing personal data would always be an aggravating factor. If the legislator had intended that, it would not have qualified that such a link should be "high".

Hence, we affirm that, in no case, is the main activity of CPC the processing of personal data of its customers, since personal data is used to the extent necessary for the development of its main business activity, nor does it benefit directly or indirectly in economic terms from the commercialization of the personal data of its clients; nor do we believe that the fact that, as the AEPD argues, "among its commercial activities is the sending of commercial communications to its clients of third party entities with which it has commercial agreements" is a defining element to apply such criterion of aggravation of the amount of the administrative fine. In summary, the AEPD does not substantiate that the aggravating factor of high linkage of the activity of the offender with the performance of personal data processing is applicable to the case.
If the AEPD has assessed that it applies such criterion taking into account the volume of data and interested parties included in its treatments, then it would be reiterating the application of aggravating factors, since it also uses both the high volume of data and treatments and the high number of interested parties; as we have stated, the justification by the AEPD of the high linkage of the activity of the offender with the performance of personal data processing is insufficient; we do not know if the AEPD has taken into account the aforementioned volume of data, treatments and interested parties at the time of applying such aggravation and if, therefore, it would be applying the same aggravating factor more than once.

Regarding the criterion of aggravation due to the condition of a large company of the responsible entity and its volume of business, we are surprised that the AEPD uses both CPC's turnover and, at the same time, the turnover of the CaixaBank Group; we cannot agree that both business figures are used, as it implies that the same turnover is taken into account twice, since CPC's volume of business is, in turn, included in that of the CaixaBank Group. We are surprised that if, in the opinion of the AEPD, there is no co-responsibility in the treatment object of the resolution proposal, the CaixaBank Group's turnover figure is taken into account; therefore, we consider that the graduation criteria would be poorly applied.

We want to state that we radically disagree that the AEPD has not identified any mitigating factor in relation to the alleged infringement that it attributes to CPC; for which we proceed to identify, reiterating what has already been alleged in the brief of response to the Initiation Agreement, some of the facts and circumstances that should attenuate the graduation of the administrative fine proposed by the AEPD.
CPC has made a significant effort in recent years (and especially since the entry into application of the GDPR and the merger carried out on July 11, 2019) to provide its clients with relevant information about the treatment of their personal data appropriately. The clearest example of this initiative is constituted by the different versions of the policies and privacy clauses, a fact which reaffirms the proactivity and spirit of continuous improvement of CPC. This behavior demonstrates a clear exercise of transparency and loyalty, as well as proactive and diligent activity by CPC in relation to compliance with the data protection regulations, in addition to demonstrating its desire to repair potential errors, if any.

The degree of cooperation with the supervisory authority is not assessed either, since CPC has shown, at all times, its willingness to collaborate with the Agency in order to improve those aspects of the treatments that are susceptible to improvement. As has been revealed in this Brief, CPC has launched a series of measures aimed at this improvement in the collection of consents. Thus, these circumstances must be assessed by the Agency as extenuating.

Finally, it should be remembered that both CPC and its data protection delegate have been available to cooperate, despite the dates on which the AEPD has proceeded to notify the most significant administrative acts of this Sanctioning Procedure (end of December 2020 and beginning of August 2021) and the operational difficulties derived from the still active pandemic situation, having been proactive and diligent in responding to any requirements of the Agency. Nor has such an effort deserved to be considered as a mitigating factor.
PROVEN FACTS

FIRST: On November 6, 2018, a written submission from D.A.A.A. was received at this Agency, denouncing that the entity CAIXABANK, CONSUMER FINANCE, EFC had requested from COMPANY.1 information about the entries related to his person in the COMPANY.2 file, without his being a client of said entity, since the relationship with the same had been formally extinguished in 2014.

The claim having been transferred to the Data Protection Officer of the controller, a response was received in which a human and isolated error is admitted, since although the claimant was a client in the past, at the date of the claim he had ceased to be one; however, his data was included by mistake in a campaign of pre-granted credits.

The claim was declared inadmissible for processing on February 6, 2019, without prejudice, as stated in the Resolution itself, to the AEPD, applying the powers of investigation and corrective measures that it holds, being able to carry out subsequent actions related to the data processing referred to in the claim. The decision of inadmissibility for processing was appealed by the claimant, alleging that, although he was not a client of the entity, it had used the financial solvency files with the purpose of creating a profile and offering him a financial service, without requesting his consent; said appeal was upheld.

SECOND: The information provided by CAIXABANK PAYMENTS & CONSUMER states that "there has been a merger by absorption between CaixaBank Payments, E.F.C., E.P., S.A.U., absorbed company, and CaixaBank Consumer Finance, E.F.C., S.A.U., absorbing company, with CaixaBank Consumer Finance, E.F.C., S.A., as a result of this operation, being subrogated by universal succession in all rights and obligations, acquired and assumed, by CaixaBank Payments, E.F.C., E.P., S.A.U., modifying its company name to the current CaixaBank Payments & Consumer, E.F.C., E.P., S.A."

It also appears in said information that "the main activity of CAIXABANK PAYMENTS & CONSUMER consists of the commercialization of credit or debit cards (hereinafter referred to as "Cards"), credit accounts with or without a card (hereinafter, "Credit Accounts") and loans (hereinafter, "Loans") (all of them individually named "Product" and jointly, "Products"), directly or through third parties, whether they are agents or Prescribers, with whom it has signed the corresponding agency or collaboration contracts. Specifically:

- Directly, CPC markets some of the mentioned Products.
- Indirectly, CPC markets through Prescribers and agents.

"Prescriber" or "Prescribers" means those entities with which CPC has signed a collaboration agreement, based on which they undertake to offer their clients the possibility of contracting CPC Products to, mainly, finance the purchase price of products and/or services marketed by them (Prescribers) in their points of sale, either in person or online (for example, establishments such as ***ESTABLISHMENT.1 or ***ESTABLISHMENT.2 and ***ESTABLISHMENT.3). In particular, the CPC Products marketed through Prescribers are the Cards, the Credit Accounts and Loans.

Agent is understood to be CaixaBank, S.A. (hereinafter, interchangeably the "Agent" or "CaixaBank"), entity with which CPC has an agency agreement, by virtue of which CaixaBank promotes and concludes, through its channels, the CPC Cards, as well as, where appropriate, refinancing loans for the debt derived from these Cards."

It also appears that the personal data processing activities that, in the development of its commercial operations, involve the elaboration of profiles, according to the definition set forth in article 4.4 of the GDPR, in particular with regard to the economic situation of the interested parties, are the following:

I. "Analysis of the repayment capacity or risk of non-payment of an interested party in their Request for a Product: It consists of the evaluation by CPC of a Product Request (Card, Credit Account or Loan, hereinafter the "Request") received from an interested party (hereinafter, "Applicant" or "Applicants"). This evaluation involves a processing of personal data that is specified in the necessary assessment of the repayment capacity or solvency of the Applicant (probability of risk of default). Said assessment is carried out, within the framework of the Request received, in order to comply with the provisions of the regulations that, in its capacity as a financial credit establishment and payment institution, are applicable to CPC (Prudential and Solvency Regulations and Responsible Loan)."

II. "Analysis of the capacity for repayment or risk of non-payment in the management of credit risk granted to customers: It consists of continuous monitoring of the capacity of repayment or risk of default of customers to whom CAIXABANK PAYMENTS & CONSUMER has granted financing and, therefore, with whom it maintains a credit risk, with two purposes:

- the management of the credit risk granted to them in compliance with certain legal obligations (specifically, the Prudential and Solvency Regulations and Responsible Loan);
- commercial management in accordance with the consents obtained from the owners of the data (clients) with the subsequent purpose of offering them products and services tailored to their needs, which may include the assignment of "pre-granted" credit limits (pre-granting of a loan based on the information available to the Entity)."

III. "Analysis and selection of target audience: It consists of the analysis and selection, prior to a certain commercial impact, of a target audience (made up of those clients of CAIXABANK PAYMENTS & CONSUMER that meet, where appropriate, the requirements designed to be impacted by a potential campaign in order to offer them Products).
Said treatment is carried out in accordance with the consents obtained from the owners of the data (clients). " Affirms regarding the categories of data holders that are treated in the execution of the detailed treatments, which "deals only with data from interested parties who are Clients of the Entity or applicants for its Products. Does not perform data processing about interested parties that could be called “potential clients”, understood as These, data holders who have no current relationship with CPC or who previously did not have requested a Product through any of the established channels. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 76/133 THIRD: The following is stated regarding the activity called “analysis of the repayment capacity or default risk for credit risk management granted to clients during the contractual relationship ”: 1. Regarding the purposes and bases of legitimation of the treatment. It is stated that has two purposes: I. "The management of the credit risk granted, in compliance with certain legal obligations of the Prudential Regulations and of Solvency and Responsible Loan, applicable when the Product is a credit account since by allowing the availability of credit consistently granted, this (Product) must adapt constantly to the updated solvency capacity of the interested party. As stated, the enabling title to carry out this purpose, give compliance with regulatory requirements, is the legal obligation, of in accordance with article 6.1 c) of the RGPD. II. Commercial management in the event that you have the consent of the data owner. Said treatment provides, among others, to be able to label the client in order to grant him a “pre-grant” (grant of a credit based solely on the information available to the Entity). In this case, only the data of those customers who have given your consent for profiling. " 2. 
Regarding the logic applied in profiling and the expected consequences of said treatment for the interested party, it affirms that it uses a logic that has been defined in the Entity's financibility process. (…).
3. Regarding the personal data being processed, it is stated that they are the following:
- Identification: DNI / NIE / Passport and date of birth.
- Financial: CPC internal data obtained or derived from the existing contractual relationship between it and its client, and consultation of solvency files and the Risk Information Center (CIR) of the Banco de España.
- Sociodemographic: postal code, country of birth and nationality, type of housing and seniority and marital status.
- Socioeconomic: income and pay, employment status and profession, seniority bank and domiciled entity.
- Others: risk score.
4. It details the following origins regarding the personal data object of treatment indicated in the previous section:
- Data provided by the Applicant in the Product Application itself.
- CPC data in relation to the Applicant in the event that the Applicant is already a customer and provided that CPC has data on their payment behavior.
- Data from external sources: in accordance with the regulations that are applicable to CPC as a financial credit institution and payment institution, it also incorporates the following information: Information on the consolidated Group of CaixaBank Group entities. Result of consulting credit information systems. Result of the query to the Risk Information Center (CIR) of the Bank of Spain.
- (…).
5. Regarding the means used to collect consent in case the processing activity is covered by article 6.1.a of the RGPD, it affirms that the channels through which it collects consents for commercial purposes from its clients are listed below:
a) Through the Prescribers.
b) Through its CaixaBank Agent.
a) “Through the Prescribers.
In this channel there are three (3) different forms of capture:
The first is through the employees of the Prescribers themselves, who, at the time of the formalization of the financing contracts with clients who want to contract the Products offered by CAIXABANK PAYMENTS & CONSUMER, ask them about each of the consents, and then record the response given to each of them in the Particular Conditions of the financing contract signed for this purpose.
The three (3) tools provided by CAIXABANK PAYMENTS & CONSUMER to the Prescribers' sellers so that they can capture the information necessary to process the financing operations and, therefore, also collect the aforementioned consents, are the Web "*** WEB.1", the capture app (used through a tablet carried by the Prescribers' sellers, who are constantly moving through the store) and the “Web Auto” (…), which are the software provided by CAIXABANK PAYMENTS & CONSUMER to the Prescribers, connected with the systems of the latter (CAIXABANK PAYMENTS & CONSUMER), so that their sellers process the financing operations by entering the personal and economic data of the clients and the contractual data of the operations (TIN, APR, amortization months, etc.), as well as collect the consents, which will later be reflected in the Particular Conditions of the financing contracts to be formalized and delivered to customers. "
There are three screen prints in the file that correspond with these three tools.
In them it is observed that consent is requested for the following purposes, with the option to choose yes or no for each:
- “I authorize the CaixaBank Group to use my data for study purposes and profiling "
- "I authorize the sending of advertising and commercial offers from the CaixaBank Group by the following means ” (which in turn allows consent to be given or not for each of the following sections):
  - Telemarketing
  - Electronic means such as SMS, email and others
  - Post mail
  - Commercial contacts through any channel of my manager
- "I authorize the transfer of my data to third parties with whom the CaixaBank Group has agreements "
- “I authorize the CaixaBank Group to use my biometric data (image, fingerprint, etc.) in order to verify my identity and signature. This authorization will be complemented with the registration of biometric data to be used in each moment"
There is also a screenshot in the file of the AUTO website tool, in which more details can be consulted. According to the printout in the file, the detail consists of the following:
"Consents and protection of personal data
Authorizations you lend now or have lent previously may be revoked at any time through www.caixabankpc.com/ejerciciode Rights.
If you grant authorization (1), the offers that are sent to you will be adapted to your profile.
Authorizations (2) (3) (4) and (5) refer to the channels through which you agree to be contacted by the CaixaBank group, either by phone, by electronic means, by post and / or in person. If you do not authorize a channel, the CaixaBank group will not be able to contact you to offer you products of your interest.
If you provide the authorization (6), at the time the data is transferred you will be informed which third party is the recipient of your data and, if you do not agree, you can revoke that authorization.
The authorization (7) is to be able to verify your identity / signature, since the CaixaBank group uses biometric recognition methods such as facial recognition systems, fingerprint reading and the like. "
The second form of capture within this group is through the CAIXABANK PAYMENTS & CONSUMER web portal enabled to process the financing operation by the client himself, who will have been redirected by clicking on a link incorporated in the website of the Prescriber in question. Thus, for example, the interested party who decides to apply for the card (…) will initiate the request in the Prescriber's own portal (…) and will immediately be redirected to the web portal enabled for this purpose by CAIXABANK PAYMENTS & CONSUMER, where the entire contracting procedure will be carried out. In this case, it is the client himself, through his computer / tablet, who marks the response for each of the planned treatments, which will afterwards be transcribed in the Particular Conditions of the financing contract formalized.
The document sent to this Agency as ANNEX No. 13 shows the screen that the client views and in which the consents are obtained, which coincide with those described above in the point relating to the prescribers channel.
The document submitted as ANNEX 14 shows an example of how the consents granted by the client are reflected in the Particular Conditions of the financing contract. This document is called APPLICATION-CREDIT CONTRACT and is structured in various sections relating to the personal data of the owner and co-owner, to the purchase, to the financing plan, etc.
The SUMMARY OF TREATMENTS section of said document contains the following information:
"The processing of your data with respect to which you can facilitate your authorization in the terms established in this contract are the following:
"COMMERCIAL PURPOSES:
A.
Data processing by Caixabank Payments & Consumer and the CaixaBank Group companies with study and profiling purposes to inform you of the products that are tailored to your interests / needs, as well as for the monitoring of the contracted services and products, carrying out surveys and design of new services and products.
B. Data processing by Caixabank Payments & Consumer and the CaixaBank Group companies with the purpose of communicating offers of products, services and promotions marketed by them, their own or those of third parties whose activities are included among banking, investment services and insurance, shareholding, venture capital, real estate, road, sale and distribution of goods or services, consulting, leisure and charity-social services.
C. Transfer of data by Caixabank Payments & Consumer and CaixaBank Group companies to third parties with the purpose that they can send you commercial communications. Said third parties will be dedicated to banking activities, investment and insurance services, holding of shares, capital risk, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charity-social.
OTHER PURPOSES
Processing of biometric data provided by Caixabank Payments & Consumer and Grupo Caixabank companies, such as facial image, voice, fingerprints, graphs, etc., in order to verify your identity and signature with the help of biometric recognition. "
In the AUTHORIZATIONS FOR DATA PROCESSING section there are a series of sections in each of which, both for the holder and for the co-owner, two boxes appear, one to mark yes and the other to mark no, for the various authorizations to carry out data processing. These authorizations are the following:
A. "I authorize the processing of my data for the purpose of study and analysis by Caixabank Payments & Consumer and the Caixabank group companies. "
B.
"I consent to the processing of my data by Caixabank Payments & Consumer and the Caixabank group companies with the purpose for these to communicate offers of products, services and promotions through the channels I authorize. " In this case, the boxes yes / no are broken down for each of the following channels: Telemarketing, Electronic media such as SMS, email and others, Mail Postcard. Commercial contacts through any channel of my manager C. “I authorize Caixabank Payments & Consumer and the Caixabank group companies give my data to third parties. " The third way is through the telephone call in which the sellers of the Prescribers and the managers of CAIXABANK interact PAYMENTS & CONSUMER. In this case, the Prescriber's seller provides by phone to the CAIXABANK PAYMENTS & CONSUMER manager all the customer data necessary to formalize the financing operation and he processes it. Once the contract is approved, the client, through the Particular Conditions of the contract that must be signed, defines the granting their consents by handwriting their option on the boxes enabled for this purpose. Such particular conditions are contained in the document sent as annex 14 described in point previous. a) Through its CaixaBank Agent. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 81/133 Affirms that, additionally, CPC is the beneficiary of the consents granted, where appropriate, by customers to CaixaBank. It states that the collection of Consents in the CaixaBank branches are carried out by interacting with the own client with the device that the employee gives him (Tablet), pointing your preferences in relation to data processing. In the screen printing that he incorporates in his writing, it is appreciated that request various authorizations for each of which there is the option of mark yes or no in their respective box. 
The authorizations refer, as in the previous cases:
- To the use of the data for study and profiling purposes, clarifying that, if authorized, the offers sent will be adapted to the profile of the interested party.
- To receive advertising and commercial offers. At this point it is also possible to choose the channels through which to receive advertising by checking the respective box.
- To transfer the data to third parties with whom the Caixabank group has agreements.
- To the use of biometric data in order to verify my identity and signature.
6. Regarding the procedure followed to comply with the duty of information to the interested party (articles 13 and 14 of the RGPD) it is stated that “Attached, as ANNEX DOCUMENT No. 12, is a copy of the general conditions provided to the interested party in the framework of the contracting of a product, in which the interested party is informed of the provisions of article 13; the provisions of article 14 of the RGPD are therefore not applicable. "
The document contained in annex 12, called "GENERAL CONDITIONS APPLICATION-CREDIT AGREEMENT ”, contains various sections, section number 26 referring to the “Treatment of personal data based on the execution of contracts, legal obligations and legitimate interest and privacy policy ”. This point is structured in turn in 10 sections.
The following information is included in points 26.1 and 26.4:
"26.1 Processing of personal data in order to manage Commercial Relations.
The personal data of the Holder, both those that he himself provides and those derived from commercial, business and contractual relationships that are established between the Holder and CaixaBank Payments & Consumer, either in the commercialization of its own products and services, or in its capacity as mediator in the commercialization of third-party products and services (hereinafter all referred to as Commercial Relations), or the Commercial Relations of CaixaBank Payments & Consumer and the companies of the CaixaBank Group with third parties and those made from them, will be incorporated into files owned by CaixaBank Payments & Consumer and the CaixaBank Group companies that are holders of the Commercial Relations, to be treated in order to comply with and maintain them, verify the correctness of the operation and for the commercial purposes that the Holder accepts in this contract.
These treatments include the digitization and registration of identification documents and the signature of the Holder, and their making available to the internal network of CaixaBank Payments & Consumer, to verify the identity of the Owner in the management of their Commercial Relations.
The treatments indicated, except those for commercial purposes whose acceptance is voluntary for the Holder, are necessary for the establishment and maintenance of Commercial Relations, and will necessarily be understood as valid while said Commercial Relations continue in force. Consequently, at the time of cancellation by the Holder of all Commercial Relations with CaixaBank Payments & Consumer and / or with the CaixaBank Group companies, the aforementioned data processing will cease, your data will be canceled in accordance with the provisions of the applicable regulations, keeping them CaixaBank duly limited its use until the actions derived from it. "
"26.4.
Treatment and transfer of data for commercial purposes by CaixaBank and the CaixaBank Group companies based on consent.
In the Particular Conditions of this contract, the authorizations that you grant or revoke will be collected, under the heading authorizations for data processing, in relation to:
(i) Data analysis and study treatments for commercial purposes by CaixaBank Payments & Consumer and companies of the CaixaBank Group.
(ii) The treatments for the commercial offer of products and services by CaixaBank Payments & Consumer and the companies of the CaixaBank Group.
(iii) The transfer of data to third parties.
In order to put at your disposal a global offer of products and services, your authorization to (i) data analysis and study treatments, and (ii) for the commercial offer of products and services, if granted, will include CaixaBank Payments & Consumer and the CaixaBank Group companies detailed in www.caixabank.es/empresasgrupo (the “companies of the Grupo CaixaBank ”), who may share and use them for the purposes indicated.
The detail of the uses of the data that will be carried out in accordance with your authorizations is as follows:
(i) Detail of the analysis, study and monitoring treatments for the offer and design of products and services tailored to the customer profile.
By granting your consent to the purposes detailed here, you authorize us to:
a) Proactively carry out risk analysis and apply statistical and customer segmentation techniques to your data, with a triple purpose: 1) Study products or services that can be adjusted to your profile and specific business or credit situation, all to make commercial offers tailored to your needs and preferences, 2) Track the products and services contracted, 3) Adjust recovery measures on defaults and incidents derived from the products and services contracted.
a) Associate your data with those of other clients or companies with which you have some type of bond, whether family or social, or through ownership or administration relationships, in order to analyze possible economic interdependencies in the study of service offers, risk requests and contracting of products.
b) Carry out studies and automatic controls of fraud, defaults and incidents derived from the products and services contracted.
c) Conduct satisfaction surveys by telephone or electronic channel with the aim of evaluating the services received.
d) Design new products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank Payments & Consumer and the CaixaBank Group companies.
The treatments indicated in this point (i) may be carried out in an automated manner and entail the elaboration of profiles, with the purposes already indicated. For this purpose, we inform you of your right to obtain human intervention in the treatments, to express your point of view, to get an explanation about the automated treatment decision, and to challenge said decision.
(ii) Details of the treatments for the commercial offer of products and services of CaixaBank Payments & Consumer and the companies of the CaixaBank Group.
By granting your consent to the purposes detailed here, you authorize us to:
Send commercial communications, both on paper and by electronic or telematic means, related to the products and services that, at any given time:
a) are marketed by CaixaBank Payments & Consumer or any of the CaixaBank Group companies
b) are marketed by other companies owned by CaixaBank Payments & Consumer and third parties whose activities are included among banking, investment services and insurance, shareholding, venture capital, real estate, road, sale and distribution of goods and services, consulting services, leisure and charitable-social.
The Holder may choose at any time the different channels or media through which he wishes or does not wish to receive the indicated commercial communications, through his internet banking, through the exercise of his rights, or through his management in the CaixaBank branch network.
The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the commercial offer of products and services, will be:
a) All those provided in the establishment or maintenance of commercial or business relationships.
b) All those generated in the contracting and operations of products and services with CaixaBank Payments & Consumer, with CaixaBank Group companies or with third parties, such as account or card movements, direct debit details, direct debits of payroll, claims derived from insurance policies, claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the CaixaBank Group obtain from the provision of services to third parties, when the service is intended for the Owner, such as the management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder as stated in the records of the latter, or of the entities that, according to the regulations governing the securities market, must keep the records of the securities represented by book entries.
e) Those obtained from the social networks that the Owner authorizes to be consulted.
f) Those obtained from third parties as a result of requests for data aggregation made by the Holder.
g) Those obtained from the Owner's navigations through the service of the CaixaBank Payments & Consumer website and other websites of this and / or CaixaBank Group companies, or the mobile phone application of CaixaBank Payments & Consumer and / or of the CaixaBank Group companies, in which he operates duly identified. These data may include information related to geolocation.
h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties.
The data of the Holder may be supplemented and enriched by data obtained from companies that provide commercial information, by data obtained from public sources, as well as by socioeconomic statistical data (hereinafter, "Additional Information"), always verifying that they comply with the requirements established in the current regulations on data protection. "
7. In the information provided by CaixaBank Payments & Consumer, E.F.C., E.P., S.A. it is stated that “the number of interested parties (clients) whose data were treated in the development of the profiling activity associated with the Proactive Scoring activity for commercial purposes amounts to (…). "
FOURTH: The information provided contains the following regarding the third activity carried out, called "Analysis and selection of target audience":
"1. Regarding the definition of the logic applied in the profiling and the anticipated consequences of said treatment for the interested party, it states that “The treatment activity called Commercial Profiling responds to CPC's need to analyze, select and extract, prior to its commercial impact, the target audience to which commercial communications associated with a potential campaign will be directed.
For this purpose, CPC selects and extracts the information of the clients to whom the commercial communications of the campaign in question will potentially be sent. For this, personal data from internal CPC sources (Host, DataPool and DataWareHouse) are processed, of those of its clients who have expressly authorized the commercial profiling treatment and have not subsequently revoked it.
From the aforementioned repositories (Host, DataPool and DataWareHouse), a list of clients is taken based on the result obtained once the treatment based on the client's consent, detailed in the section above (“II. Analysis of the repayment capacity or risk of non-payment for the management of credit risk granted to customers ”), has been carried out, and on said list of clients selection filters are applied based on identifying data such as age ranges, language of communication, sex, location or address, with the objective of proceeding with the extraction of the target audience to which the campaign is directed. Ultimately, the system generates a file with the selection of the target audience that meets the conditions set once the filters have been applied.
It should be noted, however, that the selection criteria that, in essence, constitute the logic applied to profiling are not standardized parameters; rather, they are segments that vary and are adjusted to the needs of the Product or the characteristics associated with the commercial or promotional initiative whose launch is intended, as well as to the type or volume of the data that CAIXABANK PAYMENTS & CONSUMER has regarding each of the interested parties.
For its part, the consequence that the profiling activity carried out by CAIXABANK PAYMENTS & CONSUMER generates for the client is limited to the fact that the client will, or will not, become part of a list that may potentially be used in the framework of a commercial campaign. "
2.
Regarding the description of the purpose of the treatment and detail of the basis of legitimation of article 6.1 of the RGPD on which it is based, it states that "CAIXABANK PAYMENTS & CONSUMER treats the personal data of the interested parties associated with the Commercial Profiling activity in order to know if they meet the necessary conditions for their inclusion in a potential commercial campaign and to improve the impact of its commercial campaigns. In short, although expressed in different terms, the process of profiling linked to this treatment activity is carried out with the aim of generating the list with the target audience that, in subsequent moments, may be exploited to impact customers through communications with commercial content.
For its part, regarding the qualifying title, it is the one provided for in art. 6.1.a) of the RGPD (consent).
3. Regarding the procedure followed to comply with the duty of information to the interested party (articles 13 and 14 of the RGPD) and the means used for the collection of consent when the treatment activity is covered by article 6.1.a of the RGPD, it refers to what is stated in the treatment activity “Analysis of the repayment capacity or default risk for credit risk management granted to clients ”, in which reference was made to annexed document nº12.
4. Regarding the categories of interested parties and personal data object of treatment, it states the following:
“The category of interested parties that are the object of the treatment called Commercial Profiling is that of clients with a current contract with CPC. The category of Potential clients is in no case the object of this treatment activity "
"The personal data subject to treatment are the following:
- Identifiers: customer identifier, NIF / NIE / Passport, name and surname, date of birth, gender, postal address, email, telephone (landline or mobile) and communication language.
- Financial: products and services contracted and condition of owner / beneficiary / attorney-in-fact and the label resulting from the treatment described in the previous section II). "
5. Regarding the origin of the personal data being processed (with indication of the basis of legitimation that sustains it), it states that “The origin of the personal data subject to treatment is the interested party and the internal sources of CAIXABANK PAYMENTS & CONSUMER, already described in point 1 of this section (III. Treatment: "Commercial Profiling"), as well as the labels detailed in the previous section (Analysis of the capacity of return or default risk for the management of credit risk granted to customers).
In this case, the basis of legitimation is the consent of the interested party (art. 6.1.a RGPD). "
6. Regarding the number of interested parties whose personal data have been processed in the development of the profiling activity by category (client, potential client) and year (2018 and 2019), it points out that “First of all, it must be indicated that the numbers reflected below refer only to the category of clients, since this profiling activity does not process data from potential clients, in accordance with the provisions of point b) of the Preliminary Considerations. (…). "
FIFTH: The information obtained on the entity's sales volume shows that turnover during the year 2019 was € 872,976,000. The share capital amounts to € 135,155,574.
SIXTH: It appears in the file that CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. has modified the privacy policy on its website.
It is established that point 6 of said privacy policy, under the title "What treatments we carry out with your data ”, indicates the following:
"The treatments that we will carry out with your data are diverse, and respond to different purposes and legal bases:
> Treatments based on consent
> Necessary treatments for the execution of the Contractual Relations
> Necessary treatments to comply with regulatory obligations
> Treatments based on the legitimate interest of CaixaBank Payments & Consumer "
Section 6.1 of said privacy policy contemplates the following treatments based on consent:
A. Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you.
B. Commercial offer of products and services through the selected channels.
C. Transfer of data to companies that are not part of the CaixaBank Group.
D. Identification of clients and signature of documentation through the use of biometrics.
In point 6.1 of the aforementioned privacy policy, the following is stated:
"TREATMENTS BASED ON CONSENT.
These treatments are legally based on your consent, as established in art. 6.1.a) of the RGPD.
We may have requested that consent through different channels, for example, through our electronic channels or in any of the CaixaBank Group companies. If, for any reason, we have never asked for your consent, these treatments will not apply to you.
You can check the authorizations that you have consented to or denied us, and modify your decision at any time and for free on the website of CaixaBank Payments & Consumer (www.caixabankpc.com) and in each of the CaixaBank Group companies, or in your private area of the website or mobile applications of CaixaBank Payments & Consumer and at the CaixaBank offices.
The treatments based on your consent are indicated below, ordered from (A) to (D).
We will indicate for each of them: the description of the purpose (Purpose), whether or not they are treatments carried out under a co-responsibility regime with other companies of the CaixaBank Group (Joint Controllers / Data Controller), and the categories of data used (Categories of data processed). "
Below is the following information regarding the content in letter A.
“Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you "
Purpose: The purpose of this data processing is to use the categories of data that we indicate below to create profiles that allow us to identify you with customer segments with similar characteristics to yours and suggest products and services that we think may interest you, as well as to establish the periodicity with which we interact with you.
Through this treatment we will analyze your data to try to deduce your preferences or needs and thus be able to make commercial offers that we believe may be of more interest than generic offers.
When the offers that we want to transmit to you consist of products that involve payment of installments or financing, we will carry out a pre-assessment of solvency to calculate the appropriate credit limit to offer you, in accordance with the principles of responsibility in the offer of financing products required by the Bank of Spain.
It is important that you know that this treatment, including the pre-evaluation of solvency in products with risk, is limited to the indicated purpose of suggesting products and services that we believe may be of interest to you, and is not used, in any case, for the denial of any product or service or credit limit.
You always have at your disposal our complete catalog of products and services, and this treatment does not prejudge, limit or condition your access to them, which, if requested, will be evaluated with you in accordance with the ordinary procedures of CaixaBank Payments & Consumer.
We will only carry out this treatment of your data if you have given us your consent to it. Your consent will remain in effect for as long as you do not withdraw it. If you cancel all your products or services with the CaixaBank Group companies, but you forget to withdraw your consent, we will do so automatically.
Categories of data processed: The categories of data that we will process for this purpose, whose content is detailed in section 5, are:
> data that you have provided us
> data observed in the maintenance of products and services, with the exception of sensitive data
> data inferred or deduced by CaixaBank Payments & Consumer.
> data that you have not provided us directly.
Co-responsible for the treatment: The treatment of your data of the categories indicated, with the purpose of analysis for the elaboration of profiles that help us to offer you products that we think you may be interested in, is carried out under a co-responsibility regime by the following companies of the CaixaBank Group:
> CaixaBank, S.A.
> CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
> CaixaBank Electronic Money, EDE, S.L.
> VidaCaixa, S.A.U., insurance and reinsurance
> Nuevo Micro Bank, S.A.U.
> CaixaBank Equipment Finance, S.A.U.
> Promo Caixa, S.A.U.
> Comercia Global Payments, E.P. S.L.
> Buildingcenter, S.A.U.
> Imagintech S.A.
You will find the list of companies that process your data, as well as the essential aspects of the treatment agreements in co-responsibility, in: www.caixabank.es/empresasgrupo. "
It is established that the information on joint responsibility provided on accessing said link is the following:
“In order to carry out the treatments indicated below, CaixaBank and the CaixaBank Group companies will process your data jointly, deciding jointly the objectives (“what is the data used for”) and the means used ("how the data is used"), being, therefore, jointly responsible for those treatments (Co-Responsible Entities).
The treatments for which CaixaBank and the companies of the CaixaBank Group will process your data together are the following (you can see the detail of the CaixaBank Group companies that make up the perimeter of each of the treatments that are carried out in co-responsibility by clicking on each of the following links):

- Carry out the commercial activities of: (i) analysis of your personal data for the elaboration of profiles that help us to offer you products that we think may interest you; (ii) commercial offer of products and services through the selected channels, and (iii) transfer of data to companies that are not part of the CaixaBank Group;
- Comply with the following regulations applicable to CaixaBank Group companies: (i) the regulations on the prevention of money laundering and financing of terrorism; (ii) regulations on tax matters; (iii) the obligations derived from the policies of sanctions and international financial countermeasures, as well as (iv) obligations on the concession and management of credit operations and the consultation and communication of risks to the Risk Information Center of the Bank of Spain (CIRBE).
- Carry out the analysis of the solvency and repayment capacity of the applicants for products that involve financing.

In accordance with the provisions of the applicable regulations, the Co-responsible Entities have signed a co-responsibility agreement for certain treatments, the essential elements of which are the following:

(i) That, for certain treatments identified in the Privacy Policy, the Co-Responsible Entities will act in a coordinated or joint manner.

(ii) That they have proceeded to determine the security measures, technical and organizational, appropriate to ensure a level of security appropriate to the risk inherent to the processing of personal data that is the object of joint responsibility.
(iii) That they have a single window mechanism for the exercise of the rights of the interested parties, assuming the commitment of the duty of collaboration and assistance in those cases where it is appropriate.

(iv) That they comply with the obligation to respect the duty of secrecy and keep the due confidentiality of personal data that are processed within the framework of the reported data processing activities.

(v) Regardless of the terms of the joint responsibility agreement, the interested parties may exercise their rights in terms of data protection against each of those responsible."

It is established that point 5 of the privacy policy, entitled categories of data, reports the following:

"5. Data categories

At CaixaBank Payments & Consumer we will process different personal data to be able to manage the Contractual Relationships that you establish with us, to carry out the rest of the data processing that derives from your condition as a client and, if you have given us your consent, to also carry out the treatment of your data for the activities detailed in section 6.1.

To facilitate your understanding, we have arranged the data that we process in the categories that we detail below.

Not all categories of data that we detail are used for all data processing. In section 6, where we detail the treatments of data that we carry out, you can consult specifically for each treatment the categories of data that are used, thus counting on the information necessary to allow you to exercise, if you wish, your rights recognized by the RGPD, especially those of opposition and revocation of consent.

The categories of data used by the different treatments set out in Section 6 are as follows:

- Data that you have provided us when registering your contracts or during your relationship with us.
These data are:
  - identification and contact data: your identification document, name and surname, gender, postal, telephone and electronic contact information, residence address, nationality and date of birth, and language of communication.
  - socio-economic data: detail of professional or work activity, income or salaries, family unit or circle, educational level, assets, fiscal and tax data.
  - financial data: products and services contracted, relationship with the product (condition of owner, authorized or representative), MiFID category.
  - biometric data: facial pattern, voice biometrics or fingerprint pattern.

- Data observed in the maintenance of products and services. These data are:
  - financial data: the information of the notes and movements that are made in current accounts, including the type of operation, the issuer, the amount, and the concept, information on investments made and their evolution, information on financing, statements of operations with debit and credit cards, contracted products and payment history.

    It is important that you know that we will not process data observed in the maintenance of the products and services that may contain information that reveals your ethnic or racial origin, your political views, your religious or philosophical convictions, your union membership, the processing of genetic data, biometric data aimed at uniquely identifying you, data related to health or data related to your sex life or sexual orientation ("Sensitive Data").
  - whether or not you are a CaixaBank shareholder.
  - digital data: the data obtained from the communications that we have established between you and us in chats, walls, videoconferences, telephone calls or equivalent means and the data obtained from your navigation of our web pages or mobile applications and the navigation that you carry out in them (device ID, advertising ID, IP address and browsing history), in the event that you have accepted the use of cookies and similar technologies on your browsing devices.
  - geographic data: the geolocation data of your mobile device provided by the installation and / or use of our mobile applications, when you have authorized it in the configuration of the application itself.

- Data inferred or deduced by CaixaBank Payments & Consumer from the analysis and treatment of the rest of the data categories. These data are:
  - groupings of customers into categories and segments based on their age, equity and estimated income, operations, consumption habits, preferences or propensities to purchase products, demographics and relationship with other clients, or categorization according to the regulations on Markets in Financial Instruments ("MiFID").
  - scoring scores that assign probabilities of payment or non-payment or risk limits.

- Data that you have not provided us directly, obtained from sources accessible to the public, public records or external sources. These data are:
  - data on financial solvency and credit obtained from the Asnef and Badexcug files.
  - data on risks maintained in the financial system obtained from the database of the Risk Information Center of the Bank of Spain (CIRBE).
  - data of persons or entities that are included in laws, regulations, guidelines, resolutions, programs or restrictive measures regarding international economic-financial sanctions imposed by the United Nations, the European Union, the Kingdom of Spain, the United Kingdom and / or the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC).
  - cadastral or statistical data obtained from companies that provide socioeconomic and demographic statistical studies associated with geographic areas or ZIP codes, not specific people.
  - digital data obtained from your browsing through third-party web pages (device ID, advertising ID, IP address, browsing history), in the case that you have accepted the use of cookies and similar technologies on your navigation devices.
  - data from social networks or the internet, that you have made public or that you authorize us to consult."

CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U. states that the date of publication of the new privacy policy is January 18, 2021 and that said privacy policy replaces the previous one, which had been in force from 21 July 2019 through January 17, 2021.

SEVENTH: It also affirms in its response to the request for information made during the test period that it provides the information supplied to carry out treatments for commercial purposes, previously provided in the response to the Request for information received on June 6, February 2020. It also states that “Although they have been planned, no modifications have yet been made to the aforementioned information since its contribution in the response to the Request for information, pending the resolution of the request for application of precautionary measures related to the Penalty Procedure to CAIXABANK, which could affect the modifications of the aforementioned documentation, planned at this time."

It is established that said information is provided in the document called GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, in whose header the entity CaixaBank Payments & Consumer appears with the date April 10, 2020.
The content of said document coincides with the one sent after the request of the Data Inspection carried out on February 6, 2020 as annex 12.

This document is structured in various sections, of which number 26 addresses, in different subsections, various aspects of data processing, such as the different treatments according to their basis of legitimacy, the exercise of rights by the interested parties or the period of conservation of the data, among other issues. Thus, section 26.1 refers to the processing of personal data in order to manage Business Relationships; section 26.3 to the processing of personal data for regulatory purposes, this section in turn being divided into various subsections such as those relating to treatments for the adoption of due diligence measures in the prevention of money laundering and financing of terrorism (26.3.1), treatment for compliance with the policy on the management of sanctions and international financial countermeasures (26.3.2), communication with credit information systems (26.3.3), communication of data to the Risk Information Center of the Bank of Spain (26.3.4), etc. Section 26.4 refers to the treatment and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank Group based on consent. Sections 26.1 and 26.4 are transcribed in point 6 of the third proven fact.

EIGHTH: It appears that attached to the brief in response to the request for information made during the trial period is a document called Framework Agreement, in whose heading “CaixaBank” appears, and in which section 4.1 indicates that "the person responsible for the processing of your personal data in your contractual and business relationships is CaixaBank, S.A. with NIF A08663619 and address at Pintor Sorolla street, 2-4 Valencia.
Adding the following:

“Co-responsible for treatment: In addition, for certain treatments that are reported in detail in the aforementioned policy, CaixaBank and the companies of the CaixaBank Group will jointly process your data, jointly deciding the objectives (“what the data is used for”) and the means used (“how the data are used”) being, therefore, jointly responsible for these treatments.

The treatments for which CaixaBank and the CaixaBank Group companies will jointly process your data are as follows:

- carry out the commercial activities of: (i) analysis of your personal data for the elaboration of profiles that help us to offer you products that we think may interest you; (ii) commercial offer of products and services through the selected channels, and (iii) transfer of data to companies that are not part of the CaixaBank Group;

(…)

You will find the list of companies that process your data, as well as the essential aspects of the treatment agreements in co-responsibility, in: www.caixabank.es/empresasgrupo."

In point 4.5 of said document, under the title "What treatments do we carry out with your data", it indicates the following purposes regarding the treatments based on consent:

“- Analysis of your data for the elaboration of profiles that help us to offer you products that we think may interest you.
- Make our commercial offer of products and services available to you through selected channels.
- Transfer of data to companies that are not part of the CaixaBank Group so that they can make commercial offers of products they sell.
- Identification of clients and signature of documentation through the use of biometrics.
- Application of personal conditions in jointly owned contracts."

This document is not dated.
It is stated in the reply to the information request made during the trial period that the documentation sent includes “the information provided to the interested parties to obtain their consent to carry out treatments for commercial purposes, when consent is collected from the banking channel (CAIXABANK). This documentation, previously provided in the course of the Sanctioning Procedure to CAIXABANK, was modified in March 2021, in the framework of the aforementioned actions aimed at the implementation of the new privacy policy."

NINTH: It is established that during the trial period the following documents were provided:

Screenshots in which the consent of the clients is obtained: A screenshot of the prescribing channel, which exactly matches the one described for said channel in point 5 of the third proven fact of the present motion for a resolution. A screenshot of the new client office registration (face-to-face onboarding), which states the following: “delivers the tablet to the client so that he can fill out himself the consents”, and screenshots added for the new client Web Portal (digital onboarding).

In both modalities, basic information is provided for the client on the processing of personal data, indicating that the responsible for the treatment is: “Caixabank, with NIF A08663619 and address at Pintor Sorolla street, 2-4 Valencia. Co-responsible for the treatment “For certain activities Caixabank, S.A. and the Caixabank Group companies will process your data together. You will find the list of companies that process your data, as well as the essential aspects of the treatment agreements in co-responsibility, in www.caixabank.es/empresasgrupo."

Regarding consents, it is indicated in both modalities that “You authorize the companies of the CaixaBank group to: Analyze your data to create profiles to help us offer you products that we think may interest you.
If we have your consent, we will configure or design an offer of products and services adjusted to your characteristics as a client, by analyzing your data and profiling with your information."

Below are two boxes in which you can check yes or no. In other sections consent is requested to communicate the commercial offer of products and services through the channels that are selected and to transfer the data to companies that are not part of the Caixabank Group with which they have agreements.

Regarding the analysis treatments for profiling, the following information is also provided in both modalities: These treatments have your consent as a legal basis, as established in article 6.1.a of the General Data Protection Regulation. The information offered in the privacy policy on this type of treatment regarding the purpose, categories of data processed and joint controllers of the treatment is then reiterated. However, regarding the data processed, it indicates: "the categories of data that we will treat for this purpose, whose content is detailed in section 5 of our Privacy Policy (www.Caixabank.es/privacy policy), are: data that you have provided us, data observed in the maintenance of products and services with the exception of sensitive data, data inferred or deduced by Caixabank, data that you have not provided us directly." The description of this data does not appear on any of the screens.

Co-responsibility agreement. Said Agreement is neither dated nor signed. Number 4 of said agreement, regarding the duration, states that “This Agreement shall enter into force on the date of its signature and will remain in force indefinitely, without prejudice to the review and necessary modifications of its terms and content for its adaptation, where appropriate, to the current regulations that are applicable at all times ..."

This agreement contains the following definition: “Co-responsible for the Treatment or Co-responsible: Means those responsible who jointly determine the objectives, purposes and means of the Treatment detailed in Annex 1."

The aforementioned annex mentions the following treatments that are the object of co-responsibility regarding "commercial activities":

a) analysis of personal data for the elaboration of profiles that help us to offer products that we think may be of interest to the customer

Purpose: The purpose of this data processing is to use the categories of data indicated in the CaixaBank Privacy Policy (www.caixabank.com/politicaprivacidad) to create profiles that allow the Co-responsible parties to identify the customer with customer segments of similar characteristics in order to be able to offer him products and services that may interest him, as well as to establish the periodicity with which the Joint Controllers relate to him.

Legitimating base: The legitimizing base of this treatment is the consent granted by the interested parties.

b) Commercial offer of products and services through the selected channels.

Purpose: The purpose of this data processing is to make available to the client communications of commercial offers related to own or third-party products and services marketed by CaixaBank and / or the entities of the CaixaBank Group. These communications will only be sent to the client by the channels that he has previously authorized by giving his consent.

Legitimating base: The legitimizing base of this treatment is the consent granted by the interested parties.
c) transfer of data to entities that are not part of the CaixaBank Group

Purpose: The purpose of this treatment is to transfer the data of the interested parties to entities that are not part of the CaixaBank Group with which the Co-responsible parties have agreements, with the purpose that they make them commercial offers of the products they sell.

Legitimating base: The legitimizing base of this treatment is the consent granted by the interested parties."

It then lists the co-responsible parties, which would be the following:

- CAIXABANK, S.A
- CAIXABANK PAYMENTS & CONSUMER, E.F.C., E.P., S.A.U.
- CAIXABANK ELECTRONIC MONEY, EDE, S.L
- VIDACAIXA, S.A.U., DE SEGUROS Y REASEGUROS
- NUEVO MICRO BANK, S.A.U
- CAIXABANK EQUIPMENT FINANCE, S.A.U
- PROMO CAIXA, S.A.U.
- COMERCIA GLOBAL PAYMENTS, E.P. S.L.
- BUILDINGCENTER, S.A.U.
- IMAGINTECH, S.A.

Successive annexes set out other treatments subject to co-responsibility, whose legitimizing basis is compliance with legal obligations or the execution of contractual relationships.

Contract signed with the entity *** EMPRESA.3 for the risk score activity. As indicated in said contract, dated June 2, 2020, the contract signed on May 2, 2017, extended in turn on May 2, May 2019 to incorporate the services outlined in Annex I (which are not attached). CAIXABANK and CAIXABANK PAYMENTS & CONSUMER and the entities (…) are parties to said contract, the latter two being jointly designated as SUPPLIER.

This document contains two clauses: The first clause of said contract, relating to the modifying, non-extinguishing novation of clause 15 of the contract, replaces the aforementioned clause with retroactive effect to May 25, 2018, with new elements related to the person in charge of the treatment, in order to adapt the risk score services to the regulatory obligations contained in the LOPDGDD and the RGPD.
In the second of the clauses, it is agreed to incorporate into annex I (annex of services) a clause relating to specific aspects of the processing of personal data of the risk score service. Said clause refers to the description of the treatment, indicating that for the sole purposes of providing the “risk score” service, CAIXABANK AND CAIXABANK PAYMENTS & CONSUMER make the following information available to the provider "(...)." The following treatments by the provider are then listed: exploitation, consultation and destruction; the type of data (DNI (NIE / Passport)) and categories of affected stakeholders (clients, non-client participants). Regarding the purpose of the treatment, it is indicated that the provider will use the personal data being processed solely and exclusively for the fulfillment of ANNEX I, not being able to use them, in any case, for its own purposes. Said annex is not attached.

TENTH: In the written reply to the request for information made during the trial period it is stated that the turnover of the CAIXABANK Group as of December 31, 2020 is estimated at twelve thousand one hundred seventy-two million euros.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data (General Data Protection Regulation, hereinafter RGPD) recognizes to each Control Authority, and as established in articles 47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in their development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II

Beforehand, it is considered convenient to analyze the allegations made by CAIXABANK PAYMENTS & CONSUMER, E.F.C., E.P., S.A.U. (hereinafter CPC) on the basis of which it requests the declaration of nullity of the proceedings.

1. The first one alleges insufficient motivation for the initiation agreement. CPC alleges that there is no direct connection between the content of the inadmissible claim and the beginning of previous actions.

This Agency cannot share such allegation: the connection is evident between a claim alleging a consultation of a credit information system and a commercial offer of a product, for which a profiling has been carried out, all without the consent of the claimant, and the initiation of investigation actions of the AEPD on the procedures for obtaining consent to the profiling carried out by CPC when that consent constitutes the legal basis that legitimizes said treatments.
Regarding the allegation that relevant information for the defense has been omitted, since the initiation agreement made no reference to the fact that the interested party filed an appeal for reconsideration against the inadmissibility of his claim and that it was upheld by the AEPD, it should be noted that the initiation agreement made no reference to such fact because it does not have the relevance that CPC attributes to it, since the resolution of inadmissibility of the claim itself, which was communicated to the defendant, warns that without prejudice to this result “the Agency, applying the powers of investigation and corrective measures that it holds, can carry out subsequent actions related to the data processing referred to in the claim”.

Notwithstanding the foregoing, said information was included in the proposed resolution for greater clarity on the antecedents that led to the initiation of investigation proceedings, so that CPC has been aware of it in the framework of the procedure and has been able to allege whatever it considered convenient.

2. The second refers to the alleged breach of article 55.1 of the LPACAP, in connection with article 53 of the LOPDGDD, considering that the data inspection has exceeded its function by expanding the scope of the preliminary investigation actions defined by the head of the administrative body.

This allegation is based on the fact that the scope of the investigation determined by the Director of the AEPD refers to clients, while the document by which information is required from CPC refers to "potential customers".
CPC states that, although the Agency acknowledges that there has been a transcription error and that there are no such treatments, the fact that there are no such treatments does not diminish the excess initially raised, since although it does not know what would have happened if such treatments had existed, “it is reasonable to think that the research would have been carried out outside the scope specified by the Director of the AEPD".

Again this Agency cannot share such reasoning. This Agency has acknowledged in the motion for a resolution that there was a transcription error in the requirement of the Subdirectorate of Inspection by which information was requested from CPC, by referring not only to clients, but also to "potential clients". However, no action has been taken on data processing not included in the scope of the investigation set by the Director of the AEPD; CPC itself stated, in the information provided on the occasion of such requirement, that such treatments are not carried out with "potential clients" and, consequently, it has not provided any information in this regard.

On the other hand, CPC's claim that, although it does not know what would have happened if such treatments had existed, “it is reasonable to think that the investigation would have been carried out out of the scope specified by the Director”, lacks any basis whatsoever. In the opinion of this Agency, in no way can it be admitted that an unfounded assumption constitutes a cause for annulment of the procedure.

3. The third of the allegations refers to an alleged violation of the non bis in idem principle, considering that the same collection of consents for the elaboration of profiles was investigated and sanctioned in the sanctioning procedure against CAIXABANK, S.A, number PS / 00477/2019.
It understands that there is identity of subject, fact and foundation, since CPC forms part of the CaixaBank group, which means that many treatments are carried out under a co-responsibility regime, in particular the treatment based on consent, described as "Analysis of your data for profiling to help us offer you products that we think may interest you”, which appears in letter 6.1.A of the privacy policy of Caixabank, S.A.

This Agency cannot accept such an allegation either. The resolution of PS / 00477/2019 limits its scope to certain actions of the entity CAIXABANK, S.A., expressly excluding "the action that may be carried out by companies that make up the so-called “CaixaBank Group” for compliance with the principle of transparency or the specific procedures that have been enabled to collect the consent of their clients for the processing of personal data that they carry or intend to carry out, or in relation to the other aspects outlined."

To this must be added that the co-responsibility regime referred to not only is not accredited but, in the opinion of this Agency, its existence is not even admissible in the present case, as will be seen later. In this sense, it cannot be accepted that the Agency has reversed the burden of proof as CPC alleges: it is CPC who affirms the existence of joint responsibility in order to exonerate itself of its responsibility, and therefore it is up to CPC to accredit its existence.

On the other hand, even in the event that there was co-responsibility in the treatment, which in the opinion of this Agency does not happen in the present case, as indicated in the previous paragraph, sanctioning each of those responsible for it would not in itself imply an infringement of the principle non bis in idem. The co-responsibility regime does not determine that all liability applies to a single subject; rather, each co-controller will be responsible for the part of the treatment that it carries out.
In this sense, see the provisions of the CJEU in the Judgment of June 5, 2018, in case C-210/16 (Wirtschaftsakademie): “… The existence of a joint responsibility does not necessarily translate into an equivalent responsibility of the various agents involved in a processing of personal data. On the contrary, these agents may be involved in different stages of that treatment and to different degrees, so that the level of responsibility of each of them must be evaluated taking into account all the pertinent circumstances of the specific case."

4. Fourth, an arbitrary action by the AEPD is alleged, proscribed by Article 9.3 of the Spanish Constitution. CPC affirms that it is an arbitrary action that does not objectively pursue the general interest, also evidencing discriminatory treatment with respect to other companies.

It states that CAIXABANK, S.A. shared with the AEPD aspects for which it now intends to sanction CPC, requesting a meeting or contacts in order to obtain and adopt criteria and recommendations that the AEPD might have wished to convey in this regard, efforts that were unsuccessful despite the insistence of CAIXABANK, S.A., for which reason it understands that this group adopted a diligent and preventive attitude, the effect being that the AEPD has adopted an exclusively punitive approach with the CAIXABANK group.

Such allegations are not admissible. The GDPR introduces the principle of proactive responsibility as a fundamental element of compliance with its provisions, with said obligation incumbent on the person in charge.
As established by Article 24 of said rule, it corresponds to the data controller to apply the appropriate technical and organizational measures in order to guarantee that the treatment is in accordance with the RGPD, or, in the terms of recital 74 of the same standard: “In particular, the person responsible must be obliged to apply appropriate and effective measures and must be able to demonstrate compliance of treatment activities with this Regulation, including the effectiveness of the measures”. This Agency is not required to issue any opinion or assessment on compliance with data protection regulations of the treatments carried out by a person in charge at the latter's request, except in the case of prior consultation provided for in article 36, which is not the case in the present proceeding. On the other hand, although this Agency has various channels through which those responsible can raise their doubts, the reports that could be issued through such channels are not binding, so the breach of the obligations of the person in charge cannot be justified by the absence of an opinion of the AEPD on that person's treatments.

The allegations relating to the alleged unequal treatment between entities of one sector and another focus on the ex officio plan on distance contracting in telecommunications operators and energy marketers. As the name of the plan itself indicates, its objective is distance contracting, and not only in the telecommunications sector but also in the energy sector, in which this type of contracting is also used. The carrying out of said plan does not derive from the percentage of claims received during a specific year in one sector or another; rather, it was included in the 2015-2019 strategic plan of the AEPD, in view of the problems that this type of contracting raises, in particular in aspects such as identity theft or fraudulent contracting, as the plan itself states.
It is a general problem, which justifies an ex officio action by this Agency, and not a specific breach of data protection regulations by an entity, as in the present case. On the other hand, the carrying out of an ex officio plan by the AEPD does not imply that the entities of the sector concerned are not sanctioned in the event that a claim is received that gives rise to investigation actions and, where appropriate, sanctioning actions. In this sense, it should be remembered that this Agency has the obligation to publish its resolutions; one need only look at those that appear on its website to verify that it does not limit its punitive action to certain sectors of activity. CPC also bases the alleged discrimination of treatment with respect to other interested parties on the affirmation that there are repeated sanctioning resolutions of the AEPD in which the person responsible for the treatment is sanctioned for infringement of article 6 RGPD (see PPSS 00235/2019, 00182/2019, 00415/2019) and that, taking into account the condition of a large company and the volume of business, among others, the sanctions are not even close to the economic level of the proposed sanction contained in the Initiation Agreement, since they are sanctions that have ranged between € 60,000 and € 120,000. It also states that it is not understood on what basis the Agency modulates economic sanctions, since the Initiation Agreement does not give reasons for or minimally explain the application of the graduation criteria of the sanction, nor the fact of deviating from them in the proposed sanction, in the case of very similar facts. It alleges that the motion for a resolution has not assessed these specific examples. Nor can these assertions be accepted.
To determine the sanction to be imposed in each case, this Agency takes into account the elements established in Article 83 of the RGPD, as well as those established in article 76.2 of the LOPDGDD. Said elements, as is known, do not refer only to the type of offense, the condition of large company or the turnover, so CPC's claim that there are other procedures in which these three elements coincide and the sanction is lower, made without greater precision to justify the alleged discrimination in treatment with respect to other interested parties, cannot be taken into account as a cause that determines the voidability of a procedure. However, it should be added that such elements are the only thing these procedures have in common with the one now processed, since the other elements of graduation of the sanction that have been considered to determine the sanction in this procedure and those contained in the resolutions referred to by CPC are not comparable, neither by the nature and seriousness of the offense, nor by the number of affected (only the claimant in the aforementioned cases), to mention only some of the aggravating factors taken into account in this proceeding and which did not occur in the cases to which CPC refers. Regarding what was stated by CPC regarding the agreement to initiate this procedure, it should be remembered that the initiation agreement itself lists the circumstances that could influence the determination of the sanction. In this sense, the agreement to initiate the procedure is in accordance with the provisions of article 64.2.b of the LPACAP, according to which the initiation agreement must contain at least: b) “the facts that motivate the initiation of the procedure, its possible classification and the sanctions that may correspond, without prejudice to what results from the instruction.”
Article 68 of the LOPDGDD is expressed in the same sense, according to which it will be enough that the agreement to initiate the procedure specifies the facts that motivate the opening, identifies the person or entity against whom the procedure is directed, the infraction that could have been committed and its possible sanction. In the present case the initiation agreement goes even further by mentioning the possible circumstances that could influence the determination of the sanction, always without detriment to what results from the instruction, which is why they are not developed in the aforementioned agreement, although they are indicated for the sake of a better possibility of defense by the entity against which the procedure is directed and, where appropriate, so that it may make use of the provisions of article 85 of the LPACAP, paying voluntarily and obtaining the reductions of the sanction established by said precept.

5. Fifth, the defenselessness caused to CPC by the violation of its presumption of innocence is alleged, which is argued in the following way: “we are before the beginning of a sanctioning procedure, preceded by a request for prior information of February 6, 2020. Well, before the mandatory administrative period to respond to said requirement expired, specifically, on March 3, in an act of ISMS Forum held in Madrid, as already described in detail above, the Director of the AEPD, the highest authority of the institution, and competent person to resolve this file, publicly pointed out the existence of two or three high-impact sanctioning procedures that were going to have a lot of media coverage in relation to the financial sector.” It reiterates in another paragraph, after considering that in accordance with articles 24.2, 103. 1 and 3 CE –and art.
6.1 of the European Convention on Human Rights-, any action of the Public Administration must obey the principles of objectivity and impartiality; “However, in this case, without having yet assessed the response to the Information request, since it was presented on June 2, 2020 (almost three months after the Director's aforementioned statements), the person who has to resolve, and on whom, in addition, as the highest authority, the inspectors and instructors of the AEPD depend hierarchically, far from keeping any appearance of justice, decided (publicly) that there would be a sanction, and this without having agreed to initiate the sanctioning procedure.” In this regard, it should first be noted that CPC's assertion that there was a decision already taken before the sanctioning procedure itself lacks the slightest factual support. Such an interpretation cannot be admitted: the Director's statements, made in the context of remarks on the significance of the sanctioning proceedings in progress due to the amount of the fines, neither predetermined the decision to be taken in said procedures, nor, much less, could they refer to an entity such as CPC, with respect to which not only had no sanctioning procedure been initiated, but which had not even yet presented the documentation that later justified the opening of this process. It should be remembered here that, in the sanctioning administrative sphere, the impartiality of the adjudicatory body is linked to the right of the interested party to a process with all the guarantees. It is guaranteed by the grounds for abstention or challenge and by the due separation between the investigation and resolution phases of the sanctioning procedure, a separation between phases that is scrupulously respected in all procedures of this nature followed in the AEPD.
For the sake of legal certainty, the reasons for abstention or disqualification have been regulated by an exhaustive list of circumstances that respond to objective reasons, thus preventing the interested parties from asserting causes of abstention or objection based on their own or particular criteria. In our administrative order, the appearance of partiality is assessed by the objectively justified concurrence of the reasons regulated in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP): “Article 23. Abstention. 1. The authorities and personnel at the service of the Administrations in whom some of the circumstances indicated in the following section concur will refrain from intervening in the procedure and will communicate it to their immediate superior, who will resolve what is appropriate. 2. The following are reasons for abstention: a) Having a personal interest in the matter in question or in another whose resolution could be influenced by that of the former; being an administrator of an interested company or entity, or having pending litigation with an interested party. b) Having a marital bond or assimilable de facto situation, or kinship of consanguinity within the fourth degree or of affinity within the second, with any of the interested parties, with the administrators of interested entities or companies and also with the advisors, legal representatives or agents who intervene in the procedure, as well as sharing a professional office or being associated with these for advice, representation or mandate. c) Having an intimate friendship or manifest enmity with any of the people mentioned in the previous section. d) Having intervened as an expert or as a witness in the procedure in question.
e) Having a service relationship with a natural or legal person directly interested in the matter, or having provided them in the last two years with professional services of any type and in any circumstance or place.” “Article 24. Challenge. 1. In the cases provided for in the preceding article, a challenge may be filed by the interested parties at any time during the processing of the procedure. 2. The challenge will be raised in writing, stating the cause or causes on which it is founded”. Ultimately, the point is that the person making the decision has no personal interest in the matter and has not intervened in the procedure as an expert or witness, so that he can resolve according to the general interest, without any type of influence unrelated to that interest that may lead him to decide in a certain way. On the other hand, in accordance with the doctrine of our Constitutional Court, what is required of public servants is not the personal and procedural impartiality that is required of judicial bodies, but rather that they act with objectivity and submission to the law. Thus, in STC 174/2005, of July 4, the following is declared: “In this regard, remember that although this Court has reiterated that, in principle, the requirements derived from the right to a process with all the guarantees apply to the sanctioning administrative procedure, special emphasis has also been placed on the fact that said application must be carried out with the required modulations to the extent necessary to preserve the essential values found at the basis of art. 24.2 CE and the legal security guaranteed by art. 9.3 CE, as long as they are compatible with its own nature (by all, STC 197/2004, of November 15, FJ 2).
More specifically, and with regard specifically to the guarantee of impartiality, it has been pointed out that it is one of the cases in which it is necessary to modulate its projection in the administrative sanctioning procedure, since said guarantee “cannot be predicated of the sanctioning Administration in the same sense as with respect to judicial bodies” (STC 2/2003, of January 16, FJ 10); therefore, “without prejudice to the prohibition of any arbitrariness and the subsequent judicial review of the sanction, the strict impartiality and independence of the organs of the judicial power is not, in essence, predicable to the same extent of an administrative body” (STC 14/1999, of February 22, FJ 4), concluding that the independence and impartiality of the judge, as a requirement of the right to a trial with all guarantees, is a characteristic guarantee of the judicial process that does not extend without further ado to the administrative sanctioning procedure (STC 74/2004, of 22 April, FJ 5)”. And STC 14/1999, of February 22, states the following: “An erroneous understanding of the content of the constitutional requirements of judicial impartiality and its alleged transfer in totum to whoever intervenes in the administrative sanctioning procedure as Instructor leads the appellant to affirm the injury of his right to a process with all the guarantees. (…) It should be reiterated here again, as we did in STC 22/1990 (4th legal basis), that “without prejudice to the interdiction of all arbitrariness and subsequent judicial review of the sanction, the strict impartiality and independence of the organs of the judiciary is not, in essence, predicable to the same extent of an administrative body.” What can be claimed of the Instructor, ex arts.
24 and 103 C.E., is not that he acts in the situation of personal and procedural impartiality that is constitutionally required of the judicial organs when they exercise jurisdiction, but that he acts objectively, in the sense that we have given to this concept in SSTC 234/1991, 172/1996 and 73/1997, that is, performing his duties in the procedure with personal disinterest. This purpose is served by the possibility of challenge established by art. 39 of Organic Law 12/1985, of the Disciplinary Regime of the Armed Forces (hereinafter L.O.R.D.F.A.), which refers to art. 53 of the Military Procedural Law, whose catalog of causes bears, in this area, evident similarity with that provided for in the Organic Law of the Judicial Power, although those listed in both obey, as explained, different foundations. (…) None of the reasons given can be attended to, not only because, in general, and as stated before, the constitutional doctrine elaborated on the impartiality of judicial bodies cannot be transferred without more to the administrative sanctioning area, but because in the present case, and in view of the configuration of the legal causes of challenge, it is not possible to appreciate the concurrence of any element that would require the Instructor's withdrawal due to loss of the necessary objectivity. There is not observed in the Instructor questioned, nor has the interested party provided any justified data in this regard, the presence of direct or indirect personal interest in the resolution of the sanctioning file (…)”. In this regard, it must be taken into account that, to declare the nullity of the actions for the reasons alleged, it is necessary to fully demonstrate the concurrence of one of those reasons, which must have been able to influence effectively the decision adopted through the present resolution.
It is considered appropriate to record in this act that none of the causes of abstention or recusal established in the transcribed precepts is present, which allows the conclusion that the alleged lack of impartiality does not exist. There is no personal interest in the object of the procedure; no bond, friendship or enmity with the interested party; nor any intervention as an expert or witness in the procedure. In the present case, although CPC alleges lack of impartiality of the resolving body, it has not formally raised the challenge of the Director of the AEPD, acknowledging in its allegations that “he already valued at the time that there were no the cases of abstention of article 23.2 of Law 40/2015, and, consequently, it was not proposed to request the challenge suggested in the Proposal for Resolution”. On the other hand, this resolution is adopted in accordance with the Law, according to objective criteria, and without the adjudicatory body having prejudged the matter in question through prior formal actions or through its intervention in previous phases of the procedure. This intervention has not taken place in any way, beyond the adoption of the agreement to open the procedure as established by the applicable procedural regulations. Neither the statements of the Director of the AEPD referred to by CPC, nor any other circumstance, has broken the impartiality of the investigating body, which has had at its disposal all the powers conferred by the regulations in question and full freedom to dictate its resolution proposal. On the other hand, the instruction of the procedure has been in accordance with the procedural regulations, without it being possible to appreciate any irregularity in the processing of the procedure, in which, in addition, all the guarantees of the interested party have been respected, including the presumption of innocence.
The intervention of the Director in the event held on 03/03/2020 is related to the adoption of the agreements to open the procedures to which CPC refers in its allegations, both from the financial sector. The reference to these agreements as having a broad impact for the affected sectors and media relevance has to do with the novelties introduced in the RGPD and, in particular, those related to the new model of compliance and supervision. In relation to the latter, the significant amounts contemplated in the Regulation stand out, so that, as this rule intends, they may have a dissuasive character.

6. Sixthly, it is stated that there is a breach of the principle of legitimate expectations in administrative action, which is based on the fact that, as a result of the complaint referred to in the first factual antecedent of the initiation agreement, the AEPD forwarded it on November 29, 2018 to the Data Protection Delegate, and that on February 7, 2019, it agreed to the inadmissibility for processing of the claim presented, a fact that generated in CPC the legitimate confidence that it was acting in accordance with the law; months later came preliminary investigation actions, allegedly based on the Claim, resulting in the Initiation Agreement. In this regard, as stated in the first factual background, the claim presented constitutes a fact that gives rise to the investigation action of the inspection, not on the specific fact denounced, but on the way in which said entity carries out the profiling treatment in its treatments based on consent. The inadmissibility decision itself reveals that the AEPD can carry out other actions with respect to the treatments that are the object of the complaint.
Thus, it is stated in said resolution that “This without prejudice to the fact that the Agency, applying the investigative and corrective powers that it holds, can carry out subsequent actions related to the data processing referred to in the claim.” On the other hand, CPC forgets that the decision of inadmissibility can be appealed by the claimant, as happened in the present case, and the appeal be upheld. To this it should be added that at no time did this Agency state that the treatments carried out by CPC were in accordance with the provisions of the data protection regulations, limiting itself to initially accepting the allegation that it was a specific error, notwithstanding that the Director of the AEPD, in view of the claim, ordered an investigation into the way in which CPC carried out profiling treatments when their legitimizing basis is consent.

7. The last of the allegations refers to an alleged artificial extension of the previous actions, stating that “The previous investigative actions agreed by the AEPD supplanted the instructional activity, having been prolonged to near expiration.” And that “The Initiation Agreement rests, practically in its entirety, on incriminating elements collected during the previous actions.” As stated in the judgment of the Supreme Court of May 6, 2015 brought up by CPC: “Article 69.2 prescribes, in regulating the procedures initiated ex officio, that “prior to the initiation agreement, the competent body may open a period of prior information in order to know the circumstances of the specific case and whether or not to initiate the procedure.” The meager regulation of said period highlights that the legal purpose is limited to framing an administrative verification activity without setting a specific duration and without regulating or limiting the actions that the Administration may carry out in said period.
Strictly speaking, the only meaning of declaring open a period of prior information is to legally frame an administrative action that in any case could be carried out by the Administration under its powers of control or supervision in the field in question. That is, the Administration can initiate procedures of a very diverse nature ex officio, including those destined to verify the fulfillment of requirements -as in the present case- or sanctioning ones, and prior to the initiation of one of such files it can carry out verifications whose scope will depend on the existing material regulation in this field, that is, on the obligations to which the individual is subject and the specific powers of control attributed to the Administration in this matter, in order to check whether there are indications that may lead to the convenience of initiating a formal file of non-compliance, sanctioning, or of another nature. Well, if said initial checking activity is possible under the protection of the powers of inspection or control held by the Administration in various material areas, all the more will it be able to do so if it formally opens a period of prior information whose only meaning would be, as has been indicated before, to frame said verification action within an explicit legal framework.” It should be noted here that although article 69.2 of Law 39/2015, referred to in the judgment, does not set a specific term for such actions, article 67.2 of the LOPDGDD does, setting it at 12 months from the date of the agreement that decides its initiation; it is of no consequence that the Administration makes use of all the time available to carry out such actions as long as it does not exceed that term, which would entail the expiration of the investigation actions.
Regarding the claim that the previous investigative actions supplanted the instructional activity, CPC does not explain which specific step carried out within the framework of the preliminary investigation actions is actually a step that should have been carried out within the sanctioning procedure, nor which specific step or steps of the sanctioning procedure have been supplanted by the previous actions, nor which steps of the procedure have been avoided due to the previous actions carried out. On the contrary, perfectly justified preliminary investigative actions were carried out, in order to achieve a better determination of the facts and circumstances (article 67 LOPDGDD), during which the information necessary for the determination of the facts was collected, without any of the steps of the sanctioning procedure being carried out in their course; that procedure began on the basis of the evidence obtained and with the sole purpose of applying the established regulatory provisions.
During the investigation phase, an information request was sent to CPC requesting a list of the personal data processing carried out in the development of its commercial activity that involves profiling, providing the following information regarding each treatment: definition of the logic applied to profiling and the expected consequences of such processing for the interested party; description of the purpose of the treatment and the basis of legitimacy on which it rests; procedure followed to comply with the duty of information to the interested parties; means used to collect consent in the event that the treatment activity is covered by article 6.1.a of the RGPD; categories of interested parties and personal data subject to treatment; origin of the personal data subject to treatment; where appropriate, list of processors who participate in the treatment activity and copy of the contracts that govern the assignment; description of the technical and organizational security measures applied by virtue of article 32 of the GDPR to the profiling activity; where appropriate, a copy of the personal data protection impact assessment; and the number of data subjects whose personal data have been treated in the development of the profiling activity by category (customer, potential client) and year (2018 and 2019). It cannot be said, in view of the foregoing, that in this case the previous actions were not necessary or were not carried out to gather data and evidence on the facts committed and those responsible.

III

The actions outlined in the antecedents of this resolution have as their object to analyze the procedure for obtaining consent in the profiling treatments carried out by CaixaBank Payments & Consumer, E.F.C., E.P., S.A (CPC) when that consent constitutes the legal basis that legitimizes said treatments.
Consequently, the conclusions that could be derived from the present proceeding will not imply any pronouncement on other aspects related to said treatment, such as the intervention of processors, the adequacy of the impact assessments provided to the provisions of the RGPD or the security measures established regarding said treatment, nor on other profiling treatments whose legal basis, according to CPC, is to comply with regulatory requirements.

IV

Article 4.4 of the RGPD defines “profiling” as “any form of automated processing of personal data consisting of using personal data to evaluate certain personal aspects of a natural person, in particular to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behavior, location or movements of said natural person”. Like all data processing, it must comply with the principles established in Article 5 of the RGPD. Said article provides that “1. The personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party (“lawfulness, loyalty and transparency”);”. In accordance with the provisions of letter a) of said precept, personal data must be treated in a lawful manner.
Account is taken in this regard of what is expressed in recital 40 of the RGPD, according to which: “For the treatment to be lawful, the personal data must be processed with the consent of the interested party or on any other legitimate basis established in accordance with Law, either in the present Regulation or by virtue of another law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the controller or the need to perform a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract.” Account is also taken of the provisions of the Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted by the Article 29 Working Group on Data Protection on 3 October 2017, last revised and adopted on February 6, 2018 and approved by the European Data Protection Committee at its first plenary session, which, in referring to consent as the legal basis for the treatment, recall that “Profiling can be opaque and is often based on data derived or inferred from other data, rather than on information provided directly by the interested party. Those responsible for the treatment who intend to rely on consent as the basis for profiling should demonstrate that the interested parties understand exactly what they are consenting to, and they should remember that consent is not always an adequate basis for treatment. In all cases, the interested parties must have sufficient information on the use and the intended consequences of the treatment to ensure that any consent they give constitutes an informed choice.”
Number 11 of article 4 of the RGPD defines consent as “Any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data concerning them”. For their part, articles 6 and 7 of the RGPD refer, respectively, to the “Legality of the treatment” and the “Conditions for consent”: Article 6 of the RGPD. “1. The treatment will only be lawful if at least one of the following conditions is met: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract to which the interested party is a party or for the application at their request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that said interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions. 2.
Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to the treatment in compliance with section 1, letters c) and e), setting out more precisely specific treatment requirements and other measures that ensure a lawful and equitable treatment, including other specific situations of treatment according to chapter IX. 3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the controller. The purpose of the treatment must be determined in said legal basis or, as regards the treatment referred to in paragraph 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person in charge of the treatment. Said legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the person in charge; the types of data being processed; the interested parties affected; the entities to which personal data may be communicated and the purposes of such communication; the limitation of the purpose; the terms of conservation of the data, as well as the treatment operations and procedures, including measures to guarantee a lawful and equitable treatment, such as those related to other specific treatment situations in accordance with Chapter IX. Union law or the law of the Member States will meet a public interest objective and will be proportional to the legitimate end pursued. 4.
When the treatment for a purpose other than that for which the personal data were collected is not based on the consent of the interested party or on the Law of the Union or of the Member States that constitutes a necessary and proportional measure in a democratic society to safeguard the objectives stated in article 23, paragraph 1, the data controller, in order to determine if the treatment for another purpose is compatible with the purpose for which the personal data were initially collected, will take into account, among other things: a) any relationship between the purposes for which the personal data was collected and the purposes of the planned further processing; b) the context in which the personal data was collected, in particular as regards the relationship between the interested parties and the person responsible for the treatment; c) the nature of the personal data, specifically when special categories of personal data are processed, in accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymisation”. Article 7 of the RGPD. “1. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that the interested party consented to the processing of their personal data. 2. If the consent of the interested party is given in the context of a written statement that also refers to other matters, the request for consent will be presented in such a way that it is clearly distinguishable from the other matters, in an intelligible and easily accessible form and using clear and simple language. No part of the declaration that constitutes an infringement of this Regulation will be binding. 3. The interested party will have the right to withdraw their consent at any time.
The withdrawal of consent will not affect the lawfulness of the processing based on consent prior to its withdrawal. Before giving consent, the data subject will be informed of this. It will be as easy to withdraw consent as it is to give it.
4. When evaluating whether consent has been freely given, the greatest possible account will be taken of whether, among other things, the performance of a contract, including the provision of a service, is made subject to consent to the processing of personal data that are not necessary for the performance of that contract”.
Account is taken of what is expressed in recitals 32, 40 to 44 and 47 of the GDPR in relation to the provisions of articles 6 and 7 above. From what is expressed in these recitals, the following should be noted:
(32) Consent must be given by a clear affirmative act that reflects a free, specific, informed and unequivocal indication of the data subject's will to accept the processing of personal data concerning him or her, such as a written statement, including by electronic means, or an oral statement. This could include checking a box on a website, choosing technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that the data subject accepts the proposed processing of his or her personal data. Therefore, silence, pre-ticked boxes or inaction should not constitute consent. Consent must be given for all processing activities carried out for the same purpose or purposes. When the processing has several purposes, consent must be given for all of them. If the consent of the data subject has to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided. 
(42) Where processing is carried out with the consent of the data subject, the controller must be able to demonstrate that the data subject has given consent to the processing operation. In particular, in the context of a written statement made on another matter, there must be safeguards ensuring that the data subject is aware of the fact that he or she gives consent and of the extent to which he or she does so. In accordance with Council Directive 93/13/EEC, a model declaration of consent previously prepared by the controller should be provided in an intelligible and easily accessible form, using clear and simple language, and should not contain unfair terms. For consent to be informed, the data subject must know at least the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be considered freely given when the data subject does not have a genuine or free choice or cannot refuse or withdraw consent without suffering any harm.
(43) (…) It is presumed that consent has not been freely given when it does not allow separate authorization of the different personal data processing operations despite this being appropriate in the specific case, or when the performance of a contract, including the provision of a service, is dependent on consent, even when this is not necessary for such performance.
Account must also be taken of what is established in article 6 of the LOPDGDD:
"Article 6. Processing based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected party is understood to be any free, specific, informed and unequivocal manifestation of will by which he or she accepts, either through a declaration or a clear affirmative action, the processing of personal data concerning him or her.
2. 
When it is intended to base the processing of the data on the consent of the affected party for a plurality of purposes, it will be necessary to record in a specific and unequivocal manner that the consent is granted for all of them.
3. The performance of the contract may not be made subject to the affected party consenting to the processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship”.
Account is also taken of what the European Data Protection Board states in the document “Guidelines 05/2020 on consent under Regulation 2016/679”, approved on May 4, 2020, which updates the Guidelines on consent under Regulation 2016/679 adopted by the Article 29 Working Party and approved by the European Data Protection Board at its first plenary meeting. From what is stated in that document, it is of interest here to highlight some of the criteria relating to the validity of consent, specifically on the "specific" and "informed" elements:
“3.2. Specific manifestation of will
“Article 6, paragraph 1, letter a), confirms that the consent of the data subject to the processing of his or her data must be given "for one or more specific purposes" and that the data subject can choose with respect to each of those purposes. The requirement that consent must be "specific" is intended to ensure a level of control and transparency for the data subject. This requirement has not been modified by the GDPR and remains closely linked to the requirement of "informed" consent. At the same time, it must be interpreted in line with the requirement of "dissociation" to obtain "free" consent. In short, to meet the "specific" requirement the controller must apply:
i. the specification of the purpose as a guarantee against deviation of use,
ii. dissociation in consent requests, and
iii. 
a clear separation between the information related to obtaining consent for data processing activities and the information relating to other matters.
Ad. i): In accordance with article 5, section 1, letter b), of the GDPR, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the planned processing activity. The need for specific consent, in combination with the notion of purpose limitation contained in article 5, paragraph 1, letter b), functions as a guarantee against the gradual expansion or blurring of the purposes for which data are processed once a data subject has given authorization to the initial data collection. This phenomenon, also known as deviation of use, poses a risk to data subjects, as it may lead to unforeseen use of personal data by the controller or third parties and to loss of control by the data subject.
If the controller relies on article 6, paragraph 1, letter a), data subjects must always give their consent for a specific purpose of the data processing. In line with the concept of purpose limitation, with article 5, paragraph 1, letter b), and with recital 32, consent can cover different operations, provided that these operations serve the same purpose. Needless to say, specific consent can only be obtained when data subjects are expressly informed about the purposes envisaged for the use of the data concerning them.
Without prejudice to the provisions on the compatibility of purposes, consent must be specific to each purpose. Data subjects will give their consent on the understanding that they have control over their data and that the data will only be processed for those specific purposes. 
If a controller processes data on the basis of consent and, in addition, wishes to process the data for another purpose, it must obtain consent for that other purpose, unless there is another legal basis that better reflects the situation. (…)
Ad. ii) Consent mechanisms should not only be separated in order to comply with the requirement of "free" consent, but must also comply with that of "specific" consent. This means that a controller seeking consent for several different purposes should make it possible to opt in for each purpose, so that users can give specific consent for specific purposes.
Ad. iii) Finally, controllers must provide, with each separate consent request, specific information about the data to be processed for each purpose, so that data subjects know the repercussions of the different options they have. In this way, data subjects are able to give specific consent. This issue overlaps with the requirement that controllers provide clear information, as previously stated in section 3.3”.
3.3 Informed manifestation of will.
“The GDPR reinforces the requirement that consent must be informed. In accordance with article 5 of the GDPR, the requirement of transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects before obtaining their consent is essential for them to make informed decisions, understand what they are authorizing and, for example, exercise their right to withdraw their consent. If the controller does not provide accessible information, user control will be illusory and consent will not constitute a valid basis for data processing.
If the requirements for informed consent are not met, the consent will not be valid and the controller may be in breach of article 6 of the GDPR. 
3.3.1 Minimum content requirements for consent to be "informed"
For consent to be informed, the data subject must be informed of certain elements that are crucial to being able to choose. Therefore, the EDPB is of the opinion that at least the following information is required to obtain valid consent:
i. the identity of the data controller,
ii. the purpose of each of the processing operations for which consent is requested,
iii. what (type of) data is to be collected and used,
iv. the existence of the right to withdraw consent,
v. information on the use of data for automated decisions in accordance with Article 22 (2) (c), where relevant, and
vi. information on the possible risks of data transfer due to the absence of an adequacy decision and of adequate guarantees, as described in article 46."
1. In the present case, CPC requests consent, in the various channels of prescribers and agents, for study and profiling purposes. Consent is requested in the following terms: "I authorize the CaixaBank Group to use my data for study and profiling purposes”.
Regarding the information on the purposes of that processing, the documentation provided is that contained in the screenshots sent and in the document provided as annex 12, called "GENERAL CONDITIONS OF THE APPLICATION-CONTRACT OF CREDIT”, whose content on this point has already been transcribed in the proven facts of the present resolution of the sanctioning procedure and which, as stated, is given to the data subject in the context of contracting a product.
As expressed in that document, the detail of the uses of the data that will be carried out in accordance with the authorizations given is the following:
(i) “Detail of the analysis, study and monitoring treatments for the offer and design of products and services tailored to the customer profile. 
By granting your consent to the purposes detailed here, you authorize us to:
a) Proactively carry out risk analysis and apply statistical and customer segmentation techniques to your data, with a triple purpose: 1) Study products or services that can be adjusted to your profile and specific commercial or credit situation, all this to make commercial offers tailored to your needs and preferences, 2) Track the products and services contracted, 3) Adjust recovery measures on defaults and incidents derived from the products and services contracted.
b) Associate your data with those of other clients or companies with which you have any type of bond, whether family or social, or through a relationship of ownership or administration, in order to analyze possible economic interdependencies in the study of service offers, risk requests and product contracting.
c) Carry out studies and automatic controls of fraud, defaults and incidents derived from the products and services contracted.
d) Carry out satisfaction surveys by telephone or electronically with the objective of evaluating the services received.
e) Design new products or services, or improve the design and usability of existing ones, as well as define or improve the experiences of users in their relationship with CaixaBank Payments & Consumer and the companies of the CaixaBank Group."
In the opinion of this Agency, the information contained in the document GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, transcribed above, does not provide the data subject with enough information to know the scope of the profiling carried out. 
In this regard, it should be recalled that the Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679, when analyzing the relevant legal bases for profiling, state the following regarding the provisions of Article 6, paragraph 1, letter a) - Consent:
"Controllers that intend to rely on consent as the basis for profiling should demonstrate that data subjects understand exactly what they are consenting to, and should remember that consent is not always a suitable basis for processing. In all cases, data subjects should have sufficient information on the intended use and consequences of the processing to ensure that any consent they give constitutes an informed choice."
The same document, when referring to the rights of data subjects, first mentions:
"1. Articles 13 and 14 - Right to be informed
Taking into account the basic principle of transparency that underpins the GDPR, controllers must ensure that they explain to people, in a clear and simple manner, how profiling or automated decisions work."
However, in the present case, the data subject is given only generic information on the different profiling treatments. The first of them refers to the “study of products or services that can be adjusted to your profile and specific commercial situation, to make commercial offers adjusted to your needs and preferences”. With this information the data subject cannot know exactly what the processing being consented to consists of. It cannot be deduced from such information that the products to be offered are exclusively those of CPC, as that entity alleges, so it could include offers from other entities of the group or other types of products or services not related to the activity of that entity. 
Nor does it follow from such information that the offer of products and services may even include the assignment of “pre-granted” credit limits, as stated in the information provided by CPC to the AEPD in response to the information request made by the Inspection. Nor, as analyzed later on, is the data subject adequately informed of the data that will be used to carry out the profiling. With the information provided, the data subject cannot know the scope of the processing being consented to, nor the level of detail of the profile to be drawn up, nor its exhaustiveness.
The same gaps in the information provided to the data subject are observed in the other profiling treatments listed in the information transcribed above from that document.
CPC alleges that the CaixaBank Group has proactively verified this understanding through studies that have involved clients; however, it does not prove it.
Secondly, as regards the mechanism for giving consent, there is no provision for the data subject to express a choice on all the purposes for which the data are processed. Section (i) speaks of treatments for "The offer and design of products and services adjusted to the client's profile", when this in itself already comprises three different purposes: 1) Study products or services that can be adjusted to your profile and specific commercial or credit situation, all this to make you commercial offers adjusted to your needs and preferences, 2) Track the products and services contracted, 3) Adjust recovery measures on defaults and incidents derived from the contracted products and services. 
To these are added other purposes such as “analyzing possible economic interdependencies in risk requests and product contracting”, “assess the services received" or "design new products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank Payments & Consumer and the companies of the CaixaBank Group”.
The enumeration of the processing operations that the aforementioned entity carries out actually amounts to an extension of the purposes, which in some cases are not even identified, so the consent given cannot be considered specific, as the consent requests have not been sufficiently dissociated.
CPC alleges that this confusion is due to a slight error in the information clause, which lists processing operations that are not carried out on the basis of the consent obtained for profiling; it points out that this issue, after being detected, has been corrected by the CaixaBank Group and, therefore, also by CPC, by drawing up a new Privacy Policy that correctly and precisely details the processing carried out for analysis and study for commercial purposes.
However, this privacy policy, regardless of whether or not it complies with the data protection regulations, on which this Agency does not pronounce in this procedure, has been in force since January 18, 2021 without any of the other documents informing the data subject having been modified, as CPC states in its response to this Agency's request for information during the evidence period, in particular the GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, referred to above, which constitute the mechanism for providing information to data subjects.
2. 
In the various documents in which consent is requested, it is requested for “the CaixaBank group”, which constitutes a communication of data to the group companies, a communication that is a specific purpose in itself and requires a manifestation of the will of the data subject agreeing that it can be carried out.
CPC alleges that no communication of data occurs, since there is a joint controllership regime between the companies of the CaixaBank Group, as there is an agreement to jointly determine the objectives and means of the processing that is the object of this procedure, as provided in article 26 of the GDPR. It also alleges that such joint controllership is due to regulatory needs. In this regard, it cites article 29.1 of Law 2/2011, of March 4, on Sustainable Economy, and article 14 of Law 16/2011, of June 24, on consumer credit agreements.
In this regard, it should be recalled that Guidelines 7/2020 on the concepts of controller and processor in the GDPR, adopted on July 7, 2021, state that Article 26 of the GDPR, which reflects the definition in Article 4.7 of the GDPR, provides that “When two or more controllers jointly determine the objectives and means of processing, they will be joint controllers”. Generally speaking, joint controllership exists with respect to a specific processing activity when different parties jointly determine the purpose and means of that processing activity. Therefore, assessing the existence of joint controllers requires examining whether the determination of the purposes and means that characterizes a controller is decided by more than one party. "Jointly" must be interpreted in the sense of "together with" or "not alone", in different ways and combinations, as explained below.
The assessment of joint controllership should be carried out on the basis of a factual, rather than formal, analysis of the real influence on the purposes and means of the processing. 
All existing or planned arrangements must be verified taking into account the factual circumstances relating to the relationship between the parties. A merely formal criterion would not be sufficient for at least two reasons: in some cases, the formal appointment of a joint controller, for example as provided by law or in a contract, would be absent; in other cases, the formal appointment may not reflect the reality of the arrangements, by formally entrusting the role of controller to an entity that is not really in a position to "determine" the purposes and means of the processing.
Not all processing in which several entities participate gives rise to joint controllership. The general criterion for joint controllership is the joint participation of two or more entities in determining the purposes and means of a processing operation. More specifically, joint controllership should include the determination of the objectives, on the one hand, and the determination of the means, on the other. If each of these elements is determined by all the entities concerned, they should be considered joint controllers of the processing in question."
In the present case, the joint controllership agreement provided lacks a date and signature and, consequently, any validity. In this regard, the agreement itself, in its number 6 regarding its duration, indicates that “This Agreement shall enter into force on the date of its signature”.
In this regard, the aforementioned Guidelines 7/2020 indicate that “The GDPR does not specify the legal form of the agreement between joint controllers. For the sake of legal certainty, and in order to guarantee transparency and accountability, the European Data Protection Board recommends that the agreement take the form of a binding document, such as a contract or other legal act that is binding under the EU or Member State law to which the controllers are subject."
It should also be added that the failure to sign the agreement cannot be excused by the supposed wait for the Agency to make a pronouncement on the measures to be adopted in another sanctioning procedure against another entity (CaixaBank), in case the agreement had to be modified, as pointed out in the allegations to the initiation agreement, or, as now pointed out in the allegations to the proposed resolution, by making the signature dependent on the resolution in the courts of that same sanctioning procedure against CaixaBank.
Nor has any factual element been provided that would allow it to be considered that all the group companies jointly determine the purposes and means of the specific processing to which this procedure refers, that is, the profiling operations for offering CPC customers certain products that are part of its commercial activity, as indicated by that entity in the information provided.
Nor can it be accepted that such joint controllership is due to regulatory reasons. Article 29.1 of Law 2/2011, of March 4, on Sustainable Economy, provides that "Credit institutions, before the credit or loan agreement is signed, must evaluate the solvency of the potential borrower on the basis of sufficient information. For this purpose, that information may include the information provided by the applicant, as well as the result of consulting automated data files, in accordance with current legislation, especially in matters of personal data protection."
Article 14 of Law 16/2011, of June 24, on consumer credit agreements, establishes that “1. The lender, before the credit agreement is executed, must evaluate the solvency of the consumer on the basis of sufficient information obtained by suitable means for this purpose, including the information provided by the consumer at the request of the lender or of the intermediary in granting credit. 
For the same purpose, it may consult the asset solvency and credit files referred to in article 29 of Organic Law 15/1999, of December 13, on the Protection of Personal Data, under the terms and with the requirements and guarantees provided in that Organic Law and its implementing regulations. In the case of credit institutions, the evaluation of the consumer's solvency will also take into account the specific rules on risk management and internal control that are applicable to them under their specific legislation."
From the literal wording of both provisions it is evident that such obligations refer to the moment at which a credit or loan agreement is entered into, not to the activity by which an entity offers such credits or loans to its clients, products that they, moreover, have not requested. Much less can it be accepted that such regulatory obligations justify a communication of data to all group companies from the moment the data subject consents to such profiling, regardless of whether it is subsequently carried out or not.
On the other hand, as has already been pointed out, this Agency has not reversed the burden of proof as CPC claims; it is that entity that has alleged the existence of joint controllership in the processing, and it falls to that entity to prove it. The mere allegation of its existence and the presentation of a document lacking validity are not enough to prove that joint controllership exists. This Agency has sufficiently explained in the previous paragraphs the reasons why it considers that there is no joint controllership, so it is not a mere unsubstantiated contrary opinion.
3. Among the crucial elements for consent to be valid, the aforementioned Guidelines on consent under Regulation 2016/679 refer to informing the data subject about what types of data are to be collected and used. 
In the information that CPC has provided to this Agency, specifically in the GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, it is indicated that the personal data being processed are the following:
"The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the commercial offer of products and services will be:
a) All those provided in the establishment or maintenance of commercial or business relationships.
b) All those generated in the contracting and operations of products and services with CaixaBank Payments & Consumer, with the CaixaBank Group companies or with third parties, such as account or card movements, details of direct-debited receipts, direct-debited payrolls, claims derived from insurance policies, claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the CaixaBank Group obtain from the provision of services to third parties, when the recipient of the service is the Holder, such as the management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder, as recorded in its records or in those of the entities that, according to the securities market regulations, must keep records of securities represented by means of book entries.
e) Those obtained from the social networks that the Owner authorizes to consult.
f) Those obtained from third parties as a result of requests for aggregation of data requested by the Owner.
g) Those obtained from the Owner's browsing of the website service of CaixaBank Payments & Consumer and other websites of this and/or of the CaixaBank Group companies, or of the mobile phone application of CaixaBank Payments & Consumer and/or of the companies of the CaixaBank Group, in which the Owner operates duly identified. These data may include information regarding geolocation. 
h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties.
The Owner's data may be complemented and enriched by data obtained from companies that supply commercial information, by data obtained from public sources, as well as by statistical and socioeconomic data (hereinafter, "Additional Information"), always verifying that they comply with the requirements established in the current regulations on data protection."
From this information it follows that the data subject cannot know the data that will be processed for profiling: the information provided includes data that, according to the information provided about the data to be used for profiling and their origin, will not be subject to such processing, and yet the data subject is not informed of the processing of other data that will be subject to it, such as the consultation of solvency files and of the Risk Information Center of the Bank of Spain, or the so-called risk score.
CPC's claims that it adequately complies with the duty to inform data subjects in relation to the data processed for profiling cannot be accepted. CPC notes, firstly, that the categories of data processed are not among the minimum information described in Article 13 of the GDPR for consent to be informed.
In this regard, what the European Data Protection Board states in the document “Guidelines 05/2020 on consent under Regulation 2016/679”, to which reference has previously been made, must be reiterated here; in particular, it is only possible to reproduce again what was indicated in point Ad. iii), according to which “Finally, controllers must provide, with each separate consent request, specific information about the data that will be processed for each purpose, so that data subjects know the repercussions of the different options they have. 
In this way, data subjects are able to give specific consent. This issue overlaps with the requirement that controllers provide clear information, as previously stated in section 3.3”.
The aforementioned point 3.3, which is also transcribed above, points out that “the requirement of transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing and, for example, exercise their right to withdraw their consent”; point 3.1.1. lists the minimum content requirements for consent to be "informed", one of them being the one relating to “what (type of) data is going to be collected and used”.
Nor can the allegation be accepted that the information provided allows data subjects to know the data that will be processed for profiling, on the ground that the fragment transcribed by the AEPD corresponds to point 26.4.(ii) of the general conditions but the rest of the conditions have not been taken into account.
CPC indicates that section 26.3 of the general conditions (which precedes the point 26.4.ii transcribed in the Initiation Agreement) specifies in greater detail what data will be processed for the establishment or maintenance of commercial relationships. CPC points out that point 26.3 states that “CaixaBank Payments & Consumer and, where applicable, the CaixaBank Group companies are bound by different regulations and agreements to carry out certain processing of the data of the persons with whom they maintain Commercial Relations, as indicated in the following sections of this clause (hereinafter, “Treatments with Regulatory Purposes”). 
These treatments are necessary for the establishment and maintenance of Commercial Relations with CaixaBank Payments & Consumer and/or with the CaixaBank Group companies, and the Holder's opposition to them would necessarily entail the cessation (or non-establishment, where appropriate) of these relations. In any case, Treatments with Regulatory Purposes will be limited exclusively to the stated purpose, without prejudice to other purposes or uses that the Holder authorizes according to the provisions of clause 26.4 of this document."
CPC adds that point 26.3.3 informs about the consultation of credit information files (among which are those necessary to obtain the "Risk Score", as will be explained later) and point 26.3.4 informs about the consultation of the Risk Information Center of the Bank of Spain, transcribing both of them: "26.3.3 Communication with credit information systems. The Holder is informed that CaixaBank Payments & Consumer, in the study of the establishment of Commercial Relations, may consult information in credit information systems. Likewise, in the event of non-payment of any of the obligations derived from Commercial Relations, data related to the non-payment may be communicated to these systems. 26.3.4. Communication of data to the Risk Information Center of the Bank of Spain. The Holder is informed of the right that assists CaixaBank Payments & Consumer to obtain reports from the Bank of Spain's Risk Information Center (CIR) on the risks that could be registered, in the study of the establishment of Commercial Relations. […]"
In this regard, it should be noted that the first of the fragments mentioned by CPC in its allegations, that is, point 26.3 of the general conditions, refers, as its title states, to the processing of personal data for regulatory purposes; its content also makes clear that it refers to those purposes and not to commercial purposes, for which the information is offered in point 26.4.
In the same way, points 26.3.3, relating to communication with credit information systems, and 26.3.4, referring to communication to the Risk Information Center of the Bank of Spain, are included within the general section relating to processing for regulatory purposes, without making any reference to the possibility that such data may be the object of treatment within the framework of treatments for commercial purposes based on consent.
Point 26.4 is entitled precisely "Treatment and transfer of data for commercial purposes by Caixabank and the Caixabank Group companies based on consent", and it is from that point on that the information related to such treatments is given. Thus, in point ii of the aforementioned point 26.4, it is expressly stated: "The data that will be processed for the purposes of (i) data analysis and study, and (ii) the commercial offer of products and services will be:
a) All those provided in the establishment or maintenance of commercial or business relationships.
b) All those generated in the contracting and operation of products and services with CaixaBank Payments & Consumer, with the CaixaBank Group companies or with third parties, such as account or card movements, details of direct-debit receipts, payroll direct debits, claims derived from insurance policies, claims, etc.
c) All those that CaixaBank Payments & Consumer or the CaixaBank Group companies obtain from the provision of services to third parties, when the recipient of the service is the Holder, such as the management of transfers or receipts.
d) Whether or not the Holder is a CaixaBank shareholder, as recorded in its records or in those of the entities that, according to securities market regulations, must keep records of securities represented by book entries.
e) Those obtained from the social networks that the Owner authorizes to consult.
f) Those obtained from third parties as a result of data aggregation requests made by the Owner.
g) Those obtained from the Owner's browsing of the website of CaixaBank Payments & Consumer and other websites of this and/or of the CaixaBank Group companies, or of the mobile phone application of CaixaBank Payments & Consumer and/or of the CaixaBank Group companies, in which the Owner operates duly identified. These data may include information regarding geolocation.
h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties. The Owner's data may be complemented and enriched by data obtained from companies that supply commercial information, by data obtained from public sources, as well as by statistical and socioeconomic data (hereinafter, "Additional Information"), always verifying that they comply with the requirements established in the current regulations on data protection."
Consequently, CPC's allegations cannot be accepted in any way: the interested party is not adequately informed about the data that may be processed in the framework of commercial activities based on consent. The information provided by the controller expressly lists the data that supposedly may be used for said treatment for commercial purposes based on consent, without making any reference to data as relevant as the consultation of solvency files and the treatment called risk score. As stated in article 12 of the RGPD, the information must be provided in a concise, transparent, intelligible and easily accessible way. It is inadmissible that the interested party should have to interpret the information provided in order to know what data will be processed for an operation based on consent by resorting to information related to other types of processing whose basis is not consent.
The allegations indicate that the legitimizing basis for the treatment of these two data, the consultation of solvency files and the risk score, is the consent of the interested party. CPC claims that the fact that certain treatments are carried out based on the consent of the interested party does not exclude that they must comply with the legal obligations established in the Prudential and Solvency and Responsible Lending Regulations, given that the products sold are credit accounts and loans. Therefore, even when the treatment is carried out based on the consent of the interested party, CPC must comply with the legal obligations established in those regulations; so, when making a personalized offer to an interested party, CPC must assess their repayment capacity and solvency, consulting the data contained in credit information systems.
Such allegation is not admissible: the offer of such products constitutes an exclusively commercial activity, and article 20 of the LOPDGDD, relating to credit information systems, does not enable the consultation of such systems without the consent of the interested party other than in the case provided for in letter e) of its first paragraph, according to which the data referring to a specific debtor can only be consulted when "whoever consults the system maintains a contractual relationship with the affected party that involves the payment of a pecuniary amount, or the affected party has requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation on consumer credit agreements and real estate credit agreements."
This is not a request for such services, but an offer that CPC makes of them, without the interested party having previously requested it. Consequently, the absence of consent of the interested party for access to the credit information systems makes the treatment illegitimate.
And in this sense it should be remembered that consent must be informed, so that without due information, including knowledge of the data to be processed, the consent becomes invalid.
With regard to the data called "risk score", from the information provided it seems it can be inferred that this is another data profiling operation, carried out by a processor, (…). This Agency considers that the interested party is not informed about this new profiling operation, nor about the legal basis that allows it to be carried out, nor about the data used to carry it out.
CPC alleges that the data called "Risk Score" is obtained from the analysis carried out by the supplier *** EMPRESA.3, (…), noting that when informing the interested parties of the processing of their data, there is no mention of obtaining this specific data since, even if it is obtained with the intervention of a processor, it does not differ from the simple analysis and study of data carried out both for regulatory and commercial purposes, and that its legal basis, when carried out for commercial purposes, will be the consent of the interested party, taking into account that in order to carry out the analysis and study of data for commercial purposes it will also be necessary to observe the prudential and solvency regulations. It adds that the data used to obtain the "Risk Score" are those recorded in credit information systems.
This Agency does not share this allegation either: it cannot be considered that the interested parties are duly informed when said treatment operation is integrated within the analysis and study of data carried out for commercial purposes. The so-called risk score constitutes in itself a profiling operation, carried out without informing the interested parties of the data used for said operation or of its result, which constitutes data to be used in other profiling operations carried out by the controller for commercial purposes.
Regarding the data used to carry out the profiling operation called risk score, which as indicated are those recorded in credit information systems, their treatment is not possible either without the consent of the interested party, unless the circumstances provided for in article 20.1.e of the LOPDGDD, previously mentioned, concur, which does not happen in the present case, in which they are used for profiling for commercial purposes. Consequently, said treatment is invalid insofar as it lacks a legitimate basis, the informed consent of the interested party not having been requested so that it can be carried out.
In this sense, the Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679 indicate that "Transparency of treatment is a fundamental requirement of the GDPR. The profiling process is usually invisible to the person concerned. It works by creating derived or inferred data about people ("new" personal data that have not been directly provided by the interested parties themselves). People have different levels of understanding and may find it difficult to understand the complex techniques of profiling and automated decision-making processes. According to article 12, paragraph 1, the data controller must provide the interested parties with concise, transparent, intelligible and easily accessible information about the processing of their personal data. With regard to data obtained directly from the interested party, this must be provided at the time they are obtained (article 13); regarding data obtained indirectly, the information must be provided within the deadlines established in article 14, paragraph 3."
More specifically, it must be reiterated that the aforementioned guidelines, in the point relating to the legal bases of the treatment, in particular that relating to consent, indicate that "The WG29 guidelines on consent generally address consent as the basis of treatment.
Explicit consent is one of the exceptions to the prohibition on automated decisions or profiling defined in article 22, paragraph 1. Profiling can be opaque and is often based on data derived or inferred from other data, rather than on information provided directly by the interested party. Those responsible for the treatment that intend to rely on consent as a basis for profiling should demonstrate that the interested parties understand exactly what they are consenting to, and they should remember that consent is not always a suitable basis for treatment. In all cases, the interested parties should have sufficient information on the intended use and consequences of the treatment to ensure that any consent they give constitutes an informed choice."
From all this it can be concluded that the consent given for the purposes of profiling described in the facts of this agreement is not in accordance with the provisions of article 4.7 GDPR. It is not specific, because it does not meet the requirement of separating the purposes and giving consent for each of them, nor is it duly informed. The absence of such requirements means that it is not valid, so that the treatments based on it lack legitimacy, thus contravening the provisions of article 6 of the RGPD.
Consequently, in accordance with the findings set forth, the aforementioned facts could constitute a possible violation of article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, which gives rise to the application of the corrective powers that article 58 of the RGPD grants to the Spanish Data Protection Agency.
V
In the event of an infringement of the provisions of the RGPD, among the corrective powers available to the Spanish Data Protection Agency, as supervisory authority, article 58.2 of said Regulation contemplates the following: "2. Each supervisory authority shall have all the following corrective powers listed below: (…) d) order the person in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame; (…) i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;".
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.
VI
In the present case, the breach of article 6.1 of the RGPD has been proven, with the scope expressed in the previous Fundamentals of Law, which constitutes the commission of an infraction typified in article 83.5 of the same rule, which under the heading "General conditions for the imposition of administrative fines" provides the following:
5. "Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9"
In this regard, the LOPDGDD, in its article 71, establishes that "The acts and conducts referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law, constitute offenses".
For the purposes of the limitation period, article 72 of the LOPDGDD indicates: Article 72. Violations considered very serious "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, in particular the following: (…) a) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. (…)"
In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, provisions that state: "1. Each supervisory authority will guarantee that the imposition of administrative fines pursuant to this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j).
When deciding to impose an administrative fine and its amount in each individual case, due account will be taken of:
a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the controller or processor in relation to the same issue, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the offense."
For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD provides: "1.
The penalties provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission of the offense.
e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between them and any interested party."
In this case, considering the seriousness of the violation found, the imposition of a fine is appropriate. The request made by CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U that other corrective powers be imposed, specifically the warning, cannot be accepted, taking into account the provisions of recital 148 of the RGPD, according to which "In order to reinforce the application of the rules of this Regulation, any infraction of it must be punished with sanctions, including administrative fines, in addition to adequate measures imposed by the supervisory authority by virtue of this Regulation, or in substitution of these. In case of a minor offense, or if the fine likely to be imposed would constitute a disproportionate burden for a natural person, a warning may be imposed instead of a fine.
Special attention must nevertheless be paid to the nature, severity and duration of the offense, its intentional character, the measures taken to alleviate the damages suffered, the degree of liability or any relevant prior infringement, the way in which the supervisory authority has learned of the infringement, compliance with measures ordered against the controller or processor, adherence to codes of conduct and any other aggravating or mitigating circumstance."
For the same reasons, and considering the graduation criteria of the sanctions that are indicated below, the petition for imposition of a sanction in its minimum degree is likewise rejected.
Nor is it possible to admit the allegation that, in applying the criteria for graduating the sanction, this Agency departs from administrative precedent and must justify the change of criteria according to article 35.1.c) of the LPACAP. According to CPC, PS/0070/2019 serves as an example, stating that a different application of the criteria that allow the sanction to be graduated can be seen, since, according to CPC, for similar imputed facts only two graduation criteria were taken into account, compared to those contained in the proposed resolution of this procedure. This Agency, to determine the sanction to impose in each case, takes into account the elements established in article 83 of the RGPD, as well as those established in article 76.2 of the LOPDGDD, justifying the application of each of them depending on the circumstances of each specific case.
In accordance with the transcribed precepts, in order to set the amount of the fine to be imposed in the present case on the defendant, as responsible for offenses typified in article 83.5.a) and b) of the RGPD, the fine that would correspond to the imputed infraction should be graduated as follows:
Infringement for breach of the provisions of article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD:
It is considered that the following factors concur as aggravating factors that reveal greater unlawfulness and/or culpability in the conduct of the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.:
- The nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operations in question; the offense results from the procedure designed by said entity for collecting consent to carry out profiling of its clients for commercial purposes, which involves a significant risk to the rights of the data subjects, taking into account the particularly intrusive nature of such data processing.
This entity alleges that "We are not facing a case in which CPC has radically dispensed with the obligations related to obtaining consents, without prejudice to the fact that the AEPD considers that it would be necessary to correct certain issues, which could lead to improvements in the way in which the consents are collected."
It also alleges that the Agency does not explain what this significant risk and the intrusive nature of the treatment consist of, which leads it to wonder, if sending commercial communications to customers is particularly intrusive, which processing of personal data would not be especially intrusive.
This Agency considers that it is an infringement that affects the procedure through which consent is obtained and which affects in particular two essential elements of it, namely that consent be specific and informed. It is therefore not a question of mere improvements in the procedure, but rather that the failure to comply with these two requirements renders the consent invalid. Nor is it a mere sending of commercial communications, but the carrying out of profiling treatments.
- The intentionality or negligence appreciated in the commission of the offense; the defects indicated in the procedure by which the consent of its clients is obtained, given how evident they are, should have been noticed and avoided when designing said procedure by an entity with the characteristics of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
- The high link between the activity of the offender and the performance of processing of personal data. The operations that constitute the business activity carried out by CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U., as an entity dedicated to the commercialization of credit or debit cards, credit accounts and loans, involve personal data processing operations.
This entity affirms that in no case is its main activity the treatment of its customers' personal data beyond what is necessary for the development of that main activity, nor does it benefit financially from the processing of its clients' personal data. In this regard, it should be taken into account that its commercial activities include sending its clients commercial communications from third-party entities with which it has commercial agreements.
It also states that the AEPD departs from the intention of the legislator, which is to treat as aggravating the fact that the processing of personal data is the main business activity, not an instrument; hence the reference to "high linkage", since otherwise it would be concluded that the mere fact of processing personal data would always be an aggravating factor. If the legislator had intended that, it would have said so and would not have specified that such a link should be "high".
This Agency does not share such an interpretation. Article 76.2.b of the LOPDGDD establishes as a criterion for graduation of the offense "the linkage of the activity of the offender with the performance of personal data processing". Said precept does not make any reference to its being high, as stated by CPC, but rather to the fact that such a link exists, an element that this Agency has valued as high for the reasons stated.
- The status of the responsible entity as a large company and its volume of business. The entity's volume of business, according to the information obtained, was €872,976,000 during the year 2019. For information purposes it should also be noted that the turnover of the CaixaBank Group as of December 31, 2020 is estimated at twelve thousand one hundred seventy-two million euros.
This Agency does not share the allegation that both CPC's turnover figure and that of the CaixaBank Group, in which the former would already be included, have been used to determine the fine. The CaixaBank Group's turnover is mentioned for informational purposes, to highlight that the fine is proportional and dissuasive, as required by article 83.1 of the RGPD.
- High volume of data and treatments that constitutes the object of the proceedings.
It deals with a large volume of data of the following typologies: identifying, financial, sociodemographic and socioeconomic data, which allow an exhaustive profile of the interested parties to be drawn up.
- High number of interested parties. The number of interested parties (clients) whose data were treated in the profiling activity associated with the Proactive Scoring activity for commercial purposes amounts to (…).
CPC requests that account be taken of the effort made during recent years, especially since the entry into application of the RGPD, to provide its clients with relevant information about the processing of their data adequately, and of the implementation of a series of measures aimed at improving the collection of consents. It also alleges that CPC has been proactive and diligent in responding to any requirements of the Agency.
In the opinion of this Agency, providing information to its clients is an obligation that derives from the RGPD and that must be fulfilled in the manner the RGPD requires; therefore, the fact of providing information to its clients regarding the treatment that is the object of this procedure, information which this Agency considers precisely not to be adequate, cannot be considered a mitigating factor. Regarding the measures adopted, these focus on modifying the privacy policy on its website; however, the information provided to the client when obtaining consent is found in the document called GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, a document that has not been modified, as CPC itself recognizes in its response to the request made during the evidence period, so it cannot be considered that sufficient measures have been taken to remedy the infringement or mitigate its possible adverse effects. On the contrary, different information is provided in said document and in the privacy policy, so that the information provided to the interested party is not uniform.
On the other hand, meeting the information requirements of the Administration does not constitute a mitigating factor contemplated in the data protection regulations.
Considering the factors set out, the amount of the fine for the offense charged is 3,000,000 euros.
VII
In accordance with the provisions of article 58.2.d) of the RGPD, each supervisory authority may "order the person in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period…".
In this case, considering the circumstances expressed in relation to the breaches found, it is necessary to require CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. to adapt to the personal data protection regulations, within the period indicated in the operative part, the procedures by which consent is obtained to create profiles for commercial purposes, with the scope and in the sense expressed in the Fundamentals of Law of this act.
It is noted that not meeting the requirements of this body may be considered a serious administrative offense for "not cooperating with the supervisory authority" in the face of the requirements made, and such conduct may be assessed when opening an administrative sanctioning procedure with a pecuniary fine.
Therefore, in accordance with the applicable legislation and having assessed the graduation criteria for sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: Impose on the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U., with NIF A08980153, for an infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, and classified as very serious for the purposes of prescription in Article 73 of the LOPDGDD, a fine of 3,000,000 euros (three million euros).
SECOND: Require the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U to adopt, within 6 months, the necessary measures to adapt to the personal data protection regulations the procedures through which it collects its clients' consent to create profiles for commercial purposes, with the scope expressed in Law Foundation VII. Within the term indicated, CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U must justify before this Spanish Data Protection Agency compliance with this request.
THIRD: NOTIFY this resolution to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
FOURTH: Warn the sanctioned party that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document. Otherwise, it will be collected in the executive period.
Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the immediately subsequent business day, and if it falls between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following month or the immediately subsequent business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day after the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of that Law.
Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the resolution, which is final in administrative proceedings, may be provisionally suspended if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. It must also send the Agency the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, it would terminate the precautionary suspension.
938-131120
Mar España Martí
Director of the Spanish Agency for Data Protection