
AEPD (Spain) - EXP202303035

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 20.01.2023
Decided: 03.01.2025
Published: 09.01.2025
Fine: 50,000 EUR
Parties: Banco Pichincha
National Case Number/Name: EXP202303035
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined a bank €50,000 because its processor disclosed personal data to an impersonator even though the caller could not correctly answer the identity-verification questions.

English Summary

Facts

On 20 January 2023, the data subject filed a complaint against Banco Pichincha, the controller. The data subject had been experiencing issues with her mobile phone and asked her phone network provider for a copy of her SIM card and a list of the calls made from her number. On receiving the list of calls, she noticed three calls to her bank that she had not made herself.

The data subject then tried to log in to her online banking, but her password produced an access error. She contacted the bank's customer support service to change her password, and it turned out that someone had impersonated her and accessed her account.

The impersonator had contacted the bank by telephone. The bank was obliged to ask certain security questions in order to verify that the caller was the rightful account holder. The bank had outsourced its customer service to another company, the processor. The processor did not follow the required protocol for the security questions: it continued the call even though the impersonator could neither say how much money was supposed to be in the account nor state the account holder's exact profession.

During that call the password was changed, and the impersonator was able to carry out financial transactions. A total of €50,000 went missing from the data subject's account.

The controller argued that it lawfully processed the data subject’s data and that instead the impersonator should be charged with unlawful processing of personal data.

Holding

The AEPD held that the ultimate responsibility for the processing of personal data remained with the controller, as it determined the purpose of the processing. It further explained that if the controller were not held accountable, controllers would not be liable for the unlawful actions of their processors.

With reference to the CJEU judgment in Deutsche Wohnen, the AEPD reiterated that a controller does not need to be aware that it is infringing the GDPR in order to be sanctioned for the infringement.

The AEPD concluded that the controller had processed the data subject’s personal data without any legal basis for this under Article 6(1) GDPR. The AEPD stated that the controller had been negligent in verifying the caller’s identity and issued an administrative fine of €50,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/8

 File no.: EXP202303035

RESOLUTION ON APPEAL FOR REPOSITION

Having examined the appeal for reconsideration filed by BANCO PICHINCHA ESPAÑA, S.A. (hereinafter, the appellant) against the resolution issued by the Director of the Spanish Data Protection Agency dated October 1, 2024, and based on the following

FACTS

FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a claim with the Spanish Data Protection Agency on January 20,
2023. The claim is directed against BANCO PICHINCHA ESPAÑA, S.A. with NIF A85882330
(hereinafter, BANK).

The following information is provided in the letter received:

The complainant states that her telephone number ***TELÉFONO.1, of which she is the owner, was cloned by the company DIGI SPAIN TELECOM, S.L.U. ("DIGI"), since on September 4, 2021, without any security measures tending to reliably identify the person who requested it, a third person, impersonating the complainant, requested the cloning of the telephone, with the purpose of making calls to the bank BANCO PICHINCHA ESPAÑA, S.A. and thus carrying out certain operations that involved a total of 50,000 euros transferred from her bank account to other accounts.

A police report and claims made are included with the notification.

SECOND: In accordance with article 65.4 of the LOPDGDD, the claim was transferred to DIGI, so that it could proceed with its analysis and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on March 8, 2023, as recorded in the acknowledgment of receipt in the file.

On April 5, 2023, this Agency received a response letter indicating that "…in accordance with what was indicated by the Complainant in the complaint filed with the AEPD, on September 7, 2021, because her phone was giving her problems, she requested from her telephone operator a copy of her SIM card, as well as a list of outgoing calls made from her telephone number, verifying that three (3) calls had been made to the PIBANK Customer Service phone which, according to the Complainant, had not been made by her.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/8

Subsequently, according to Ms. A.A.A., on September 28, 2021, she tried to access PIBANK's Online Banking, finding out that her usual password generated an access error, which is why she contacted PIBANK's Customer Service, through the contact number 911110000, in order to recover her Online Banking passwords.

When a customer requests the recovery of passwords to the Entity's Online Banking, the operator who answers the call has to ask a series of security questions articulated as customer identification defense mechanisms, asking the customer questions whose answers would be easy for them to remember, but at the same time difficult for anyone else to guess. (…):

- (…)
- (…)
- (…)
- (…)
- (…)
- (…)
- (…)

(…).

(…).

In relation to the above, it should be noted that, at the time of the events, the Bank
had outsourced customer service to the entity GLOBAL
SALES SOLUTIONS LINE, S.L…who was responsible, among other things, for
answering incoming calls to the Entity…”.

"…Although, as has been shown, the Bank had reiterated on different occasions, and through different means, to its Provider what the procedure was for a client to recover their Online Banking passwords, as well as the specific instructions regarding the modus operandi of the operators in situations in which the client does not respond correctly and clearly to the questions asked, in the call made by the GSS operator to Ms. A.A.A. on September 6, 2021 at 12:13 p.m., said operator did not strictly comply with the protocol established by the Entity, since, (…), the operator continued to ask more questions to the Complainant, finally initiating the process of automatically sending the corresponding OTP code by SMS to the telephone number that the Complainant provided to the Bank at the time of opening the account (remember that said number was verified by the Complainant herself at the time of contracting, as has been explained ut supra), and that would allow her to change the Online Banking password.

In this regard, it is in the interest of the Entity to inform this Agency that, despite the fact that it was a call that was later considered fraudulent, a fact that the Bank later became aware of through the communications made by the Complainant days later, the Bank made available to the Provider all the tools necessary to comply strictly with the current regulations, and had not detected any indication of irregularity that would lead it to distrust a possible fraudulent contract. In this sense, the Bank considers that, if there is a breach, it would be attributable to GSS, since article 28.10 RGPD establishes that: "if a data processor infringes this Regulation when determining the purposes and means of the processing, it will be considered responsible for the processing with respect to said processing."

In light of the above, and as has been evidenced, the Provider breached the instructions provided by the Bank, and in this case must acquire the status of data controller…".

THIRD: On April 20, 2023, in accordance with article 65 of the
LOPDGDD, the claim filed by the complainant was admitted for processing.

FOURTH: On October 2, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against the respondent party,
for the alleged violation of article 6.1 of the GDPR, classified in article 83.5 of the
GDPR.

FIFTH: Having notified the aforementioned agreement to start in accordance with the rules established in
the LPACAP, the respondent party submitted a written statement of allegations in which it requests that
it be considered submitted together with the accompanying documents, that they be admitted and
considering the previous allegations formulated, and after the appropriate procedures, that it be agreed:

- The archiving of the referenced file, nullifying the initiated sanctioning
procedure.
- In the event that the previous claim is not accepted by the Agency,
it is requested that the substantiated mitigating
circumstances be taken into account and, consequently, that the procedure be
concluded by means of a warning.
- In the hypothetical case that none of the previous claims
were accepted by the AEPD; ultimately, it is requested that
the amounts established in the Agreement be reduced, taking into account
the arguments stated in the body of the document.

In its allegations, in summary, the respondent party claims:

1.- In its first allegation, BANCO refers to the fact that it has had, at all times, sufficient and adequate legitimacy for the processing of the personal data of the complainant party as a result of the formalization, management and execution of the contractual relationship maintained by both. In relation to the impersonation, it considers that the Agency should impute an infringement of article 6 in relation to article 7 of the GDPR to the person who obtained and used the data of the complainant party to obtain an illicit benefit. BANCO also points out that it proceeded immediately to return the amounts stolen, despite the judicial dismissal of the proceedings. Finally, reference is made to various archive resolutions of the Spanish Data Protection Agency.


2.- In its second allegation, BANCO proceeds to analyse the disproportionality of the sanction, as well as the burdens applied in the grading of the sanction, pointing out as mitigating factors for the purposes of reducing the administrative sanction:

- That the entity, acting in good faith, diligence and proactivity, resolved the incident that is the subject of the claim in an effective manner.
- The failure to provide the personal data of the claimant to a third party together with the procedures instituted by the company.
- The absence of alleged prior infringements.
- The high degree of cooperation in order to offer and make available to this body all information that was at its disposal.
- That the entity never provided any personal data to the impersonator.
- That the entity has never obtained any kind of benefit.

Finally, it states that the measures in force at the time of the events
met the most rigorous standards to deal with the risks and that they were
adequate and suitable taking into account the state of the art, the costs of
application, the nature, scope, context and purposes of the treatment, as well as
the risks to the rights and freedoms of natural persons.

However, the allegations presented were rejected.

SIXTH: On August 8, 2024, a resolution proposal was made, proposing that BANCO PICHINCHA ESPAÑA, S.A., with NIF A85882330, be sanctioned for an infringement of Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, with a fine of €50,000 (FIFTY THOUSAND EUROS).

SEVENTH: Having been notified of the resolution proposal in accordance with the rules established in the LPACAP, the respondent party submitted written allegations on August 21, 2024.

In its allegations, in summary, the respondent party states:

1. In its first allegation, BANCO insists that it has always processed the personal data of Ms. A.A.A. (hereinafter, indistinctly, the "Complainant") on an adequate legal basis in accordance with the provisions of article 6 of the GDPR and points out that the person who processed the data without sufficient legitimacy and, therefore, who should have had the consent of the Complainant for its due processing was the impersonator, with the AEPD committing an error as provided in the Proposed Resolution.

Finally, in this same allegation it refers to the fact that the AEPD has not followed the same criteria as the Court of Instruction (...) in relation to the dismissal, as well as the principle of certainty and the principle of in dubio pro reo.

2. In its second allegation, BANCO insists on the absence of any type of responsibility for the actions carried out by GSS, as the processor.

3. In its third allegation, BANCO refers to case law which has determined that an action cannot be sanctioned without a certain degree of intent, and that the existence of a culpable infringement constitutes a requirement for the imposition of a fine.

4. Finally, BANCO alleges the principle of proportionality, stating that the proposed sanction is not appropriate and, in the hypothetical case that it were appropriate, it would not be proportional to the factual situation at hand.

It concludes its written allegation by stating that it has attached two receipts of payments made to the AEPD, of €40,000 and €10,000 respectively, and the reasons why it has made said payments. It is clear that these are not a recognition of the alleged facts, but rather the aim is to avoid possible future accruals of interest.

EIGHTH: On October 1, the Director of the Spanish Data Protection Agency issued a resolution imposing on BANCO PICHINCHA ESPAÑA, S.A., with NIF A85882330, for an infringement of article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of €50,000 (FIFTY THOUSAND EUROS).

NINTH: After notification of the aforementioned resolution in accordance with the rules established in the
LPACAP, the respondent party filed an appeal for reconsideration, within the legally established period, in which, in summary, it states that:

- In its first allegation, it insists that BANCO PICHINCHA
has not breached the provisions of article 6.1 of the
RGPD, with the lack of legitimacy falling on the third party who
supposedly impersonated the data owner.

- In its second allegation, BANCO PICHINCHA again argues that it gave clear instructions to GSS on how to proceed with the processing of personal data regarding the service provided by it and, as the data processor itself acknowledged the alleged facts, liability cannot be placed on BANCO PICHINCHA.

- In its third allegation, it refers to an error in the assessment of the
evidence by this AEPD.
- In its last argument, it insists on the already alleged violation of the principle of
proportionality, limiting itself to transferring the literal meaning of the provisions of its resolution in relation to the provisions of
articles 83.4 and 83.5 of the GDPR, omitting any motivation in the
observation of the principle of proportionality.

LEGAL BASIS

I
Competence

The Presidency of the Spanish Data Protection Agency is competent to resolve this appeal, in accordance with the provisions of article 123
of Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP) and article 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of
Digital Rights (hereinafter, LOPDGDD).


II
Grounds for the contested decision

In relation to the statements made in the appeal, which basically reiterate those already made during the processing of this case, it should be noted that these were already analysed and rejected in the contested decision, the grounds for which remain fully valid.

In the present case, there are various calls to the bank BANCO to carry out certain operations, after a change of credentials, which involved a total of 50,000 euros transferred from the bank account of the claimant to other accounts.

The operations carried out were not carried out within the scope of the BANK-client contractual relationship since they were carried out by a third party without their consent and without the BANK adequately verifying the identity of its interlocutor, which has led to the conclusion that the personal data of the complaining party has been processed without legitimacy.

It is clear that neither the procedure for a client to recover his Online Banking passwords nor the specific instructions regarding the modus operandi of the operators in situations in which the client does not respond correctly and clearly to the questions asked (the supposed client indicated in the call that she did not know the balance in her bank account and showed doubts when answering what her profession was...) prevented the initiation, finally, of the process of automatically sending the corresponding OTP code by SMS to the telephone number, allowing the change of the Online Banking password and the subsequent financial operations already mentioned.

The file states, and the respondent party states, that in the call made by the GSS operator to the complainant on September 6, the operator did not strictly comply with the protocol established by the BANK, since the "supposed client" indicated in the call that she did not know the balance in her bank account, as well as doubts about her profession.

Furthermore, the BANK acknowledges the error by transferring responsibility to the Supplier for
failing to comply with the instructions provided by the latter.

"…Although, as has been shown, the Bank had reiterated on different occasions, and through different means, to its Provider what the procedure was for a client to recover their Online Banking passwords, as well as the specific instructions regarding the modus operandi of the operators in situations in which the client does not respond correctly and clearly to the questions asked, in the call made by the GSS operator to Ms. A.A.A. on September 6, 2021 at 12:13 p.m., the operator did not strictly comply with the protocol established by the Entity, since, despite the fact that the alleged client indicated in the call that she did not know the balance she had in her bank account, showing doubts in the answer to what her profession was, the operator continued to ask the Complainant more questions, finally initiating the process of automatically sending the corresponding OTP code by SMS to the telephone number that the Complainant provided to the Bank at the time of opening the account (remember that said number was verified by the Complainant herself at the time of contracting, as has been explained ut supra), and that would allow her to change the Online Banking password.

In this regard, it is in the interest of the Entity to inform this Agency that, despite the fact that it was a call that was later considered to be fraudulent, a fact that the Bank later became aware of through the communications made by the Complainant days later, the Bank made available to the Provider all the tools necessary to comply strictly with the current regulations, and did not detect any indication of irregularity that would lead it to distrust a possible fraudulent contract. In this sense, the Bank considers that, if there were a breach, it would be attributable to GSS, since article 28.10 RGPD establishes that: "if a data processor infringes this Regulation when determining the purposes and means of the processing, it will be considered responsible for the processing with respect to such processing."

In light of the above, and as has been evidenced, the Supplier failed to comply with the instructions provided by the Bank, and in this case must acquire the status of data controller…".

However, it is the controller who must apply the appropriate technical and
organisational measures to ensure and be able to demonstrate that the
processing complies with the Regulation.

Ultimate responsibility for the processing remains with the controller,
who determines the existence of the processing and its purpose and not with the
processor.

III

Conclusion

Therefore, given that, in the present appeal for reconsideration, no new facts or legal arguments have been
provided that allow the validity of the contested decision to be reconsidered, and that the purpose of the appeal is to review the legality of the
administrative action, it is appropriate to agree to its dismissal, without prejudice to the fact that the
appellant may make a new claim by providing a copy of all the
relevant documents available to it, in relation to a possible infringement in the
Agency's area of competence.

IV
Late resolution

Due to reasons of operation of the administrative body, therefore not attributable to the appellant, to date the mandatory statement of this Agency regarding this appeal has not been issued.


In accordance with the provisions of art. 24 of the LPACAP, the meaning of administrative silence in the procedures for challenging acts and provisions is dismissal.

However, and despite the time elapsed, the Administration is obliged to issue an express resolution and to notify it in all procedures, regardless of their form of initiation, as provided for in art. 21.1 of the aforementioned LPACAP.

In cases of dismissal due to administrative silence, the express resolution
after the expiration of the term will be adopted by the Administration without any
binding to the meaning of the silence, as provided for in art. 24.3 of the same law.

Therefore, it is appropriate to issue the resolution that ends the procedure of the appeal for reconsideration filed.

In view of the provisions cited and other generally applicable provisions, the Presidency of the
Spanish Data Protection Agency RESOLVES:

FIRST: TO DISMISS the appeal for reconsideration filed by BANCO
PICHINCHA ESPAÑA, S.A. against the Resolution of this Spanish Data Protection Agency issued on October 1, 2024, imposing on BANCO PICHINCHA ESPAÑA, S.A., with NIF A85882330, for an infringement of Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of €50,000 (FIFTY THOUSAND EUROS).

SECOND: NOTIFY this resolution to BANCO PICHINCHA ESPAÑA, S.A.

Against this resolution, which puts an end to the administrative procedure, an administrative appeal may be lodged within a period of two months from the day following notification of this act, as provided for in article 46.1 of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, before the
Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of the
referred legal text.

1245-21112023

Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with art. 48.2
LOPDGDD, due to vacancy in the position of President and Deputy.
