AEPD (Spain) - EXP202304146

From GDPRhub
AEPD - EXP202304146
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 12 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.07.2024
Published:
Fine: 72,000 EUR
Parties: Wenance Lending de España S.A.
National Case Number/Name: EXP202304146
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: fb

The DPA fined a fintech company €72,000 after its inadequate measures to verify its customer’s identity enabled fraudsters to take out a loan in the name of an unaware data subject.

English Summary

Facts

On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card.

After that, they received a request by the controller, a fintech company, to pay back a €200 loan.

Since the data subject believed they had never entered in a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature.

In addition, on 12 August 2022 the data subject asked the controller to delete their data. The controller did not reply to the request.

As for the deletion request, the controller later argued that it could not delete the data since the contract was still in force.

Holding

First, the DPA investigation showed that the data subject was victim of a fraud. The data subject sent their picture and ID card to the defrauder. With this documents the latter digitally signed the loan contract with the controller. Therefore, the data subject never expressed their willingness to enter in such an agreement with the controller.

Second, the DPA noted that the anti-fraud measures taken by the controller were insufficient. More specifically, the controller argued that one of these measures is that the amount of money cannot be transferred to accounts that have been opened for less than 3 months.

However, in the case at hand, the controller transferred the money even though the account had been opened only one day before the loan contract was signed.

Thirdly, the DPA pointed out that this lack of checks led to the transfer of the money to a bank account not owned by the data subject. The DPA added that, in Spain, a bank transfer is successful even if the name in the bank transfer form is different from the account’s actual holder name.

Therefore, the DPA found that the controller had processed personal data without a proper legal basis, since the data subject had never entered in a contract with the controller. For these reasons, it found a violation of Article 6(1) GDPR.

Fourthly, as for the deletion request, the DPA noted that the controller should have replied to the request even if it believed that the request should have been rejected. Therefore, it found a violation of Article 12 GDPR.

On these grounds, the DPA issued a €72,000 fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/28

File No.: EXP202304146

SANCTIONING PROCEDURE RESOLUTION

From the procedure initiated by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST:

A.A.A. (hereinafter, the complaining party) filed a
complaint with the Spanish Data Protection Agency on February 8, 2023. The claim is
directed against WENANCE LENDING DE ESPAÑA, S.A. with NIF A67194746 (hereinafter, the respondent party, WELP or WENANCE). The reasons on which the claim is based are the following:

The complaining party states that WENANCE is imputing a debt to it that does not correspond to it, since it comes from the contracting of a loan made in an
allegedly fraudulent manner. The loan was contracted on August 21, 2020.

Along with the notification, a burofax is provided addressed by the claimant to WENANCE, dated August 12, 2022, in which it informs the claimant that it does not
recognize the debt, nor that it has contracted any credit with the defendant;
it also requires the claimant to stop processing its data in the future. It is deduced that

the burofax was sent by the claimant after having received a notification or
request for payment of the credit entered into.

To said burofax, the claimant attaches two complaints that it filed with the
National Police for these events (filed in October and December 2020). The
first of them contains facts that could explain a possible impersonation of

the claimant's identity:

“On August 21 [2020] I saw a job offer on the milanuncios page.
That in the advertisement they gave the telephone number ***TELEPHONE.1 to contact.

The declarant contacts this number, indicating that she should send a Selfie of herself
with the photo of the DNI front and back. That the declarant does so and does not
receive a response again.

That on the date [06/10/2020] her mother has received a call in which

a financial insurer tells her that she owes 200 euros plus interest on a loan
she had requested.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/28

That the declarant calls said company by telephone at ***TELEPHONE.2, who
informs her of her loan, stating that she owes 319 euros and that she has to return it.
And that there is an associate in Banco Santander, but it is not in her name.

That the declarant contacts the collections company “welp.es” by e-mail from where they provide her with the capture of the contract, which she provides herewith.”

In addition, the claimant provides a document called “Exercise of the right of deletion” addressed to the respondent party dated 02/02/2023.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to WENANCE, so that it could proceed to analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on March 31, 2023 as stated in the

acknowledgement of receipt in the file.

On May 4, 2023, this Agency received a response letter indicating the
following:

- The claimant effectively contracted a loan with WENANCE dated August 21, 2020. A copy of the same is provided.

- At the time, she requested deletion of her personal data, but this could not be
accepted because the contract was still in force

- She claims that she considers the claimant's version "implausible" for several
reasons:

o In her opinion, it is impossible that on the same day that she gave her data to a

third party, the latter opened a current account at Banco Santander (for
the payment of the loan amount).

o WENANCE only allows the amount of the requested credit to be sent to
bank accounts that are more than three months old

o WENANCE makes, through its payment service provider, a
prior deposit to verify the ownership of the bank account

o In addition, it notes that the complainant provides a complaint from October
2020, but is nevertheless surprised that two and a half years
later there is no complaint or any type of judicial investigation

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/28

It provides a copy of the contract that would be signed electronically,
by sending it to an email address and subsequent confirmation

through a code sent by SMS to the mobile phone. The email address listed is:
***EMAIL.1. and the contact telephone line for sending the SMS: ***PHONE.1

THIRD: On May 8, 2023, in accordance with article 65 of the
LOPDGDD, the claim submitted by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, pursuant to the functions assigned to the control authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of the LOPDGDD, having knowledge, in essence, of the following:

Date on which the claimed events took place:

- Opening of the allegedly fraudulent loan: 08/21/2020
- Dates of police reports: 10/06/20 and 12/16/2020
- Date of submission of the burofax for the right of deletion to WENANCE: 12/08/2022.

RESULT OF THE INVESTIGATION ACTIONS

After analyzing the evidence of electronic signature of the contract provided by the respondent party, it is observed that:

- It is a certificate issued by the trusted third party LLEIDANETWORKS
Serveis Telemàtics S.A. (hereinafter ***URL.1), which is a qualified electronic trust service provider in accordance with the provisions of the
eIDAS Regulation for the entire European Union and provides the qualified certified electronic delivery
service, as published on the website of the Ministry of Economic Affairs and Digital Transformation.

- The WELP CIF shown on the certificate is incorrect. The certificate shows: Welp.es (A12345678), when the actual WELP CIF is

A67194746. The contract between WELP and ***URL.1 will be requested later and it will be
confirmed that there is indeed a contract between them for certified electronic
delivery, although in said contract the CIF also contains a
typographical error: A97194746 instead of A67194746.

- The signature evidence specified in the certificate is the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/28

 2020-08-21 09:01:37 UTC-3: A certified process start type EMAIL has been sent to the email ***EMAIL.1.
 2020-08-21 09:03:00 UTC-3: A certified OTP notification type SMS has been sent to the phone ***PHONE.1.

 2020-08-21 09:03:26 UTC-3: Received an HTTPS request from IP ***IP.1
corresponding to the signing event.

- Analyzing the evidence provided along with the previous data, it is perceived that:

 The email to start the process has originated in UTC-3 and the signature footer of the contract
states Buenos Aires, Argentina. (Inspector's clarification: This origin is
common in electronic communications certificates with WELP issued by
***URL.1.)

 The data where the email with the documentation and the SMS with the contract signature code are sent are: ***EMAIL.1 and ***PHONE.1.
This phone number matches the phone number listed in the complaint
filed with the police by the complainant, the phone number with which he allegedly
contacted to send the photos and apply for the job.

 The data that appear in the SEPA Direct Debit Order as
Debtor are:

o Name and surname: A.A.A.
o Address: Street ***ADDRESS.1

o Bank: BANCO SANTANDER
o IBAN: ***IBAN.1
(Account number where the loan was received, whose holder is
supposedly the claimant)

Process of request to the claimant

On June 16, 2023, the claimant is requested additional information
to gather clarifications on the date and data provided for the job offer, on the means used to provide said data and on the results
obtained from any investigation related to the matter, originating from the
filing of police reports. No response has been received from the claimant.

Request to BANCO SANTANDER

On June 16, 2023, a request for information was sent to BANCO SANTANDER in which it requested, among other things, the data of the complainant that they have in their systems, information on all contracts entered into with the complainant, as well as the identification and contact information of the holder of the bank account ***ACCOUNT.1 and its registration and deregistration date.

(Remember that this bank account is the one to which WELP sent the amount of the credit granted).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/28

BANCO SANTANDER sends its response dated June 26, 2023,
in which it states that:

1.- The holder of the bank account ***ACCOUNT.1 corresponds to the client B.B.B.,
DNI ***NIF.1, as the only party/holder with registration date 08/20/2020 and cancellation
01/15/2021.
It provides a screenshot of the contracts of the client B.B.B. together with their registration and cancellation dates.

It is therefore observed that the account receiving the amount of the credit is not owned by
the complaining party.

2.- Provide the following details of the client B.B.B.:

- Email: ***EMAIL.2
- Telephone: ***PHONE.3
- Address: Street ***ADDRESS.2.
- Client since April 14, 2020.

3.- Provide the following details of the complaining party:

- Email: ***EMAIL.1
- Telephone: ***PHONE.1
- Address: Street ***ADDRESS.1.
- Client since June 30, 2021.

4.- Provide the active contracts of the complaining party. Among them is a current account whose number does not match the data provided by WELP.

Request for information from WELP.

On June 16, 2023, a request for information was sent to WELP in which it was asked, among other things, for the data of the complainant that it had in its systems, information on all contracts entered into with the complainant, as well as a detailed description of the procedure for the

contracting of this bank loan and a copy of the contacts maintained with the complainant and the claims received by it in relation to the
reported facts.

WELP sent its written statement of allegations on June 26, 2023 and expanded it on July 3, 2023, together with the following documentation:

1.- First written response to the request.

2.- Agreement on the appointment of WELP's DPO.

3.- “Documentary Set”: Document that includes the following documentation:

1- Details of the claimant:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/28

2- List of all contracted products.
3- Procedure for contracting WELP bank loans.
4- Procedure for contracting the loan originating the claim.

5- Agent Validation Annex, which validated the documentation manually.
6- Documentation collected in the formalization of the contract to verify the identity of the claimant.
7- Documents containing records and communications received by the claimant. Pages.

8- Contract signed between WELP and ***URL.1.

4.- Video with the audios of the communications held between the claimant and WENANCE in October 2020.

5.- Second written response to the request.

6.- Certificate from BANCO SANTANDER dated June 28, 2023, issuing the
amount of the loan to the account of the beneficiary “A.A.A.”, ***ACCOUNT.1.

Point 1.- Having requested the data of the claimant that they have in their
systems, WELP sends screenshots of the different systems where the data and/or information relating to the claimant are recorded. The following
information is noteworthy:

Email: ***EMAIL.1 and ***PHONE.1.

Telephones: (…). This last telephone number matches the one in SANTANDER's
systems.

IBAN: ***ACCOUNT.1.

Cases (incidents) dated 06/10/2020, 06/10/2020, 07/10/2020, 21/01/2021 and
21/06/2021.

Capture of incident, with the text “I am A.A.A. with Dni ***NIF.1 and I am

contacting you because I have to report that my identity has been stolen,
by signing a contract with you and the police have asked me to ask you for a
proof showing the debt that is in my name and the phone number from which it was
made in order to proceed with the complaint, I would like you to provide it to me. Many
thanks”

Transfer receipt dated 08/21/2020 in favor of ***NIF.1 CONCEPT
Welp - 235212

It also provides the signed contract (similar to the one provided in the response to the transfer) and

screenshots with information about said contract.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/28

Point 2.- Regarding the products contracted by the complainant, WELP
shows Welp Bronce SI Full Loan for the amount of €200 with a subscription date of
08/21/2020.

Point 3.- Having requested the Procedure for contracting bank loans, the
respondent indicates:

I. Loan application

The loan was requested online. The application could be made by any natural person with an Internet connection and access to the page who met the following requirements:
a. Be a legal resident in Spain.
b. Be of legal age.

c. Have a bank account in the name of the holder requesting the loan.
d. Demonstrate recurring income.
e. Have a telephone number.
f. Have an email address.

II. Classification of the application and request for documentation

Within Wenance's usual operations, when the consumer loan application was for a value of less than one thousand euros (€1,000), in accordance with Wenance's Manual for the
Prevention of Money Laundering and Financing of Terrorism and, specifically, with its Customer Acceptance Policy dated January 18, 2019, simplified due diligence measures were required, as established in article 16 h) of Royal Decree 304/2014, of May 5, approving the Regulation of Law 10/2010, of April 28, on the prevention of money laundering and the financing of terrorism, which stipulated the following:

"Obliged subjects may apply, depending on the risk, simplified due diligence measures regarding the following products or services: operations:
h) Consumer credit contracts for an amount less than 2,500 euros
provided that the repayment is made exclusively by charging a current account opened in the name of the debtor in a credit institution
domiciled in the European Union or in equivalent third countries»

Thus, in accordance with the above, Wenance carried out the following checks for
said loans:
a) completing an application form in which they provided the following
personal information:
1. Name and surname.

2. Identification number (DNI/NIE).
3. Date of birth.
4. Address.
5. Income.
6. Telephone.

7. Email.
8. Bank account number.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/28

b) Subsequently, if the clients met the requirements, they had to send the
following documentation, which would be subsequently verified by an agent
from the Sales department:

1. Photo of the DNI/NIE, both the front and the back.
2. Selfie holding the identity document in the hand.
3. Proof of income.
4. Proof of ownership of the bank account.

III. Validation

Once the documentation was received, the Sales Department Agent validated
that the data provided by the client matched the documentation
provided.
In addition, he verified that the client was the owner of the bank account, that the DNI/NIE
was valid and that the selfie photo matched the photo on the DNI/NIE, (…).

If the client met all the requirements, the loan application was approved.

IV. Contracting
Subsequently, the client received the contract by email for signature and was
sent a code via SMS to proceed with the signing of the contract.
Once the contract was signed, the operations

department issued a transfer order to the indicated account manually and the
requested amount was deposited.

Point 4.- Regarding the contracting of the claimant's loan, WELP
reports that it was requested online and simplified measures were applied since it did

not exceed one thousand euros:
a) completing the application form and indicating personal data.
b) Sending the following documentation:
1. Photo of the DNI/NIE, both the front and the back.
2. Selfie holding the identity document in the hand.

3. Proof of income and copy of the last pay slip.
4. Proof of ownership of the bank account.

“The loan was pre-approved and the documentation was verified by C.C.C., a former agent of the Sales department, who verified that the data provided by the client matched the attached documentation. In addition, she verified that the DNI data

matched those reflected in the bank account. Likewise, she verified that the DNI was valid and that the selfie photo matched the photo on the DNI/NIE.”

Point 5.- Regarding the security mechanisms and measures used by WELP
to ensure the authenticity of the data provided by the client, the respondent party

refers to a list of measures, taking into account what was explained in the previous points
regarding the applicable procedure:
“a) Request for a photocopy of the DNI.
b) Request for a photograph holding the document, in order to make a comparison between
the applicant and the bearer.

c) Request for the last payroll and bank receipt of payment, to manually compare
that the data contained in these corresponded with that of the
holder of the D.N.I.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/28

d) Telephone call to the number listed to check its
operation.
e) Validation of all documentation manually by the agent in charge

at that time. “
For this validation, WELP provides a copy of the Agent Validation Annex
(DOC#2.5) in which in Note 2 it can be seen: “doc ok 08/21/2020 15:53 by
C.C.C.” and “data ok 08/21/2020 16:33 by D.D.D.”
“f) Request for double authentication factor between the email provided and the
telephone, in order to mitigate the risk of falsification in the signing of the contract.

g) Manual transfer of the loan amount to the client's account.”

Point 6.- Once the documentation provided for the formalization of the contract has been requested,
WELP sends a photo of the front and a photo of the back of the ID of the
complainant, a photo of the complainant carrying the ID, proof of

income and a copy of the last payroll.

Both the proof of income provided for the formalization of the contract and the
copy of the last payroll are included in (DOC#2.6) and specify the
account number ***ACCOUNT.1, an account that has been verified not to belong to the
complainant. These documents could be images of the original documents

sent by the claimant in which the account number was subsequently
modified, before being sent for the loan contract.

The respondent has not provided proof of ownership of the bank account

which had supposedly been verified by the former Sales Department agent
C.C.C..

Point 7.- Having requested information on the checks carried out by Unnax
to verify the correspondence of the current account data with the data

provided in the loan application process, WELP explains that “After successive
checks by WENANCE, it has been verified that, on the date of
the loan contract by Ms. A.A.A., the verification service was not
performed by UNNAX REGULATORY SERVICES, E.D.E, S.L. (UNNAX), but
manually, as indicated in points 3 to 5”.

Point 8.- Regarding the contacts maintained with the complainant, WELP
provides documents containing records and communications received by the complainant
and a video with the audios of the communications maintained between the complainant
and WELP in October 2020.

It is verified that the exchange of emails has been carried out between the addresses
***EMAIL.1 and ***EMAIL.3.

In this exchange of emails it is seen that, in response to the request of the complainant

for proof showing the debt in his name and the telephone number from
which the complaint was made, WELP provides the amortization table of the loan. Subsequently, the complainant sends WELP a copy
of the police report, report 14741/20.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/28

WELP does not indicate any response to the burofax submitted by the complainant dated
August 12, 2022.

The video provided consists of four audios, recordings of the calls made
by the complainant or by her mother. The most relevant information from the calls
is the following:

 Audio 1 (06/10/22):

Call from the complainant's mother to WELP.
She claims that WELP has called her phone (the mother's, E.E.E.), insists that they have
never asked for a loan and requests that all her daughter's data be deleted.

 Audio 2 (06/10/22):

WELP reports that there is proof of a transfer. WELP asks if the
account ending in 3689 belongs to the complainant.
The complainant confirms that he does not have any account at Banco Santander: (…).
At minute 7:54, WELP says: "You have to report it because someone has your data.

We are going to track the phone of whoever did it because we have a verification call."

 Audio 3 (10/07/22):
WELP provides the email where the complainant has to send the complaint

 Audio 4 (10/08/22):
The complainant reports that they have filed a complaint with the police and have sent the
complaint by email to ***EMAIL.3.
At minute 14:06, the complainant asks: "This, since it has already been reported, there

will not be any problem, right?" to which WELP responds: "No, now the problem is with the
person who made the loan."

Point 9.- WELP expands its written allegations by providing a certificate from BANCO

SANTANDER dated June 28, 2023, which states the issuance of the
amount of the loan to the account of the beneficiary “A.A.A.”, ***ACCOUNT.1. (DOC#4)

WELP indicates that “the previous certificate is relevant for the purposes of demonstrating the
verification of the authenticity of the account carried out by WENANCE. This is because,
as the process was carried out 2 years ago and it is not possible to consult the manual
verification carried out by the agent assigned to the account, beyond the documents already
provided that are in the WENANCE computer system, through this certificate it is possible to prove, as of today, that the account registered in
the loan application is associated with the applicant and that it was to whom the transfer for the amount of the loan was made.”

It has been verified that this document is a certificate issued and signed by
SANTANDER and it reflects the data that were specified at the time of making the
transfer.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/28

Article 59 (Incorrect unique identifiers) of Royal Decree-Law 19/2018, of November 23, on payment services and other urgent financial measures (hereinafter, RDLSP) establishes that:

“1. When a payment order is executed in accordance with the unique identifier, it will
be considered correctly executed in relation to the beneficiary specified in said identifier.”

The extract from the 2020 complaints report of the Bank of Spain in relation to the
Unique Identifier indicates:

“The payment services regulations indicate that the unique identifier consists of a
combination of letters, numbers or signs specified by the payment service provider
to the user of said services, which the latter must provide in order to
unequivocally identify the other user of the payment service or the payment account
of that other user in a payment transaction, and which would be given by the account
number (IBAN) provided for the execution of the payment order.

Thus, in accordance with the provisions of article 59 of the RDLSP, when a payment order is
executed according to the unique identifier, said order will be considered
correctly executed in relation to the beneficiary indicated in said identifier,
the payment service provider not being responsible for the non-execution or
defective execution of the operation when the unique identifier provided by the
user was incorrect. However, in such cases, the payment service provider of the ordering party is required to make reasonable efforts to recover the funds, and may charge for such efforts the recovery costs that had been agreed in the framework contract.

The payment services regulations also do not establish the obligation of the entities to

check that the name of the beneficiary corresponds to that of the holder of the account number of the destination of the transfer or other additional data, beyond the coincidence of the beneficiary IBAN with that indicated in the payment order.”

Therefore, the certificate provided by WELP does not allow the ownership of the

bank account to be accredited.

The RDLSP regulations and the
extract from the 2020 complaints report of the Bank of Spain in relation to the
Unique Identifier are recorded in the SIGRID system as associated objects.

Deductions from the inspection report on the claims of the respondent party.

In summary, the statements made by the respondent party and which have been proven to be contradicted are shown:

.- “In short, it is impossible that with a mere photo of the complainant with the ID card, an online bank account was opened on the same day that said photo was provided.”

The bank account was previously created and it has been confirmed that the ownership of the account does not belong to the complainant.

.- “Furthermore, my client, also as a party obliged under the regulations on the
Prevention of Money Laundering, as recorded in its prevention manual

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/28

of money laundering and as part of its risk policy, only allows the
contracting of loans with persons with bank accounts that are at least 3 months old.”

It has been verified that the account was created on August 20, 2020, one day
before the contracting of the loan that is the subject of the claim.

.- “The above is also evident, since Unnax, through the payment provider,

duly accredited under the PSD2 directive, makes a deposit into the applicant's current account
(with prior permission) to check whether the current account data corresponds to that provided in the application process (ID, name and
surname, address, etc.) and to analyse expenses, income, etc. in order to analyse the applicant's solvency.”

The respondent party acknowledges that the validation to verify the correspondence of the current account data with the data provided in the loan application process was manual: “After successive checks by WENANCE, it has been
verified that, on the date of the loan contract by Ms. A.A.A.,
the verification service was not carried out by UNNAX REGULATORY SERVICES,

E.D.E, S.L. (UNNAX), but manually, […]”.

.- “Lastly (and not least), the complainant provides a complaint from
October 2020. Two and a half years later there is no complaint?
No judicial investigation? We are talking about €200 being received in the
current account ***ACCOUNT.1, which appears in the name of the complainant.”

The current account does not appear in the name of the complainant.

In addition, it has been verified that, in the recordings provided, WELP indicates to the
complainant that they are going to take internal action: "You have to report it because
someone has your data. We are going to trace the phone of whoever did it because we
have a verification call."

WELP also reassures the complainant: "This, as it has already been reported,
there will be no problem, right?" to which WELP responds: "No, now the problem is with
the person who made the loan."

.- “[…] this certificate allows us to prove, as of today, that the account registered in the loan application is associated with the applicant and that the transfer for the amount of the loan was made to the applicant.”

It has been verified that this document is a certificate issued and signed by SANTANDER and reflects the data specified at the time of making the transfer, but it does not allow us to prove the ownership of the bank account.

CONCLUSIONS

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/28

Claim for debt arising from the contracting of a loan made in an allegedly fraudulent manner.

The existence of a transfer from WELP to the beneficiary account of the loan has been demonstrated.

It has been confirmed that the account benefiting from the loan does not belong to the
complainant but to another person (B.B.B. DNI ***NIF.2) with a registration date of 08/20/2020 and
deregistration on 01/15/2021. The account was created on August 20, 2020, one day before

the contracting of the loan subject to the claim.

It has been verified that the email address and telephone number with which the
loan was contracted and which appear in WELP's databases do not match
the email address and telephone number that SANTANDER has in its databases and

which the complainant has used to contact WELP.

It has been established that WELP was aware of the alleged fraudulent contracting
since October 6, 2020.

WELP has not provided proof of ownership of the bank account that

it supposedly had to have manually reviewed for the contracting of the
loan.

Having requested a copy of the contacts maintained with the complainant in relation
to the reported events, WELP does not indicate any response to the burofax

submitted by the complainant dated August 12, 2022, although in the
response to the transfer it explained that the complainant requested the right to
delete the data, which could not be granted due to having an active and
unpaid contract between the parties.

It has been established that, in the recordings provided, the complainant requests that
all data relating to this loan be deleted.
The recordings warn that WELP was going to track the phone from which the contract was made, advise the complainant to file a complaint and reassure her that once the complaint has been filed there will be no problem.

The complainant has not received notification of the request (by post) as of the date of signature of this report, but it is evident that she provided a lot of
information (photos of ID, selfie with ID, payroll and proof of payroll transfer).

It has been shown that the statements provided by the respondent in her
allegations regarding the transfer are not correct.

It has been verified that the SANTANDER certificate presented by the respondent, to prove that the account registered in the loan application is

associated with the applicant, reflects the data that was specified at the time of making the transfer, but does not allow the ownership of the bank account to be proven.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/28

FIFTH: According to the report collected from the AXESOR tool, the entity
WENANCE LENDING DE ESPAÑA, S.A. is a company established in 2018,
and with a (…).

SIXTH: On July 20, 2023, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against the respondent party,
for the alleged violation of Article 12 of the GDPR and Article 6.1 of the GDPR, classified
in Article 83.5 of the GDPR.

SEVENTH: There is reliable evidence of the receipt by the interested party of the aforementioned initiation agreement, which has been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). After the period granted for the formulation of allegations has elapsed, it has been noted that no allegations have been received from the respondent party.

Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed in the agreement to open the procedure - establishes that if no allegations are made within the period provided for regarding the content of the initiation agreement, when it

contains a precise statement regarding the imputed liability, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning procedure determined the facts in which the charge was specified, the infringement of the GDPR attributed to the respondent and the sanction that could be imposed. Therefore, taking into consideration that the respondent party has not

made allegations to the agreement to initiate the procedure and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the procedure is
considered in the present case a resolution proposal.

In view of all the actions taken, the following facts are considered proven by the Spanish Data Protection Agency

in the present procedure:

PROVEN FACTS

FIRST. The complainant declares that on August 21, 2020, he saw a job offer on the
website “milanuncios”. The advertisement gave the telephone number

***TELEPHONE.1 to contact. After contacting that number, the complainant
claims to have sent a selfie of himself with the photo of the front and back of his ID.

SECOND. On 08/21/2020, WENANCE entered into a consumer credit contract, in which, as the borrower, the following data appear:

“1. Customer data
Name and surname: A.A.A.
Date of birth: XXXXXX
Address: ***ADDRESS.1

Mobile phone: ***PHONE.1
Email: ***EMAIL.1
NIF/NIE: ***NIF.1

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/28

THIRD. The formalization of the celebration of the contract referred to in the proven fact above was carried out through the following procedure:

According to the data that appear in the certificate issued by the telecommunications operator LLEIDANETWORKS Serveis Telemàtics S.A. as a trusted service provider, the following steps were followed for the celebration of the contract electronically:

- (…).

FOURTH. The credit amount was deposited in the current account with code
***ACCOUNT.1. According to the certificate from Banco Santander that appears in the file:

1.- The holder of the bank account ***ACCOUNT.1 corresponds to the client B.B.B.,
DNI ***NIF.2, (…).

2.- The following details of the client B.B.B. are provided:
- Email: ***EMAIL.2
- Telephone: ***TELEPHONE.2

- Address: ***ADDRESS.2.
- Client since XXXXXXXXX

This proves that the amount of the credit was deposited in a bank account owned by a person other than the claimant.

FIFTH. The procedure for granting the credit established by the respondent, depending on the amount of the same, was the following:

a) Completion of the application form indicating personal data.

b) Submission of the following documentation:

a. Photo of the DNI/NIE, both the front and the back.
b. Selfie holding the identity document in the hand.
c. Proof of income and copy of the last pay slip.
d. Proof of ownership of the bank account.

SIXTH: The respondent has not provided proof of ownership of the bank account that was supposedly verified by the former Sales department agent.

SEVENTH. In relation to the verification of the ownership of the bank account into
which the amount of the requested credit was to be paid, the respondent party stated that it had
contracted a payment provider, duly accredited under the PSD2 directive,
Unnax, a deposit into the applicant's current account (with prior permission) to
check whether the current account details correspond to those provided in the

application process (ID, name and surname, address, etc.) and to analyse the
expenses, income, etc. in order to analyse the applicant's solvency. However, he
subsequently claims that after successive checks by WENANCE, it was
proven that, on the date the loan was taken out by Ms.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/28

A.A.A., the verification service was not carried out by UNNAX REGULATORY
SERVICES, E.D.E, S.L. (UNNAX), but manually.

The respondent party does not provide any documentation on said verification.

EIGHTH. The respondent party claims to have a mechanism to prevent fraud,
consisting of requiring as a requirement that the bank account into which the
deposit is made is more than three months old. This requirement was not fulfilled,
since according to the documentation in the file the dates are the

following:

- Date of opening of the receiving account at Banco Santander: 08/20/2020

- Date of signing the loan agreement: 08/21/2020

- Date of deposit of the amount into the bank account: 08/21/2020

NINTH. There is a burofax addressed by the claimant to WENANCE, dated
August 12, 2022, by which it informs it that it does not recognize the debt, nor
that it has contracted any credit with the defendant; it also requires it to

stop processing its data in the future.

WENANCE acknowledges having received it, indicating that the deletion could not be accepted
because the execution of the contract is in force, in its opinion. As stated in the report on preliminary investigation actions, having requested a copy of the

contacts maintained with the complainant in relation to the reported events, WELP does not indicate any response to the burofax submitted by the complainant dated August 12, 2022.

LEGAL BASIS

I
Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to

initiate and resolve this procedure. Data Protection.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions

of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/28

II.
Preliminary questions

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is evidence
of the processing of personal data, since WENANCE
LENDING DE ESPAÑA, S.A. carries out this activity in its capacity as controller of the
processing, since it is the one who determines the purposes and means of such activity, pursuant to
Article 4.7 of the GDPR: “Controller” or “controller”: the natural or legal person,
public authority, agency or other body which, alone or jointly with

others, determines the purposes and means of the processing; if the law of the Union or of the
Member States determines.

III

Applicable provisions

Article 5 of the GDPR deals with the principles governing the processing of
personal data, which provides:

“1. Personal data will be:

a) processed lawfully, fairly and in a transparent manner with the interested party (<<lawfulness, fairness and
transparency>>)

Section 2 of Article 5 of the GDPR establishes that “The data controller

will be responsible for compliance with the provisions of section 1 and able to
demonstrate it (<<proactive responsibility>>)”

Article 6 of the GDPR under the heading “Lawfulness of processing” specifies in its section
1 the cases in which the processing of third party data is considered lawful:

“1. Processing will only be lawful if it meets at least one of the following
conditions:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party
is a party or for the implementation at the request of the latter of pre-contractual measures;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/28

The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.”

IV
Unfulfilled obligation

The respondent party in this initiation agreement is accused of infringing Article 6.1 of the GDPR.

The documentation in the file provides evidence that WENANCE
processed the personal data of the complainant (name, surname, address, date of birth, DNI number) without any of the grounds for the lawfulness of the processing established in Article 6.1 of the GDPR being met. Indeed, as will be explained
below, the respondent party has not provided documentation or information that

allows it to be verified that the credit was actually contracted by the complainant.

Recital 40 of the GDPR states on this issue:

“For processing to be lawful, personal data must be processed with the

consent of the data subject or on another legitimate basis established by law, either in this Regulation or by virtue of another Union or Member State law to which this Regulation refers, including the
need to comply with the legal obligation applicable to the controller or the
need to perform a contract to which the data subject is a party or in order to

take steps at the request of the data subject prior to entering into a contract.”

The administrative file contains a consumer credit contract,
corresponding, in whose particular conditions the following appear as “customer data”

:

“1. Customer data
Name and surname: A.A.A.
Date of birth: XXXXXXX
Address: ***ADDRESS.1

Mobile phone: ***PHONE.1
Email: ***EMAIL.1
NIF/NIE: ***NIF.1

The claimant has denied having given her consent to these contracts and

having provided her personal data to WENANCE. She has filed a complaint with the
Security Forces and Corps and has exercised her right to erasure against the
respondent party.

As will be detailed later, WENANCE did not take the necessary actions

to ensure that the person taking out the loan was really the claimant party.
Furthermore, it was not adequately ensured that the amount of the loan was
received by the person who was listed as the borrower

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/28

It should be noted that, pursuant to the principle of proactive responsibility
(Article 5.2 of the GDPR), which requires the controller of personal data
to comply with the principles that govern it, which is of interest here, the principle of legality,

and to be able to prove compliance, the burden of proof falls on the controller
that the processing of the personal data of the complainant was
covered by any of the circumstances of legality provided for in Article 6.1 of the
GDPR.

In the case at hand, the element of guilt, necessary for

penalty liability to arise, results from the lack of diligence demonstrated by the
respondent party in complying with article 6.1 of the GDPR.

As seen in the background of the claim and subsequent allegations in

the preliminary investigation phase, the arguments put forward by the
respondent party are basically the following:

- Execution of the loan contract and confirmation of the same through a
certified electronic signature system

WENANCE provides a consumer credit contract. It apparently contains the
data of the complainant. According to the data appearing in the certificate
issued by "the telecommunications operator LLEIDANETWORKS Serveis
Telemàtics S.A. as a trusted service provider, the following steps were
followed to conclude the contract electronically:

(…).

There is an appearance of a validly executed contract. However, as stated
in the report of preliminary investigation actions, analyzing the evidence

provided together with the previous data, it is perceived that:

- The data where the email with the documentation and the SMS with the contract signature code are sent are: ***EMAIL.1 and ***PHONE.1.

- This phone number coincides with the phone number that appears in the complaint

filed with the police by the complainant, the phone number with which she allegedly
contacted to send the photos and request the credit.

- However, these contact details do not coincide with those that the complainant
herself provided to BANCO SANTANDER (remember that she herself
was also a client of said bank). Nor with the complainant's phone number that is included in the
complaint.

In any case, the conclusion of the contract by electronic means only presupposes
that the alleged impersonator would have obtained and provided said contact details (e-
mail and telephone number for confirmation of the contract), and it is necessary that, either at the time of requesting the contract or at the time of remittance of the amount

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/28

granted, the respondent party ensured that the applicant for the credit coincided with the holder of the destination bank account.

- Ensuring the ownership of the destination account

According to the allegations of the respondent party, it had a double
mechanism to ensure that the amount of the credit requested was received in
a bank account owned by the person who actually requested it. These
mechanisms were the following:

- Making a prior deposit, so that said ownership is confirmed.
- The need for the bank account in which the amount is deposited to be
at least three months old.

Both are indeed basic precautions. Through the first, the confirmation of the ownership of the account is
received, so that the remittance of the requested amount to someone who is not the true owner is
avoided. And through the second, cases are avoided in which the impersonation of the ownership has been carried out in the bank account itself, so that until three months have passed since the
opening, a credit cannot be received in it. This last aspect is especially
important, since, as detailed in the factual narration, the credit was requested on the
same day that the claimant had sent her data to a third party,
presumably with fraudulent intentions in the latter's actions.

Well, both precautions were negligently ignored by the complainant.

In relation to the sending of a prior deposit to determine the ownership of the current account, (through its payment service provider), WENANCE has

stated, in its response to the inspection, that “After successive checks by WENANCE, it has been verified that, on the date of the contracting of the loan by Ms. A.A.A., the verification service was not carried out by UNNAX
REGULATORY SERVICES, E.D.E, S.L. (UNNAX), but manually, as indicated in
points 3 to 5”.

Thus, this verification was not carried out. And what is more important: from the
investigation carried out by this Agency, there is evidence that the destination current account was not owned by the complainant but by a third party. In
deed, according to the information provided by Banco Santander to the
inspection:

´
“1.- The holder of the bank account ***ACCOUNT.1 corresponds to the client
B.B.B., DNI ***NIF.2, as the only participant/holder with registration date
08/20/2020 and cancellation date 01/15/2021.

Provide a screenshot of the contracts of the client B.B.B. along with their
registration and cancellation dates.

2.- Provide the following details of the client B.B.B.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/28

- Email: ***EMAIL.2
- Telephone: ***TELEPHONE.1
- Address: ***ADDRESS.2

- Client since XXXXXXXX”

The absence of controls, therefore, allowed the amount of the credit to be
transferred to a person other than the one who claimed to have contracted.

In this respect, it is hardly necessary to refute the insufficiency of the
transfer certificate issued at the request of WENANCE by BANCO SANTANDER. In
effect, the only thing that would prove is that the transfer request was made in favor of
the claimant, and to the current account number ***ACCOUNT.1. That is,
as the inspector's report rightly points out:

“The payment services regulations also do not establish the obligation of the entities to
check that the name of the beneficiary corresponds to that of the holder of the account number
of the transfer destination or other additional data, beyond the
coincidence of the beneficiary's IBAN with that indicated in the payment order. Therefore, the
certificate provided by WELP does not allow the ownership of the bank account to be accredited.”

As regards the second mechanism, that is, the necessary 3-month seniority in the
bank account for the destination of the loan amount, the relevant dates are the
following:

- Contracting of the credit: 08/21/2020 (confirmed by the respondent party itself)

- Deposit of the loan amount (€200) in the bank account: 08/21/2020
(confirmed by the transfer certificate issued by Banco Santander)

- Opening date of the destination account no. ***ACCOUNT.1.: 08/20/2020
(confirmed by Banco Santander certificate)

This confirms that the bank account was opened only one day before
the contracting of the credit and the remittance to it of the contracted amount. The measure that the respondent party itself claims to have implemented was not
fulfilled.

It is important to highlight the necessary compliance with security measures such as those
detailed (but not complied with) by the complainant. Indeed, by
checking the ownership of the current account, the amount would have been avoided from being sent
to a person other than the one who had apparently requested the credit.

And by checking the age of the account, this situation would have also been avoided
even if the impersonator had (using the documentation
previously obtained) been able to open a current account in the name of the complainant,
since it would have been necessary to wait the three-month period.

Given the lack of measures that there is evidence of occurred in the operations of
the defendant, the result was not only the processing of data without any legitimacy on the part of the data controller,
but also the result of the non-payment by

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/28

the impersonator has led to the claim for liability of the
complainant itself, in whose name the improperly contracted credit appears. This is apart from
the possible inclusion in data processing on financial solvency.

For all these reasons, it is considered that WENANCE processed the personal data of the
complainant without legitimacy, since a consumer credit was contracted in its name
without it having given its response, or requested the contract, or any other basis for legitimacy of article 6.1 of the GDPR.

V
Classification and qualification of the infringement

According to the evidence in the file, it is considered to be proven

that the processing of the complainant's personal data carried out by
WENANCE, which signed a consumer credit contract in her name, was not
covered by any of the legal bases established in article 6.1 of the RGPD.

Therefore, the known facts constitute an infringement of article 6.1 of the
RGPD, classified in article 83.5.a) of the RGPD, a provision that provides:

“5. Infringements of the following provisions shall be punished, in accordance with
section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is higher:

a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9.”

In order to determine the limitation period for infringements, the provisions of

the LOPDGDD shall apply, which classifies the infringement charged to the defendant as very serious and sets a limitation period of three years for it. Article 72.1.a) of the LOPDGDD
provides:

“1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:

[...]
b) The processing of personal data without any of the conditions for the lawfulness of processing established in Article 6 of Regulation (EU) 2016/679 being met.”

VI
Proposed sanction

The corrective powers attributed to this Agency as a supervisory authority are

listed in Article 58.2 of the GDPR, paragraphs a) to j).

The provision mentions among them the power to impose an administrative fine in accordance with Article 83 of the GDPR (Article 58.2. i). Also, the power to order the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/28

data controller to comply with the provisions of the GDPR, where appropriate, in a certain manner and within a specified period (Article 58.2. d).

In the present case, WENANCE is subject to an administrative fine in accordance with Article 58.2.i) of the GDPR for its infringement of Article 6.1 of the
GDPR. Article 83 of the GDPR, “General conditions for the imposition of administrative fines”, states in its section 1 that the supervisory authority shall ensure that the

imposition of fines for infringements of this Regulation indicated in sections 4, 5 and 6, complies in each individual case with the principles of effectiveness,
proportionality and deterrent effect.

The principle of proportionality requires a correlation between the infringement and the sanction,

with the prohibition of unnecessary or excessive measures, so that it must be
suitable to achieve the purposes that justify it. Article 83.2 of the GDPR determines the
technique to be followed to achieve this adequacy between the sanction and the infringement committed and
offers a list of criteria or factors that must be taken into account to
grade the sanction.

In relation to the facts established, the following factors are observed, which reflect a greater unlawfulness of the conduct and/or the culpability of the
offending entity:

- Circumstance of article 83.2.a) GDPR: a) the nature, seriousness and duration
of the infringement, taking into account the nature, scope or purpose of the
processing operation in question as well as the number of interested parties
affected and the level of damages they have suffered;

The particular seriousness of the infringing conduct must be made clear. Indeed,
the negligence that occurs in this case has produced a special impact on the
legal sphere and the life of the claimant, since she has been forced to
take actions such as the necessary filing of two complaints with the security forces and
bodies; the exercise of the right of deletion before the respondent, and
to endure recovery actions for a debt of which she was not the true owner. All

of this is caused by the unlawful processing carried out by the respondent party

- Circumstance of article 83.2.k) RGPD: In relation to article 76.2.b)
LOPDGDD: The obvious link between the business activity of the

respondent and the processing of personal data.

WENANCE's corporate purpose is, among others, the provision of financial
services to the public. The execution of the contracts that you enter into with consumers in the
development of this activity requires you to process numerous personal data of

your clients or even third parties, from identifying data - such as name,
surname and NIF -, bank details for direct debit of collections or payments and the
postal address. This characteristic of your activity requires you to take extreme diligence in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/28

compliance with the obligations imposed by the personal data protection
regulations.

The concurrence of mitigating circumstances is not appreciated.

In accordance with the criteria of articles 83.1. and 83.2 of the GDPR, the infringement
of article 6.1 of the GDPR attributed to WENANCE is sanctioned with the imposition of
an administrative fine of €70,000 (SEVENTY THOUSAND euros)

VII
Exercise of the right to deletion

Along with the claim, a burofax addressed to WENANCE was attached, dated 12

August 2022, in which it communicates that it does not recognize the debt, nor that it
has contracted any credit with the defendant party; it also requires it to stop
processing its data in the future.

WENANCE acknowledges having received it, indicating that the deletion could not be accepted
because the execution of the contract was in force, in its opinion.

As stated in the report on preliminary investigations,
having requested a copy of the contacts maintained with the complainant in relation to
the reported events, WELP does not indicate any response to the burofax submitted by
the complainant dated August 12, 2022.

In this regard, article 17 of the GDPR establishes the following:

“1. The interested party shall have the right to obtain from the controller without undue delay the deletion of personal data concerning him or her, who shall be

obliged to delete personal data without undue delay when any of the
following circumstances apply:
a) the personal data are no longer necessary in relation to the purposes for which they
were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based in accordance with

point (a) of Article 6(1) or point (a) of Article 9(2) and there is

no other legal basis for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are

no overriding legitimate grounds for the processing, or the data subject objects to the

processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the

controller is subject;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/28

f) the personal data have been obtained in relation to the offer of information society services referred to in Article 8, paragraph 1.”

In relation to the exercise of this right, paragraphs 2 and 3 of Article 12 of the
RGPD establish the following:

“2. The controller shall facilitate the exercise by the interested party of his or her rights
under Articles 15 to 22. In the cases referred to in Article 11, paragraph 2, the controller shall not refuse to act at the request of the interested party in order to exercise
his or her rights under Articles 15 to 22, unless he or she can demonstrate that he or she is not in a position to identify the interested party.

3. The controller shall provide the data subject with information concerning its actions

on the basis of a request pursuant to Articles 15 to 22 without
undue delay and in any event within one month of receipt of the
request. That period may be extended by a further two months if necessary,
taking into account the complexity and number of requests. The controller
shall inform the data subject of any such extension within one month of receipt of the request, stating the reasons for the delay. Where the
data subject submits the request by electronic means, the information shall be provided by
electronic means where possible, unless the data subject requests that it be provided
otherwise.”

According to the documentation in the file, it has been established that the respondent party has breached Article 12 of the Regulation since, regardless of the underlying reasons alleged by it in relation to the appropriateness of exercising the right to erasure, it should have responded to the complainant party within one month in relation to the request to exercise the right to erasure.

VIII
Right to erasure. Classification of the infringement

According to the evidence available in this file, it is proven that the complaining party did not respond to the exercise of the right to erasure

in accordance with the provisions of Article 12 of the GDPR

Therefore, the known facts could constitute an infringement of Article 12 of the GDPR, as defined in Article 83.5.a) of the GDPR, which provides:

“5. Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is higher:

b) the rights of interested parties pursuant to Articles 12 to 22;

In order to determine the limitation period for infringements, the provisions of the LOPDGDD will apply, which classifies the infringement charged to the respondent as very serious and fixed

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/28

for it a limitation period of three years. Article 72.1 of the LOPDGDD
provides:

“1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:
[...]
k) The repeated impediment or obstruction or failure to comply with the exercise of the

rights established in Articles 15 to 22 of Regulation (EU) 2016/679.

IX
Proposed sanction

The corrective powers attributed to this Agency as a supervisory authority are
listed in Article 58.2 of the GDPR, paragraphs a) to j).

The provision mentions among them the power to impose an administrative fine in accordance
with Article 83 of the GDPR (Article 58.2. i). Also, the power to order the controller to comply with the provisions of the GDPR, where appropriate, in a certain manner and within a specified period (Article 58.2. d).

In the present case, WENANCE is subject to an administrative fine for the infringement of Article 12 of the GDPR pursuant to Article 58.2.i) of the GDPR.

Article 83 of the GDPR, “General conditions for the imposition of administrative fines”, states in its section 1 that the supervisory authority shall ensure that the imposition of fines for infringements of this Regulation indicated in paragraphs 4, 5 and 6 comply in each individual case with the principles of effectiveness,

proportionality and deterrence. The principle of proportionality requires a correlation between the infringement and the sanction,
with the prohibition of unnecessary or excessive measures, so that it must be
suitable to achieve the purposes that justify it. Article 83.2. of the GDPR determines the
technique to be followed to achieve this adequacy between the sanction and the infringement committed and

offers a list of criteria or factors that must be taken into account to
grade the sanction.

In accordance with the criteria of articles 83.1. and 83.2 of the GDPR, the infringement of
Article 12 of the GDPR attributed to WENANCE is sanctioned with the imposition of an

administrative fine of €2,000 (two thousand euros)

X
Adoption of measures

Once the infringements have been established, it is agreed to impose on the controller the adoption of
appropriate measures to adjust its performance to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/28

each supervisory authority may “order the controller or processor to
comply processing operations with the provisions of this Regulation, where appropriate, in a

specific manner and within a specified period…”.

It is considered that the respondent party must be ordered to proceed to respond to the request for the right of deletion exercised by the complaining party, within one month from the administrative finality of this resolution.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered as an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency,

RESOLVES:

FIRST: TO IMPOSE on WENANCE LENDING DE ESPAÑA, S.A., with NIF
A67194746, for an infringement of Article 6.1 of the GDPR and an infringement of Article
12 of the GDPR, both classified in Article 83.5 of the GDPR,

- a fine of SEVENTY THOUSAND EUROS (€70,000) for the infringement of Article 6.1

of the GDPR
- a fine of TWO THOUSAND EUROS (€2,000) for the infringement of Article 12 of the
GDPR

SECOND: TO ORDER WENANCE LENDING DE ESPAÑA, S.A., with NIF

A67194746, that by virtue of Article 58.2.d) of the GDPR, within ONE MONTH,
proves that it has responded to the request for the right of deletion
exercised by the complaining party.

THIRD: NOTIFY this resolution to WENANCE LENDING DE ESPAÑA,
S.A.. with NIF A67194746

FOURTH: This resolution will be enforceable once the deadline for filing the
optional appeal for reconsideration ends (one month from the day following the
notification of this resolution) without the interested party having made use of this faculty.
The sanctioned party is warned that he must make effective the sanction imposed once

this resolution is enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number IBAN: ESXX XXXX XXXX XXXX XXXX XXXX (BIC/SWIFT Code:
XXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/28

the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party
expresses his intention to lodge an administrative appeal.

If this is the case, the interested party must formally communicate this fact by means of a
written document addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through one of the other registries provided for in art. 16.4 of
the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the

documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal
within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

938-250923

Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es