AEPD (Spain) - EXP202200436

From GDPRhub
AEPD - PS-00203-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Fine: 3000 EUR
Parties: n/a
National Case Number/Name: PS-00203-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The DPA fined a former employer €3000 for debiting the bank-account of a former employee for an external service. The DPA held that the controller had processed the personal data without a legal basis under Article 6 GDPR.

English Summary


The data subject used to be an employee of the controller. The data subject claimed that there had been three automatic withdrawals from her bank account without its consent. The data subject stated that the controller used the money from these withdrawals to pay for an external service from a third party, the SGAE, a non-profit focused on the defense and collective management of copyright. The data subject stated that this would explain how the controller got the details of its back-account. The controller didn’t reply to questions and information-requests of the DPA. The data subject filed a complaint at the Spanish DPA.


The DPA held that the controller had violated Article 6(1) GDPR because the controller had processed the data subject’s personal data without their authorisation. The controller used the bank-account of the data subject to debit the account of the data subject without being able to prove the legitimacy of this processing of personal data. The DPA fined the controller €3000 for this lack of a legal basis for processing.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202200436
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:
FIRST: Ms. A.A.A. (hereinafter, the complaining party) dated November 23
2021 filed a claim with the Spanish Data Protection Agency. The
claim is directed against MARIELI GABRIELA, S.L. with NIF B87330726 (in
hereafter, the party claimed). The grounds on which the claim is based are
The claimant states that they were charged to her bank account, without her
consent the amounts corresponding to: 03/11/2021: XX,XX and YY,YY; the
11/17/2021: XX,XX and 11/23/2021: YY,YY.
It adds that the charges made correspond to a service contracted by the
claimed with the company General Society of Authors and Publishers (SGAE).
He indicates that he does not currently have an employment relationship with the respondent, but his
data could have been provided by this since she was employed by her six years ago
Along with the claim is provided:
The receipts charged to the claimant's current account, on the following days: 3, 17 and 23
November 2021. In the previous ones, SGAE appears as the payer, as the
Marieli Gabriela, S.L. and as payer the claimant.
Likewise, it provides the payroll received from the claimed corresponding to the month of
January 2021.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
(hereinafter, LPACAP) by electronic notification, was not collected by
the person in charge, within the period of making available, understanding rejected
in accordance with the provisions of art. 43.2 of the LPACAP on February 4, 2022,
as stated in the certificate in the file.
C/ Jorge Juan, 6
28001 – Madrid
Subsequently, the transfer, which was carried out in accordance with the rules established in the
Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) by certified mail,
was returned as refused; reiterating again the transfer by electronic means and
notified on February 22, 2022.
No response has been received to this transfer letter.
THIRD: In accordance with article 65 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD), when submitted to the Spanish Agency for Data Protection
a claim, it must evaluate its admissibility for processing, and must notify the
the claimant party the decision on the admission or inadmissibility for processing, within the period of
three months from when the claim was received by this Agency. Yes, elapsed
this term, if said notification does not occur, it will be understood that the
processing of the claim in accordance with the provisions of Title VIII of the Law.
In this case, taking into account the foregoing and that the claim is
presented in this Agency, on November 23, 2021, it is reported that his
claim has been admitted for processing on February 23, 2022 after
three months since it entered the AEPD.
FOURTH: On May 30, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
for the alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the
FIFTH: Notification of the aforementioned start-up agreement, through the postal service on the 9th of
June 2022, being unknown and from the BOE on the 13th of the same month year,
in accordance with the regulations established in Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP) and after the term granted for the formulation of allegations, it has been
verified that no allegation has been received by the respondent.
In accordance with art. 42.1 of Law 39/2015, of October 1, on Procedure
Common Administrative of the Public Administrations, the notification was put to
provision of the interested party so that he could access the content of the same
Article 64.2.f) of the LPACAP - provision of which the respondent was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period on the content of the initiation agreement, when
it contains a precise statement about the imputed responsibility,
may be considered a resolution proposal. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the
imputation, the infraction of the RGPD attributed to the claimed and the sanction that could
prevail. Therefore, taking into consideration that the respondent has not
formulated allegations to the agreement to initiate the file and in attention to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is
considered in this case proposed resolution.
C/ Jorge Juan, 6
28001 – Madrid