AEPD (Spain) - EXP202317282

From GDPRhub
Revision as of 14:26, 9 July 2024 by Lm
AEPD - EXP202317282
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 17(1)(d) GDPR
Type: Complaint
Outcome: Upheld
Started: 10.10.2023
Decided:
Published: 25.06.2024
Fine: 150,000 EUR
Parties: Banco Cetelem, S.A.
National Case Number/Name: EXP202317282
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA found that a lender lacked a legal basis when it erroneously charged debts on a bank account after it failed to verify that the account belonged to the debtor. It also did not comply with the data subject’s deletion request. The controller paid a reduced fine of €150,000 pursuant to national law.

English Summary

Facts

On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). He claimed that the controller, which was a lender, made numerous unsolicited charges to his bank account between July and September 2022.

The data subject filed numerous complaints with the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party.

One year later, in September 2023, the controller again charged the data subject with a new bill from the same unknown third party lender. The data subject complained about the charge, and the controller once again did the same thing in October 2023.

The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and subsequently entered in the controller’s database. It stated that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number.

Holding

The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request.

Since 2022, the controller was processing the data subject’s bank account information in its debt contract with the debtor, in its databases, and in its transmission to a future debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of Article 6(1) GDPR. The AEPD considered the processing in 2022 and 2023 (between which the data subject had made a deletion request) separately – thus, it found two Article 6(1) GDPR violations occurred on the separate processing occasions.

The AEPD also found that the controller violated Article 17(1)(d) GDPR when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023.

The AEPD recommended a sanction of €250,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €150,000.

Comment

The AEPD rejected the controller’s defense that human error resulted in an erroneous transcription of the bank account number, noting that it is extremely difficult to ‘accidentally’ create an authentic account number in error. Instead, the AEPD considered that the controller incorporated the data subject’s bank account information into the debtor’s contract without verifying that the debtor owned the account in question. Interestingly, though, security measures were not a substantive part of the AEPD's analysis or infringement findings.
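The check-digit argument the AEPD relied on can be made concrete. The following is an added example, not part of the decision or of the GDPRhub summary: it assumes the standard Spanish account layout (an IBAN whose ISO 7064 mod-97 check digits wrap a 20-digit CCC carrying two mod-11 control digits of its own) and uses a constructed account number. It enumerates every single-digit slip and adjacent swap in the 20-digit body and shows that none of them still validates; passing the check says nothing about who owns the account, which is the verification the controller skipped.

```python
"""Added example: the two check-digit layers of a Spanish account number.

Assumed layout: ES + 2 IBAN check digits + 20-digit CCC, where the CCC is
bank(4) + branch(4) + 2 control digits + account(10).
The account number used below is constructed for illustration.
"""

CCC_WEIGHTS = (1, 2, 4, 8, 5, 10, 9, 7, 3, 6)


def _ccc_digit(ten_digits: str) -> str:
    """One CCC control digit: weighted sum mod 11, with 10 -> 1 and 11 -> 0."""
    total = sum(int(d) * w for d, w in zip(ten_digits, CCC_WEIGHTS))
    value = 11 - total % 11
    return {10: "1", 11: "0"}.get(value, str(value))


def ccc_check_digits(bank: str, branch: str, account: str) -> str:
    """First digit covers 00+bank+branch, second covers the account number."""
    return _ccc_digit("00" + bank + branch) + _ccc_digit(account)


def _mod97(text: str) -> int:
    """ISO 7064 MOD 97-10 over an alphanumeric string (A=10 ... Z=35)."""
    return int("".join(str(int(ch, 36)) for ch in text)) % 97


def iban_check_digits(country: str, bban: str) -> str:
    """Check digits that make the rearranged IBAN congruent to 1 mod 97."""
    return f"{98 - _mod97(bban + country + '00'):02d}"


def is_valid_iban(iban: str) -> bool:
    """Outer layer only: move the first four characters to the end, mod 97."""
    iban = iban.replace(" ", "").upper()
    if len(iban) < 5 or not (iban.isascii() and iban.isalnum()):
        return False
    return _mod97(iban[4:] + iban[:4]) == 1


def is_valid_spanish_account(iban: str) -> bool:
    """Both layers must agree: IBAN mod 97 and the inner CCC control digits."""
    iban = iban.replace(" ", "").upper()
    if len(iban) != 24 or not iban.startswith("ES"):
        return False
    if not (iban.isascii() and iban[2:].isdigit()):
        return False
    bank, branch, dc, account = iban[4:8], iban[8:12], iban[12:14], iban[14:]
    return is_valid_iban(iban) and dc == ccc_check_digits(bank, branch, account)


def build_spanish_iban(bank: str, branch: str, account: str) -> str:
    """Assemble a well-formed Spanish IBAN from its parts."""
    bban = bank + branch + ccc_check_digits(bank, branch, account) + account
    return "ES" + iban_check_digits("ES", bban) + bban


def transcription_variants(iban: str):
    """Yield every one-digit substitution and adjacent swap in the 20-digit body."""
    head, body = iban[:4], iban[4:]
    for i, original in enumerate(body):
        for digit in "0123456789":
            if digit != original:
                yield head + body[:i] + digit + body[i + 1:]
    for i in range(len(body) - 1):
        if body[i] != body[i + 1]:
            yield head + body[:i] + body[i + 1] + body[i] + body[i + 2:]


def surviving_errors(iban: str, validator=is_valid_iban) -> list:
    """Mistyped variants that the given validator would still accept."""
    return [v for v in transcription_variants(iban) if validator(v)]


# Constructed sample: bank 1234, branch 5678, account 0123456789.
SAMPLE = build_spanish_iban("1234", "5678", "0123456789")

if __name__ == "__main__":
    variants = list(transcription_variants(SAMPLE))
    print("sample account (constructed):", SAMPLE)
    print("typo variants tried:", len(variants))
    print("accepted by IBAN mod 97:", len(surviving_errors(SAMPLE)))
    print("accepted by both layers:",
          len(surviving_errors(SAMPLE, is_valid_spanish_account)))
```

Because 97 is prime and divides neither 9 nor any power of 10, a one-digit change or an adjacent swap always shifts the remainder, so the outer check alone rejects every such variant.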

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202317282


       RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT


From the procedure conducted by the Spanish Data Protection Agency and based on the following



                                  BACKGROUND

FIRST: On May 21, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against BANCO CETELEM,
S.A. (hereinafter, the claimed party), through the Agreement transcribed:


<<

File No.: EXP202317282



            AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following


                                      FACTS


FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on October 20, 2023. The claim is directed against BANCO CETELEM, S.A. with NIF A78650348 (hereinafter, CETELEM). The reasons on which the claim is based are the following:

The complaining party states that CETELEM charges to his bank account the payment receipts for a loan of an unknown third party. He provides several extracts of said receipts, as well as several claims before CETELEM along with their responses, including one police report. There is a first series of 8 receipts improperly charged to the claimant's account no. ***ACCOUNT.1, between the months of July and September 2022, at a rate of two receipts per month.


On August 8, 2022, the complaining party protested to CETELEM about the improper use of his bank account, requesting the deletion of his bank account data; he also demanded an explanation of how his data had been obtained without a prior contractual relationship. He also criticized CETELEM for attributing his bank account to a third person without previously requesting the relevant certificate of bank ownership. Additionally, the complaining party requested and obtained the return of the amount of the receipts improperly collected.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15









A year later, in September 2023, CETELEM again charged a new receipt from the same debtor to the account of the complaining party. The complaining party submitted a new claim to CETELEM on 09/21/23; nevertheless, CETELEM charged a new receipt again on 10/2/23.


CETELEM reacted on 10/20/23 acknowledging receipt of the claim and, in its response of 10/23/23, justified its actions on the ground that the claimant's account number is the one that appears in the contract.

At the same time, the complainant also filed a complaint at the police station of ***LOCALITY.1 on September 18, 2023.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was transferred to the claimed party so that it could analyze it and inform this Agency, within one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on December 4, 2023, as stated in the acknowledgment of receipt in the file.

THIRD: On December 22, 2023, CETELEM responded to the AEPD's request for information.

CETELEM reports that it deleted the claimant's account data from its database after the first claim, but that it sold the debt to a third company in June 2023, and that the contract still incorrectly included the claimant's bank account number.

In CETELEM's opinion, responsibility for this new incident would lie with the new company; however, it took steps to resolve the new series of improper charges to the claimant's account. Finally, it concludes that the improper charges of 2022 and 2023 to the claimant's account were due to human error.

FOURTH: On December 29, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FIFTH: According to the report obtained from the AXESOR tool, the entity BANCO CETELEM, S.A. is a company established in 1988 with a business volume of 64,855,216 euros in 2022.


                          FOUNDATIONS OF LAW

                                          I
                                    Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."


                                             II
                                  Unfulfilled obligation
                          Initial treatment without legality article 6

Article 4.1 of the GDPR, “Definitions”, states that:

“For the purposes of this Regulation it will be understood as:
1) "personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of said person.”



                             Article 6 Legality of processing

1. Processing will only be lawful if at least one of the following conditions is met:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at his request, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the controller;

d) the processing is necessary to protect vital interests of the interested party or of another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that said interests are not overridden by the interests or fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph will not apply to processing carried out by public authorities in the exercise of their functions.”


CETELEM holds the bank account number of the complaining party. Through this identification number the account holder is an identifiable natural person; therefore, this data would be considered personal data, in accordance with Article 4 of the GDPR. CETELEM acknowledges in several of its writings that the claimant's bank account number appears in the contract of a debtor and, therefore, also in the CETELEM database. For this reason, receipts of this debtor are collected from the claimant's bank account.

Although CETELEM seems to point, in its defense, to errors in the initial transcription of the account number, the check digits of bank accounts make it practically impossible to “create” an authentic account number by mistake.

This means, as indicated by the complainant, that this error is due to CETELEM having incorporated the claimant's bank account into the debtor's contract without verifying ownership of the account.


In view of the above, it seems clear that CETELEM initially had the full number of the claimant's bank account, but it does not satisfactorily clarify how this information could have appeared in a contract of a CETELEM client, taking into account that the claimant does not have, nor has had, a prior contractual relationship with this entity.


Between the months of July and September 2022, CETELEM improperly charged a series of 8 receipts to the claimant's account No. ***ACCOUNT.1, at a rate of two receipts per month. On August 8, 2022, the complaining party protested to CETELEM about the improper use of his bank account, requesting the deletion of his bank account data.


In September 2023, CETELEM charged a new receipt from the same debtor to the account of the complaining party. The complaining party presented a new claim to CETELEM on 09/21/23; however, CETELEM again charged a new receipt on 10/2/23.


CETELEM has held the claimant's account number since 2022, first in its database and in the debt contract, and in 2023 still in the debtor's contract, without having rectified or deleted this information. CETELEM declares that it also transferred the claimant's account to a third company in June 2023 with the sale of the debt.

In this way, CETELEM would have processed the claimant's personal information without lawfulness, given that there is no consent, nor any legal or contractual obligation, that justifies its processing; as a consequence of this processing, the claimant bore various charges on his account over several months in 2022 and 2023 for a debt whose owner was another person.


                                           III
                        Classification and qualification of the infringement

In accordance with the evidence available at the present time, and without prejudice to what results from the investigation and according to the known facts, the claimant is identifiable through his bank account number, to which CETELEM charges a series of receipts.

The claimant is not the owner of the debts charged and does not have, nor has had, any prior contractual relationship with CETELEM. This means that CETELEM carries out this processing without lawfulness, as it does not have the consent of the interested party.

The known facts could constitute an infringement, attributable to CETELEM, of article 6 of the RGPD (Lawfulness of processing), for processing without a legal basis.


This infringement of the GDPR is classified in article 83.5.a) as follows:

"5. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the largest amount:

a) the basic principles for the processing, including the conditions for consent in accordance with articles 5, 6, 7 and 9;”



For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1.b of the LOPDGDD, which classifies the following conduct as very serious:

“b) The processing of personal data without any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679.”

                                           IV
                                 Sanction proposal


This infringement can be punished with an administrative fine of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the largest amount.

Article 83.2 of the GDPR, on general conditions for the imposition of administrative fines, establishes that they will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in article 58, section 2, letters a) to h) and j).


In the present case, section a) would apply, which establishes:
“a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;”


The nature and scope of the processing affects the economic rights of the claimant when CETELEM makes charges to his bank account.

Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, establishes the following in letter b):

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

b) The link between the offender's activity and the processing of personal data."

CETELEM is a banking entity, so it has a qualified connection with the processing of personal data, in particular with accuracy in that processing.


In view of the above, a fine of €100,000 is proposed.

                                            V
                                 Unfulfilled obligation
                       Right to erasure 17 1. d) of the GDPR


For its part, article 17 of the RGPD, relating to the right of deletion, establishes the following in section 1 d):

“The interested party will have the right to obtain without undue delay from the controller the deletion of personal data concerning him, and the controller will be obliged to delete personal data without undue delay when any of the following circumstances applies:
(…)
d) the personal data have been processed unlawfully;
(…)”


In September and October 2023, according to the bank receipts provided by the claimant, CETELEM again made new charges to his account. CETELEM acknowledges its breach of the requested right of deletion when it declares that the rectification and deletion of the claimant's account took place only in the database, but not in the contract that was the legal basis of the debt.





The obligation of the controller to proceed without delay with the deletion of unlawfully processed data is also included in article 5.1.d) of the GDPR:

1. Personal data will be:
(…)
d) accurate and, if necessary, updated; all reasonable measures will be taken so that personal data that are inaccurate with respect to the purposes for which they are processed are deleted or rectified without delay (“accuracy”);
(…)

2. The controller will be responsible for compliance with the provisions of section 1 and able to demonstrate it ("proactive responsibility").


In view of the facts described, it seems clear that CETELEM limited itself to deleting the claimant's data only from the database, but not from the contract. More than 1 year after the claim, CETELEM has not adopted all reasonable measures for the immediate deletion and rectification of the claimant's data.


                                           VI
                        Classification and qualification of the infringement

In accordance with the evidence available at the present time and without prejudice to what results from the investigation, it is considered that CETELEM had not effectively deleted the claimant's account number in September and October 2023. According to its own statement, CETELEM would have only proceeded to delete it from the database, but not from the contract underlying the improper charges, despite the exercise of the right of deletion without the consent of the interested party on August 8, 2022.

As a consequence of the improper processing indicated, CETELEM has once again made unjustified charges, owed by another person, to the claimant's account.

The known facts could constitute an infringement, attributable to CETELEM, of article 17.1.d) of the RGPD, relating to the right of deletion, which establishes the following:

“1) The interested party will have the right to obtain without undue delay from the controller the deletion of personal data concerning him, and the controller will be obliged to delete personal data without undue delay when any of the following circumstances applies:
(…)
d) the personal data have been processed unlawfully;
(…)”


This infringement of the GDPR is classified in article 83.5.b) as follows:

"5. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the largest amount:

b) the rights of the interested parties under articles 12 to 22;”

For the purposes of the limitation period for infringements, as it is a one-off breach of the right of deletion, the alleged infringement prescribes after one year, in accordance with article 74.1.c of the LOPDGDD, which classifies the following conduct as minor:

“c) Not responding to requests to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law are applicable.”


                                           VII
                                 Sanction proposal

This infringement can be punished with an administrative fine of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the largest amount.

Article 83.2 of the GDPR, on general conditions for the imposition of administrative fines, establishes that they will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in article 58, section 2, letters a) to h) and j).

In the present case, it would be appropriate to apply sections a) and b), which establish:
“a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;”


The effective deletion requested has been delayed by well over 1 year, which is considered an aggravating factor in liability. The breach of the duty of data accuracy has forced the complaining party to repeat the request for deletion of his data, even going so far as to file a complaint with the police for fraud.


“b) intentionality or negligence in the infringement.”

The deletion of the account number of the complaining party only in the database, but
not in the contract, would point to negligent behavior on the part of CETELEM.


Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, establishes the following in letter b):

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

b) The link between the offender's activity and the processing of personal data."

CETELEM is a banking entity, so it has a qualified connection with the processing of personal data, in particular with accuracy in that processing.

In view of the above, a fine of €50,000 is proposed.



                                           VIII
                                  Unfulfilled obligation
                        Second treatment without legality article 6

Article 4.2 of the GDPR, “Definitions”, establishes that:

“For the purposes of this Regulation it will be understood as:

2) "processing": any operation or set of operations performed on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, deletion or destruction;” (…)

In September and October 2023, two new charges were again made to the claimant's account for the same debtor, which means that CETELEM would not have proceeded to delete the data of the complaining party. CETELEM informs the AEAT in this regard, in the previous actions, that it sold the debt to a third company along with the contract that contains the erroneous data of the complaining party.

It states that, as a consequence of the sale of the debt, responsibility for the accuracy of the data would now lie with the new company, and that it nevertheless had to take care of resolving the new incident of improper charges on the claimant's account.

With the transfer of the complaining party's current account number to a third party, CETELEM carries out a new data processing operation (“communication by transmission”, article 4.2 of the RGPD), for which it is necessary to comply again with the conditions of lawfulness provided for in article 6 of the RGPD:

1. Processing will only be lawful if at least one of the following conditions is met:

a) the interested party gave his consent for the processing of his personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at his request, of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the controller;


CETELEM already lacked lawfulness for the current account data of the claimed party in August 2022; it does not have the consent of the interested party, and the processing carried out is not necessary for compliance with a legal or contractual obligation.

This is information that it should never have held and whose deletion had been requested by the interested party. Since the year prior to this transfer, CETELEM has been aware of the lack of lawfulness of this processing, because the complaining party had already exercised his right of deletion due to unlawful processing of his bank account number.

CETELEM improperly kept the information claimed and, with the sale of the debt, would have carried out a new processing operation, communicating to a third company the account data of the claimed party without the conditions of lawfulness provided for in article 6.1.a) of the GDPR.


                                           IX

                        Classification and qualification of the infringement

In accordance with the evidence available at the present time, and without prejudice to what results from the investigation, CETELEM acknowledges before the AEPD the transfer of the complaining party's account number to a third company, which is a new processing operation carried out against the manifest opposition of the interested party.

The known facts could constitute an infringement, attributable to CETELEM, of article 6 of the RGPD (lawfulness of processing), by processing consisting of the transfer of the interested party's data to third parties without the consent of the interested party:


This infringement of the GDPR is classified in article 83.5.a) as follows:

"5. Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the largest amount:

a) the basic principles for the processing, including the conditions for consent in accordance with articles 5, 6, 7 and 9;”

For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1.b of the LOPDGDD, which classifies the following conduct as very serious:

“b) The processing of personal data without any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679.”

                                           X

                                 Sanction proposal

This infringement can be punished with an administrative fine of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the largest amount.


Article 83.2 of the GDPR establishes that administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures referred to in Article 58, paragraph 2, letters a) to h) and j). For its part, Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes that:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

b) The link between the offender's activity and the processing of personal data."


CETELEM is a banking entity, so it has a qualified connection with the processing of personal data, in particular with accuracy in that processing, which makes especially serious the obtaining of the claimant's bank account number, its retention despite the interested party's right of deletion, and finally its transfer to a third party without effective verification of the accuracy of the data.

In view of the above, a fine of €100,000 is proposed.



                                           XI
                                 Adoption of measures

If the infringement is confirmed, it could be agreed to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…” The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR.

It could then be agreed to adopt appropriate organizational measures to avoid errors in the future such as the one produced in this case, within a period of 3 months, as well as the communication of the deletion of the processing to the company to which CETELEM transferred the data of the complaining party due to the sale of the debt.


It is warned that failure to comply with any order to adopt measures imposed by
this body in the sanctioning resolution may be considered an
administrative offense in accordance with the provisions of the RGPD, classified as an
infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a
subsequent administrative sanctioning procedure.


Therefore, in accordance with the above, the Director of the Spanish Data
Protection Agency
AGREES:

FIRST: START SANCTIONING PROCEDURE against BANCO CETELEM, S.A.,
with NIF A78650348, for two alleged violations of article 6 and one violation
of article 17.1.d) of the RGPD, all of them classified in article 83.5 of the RGPD.

SECOND: APPOINT B.B.B. as instructor and C.C.C. as secretary,
indicating that they may be challenged, if applicable, in accordance with the provisions of
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public
Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Data
Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be two hundred and fifty thousand euros
(€250,000): one hundred thousand euros (€100,000) for the initial violation of article 6, fifty thousand
euros (€50,000) for the violation of article 17.1.d) and one hundred thousand euros (€100,000) for the
second violation of article 6, without prejudice to what results from the investigation.

FIFTH: NOTIFY this agreement to BANCO CETELEM, S.A., with NIF
A78650348, granting it a hearing period of ten business days to formulate
the allegations and present the evidence that it considers appropriate. Its written
allegations must state its NIF and the file number that appears in the
heading of this document.


If within the stipulated period you do not make allegations to this initiation agreement, it
may be considered a proposal for a resolution, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement, which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at two hundred thousand euros (€200,000),
resolving the procedure with the imposition of this sanction.


Likewise, you may, at any time prior to the resolution of this
procedure, make voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
the sanction would be established at two hundred thousand euros (€200,000) and its payment
will imply the termination of the procedure, without prejudice to the imposition of the
corresponding measures.


The reduction for the voluntary payment of the penalty is cumulative with the one that
applies for recognition of responsibility, provided that this recognition
of responsibility is made evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the amount referred to
in the previous paragraph may be made at any time prior to the resolution. In
this case, if both reductions were to be applied, the amount of the penalty would be
established at one hundred and fifty thousand euros (€150,000).

In any case, the effectiveness of either of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any administrative action or appeal
against the sanction.

In the event that you choose to proceed with the voluntary payment of either of the amounts
indicated above, two hundred thousand euros (€200,000) or one hundred and fifty thousand
euros (€150,000), it must be made effective by depositing it into the IBAN account number:
ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX) opened in the
name of the Spanish Data Protection Agency at the banking entity
CAIXABANK, S.A., indicating in the payment concept the reference number of the
procedure that appears in the heading of this document and the cause of
reduction of the amount that is being relied on.


Likewise, you must send proof of payment to the General Subdirectorate of
Inspection so that the procedure can continue in accordance with the amount
paid.

The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. If that period elapses without a resolution having been issued
and notified, the procedure will expire and, consequently, the proceedings will be archived,
in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency


>>

SECOND: On May 31, 2024, the claimed party paid the penalty
in the amount of 150,000 euros, making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.


THIRD: The payment made within the period granted to formulate allegations to
the opening of the procedure entails the waiver of any administrative action or appeal
against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.

FOURTH: In the initiation Agreement transcribed previously it was stated that,
if the infringement is confirmed, the controller could be ordered to adopt
appropriate measures to bring its actions into line with the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to
which each supervisory authority may “order the controller or processor to bring
processing operations into compliance with the provisions of this Regulation,
where appropriate, in a specified manner and within a specified period…”

Responsibility for the infraction having been recognized, it is appropriate to impose
the measures included in the Initiation Agreement.



                           FOUNDATIONS OF LAW

                                           I
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

                                           II

                            Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:


"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction
and another of a non-pecuniary nature may be imposed but the
inadmissibility of the second has been justified, the voluntary payment by the alleged responsible party, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction is solely pecuniary in nature, the
body competent to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of
any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
by regulation."


According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202317282, in
accordance with the provisions of article 85 of the LPACAP.


SECOND: ORDER BANCO CETELEM, S.A. to notify the Agency, within 3 months
of this resolution becoming final and enforceable, of the
adoption of the measures described in the legal foundations of the
Initiation agreement transcribed in this resolution.


THIRD: NOTIFY this resolution to BANCO CETELEM, S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                             1259-16012024
Mar España Martí
Director of the Spanish Data Protection Agency




