| AEPD - AI-00128-2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Other Outcome |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | AI-00128-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA held that a bank did not violate the GDPR when it was notified by the data subject of a possible fraudulent transaction as the bank had complied with its obligations under Article 32 GDPR.
English Summary
Facts
The data subject filed a complaint at the DPA against a bank (the controller) where the data subject had a bank account. The data subject stated that there had been a fraudulent withdrawal of €1,500, which did not match any transaction of the data subject.
After the data subject reported the withdrawal, the controller blocked the mobile application of the data subject for security reasons and reversed the transaction of €1,500. The controller also reported the incident to the police. After this, the controller launched an investigation.
The investigation unit of the DPA analysed the alleged fraudulent transaction and marked it as a ‘correct’ transaction, because no mistakes were found in the process.
The controller found that a facial recognition scan was used to facilitate the financial transaction as a form of biological authentication. To enable this facial recognition on a device, it is necessary to send a one-time password (OTP) key (by SMS) to a validated phone number of the user. OTPs allow for logging on to a service through a unique password that can only be used once. When this facial recognition (or other biometric authentication) is enabled, the user can approve transactions without additional two-factor authentication, and can simply use the biometric authentication option. The data subject was using this biometric option, according to the investigation unit.
The unit remarked that at the time of the transaction, the data subject had access to the information on the credit card, such as numbering, expiry date and CVV code. The data subject should also have been in the possession of the device on which biometric authentication was activated and could, therefore, also have authenticated the transaction by this enabled biometric authentication.
With regard to safety measures provided by the controller prior the transaction, the investigation unit found that the data subject was warned, both by e-mail and by a push notification, that online banking was registered on another mobile device with access to the bank account. The data subject was also warned with e-mail and push-notification that biometric authentication had been activated and that the data subject had been blocked after reporting the alleged fraudulent withdrawal.
It was also found that the OTP key to approve biometric authentication was send to a number that belonged to the data subject.
The investigation unit provided several screenshots as proof for these statements. After this assessment, the controller restored the original transaction of €1,500. The data subject complained at the customer service of the controller, but this complaint was denied.
Holding
After looking at the presented evidence, the DPA found no evidence of a breach that would fall under its jurisdiction. The DPA held that the controller had acted accordingly when notified by the data subject. Therefore, the DPA found no violation of Article 32 GDPR and ended the procedure.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7 File No.: EXP202201718 RESOLUTION OF FILE OF ACTIONS Of the actions carried out by the Spanish Agency for Data Protection and based on the following: FACTS FIRST: Don A.A.A. (hereinafter, the complaining party) dated December 27 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169 (hereinafter, the claimed party or BBVA). The grounds on which the claim is based are as follows: The claimant is the holder of an account opened in the claimed entity, which has associated with a debit card. It states that, on October 11, 2021, made a fraudulent charge on your card, corresponding to a purchase that the claimant had not made, of an amount of 1500 euros. As it is an amount high, the respondent entity proceeded, subsequently, to block the activity in the App of the claimant, for security. Provides a complaint filed with the Police, in date October 14, 2021, communication of the incident to the entity claimed, the October 14, 2021, screenshot regarding the fraudulent operation and claim before the OMIC, dated November 15, 2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on February 14, 2022 as It is stated in the acknowledgment of receipt that is in the file. On February 23, 2022, this Agency received a written response that it did not provide any information on the claim that was forwarded to it. THIRD: On March 22, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/7 in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: 1. The claimant is a customer of the claimed party under a credit card agreement credit, subscribed from remote banking on 04/28/2017. Provide a copy of the contract card which contains an agreed limit of 1,800 euros. The party complained against indicates that it has analyzed the operations carried out through the credit card linked to the aforementioned contract, and in this case the operations have been carried out by biometric signature, for which it has been necessary to activate the biometric access on the mobile and activate the signature with biometrics. They provide a record of sending two SMS to the mobile number indicating it was validated by the claimant, SMS in which they inform you of the OTP keys to authenticate the request (date 11 October 2021, same date as the claimed charge). They indicate that to register the biometric signature it is necessary to enter an OTP key which was sent by SMS to the claimant's validated mobile phone. The signature with biometrics allows customers to use their fingerprint, iris, or facial recognition to sign some of the operations carried out through the entity's app. Once activated, clients can sign their operations without the need to receive an SMS with a signature key. They indicate that in the case at hand, the operation with controversial credit card, the second authentication factor was the signature biometric that had previously been activated by validating the OTP key. The respondent reports that, as a result of the incident filed by the claimant, on October 14, 2021, in compliance with current regulations restored the payment account to the state it was in before the operation questioned. They provide an annulment note for the amount of 1500 euros, dated 15 October 2021. Next, the claimed party initiates, through the specialized fraud area, the investigative work, collecting records and documentation, both internal and external to determine if it is an operation carried out correctly from the operational point of view. They conclude after the analysis of the evidence and the report of the payment service provider, that the reported electronic commerce operation by the claimant from a strictly operational point of view should be considered correct, since it was carried out without errors, and without it being considered an operation not authorized under the terms established in the Payment Services regulations. They emphasize that at the time of the purchase the claimant had to: (i) have the information contained in the card, this is numbering, expiration date and code CVV; (ii) having in his possession the validated device where the complaining party had sent the OTP key to activate the signature with biometrics; (iii) validate the operation using facial, iris or fingerprint recognition. They indicate that they communicated to the claimant the resolution of the incident and proceeded to reverse the payment made to the claimant's account. Given this, the claimant filed a complaint with the Customer Service Department expressing their disagreement with the previous resolution. On November 23, 2021, the application was dismissed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
