AEPD (Spain) - PS/00028/2022

From GDPRhub
AEPD - PS-00028-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
72, 73, 77 Spanish Data Protection Act
Type: Complaint
Outcome: Upheld
Started: 31.03.2021
Decided:
Published: 03.02.2023
Fine: n/a
Parties: Getafe City Council
National Case Number/Name: PS-00028-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mapez

The Spanish DPA issued a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR. The administration had mistakenly published an Excel sheet containing personal data, which was also not properly removed after the data subject notified both the administration and the DPA.

English Summary

Facts

On 31 March 2021, the City Council of Getafe (controller) published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change. The Excel sheet included several categories of data, such as name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but the vast majority of the data subjects that were mentioned were included several times in the list. It later turned out that seventeen people were affected by the breach. The controller had wanted to publish a call for a plenary session, but instead published this Excel document by accident.

On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. After this, the controller unlinked the Excel sheet from its website, so that it would not be available when navigating the controller website. There was therefore no way to reach the Excel sheet any longer by navigating the controller's website. It became clear later that no specialised IT personnel had worked on this solution.

However, the Excel sheet itself was not deleted from the internet and stayed online as an "orphan document". This meant that the Excel sheet could still be accessed by typing its exact URL into the browser. People who were aware of the exact URL could therefore potentially still access the Excel sheet. The DPA confirmed that it was still possible to access the file on the controller's website on 1 December 2021. The controller deleted the file on 24 January 2022.

Despite the fact that the Excel sheet stayed online for several months after the initial complaint, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be accessed through the exact URL and not through any link on the controller's website. This was also the reason why the controller decided not to inform the affected data subjects. Also, the controller had not identified any serious harm as a result of this data breach.

Holding

First, the DPA found a violation of Article 5(1)(f) GDPR, since the publication of the Excel sheet enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.

Second, the DPA found a violation of Article 32 GDPR. The DPA held that Article 32 GDPR requires the controller to have a complete protocol that must not only prevent the occurrence of the contingency but, once it has occurred, react to the materialisation of the risk, so that the controller can guarantee the security of the processing. In this case, the controller failed to notice that the Excel sheet stayed online on its website. The DPA also considered the fact that the controller did not involve IT services in this process, which the DPA considered 'obvious' in a situation like this. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks resulting from the breach. The controller also should have considered potential further risks resulting from the breach. The controller's argument that no data subjects were affected by the breach was disregarded by the DPA.

Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the level of severity of the data breach after it had occurred. In this case, the DPA found that there were risks to the rights and freedoms of data subjects because of the breach. The controller should have notified the DPA, regardless of the fact whether harm had been caused to the data subjects.

On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringements of Articles 32 and 33 GDPR as "serious" offences, whilst the violation of Article 5(1)(f) GDPR was considered a "very serious" offence. The DPA issued warnings for all of the above violations.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

AEPD - PS/00305/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 22.02.2023
Fine: 24,000 EUR
Parties: MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
National Case Number/Name: PS/00305/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA fined Mapfre, an insurance company, for a violation of Article 6 GDPR for processing personal data for an insurance policy without a legal basis. The initial fine was €30,000, but the procedure was closed after the voluntary payment of €24,000 by the controller.
The controller in this decision is Mapfre, a Spanish insurance company.

In June 2021, the data subject requested access to his personal data. After two months, the controller had not provided an answer.

According to the information which was later provided by the controller, the data subject was listed as the holder of nine insurance policies and had been responsible for submitting three insurance claims. However, the data subject claimed that he had never had any contract with the controller. He requested the controller to block his data and to provide him with proof that he had taken out the insurance policies and authorised the processing of his data. In response, the controller stated that the personal data had been blocked. Additionally, the controller stated that the personal data it held had either been provided by the data subject himself or had been generated as a result of his relationship with the controller.

On 9 September 2022, the data subject filed a complaint with the Spanish DPA. During the proceeding, the DPA requested information from the controller. This additional information revealed that the data subject was registered in the controller's systems as the policyholder of one single automobile insurance policy. However, there were also eight other policies in which the data subject was named as the 'usual driver', identified as an employee. According to the controller, the data subject had acted as the responsible person/manager for the eight insurance policies where the employer was the policyholder. The data subject was the controller's contact person regarding these eight insurance policies.

It appeared that the single insurance policy where the data subject was named as the policyholder had been a mistake. However, according to the controller, the data subject had to be aware of all the insurance policies. With regard to the single policy where the data subject himself was the policyholder, the controller stated that the data subject had submitted a copy of his ID, driving licence and other documentation in order to formalise the insurance. Regarding the eight other policies where the data subject was named as the regular driver, the controller stated that the data subject had underwritten these insurance policies and therefore had to be aware of their existence.
The controller also stated that the single policy was concluded by an insurance agent and that this insurance agent had not acted according to the instructions provided by the controller.
The main issue stems from the single policy in which the data subject was mentioned as the policyholder. The DPA confirmed that the insurance agent, who had sold this insurance, was a processor acting on behalf of the controller. However, the DPA also determined that it was the controller who was liable for this issue. The fact that this processor did not comply with the technical instructions from the controller did not exonerate the controller from its liability.
Since the controller was liable for the processing, the DPA determined that the controller had processed the data of the data subject without being able to demonstrate that it had the legal authority to do so. Therefore, the controller would have to prove that the data subject had actually applied for the insurance and that all the requirements were fulfilled. However, the controller was apparently not able to do so. In the single insurance policy, the data subject was mentioned as the policyholder, despite the fact that he never consented to the contract for this insurance. Therefore, there was no legitimate basis for the processing. This resulted in a violation of Article 6(1) GDPR.
The initial penalty for this violation was €30,000, but the procedure was ended after the voluntary payment of €24,000 by the controller, in accordance with Spanish administrative law.
The data subject requested 'the blocking of his personal data' in this decision. This refers to Article 32 of the Spanish Data Protection Act (LOPDGDD).

English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202203956
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT
Of the procedure instructed by the Spanish Data Protection Agency and based on the following
                                  BACKGROUND
FIRST: On September 9, 2022, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. (hereinafter, the claimed party). Once the initiation agreement had been notified and the allegations submitted had been analysed, the proposed resolution was issued on November 25, 2022, which is transcribed below:
<<
File No.: EXP202203956
PROPOSED RESOLUTION OF THE SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Data Protection Agency and based on the following:
                                  BACKGROUND
FIRST: D.A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on February 28, 2022. The claim is directed against Mapfre España Compañía de Seguros y Reaseguros, S.A., with NIF A28141935 (hereinafter, the claimed party or Mapfre). The grounds on which the claim is based are as follows:
The claimant states that, in June 2021, he asked Mapfre to provide him with the data it held about him in its databases.
Subsequently, after more than two months without receiving a response, he contacted the claimed party by email and was informed that his request had been answered and a copy provided, which had been sent to an address that was not his.
He adds that he appears as the holder of nine policies and as responsible for three claims, when he has never formalised any contract or insurance with Mapfre, nor filed any accident report.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18
He further indicates that he communicated these facts to the claimed party and requested the blocking of his data. In addition, he requested that they provide him with the documents he had supposedly signed to contract said policies, to file the claims, and to authorise the processing of his data.
Mapfre told him that his data had been blocked, and later sent him a letter informing him that his data had been provided by him or generated as a result of the management or development of his relationship with Mapfre.
Among other things, he provides the following documentation:
1. Letter addressed to the claimed party dated June 2, 2021, exercising the right of access.
2. Response of the claimed party dated June 18, 2021, sent to an address different from his, informing him of the data that appears in its applications and is subject to processing, in which he appears as the holder of nine policies and as responsible for three accidents.
3. Letter dated September 13, 2021 requesting Mapfre to block his personal data, and also requesting: a copy of the contracting documents, of the authorisation and consent for the use of his data, a copy of the accident reports filed in his name, and the deletion of his data.
4. Email from Mapfre dated October 8, 2021, informing him that his data has been deleted from Mapfre.
5. Mapfre's response dated December 10, 2021, informing him that the data communicated had been provided by the claimant.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), said claim was transferred to the claimed party so that it could analyse it and inform this Agency, within one month, of the actions carried out to comply with the requirements established in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on March 31, 2022, as appears in the acknowledgment of receipt in the file.
On May 4, 2022, this Agency received a written response indicating:
<<From the investigations carried out, it can be deduced that the claimant was registered in our systems as the policyholder of a single auto policy, and as habitual driver of various policies of the company FURCORENT.
For clarification purposes, it should be specified that, based on the information we have been able to obtain, the claimant provided his professional services as a manager or collaborator of the company FURCORENT, S.L., policyholder of said policies, and intervened on its behalf in the management of the policies contracted with my client on multiple occasions.
Taking into account the foregoing, it should be noted that, as my client has tried to clarify to the claimant, one of the policies - specifically, number *** POLICY.1 - was signed by the claimant as policyholder, a circumstance which the interested party cannot ignore given that, although the request for a quotation was promoted by the company FURCORENT, S.L., it was the claimant himself who directly sent a copy of his ID, driving licence and other documentation necessary to formalise the policy to my client.
We attach as document no. 7 a copy of the email sent by D. A.A.A. to the mediator of the policy, accompanied by a copy of his ID and driving licence.
The remaining policies were subscribed by FURCORENT, S.L., which listed the claimant as habitual driver of the insured vehicles, a fact of which the claimant cannot be unaware given that, based on what was declared to us at the time and subsequently confirmed by the mediator of the policies, he had intervened in the subscription process and development of said contracts as manager of said company to which he provided his services.
In this sense, from the analysis of the background information related to the facts to which the claim refers, it has been verified that all the personal data related to the claimant were obtained by my client directly from the claimant or through the company FURCORENT, S.L., to which he had been providing his services as a manager, and were processed within the framework of the contractual relations in which the claimant was listed, either as policyholder or as regular driver, respecting at all times the regulations on the processing of personal data and without harming his rights and freedoms in this matter.
In any case, once my client received the request for deletion made by the claimant, the appropriate measures were adopted for the deletion and blocking of his personal data, attending at all times to his rights and without causing any harm to the interested party>>.
THIRD: In accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), when a claim is submitted to the Spanish Data Protection Agency (hereinafter, AEPD), it must evaluate its admissibility for processing and must notify the claimant of the decision on the admission or non-admission of the claim within three months from the date the claim was entered into this Agency. If, after this period, there is no such notification, it will be understood that the processing of the claim continues in accordance with the provisions of Title VIII of the Law. Said provision is also applicable to the procedures that the AEPD has to process in the exercise of the powers attributed to it by other laws.
In this case, taking into account the foregoing and that the claim was filed with this Agency on February 28, 2022, it is communicated that the claim was admitted for processing on May 28, 2022, three months having elapsed since it entered the AEPD.
FOURTH: On September 9, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR.
FIFTH: Having been notified of the aforementioned initiation agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written statement of allegations in which, in summary, it states that: "First, MAPFRE ESPAÑA
has a sufficient legal basis for the processing of the personal data of the
claimant. This basis of legality is based on the contractual relationship established with
the policyholder, FURCORENT company, and consequently with all the
figures involved in this, as indicated in article 99 of Law 20/2015,
management, supervision and solvency of insurance companies and
reinsurance companies (LOSSEAR), where it is stated: "insurance companies
may process data of policyholders, insured, beneficiaries or third parties
injured parties, as well as their successors without the need for their
consent for the sole purpose of guaranteeing the full development of the
insurance contract and compliance with the obligations established in this Law and
in the development provisions". The contractual relationship is established with the
company FURCORENT through the issuance of the different policies and the
perfection of the contract through the payment of the first premium of these
according to article 15 of Law 50/1980, of October 8, on Insurance Contracts
(LCS).
MAPFRE ESPAÑA, as required by articles 10, 11, 12, 93 and 94 of the LCS,
prior to entering into the contract with FURCORENT, must request
certain information from the policyholder that allows it to assess the risk
(risk statement). This declaration is effective for the entire life of the
contract (aggravations, risk reduction, exclusions, inaccurate statements,
falsehood, etc.). At this point the FURCORENT policyholder was aware of its
obligation to declare true data, knowing that the factors related to the
policyholder, owner, drivers and the vehicle are taken into account for the
risk assessment and premium calculation. Consequently, in the event of
reserve or inaccuracy in its statement, the insurer's benefit will be reduced
proportionally to the difference between the agreed premium and that which would have been
applied if the true entity of the risk was known; where facts have been omitted
due to bad faith, MAPFRE ESPAÑA will be released from the payment of the benefit.
Document 1. This information includes, but is not limited to, the statement of the following
figures, which the company FURCORENT identifies as follows: - Policyholder:
the company FURCORENT. - Owner of the asset to be insured: the company
FURCORENT. - Policy payer: the company FURCORENT. - Regular driver:
the claimant, identified as an employee. MAPFRE ESPAÑA accredits through
Document 2 the date of registration in our systems of the data of the
claimant, precisely one day before the issuance of the policies requested by the
FURCORENT company. Therefore, his registration is due solely and exclusively to the
communication of his data by the company FURCORENT as a regular driver. It is
attached as Document 3 the email of the company FURCORENT to the
mediator requesting the quote (premium determination), and the
WhatsApp conversations in which it requests various issuances. The list of policies issued at the
request of the company FURCORENT is the following, contained in Document
4, listed in the following order: - *** POLICY.2. Attached as document PN1
- Attached as document PN2 - *** POLICY.4. Attached as
document PN3 - *** POLICY.5. Attached as document PN4 - *** POLICY.6. Attached
as document PN5 - *** POLICY.7. Attached as document PN6 - *** POLICY.8.
Attached as document PN7 - *** POLICY.9. Attached as
document PN8. Likewise, the payment of the corresponding receipts is accredited
through Document 5. Second: In the particular clauses of each of the
policies issued (Document 4), it is expressly stated: "In the event that the data
provided refer to natural third parties other than the
Policyholder/Insured/Affected, he guarantees to have collected and to have
their prior consent for the communication of their data and to have
informed them, prior to their inclusion in this document, of the
purposes of processing, communications and other terms provided therein and in the
Additional Data Protection Information." It can be concluded, therefore, that
it is the POLICYHOLDER who has the obligation to inform and obtain the
consent to transfer to MAPFRE ESPAÑA the data of the figures of the policy
that communicates to the insurer. The sequence by which communication occurs
to MAPFRE SPAIN of the data of the habitual driver is the following: The manager of
FURCORENT uses the WhatsApp channel, through the telephone number
***TELEPHONE.1 included in all policies to contact the MAPFRE mediator
SPAIN and provide the necessary information in the elaboration of the budget and the
policy issuance. In these conversations it becomes clear that the manager of
the company FURCORENT requests the issuance of these and identifies as the driver
habitual to the employee of his company the claimant. Attached as Document 6
conversation in which the Manager of the company unequivocally identifies the
claimant as driver. Likewise, it is FURCORENT, through the mail
email ***EMAIL.1, the one that sends the DNI and the driving license of the claimant.
The manager states that it is the claimant himself who is sending this email. to be
of an employee or collaborator. Document 7. Therefore, the lawful origin is presumed
of the data communicated, and of the documents provided. By way of observation,
We want to state that in the hypothetical case of employment relationship or
collaboration, any company could have a copy of the DNI (format
document), but usually does not have a driver's licence, unless it is
ask your employee or collaborator, expressly, for a purpose
determined, and the person gives it freely to respond to that need. He
Document 7 evidence, that in the event that it was not the claimant who contributed
this documentation directly to the defendant, the company did have both
documents. Furthermore, it is the FURCORENT company that must
certify the origin of the data and documents sent to MAPFRE ESPAÑA and the
basis of legality that it has to communicate them. Third, in the exercise of the right to
access made by the claimant, on June 2, 2021, and later on June 9, 2021.
August, not only requests general information on the data contained in MAPFRE
SPAIN (with which it states that it has not had, nor does it have any relationship), declares in
their first communication to have a special interest in knowing if "there has been any
part with your data or any information that could damage your reputation
as a driver for insurance purposes. In its second request, it also states
require: - those policies in which you appear as a driver - the accident reports
who have communicated with your data - data relating to your accident rate
and if there has been any change in your assessment as a driver. attached as
Documents 8 and 9, the aforementioned requests, from which it can be deduced that the
terminology used by the claimant regarding the figures of the policy, (not
mentioned in the attention of your right of access), in what refers to your
condition of regular driver, which in the event that the company FURCORENT
has used the data of the claimant without the corresponding authorization, the latter
least he was aware of the situation. Fourth, as an exception to cases
previously mentioned, whose basis of legality is based on the relationship
contract between the company FURCORENT and MAPFRE ESPAÑA, is the policy
0***POLICY.101 in which the claimant not only appears as a habitual driver,
also as policyholder and attached as Document 10
In this case, the manager of the FURCORENT company sends via WhatsApp the technical
file of the vehicle to be insured, indicating that the claimant is again included as
driver, Document 11. From the investigations carried out, it is concluded
that the mediator (who, under the Mediation Law, has with MAPFRE ESPAÑA
a data processor contract) in this case has breached the
technical instructions for issuance and contracting (Document 12) established by
MAPFRE. In the same way, it has breached its obligations as data
processor, with the purpose, we understand, of offering a different price to that
which would be obtained if it complied with the norms of Document 13, processing agreement. No
We found evidence of a possible operational error. It is provided as information
Additional Document 14 that shows the communications between the
mediator and the Manager of the company, to quote and issue different policies Measures
adopted to prevent similar situations from occurring - In the event that the
issuance of the last policy responds to non-compliance by the mediator, and not to
an operational error, disciplinary measures will be taken against the mediator who has
breached its obligations as MAPFRE ESPAÑA data processor.
It will be instrumentalized through an audit that reveals the reality of
what happened. - Analyze the adequacy of existing operational controls. -
Reinforce the awareness and training of mediators For all of the above,
REQUESTS that you consider this document submitted together with the documentation
accompanies it, please admit it, process it, and consequently and in accordance with the
provisions of Organic Law 3/2018, of December 3 on Data Protection
Personal and guarantee of digital rights, proceed by that Spanish Agency
of Data Protection to resolve declaring the absence of responsibility of
MAPFRE in the facts of which it brings cause".
SIXTH: On October 3, 2022, the procedure instructor agreed to
perform the following tests:
1. The claim filed by D. A.A.A. and its documentation, and the documents obtained and generated during the phase of admission of the claim for processing.
2. Likewise, the allegations to the initiation agreement of the referenced sanctioning procedure, presented by Mapfre España Compañía de Seguros y Reaseguros, S.A., and the documentation accompanying them, are considered reproduced for evidentiary purposes.
SEVENTH: A list of the documents in the file is attached as an annex to the procedure.
From the actions carried out in this procedure and from the documentation in the file, the following facts have been accredited:
                                PROVEN FACTS
FIRST: The claimant states that he appears as the holder of nine insurance policies and as responsible for three accidents, when he has never formalised any contract or insurance with Mapfre, nor filed any accident report.
SECOND: The claimed entity states that in the policies ***POLIZA.2; *** POLICY.3; 2***POLICY.4; *** POLICY.5; *** POLICY.6; *** POLICY.7; *** POLICY.8; *** POLICY.9 the policyholder is the company FURCORENT and their habitual driver is the claimant, identified as an employee, except in policy 0***POLIZA.101, in which the claimant appears not only as habitual driver but also as policyholder.
THIRD: The Exclusive Insurance Agent Contract formalised with Mapfre by the Agent on March 25, 2015 appears in the file.
                           FUNDAMENTALS OF LAW
                                           I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
                                          II
In relation to the allegations made by the claimed party, that the mediator
has a treatment manager contract with Mapfre and that in this case, it has
breached the technical issuance and contracting instructions established by
Mapfre, in relation to policy 0***POLIZA.101, in which the claimant not only
appears as a habitual driver, but also as a policyholder, you must
state that Royal Decree-Law 3/2020, of February 4, on urgent measures for
which incorporates into the Spanish legal system various directives of the Union
Union in the field of public procurement in certain sectors; insurance; private
private; pension plans and funds; of the tax field and tax litigation,
establishes in its article 203 the Condition of person in charge or in charge of the treatment.
"1. For the purposes provided in Organic Law 3/2018, of December 5, as well as in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data:
a) Insurance agents and bancassurance operators will have the status of processors of the insurance company with which they have entered into the corresponding agency contract, under the terms provided in title I.
b) Insurance brokers and reinsurance brokers will have the status of controllers with regard to the data of the persons who come to them.
c) The external collaborators referred to in article 137 will have the status of processors of the insurance agents or brokers with whom they have entered into the corresponding commercial contract. In this case, they may only process the data for the purposes provided in article 137.1.
2. In the case provided for in letter a) of section 1, the agency contract must record the points provided for in article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. Similarly, in the case provided for in section 1.c), the commercial contract entered into with external collaborators must include the points provided for in article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016.
3. Insurance companies may not keep the data provided by insurance mediators that do not result in the conclusion of an insurance contract, and are obliged to delete them unless there is another legal basis that allows lawful data processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016."
Therefore, the insurance agent has the status of processor with respect to the insurance company with which it has entered into the corresponding agency agreement.
In the case examined, from the regulations set out and the statements made by the claimed party, it can be inferred that the latter acts as controller.
Article 4.8 of the GDPR defines the processor as the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
All processing of personal data carried out by a processor must be governed by a contract or other legal act under Union or Member State law entered into between the controller and the processor, as stipulated in Article 28, paragraph 3, of the GDPR.
In this regard, Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR, adopted by the European Data Protection Board (EDPB) on 7 July 2021, detail the following:
"Although the elements provided for in Article 28 of the Regulation constitute its essential content, the contract must serve so that the controller and the processor clarify, by means of detailed instructions, how these fundamental elements will be applied in practice. Therefore, the processing contract should not be limited to reproducing the provisions of the GDPR, but must include more specific and concrete information about how the requirements will be met and the degree of security that will be required for the processing of the personal data covered by the processing contract. Far from being a merely formal exercise, the negotiation and stipulation of the conditions of the contract serve to specify the details of the processing."
They add that "In general, the processing contract establishes who is the determining party (the controller) and who is the party that follows the instructions (the processor)". Now, "If a party decides in practice how and why personal data is processed, that party will be the controller, even if the contract stipulates that it is the processor".
To determine the responsibility of the claimed party, it must be taken into account that, if a processor infringes the Regulation by determining the purposes and means of processing, it will be considered a controller with respect to that processing (article 28, paragraph 10, of the GDPR).
Regarding "purposes and means", the aforementioned guidelines include the following considerations:
"(...)
Dictionaries define the word purpose as an "anticipated result that is pursued or that guides the planned action" and the word means as the "way in which a result is obtained or an objective is achieved".
(...)
The determination of purposes and means is equivalent to deciding, respectively, the why and the how of the processing: in a particular processing operation, the controller is the party that determines why the processing takes place (i.e. "for what purpose" or "what for") and how this objective will be achieved (i.e. what means will be used to achieve it). A natural or legal person who thus influences the processing of personal data participates, therefore, in the determination of the purposes and means of such processing in accordance with the definition provided for in article 4, point 7, of the GDPR.
The controller must decide both on the purpose and on the means of the processing, as described below. Consequently, it cannot limit itself to determining the purpose: it must also make decisions about the means of the processing. In contrast, the party acting as processor can never determine the purpose of the processing. In practice, if a controller uses a processor to carry out the processing on its behalf, the processor will usually be able to make some of its own decisions about how to do this. The EDPB recognises that the processor can enjoy a certain margin of manoeuvre to make some decisions about the processing. In this sense, it is necessary to clarify what degree of influence on the "why" and "how" entails that an entity is considered a controller, and to what extent the processor can make its own decisions.
(...)"
In this case, taking into account the above, it can be concluded that the mere fact that the processor fails to comply with Mapfre's instructions does not release the defendant from liability. It has not been proven that the processor was acting as controller, since the processing was carried out following the controller's instructions.
Thus, the claimed party violated article 6.1 of the GDPR, since it carried out the processing without proving that the claimant had contracted legitimately, that it had the claimant's consent for the collection and subsequent processing of her personal data, or that there was some other cause making the processing lawful. Consequently, it processed the claimant's personal data without having proven that it had the legal authorisation to do so.
Article 6.1 of the GDPR states that processing "will be lawful if it is necessary for the performance of a contract to which the data subject is a party".
It was therefore essential that the claimed party prove before this Agency that the claimant had taken out said policy.
The claimed party has provided this Agency with the issued policies: *** POLICY.2; *** POLICY.3; 2***POLICY.4; *** POLICY.5; *** POLICY.6; *** POLICY.7; *** POLICY.8; *** POLICY.9, in all of which the company FURCORENT appears as policyholder and the claimant, identified as an employee, appears as habitual driver.
However, Mapfre certifies that policy 0***POLIZA.101 shows the claimant as policyholder.
In its defence, the claimed entity has stated that the mediator has a processor contract with Mapfre and that, in this case, it breached the technical issuance and contracting instructions established by Mapfre, and it has provided the processing contract.
Well, the responsibility falls on the controller (Mapfre), not on the processor (the agent), except in the case of article 28.3 of the GDPR in which the processor was acting as controller.
Therefore, it is considered that the claimed entity has violated article 6 of the GDPR, for carrying out a processing of personal data without a legitimate basis.
                                            III
Article 6.1 of the GDPR establishes the conditions under which the processing of personal data is lawful:
"1. Processing will only be lawful if it meets at least one of the following conditions:
a) the data subject gave consent for the processing of his or her personal data for one or more specific purposes;
b) the processing is necessary for the performance of a contract to which the data subject is a party or for the application, at the request of the latter, of pre-contractual measures;
c) the processing is necessary for compliance with a legal obligation applicable to the controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.
The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions."
Recital 40 of the GDPR also bears on this question of the lawfulness of processing, when it provides that "In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject or some other legitimate basis laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the need to comply with a legal obligation to which the controller is subject or the need to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract".
It should be noted that in one of the insurance contracts, as acknowledged by the claimed party, the claimant appears as the policyholder and did not consent to the contracting; therefore, there is no legitimising basis among those included in article 6 of the GDPR.
The GDPR applies to personal data, defined as "any information about an identified or identifiable natural person ("data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of that person".
Hence, the claimant's data was processed without a legitimising basis.
                                            IV
In accordance with the evidence available at the present time of the agreement to initiate the disciplinary procedure, and without prejudice to what results from the investigation, it is considered that the facts described fail to comply with article 6.1 of the GDPR, which could constitute an infringement typified in article 83.5 of the GDPR, which provides the following:
"Infringements of the following provisions will be penalised, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including the conditions for consent, under articles 5, 6, 7 and 9;
b) the rights of data subjects in accordance with articles 12 to 22; [...]".
The LOPDGDD, for the purposes of the limitation period of the infringement, qualifies in its article 72.1 as a very serious infringement, with a limitation period of three years in this case, "b) the processing of personal data without fulfilment of any of the conditions of lawfulness of processing established in article 6 of Regulation (EU) 2016/679".
                                            V
In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, which state:
"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is effective, proportionate and dissuasive in each individual case."
"Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due regard shall be given to:
        a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of data subjects affected and the level of damage they have suffered;
        b) the intentional or negligent character of the infringement;
        c) any action taken by the controller or processor to mitigate the damage suffered by the data subjects;
        d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures implemented under articles 25 and 32;
        e) any previous infringement committed by the controller or processor;
        f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its potential adverse effects;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
        i) where the measures indicated in article 58, paragraph 2, have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
        j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with article 42; and
        k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, through the infringement."
Regarding section k) of article 83.2 of the GDPR, article 76 of the LOPDGDD, "Sanctions and corrective measures", provides:
       "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
       a) The continuing nature of the infringement.
       b) The link between the offender's activity and the processing of personal data.
       c) The benefits obtained as a consequence of the commission of the infringement.
       d) The possibility that the conduct of the affected party could have led to the commission of the infringement.
       e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
       f) The effect on the rights of minors.
       g) Having, when not mandatory, a data protection officer.
       h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject."
From the documentation provided, it can be deduced that there is only one policy in which the claimant appears as the policyholder. In the others, by virtue of the sectoral regulations, liability can be excluded because the claimant appears as habitual driver of vehicles of the company taking out the insurance and she provided her ID and driver's licence, for which reason the penalty to be imposed on the defendant should be reduced.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:
As a mitigating factor:
      The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its potential adverse effects. Appropriate measures have been adopted aimed at deleting and blocking the claimant's personal data (article 83.2 c) of the GDPR).
As an aggravating factor:
      That it is a company whose main activity is linked to the processing of personal data, in accordance with article 76.2.b) of the LOPDGDD. The business activity carried out by the defendant requires continuous processing of client data, as it is dedicated to the sale and management of insurance.
                                            VI
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 30,000 € for violation of article 83.5 a) GDPR.
In view of the foregoing, the following is issued
                           PROPOSED RESOLUTION
That the Director of the Spanish Data Protection Agency sanction MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A., with NIF A28141935, for a violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, with a fine of 30,000 euros (thirty thousand euros).
Likewise, in accordance with article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a 20% reduction of its amount. With this reduction, the sanction would be set at 24,000 euros and its payment will imply the termination of the procedure. The effectiveness of this reduction is conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.
If you choose to proceed to voluntary payment of the amount specified above, in accordance with the aforementioned article 85.2, you must make it by depositing it in restricted account no. ES00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000, open in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the cause, "voluntary payment, reduction of the amount of the sanction". You must also send proof of payment to the Sub-Directorate General of Inspection so that the file can be closed.
By virtue of this, you are notified of the foregoing and the procedure is made available to you so that within TEN DAYS you may allege whatever you consider in your defence and present the documents and information you deem pertinent, in accordance with Article 89.2 of the LPACAP.
C.C.C.
INSPECTOR/INSTRUCTOR
                                     EXHIBIT
File index EXP202203956
02/28/2022 Claim by A.A.A.
03/31/2022 Transfer of claim to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
05/03/2022 Response to A.A.A.
05/04/2022 Allegations of MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
05/04/2022 Allegations of MAPFRE ESPAÑA, COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
05/28/2022 Communication to A.A.A.
09/09/2022 Opening agreement to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
09/12/2022 Information to complainant A.A.A.
09/23/2022 Communication from MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
09/23/2022 Written submission by A.A.A.
10/03/2022 Notification of evidence to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
>>
SECOND: On December 13, 2022, the claimed party proceeded to pay the penalty in the amount of 24,000 euros, making use of the reduction provided for in the proposed resolution transcribed above.
THIRD: The payment made entails the waiver of any action or appeal against the sanction, in relation to the facts referred to in the proposed resolution.
                         FUNDAMENTALS OF LAW
                                        I
                                  Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures".
                                            II
                             Termination of the procedure
Article 85 of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in disciplinary proceedings", provides the following:
"1. Once a disciplinary procedure has been initiated, if the offender acknowledges responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature, or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second has been justified, voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the commission of the offence.
3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.
The percentage reduction provided for in this section may be increased by regulation."
In view of the foregoing, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure EXP202203956, in accordance with the provisions of article 85 of the LPACAP.
SECOND: TO NOTIFY this resolution to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the said Law.
                                                                                          968-171022
Mar España Martí
Director of the Spanish Data Protection Agency