AEPD (Spain) - EXP202307696

From GDPRhub
AEPD - EXP202307696
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(2) GDPR
Article 6(1) GDPR
Article 8 GDPR
Article 21 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.04.2024
Decided: 22.08.2024
Published: 11.10.2024
Fine: 50,000 EUR
Parties: Santander Consumer Finance S.A.
National Case Number/Name: EXP202307696
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined Santander €50,000 for processing a data subject’s personal data for advertisement purposes even after the data subject objected to the respective processing.

English Summary

Facts

On the 26 April 2023, the data subject filed a complaint with the AEPD for receiving postal advertising material despite having exercised their right to object to this.

The data subject had sent a letter to the controller on the 27 February 2023, requesting that his personal data exclusively be used to manage his credit card.

On the 7 March 2023, the controller responded to the data subject confirming the receipt of the request stating that in accordance with Article 21 and 18 GDPR, the controller has begun to give effect to the request. However, on the 23 April 2023, the data subject received advertising related to the granting of a loan contrary to his request.

Following the data subject’s complaint, the AEPD requested information from the controller.

On the 6 July 2023, the controller confirmed that the data subject had received another advertisement in the post after having objected to this form of processing of his personal data.

The controller argued that a human error of an employee caused the violation. The employee responsible for manually unticking the boxes relevant to the processing had failed to untick three boxes which is why the advertisement reached the data subject. It argued that the mistake had then been corrected on the 9 June 2023 and that therefore the violation had been remedied.

Further, the controller argued that a processor was responsible for the violation and therefore requested the dismissal of the proceedings.

Holding

Controller responsibility

With reference to Article 8 GDPR, the AEPD points out that the processor carries out their function on the instructions of the controller and that therefore violations of the GDPR are attributable to the controller. As Articles 5(2), 24, 28 and 32 GDPR set out, compliance monitoring of the processing is attributable to the controller regardless of the involvement of a processor. The AEPD established that the processor was acting on the instructions of the controller in sending the advertisements.

Gravity of the violation and setting the fine

The AEPD held that the controller did not adopt the required diligence as it did not prevent the processing after the request had been made.

Therefore, on the 12 April 2024, the controller was fined €50,000 under Article 83(5)(a) GDPR for violating Article 6(1) GDPR. In setting the fine, the AEPD purported that the violation of Article 6(1) GDPR is of sufficient gravity to warrant the fine of €50,000 in light of the controller’s annual turnover.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1 / 19
 File No.: EXP202317578 (PS/00546/2023)
RESOLUTION OF THE SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and
based on the following:
BACKGROUND
FIRST: On 09/26/23, A.A.A., (hereinafter, the complaining party)...