AEPD (Spain) - EXP202303035
| AEPD - EXP202303035 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 20.01.2023 |
| Decided: | 03.01.2025 |
| Published: | 09.01.2025 |
| Fine: | 50,000 EUR |
| Parties: | Banco Pichincha |
| National Case Number/Name: | EXP202303035 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | ao |
The DPA fined a bank €50,000 after its processor unlawfully disclosed personal data of its customer to an impersonator even though the impersonator could not correctly answer identity verification questions.
English Summary
Facts
On 20 January 2023, the data subject filed a complaint against Banco Pichincha, the controller.
The data subject had been experiencing issues with her mobile phone and asked her phone network provider for a copy of her SIM card and a list of the calls made from her number. On receiving the list, she noticed three calls to her bank which she had not made herself.
The data subject then tried to log in to her online banking, but her password generated an access error. She contacted the bank's customer support service in order to change her password. It turned out that someone had impersonated the data subject and accessed her account.
The impersonator had contacted the bank by telephone. The bank was obliged to ask certain security questions in order to identify the caller as the rightful account holder. The bank had outsourced its customer service to another company, which acted as its processor. The processor did not follow the required protocol for security questions: it continued the phone call even though the impersonator could not say how much money was supposed to be in the account and could not state clearly what the data subject's profession was.
During the phone call, the password was changed and the impersonator was able to carry out financial transactions. A total of €50,000 was therefore missing from the data subject's account.
The controller argued that it lawfully processed the data subject’s data and that instead the impersonator should be charged with unlawful processing of personal data.
Holding
The Spanish DPA (Agencia Española de Protección de Datos - AEPD) held that the ultimate responsibility for the processing of personal data remained with the controller as it determined the purpose of the processing. It further explained that if the controller was not held accountable this would mean that controllers would not be liable for the unlawful actions of processors.
With reference to the CJEU case Deutsche Wohnen, the AEPD reiterated that a controller does not have to be aware of the fact that they are infringing the GDPR in order to be sanctioned for it.
The AEPD concluded that the controller had processed the data subject’s personal data without any legal basis under Article 6(1) GDPR. The AEPD stated that the controller had been negligent in verifying the caller’s identity and issued an administrative fine of €50,000.
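The security-question step described in the Facts above, and the controller's duty (restated in the decision) to be able to demonstrate that its processing is lawful, both come down to one design rule for a caller-verification flow: it must fail closed, so that a single unanswered, unclear or incorrect question ends the verification and no OTP is issued, and every question and reply is recorded so the controller can later show what happened. The Python below is an added illustration written for this page; it is not code from the bank, the processor or the AEPD. The question names, the scoring of replies, the partial-credit "lenient" policy used only for contrast, and the sample calls are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Answer(Enum):
    """How the operator records the caller's reply to one security question."""
    CORRECT = "correct"
    INCORRECT = "incorrect"
    UNKNOWN = "unknown"   # caller says they do not know, or answers unclearly


@dataclass
class VerificationResult:
    verified: bool
    questions_asked: int
    reason: str
    audit_log: List[str] = field(default_factory=list)  # one line per question, kept for accountability


# Constructed question set (hypothetical): the decision redacts the real questions.
QUESTIONS = ["account_balance", "profession", "date_of_birth", "postal_code"]


def verify_caller_strict(answers: Dict[str, Answer],
                         questions: List[str] = QUESTIONS) -> VerificationResult:
    """Fail-closed policy: the first reply that is not CORRECT ends the verification."""
    log: List[str] = []
    for number, question in enumerate(questions, start=1):
        answer = answers.get(question, Answer.UNKNOWN)  # an unasked question counts as unanswered
        log.append(f"q{number} {question}: {answer.value}")
        if answer is not Answer.CORRECT:
            return VerificationResult(False, number, f"failed on '{question}' ({answer.value})", log)
    return VerificationResult(True, len(questions), "all questions answered correctly", log)


def verify_caller_lenient(answers: Dict[str, Answer],
                          questions: List[str] = QUESTIONS,
                          required_correct: int = 2) -> VerificationResult:
    """Partial-credit policy (hypothetical, shown only for contrast): keep asking after a wrong
    or unknown reply and accept the caller once enough later replies are correct."""
    log: List[str] = []
    correct = 0
    for number, question in enumerate(questions, start=1):
        answer = answers.get(question, Answer.UNKNOWN)
        log.append(f"q{number} {question}: {answer.value}")
        if answer is Answer.CORRECT:
            correct += 1
        if correct >= required_correct:
            return VerificationResult(True, number, f"{correct} correct replies reached", log)
    return VerificationResult(False, len(questions), f"only {correct} correct replies", log)


def handle_password_reset(answers: Dict[str, Answer],
                          send_otp: Callable[[], None],
                          policy: Callable[[Dict[str, Answer]], VerificationResult] = verify_caller_strict,
                          ) -> Tuple[bool, VerificationResult]:
    """Gate the SMS OTP on the verification outcome: if the caller is not verified, nothing is sent."""
    result = policy(answers)
    if result.verified:
        send_otp()
    return result.verified, result


# Constructed sample replies mirroring the facts: balance unknown, profession unclear,
# later questions answered correctly.
IMPERSONATOR: Dict[str, Answer] = {
    "account_balance": Answer.UNKNOWN,
    "profession": Answer.UNKNOWN,
    "date_of_birth": Answer.CORRECT,
    "postal_code": Answer.CORRECT,
}
GENUINE_CUSTOMER: Dict[str, Answer] = {q: Answer.CORRECT for q in QUESTIONS}


def demo() -> Dict[str, object]:
    """Run both policies over the constructed calls and report whether an OTP would have been sent."""
    otps_sent: List[str] = []

    def record() -> None:       # stand-in for the SMS gateway
        otps_sent.append("otp")

    strict_ok, strict = handle_password_reset(IMPERSONATOR, record)
    lenient_ok, _ = handle_password_reset(IMPERSONATOR, record, policy=verify_caller_lenient)
    genuine_ok, _ = handle_password_reset(GENUINE_CUSTOMER, record)
    return {
        "strict_sends_otp_to_impersonator": strict_ok,
        "strict_questions_asked": strict.questions_asked,
        "lenient_sends_otp_to_impersonator": lenient_ok,
        "genuine_customer_verified": genuine_ok,
        "otps_sent": len(otps_sent),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The contrast is the point: under the partial-credit policy the caller who could not state the balance or profession still receives the OTP once two later replies are correct, which is the pattern the decision describes, while the strict policy stops at the first question and sends nothing. The per-question audit log is what later lets the controller demonstrate compliance, or locate exactly where a processor departed from the protocol.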
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File no.: EXP202303035

RESOLUTION ON APPEAL FOR RECONSIDERATION

Having examined the appeal for reconsideration filed by BANCO PICHINCHA ESPAÑA, S.A. (hereinafter, the appellant) against the resolution issued by the Director of the Spanish Data Protection Agency dated October 1, 2024, and based on the following

FACTS

FIRST: Ms. A.A.A. (hereinafter, the complainant) filed a claim with the Spanish Data Protection Agency on January 20, 2023. The claim is directed against BANCO PICHINCHA ESPAÑA, S.A. with NIF A85882330 (hereinafter, BANK). The following information is provided in the letter received: The complainant states that her telephone number ***TELÉFONO.1, of which she is the owner, was cloned by the company DIGI SPAIN TELECOM, S.L.U. ("DIGI"), since on September 4, 2021, without any security measures tending to reliably identify the person who requested it, a third person, impersonating the complainant, requested the cloning of the telephone, with the purpose of making calls to the bank BANCO PICHINCHA ESPAÑA, S.A. and thus carrying out certain operations that involved a total of 50,000 euros transferred from her bank account to other accounts. A police report and claims made are included with the notification.

SECOND: In accordance with article 65.4 of the LOPDGDD, the claim was transferred to DIGI, so that it could proceed with its analysis and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was recorded on March 8, 2023, as recorded in the acknowledgment of receipt in the file.
On April 5, 2023, this Agency received a response letter indicating that “…in accordance with what was indicated by the Complainant in the complaint filed with the AEPD, on September 7, 2021, because her phone was giving her problems, she requested from her telephone operator a copy of her SIM card, as well as a list of outgoing calls made from her telephone number, verifying that three (3) calls had been made to the PIBANK Customer Service phone which, according to the Complainant, had not been made by her.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/8

Subsequently, according to Ms. A.A.A., on September 28, 2021, she tried to access PIBANK's Online Banking, finding that her usual password generated an access error, which is why she contacted PIBANK's Customer Service, through the contact number 911110000, in order to recover her Online Banking passwords. When a customer requests the recovery of passwords to the Entity's Online Banking, the operator who answers the call has to ask a series of security questions articulated as customer identification defense mechanisms, asking the customer questions whose answers would be easy for them to remember, but at the same time difficult for anyone else to guess. (…): or (…) or (…) or (…) or (…) or (…) or (…) or (…) (…). (…).

In relation to the above, it should be noted that, at the time of the events, the Bank had outsourced customer service to the entity GLOBAL SALES SOLUTIONS LINE, S.L…who was responsible, among other things, for answering incoming calls to the Entity…”.

“…Although, as has been shown, the Bank had reiterated on different occasions, and through different means, to its Provider what the procedure was for a client to recover their Online Banking passwords, as well as the specific instructions regarding the modus operandi of the operators in situations in which the client does not respond correctly and clearly to the questions asked, in the call made by the GSS operator to Ms. A.A.A. on September 6, 2021 at 12:13 p.m., said operator did not strictly comply with the protocol established by the Entity, since, (…), the operator continued to ask more questions of the Complainant, finally initiating the process of automatically sending the corresponding OTP code by SMS to the telephone number that the Complainant provided to the Bank at the time of opening the account (remember that said number was verified by the Complainant herself at the time of contracting, as has been explained ut supra), and that would allow her to change the Online Banking password. In this regard, it is in the interest of the Entity to inform this Agency that, despite the fact that it was a call that was later considered fraudulent, a fact that the Bank later became aware of through the communications made by the Complainant days later, the Bank made available to the Provider all the tools necessary to comply strictly with the current regulations, and did not detect any indication of irregularity that would lead it to distrust a possible fraudulent contract. In this sense, the Bank considers that, if there is a breach, it would be attributable to GSS, since article 28.10 RGPD establishes that: “if a data processor infringes this Regulation when determining the purposes and means of the processing, it will be considered responsible for the processing with respect to said processing.” In light of the above, and as has been evidenced, the Provider breached the instructions provided by the Bank, and in this case must acquire the status of data controller…”.

THIRD: On April 20, 2023, in accordance with article 65 of the LOPDGDD, the claim filed by the complainant was admitted for processing.
FOURTH: On October 2, 2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party, for the alleged violation of article 6.1 of the GDPR, classified in article 83.5 of the GDPR.

FIFTH: Having notified the aforementioned agreement to start in accordance with the rules established in the LPACAP, the respondent party submitted a written statement of allegations in which it requests that it be considered submitted together with the accompanying documents, that they be admitted and, considering the allegations formulated, and after the appropriate procedures, that it be agreed:
- The archiving of the referenced file, nullifying the initiated sanctioning procedure.
- In the event that the previous claim is not accepted by the Agency, it is requested that the substantiated mitigating circumstances be taken into account and, consequently, that the procedure be concluded by means of a warning.
- In the hypothetical case that none of the previous claims were accepted by the AEPD; ultimately, it is requested that the amounts established in the Agreement be reduced, taking into account the arguments stated in the body of the document.

In its allegations, in summary, the respondent party claims:
1. In its first allegation, BANCO refers to the fact that it has had, at all times, sufficient and adequate legitimacy for the processing of the personal data of the complainant party as a result of the formalization, management and execution of the contractual relationship maintained by both. In relation to the impersonation, it considers that the Agency should impute an infringement of article 6 in relation to article 7 of the GDPR to the person who obtained and used the data of the complainant party to obtain an illicit benefit. BANCO also points out that it proceeded immediately to return the amounts stolen, despite the judicial dismissal of the proceedings.
Finally, reference is made to various archive resolutions of the Spanish Data Protection Agency.
2. In its second allegation, BANCO proceeds to analyse the disproportionality of the sanction, as well as the burdens applied in the grading of the sanction, pointing out as mitigating factors for the purposes of reducing the administrative sanction:
- That the entity, acting in good faith, diligence and proactivity, resolved the incident that is the subject of the claim in an effective manner.
- The failure to provide the personal data of the claimant to a third party together with the procedures instituted by the company.
- The absence of alleged prior infringements.
- The high degree of cooperation in order to offer and make available to this body all information that was at its disposal.
- That the entity never provided any personal data to the identity theft maker.
- That the entity has never obtained any kind of benefit.
Finally, it states that the measures in force at the time of the events met the most rigorous standards to deal with the risks and that they were adequate and suitable taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of natural persons. However, the allegations presented were rejected.

SIXTH: On August 8, 2024, a resolution proposal was made, proposing that BANCO PICHINCHA ESPAÑA, S.A., with NIF A85882330, be sanctioned for an infringement of Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, with a fine of €50,000 (FIFTY THOUSAND EUROS).

SEVENTH: Having been notified of the resolution proposal in accordance with the rules established in the LPACAP, the respondent party submitted written allegations on August 21, 2024. In its allegations, in summary, the respondent party states:
1. In its first allegation, BANCO insists that it has always processed the personal data of Ms. A.A.A. (hereinafter, indistinctly, the "Complainant") on an adequate legal basis in accordance with the provisions of article 6 of the GDPR and points out that the person who processed the data without sufficient legitimacy and, therefore, who should have had the consent of the Complainant for its due processing was the impersonator, with the AEPD committing an error as provided in the Proposed Resolution. Finally, in this same allegation it refers to the fact that the AEPD has not followed the same criteria as the Court of Instruction (...) in relation to the dismissal, as well as the principle of certainty and the principle of in dubio pro reo.
2. In its second allegation, BANCO insists on the absence of any type of responsibility for the actions carried out by GSS, as the processor.
3. In its third allegation, BANCO refers to case law which has determined that an action cannot be sanctioned without a certain degree of intent, and that the existence of a culpable infringement constitutes a requirement for the imposition of a fine.
4. Finally, BANCO alleges the principle of proportionality, stating that the proposed sanction is not appropriate and, in the hypothetical case that it were appropriate, it would not be proportional to the factual situation at hand.
It concludes its written allegation by stating that it has attached two receipts of payments made to the AEPD, of €40,000 and €10,000 respectively, and the reasons why it has made said payments. It is clear that these are not a recognition of the alleged facts, but rather the aim is to avoid possible future accruals of interest.
EIGHTH: On October 1, the Director of the Spanish Data Protection Agency issued a resolution imposing on BANCO PICHINCHA ESPAÑA, S.A., with NIF A85882330, for an infringement of article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of €50,000 (FIFTY THOUSAND EUROS).

NINTH: After notification of the aforementioned resolution in accordance with the rules established in the LPACAP, the respondent party filed an appeal for reconsideration, within the legally established period, in which, in summary, it states that:
- In its first allegation, it insists that BANCO PICHINCHA has not breached the provisions of article 6.1 of the GDPR, with the lack of legitimacy falling on the third party who supposedly impersonated the data owner.
- In its second allegation, BANCO PICHINCHA again argues that it gave clear instructions to GSS on how to proceed with the processing of personal data regarding the service provided by it and, as the data processor itself acknowledged the alleged facts, liability cannot be placed on BANCO PICHINCHA.
- In its third allegation, it refers to an error in the assessment of the evidence by this AEPD.
- In its last argument, it insists on the already alleged violation of the principle of proportionality, limiting itself to transferring the literal meaning of the provisions of its resolution in relation to the provisions of articles 83.4 and 83.5 of the GDPR, omitting any motivation in the observation of the principle of proportionality.

LEGAL BASIS

I Competence

The Presidency of the Spanish Data Protection Agency is competent to resolve this appeal, in accordance with the provisions of article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and article 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD).
II Grounds for the contested decision

In relation to the statements made in the appeal, which basically reiterate those already made during the processing of this case, it should be noted that these were already analysed and rejected in the contested decision, the grounds for which remain fully valid.

In the present case, there were various calls to the BANK to carry out certain operations, after a change of credentials, which involved a total of 50,000 euros transferred from the bank account of the claimant to other accounts. The operations were not carried out within the scope of the BANK-client contractual relationship, since they were carried out by a third party without her consent and without the BANK adequately verifying the identity of its interlocutor, which has led to the conclusion that the personal data of the complaining party has been processed without legitimacy.

It is clear that neither the procedure for a client to recover their Online Banking passwords nor the specific instructions regarding the modus operandi of the operators in situations in which the client does not respond correctly and clearly to the questions asked (the supposed client indicated in the call that she did not know the balance in her bank account, showing doubts in the answer to what her profession was...) prevented the initiation, finally, of the process of automatically sending the corresponding OTP code by SMS to the telephone number, allowing the change of the Online Banking password and the subsequent financial operations already mentioned.
The file states, and the respondent party states, that in the call made by the GSS operator to the complainant on September 6, the operator did not strictly comply with the protocol established by the BANK, since the "supposed client" indicated in the call that she did not know the balance in her bank account, and also showed doubts about her profession. Furthermore, the BANK acknowledges the error by transferring responsibility to the Supplier for failing to comply with the instructions provided by the former.

“…Although, as has been shown, the Bank had reiterated on different occasions, and through different means, to its Provider what the procedure was for a client to recover their Online Banking passwords, as well as the specific instructions regarding the modus operandi of the operators in situations in which the client does not respond correctly and clearly to the questions asked, in the call made by the GSS operator to Ms. A.A.A. on September 6, 2021 at 12:13 p.m., the operator did not strictly comply with the protocol established by the Entity, since, despite the fact that the alleged client indicated in the call that she did not know the balance she had in her bank account, showing doubts in the answer to what her profession was, the operator continued to ask the Complainant more questions, finally initiating the process of automatically sending the corresponding OTP code by SMS to the telephone number that the Complainant provided to the Bank at the time of opening the account (remember that said number was verified by the Complainant herself at the time of contracting, as has been explained ut supra), and that would allow her to change the Online Banking password.
In this regard, it is in the interest of the Entity to inform this Agency that, despite the fact that it was a call that was later considered to be fraudulent, a fact that the Bank later became aware of through the communications made by the Complainant days later, the Bank made available to the Provider all the tools necessary to comply strictly with the current regulations, and did not detect any indication of irregularity that would lead it to distrust a possible fraudulent contract. In this sense, the Bank considers that, if there were a breach, it would be attributable to GSS, since article 28.10 RGPD establishes that: “if a data processor infringes this Regulation when determining the purposes and means of the processing, it will be considered responsible for the processing with respect to such processing.” In light of the above, and as has been evidenced, the Supplier failed to comply with the instructions provided by the Bank, and in this case must acquire the status of data controller…”.

However, it is the controller who must apply the appropriate technical and organisational measures to ensure and be able to demonstrate that the processing complies with the Regulation. Ultimate responsibility for the processing remains with the controller, who determines the existence of the processing and its purpose, and not with the processor.

III Conclusion

Therefore, given that, in the present appeal for reconsideration, no new facts or legal arguments have been provided that allow the validity of the contested decision to be reconsidered, and that the purpose of the appeal is to review the legality of the administrative action, it is appropriate to agree to its dismissal, without prejudice to the fact that the appellant may make a new claim by providing a copy of all the relevant documents available to it, in relation to a possible infringement in the Agency's area of competence.
VI Late resolution

Due to reasons of operation of the administrative body, therefore not attributable to the appellant, to date the mandatory statement of this Agency regarding this appeal has not been issued.

In accordance with the provisions of art. 24 of the LPACAP, the meaning of administrative silence in the procedures for challenging acts and provisions is dismissal. However, and despite the time elapsed, the Administration is obliged to issue an express resolution and to notify it in all procedures, regardless of their form of initiation, as provided for in art. 21.1 of the aforementioned LPACAP. In cases of dismissal due to administrative silence, the express resolution after the expiration of the term will be adopted by the Administration without any binding to the meaning of the silence, as provided for in art. 24.3 of the same law. Therefore, it is appropriate to issue the resolution that ends the procedure of the appeal for reconsideration filed.

In view of the provisions cited and other generally applicable provisions, the Presidency of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DISMISS the appeal for reconsideration filed by BANCO PICHINCHA ESPAÑA, S.A. against the Resolution of this Spanish Data Protection Agency issued on October 1, 2024, imposing on BANCO PICHINCHA ESPAÑA, S.A., with NIF A85882330, for an infringement of Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of €50,000 (FIFTY THOUSAND EUROS).

SECOND: TO NOTIFY this resolution to BANCO PICHINCHA ESPAÑA, S.A.
Against this resolution, which puts an end to the administrative procedure, an administrative appeal may be lodged within a period of two months from the day following notification of this act, as provided for in article 46.1 of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of the referred legal text.

1245-21112023

Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with art. 48.2 LOPDGDD, due to vacancy in the position of President and Deputy.