AEPD (Spain) - EXP202313713

From GDPRhub
Revision as of 10:14, 11 June 2024 by Lm (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202313713
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales
Type: Complaint
Outcome: Upheld
Started: 29.01.2024
Decided:
Published: 23.05.2024
Fine: 56,000 EUR
Parties: IDFinance Spain, S.A.U.
National Case Number/Name: EXP202313713
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a controller €70,000 for failing to remove a contested debt from a data subject’s financial records. The controller acknowledged its fault and paid a reduced fine of €56,000 in accordance with national law.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD) against IDFinance Spain, S.A.U. (the controller), a financial technology company. The data subject alleged that the controller was unlawfully processing her data concerning an inaccurate debt in its credit information systems.

The data subject challenged the debt at issue in court in March 2023, where the case was ongoing. She had also filed a claim with the AEPD, in which the controller stated that it was deleting the data subject’s data from its credit information systems. However, in 27 August 2023, a report by ASNEF, the national association of credit financiers, included the challenged data concerning the data subject which was provided by the controller.

On 29 January 2024, the AEPD initiated sanctioning proceedings against the controller.

In its reply brief, the controller alleged that it had deleted the data subject’s data from the ASNEF file between March and May and that it had security measures to ensure only lawful data is transmitted to information systems. Nonetheless, it acknowledged that in this case, a technical error had occurred which caused the personal data to be re-uploaded on ASNEF. Upon realising the error, the controller immediately removed the data.

Holding

The AEPD considered that the processing here was erroneous and resulted from a confidentiality shortcoming due to a technical error. As a result, it found no legal basis for the processing in violation of Article 6(1) GDPR and recommended a fine of €70,000.

Article 20(1)(b) LOPDGDD creates a presumption of legality for the processing of data concerning debts which are certain, due and payable, whose existence has not been the object of a judicial or administrative complaint. However, the AEPD found that this did not extend a legal basis in this case because the debt was the object of complaints and because the debt was not certain or enforceable given the ongoing judicial processes.

In calculating the recommended fine, the AEPD considered that the linking of the controller’s activities as a financial institution with the processing of personal data was an aggravating circumstance, given the risk to the data subject (including because other entities offering financial services are implicated). It rejected the controller’s arguments that it is not a credit institution and thus the aggravating circumstances of Article 76(2) LOPDGDD should not apply. It also noted that the unintentional nature of the error does not exonerate the controller.

The AEPD recommended a sanction of €70,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €56,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/13











File No.: EXP202313713

       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                    VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                  BACKGROUND


FIRST: On January 29, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against IDFINANCE SPAIN,
S.A.U. (hereinafter the claimed part). Notified of the initiation agreement and after analyzing
the allegations presented, on April 26, 2024, the proposal for

resolution transcribed below:

<<



File No.: EXP202313713


       PROPOSED RESOLUTION OF SANCTIONING PROCEDURE


From the procedure instructed by the Spanish Data Protection Agency and based
to the following:

                                  BACKGROUND


FIRST: On August 28, 2023, A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency.

The claim is directed against ID FINANCE SPAIN, S.A.U. with NIF A66487190 (in
forward, the claimed part).


The reasons on which the claim is based are the following:

The complaining party states that the claimed entity includes its personal data
in credit information systems, in relation to a debt that is

contested and admitted for processing in the Court of First Instance number
Barcelona, and having filed a claim with this Agency (number of
file EXP202303972), in which the claimed entity indicated that it was deleting
credit information systems the claimant's data.


Provides admission to court proceedings, dated March 10, 2023; written on the
that the deletion of their data from the information systems was communicated


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/13








credit, May 5, 2023; and ASNEF report on the inclusion of your data
at the request of the claimed party, dated August 27, 2023.


SECOND: On October 6, 2023, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

THIRD: According to the report collected from the AXESOR tool, the entity
ID FINANCE SPAIN, S.A.U. is a large company established in 2015, whose
corporate purpose is the granting of non-mortgage loans or credits to any

person, with a number of employees of 146 people, and a turnover of
€178,771,000 in 2022.

FOURTH: On January 29, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,

in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereinafter, LPACAP), for the alleged violation of Article 6 of the RGPD, typified in the
Article 83.5 of the GDPR.

FIFTH: The aforementioned initiation agreement has been notified in accordance with the rules established in

Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), the claimed party presented a written
of allegations in which, in summary, he stated the following:

The classification of the aggravating factors provided for in the initial agreement is not applicable.

consider that this aggravating circumstance should be applied because ID FINANCE is a
credit institution, since it is outside the scope of application of Law 10/2014, of 26
of June, of organization, supervision and solvency of credit institutions.

ID FINANCE deleted the Claimant's data from the ASNEF file in

March/May 2023 and has technical and organizational security measures to
ensure that only customer data is communicated to security systems
credit information when they meet the legal requirements to do so. Without

However, it should be considered that it is always possible for some human error to occur and
even technical that affects the result of the management.




In this specific case, it was a technical error that caused the new data to be added.
of the Claimant in ASNEF, which were immediately deregistered by ID
FINANCE after knowing the origin of the error reported by the Claimant.




ID FINANCE has proceeded by taking all measures that were reasonably
effective and suitable to achieve the expected result, taking into account the

means at your disposal to delete the Claimant's data.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/13








In any case, this is a security incident related to confidentiality
of the Claimant's data caused by a technical error (misconfiguration of the

button in the file of the Claimant client) and it is not about any processing of
data provided in the ID FINANCE Processing Activities Register.




That is, since it is erroneous data processing, there is no legal basis
provided by ID FINANCE, since it was a security incident related
with the confidentiality of the data, which, after carrying out the appropriate investigations,

It was concluded that it was not necessary to communicate it to the AEPD due to the nature,
volume of people affected, type of data and scope of the incident; nor was it deemed necessary
inform the Claimant of this, since it was he himself who notified the incident.



SIXTH: On March 18, 2024, the instructor of the procedure considers
reproduced for evidentiary purposes the claim filed by A.A.A. and his
documentation, the documents obtained and generated during the admission phase to
processing of the claim, and the report of previous investigation actions that

They are part of the procedure.

Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of
initiation of the referenced sanctioning procedure, presented by IDFINANCE
SPAIN, S.A.U., and the documentation that accompanies them.


SEVENTH: On April 26, 2024, a copy of the file is sent to the party
claimed, of all the documents in the file up to that date.

Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:


                                PROVEN FACTS

FIRST: On August 27, 2023, the personal data of the party has been included
claimant in the asset solvency file at the request of the claimed party, despite

because the debt is contested and admitted for processing in the First Court
Instance number 4 of Barcelona, on March 10, 2023.

SECOND: The claimed party affirms that it was a technical error and that the data of the
complaining party have been discharged from ASNEF, at their request.



                           FOUNDATIONS OF LAW

                                           Yo

                                     Competence

In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679
of the European Parliament and of the Council of April 27, 2016 on the protection

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/13








of natural persons with regard to the processing of personal data and the
free circulation of these data (GDPR), and as established in articles 47,
48.1, 64.2 and 68.1 and 68.2 of Organic Law 3/2018, of December 5, on Protection

of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD) is
competent to initiate and resolve this procedure the Director of the Agency
Spanish Data Protection.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions

in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”

                                           II

                                  Previous issues

In the present case, the complaining party denounces the improper inclusion of its data
personal in assets solvency files, since the debt is not yet certain or
enforceable since it is questioned in an ongoing judicial process.


The complaining party affirms that the complained entity includes its personal data in
credit information systems, in relation to a debt that is
contested and admitted for processing in the Court of First Instance number 4 of
Barcelona, on March 10, 2023 and sends ASNEF report on the inclusion of
your data at the request of the claimed party, dated August 27, 2023.



The claimed party affirms that the reported events are a security incident
caused by a technical error (misconfiguration of the customer file button

Claimant).


                                           III
                                 Article 6.1 of the GDPR


The GDPR in its article 4.11 defines the consent of the interested party as “any
manifestation of free, specific, informed and unequivocal will by which the
interested party accepts, either by a declaration or a clear affirmative action, the
processing of personal data that concerns you.”


In relation to the legality of the processing of personal data, article 6.1
of the GDPR, establishes the following:

"1. Treatment will only be legal if at least one of the following is met
conditions:

a) the interested party gave his consent for the processing of his personal data

for one or more specific purposes;
b) the processing is necessary for the execution of a contract in which the interested party

is part of or for the application at his request of pre-contractual measures;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/13








c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;

d) the processing is necessary to protect vital interests of the interested party or another
Physical person;

e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;

 f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that regarding said

interests do not prevail over the interests or fundamental rights and freedoms of the
interested party requiring the protection of personal data, in particular when the
interested is a child.

The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.”

In relation to credit information systems, we must go to article 20.1
of the LOPDGDD, highlighting its section b), which establishes the following:

"1. Unless proven otherwise, the processing of personal data will be presumed lawful.
relating to the breach of monetary, financial or credit obligations by

common credit information systems when the following are met
requirements:

a) That the data has been provided by the creditor or by someone acting on their own behalf
or interest.

b) That the data refer to certain debts, due and payable, whose existence or
amount had not been the subject of an administrative or judicial claim by the debtor or
through a binding alternative dispute resolution procedure between the
parts.

c) That the creditor has informed the affected party in the contract or at the time of
require payment regarding the possibility of inclusion in said systems, with

indication of those in which he participates.

The entity that maintains the credit information system with data related to the
breach of monetary, financial or credit obligations must notify the
affected by the inclusion of such data and will inform you about the possibility of exercising the
rights established in articles 15 to 22 of Regulation (EU) 2016/679 within
of thirty days following notification of the debt to the system, remaining

data blocked during that period.
d) That the data is only kept in the system as long as the data persists.

non-compliance, with a maximum limit of five years from the expiration date of
the monetary, financial or credit obligation.

e) That the data referring to a specific debtor can only be
consulted when the person consulting the system maintained a contractual relationship
with the affected person that involves the payment of a pecuniary amount or this would have
requested the execution of a contract that involves financing, deferred payment or
periodic billing, as happens, among other cases, in those provided for in the

legislation on consumer credit contracts and real estate credit contracts.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/13








When the right to limit processing has been exercised before the system
of the data challenging its accuracy in accordance with the provisions of article 18.1.a) of the

Regulation (EU) 2016/679, the system will inform those who can consult it with
accordance with the previous paragraph about the mere existence of said circumstance, without
provide the specific data with respect to which the right has been exercised, in
both are resolved on the request of the affected party.

f) That, in the event that the request to conclude the contract is denied, or it
will not be held, as a consequence of the consultation carried out, whoever has
“After consulting the system, inform the affected person of the result of said consultation.”




For its part, article 20 of the LOPDGDD, relating to information systems
credit establishes the following:


"1. Unless proven otherwise, the processing of personal data will be presumed lawful.
relating to the breach of monetary, financial or credit obligations by

common credit information systems when the following are met
requirements:




a) That the data has been provided by the creditor or by someone acting on their own behalf
or interest.




b) That the data refer to certain debts, due and payable, whose existence or
amount had not been the subject of an administrative or judicial claim by the debtor or

through a binding alternative dispute resolution procedure between the
parts.




c) That the creditor has informed the affected party in the contract or at the time of
require payment regarding the possibility of inclusion in said systems, with
indication of those in which he participates.




The entity that maintains the credit information system with data related to the
breach of monetary, financial or credit obligations must notify the

affected by the inclusion of such data and will inform you about the possibility of exercising the
rights established in articles 15 to 22 of Regulation (EU) 2016/679 within
of thirty days following notification of the debt to the system, remaining

data blocked during that period.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/13








d) That the data is only kept in the system as long as the data persists.
non-compliance, with a maximum limit of five years from the expiration date of

the monetary, financial or credit obligation.




e) That the data referring to a specific debtor can only be
consulted when the person consulting the system maintained a contractual relationship
with the affected person that involves the payment of a pecuniary amount or this would have

requested the execution of a contract that involves financing, deferred payment or
periodic billing, as happens, among other cases, in those provided for in the
legislation on consumer credit contracts and real estate credit contracts.




When the right to limit processing has been exercised before the system
of the data challenging its accuracy in accordance with the provisions of article 18.1.a) of the

Regulation (EU) 2016/679, the system will inform those who can consult it with
accordance with the previous paragraph about the mere existence of said circumstance, without

provide the specific data with respect to which the right has been exercised, in
both are resolved on the request of the affected person.




f) That, in the event that the request to conclude the contract is denied, or it
will not be held, as a consequence of the consultation carried out, whoever has
Once the system has been consulted, inform the affected person of the result of said consultation.


2. The entities that maintain the system and the creditors, regarding the treatment
of the data referring to their debtors, will have the status of co-responsible for the
processing of the data, the provisions established by article 26 of the

Regulation (EU) 2016/679.



It will be up to the creditor to guarantee that the requirements for the

inclusion in the debt system, answering for its non-existence or inaccuracy.




3. The presumption referred to in section 1 of this article does not cover the
cases in which the credit information was associated by the entity that
maintain the system to information additional to that contemplated in said

section, related to the debtor and obtained from other sources, in order to carry out
outlining it, in particular through the application of techniques of
credit rating.”



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 8/13








                                           IV
                 Classification of the violation of article 6.1 of the GDPR


The inclusion of the personal data of the complaining party in solvency files
patrimonial, despite the fact that the debt is not yet certain or enforceable because it is
questioned in an ongoing judicial process, represents a violation of article 6.1 of the
GDPR.

However, the claimed party states that it is not a credit institution so it cannot

The aggravating circumstance of article 76.2 b) of the LOPDGDD must be applied. Then the
claimed party in response to the initial agreement further states that it has already given
drops the claimant which implies that it has the technical and security measures
necessary organizational measures, the events that concern us being the result of a technical error
(the deconfiguration of the button in the file of the Claimant client), and that it is not

This is no improper data processing.

In this sense, it must be indicated first of all that article 76.2 b) LOPDGDD,
considers as an aggravating circumstance the connection of the offender's activity with the carrying out
of personal data processing, which does not bind only credit institutions,
but also to the entities that provide financial services to users since their

activity involves the processing of personal data, which is why said aggravating circumstance
turns out to be applicable.

In relation to the consideration that this is a technical error, it is not a
argument that allows the claimed party to be exonerated from liability, nor

grants legitimacy in the processing of personal data since this has been a
illicit data processing, since the personal data of the complaining party has
been improperly registered in the ASNEF solvency file, despite the fact that the debt
object of registration is not true since it is being appealed judicially.


For all these reasons, the reported facts represent a violation of article 6.1 of the
RGPD, since the inclusion of personal data in solvency files for a
debt pending judicial resolution, involves processing personal data without
that it is established that the claimed party has carried out the necessary consideration that
allows you to determine the prevalence of your legitimate interest over the interests, rights
and freedoms of the complaining party, as this treatment is not covered by the

presumption of legality contemplated in article 20 of the LOPDGDD since the debt
required object of inclusion in the solvency files is not yet true or enforceable to the
find themselves in an ongoing judicial process.

                                           SAW

           Proposed sanction for violation of article 6.1 of the GDPR

Article 58.2 of the GDPR provides the following: “Each supervisory authority will have
of all the following corrective powers indicated below:


b) sanction any person responsible or in charge of the treatment with a warning
when the processing operations have violated the provisions of this
Regulation;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/13








d) order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where applicable,
in a certain way and within a specified period;


i) impose an administrative fine in accordance with Article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;

Likewise, article 72.1 b) of the LOPDGDD states that “depending on what

established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and
infringements that involve a substantial violation will prescribe after three years
of the articles mentioned in that one and in particular, the following:

b) The processing of personal data without any of the conditions of

legality of the treatment in article 6 of Regulation (EU) 2016/679.”

This violation may be punished with a fine of a maximum of €20,000,000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for the
of larger amounts, in accordance with article 83.5 of the RGPD.


Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established by article 83.2 of the RGPD:

The following are aggravating factors:


     In the present case we are dealing with negligent action (article 83.2 b) since
    that the personal data of the complaining party is included in files of
    solvency, despite the debt being included in the procedure
    judicial in progress. Furthermore, it must be taken into account that the data was kept

    of the claimant despite having knowledge of the judicial procedure.

     The link with the processing of personal data, by the
    recamada entity, being an entity that provides financial services to its
    users, according to article 76.2 b) of the LOPDGDD.


It is appropriate to graduate the sanction to be imposed on the accused and set it at the amount of €70,000
in accordance with article 58.2 of the GDPR.

                                          VII

                                 Adoption of measures

If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the

which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/13








In this specific case, it has been indicated by the claimed party that the personal data
of the complaining party are no longer in the solvency file.


However, the claimed party is required to, within a period of one month
since receiving the resolution of this sanctioning procedure, prove that
The necessary security measures have been adopted so that events such as the one that
We are concerned, that is, incorporating the personal data of your clients into data files.
financial solvency for a debt that is not certain, is not possible, not even as
consequence of a technical error.


The imposition of this measure is compatible with the sanction consisting of a fine
administrative, according to the provisions of art. 83.2 of the GDPR.

It is warned that failure to comply with the possible order to adopt measures imposed by

This body in the sanctioning resolution may be considered as a
administrative offense in accordance with the provisions of the RGPD, classified as
infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.

In view of the above, the following is issued:


                           MOTION FOR RESOLUTION

That the Director of the Spanish Data Protection Agency sanction
IDFINANCE SPAIN, S.A.U., with NIF A66487190, for a violation of article 6 of the

RGPD, typified in article 83.5 of the RGPD, with a fine of 70,000 euros
(seventy thousand euros)

That the Director of the Spanish Data Protection Agency order
IDFINANCE SPAIN, S.A.U., with NIF A66487190, which by virtue of article 58.2.d) of the

RGPD, prove within one month of receiving the resolution of this
sanctioning procedure, it is proven that the personal data of the claimant is already
They do not appear in any financial solvency file at the request of the party
claimed for an untrue debt, and that new security measures are being applied
improvement that prevents improper registration in asset solvency files, for one
technical error.


Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you will be
informs that it may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
It will mean a 20% reduction in the amount. With the application of this

reduction, the penalty would be established at €56,000 (fifty-six thousand euros),
euros and its payment will imply the termination of the procedure, without prejudice to the
imposition of the corresponding measures. The effectiveness of this reduction will be
conditioned on the withdrawal or waiver of any action or resource pending
administrative against the sanction.


In the event that you choose to proceed with the voluntary payment of the specified amount
above, in accordance with the provisions of article 85.2 cited, you must do so
effective by depositing it into the restricted account IBAN number: ES00 0000 0000 0000

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/13








0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A., indicating

in the concept the reference number of the procedure that appears in the
heading of this document and the cause, for voluntary payment, of reduction of the
amount of the penalty. Likewise, you must send proof of entry to the
General Subdirectorate of Inspection to proceed to close the file.


In its virtue, you are notified of the above, and the procedure is made clear to you.
so that within a period of TEN DAYS you can allege whatever you consider in your defense and
present the documents and information that you consider pertinent, in accordance with
article 89.2 of the LPACAP.

                                                                              926-070623
B.B.B.
INSPECTOR/INSTRUCTOR


>>

SECOND: On May 16, 2024, the claimed party has proceeded to pay

of the penalty in the amount of 56,000 euros making use of the reduction provided in
the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or resource pending.
administrative against the sanction, in relation to the facts referred to in the

resolution proposal.

FOURTH: In the proposed resolution transcribed above, the
acts constituting an infringement, and it was proposed that, by the Director, the
responsible for adopting appropriate measures to adjust its actions to the

regulations, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”



                           FOUNDATIONS OF LAW

                                           Yo

                                    Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency

of data.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/13








Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                           II
                             Termination of the procedure


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:


"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction has only a pecuniary nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the

inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of

any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
“regularly.”

In accordance with what has been stated, the Director of the Spanish Agency for the Protection of

Data RESOLVES:

FIRST: DECLARE the termination of procedure EXP202313713, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: ORDER to IDFINANCE SPAIN, S.A.U. so that within 1 month
Since this resolution is final and enforceable, notify the Agency of the
adoption of the measures described in the legal foundations of the
proposed resolution transcribed in this resolution.


THIRD: NOTIFY this resolution to IDFINANCE SPAIN, S.A.U..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/13









Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


                                                                                1331-16012024
Sea Spain Martí
Director of the Spanish Data Protection Agency

















































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es