AEPD (Spain) - EXP202313713
AEPD - EXP202313713 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.01.2024 |
Decided: | |
Published: | 23.05.2024 |
Fine: | 56,000 EUR |
Parties: | IDFinance Spain, S.A.U. |
National Case Number/Name: | EXP202313713 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a controller €70,000 for failing to remove a contested debt from a data subject’s financial records. The controller acknowledged its fault and paid a reduced fine of €56,000 in accordance with national law.
English Summary
Facts
A data subject filed a complaint with the Spanish DPA (AEPD) claiming that IDFinance Spain, S.A.U. (the controller), financial technology company. The data subject alleged that the controller was unlawfully processing her data concerning an inaccurate debt in its credit information systems.
The data subject challenged the debt at issue in court in March 2023, where the case was ongoing. It had also filed a claim with the AEPD, in which the controller stated that it was deleting the data subject’s data from its credit information systems. However, in 27 August 2023, a report by ASNEF, the national association of credit financers, included the challenged data concerning the data subject which was provided by the controller.
On 29 January 2024, the AEPD initiated sanctioning proceedings against IDFinance Spain, S.A.U. (the controller), a financial technology.
In its reply brief, the controller alleged that it had deleted the data subject’s data from the ASNEF file between March and May and that it had security measures to ensure only lawful data is transmitted to information systems. Nonetheless, it acknowledged that in this case, a technical error had occurred which caused the personal data to be re-uploaded on ASNEF. Upon realising the error, the controller immediately removed the data.
Holding
The AEPD considered that the processing here was erroneous and resulted from a confidentiality shortcoming due to a technical error. As a result, there was no legal basis for the processing in violation of Article 6(1) GDPR.
Article 20(1)(b) LOPDGDD creates a presumption of legality for the processing of data concerning debts which are certain, due and payable, whose existence has not been the object of a judicial or administrative complaint. However, the AEPD found that this did not extend a legal basis in this case because the debt was the object of complaints and because the debt was not certain or enforceable given the ongoing judicial processes.
In calculating the recommended fine, the AEPD considered the linking of the controller’s activities as a financial institution with the processing of personal data an aggravating circumstance, given the risk to the data subject (including because other entities offering financial services are implicated). It rejected the controller’s arguments that it is not a credit institution and thus the aggravating circumstances of Article 76(2) LOPDGDD should not apply. The unintentional nature of the error does not exonerate the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/13 File No.: EXP202313713 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On January 29, 2024, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against IDFINANCE SPAIN, S.A.U. (hereinafter the claimed part). Notified of the initiation agreement and after analyzing the allegations presented, on April 26, 2024, the proposal for resolution transcribed below: << File No.: EXP202313713 PROPOSED RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following: BACKGROUND FIRST: On August 28, 2023, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency. The claim is directed against ID FINANCE SPAIN, S.A.U. with NIF A66487190 (in forward, the claimed part). The reasons on which the claim is based are the following: The complaining party states that the claimed entity includes its personal data in credit information systems, in relation to a debt that is contested and admitted for processing in the Court of First Instance number Barcelona, and having filed a claim with this Agency (number of file EXP202303972), in which the claimed entity indicated that it was deleting credit information systems the claimant's data. Provides admission to court proceedings, dated March 10, 2023; written on the that the deletion of their data from the information systems was communicated C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/13 credit, May 5, 2023; and ASNEF report on the inclusion of your data at the request of the claimed party, dated August 27, 2023. SECOND: On October 6, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. THIRD: According to the report collected from the AXESOR tool, the entity ID FINANCE SPAIN, S.A.U. is a large company established in 2015, whose corporate purpose is the granting of non-mortgage loans or credits to any person, with a number of employees of 146 people, and a turnover of €178,771,000 in 2022. FOURTH: On January 29, 2024, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 6 of the RGPD, typified in the Article 83.5 of the GDPR. FIFTH: The aforementioned initiation agreement has been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party presented a written of allegations in which, in summary, he stated the following: The classification of the aggravating factors provided for in the initial agreement is not applicable. consider that this aggravating circumstance should be applied because ID FINANCE is a credit institution, since it is outside the scope of application of Law 10/2014, of 26 of June, of organization, supervision and solvency of credit institutions. ID FINANCE deleted the Claimant's data from the ASNEF file in March/May 2023 and has technical and organizational security measures to ensure that only customer data is communicated to security systems credit information when they meet the legal requirements to do so. Without However, it should be considered that it is always possible for some human error to occur and even technical that affects the result of the management. In this specific case, it was a technical error that caused the new data to be added. of the Claimant in ASNEF, which were immediately deregistered by ID FINANCE after knowing the origin of the error reported by the Claimant. ID FINANCE has proceeded by taking all measures that were reasonably effective and suitable to achieve the expected result, taking into account the means at your disposal to delete the Claimant's data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/13 In any case, this is a security incident related to confidentiality of the Claimant's data caused by a technical error (misconfiguration of the button in the file of the Claimant client) and it is not about any processing of data provided in the ID FINANCE Processing Activities Register. That is, since it is erroneous data processing, there is no legal basis provided by ID FINANCE, since it was a security incident related with the confidentiality of the data, which, after carrying out the appropriate investigations, It was concluded that it was not necessary to communicate it to the AEPD due to the nature, volume of people affected, type of data and scope of the incident; nor was it deemed necessary inform the Claimant of this, since it was he himself who notified the incident. SIXTH: On March 18, 2024, the instructor of the procedure considers reproduced for evidentiary purposes the claim filed by A.A.A. and his documentation, the documents obtained and generated during the admission phase to processing of the claim, and the report of previous investigation actions that They are part of the procedure. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of initiation of the referenced sanctioning procedure, presented by IDFINANCE SPAIN, S.A.U., and the documentation that accompanies them. SEVENTH: On April 26, 2024, a copy of the file is sent to the party claimed, of all the documents in the file up to that date. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: On August 27, 2023, the personal data of the party has been included claimant in the asset solvency file at the request of the claimed party, despite because the debt is contested and admitted for processing in the First Court Instance number 4 of Barcelona, on March 10, 2023. SECOND: The claimed party affirms that it was a technical error and that the data of the complaining party have been discharged from ASNEF, at their request. FOUNDATIONS OF LAW Yo Competence In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/13 of natural persons with regard to the processing of personal data and the free circulation of these data (GDPR), and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD) is competent to initiate and resolve this procedure the Director of the Agency Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II Previous issues In the present case, the complaining party denounces the improper inclusion of its data personal in assets solvency files, since the debt is not yet certain or enforceable since it is questioned in an ongoing judicial process. The complaining party affirms that the complained entity includes its personal data in credit information systems, in relation to a debt that is contested and admitted for processing in the Court of First Instance number 4 of Barcelona, on March 10, 2023 and sends ASNEF report on the inclusion of your data at the request of the claimed party, dated August 27, 2023. The claimed party affirms that the reported events are a security incident caused by a technical error (misconfiguration of the customer file button Claimant). III Article 6.1 of the GDPR The GDPR in its article 4.11 defines the consent of the interested party as “any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by a declaration or a clear affirmative action, the processing of personal data that concerns you.” In relation to the legality of the processing of personal data, article 6.1 of the GDPR, establishes the following: "1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/13 c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; d) the processing is necessary to protect vital interests of the interested party or another Physical person; e) the processing is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that regarding said interests do not prevail over the interests or fundamental rights and freedoms of the interested party requiring the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions.” In relation to credit information systems, we must go to article 20.1 of the LOPDGDD, highlighting its section b), which establishes the following: "1. Unless proven otherwise, the processing of personal data will be presumed lawful. relating to the breach of monetary, financial or credit obligations by common credit information systems when the following are met requirements: a) That the data has been provided by the creditor or by someone acting on their own behalf or interest. b) That the data refer to certain debts, due and payable, whose existence or amount had not been the subject of an administrative or judicial claim by the debtor or through a binding alternative dispute resolution procedure between the parts. c) That the creditor has informed the affected party in the contract or at the time of require payment regarding the possibility of inclusion in said systems, with indication of those in which he participates. The entity that maintains the credit information system with data related to the breach of monetary, financial or credit obligations must notify the affected by the inclusion of such data and will inform you about the possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679 within of thirty days following notification of the debt to the system, remaining data blocked during that period. d) That the data is only kept in the system as long as the data persists. non-compliance, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation. e) That the data referring to a specific debtor can only be consulted when the person consulting the system maintained a contractual relationship with the affected person that involves the payment of a pecuniary amount or this would have requested the execution of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/13 When the right to limit processing has been exercised before the system of the data challenging its accuracy in accordance with the provisions of article 18.1.a) of the Regulation (EU) 2016/679, the system will inform those who can consult it with accordance with the previous paragraph about the mere existence of said circumstance, without provide the specific data with respect to which the right has been exercised, in both are resolved on the request of the affected party. f) That, in the event that the request to conclude the contract is denied, or it will not be held, as a consequence of the consultation carried out, whoever has “After consulting the system, inform the affected person of the result of said consultation.” For its part, article 20 of the LOPDGDD, relating to information systems credit establishes the following: "1. Unless proven otherwise, the processing of personal data will be presumed lawful. relating to the breach of monetary, financial or credit obligations by common credit information systems when the following are met requirements: a) That the data has been provided by the creditor or by someone acting on their own behalf or interest. b) That the data refer to certain debts, due and payable, whose existence or amount had not been the subject of an administrative or judicial claim by the debtor or through a binding alternative dispute resolution procedure between the parts. c) That the creditor has informed the affected party in the contract or at the time of require payment regarding the possibility of inclusion in said systems, with indication of those in which he participates. The entity that maintains the credit information system with data related to the breach of monetary, financial or credit obligations must notify the affected by the inclusion of such data and will inform you about the possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679 within of thirty days following notification of the debt to the system, remaining data blocked during that period. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/13 d) That the data is only kept in the system as long as the data persists. non-compliance, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation. e) That the data referring to a specific debtor can only be consulted when the person consulting the system maintained a contractual relationship with the affected person that involves the payment of a pecuniary amount or this would have requested the execution of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts. When the right to limit processing has been exercised before the system of the data challenging its accuracy in accordance with the provisions of article 18.1.a) of the Regulation (EU) 2016/679, the system will inform those who can consult it with accordance with the previous paragraph about the mere existence of said circumstance, without provide the specific data with respect to which the right has been exercised, in both are resolved on the request of the affected person. f) That, in the event that the request to conclude the contract is denied, or it will not be held, as a consequence of the consultation carried out, whoever has Once the system has been consulted, inform the affected person of the result of said consultation. 2. The entities that maintain the system and the creditors, regarding the treatment of the data referring to their debtors, will have the status of co-responsible for the processing of the data, the provisions established by article 26 of the Regulation (EU) 2016/679. It will be up to the creditor to guarantee that the requirements for the inclusion in the debt system, answering for its non-existence or inaccuracy. 3. The presumption referred to in section 1 of this article does not cover the cases in which the credit information was associated by the entity that maintain the system to information additional to that contemplated in said section, related to the debtor and obtained from other sources, in order to carry out outlining it, in particular through the application of techniques of credit rating.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 8/13 IV Classification of the violation of article 6.1 of the GDPR The inclusion of the personal data of the complaining party in solvency files patrimonial, despite the fact that the debt is not yet certain or enforceable because it is questioned in an ongoing judicial process, represents a violation of article 6.1 of the GDPR. However, the claimed party states that it is not a credit institution so it cannot The aggravating circumstance of article 76.2 b) of the LOPDGDD must be applied. Then the claimed party in response to the initial agreement further states that it has already given drops the claimant which implies that it has the technical and security measures necessary organizational measures, the events that concern us being the result of a technical error (the deconfiguration of the button in the file of the Claimant client), and that it is not This is no improper data processing. In this sense, it must be indicated first of all that article 76.2 b) LOPDGDD, considers as an aggravating circumstance the connection of the offender's activity with the carrying out of personal data processing, which does not bind only credit institutions, but also to the entities that provide financial services to users since their activity involves the processing of personal data, which is why said aggravating circumstance turns out to be applicable. In relation to the consideration that this is a technical error, it is not a argument that allows the claimed party to be exonerated from liability, nor grants legitimacy in the processing of personal data since this has been a illicit data processing, since the personal data of the complaining party has been improperly registered in the ASNEF solvency file, despite the fact that the debt object of registration is not true since it is being appealed judicially. For all these reasons, the reported facts represent a violation of article 6.1 of the RGPD, since the inclusion of personal data in solvency files for a debt pending judicial resolution, involves processing personal data without that it is established that the claimed party has carried out the necessary consideration that allows you to determine the prevalence of your legitimate interest over the interests, rights and freedoms of the complaining party, as this treatment is not covered by the presumption of legality contemplated in article 20 of the LOPDGDD since the debt required object of inclusion in the solvency files is not yet true or enforceable to the find themselves in an ongoing judicial process. SAW Proposed sanction for violation of article 6.1 of the GDPR Article 58.2 of the GDPR provides the following: “Each supervisory authority will have of all the following corrective powers indicated below: b) sanction any person responsible or in charge of the treatment with a warning when the processing operations have violated the provisions of this Regulation; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/13 d) order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period; i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; Likewise, article 72.1 b) of the LOPDGDD states that “depending on what established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and infringements that involve a substantial violation will prescribe after three years of the articles mentioned in that one and in particular, the following: b) The processing of personal data without any of the conditions of legality of the treatment in article 6 of Regulation (EU) 2016/679.” This violation may be punished with a fine of a maximum of €20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the of larger amounts, in accordance with article 83.5 of the RGPD. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established by article 83.2 of the RGPD: The following are aggravating factors: In the present case we are dealing with negligent action (article 83.2 b) since that the personal data of the complaining party is included in files of solvency, despite the debt being included in the procedure judicial in progress. Furthermore, it must be taken into account that the data was kept of the claimant despite having knowledge of the judicial procedure. The link with the processing of personal data, by the recamada entity, being an entity that provides financial services to its users, according to article 76.2 b) of the LOPDGDD. It is appropriate to graduate the sanction to be imposed on the accused and set it at the amount of €70,000 in accordance with article 58.2 of the GDPR. VII Adoption of measures If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/13 In this specific case, it has been indicated by the claimed party that the personal data of the complaining party are no longer in the solvency file. However, the claimed party is required to, within a period of one month since receiving the resolution of this sanctioning procedure, prove that The necessary security measures have been adopted so that events such as the one that We are concerned, that is, incorporating the personal data of your clients into data files. financial solvency for a debt that is not certain, is not possible, not even as consequence of a technical error. The imposition of this measure is compatible with the sanction consisting of a fine administrative, according to the provisions of art. 83.2 of the GDPR. It is warned that failure to comply with the possible order to adopt measures imposed by This body in the sanctioning resolution may be considered as a administrative offense in accordance with the provisions of the RGPD, classified as infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a subsequent administrative sanctioning procedure. In view of the above, the following is issued: MOTION FOR RESOLUTION That the Director of the Spanish Data Protection Agency sanction IDFINANCE SPAIN, S.A.U., with NIF A66487190, for a violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of 70,000 euros (seventy thousand euros) That the Director of the Spanish Data Protection Agency order IDFINANCE SPAIN, S.A.U., with NIF A66487190, which by virtue of article 58.2.d) of the RGPD, prove within one month of receiving the resolution of this sanctioning procedure, it is proven that the personal data of the claimant is already They do not appear in any financial solvency file at the request of the party claimed for an untrue debt, and that new security measures are being applied improvement that prevents improper registration in asset solvency files, for one technical error. Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be informs that it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a 20% reduction in the amount. With the application of this reduction, the penalty would be established at €56,000 (fifty-six thousand euros), euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The effectiveness of this reduction will be conditioned on the withdrawal or waiver of any action or resource pending administrative against the sanction. In the event that you choose to proceed with the voluntary payment of the specified amount above, in accordance with the provisions of article 85.2 cited, you must do so effective by depositing it into the restricted account IBAN number: ES00 0000 0000 0000 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/13 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, for voluntary payment, of reduction of the amount of the penalty. Likewise, you must send proof of entry to the General Subdirectorate of Inspection to proceed to close the file. In its virtue, you are notified of the above, and the procedure is made clear to you. so that within a period of TEN DAYS you can allege whatever you consider in your defense and present the documents and information that you consider pertinent, in accordance with article 89.2 of the LPACAP. 926-070623 B.B.B. INSPECTOR/INSTRUCTOR >> SECOND: On May 16, 2024, the claimed party has proceeded to pay of the penalty in the amount of 56,000 euros making use of the reduction provided in the proposed resolution transcribed above. THIRD: The payment made entails the waiver of any action or resource pending. administrative against the sanction, in relation to the facts referred to in the resolution proposal. FOURTH: In the proposed resolution transcribed above, the acts constituting an infringement, and it was proposed that, by the Director, the responsible for adopting appropriate measures to adjust its actions to the regulations, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/13 Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” In accordance with what has been stated, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure EXP202313713, of in accordance with the provisions of article 85 of the LPACAP. SECOND: ORDER to IDFINANCE SPAIN, S.A.U. so that within 1 month Since this resolution is final and enforceable, notify the Agency of the adoption of the measures described in the legal foundations of the proposed resolution transcribed in this resolution. THIRD: NOTIFY this resolution to IDFINANCE SPAIN, S.A.U.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/13 Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1331-16012024 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es