AEPD (Spain) - PS/00060/2021

From GDPRhub
AEPD (Spain) - PS/00060/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 04.05.2021
Published: 01.07.2021
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: PS/00060/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined an individual €1000 for using the personal data of another individual to enter into a contract for a microloan without their consent.

English Summary


A Spanish court lodged a complaint with the Spanish DPA (AEPD) after delivering a judgment in which it was accredited that an individual had contracted a microloan using the personal data of another person without their consent, for what the individual was convicted.

The AEPD launched an investigation.


The AEPD concluded that the individual had processed the personal data of a data subject without a legal basis to do so, as they had contracted a microloan using their personal data and without their consent.

Therefore, the AEPD found that the individual had violated Article 6(1) GDPR, and fined them €1000. The DPA took into account that the infringement had been committed intentionally.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure No.: PS / 00060/2021


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:


FIRST: The claim presented by the Court has been received at this Agency
of First Instance and Instruction No. 1 of *** LOCALIDAD.1, dated 18
December 2019. The claim is directed against D. A.A.A. with NIE *** NIE.1 (in

forward, the claimed one).

The claim presented by the Court by virtue of what was agreed in the
procedure, Trial on minor crimes nº *** PROCEDURE.1, in which it is dictated
judgment against the defendant for the crime of fraud in obtaining a microcredit to

through the web portal *** URL.1 and for which the complainant made use of the data
third party personals.
Date on which the claimed events took place: April 16, 2019

Documentation provided by the claimant:

- Sentence nº *** JUDGMENT.1 on the minor crime of fraud.

SECOND: In view of the facts denounced in the claim and the

documents provided by the claimant and the facts and documents of which he has
this Agency, the Subdirectorate General for Data Inspection, has come to know
proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation
granted to the control authorities in article 57.1 of the Regulation (EU)

2016/679 (General Data Protection Regulation, hereinafter RGPD), and of
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).

On January 21, 2020, in procedure E / 00577/2020 the Agency

Spanish Data Protection Agency agreed to carry out the present actions of
investigation in relation to the facts reflected in the claim in order to
correctly identify the claimed person.

- It is proven, according to Sentence No. *** JUDGMENT.1 that the claimant
used third-party data to apply for a microloan.

- Requested from the entity Nbq Technology, S.A.U., lender of the micro loan that
led to the trial for misdemeanor fraud, which reported whether the
data provided in the loan application to a financial solvency file and
credit. On February 17, 2020 it is received at this Agency, with registration number

C / Jorge Juan, 6
28001 - Madrid 2/6

007283/2020, written reply to the request stating that the data of the
presumed owner of the loan had not been included in any solvency file
equity and credit because they received, just 8 days after maturity

credit, police report of the alleged fraud.
- The court requested the identification data of the claimed, dated July 2
of 2020 is received in this Agency, with registration number 022961/2020, written of

reply informing of them.
- It is stated in Judgment No. *** JUDGMENT 1 that the defendant has been sentenced to

the penalty of two months of fine at the rate of eight euros per day of quota (which makes
a total of 480 euros) and the payment of procedural costs.

THIRD: On March 1, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the complained party, by the

alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 a) of the
GDPR. Said agreement was notified by post on March 18, 2021 and through
of the BOE bulletin board on April 9, 2021.

FOURTH: Formally notified of the initiation agreement, the one claimed at the time of the

This resolution has not submitted a brief of allegations, so it is
application of what is stated in article 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, which in its
section f) establishes that in case of not making allegations within the established period
on the content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility

imputed, for which a Resolution is issued.

In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:


FIRST: It is established that the defendant according to sentence nº *** JUDGMENT.1

of the Court of First Instance and Instruction No. 1 of *** LOCALIDAD.1, dated 9
December 2019, made use of the personal data of third parties to obtain
of a micro loan through the web portal *** URL.1.

SECOND: On March 1, 2021, this sanctioning procedure was initiated by the
alleged violation of article 6.1 of the RGPD, being notified on March 18 and

April 2021. Not having made any allegations, the defendant, to the initial agreement.

                           FOUNDATIONS OF LAW


       By virtue of the powers that article 58.2 of the RGPD recognizes to each
control authority, and as established in articles 47 and 48 of the LOPDGDD,

C / Jorge Juan, 6
28001 - Madrid 3/6

the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.


      The General Data Protection Regulation deals in its article 5 with the
principles that must govern the processing of personal data and mentions between
they the one of "legality, loyalty and transparency". The precept provides:

      "1. The personal data will be:
         a) Treaties in a lawful, loyal and transparent manner with the interested party; "

      Article 6 of the RGPD, "Legality of the treatment", details in its section 1 the
cases in which the processing of third party data is considered lawful:

      "1. The treatment will only be lawful if it complies with at least one of the following
      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;
      b) the treatment is necessary for the performance of a contract in which the

      interested is part or for the application at the request of this of measures
      (…) "

      The violation of article 6.1 of the RGPD is typified in article 83

of the RGPD that, under the heading "General conditions for the imposition of fines
administrative ”, he points out:

      "5. Violations of the following provisions will be sanctioned, in accordance with
with section 2, with administrative fines of a maximum of 20,000,000 Eur or,

in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the highest amount:

      a) The basic principles for the treatment, including the conditions for the
consent in accordance with articles 5,6,7 and 9. "

      Organic Law 3/2018, on Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72.1.b) qualifies this infringement, for the purposes
prescription, as a very serious offense.

      The documentation in the file provides evidence that according to
includes judgment nº *** JUDGMENT 1 of the Court of First Instance and
Instruction No. 1 of *** LOCALIDAD.1, dated December 9, 2019, the claimed
processed the data of a third party to request a microcredit, without complying with any
of the legal authorizations that appear in article 6 of the RGPD.

      In short, there is evidence in the file that the defendant treated the
personal data of the third party without standing for it. The behavior described violates the
article 6.1. of the RGPD and is subsumed in the sanctioning type of article 83.5.a, of the

C / Jorge Juan, 6
28001 - Madrid 4/6



      In order to determine the administrative fine to be imposed, the provisions
visions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:

      "Each control authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive. "

      "Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
        a) the nature, severity and duration of the offense, taking into account the

        nature, scope or purpose of the processing operation in question
        as well as the number of affected stakeholders and the level of damage and
        damages they have suffered;
        b) intentionality or negligence in the infringement;
        c) any measure taken by the person in charge or in charge of the treatment

        to alleviate the damages suffered by the interested parties;
        d) the degree of responsibility of the person in charge or the person in charge of the
        treatment, taking into account the technical or organizational measures that have
        applied by virtue of articles 25 and 32;
        e) any previous infringement committed by the person in charge or the person in charge of the

         f) the degree of cooperation with the supervisory authority in order to establish
        remedy the violation and mitigate the possible adverse effects of the violation;
        g) the categories of personal data affected by the infringement;
        h) the way in which the supervisory authority learned of the infringement,
        in particular if the person in charge or the person in charge notified the infringement and, in such

        case, to what extent;
        i) when the measures indicated in article 58, paragraph 2, have been
        previously ordered against the person in charge or the person in charge
        in relation to the same matter, compliance with said measures;
        j) adherence to codes of conduct under article 40 or to mechanisms

        certification approved in accordance with article 42, and
        k) any other aggravating or mitigating factor applicable to the circumstances of the
        case, such as financial benefits obtained or losses avoided, direct
        or indirectly, through the infringement. "

      Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

      "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:

        a) The continuing nature of the offense.

C / Jorge Juan, 6
28001 - Madrid 5/6

       b) The linking of the activity of the offender with the performance of treatments
of personal data.

       c) The benefits obtained as a result of the commission of the offense.

       d) The possibility that the affected person's conduct could have led to the
commission of the offense.

       e) The existence of a merger process by absorption after the commission
of the infringement, which cannot be attributed to the absorbing entity.

       f) Affecting the rights of minors.

       g) Have, when not mandatory, a delegate for the protection of

       h) The submission by the person in charge or in charge, with character
voluntary, to alternative dispute resolution mechanisms, in those
assumptions in which there are controversies between those and any interested party. "

       In accordance with the transcribed precepts, in order to set the amount of the
sanction of a fine to be imposed on the defendant as responsible for an offense

typified in article 83.5.a) of the RGPD, in an initial assessment, they are estimated
concurring in the present case, as aggravating factors, the following factors:

      - In the present case we are facing an intentional action. (art.83.2. b) of the

       Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE D. A.A.A., with NIE *** NIE.1, for a violation of Article
6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 1,000 euros (one thousand

SECOND: NOTIFY this resolution to D.A.A.A.

THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case

Otherwise, it will be collected in the executive period.

C / Jorge Juan, 6
28001 - Madrid 6/6

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
it will be until the 5th of the second following or immediately subsequent business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [

web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

notification of this resolution would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid