AEPD (Spain) - EXP202201247: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00304-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00304-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...")
 
 
(2 intermediate revisions by 2 users not shown)
Line 90: Line 90:


=== Facts ===
=== Facts ===
The data subject affirms that their personal data were processed by the data controller with no consent for approving the buying of a car by the data subject's sister. The data controller defends that the data subject is co-owner of the car in dispute.
The data subject made a complaint against the data controller since their personal data was used for allowing the loan for their sister buying a car. The data subject affirms that their personal data were processed by the data controller with no consent and alleged that they were set as the guarantor of the buying without their knowledge. However, there was evidence proving that the data subject knew about the transaction and, as mentioned by the data controller, the data subject is actually the co-owner of the car in dispute, not its guarantor.


=== Holding ===
=== Holding ===
The DPA ruled that processing the personal data of a subject who is the co-owner of the car bought via contract is legitimate, considering Article 6 of the GDPR. Since the data subject is a part of the contract of ownership and does not act as a guarantor, there is a legitimate legal base for the processing of personal data.
The DPA ruled that processing the personal data of a subject who is the co-owner of the car bought via contract is legitimate, considering Article 6 of the GDPR. There is no need for consent of the data subject for the processing of personal data when they are part of a contract with the data controller. Since the data subject is a part of the co-owner of the car bought and does not act as a guarantor, the execution of a contract is a legitimate legal base for the processing of personal data. Thus, the DPA understood there was no breach of the GDPR.


== Comment ==
== Comment ==

Latest revision as of 13:17, 13 December 2023

AEPD - PS-00304-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(11) GDPR
Article 6 GDPR
Article 6(1) GDPR
Article 58(2) GDPR
Article 83(5) GDPR
Article 47 LOPDGDD
Article 48(1) LOPDGDD
Article 50 LOPDGDD
Article 6(1) LOPDGDD
Article 63(2) LOPDGDD
Article 65(4) LOPDGDD
Article 72(1)(b) LOPDGDD
Type: Complaint
Outcome: Rejected
Started: 14.01.2022
Decided:
Published: 28.11.2022
Fine: n/a
Parties: Data Subject
AUTOMOVILES FERSAN, S.A.
National Case Number/Name: PS-00304-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.maria.rosal

Spanish DPA ruled that the processing of the personal data of the co-owner of a car bought via a loan is legitimate, even without their direct consent, highlighting that the data subject was not acting as a guarantor.

English Summary

Facts

The data subject made a complaint against the data controller since their personal data was used for allowing the loan for their sister buying a car. The data subject affirms that their personal data were processed by the data controller with no consent and alleged that they were set as the guarantor of the buying without their knowledge. However, there was evidence proving that the data subject knew about the transaction and, as mentioned by the data controller, the data subject is actually the co-owner of the car in dispute, not its guarantor.

Holding

The DPA ruled that processing the personal data of a subject who is the co-owner of the car bought via contract is legitimate, considering Article 6 of the GDPR. There is no need for consent of the data subject for the processing of personal data when they are part of a contract with the data controller. Since the data subject is a part of the co-owner of the car bought and does not act as a guarantor, the execution of a contract is a legitimate legal base for the processing of personal data. Thus, the DPA understood there was no breach of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/6










- File No.: EXP202201247




                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based

to the following

                                   BACKGROUND

FIRST: On January 14, 2022, A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency.


The claim is directed against AUTOMOVILES FERSAN, S.A. with NIF A03071248
(hereinafter, the claimed party).

The reasons on which the claim is based are the following:


The claimant states that the claimant has made use of her personal data
to include them in a vehicle purchase contract without your consent.

The complainant states that her personal data was used without her consent

to guarantee the sale of a vehicle acquired by his sister, in the processing
for its financing.

He indicates that his sister made the purchase of the vehicle with the claimed entity, to
which, said entity managed the procedures to formalize a loan contract
financed by BMW BANK GMBH, using the claimant's data, to

obtain sufficient guarantee and carry out the operation.

When a non-payment occurs by the purchasing party, the financial institution demands the
payment to the claimant, and by requiring this last justification for the required collection, said
financial institution provides documents, described by the claimant as false, in which

In addition to the personal data of his sister, as the buyer of the vehicle,
They also add the personal data of the claimant, as well as her signature.

Provides legal demand, and exclusive credit contract in the name of B.B.B. (sister
of the claimant)


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on February 3, 2022, said claim was transferred to
the claimed party, so that it could proceed with its analysis and inform this Agency in the
within one month, of the actions carried out to adapt to the requirements

provided for in the data protection regulations.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/6








The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on February 4, 2022 as

It appears in the acknowledgment of receipt that is in the file.

On March 3, 2022, this Agency received a response letter
indicating that AUTOMÓVILES FERSÁN, through BMW Group Financial Services,
has a clear protocol on the documentation that must be requested when
a person applies for financing, this protocol is strictly applied by

part of the dealership, and this applies to all its commercials.

The four brothers of the family intervene at different times in this operation.
family (…), appearing as guarantors of the operation.


It is stated that the operation was approved and was viable, with the co-ownership of
Mrs. B.B.B. and Mrs. A.A.A..

The relationship of Ms. A.A.A. and his family with AUTOMÓVILES FERSÁN, SA from a
Chronological point of view is as follows:


 October 25, 2018. Ms. C.C.C. (Sister of Mrs. A.A.A.) asks for a
budget to AUTOMÓVILES FERSÁN, proposing the purchase and sale contract of the
vehicle in the name of a company that is going to be established.

 October 29, 2018, Ms. C.C.C. Send the census registration and payroll of Ms.

B.B.B.

 November 8, 2018 – D. D.D.D. (Brother of the claimant) send by
mail the income 2017 (model100) from Ms. B.B.B..

 November 9, 2018, 9:00. Since the operation required an input
The option of having guarantors to guarantee the operation is valued very highly.

 November 9, 2018 - – D. D.D.D. Send payroll and registration by email
Mrs. B.B.B. and he writes to (…) (employee of the claimed entity):

"Hello (…), I am attaching the payroll and registration.
When they ask you for a guarantor, tell me what documentation I have to provide.

All the best".

 November 9, 2018, 6:45 p.m. Once the study of Ms. B.B.B.
(sister of the claimant) have to provide collateral or entry of ***AMOUNT.€.

THIRD: On April 14, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.


FOURTH: On July 20, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in

hereinafter, LPACAP), for the alleged violation of article 6.1 of the RGPD, typified in
Article 83.5 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/6









FIFTH: The aforementioned initiation agreement has been notified in accordance with the rules established in

Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP), the claimed party presented a written
of allegations in which, in summary, he stated verbatim the following:

(…).



See Annex I. (…)



Annex II is sent. (…).

(…):


  (…).
  (…).

  (…).
  (…).


(…).



(…).

SIXTH: On August 11, 2022, the procedure instructor agreed to give
by reproducing for evidentiary purposes the claim filed by the claimant and
your documentation, the documents obtained and generated during the admission phase

processing the claim, and the report of previous investigation actions that
They are part of the procedure. Likewise, it is considered reproduced for the purposes
evidence, the allegations to the agreement to initiate the sanctioning procedure
referenced, presented by the claimed entity and the documentation that they
accompanies


SEVENTH: On August 30, 2022, a proposed resolution was formulated,
proposing that the Director of the Spanish Data Protection Agency
sanction AUTOMOVILES FERSAN, S.A. with NIF A03071248, for an infringement
of article 6.1 of the RGPD, typified in article 83.5 of the RGPD, and for the purposes of

prescription, by article 72.1 b) of the LOPDGDD, with a fine of 5,000 euros
(five thousand euros)

EIGHTH: On September 9, 2022, the claimed entity presents
allegations to the proposed resolution pointing out that the claim, in no way

moment he acts as a guarantor but as a co-owner.

It is further stated that:

• (…).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/6









• (…).


(…)

Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:


                                PROVEN FACTS

FIRST: The claimant affirms that her personal data has been used by the
defendant without his consent to endorse the sale of a vehicle

purchased by his sister

Provides legal demand, and exclusive credit contract in the name of B.B.B. (sister
of the claimant)



SECOND: The claimed entity states that the claimant is a co-owner, since
He and his sister bought the vehicle that was the subject of the conflict.

Provides:

  (…)
  (…)
  (…)

  (…)

                           FOUNDATIONS OF LAW


                                           Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47 and 48.1 of the Law

Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”









C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/6








                                            II

Article 4.11 of the GDPR defines the consent of the interested party as “any

manifestation of free, specific, informed and unequivocal will by which the
interested party accepts, either by a declaration or a clear affirmative action, the
processing of personal data that concerns you.”



In this sense, article 6.1 of the LOPDGDD establishes that “in accordance with the
provided in article 4.11 of Regulation (EU) 2016/679, consent is understood to be
ment of the affected person any manifestation of free, specific, informed and ineligible will.

ambiguity by which he accepts, either through a statement or a clear action
“Yes, the processing of personal data that concerns you.”

For its part, article 6 of the RGPD establishes the following:

"1. The treatment will only be legal if at least one of the following conditions is met:

nes:

a) the interested party gave his consent for the processing of his personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract in which the interested party

is part of or for the application at his request of pre-contractual measures;

c) the processing is necessary for compliance with a legal obligation applicable to the
responsible for the treatment;

d) the processing is necessary to protect vital interests of the interested party or another

Physical person;

e) the processing is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the controller;

 f) the processing is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that on said interests

interests or fundamental rights and freedoms of the interest do not prevail.
s that require the protection of personal data, particularly when the interest

sado be a child.

The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.”


                                            III

In the present case, the complaining party denounces AUTOMOVILES FERSAN, S.A.

because they demand payment from him as a guarantor for a vehicle that his
sister B.B.B. despite the fact that, in the financing contract, only his sister appears and
not her.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/6








The claimed entity has provided documentation that allows it to prove that the
claimant is the joint owner of the vehicle that caused the requested debt and therefore,

requires payment not as guarantor but as co-owner. Specifically, it provides the
judicial claim for non-payment, in which both the claimant and the
B.B.B. as owners of the vehicle and the financing contract.

Therefore, after proving that the claimant is the joint owner of the vehicle and clarifying in

concept of what the debt is claimed from, we must consider that the entity
claimed is legitimized for the use of the personal data of the
claimant, based on the prior execution of a purchase and sale contract, and therefore
Therefore, a violation of article 6 of the RGPD indicated in the
legal basis II.


Therefore, after becoming aware of these facts, the Director of the Agency
Spanish Data Protection RESOLVES:

FIRST: PROCEED TO THE ARCHIVE of these proceedings.


SECOND: NOTIFY this resolution to the claimant and defendant.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may

optionally file an appeal for reconsideration before the Director of the Agency
Spanish Data Protection Agency within a period of one month from the day
following the notification of this resolution or directly contentious appeal
administrative before the Contentious-administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the provision

fourth additional to Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within a period of two months from the following day
to the notification of this act, as provided for in article 46.1 of the aforementioned Law.



Sea Spain Martí
Director of the Spanish Data Protection Agency














C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es