AEPD (Spain) - PS-00028-2022
|AEPD - PS-00028-2022|
|Relevant Law:||Article 5(1)(f) GDPR; Article 32 GDPR; Article 33 GDPR; Articles 72, 73, 77 Spanish Data Protection Act|
|Parties:||Getafe City Council|
|National Case Number/Name:||PS-00028-2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA imposed a warning to a local administration for violating Articles 5(1)(f), 32 and 33 GDPR. The administration had mistakenly published an Excel sheet containing personal data, which was also not properly removed after the data subject notified both the administration and the DPA.
English Summary
Facts
On 31 March 2021, the City Council of Getafe (controller) published an Excel sheet on its website. This Excel sheet contained personal data of vehicle owners who had requested an address change, in several categories: name, surname, tax identification number, ID number and vehicle registration number. The Excel sheet had thirty-six entries, but most of the data subjects mentioned appeared several times in the list; it later turned out that seventeen people were affected by the breach. The controller had intended to publish a call for a plenary session, but published this Excel document by accident instead.
On 31 March 2021, the data subject informed both the controller and the Spanish DPA of this breach. The controller then unlinked the Excel sheet from its website, so that it could no longer be reached by navigating the controller's website. It later became clear that no specialised IT personnel had worked on this solution.
However, the Excel sheet itself was not actually deleted and stayed online as an "orphan document": it could still be retrieved by typing its exact URL into a browser, so anyone who knew that URL could potentially still access it. The DPA confirmed that the file was still accessible on the controller's website on 1 December 2021. The controller deleted the file on 24 January 2022.
Despite the fact that the Excel sheet stayed online for several months after the initial complaint, the controller stated that it was unlikely that any data had been retrieved by unauthorised third parties, because the Excel sheet could only be reached via its exact URL and not through any link on the controller's website. For the same reason, the controller decided not to inform the affected data subjects. The controller had also not identified any serious harm resulting from this data breach.
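The failure described above is that unlinking a file is not the same as removing it from the web server, and nobody checked the exact URL afterwards. The following is an added example (not code from the decision or from the council's systems) that crawls a constructed in-memory site from its start page, reports every file the server still serves that no page links to, and checks that a deleted file really returns nothing; the host name and site contents are constructed.

```python
"""Orphan-document check for a web root.

Removing the link to a file is not the same as removing the file: the server
keeps answering requests for the exact URL.  This script crawls a site from its
start page, collects every same-host URL that is linked, and reports every file
the server still serves that no page links to.  Added example; the site below
is constructed and stands in for files in a real web root.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HOST = "https://example.test"  # hypothetical host for the constructed site

# Constructed web root: path -> body.  HTML bodies are str, other files bytes.
SITE = {
    "/index.html": ('<a href="/plenary/2021-03-31.html">Call for plenary session</a>'
                    '<a href="about.html">About</a>'),
    "/about.html": '<a href="/index.html">Home</a> <a href="https://other.example/x">Ext</a>',
    "/plenary/2021-03-31.html": '<a href="../index.html">Home</a>',
    # Published by mistake and later "unlinked" but never deleted: the orphan.
    "/plenary/vehicle-owners.xlsx": b"PK\x03\x04 constructed spreadsheet bytes",
    "/robots.txt": b"User-agent: *\n",
}

# Files that are legitimately unlinked and expected to exist.
ALLOWLIST = {"/robots.txt"}


class LinkExtractor(HTMLParser):
    """Collects href/src values from the tags that can reference another URL."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "link", "iframe", "img", "script", "embed"):
            for name, value in attrs:
                if name in ("href", "src") and value:
                    self.links.append(value)


def fetch(site, path):
    """Stand-in for an HTTP GET against the web root: body, or None for 404."""
    return site.get(path)


def reachable_paths(site, start="/index.html", host=HOST):
    """Breadth-first crawl following same-host links only; returns visited paths."""
    seen, queue = set(), [start]
    netloc = urlparse(host).netloc
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        body = fetch(site, path)
        if not isinstance(body, str):
            continue  # missing or non-HTML: nothing to extract links from
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urlparse(urljoin(host + path, href))
            if target.netloc == netloc and target.path not in seen:
                queue.append(target.path)
    return seen


def orphan_documents(site, allowlist=ALLOWLIST):
    """Paths the server serves that no crawled page links to (minus allowlist)."""
    linked = reachable_paths(site)
    return sorted(p for p in site if p not in linked and p not in allowlist)


def confirm_removed(site, path):
    """Post-deletion check: the exact URL must no longer return a body."""
    return fetch(site, path) is None


if __name__ == "__main__":
    for orphan in orphan_documents(SITE):
        print("served but unlinked:", orphan)
    still_there = not confirm_removed(SITE, "/plenary/vehicle-owners.xlsx")
    print("spreadsheet still retrievable by exact URL:", still_there)
```

Against a real site, `fetch` would be replaced by an HTTP client and `site` by a listing of the web root; the orphan list is what a removal procedure should leave empty, and `confirm_removed` is the check the decision found missing.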
Holding
First, the DPA found a violation of Article 5(1)(f) GDPR, since the publication of the Excel sheet enabled unauthorised access to the personal data of the data subjects, in violation of the principle of confidentiality.
Second, the DPA found a violation of Article 32 GDPR. The DPA held that Article 32 GDPR requires the controller to have a complete protocol which not only prevents the contingency from occurring but, once it has occurred, reacts to the materialisation of the risk, so that the controller can guarantee the security of the processing. In this case, the controller failed to notice that the Excel sheet remained online on its website. The DPA also took into account that the controller did not involve its IT services in the remediation, which the DPA considered 'obvious' in a situation like this. Furthermore, the DPA found that the controller had failed to make an appropriate assessment of the risks resulting from the breach, including potential further risks. The DPA disregarded the controller's argument that no data subjects were affected by the breach.
Third, the DPA found a violation of Article 33 GDPR, because the controller failed to assess the severity of the data breach after it had occurred. The DPA found that the breach posed risks to the rights and freedoms of data subjects, so the controller should have notified the DPA, regardless of whether harm had actually been caused to the data subjects.
On the basis of Articles 72 and 73 of the Spanish Data Protection Act - LOPDGDD, the DPA classified the infringements of Articles 32 and 33 GDPR as "serious" offences, whilst the violation of Article 5(1)(f) GDPR was considered a "very serious" offence. The DPA issued warnings for all of the above violations.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
AEPD - PS/00305/2022
|Authority:||AEPD (Spain)|
|Jurisdiction:||Spain|
|Relevant Law:||Article 6(1) GDPR|
|Type:||Complaint|
|Outcome:||Partly Upheld|
|Started:|||
|Decided:|||
|Published:||22.02.2023|
|Fine:||24,000 EUR|
|Parties:||MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.|
|National Case Number/Name:||PS/00305/2022|
|European Case Law Identifier:||n/a|
|Appeal:||Unknown|
|Original Language(s):||Spanish|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||CSO|
The Spanish DPA fined Mapfre, an insurance company, for a violation of Article 6 GDPR for processing personal data for an insurance policy without a legal basis. The initial fine was €30,000, but the procedure was closed after the voluntary payment of €24,000 by the controller.
The controller in this decision is Mapfre, a Spanish insurance company. In June 2021, the data subject requested access to his personal data. After two months, the controller had not provided an answer. According to the information which was later provided by the controller, the data subject was listed as the holder of nine insurance policies and had been responsible for submitting three insurance claims. However, the data subject claimed that he never had any contract with the controller. He requested the controller to block his data and provide him with proof that he had taken out the insurance policies and authorised the processing of his data. In response, the controller stated that the personal data had been blocked. Additionally, the controller stated that the personal data it possessed was either provided by the data subject himself or had been generated as a result of his relationship with the controller. On 9 September 2022, the data subject filed a complaint with the Spanish DPA. During the proceeding, the latter requested information from the controller. This additional information revealed that the data subject was registered in the controller's systems as a policyholder of one single automobile insurance.
However, there were also eight other policies in which the data subject was mentioned as an employee of the 'usual driver'. According to the controller, the data subject had acted as the responsible person/manager for the eight insurance policies where the employer was the policyholder. The data subject was the controller's contact person regarding these eight insurance policies. It appeared that the single insurance where the data subject was mentioned as the policyholder had been a mistake. However, according to the controller, the data subject had to be aware of all the insurance policies. With regard to the single policy where the data subject himself was the policyholder, the controller stated that the data subject had submitted a copy of his ID, driving licence and other documentation in order to formalise the insurance. Regarding the eight other policies where the data subject was mentioned as the regular driver, the controller stated that the data subject had underwritten these insurance policies and therefore had to be aware of their existence. The controller also stated that the single policy was concluded by an insurance agent and that this insurance agent had not acted according to the instructions provided by the controller. The main issue stems from the single policy in which the data subject was mentioned as the policyholder. The DPA confirmed that the insurance agent who had sold this insurance was a processor acting on behalf of the controller. However, the DPA also determined that it was the controller who was liable for this issue. The fact that this processor did not comply with the technical instructions from the controller did not exonerate the controller from its liability. Since the controller was liable for the processing, the DPA determined that the controller had processed the data of the data subject without being able to demonstrate that it had the legal authority to do so.
Therefore, the controller would have to prove that the data subject had actually applied for the insurance and that all the requirements were fulfilled. However, the controller was apparently not able to do so. In the single insurance policy, the data subject was mentioned as the policyholder, despite the fact that he never consented to the contract for this insurance. Therefore, there was no legitimate basis for the processing. This resulted in a violation of Article 6(1) GDPR. The initial penalty for this violation was €30,000, but the procedure was ended after the voluntary payment of €24,000 by the controller, in accordance with Spanish administrative law. The data subject requested 'the blocking of his personal data' in this decision. This refers to Article 32 of the Spanish Data Protection Act.
File No.: EXP202203956
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following
BACKGROUND
FIRST: On September 9, 2022, the Director of the Spanish Agency of Data Protection agreed to start a sanctioning procedure against MAPFRE SPAIN COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. (hereinafter the part claimed). Notified of the initiation agreement and after analyzing the allegations presented, on November 25, 2022, the proposed resolution was issued, which is transcribed below:
<< File No.: EXP202203956
PROPOSED RESOLUTION OF SANCTION PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following:
BACKGROUND
FIRST: D.A.A.A. (hereinafter, the claimant) on February 28, 2022 filed a claim with the Spanish Data Protection Agency.
The claim is directed against Mapfre España Insurance and Reinsurance Company, S.A. with NIF A28141935 (hereinafter, the claimed party or Mapfre). The reasons on which the claim is based are as follows: The claimant states that, in June 2021, it requested the Mapfre company that will provide you with the data they had about you, in their databases. Subsequently, after more than two months without receiving a response, he contacted the claimed via email and they informed him that they had answered his request, providing him with a copy, which was sent to an address that was not his. He adds that he appears as the holder of nine policies and as responsible for three claims, when you have never formalized any contract with Mapfre, any insurance, or he has given no accident report.
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/18
On the other hand, it indicates that it communicated these facts to the defendant and requested the blocking of your data. In addition, he requested that they provide him with the documents that supposedly would have signed to contract said policies, to give the parties, and to authorize the treatment of your data. Thus, Mapfre told him that his data had been blocked and later they send you a letter informing you that your data was provided by him or generated as a result of the management or development of his relationship with Mapfre. And, among other things, it provides the following documentation:
1. Letter addressed to the defendant dated June 2, 2021, requesting the Right of access.
2. Response of the defendant dated June 18, 2021 to an address different from yours, informing you of the data that appears in your applications and are subject to treatment, appearing as the holder of nine policies and as responsible for three accidents.
3.
Letter dated September 13, 2021 requesting Mapfre to block your personal data, and also requests: a copy of the contracting documents, of authorization, consent for the use of your data and copy of the parts of accidents that have been given to your name and cancellation of your data.
4. Email from Mapfre dated October 8, 2021, informing you that your data has been deleted from Mapfre.
5. Mapfre's response dated December 10, 2021, where it was inform that the data communicated was provided by the claimant
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to the claimed party, for to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on March 31, 2022 as it appears in the acknowledgment of receipt that is in the file. On May 4, 2022, this Agency received a written response indicating:
<<From the investigations carried out, it can be deduced that the claimant was registered in our systems as a single auto policyholder, and how habitual driver of various policies of the company FURCORENT. For clarification purposes, it should be specified that, based on the information we have been able to know, the claimant provided his professional services as a manager or collaborator of the company FURCORENT, S.L., policyholder of said policies, and intervened on his behalf and for the management of the policies contracted with my represented multiple times.
Taking into account the foregoing, it is appropriate to indicate that, as my client has tried to clarify to the claimant one of the policies - specifically, the number *** POLICY.1- was signed by the claimant as policyholder, a circumstance that the interested party cannot be ignored given that, although the request for quotation was promoted by the company FURCORENT, S.L., it was the claimant himself who directly sent copy of your ID, driver's license and other documentation necessary to formalize the policy to my represented. We attach as document no. 7 a copy of the email sent by D. A.A.A. to the mediator of the policy, accompanying a copy of your ID and driving license. The remaining policies were subscribed by FURCORENT, S.L., which included the claimant as habitual driver of the insured vehicles, a fact that is not the claimant may be unaware given that, based on what was declared to us at the time and subsequently confirmed by the mediator of the policies, had intervened in the subscription process and development of said contracts as manager of said company to which he provided his services. In this sense, from the analysis of the background information related to the facts to which that the claim refers to, it has been verified that all the personal data related to the claimant were obtained by my client directly from claimant or through the company FURCORENT, S.L. to which he had been lending his services as a manager, and treated within the framework of contractual relations in the that the claimant was listed, either as a policyholder, or as a regular driver, respecting at all times the regulations on the processing of personal data and without harming their rights and freedoms in this matter. 
In any case, once my client receives the request for deletion made by the claimant, the appropriate measures have been adopted for the deletion and blocking of your personal data, attending at all times your rights and without causing any harm to the interested party>>.
THIRD: In accordance with article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (LOPDGDD), when submitted to the Spanish Data Protection Agency (hereinafter, AEPD) a claim, it must evaluate its admissibility for processing, must notify the claimant of the decision on the admission or non-admission to procedure, within three months from the date the claim was entered into this Agency. If, after this period, there is no such notification, it will be understood that the processing of the claim continues in accordance with the provisions of Title VIII of the Law. Said provision is also applicable to the procedures that the AEPD would have to process in the exercise of the powers assigned to it attributed by other laws. In this case, taking into account the foregoing and that the claim is filed with this Agency, on February 28, 2022, it is communicated that the claim has been admitted for processing on May 28, 2022, having elapsed three months from the time it entered the AEPD.
FOURTH: On September 9, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged infringement of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR.
FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written of allegations in which, in summary, it states that:
"First, MAPFRE ESPAÑA has a sufficient legal basis for the processing of the personal data of the claimant. This basis of legality is based on the contractual relationship established with the policyholder, FURCORENT company, and consequently with all the figures involved in this, as indicated in article 99 of Law 20/2015, management, supervision and solvency of insurance companies and reinsurance companies (LOSSEAR), where it is stated: "insurance companies may process data of policyholders, insured, beneficiaries or third parties injured parties, as well as their successors without the need for their consent for the sole purpose of guaranteeing the full development of the insurance contract and compliance with the obligations established in this Law and in the development provisions". The contractual relationship is established with the company FURCORENT through the issuance of the different policies and the perfection of the contract through the payment of the first premium of these according to the article. 15 of Law 50/1980, of October 8, on Insurance Contracts (LCS). MAPFRE ESPAÑA as required by articles 10, 11, 12, 93 and 94 of the LCS, prior to entering into the contract with FURCONRENT, you must request certain information of the policyholder that allows him to assess the risk (risk statement). This declaration is effective for the entire life of the contract (aggravations, risk reduction, exclusions, inaccurate statements, falsehood, etc.).
At this point the FURCONRENT policyholder was aware of his obligation to declare true data knowing that the factors related to the policyholder, owner, drivers and the vehicle are taken into account for the risk assessment and premium calculation. Consequently, in the event of reserve or inaccuracy in your statement the insurer's benefit will be reduced proportionally to the difference between the agreed premium and that which would have been applied if the true entity of the risk was known. that have been omitted due to bad faith, MAPFRE SPAIN will be released from the payment of the benefit. Document 1
This information includes, but is not limited to, the statement of the following figures, which the company FURCORENT identifies as follows:
- Taker of the policy: the company FURCORENT.
- Owner of the asset to be insured: the company FURCORENT.
- Policy payer: the company FURCORENT.
- Regular driver: the claimant, identifying as an employee.
MAPFRE ESPAÑA accredits through Document 2 the date on which the registration in our systems of the data of the claimant, precisely one day before the issuance of the policies requested by the FURCORENT company. Therefore, your discharge is due solely and exclusively to the communication of your data by the company FURCORENT as a regular driver. Attached as Document 3 the email of the company FURCORENT to mediator requesting the quote (premium determination), and the conversations of WhatsApp in which he requests various broadcasts. The list of policies issued to request of the company FURCORENT are the following contained in the Document 4 listed in the following order:
- *** POLICY.2. Attached as document PN1
- Attached as document PN2
- *** POLICY.4. Attached as document PN3
- *** POLICY.5. Attached as document PN4
- *** POLICY.6. Attached as document PN5
- *** POLICY.7.
Attached as document PN6
- *** POLICY.8. Attached as document PN7
- *** POLICY.9. Attached as document PN8
Likewise, the payment of the corresponding receipts is accredited, through Document 5.
Second: In the particular clauses of each of the policies issued (Document 4), expressly states: "In the event that the data provided refer to natural third parties other than the Policyholder/Insured/Affected, he guarantees to have collected and have the their prior consent for the communication of their data and having them informed prior to its inclusion in this document, of the purposes of treatment, communications and other terms provided therein and in the Additional Data Protection Information. It can be concluded, therefore, that it is the POLICYHOLDER who has the obligation to inform and obtain the consent to transfer your data to MAPFRE ESPAÑA of the figures of the policy that communicates to the insurer. The sequence by which communication occurs to MAPFRE SPAIN of the data of the habitual driver is the following: The manager of FURCORENT uses the WhatsApp channel, through the telephone number ***TELEPHONE.1 included in all policies to contact the MAPFRE mediator SPAIN and provide the necessary information in the elaboration of the budget and the policy issuance. In these conversations it becomes clear that the manager of the company FURCORENT requests the issuance of these and identifies as the driver habitual to the employee of his company the claimant. Attached as Document 6 conversation in which the Manager of the company unequivocally identifies the claimant as driver. Likewise, it is FURCORENT, through the mail email ***EMAIL.1, the one that sends the DNI and the driving license of the claimant. The manager states that it is the claimant himself who is sending this email. to be of an employee or collaborator. Document 7.
Therefore, the lawful origin is presumed of the data communicated, and of the documents provided. By way of observation, we want to state that in the hypothetical case of employment relationship or collaboration, any company could have a copy of the DNI (format document), but usually does not have a driver's licence, unless it is ask your employee or collaborator, expressly, for a purpose determined, and the person gives it freely to respond to that need. Document 7 evidence, that in the event that it was not the claimant who contributed this documentation directly to the defendant, the company did have both documents. Furthermore, it is the FURCORENT company that must certify the origin of the data and documents sent to MAPFRE ESPAÑA and the basis of legality that it has to communicate them.
Third, in the exercise of the right to access made by the claimant, on June 2, 2021, and later on June 9, 2021. August, not only requests general information on the data contained in MAPFRE SPAIN (with which it states that it has not had, nor does it have any relationship), declares in their first communication to have a special interest in knowing if "there has been any part with your data or any information that could damage your reputation as a driver for insurance purposes. In its second request, it also states require: - those policies in which you appear as a driver - the accident reports who have communicated with your data - data relating to your accident rate and if there has been any change in your assessment as a driver.
Attached as Documents 8 and 9, the aforementioned requests, from which it can be deduced that the terminology used by the claimant regarding the figures of the policy, (not mentioned in the attention of your right of access), in what refers to your condition of regular driver, which in the event that the company FURCORENT has used the data of the claimant without the corresponding authorization, the latter least he was aware of the situation.
Fourth, as an exception to cases previously mentioned, whose basis of legality is based on the relationship contract between the company FURCORENT and MAPFRE ESPAÑA, is the policy 0***POLICY.101 in which the claimant not only appears as a habitual driver, also as policyholder and attached as Document 10. In this case, the manager of the FURCONET company sends the file via WhatsApp technique of the vehicle to be insured indicating that it is again included as a driver to the claimant Document 11. From the investigations carried out, it is concluded that the mediator (who, under the Mediation Law, has with MAPFRE ESPAÑA a treatment manager contract) in this case, has breached the technical instructions for issuance and contracting (Document 12) established by MAFPRE. In the same way, he has breached his obligations as manager of treatment, with the purpose, we understand, of offering a different price to that would obtain if it complied with the norms of Document 13 order of treatment. No we found evidence of a possible operational error. It is provided as information Additional Document 14 that shows the communications between the mediator and the Manager of the company, to quote and issue different policies.
Measures adopted to prevent similar situations from occurring
- In the event that the issuance of the last policy responds to non-compliance by the mediator, and not to an operational error, disciplinary measures will be taken against the mediator who has breached its obligations as MAPFRE ESPAÑA data processor.
It will be instrumentalized through an audit that reveals the reality of what happened.
- Analyze the adequacy of existing operational controls.
- Reinforce the awareness and training of mediators
For all of the above, REQUESTS that you consider this document submitted together with the documentation accompanies it, please admit it, process it, and consequently and in accordance with the provisions of Organic Law 3/2018, of December 3 on Data Protection Personal and guarantee of digital rights, proceed by that Spanish Agency of Data Protection to resolve declaring the absence of responsibility of MAPFRE in the facts of which it brings cause".
SIXTH: On October 3, 2022, the procedure instructor agreed to perform the following tests:
1. The claim filed by D. A.A.A. and its documentation, the documents obtained and generated during the phase admission to process the claim.
2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement initiation of the referenced sanctioning procedure, presented by Mapfre Spain Compañía de Seguros y Reaseguros, S.A., and the documentation that they accompanies.
SEVENTH: A list of documents in the file is attached as an annex. procedure. Of the actions carried out in this procedure and of the documentation in the file, the following have been accredited:
PROVEN FACTS
FIRST: The claimant states that he appears as the holder of nine insurance policies insurance and as responsible for three accidents, when he has never formalized any contract with Mapfre, no insurance, nor has he given any accident report.
SECOND: The claimed entity states that in the policies ***POLIZA.2; *** POLICY.3; 2***POLICY.4; *** POLICY.5; *** POLICY.6; *** POLICY.7; *** POLICY.8; *** POLICY.9 the policyholder is the company FURCORENT and the driver usual of the same is the claimant identifying himself as an employee, except in the policy 0***POLIZA.101 in which the claimant not only appears as a driver habitual, also as policyholder.
THIRD: The Exclusive Insurance Agent Contract appears in the file formalized with Mapfre by the Agent on March 25, 2015.
FUNDAMENTALS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures."
II
In relation to the allegations made by the claimed party, that the mediator has a treatment manager contract with Mapfre and that in this case, it has breached the technical issuance and contracting instructions established by Mapfre, in relation to policy 0***POLIZA.101, in which the claimant not only appears as a habitual driver, but also as a policyholder, you must state that Royal Decree-Law 3/2020, of February 4, on urgent measures for which incorporates into the Spanish legal system various directives of the Union in the field of public procurement in certain sectors; insurance; private; pension plans and funds; of the tax field and tax litigation, establishes in its article 203 the Condition of person in charge or in charge of the treatment.
1. For the purposes provided in Organic Law 3/2018, of December 5, as well as in Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 of 2016, regarding the protection of natural persons with regard to the processing of personal data and the free movement of such data: a) Agents insurance and bancassurance operators will have the status of managers of the treatment of the insurance company with which they had entered into the corresponding agency contract, under the terms provided in title I. b) The insurance brokers and reinsurance brokers will have the status of responsible for the treatment regarding the data of the people who come to them. c) The external collaborators referred to in article 137 will have the status as processors of insurance agents or brokers with those who have entered into the corresponding commercial contract. In this case, just may process the data for the purposes provided in article 137.1.
2.
In the event provided for in letter a) of section 1, in the agency contract must be record the points provided for in article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. Similarly, in the course provided for in section 1.c) must be included in the commercial contract entered into with external collaborators the ends provided for in article 28.3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27 2016. 3. Insurance companies may not keep the data that provided by insurance mediators, and that do not result in the conclusion of a contract insurance, being obliged to eliminate them unless there is another legal basis that allows legitimate data processing in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. Therefore, the insurance agent will have the status of data processor before the insurance company with which the corresponding Agency agreement. In the case examined, the regulations set forth and the statements made by the claimed party, it can be inferred that the latter acts as the party responsible for the treatment. In article 4.8 of the GDPR, the person in charge of the treatment is defined as the person physical or legal entity, public authority, service or other body that processes personal data on behalf of the data controller. personal on behalf of the data controller. All processing of personal data carried out by a manager must be governed by a contract or other legal act under Union or State law C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/18 members entered into between the person in charge and the person in charge, as stipulated in the Article 28, paragraph 3, of the GDPR. 
In this regard, Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR, adopted by the EDPB on 7 July 2021, state the following: "Although the elements provided for in Article 28 of the Regulation constitute its essential content, the contract must serve so that the controller and the processor clarify, by means of detailed instructions, how these fundamental elements will be applied in practice. Therefore, the processing contract should not be limited to reproducing the provisions of the GDPR, but must include more specific information about how the requirements will be met and the level of security that will be required for the processing of the personal data that is the object of the contract. Far from being a merely formal exercise, the negotiation and stipulation of the conditions of the contract serve to specify the details of the processing."

They add that "In general, the processing contract establishes who is the determining party (the controller) and who is the party that follows the instructions (the processor)". However, "If a party decides in practice how and why personal data is processed, that party will be the controller, even if the contract stipulates that it is the processor".

To determine the liability of the respondent, it must be taken into account that if a processor infringes the Regulation by determining the purposes and means of processing, it shall be considered a controller in respect of that processing (Article 28.10 GDPR). Regarding "purposes and means", the aforementioned guidelines contain the following considerations:

"(...) Dictionaries define the word purpose as an "anticipated result that is pursued or that guides the planned action" and the word means as the "way in which a result is obtained or an objective achieved". (...) Determining the purposes and means amounts to deciding, respectively, the why and the how of the processing: in a given processing operation, the controller is the party that determines why the processing takes place (i.e. "for what purpose" or "for what") and how that objective will be achieved (i.e. what means will be used to achieve it). A natural or legal person who thus influences the processing of personal data participates, therefore, in the determination of the purposes and means of that processing in accordance with the definition in Article 4.7 GDPR.

The controller must decide both on the purpose and on the means of the processing, as described below. Consequently, it cannot confine itself to determining the purpose: it must also make decisions about the means of processing. By contrast, the party acting as processor can never determine the purpose of the processing. In practice, if a controller uses a processor to carry out the processing on its behalf, the processor will usually be able to make some decisions of its own about how to do so. The EDPB recognises that the processor may enjoy a certain margin of manoeuvre to make some decisions about the processing. In this sense, it is necessary to clarify what degree of influence on the "why" and "how" entails that an entity is considered a controller, and to what extent the processor may make its own decisions. (...)"

In this case, taking the foregoing into account, it can be concluded that the mere fact that the processor fails to comply with Mapfre's instructions does not release the respondent from liability.
It has not been proven that the processor was acting as a controller, since the processing was carried out following the controller's instructions.

Thus, the respondent infringed Article 6.1 GDPR, since it carried out the processing without proving that the claimant had legitimately contracted, that it had the claimant's consent for the collection and subsequent processing of their personal data, or that any other ground existed that would make the processing lawful. Consequently, it processed the claimant's personal data without having proven that it had legal authorisation to do so.

Article 6.1 GDPR states that processing "shall be lawful if it is necessary for the performance of a contract to which the data subject is party". It was therefore essential that the respondent prove before this Agency that the claimant had taken out the policy in question. The respondent has provided this Agency with the issued policies *** POLICY.2; *** POLICY.3; 2***POLICY.4; *** POLICY.5; *** POLICY.6; *** POLICY.7; *** POLICY.8; *** POLICY.9, in all of which the company FURCORENT appears as policyholder and the claimant as habitual driver, identified as an employee. However, Mapfre certifies that policy 0***POLIZA.101 lists the claimant as policyholder.
In its defence, the respondent has stated that the mediator has a processor contract with Mapfre and that, in this case, it breached the technical issuance and contracting instructions established by Mapfre, and has provided the processing contract in question.

Thus, liability falls on the controller (Mapfre), not on the processor (the agent), except in the case of Article 28.3 GDPR in which the processor was acting as controller. Therefore, it is considered that the respondent infringed Article 6 GDPR by carrying out processing of personal data without a legitimate basis.

III

Article 6.1 GDPR establishes the grounds that permit the processing of personal data:

"1. Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks."

On this question of the lawfulness of processing, Recital 40 GDPR is also relevant, providing that "In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract".

It should be noted that in one of the insurance contracts, as acknowledged by the respondent, the claimant appears as policyholder and did not consent to the contracting; therefore, there is no legitimising basis among those included in Article 6 GDPR.
The GDPR applies to personal data, defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person". Hence, the claimant's data were processed without a legitimising basis.

IV

In accordance with the evidence available at the time of this agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the facts set out fail to comply with Article 6.1 GDPR, which could constitute an infringement typified in Article 83.5 GDPR, which provides the following:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
b) the data subjects' rights pursuant to Articles 12 to 22; [...]".
For the purposes of the limitation period for the infringement, Article 72.1 of the LOPDGDD classifies as a very serious infringement, with a limitation period of three years, "b) the processing of personal data without any of the conditions for lawfulness of processing established in Article 6 of Regulation (EU) 2016/679 being met".

V

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 GDPR must be observed, which state:

"Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."

"Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in points (a) to (h) and (j) of Article 58.2. When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58.2 have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

With regard to point k) of Article 83.2 GDPR, Article 76 of the LOPDGDD, "Sanctions and corrective measures", provides: "2.
In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) The benefits obtained as a consequence of the infringement.
d) The possibility that the conduct of the affected party could have induced the infringement.
e) The existence of a merger by absorption subsequent to the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases of dispute between them and any data subject."

From the documentation provided, it can be deduced that there is only one policy in which the claimant appears as policyholder. For the others, by virtue of the sectoral regulations, the respondent may be exempted from liability, because the claimant was the habitual driver of vehicles of the company taking out the insurance and provided her ID and driving licence, which is why the penalty to be imposed on the respondent should be reduced.

Likewise, it is considered appropriate to grade the sanction to be imposed in accordance with the following criteria established in Article 83.2 GDPR:

As mitigating factor: the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects. Appropriate measures aimed at deleting and blocking the claimant's personal data have been adopted (Article 83.2 c) GDPR).

As aggravating factor: the respondent is a company whose main activity is linked to the processing of personal data, in accordance with Article 76.2.b) of the LOPDGDD. The business activity carried out by the respondent, dedicated to the sale and management of insurance, requires continuous processing of client data.

VI

It is appropriate to grade the sanction to be imposed on the respondent and set it at 30,000 € for the infringement of Article 83.5 a) GDPR.

In view of the foregoing, the following is issued

PROPOSED RESOLUTION

That the Director of the Spanish Data Protection Agency sanction MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A., with NIF A28141935, for an infringement of Article 6.1 GDPR, typified in Article 83.5 GDPR, with a fine of 30,000 euros (thirty thousand euros).

Likewise, in accordance with Article 85.2 of the LPACAP, you are informed that at any time prior to the resolution of this procedure you may make voluntary payment of the proposed sanction, which will entail a 20% reduction of its amount. With this reduction, the sanction would be set at 24,000 euros and its payment will imply the termination of the procedure. The effectiveness of this reduction is conditional on the withdrawal of or waiver of any administrative action or appeal against the sanction.

Should you choose to make voluntary payment of the amount specified above, in accordance with the aforementioned Article 85.2, you must do so by depositing it in restricted account no. ES00 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the payment reference the procedure number appearing in the heading of this document and the reason: voluntary payment, reduction of the amount of the sanction. You must also send proof of payment to the Sub-Directorate General of Inspection so that the file can be closed.

By virtue of the foregoing, you are notified of the above and the procedure is opened so that, within TEN DAYS, you may submit whatever allegations you consider appropriate in your defence and present the documents and information you deem pertinent, in accordance with Article 89.2 of the LPACAP.

C.C.C.
INSPECTOR/INSTRUCTOR

EXHIBIT
File index EXP202203956
02/28/2022 Claim by A.A.A.
03/31/2022 Transfer of claim to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
05/03/2022 Response to A.A.A.
05/04/2022 Allegations of MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
05/04/2022 Allegations of MAPFRE ESPAÑA, COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
05/28/2022 Communication to A.A.A.
09/09/2022 Initiation agreement sent to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
09/12/2022 Information to complainant A.A.A.
09/23/2022 Communication from MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.
09/23/2022 Submission by A.A.A.
10/03/2022 Notification regarding evidence to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A. >>

SECOND: On December 13, 2022, the respondent proceeded to pay the penalty in the amount of 24,000 euros, making use of the reduction provided for in the proposed resolution transcribed above.

THIRD: The payment made entails the waiver of any action or appeal against the sanction in relation to the facts referred to in the proposed resolution.
FUNDAMENTALS OF LAW

I. Competence

In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD provides: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, of this Organic Law, of the regulatory provisions enacted in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II. Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely of a pecuniary nature, or when it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inappropriateness of the latter has been justified, voluntary payment by the presumed offender at any time prior to the resolution will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the infringement.
3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative. The aforementioned reductions must be specified in the notification of initiation of the procedure, and their effectiveness shall be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."

In view of the foregoing, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202203956, in accordance with Article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to MAPFRE ESPAÑA COMPAÑÍA DE SEGUROS Y REASEGUROS, S.A.

In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court (Audiencia Nacional), in accordance with Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of that Law.

968-171022
Mar España Martí
Director of the Spanish Data Protection Agency