AEPD (Spain) - PS-00487-2021

From GDPRhub
Revision as of 14:27, 24 November 2022 by Carmen.villarroel (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD (Spain) - PS-00487-2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 08.12.2021
Fine: 40000 EUR
Parties: NBQ TECHNOLOGY, S.A.U.
National Case Number/Name: PS-00487-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined a controller €40,000 (reduced to €24,000) for including a data subject in a credit information system without verifying that the loan allegedly contracted by the data subject was valid or licit.

English Summary[edit | edit source]

Facts[edit | edit source]

A data subject filed a complaint before the Spanish DPA (AEPD) against a company, alleging that they had been included in a credit information system because of a fraudulent loan.

The data subject's wallet had been stolen in 2018, and they reported to the police a fraudulent loan that was contracted using their identity without the data subject's knowledge and consent.

The data subject tried to inform the controller and asked them to delete their personal data, but the company had already sold the credit to another company.

Holding[edit | edit source]

The Spanish DPA concluded that the controller had violated Article 6(1) GDPR, since it had not acted with due diligence in order to avoid situations as the one occurred. According to the DPA, the controller should have verified that the loan allegedly contracted by the data subject was valid or licit.

Therefore, the AEPD fined the controller €40,000, that were reduced to €24,000 due to acknowledgement of responsibility and early payment.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                           1/12








    File No.: EXP202100282



       RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT
                                  VOLUNTARY


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                BACKGROUND


FIRST: On November 15, 2021, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure against NBQ
TECHNOLOGY, S.A.U. (hereinafter, the claimed party), through the Agreement that is
transcribe:


<<






File No.: EXP202100282






           AGREEMENT TO START THE SANCTIONING PROCEDURE




Of the actions carried out by the Spanish Agency for Data Protection and in
based on the following:




                                    FACTS




FIRST: D. A.A.A. (hereinafter, the complaining party) dated June 2, 2021
filed a claim with the Spanish Data Protection Agency. The
claim is directed against NBQ TECHNOLOGY, S.A.U. with NIF A65559296 (in

hereinafter, the claimed party or NBC). The reasons on which the claim is based are the
following.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








  The claimant states that they have denied him a financial operation because his
  personal data in credit information systems.




  It adds that said inclusion was motivated by the non-payment of a loan to the party

  claimed, which he did not hire, for which he exposes that he has been the victim of impersonation of
  identity.




  On the other hand, he points out that the claimed party informs him that the loan was assigned on the 23rd
  December 2020 to the entity Quartz Capital Fund S.C.A., being Working Capital
  Management España, S.L. the person in charge of the treatment, not having evidence of

  have received any type of communication in this regard.



  And, it provides, to justify the facts, the following documentation:




      - Complaint made to the police on March 23, 2021, in relation to the
         Identity theft for contracting a loan.




      - Complaint made to the police for the theft of his wallet, dated 2018.




      - Emails sent to the claimed ones stating the facts, as well
         such as the deletion of your personal data from the common systems of
         credit information dated March 30, April 22, and May 7, 2021.




SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a month of the

actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.




  On July 26, 2021 a written response is received at this Agency
  stating that on February 3, 2021, the complaining party contacted
  the respondent informing that she had been the victim of identity theft to the

  C / Jorge Juan, 6 www.aepd.es
  28001 - Madrid sedeagpd.gob.es 12/3








having suffered the theft of your personal documentation, including your National Document
Identity, on May 5, 2018 and indicating the person who stole your

National Identity Document used your personal data to request a
loan with the claimed one.




Add, the claimed part that after the expiration date of the loan,
period of time in which the loan had to be repaid, the loan was defaulted

and, consequently, after a few months the debt was registered in the files of
patrimonial solvency.




Likewise, they state that NBQ as accredited by document number 1, the loan
It was assigned by means of a Contract for the Purchase and Sale and Assignment of the Loan Portfolio of
dated December 23, 2020 to the entity Quartz Capital Fund S.C.A.




On the other hand, they point out that the entity recommended the claimant to contact
contact with the new creditor entity and it was confirmed that their personal data

They were not registered in the name of NBQ in financial solvency files.
A screenshot of this end is attached as document number

two.



On the other hand, they state that NBQ was never aware that the claimant had

been the victim of identity theft during the time you were
creditor of the credit, since until months after having assigned the NBQ loan
he was not aware of such a circumstance. For all the above, they consider that they have

acted correctly and diligently within the scope of action available to it,
since once NBQ had knowledge of the facts, it made available to the

claimant all the tools so that the current creditor was
properly informed of the situation, being able to meet the client's request.




THIRD: On September 30, 2021, the Director of the Spanish Agency
of Data Protection agreed to admit to processing the claim presented by the party
claimant.








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








                            FOUNDATIONS OF LAW




                                              I



        By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate

and to solve this procedure.



                                              II




      The RGPD deals in its article 5 with the principles that must govern the
treatment of personal data and mentions among them that of "legality, loyalty and
transparency". The precept provides:




      "one. The personal data will be:

         a) Treaties in a lawful, loyal and transparent manner with the interested party; "



        Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third-party data is considered lawful:




         "one. The treatment will only be lawful if it complies with at least one of the following
terms:

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures

      pre-contractual;

      (…) "



      The infringement for which the claimed entity is responsible is found
typified in article 83 of the RGPD that, under the heading "General conditions for

the imposition of administrative fines ”, it states:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12










      "5. Violations of the following provisions will be sanctioned, in accordance with
with section 2, with administrative fines of a maximum of 20,000,000 Eur or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:



      a) The basic principles for the treatment, including the conditions for the

      consent in accordance with articles 5,6,7 and 9. "



       Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in article 72, under the heading "Infractions

considered very serious ”provides:



      "one. Based on what is established in article 83.5 of the Regulation (E.U.)

2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that one and, in
in particular, the following:




        (…)

        a) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the

           Regulation (EU) 2016/679. "



                                            III




       In accordance with the evidence available in the present
moment of agreement of initiation of the sanctioning procedure, and without prejudice to what
As a result of the instruction, it is considered that the claimed violated Art. 6.1 of the RGPD,

since it processed the claimant's personal data without having any
standing for it. The personal data were incorporated into the systems of
company information, without having proven that he had contracted

legitimately, had legal authorization for the collection and treatment
subsequent personal data of a third party, or there is any other cause that

make the treatment carried out lawful.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








       It is important to note that, as recognized by the complaining party, a third party
used the claimant's personal data to request a microcredit through

of the web portal https://www.quebueno.es, with the lender being the part
claimed.

       - The deposit was made in the account of a third party, which is the owner.

       Well, with respect to the facts that are the subject of this claim,
We must emphasize that the complained party has recognized this error and thus in its

Brief dated July 26, 2021, has stated that after the date of
loan maturity, period of time in which the loan had to be repaid,
the loan was unpaid and, consequently, after a few months the debt was

registered in the files of patrimonial solvency, and that later on date 23 of
December 2020, the loan was assigned through a Purchase and Sale Agreement and
Portfolio assignment to the entity Quartz Capital Fund S.C.A. and they also state that

their personal data were not registered in the name of NBQ in files of
patrimonial solvency. Thus, the claimed, when hiring, did not have the precautions
necessary to prove the legitimacy of the contractor.




       The lack of diligence displayed by the entity in complying with the
Obligations imposed by the personal data protection regulations

It is thus obvious. A diligent compliance with the principle of legality in the treatment
of third-party data requires that the person responsible for the treatment is in conditions

to prove it (principle of proactive responsibility).



      In accordance with the evidence available at this time
procedural, and without prejudice to what results from the instruction of the procedure, it is estimated

that the conduct of the complained party could violate article 6.1 of the RGPD
may be constitutive of the offense typified in article 83.5.a) of the aforementioned
Regulation 2016/679.




                                              IV



      In order to determine the administrative fine to be imposed, the provisions
visions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:

      "Each control authority will guarantee that the imposition of fines

administrative in accordance with this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12








      "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;

        b) intentionality or negligence in the infringement;

        c) any measure taken by the controller or processor

        to alleviate the damages suffered by the interested parties;

        d) the degree of responsibility of the person in charge or the person in charge of the
        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;

        e) any previous infringement committed by the person in charge or the person in charge of the
        treatment;


         f) the degree of cooperation with the supervisory authority in order to establish
        remedy the violation and mitigate the possible adverse effects of the violation;

        g) the categories of personal data affected by the infringement;

        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infringement and, in such
        case, to what extent;

        i) when the measures indicated in article 58, paragraph 2, have been

        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;

        j) adherence to codes of conduct under article 40 or to mechanisms
        certification approved in accordance with article 42, and

        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct

        or indirectly, through the infringement. "


      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
      "Sanctions and corrective measures", provides:

      "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
         The following may also be taken into account:


      a) The continuing nature of the offense.

      b) The linking of the activity of the offender with the performance of treatments
        of personal data.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8








      c) The benefits obtained as a result of the commission of the offense.

      d) The possibility that the affected person's conduct could have led to the

        commission of the offense.

      e) The existence of a merger process by absorption subsequent to the commission of
        the infringement, which cannot be attributed to the absorbing entity.


      f) Affecting the rights of minors.

      g) Have, when not mandatory, a data protection officer.

      h) The submission by the person in charge or in charge, with character
      voluntary, to alternative dispute resolution mechanisms, in those

      assumptions in which there are controversies between those and any interested party. "

      In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to fix the amount of the fine sanction to
impose the claimed entity as responsible for an infraction typified in the

Article 83.5.a) of the RGPD, in an initial assessment, they are considered concurrent in the
present case the following factors:

As aggravating factors:

- That the facts that are the subject of the claim are attributable to a lack of diligence

      of the claimed party (article 83.2.b, RGPD), a third party contracted on behalf of the
      claimant a loan with the claimed party, including a bank account and
      an address other than yours. Thus, the respondent did not verify the
      personality of the one who hired, did not take the necessary precautions so that these
      facts did not occur


- The evident link between the business activity of the claimed and the
      processing of personal data of clients or third parties (article 83.2.k, of the
      RGPD in relation to article 76.2.b, of the LOPDGDD)


      It is appropriate to graduate the sanction to impose on the claimed and set it at the amount of
€ 40,000 for the violation of article 83.5 a) RGPD and 72.1b) of the LOPDGDD.



Therefore, in accordance with the foregoing.

By the Director of the Spanish Data Protection Agency,



FIRST: INITIATE SANCTIONING PROCEDURE for NBQ TECHNOLOGY,

S.A.U. with NIF A-65559296, for the alleged violation of article 6.1. GDPR
typified in article 83.5.a) of the aforementioned RGPD.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12








SECOND: APPOINT D. R.R.R. as instructor. and as secretary to Ms. S.S.S.,
indicating that any of them may be challenged, if applicable, in accordance with the

established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Public Sector Legal (LRJSP).




THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and his documentation, the documents

obtained and generated by the General Subdirectorate for Data Inspection.



FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1

October, of the Common Administrative Procedure of Public Administrations, the
The penalty that may correspond would be 40,000 euros (forty thousand euros), without
detriment to what results from the instruction.




FIFTH: NOTIFY this agreement to NBQ TECHNOLOGY, S.A.U. with NIF A-
65559296, granting a hearing period of ten business days to formulate

the allegations and present the evidence that it deems appropriate. In his writing of
allegations, you must provide your NIF and the procedure number that appears in the
heading of this document.




If, within the stipulated period, no allegations are made to this initiation agreement, the same

It may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the

term granted for the formulation of allegations to the present initiation agreement; it
which will entail a reduction of 20% of the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be

established at 32,000 euros, resolving the procedure with the imposition of this
sanction.




In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a reduction of 20% of its amount. With the application of this reduction,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








the sanction would be established at 32,000 euros and its payment will imply the termination of the
process.


The reduction for the voluntary payment of the penalty is cumulative to the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment

of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the preceding paragraph, it may be done at any time prior to the resolution. In

In this case, if both reductions should be applied, the amount of the penalty would be
set at 24,000 euros.




In any case, the effectiveness of either of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or recourse in
administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts

mentioned above, 32,000 euros or 24,000 euros, you must make it effective

by entering account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Agency for Data Protection in Banco CAIXABANK,

S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the cause of reduction of the amount to which
welcomes.




Likewise, you must send proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity

entered.



The procedure will have a maximum duration of nine months from the date of

date of the initiation agreement or, where appropriate, the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; In accordance with the provisions of article 64 of the LOPDGDD.










C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12








Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.




Mar Spain Martí

Director of the Spanish Agency for Data Protection






>>



SECOND: On December 1, 2021, the claimed party has proceeded to
payment of the sanction in the amount of 24,000 euros making use of the two reductions
provided for in the Initiation Agreement transcribed above, which implies the

acknowledgment of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process
administrative against the sanction and the recognition of responsibility in relation to

the facts to which the Initiation Agreement refers.


                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses classified in articles 38.3 c), d) and i) and

38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                             II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:


"one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12









2. When the sanction is solely of a pecuniary nature or it is possible to impose a

pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notice of initiation

of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.

The reduction percentage provided for in this section may be increased
Regulatory. "


In accordance with the aforementioned, the Director of the Spanish Agency for the Protection of
Data
RESOLVES:


FIRST: DECLARE the termination of procedure EXP202100282, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to NBQ TECHNOLOGY, S.A.U ..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.


                                                                                 936-160721
Mar Spain Martí
Director of the Spanish Agency for Data Protection









C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es