AEPD (Spain) - EXP202301519
From GDPRhub
| AEPD - EXP202301519 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 70,000 EUR |
| Parties: | Banco Santander S.A. |
| National Case Number/Name: | EXP202301519 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | fb |
The DPA fined Banco Santander €70,000 after it disclosed excessive information about a data subject to a third party due to a lack of appropriate security measures.
English Summary
Facts
On 31 March 2005, a data subject bought a house through a mortgage loan granted by Banco Santander (the controller). This mortgage loan was guaranteed by two liens: a lien on the purchased house, and a lien on another house owned by a company, Gardeblock S.L. Given this dynamic, if the data subject were to default on the mortgage loan, Gardeblock would be entitled to such information.
On 27 June 2011, Gardeblock sold the house which partially guaranteed the data subject's mortgage. On 5 October 2021, it issued a request to the data subject asking them to pay the mortgage loan back and attached a certificate it had obtained from the controller, which contained an amortisation table of the data subject's mortgage loan with the bank.
However, the data subject's completed payment was not due until 2040 and Gardeblock sold the house voluntarily, not due to a default on the loan. The data subject thus filed a complaint with the Spanish DPA (AEPD) arguing that the controller had improperly facilitated his banking data to a third party.
The controller apologized to the data subject, noting that the mistaken sharing of the bank certificate resulted from an employee's error. It claimed that it had already adopted security measures in order to avoid these kinds of incidents.
Holding
The AEPD found that the controller infringed Articles 5(1)(f) and 32(1) GDPR, and issued a fine of €20,000.
First of all, the AEPD found that the controller provided the certificate to the company, a third party, even though no money was owed to it by the data subject at the moment. The AEPD held that this transfer of data was excessive and should not have occurred. Therefore, it found a violation of Article 5(1)(f) GDPR and issued a fine of €50,000.
Moreover, the AEPD noted that the controller failed to implement appropriate security measures. This led to a security incident since the controller, in its communication to the third party, attached additional information that the third party did not need to know. The AEPD did not uphold the controller’s argument regarding human error. It ruled that it is not enough to just have appropriate measures, but it is also necessary to appropriately enforce them. Therefore, the DPA found a violation of Article 32(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/24
File No.: EXP202301519
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: D. A.A.A. and B.B.B. (hereinafter the complaining party) dated 12/29/2022
filed a claim with the Spanish Data Protection Agency. The
claim is directed against BANCO SANTANDER, S.A. with NIF A39000013 (in
forward, the claimed part). The grounds on which the claim is based are:
following:
On 03/31/2005, he acquired a home through a mortgage guarantee loan
signed with the defendant whose duration was 35 years. In the loan deed,
in addition to the mortgage guarantee of the property itself and personal liability
of the purchasing borrowers, by the company Gardeblock, S.L. (as
added guarantee of repayment of the mortgage loan granted) was established
also a mortgage guarantee on a single-family home owned by said
trade. On 06/27/2011 and voluntarily, the company Gardeblock, S.L.
sold the single-family home that guaranteed the loan transaction to a third party
of the claiming party, with part of the amount obtained from the sale being allocated to
release the outstanding mortgage liability on the party's home
claimant. On 10/05/2021, the complaining party receives a judicial demand from the
mentioned commercial company, demanding payment of the amount that had been paid, despite the fact that the
sale was voluntary and the debt did not mature until the year 2040. Among the documentation
Accompanying the complaint was a bank certificate issued by the party
claimed, dated 06/25/2021, which contained a list with the amortization table of the
mortgage-backed loan signed by the claimant, which covered
from 06/21/2011 until the end of the loan, that is, the entire period
after the release of liability of Gardeblock, S.L. As a result of what happened,
the complaining party filed a claim with the claimed party, on ***DATE.1, by
provide bank details to third parties unrelated to the operation, receiving a response in
date ***DATE.2, in which the claimed party apologizes for what happened and indicates
the following: "We have opened an independent investigation to clarify the
facts and, if necessary, take the necessary measures (both disciplinary and
procedural) to prevent events like this from occurring again. After reviewing the
reported facts, unfortunately we have confirmed that, after a request
formal information on payments made by the company Gardeblock, S.L.
about a mortgage loan, the branch attached information due to human error
additional movements subsequent to the amortization finally carried out by said
company".
Along with the claim, provide accreditation of the representation, a copy of the deed
of the mortgage loan, copy of the certificate and the documentation attached to it
(amortization table), copy of the claim made and the response
received, documentation relating to communications maintained with the party
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/24
claimed requesting financial compensation for what happened and the
corresponding responses rejecting any type of compensation.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on 02/08/2023 said claim was communicated to the party
claimed, so that it could proceed with its analysis and inform this Agency within the period
of one month, of the actions carried out to adapt to the planned requirements
in data protection regulations.
The transfer, which was carried out in accordance with the rules established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), was collected on 02/09/2023
as stated in the acknowledgment of receipt in the file.
The person complained about in writing dated 03/14/2023 stated:
That at the time a loan was granted to the claimant, guaranteed with
a mortgage on the home that was the object of acquisition and that was
to finance; that the aforementioned mortgage loan, in addition to being guaranteed by the aforementioned
housing was also guaranteed by a property that was owned by the company
Gardeblock, SL, which appeared in the loan deed as mortgagee, did not
debtor.
The company Gardeblock, S.L. sold the single-family home to a third party, which
guaranteed according to that Ninth Clause of the mortgage deed the loan
of the claiming party for up to 94,000 euros of principal, plus ordinary interest,
late payment interest and costs, and proceeded to release the mortgage liability
pending on the home of Gardeblock, S.L., through payment to me
represented of the amount of 85,344.01 euros, for which it was granted in favor of
that entity the deed of cancellation of the mortgage established, according to the
certificate issued by the bank attached to the claim.
That the claimant party received a judicial claim from that party
entity, among the documentation that accompanied the demand, there is a certificate
bank issued by the defendant, which contains a list with the table of
amortization of the loan with mortgage guarantee signed by the claiming party,
which spanned from June 21, 2011 until the end of the loan.
For this reason, the claimant filed a claim with the defendant for
provide bank details to third parties unrelated to the operation.
The Privacy Office responded to this complaint by apologizing,
stating that measures were taken to prevent it from happening again, all of this
as a consequence of having produced information by mistake that extends to
movements after the amortization of the loan by the aforementioned company.
The claimants have provided to the Agency, in addition to the certificate of the
cancellation of the mortgage of the Gardeblock company, two types of documents
different: one, which is identified as a Payment Schedule and another, as a Payment Schedule.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/24
issued operations; this second document in which the payments are reflected
of each of the amortization and interest installments should not have been delivered.
THIRD: On 03/29/2023, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.
FOURTH: On 06/05/2023, the Director of the Spanish Protection Agency
of Data agreed to initiate sanctioning proceedings against the person complained of for the alleged
infringement for the alleged violation of articles 5.1.f) and 32.1 of the RGPD, classified
in articles 83.5.a) and 83.4.a) of the aforementioned RGPD.
FIFTH: Once the initiation agreement was notified, the defendant presented a written statement of allegations
on 06/22/2023 stating, in summary: that when the
incident the internal gap management procedure was put into operation
security and the review of the actions taken and the facts show that
the office employee who finally delivers the list of start and end amortizations
concluded the consultation process with the Department that was supposed to advise him,
human error occurring in the interpretation of the instructions received; that
The delivery of the certificate occurs due to a defective understanding by the
employee, even when advised, and this for the
fact that it is not a simple operation, but rather complex due to the presence in the
loan contract of a non-debtor mortgagee who is a party to the contract, an error that
It is understood that it may occur within the framework of legal relationships in this type of
contract; that we are faced with an excusable error and not a lack of diligence.
SIXTH: On 07/07/2023, the procedure instructor agreed to open
a period of test practice, agreeing to the following:
- Consider reproduced for evidentiary purposes the claims filed by
the claimants and their documentation, the documents obtained and generated
by the Inspection Services that are part of the file.
- Consider reproduced for evidentiary purposes, the allegations to the agreement of
initiation presented by the claimant and the accompanying documentation.
SEVENTH: On 04/04/2024, a Proposed Resolution was issued in the sense
that the Director of the AEPD would sanction the party complained of for infringement
of articles 5.1.f) and 32.1 of the RGPD, typified in articles 83.5.a) and 83.4.a) of the
GDPR, with fines of €50,000 (fifty thousand euros) and €20,000 (twenty thousand euros),
respectively.
The aforementioned Proposal was notified, accessing its content on 04/08/2024, as recorded
In acknowledgment of receipt, the claimed party in writing dated 04/22/2024 indicated that there had been
opted to proceed with the voluntary payment of sanctions in response to the reductions
is provided for in article 85 of the LPACAP, with waiver of any appeal
administrative, recognizing its responsibility in relation to the events that have
given rise to the procedure.
The claimed party attached proof of having paid the sanctions
with the double reduction, in response, first, to the recognition of responsibility and,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/24
second, by voluntary payment before the resolution of the
procedure, reduced to 42,000 euros.
In writing dated 05/03/2024, the instructor of the procedure informed the
claimed party that the recognition of responsibility had to be expressed
initiated the procedure, during the period to formulate allegations at the opening of the
procedure in accordance with the provisions of article 85 of Law 39/2015,
so that the planned reduction of 20% on the sanction would be applicable, unlike
in relation to the discount for voluntary payment of the penalty, which could be applied
when such payment occurs at any time prior to resolution; that he
Article 85.2 of the LPACAP refers expressly and solely to voluntary payment, and
not to the recognition of liability, determining that said payment may be
occur at any time prior to resolution. And that article 85.3 indicates
that “In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction”, which would mean
that both must be in the initial agreement, so it does not contemplate that
both reductions are in the resolution proposal or can be paid
cumulatively at any time prior to resolution; that based on everything
This was granted a period of three days in order for them to express whether or not they accepted the
the only reduction to which they are entitled, indicated in the Resolution Proposal,
reduction by voluntary payment of the proposed sanctions before relapse
Resolution, making the corresponding deposit.
On 05/14/2024, the claimed party presented a written statement of allegations in
response to the instructor of the procedure stating in a single allegation that not even in the
article 85 of the LPACAP, nor in any other precept is there justification for the
limitation that is intended to be applied under section 1 of the aforementioned article, which
ruling of the TS of 06/10/2022 already indicates that article 85 effectively establishes and
distinguishes two ways of finishing the procedure, however these ways are not
distinguished by the existence of unknown time frames for their exercise
but for its subsequent effects and, finally, that the diction of article 85.3 LPACAP
supports the interpretation postulated by the claimed party.
EIGHTH: Of the actions carried out in this procedure, they have been
accredited the following,
PROVEN FACTS
FIRST. On 12/29/2022, the AEPD has a written entry from the complaining party in
who states that on 03/31/2005 he acquired a home through a loan with
mortgage guarantee signed with the claimed party. In the loan deed,
He also established with the company Gardeblock, S.L. mortgage guarantee on a
single-family home owned by said company. On date 06/27/2011 and in
voluntarily, the company Gardeblock, S.L. released his mortgage liability
pending payment on the claimant's home. On 10/05/2021, the
The complaining party receives a lawsuit from the aforementioned company, demanding payment of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/24
amount that had been paid, even though the sale was voluntary and the debt did not mature
until the year 2040. Among the documentation that accompanied the lawsuit, there was
a bank certificate issued by the claimed party, dated 06/25/2021, which contained
a list with the amortization table of the loan with mortgage guarantee
signed by the claiming party, which covered from the release of the
responsibility of Gardeblock, S.L. until the end of the loan. The part
claimant filed a claim with the claimed party for providing bank details
to third parties unrelated to the operation, receiving a response in which he apologizes for the
occurred and states the following: "We have opened an independent investigation to
clarify the facts and, if necessary, take the necessary measures (both
disciplinary as well as procedural) to prevent events like this from happening again.
occur. After reviewing the reported facts, we have unfortunately confirmed that,
following a formal request for information on payments made by the company
Gardeblock, S.L. about a mortgage loan, the branch attached by mistake
human additional information of movements after amortization finally
carried out by said company".
SECOND. The DNIs of the claimants are provided.
THIRD. A document issued by the claimed party is provided in which
MANIFESTS:
“(…)
That on November 14, 2011, through public deed granted before the
Notary D. C.C.C. to the XXX number of your protocol, cancellation of the load was granted
mortgage registered on the registered property number XXXX, after amortization
extraordinary loan of the previously described loan made in the amount of 85,344.01
euros. The loan amortization table is attached as an annex to this document.
since said date.
And for the record I issue this document, at the request of D.D.D. in
representation of Gardeblock, S.L., in Zaragoza on June 21, 2021.”
ROOM. The Table of Transactions Issued and Payment Schedule is provided.
of the loan granted.
FIFTH. There is a writing dated 11/08/2021 from the lawyer of the claimant addressed to the
party claimed in connection with the delivery without consent of documentation
confidential financial information to a third party (Gardeblock, S.L.), unrelated to the commercial relationship that
they maintain their representation with the claimed party, used to exercise actions
judicial proceedings unrelated to their interests.
SIXTH. There is a representation of the lawyer of the complaining party and emails
emails crossed between the lawyer and the claimed party dated 02/04/2022,
03/18/2022 and 04/27/2022, in which, among others, financial compensation is requested
for the damages caused.
SEVENTH. There is a document sent by the claimed party to the party's lawyer
claimant, dated 01/25/2022, stating that:
“(…)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/24
After reviewing the reported facts, we have unfortunately confirmed that after a
formal request for information on payments made by the Gardeblock company,
S.L., on a mortgage loan, the branch attached due to human error
additional information on movements after amortization finally
carried out by said company.
(…)”
EIGHTH. The defendant has provided Circular C.028/2021, the purpose of which is to inform
on the operation of the specialized Legal Advice Units that
It is provided to the Office Network and other Areas of Santander Spain.
NINETH. The defendant has provided Circular C.097-2019 so that the
Offices that could not obtain the information through the Santander tools, were
created the new Popular historical data service.
TENTH. There are screen prints related to the office's actions with the
Business Legal Assistance (AJN) department.
ELEVENTH. There is an email sent to AJN in which the following appears:
“From: E.E.E. <***EMAIL.1>
(…)
On this matter, tell you that the company Gardeblock S.l. through the lawyer
… (the powers were enough before reporting anything), he asked us for a certificate
where it was indicated that the company had amortized the mortgage of the part
claimant an amount from the sale of the property that had been transferred to them
as a guarantee. They provided us with sales deeds, a copy of the check and more.
documentation. With all this, internal legal advice was asked to tell us
what to do and the answer was that we asked the popular historian for more documentation
since we did not have enough information.
Everything was requested and we got a discrepancy in the amount they said they had
amortized and the one that appeared in popular historical records. We returned to consult with advice
legal and told us to certify with the amount that came to us,
providing us with the certificate model and the documentation that we had to
contribute to them, which was the amortization table from that date.
I attach all legal advice queries, as well as all the documentation that
we have obtained.
(…)”.
TWELFTH. The defendant has provided a final report regarding the incident and
Risk analysis; The incident is classified as moderate.
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/24
control authority and as established in articles 47, 48.1, 64.2 and 6 8.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The
Procedures processed by the Spanish Data Protection Agency will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions dictated in its development and, as far as they are not
contradict, on a subsidiary basis, by the general rules on the
administrative procedures."
II
Previous Question
The claimed party, notified of the Proposed Resolution dated
04/08/2024, in writing dated 04/22/2024 stated: “That, in accordance with what
provided for in the aforementioned Agreement, my client has chosen to proceed, within the
period granted, to the voluntary payment of sanctions in response to the reductions
provided for in article 85 of the LPACAP, with waiver if accepted
any appeal through administrative channels, recognizing their responsibility in relation
with the facts that have given rise to this procedure.
That as proven by the transfer receipt, which is attached, my
represented has made the payment of the penalty, with the double reduction provided for in
that precept, in attention, first, to the recognition of responsibility and,
second, which proceeds by payment voluntarily before the resolution is issued
of the procedure as long as at the same time a sanction has not been imposed
pecuniary, as a consequence of which, the penalty has been reduced to 42,000
euros”.
On 05/03/2024, the instructor of the procedure informed the party
claimed that the double reduction was not possible since the recognition of the
responsibility had to be manifested at the beginning of the procedure, during the period for
formulate allegations at the opening of the procedure in accordance with the provisions
in article 85.1 of Law 39/2015, so that the planned reduction of the
20% of the penalty, differentiating from the reduction for voluntary payment of the penalty,
which could apply when said payment occurs at any time prior to
the resolution and they were granted a period of three days in order to express whether they
accepted or not the only reduction to which they were entitled, indicated in the Proposal of
resolution.
The claimed party has argued that neither in article 85 of the LPACAP, nor in
There is no other precept justification for the limitation that is intended to be applied to the
protection of what is stated in article 85.1 of the LPACAP, agreeing that
such acknowledgment of responsibility must be made “initiated” by the procedure,
because it expressly says so in the aforementioned precept, but what it does not say
precept is that such recognition must be made only “at the beginning” of the procedure,
reason why this entity cannot accept such an interpretation that it considers
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/24
restrictive of his rights and, he goes to strengthen his argument to the ruling of the TS
1260/2022, October 6, 2022.
It should be noted that the Proposed Resolution issued on 04/04/2024,
In its operative part it stated that:
“That by the Director of the Spanish Data Protection Agency,
sanction BANCO SANTANDER, S.A., with NIF A39000013,
- For the violation of article 5.1.f), typified in article 83.5.a) of the aforementioned
GDPR, a fine of €50,000 (fifty thousand euros), and
- For the violation of article 32.1 of the RGPD, typified in article 83.4.a)
of the aforementioned RGPD, a fine of €20,000 (twenty thousand euros).
Likewise, in accordance with the provisions of article 85.2 of the LPACAP,
You are informed that you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
It will mean a reduction of 20% of the total amount. With the application of
this reduction, the penalty would be established at €56,000 (fifty-six thousand
euros) and its payment will imply the termination of the procedure, without prejudice to the
imposition of the corresponding measures. The effectiveness of this reduction will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.”
On the other hand, article 85, Termination of sanctioning procedures,
of the LPACAP establishes that:
"1. A sanctioning procedure has been initiated, if the offender recognizes his
responsibility, the procedure may be resolved with the imposition of the sanction
that proceeds.
2. When the sanction is solely pecuniary in nature or fits
impose a pecuniary sanction and another of a non-pecuniary nature but it has been justified
the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature,
The body competent to resolve the procedure will apply reductions of, at
least, 20% of the amount of the proposed sanction, these being cumulative
each other. The aforementioned reductions must be determined in the notification of
initiation of the procedure and its effectiveness will be conditioned on the withdrawal or
waiver of any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased
regulations.
The recognition of responsibility, as indicated in the Agreement of
initiation, the procedure must be declared initiated, during the period to formulate
allegations at the opening of the procedure. This is in accordance with the provisions of
the aforementioned article 85 of Law 39/2015, according to which the recognition of the
responsibility must occur “once the procedure has been initiated” for the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/24
planned reduction of 20% on the penalty, unlike what is established
expressly in relation to the discount for voluntary payment of the penalty, which
may be applied when said payment occurs at any time prior to the
resolution. If the aforementioned precept has distinguished the conditions in the two modes of
voluntary termination of the indicated procedure, no interpretation should
equalize these conditions as if there were no differences in their regulation.
Article 85.2 of the LPACAP refers expressly and solely to the payment
voluntary, and not to the recognition of responsibility, determining that said payment
may occur at any time prior to the resolution. Thus, it does not fit
distinguish or oblige where the Law does not distinguish or oblige. Furthermore, the
Article 85.3 indicates that “In both cases, when the sanction has only
pecuniary nature, the body competent to resolve the procedure will apply
reductions of at least 20% on the amount of the proposed penalty, being
these can be accumulated with each other. The aforementioned reductions must be determined in
the notification of initiation of the
procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction”, which means that
both must be in the initiation agreement (referral of article 85.1 to 64 of the
LPACAP), so it does not contemplate that both reductions are in the proposal
resolution or that can be paid cumulatively at any time
prior to the resolution.
This is also understood by the National Court, Contentious Chamber.
administrative, Section 1, which in its Judgment of 02/05/2021, Rec. 41/2019, indicates
that voluntary payment can occur at any time prior to the
resolution, while the reduction due to recognition of responsibility is
linked to the initiation agreement and the provision of article 64.2.d) of Law 39/2015: “In
regarding the violation of the provisions of articles 64 and 85 of Law 39/2015, which
contemplate the possibility of recognizing responsibility at the time of
notification of the resolution to initiate the procedure (art. 64.2.d) and take advantage of the
reductions provided for in article 85, in the agreement to initiate the procedure there are
an express reference to those articles, indicating that the
sections 2 and 3 of article 85; Furthermore, at no time has the plaintiff
shown their willingness to recognize responsibility for the sanctioned infraction and
take advantage of the possibility established in said articles (voluntary payment can
be made at any time prior to the resolution), so it is appropriate to reject
also this allegation.”
Finally, in relation to STS 1260/2022, of 10/06/2022, although
related to what is being elucidated in this sanctioning procedure,
the issue submitted for debate in the Fifth Section of the Contentious Chamber-
administrative process of the TS was a completely different matter: determining whether
the expiration of the procedure had actually occurred because the
deadline established for its processing, and linked to the above, if it should be understood
that the procedure had ended with the advance payment, with the reduction of the
20%, who had accepted the sanction, without the need for a subsequent resolution
express, or if, on the contrary, the termination of the procedure does not occur unless
when the express act is issued putting an end to it, that is, with the agreement of the
Council of Ministers that is the object of challenge in this process.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/24
For greater completeness, the First Foundation, Object of the appeal, is indicated
that: “(…) The proposed resolution includes the facts and qualifications already presented
above, even when the amount of liability caused to the
public domain, being notified to the interested party on April 19, 2021. The
The following day, May 14, he presents the sanctioned document in which he accepts the facts
accused, taking advantage of the power of voluntary payment of the proposed sanction, with
the reduction of 20 percent, being given a payment letter by the Organization of
Cuenca, which was attended by the sanctioned one (the emphasis is from the AEPD).
(…)”.
Therefore, not accepting the allegations made by the claimed party in
your letter of 05/14/12024, that the reductions requested be admitted with
after the issuance of the Proposed Resolution, it cannot be considered that
the interested party has legally taken advantage of neither of the two reductions provided
in the aforementioned article 85, with which you must enter the total amount of the fines
corresponding to the infractions committed, without any reduction, in accordance
with what is stated in the operative part of this Resolution.
III
First unfulfilled obligation: violation of article 5.1.f) of the RGPD
The claimed facts materialize in access to the party's data
claimant, as a consequence of the information transmitted to a third party by the
claimed in relation to a mortgage loan taken out by the complaining party, which
which could lead to the violation of data protection regulations
of a personal nature.
Article 5 of the GDPR, Principles relating to processing, states that:
"1. The personal data will be:
(…)”
f) treated in such a way as to ensure adequate safety of the
personal data, including protection against unauthorized processing or
unlawful and against its loss, destruction or accidental damage, through the application
of appropriate technical or organizational measures ("integrity and
confidentiality»).
(…)”
Likewise, in Considering 39 it is stated that “All measures must be taken
reasonable measures to ensure that data is rectified or deleted
personal information that is inaccurate. Personal data must be processed in a way that
ensures adequate security and confidentiality of personal data,
including to prevent unauthorized access or use of such data and the equipment
used in treatment.
The documentation in the file offers clear indications that the
claimed has violated article 5 of the RGPD, principles relating to processing, in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/24
regarding the principle of data confidentiality contained in section 1, letter
f), when communicated to a third party, non-debtor mortgagee, list containing the
amortization table of loan with mortgage guarantee signed by the party
claimant, violating the duty of confidentiality and integrity of the data.
This duty must be understood to have the purpose of preventing
data leaks not consented to by the data owners and comes
regulated in the aforementioned article with reference to the principle of integrity and
Confidentiality as one of the principles of data protection:
In the response offered to the request for information made by the
AEPD, on 03/13/2023, ratified in the document of allegations to the agreement of
At the beginning, the defendant stated: “On October 5, 2021, the complaining party
receives a legal demand from the aforementioned company, demanding payment of the amount that
had paid, even though the sale was voluntary and the debt did not mature until the year
2040.
Among the documentation that accompanied the claim, there was a certificate
bank issued by the claimed party, on June 25, 2021, which contained
a list with the amortization table of the loan with mortgage guarantee
signed by the complaining party, which covered from June 21, 2011 until
termination of the loan, that is, the entire period after the release of the
responsibility of Gardeblock, S.L.”
And in writing dated 06/21/2023 it stated that “a delivery has occurred
inadequate data by the person in charge of delivering the certificate that originates
these actions due to their defective understanding of the advice received
in relation to a complex contractual relationship” (the underlinings correspond to the
AEPD).
Likewise, in the Report prepared as a result of the incident it is indicated that “…
from the moment the Bank releases from liability the property owned by
Gardeblock, it should be considered excessive to provide information regarding the contract and
"its movements since that date, as they have occurred."
The duty of confidentiality is an obligation that falls not only on the
responsible and in charge of the treatment but to anyone who intervenes in any
treatment phase and complementary to the duty of professional secrecy.
Therefore, the action carried out by the defendant allowing access to
the banking information of the complaining party by a third party constitutes the violation
of article 5.1.f) of the RGPD, an infringement classified in article 83.5.a) of the aforementioned
GDPR.
IV
Classification of the violation of article 5.1.f) of the RGPD
The infraction attributed to the person complained of is classified in the
article 83.5 a) of the GDPR, which considers that the violation of “the basic principles
for processing, including the conditions for consent under the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/24
articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned
article 83 of the aforementioned Regulation, “with administrative fines of €20,000,000 as
maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the total global annual turnover of the previous financial year,
opting for the highest amount.”
The LOPDGDD in its article 71, Infractions, states that: “They constitute
infractions the acts and conduct referred to in sections 4, 5 and 6 of the
article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law.”
And in its article 72, it considers for the purposes of prescription, which are: “Infringements
considered very serious:
1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
involve a substantial violation of the articles mentioned therein and, in
in particular, the following:
(…)
a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.
(…)”
V
Penalty for violation of article 5.1.f) of the RGPD
In order to establish the administrative fine that should be imposed, they must
The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which
they point out:
"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated
in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of interested parties affected and the level of damage and
damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment
to alleviate the damages and losses suffered by the interested parties;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/24
d) the degree of responsibility of the person responsible or in charge of the
processing, taking into account the technical or organizational measures that have been
applied under articles 25 and 32;
e) any previous infraction committed by the person responsible or in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person responsible or the person in charge notified the infringement and, in that case,
what extent;
i) when the measures indicated in Article 58(2) have been
previously ordered against the person responsible or the person in charge in question
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms
of certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
or indirectly, through infringement.”
In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:
"2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of treatments
of personal data.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the
commission of the infraction.
e) The existence of a merger by absorption process after the commission
of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when it is not mandatory, a delegate for the protection of
data.
h) Submission by the person responsible or in charge, with character
voluntary, to alternative conflict resolution mechanisms, in those
cases in which there are disputes between them and any
interested."
- In accordance with the transcribed precepts, and without prejudice to what results from
the instruction of the procedure, in order to set the amount of the sanction to be imposed
in the present case for the violation of article 5.1.f) of the RGPD, typified in the
article 83.5.a) of the RGPD for which the defendant is held responsible, in an assessment
initial, the following factors are considered concurrent, such as circumstances
aggravating factors:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/24
The nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question; the
The facts revealed affect a basic principle regarding the treatment of
personal data, such as their confidentiality, which the
norm sanctions with the greatest severity by enabling with its actions access to a
third party that was not legitimized with the damages that this may entail since the
banking information provided was used by the aforementioned company (the third party),
attaching them to the judicial complaint against the claiming party, demanding payment of the
amount that had been paid (article 83.2, a) of the RGPD).
The activity of the allegedly infringing entity is linked to the
processing of data of both clients and third parties. In the activity of the entity
claimed, it is essential to process the personal data of your
customers so, given its business volume, the significance of the
conduct that is the subject of this claim is undeniable (article 76.2.b) of the
LOPDGDD in relation to article 83.2.k).
The intention or negligence in the infringement; there is a serious lack of
diligence in the actions of the defendant since the transfer of the information to a
Third, it constitutes an illegal act for which he was not entitled. Also connected with
the degree of diligence that the data controller is obliged to display in
compliance with the obligations imposed by data protection regulations
the SAN of 10/17/2007 can be cited. Although it was issued before the validity of the
RGPD, its pronouncement can be perfectly extrapolated to the case we are analyzing.
The ruling, after alluding to the fact that the entities in which the development of their
activity entails continuous processing of customer data and third parties must
observe an adequate level of diligence, specified that “(...). the Supreme Court
It is understood that imprudence exists whenever a legal duty is neglected
of care, that is, when the offender does not behave with the required diligence. And in
When assessing the degree of diligence, special consideration must be given to
professionalism or not of the subject, and there is no doubt that, in the case now examined,
when the appellant's activity is constant and abundant handling of data
personal character, rigor and exquisite care must be insisted on in conforming to the
legal preventions in this regard” (article 83.2, b) of the RGPD).
The business volume of the defendant since it is one of the entities
leading financial institutions within the Spanish market, due to their business purpose (article
83.2, k) of the GDPR).
In accordance with the foregoing, it is considered appropriate to establish a sanction of
50,000 euros for violation of article 5.1.f) of the RGPD.
SAW
Second unfulfilled obligation: violation of article 32.1 of the RGPD
Article 32 of the GDPR “Security of processing” establishes that:
"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/24
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to guarantee the confidentiality, integrity, availability and
permanent resilience of treatment systems and services;
c) the ability to restore availability and access to data
personnel quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of effectiveness
of the technical and organizational measures to guarantee the security of the
treatment.
2. When evaluating the adequacy of the security level, particular consideration will be given to
take into account the risks presented by data processing, in particular as
consequence of accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element
to demonstrate compliance with the requirements established in section 1 of the
present article.
4. The controller and the person in charge of the treatment will take measures to
ensure that any person acting under the authority of the controller or
manager and has access to personal data can only process said data
following instructions from the person responsible, unless obliged to do so by virtue of the
Law of the Union or of the Member States”.
The GDPR defines personal data security breaches as
“all those security violations that cause the destruction, loss or
accidental or illicit alteration of personal data transmitted, preserved or processed
otherwise, or unauthorized communication or access to said data.”
The documentation in the file offers clear indications that the
claimed has violated article 32.1 of the RGPD, when an incident of
security, motivated by the absence of diligence in compliance with the measures
implemented of a technical and organizational nature.
It should be noted that the RGPD in the aforementioned provision does not establish a list of
the security measures that are applicable in accordance with the data that are
object of treatment, but establishes that the person responsible and the person in charge of the
treatment will apply technical and organizational measures that are appropriate to the risk
that the treatment entails, taking into account the state of the art, the costs of
application, the nature, scope, context and purposes of the processing, the risks of
probability and seriousness for the rights and freedoms of the persons concerned.
Likewise, security measures must be adequate and
proportionate to the risk detected, pointing out that the determination of the measures
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/24
technical and organizational measures must be carried out taking into account: pseudonymization and
encryption, the ability to guarantee the confidentiality, integrity, availability and
resilience, the ability to restore availability and access to data after a
incident, verification process (not audit), evaluation and assessment of the
effectiveness of the measures.
In any case, when evaluating the adequacy of the security level, the
particularly taking into account the risks presented by data processing, such as
consequence of accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data and that could cause damages and losses
physical, material or immaterial.
In this same sense, recital 83 of the GDPR states that:
“(83) In order to maintain security and prevent the treatment from infringing the
provided in this Regulation, the person responsible or the person in charge must evaluate
the risks inherent to the treatment and apply measures to mitigate them, such as
encryption. These measures must guarantee an adequate level of security, including the
confidentiality, taking into account the state of the art and the cost of its application
regarding the risks and the nature of the personal data that must be
protect yourself. When assessing risk in relation to data security,
take into account the risks arising from the processing of personal data,
such as accidental or unlawful destruction, loss or alteration of personal data
transmitted, preserved or otherwise processed, or the communication or access is not
authorized to such data, which may in particular cause damage and harm
physical, material or immaterial.”
- In the case analyzed, as stated in the facts and within the framework of the
investigation file, the AEPD transferred the claim presented to the defendant
for analysis requesting the contribution of information related to the incident
claimed, confirming in your response the transfer of the bank certificate to the third party
applicant thereof, non-debtor mortgagee.
In this way, the claimed party indicated that “In relation to this, received
the claim of the interested parties, after reviewing the reported facts, the
response confirming that, unfortunately, the branch has attached by mistake
additional information on movements after amortization finally
carried out by said company, conveying our most sincere apologies, as
as a result of the response of the Privacy Office that the complainants join their
claim".
He has also stated that “it is evident that the Bank has carried out the
actions necessary to fulfill the obligation to implement appropriate measures
to ensure a level of security appropriate to the risk of the treatment, although in
In this specific case, an unintended result could not have been avoided for reasons
alien to the process”
It should be noted that the responsibility of the defendant is determined by
not having adopted the appropriate care and agility to avoid errors such as
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/24
indicated, since he is responsible for making decisions aimed at implementing and
effectively adapt appropriate organizational measures in order to guarantee
a level of security appropriate to the risk to ensure the confidentiality of the
data, restoring its availability and preventing access to it in case of
physical or technical incident.
In the email dated 11/09/2021 sent to Communications
Judicial Adm states that:
“(…)
With all this, internal legal advice was asked to tell us what to do.
and the response was that we requested more documentation from the popular historian since we did not
We had enough information.
Everything was requested and we got a discrepancy in the amount they said
have been amortized and the one that appeared in popular historical records. We consulted again with
legal advice and told us to certify with the amount that would cost us
us, providing us with the certificate model and the documentation that we had to
contribute to them, which was the amortization table from that date.
I attach all legal advice queries, as well as all the
documentation we have obtained.
(…)”.
What is not consistent with what was indicated by the party claimed in the Report
about the incident produced when it indicates that: “(…) This process is
implanted and its normal operation is confirmed, verifying that it is used by the
offices appropriately (in the incident we are analyzing the employee has
observed the existing procedure), so that it is possible to conclude the existence in
Banco Santander of a diligent and risk-appropriate measure that guarantees that in
The issuance of this type of certificates does not result in accidental or fortuitous access
of personal data to the wrong recipient, so in this incident
has produced a regrettable human error, conceptual and specific, in the interpretation
of the instructions received and, specifically, about who were the owners of the
mortgage loan.
However, from the aforementioned communication it appears that when in doubt or
discrepancy expressed by not squaring the amortized amount with the amount of the
checks received, the acting branch again requested advice from
AJN department and they were told the certificate they had to issue, facilitating the
model of the same and the documentation that had to be attached with it: the
amortization table from that date (the underlinings are from the AEPD).
It is true that the certificate delivered did not affect its content from the
initial of the amortization schedule, from the beginning of the loan until the moment of
the amortization by the company Gardeblock, S.L. to whom the certificate was delivered
complete, was therefore entitled to have it and receive it until that date, but not
of course, from that date, receive information on the amortization schedule
after the moment in which the company had made the payment, releasing its
mortgage liability estate.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/24
The measures established must be necessary to prevent this type of
incidents can occur and rigorously adjust to the procedures that
are implemented by the entity to avoid them since it is ultimately about preserving
the confidentiality of data in the actions and operations of its clients.
The claimed party must have a protocol, procedure, etc., which at the same time
implemented can guarantee security in the processing of information and
the data and prevent improper access to it, a situation
which in the present case has not occurred since the measures adopted have not
guaranteed that in the issuance of the certificate there has been no access to the
personal data by an improper recipient, the third party, providing information
improper.
Therefore, the taking of measures must include the impact that the
rights and freedoms could have an incident, it occurs accidentally,
human, natural or technological and aimed at both reducing the impact and
probability of the same, which must be constantly renewed and improved.
- The defendant also alleges that the ruling of the T.S. from 02/15/2022
clearly establishes that the obligation to adopt technical and organizational measures
aimed at guaranteeing confidentiality is an obligation of means and not of
results.
The defendant acknowledges that in his actions the existence of the incident of
security when additional information on subsequent movements is mistakenly attached
to the amortization finally carried out by the company - third in contention -.
It is true that the T.S. In its ruling it states that: “The obligation to adopt the
measures necessary to ensure the security of personal data cannot
be considered an obligation of result, which implies that a leak of
personal data to a third party there is liability regardless of the
measures adopted and the activity carried out by the person responsible for the file or the
treatment.
In result obligations there is a commitment consisting of the
fulfillment of a certain objective, ensuring the proposed achievement or result,
In this case, guarantee the security of personal data and the absence of
security leaks or breaches.
In the obligations of means the commitment that is acquired is to adopt
the technical and organizational means, as well as deploying diligent activity in its
implementation and use that tends to achieve the expected result with means
that can reasonably be classified as suitable and sufficient for its achievement,
For this reason, they are called "diligence" or "behavioral" obligations.
The difference lies in the responsibility in both cases, because while
that in the obligation of result one responds to a harmful result due to the failure of the
security system, whatever its cause and the diligence used. In the
obligation of means, it is enough to establish technically adequate measures and
implement and use them with reasonable diligence.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/24
In the latter, the sufficiency of the security measures that the
responsible must establish must be put in relation to the state of technology
at any given time and the level of protection required in relation to the data
treated, but a result is not guaranteed.”
But it is also true that the Court confirms that the design is not sufficient
of the necessary technical and organizational means, since it is also
Its correct implementation and use in an appropriate manner is necessary, which would
We must add diligent action that has not occurred in the present case.
Therefore, in accordance with the foregoing, it is estimated that the defendant
would be responsible for the violation of article 32.1 of the RGPD, an offense classified in
its article 83.4.a).
IX
Classification of the violation of article 32.1 of the RGPD
The violation of article 32 of the RGPD is classified in the article
83.4.a) of the aforementioned RGPD in the following terms:
"4. Violations of the following provisions will be sanctioned, according to
with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
a) the obligations of the controller and the processor pursuant to Articles 8,
11, 25 to 39, 42 and 43.
(…)”
For its part, the LOPDGDD in its article 73, for the purposes of prescription, qualifies
of “Infringements considered serious”:
“Based on what is established in article 83.4 of Regulation (EU) 2016/679
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
g) The bankruptcy, as a consequence of the lack of due diligence,
of the technical and organizational measures that have been implemented in accordance
as required by article 32.1 of Regulation (EU) 2016/679.”
(…)”
VIII
In order to establish the administrative fine that should be imposed, they must
The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which
they point out:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/24
"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated
in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of interested parties affected and the level of damage and
damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment
to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the
processing, taking into account the technical or organizational measures that have been
applied under articles 25 and 32;
e) any previous infraction committed by the person responsible or in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to put
remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person responsible or the person in charge notified the infringement and, in that case,
what extent;
i) when the measures indicated in Article 58(2) have been
previously ordered against the person responsible or the person in charge in question
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms
of certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct
or indirectly, through infringement.”
In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:
"2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of treatments
of personal data.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the
commission of the infraction.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 21/24
e) The existence of a merger by absorption process after the commission
of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Have, when it is not mandatory, a delegate for the protection of
data.
h) Submission by the person responsible or in charge, with character
voluntary, to alternative conflict resolution mechanisms, in those
cases in which there are disputes between them and any
interested."
In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction to be imposed in
the present case for the violation of article 32.1 of the RGPD, typified in article
83.4.a) of the RGPD for which the defendant is held responsible, in an initial assessment,
The following factors are considered concurrent, as aggravating circumstances:
The nature and severity of the violation; the facts revealed
affect a basic principle regarding the processing of personal data,
such as their safety, the violation of which the norm punishes
serious way; On the other hand, the management and purpose of the treatment is questioned
carried out by allowing access to the claimant's data, data of type
economic, as a consequence of the communication to a third party of information
relating to the mortgage loan signed by the claimant with the entity and that in
In no case should it have been transmitted due to the damages it could cause, such as
consequence of said delivery and made manifest by the claiming party upon being
used by the third party, contributing them to a legal claim against the claiming party
(article 83.2, a) of the RGPD).
The activity of the allegedly infringing entity is linked to the
processing of data of both clients and third parties. In the activity of the entity
claimed, it is essential to process the personal data of your
customers so, given its business volume, the significance of the
conduct that is the subject of this claim is undeniable (article 76.2.b) of the
LOPDGDD in relation to article 83.2.k).
The intention or negligence in the infringement; there is a serious lack of
diligence in the actions of the defendant since the transfer of the information to a
third constitutes an illegal act for which he was not entitled, violating the measures
organizational. Also connected with the degree of diligence that the person responsible for the
treatment is obliged to deploy in compliance with the obligations that
imposes data protection regulations, the SAN of 10/17/2007 can be cited. Yeah
well it was dictated before the validity of the RGPD, its pronouncement is perfectly
extrapolated to the case we analyze. The sentence, after alluding to the fact that the
entities in which the development of their activity entails continuous processing of
customer and third party data must observe an adequate level of diligence,
specified that “(...). The Supreme Court has been understanding that there is imprudence
whenever a legal duty of care is neglected, that is, when the offender fails
behaves with the required diligence. And in assessing the degree of diligence it must
The professionalism or otherwise of the subject must be especially considered, and there is no doubt that,
In the case now examined, when the appellant's activity is constant and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/24
abundant handling of personal data, emphasis must be placed on rigor and
exquisite care to comply with the legal provisions in this regard” (article 83.2,
b) of the GDPR).
The business volume of the defendant since it is one of the entities
leading financial institutions within the Spanish market, due to their business purpose (article
83.2, k) of the GDPR).
In accordance with the foregoing, it is considered appropriate to establish a sanction of
20,000 euros for violation of article 32.1 of the RGPD.
x
The corrective powers that the RGPD attributes to the AEPD as a control authority
control are listed in article 58.2, sections a) to j).
Upon confirmation of the infractions committed, it is appropriate to agree to impose on the
responsible for adopting appropriate measures to adjust its actions to the
regulations mentioned in this act, in accordance with the provisions of the aforementioned article
58.2 d) of the RGPD, according to which each supervisory authority may “order the
responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where applicable, in a manner
certain manner and within a specified period….” The imposition of this
measure is compatible with the sanction consisting of an administrative fine, as established
provided in art. 83.2 of the GDPR.
Therefore, it would be considered appropriate to order that the defendant within the period of
six months from the finality of the sanctioning resolution which, in any case, will be
dictate that the treatments object of this procedure be adapted to the regulations
applicable. The text of this agreement establishes the facts that
have given rise to the violation of data protection regulations, which is
clearly infers what measures to adopt, without prejudice to the type of
specific procedures, mechanisms or instruments to implement them
corresponds to the sanctioned party, since it is the one who fully knows its organization
and must decide, based on proactive responsibility and a risk approach, how
comply with the RGPD and the LOPDGDD. It is true that the interested party states that he has
updated the incident log with details relating to the violation of the
data security; However, in the present case it is pointed out, among others, as
measures to adopt to improve those already implemented to avoid incidents such as
produced that guarantee that in the issuance of this type of certificates no
cause access to personal data by third parties or improper recipients.
Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of sanctions whose existence has been proven,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE BANCO SANTANDER, S.A., with NIF A39000013,
- For a violation of article 5.1.f) of the RGPD, typified in article 83.5.a)
of the GDPR, a fine of €50,000 (fifty thousand euros).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/24
- For a violation of article 32.1 of the RGPD, typified in article 83.4.a)
of the GDPR, a fine of €20,000 (twenty thousand euros).
SECOND: ORDER BANCO SANTANDER, S.A., with NIF A39000013, which in
under article 58.2.d) of the RGPD, within a period of six months from when the
resolution is firm and executive, proves that it has proceeded to improve the measures
implemented to avoid incidents such as the one that occurred that guarantee that in the
issuance of certificates, access to personal data does not occur for a
third parties or improper recipients, in accordance with the provisions of article
5.1.f) and 32.1 of the RGPD.
THIRD: NOTIFY this resolution to BANCO SANTANDER, S.A.
FOURTH: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, through your entry, indicating the NIF of the sanctioned person and the number of
procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A.. Otherwise, it will be
collection in executive period.
Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/24
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative means if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative procedure within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
