AEPD (Spain) - EXP202200436
|AEPD - PS-00203-2022
|Article 6(1) GDPR
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
The DPA fined a former employer €3000 for debiting the bank-account of a former employee for an external service. The DPA held that the controller had processed the personal data without a legal basis under Article 6 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject used to be an employee of the controller. The data subject claimed that there had been three automatic withdrawals from her bank account without its consent. The data subject stated that the controller used the money from these withdrawals to pay for an external service from a third party, the SGAE, a non-profit focused on the defense and collective management of copyright. The data subject stated that this would explain how the controller got the details of its back-account. The controller didn’t reply to questions and information-requests of the DPA. The data subject filed a complaint at the Spanish DPA.
Holding[edit | edit source]
The DPA held that the controller had violated Article 6(1) GDPR because the controller had processed the data subject’s personal data without their authorisation. The controller used the bank-account of the data subject to debit the account of the data subject without being able to prove the legitimacy of this processing of personal data. The DPA fined the controller €3000 for this lack of a legal basis for processing.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 File No.: EXP202200436 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: Ms. A.A.A. (hereinafter, the complaining party) dated November 23 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against MARIELI GABRIELA, S.L. with NIF B87330726 (in hereafter, the party claimed). The grounds on which the claim is based are following: The claimant states that they were charged to her bank account, without her consent the amounts corresponding to: 03/11/2021: XX,XX and YY,YY; the 11/17/2021: XX,XX and 11/23/2021: YY,YY. It adds that the charges made correspond to a service contracted by the claimed with the company General Society of Authors and Publishers (SGAE). He indicates that he does not currently have an employment relationship with the respondent, but his data could have been provided by this since she was employed by her six years ago months. Along with the claim is provided: The receipts charged to the claimant's current account, on the following days: 3, 17 and 23 November 2021. In the previous ones, SGAE appears as the payer, as the Marieli Gabriela, S.L. and as payer the claimant. Likewise, it provides the payroll received from the claimed corresponding to the month of January 2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations (hereinafter, LPACAP) by electronic notification, was not collected by the person in charge, within the period of making available, understanding rejected in accordance with the provisions of art. 43.2 of the LPACAP on February 4, 2022, as stated in the certificate in the file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/8 Subsequently, the transfer, which was carried out in accordance with the rules established in the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP) by certified mail, was returned as refused; reiterating again the transfer by electronic means and notified on February 22, 2022. No response has been received to this transfer letter. THIRD: In accordance with article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (LOPDGDD), when submitted to the Spanish Agency for Data Protection a claim, it must evaluate its admissibility for processing, and must notify the the claimant party the decision on the admission or inadmissibility for processing, within the period of three months from when the claim was received by this Agency. Yes, elapsed this term, if said notification does not occur, it will be understood that the processing of the claim in accordance with the provisions of Title VIII of the Law. In this case, taking into account the foregoing and that the claim is presented in this Agency, on November 23, 2021, it is reported that his claim has been admitted for processing on February 23, 2022 after three months since it entered the AEPD. FOURTH: On May 30, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the GDPR. FIFTH: Notification of the aforementioned start-up agreement, through the postal service on the 9th of June 2022, being unknown and from the BOE on the 13th of the same month year, in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and after the term granted for the formulation of allegations, it has been verified that no allegation has been received by the respondent. In accordance with art. 42.1 of Law 39/2015, of October 1, on Procedure Common Administrative of the Public Administrations, the notification was put to provision of the interested party so that he could access the content of the same voluntarily. Article 64.2.f) of the LPACAP - provision of which the respondent was informed in the agreement to open the procedure - establishes that if no allegations within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, may be considered a resolution proposal. In the present case, the agreement beginning of the sanctioning file determined the facts in which the imputation, the infraction of the RGPD attributed to the claimed and the sanction that could prevail. Therefore, taking into consideration that the respondent has not formulated allegations to the agreement to initiate the file and in attention to what established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is considered in this case proposed resolution. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es