AEPD (Spain) - PS/00140/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 51: Line 51:
|}}
|}}


The Spanish DPA fined a controller €25,000 (reduced to €20,000) for including the personal data of a data subject in a credit reporting agency without a lawful basis to do so, as the debt was not yet enforceable.  
The Spanish DPA fined a controller €25,000 (reduced to €20,000) for reporting the alleged debt of a data subject to a credit reporting agency without a lawful basis to do so, as the debt was not yet enforceable.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A data subject filed a complaint with the Spanish DPA (AEPD), stating that a controller (an educational institution) was claiming them a debt and had included their personal data in a credit reporting agency, despite the existence of a request for arbitration.  
A data subject filed a complaint with the Spanish DPA (AEPD), stating that a controller (an educational institution) was claiming that they were owed a debt and had included their personal data regarding the alleged debt to a credit reporting agency, despite the existence of a request for arbitration by the data subject.


=== Holding ===
=== Holding ===
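Review bot: In the revised Facts sentence, "had included their personal data regarding the alleged debt to a credit reporting agency" pairs "included" with "to", which does not parse. "Had reported their personal data regarding the alleged debt to a credit reporting agency" would match the wording the revised lead sentence already uses ("reporting the alleged debt ... to a credit reporting agency"). In the same sentence, "claiming that they were owed a debt" leaves it unclear whether "they" is the controller or the data subject; "claiming that the data subject owed it a debt" removes the ambiguity.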

Revision as of 08:46, 16 June 2021

AEPD (Spain) - PS/00140/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 20 LOPDGDD
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 07.06.2021
Fine: 25000 EUR
Parties: MASTER DISTANCIA S.A.
National Case Number/Name: PS/00140/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined a controller €25,000 (reduced to €20,000) for reporting the alleged debt of a data subject to a credit reporting agency without a lawful basis to do so, as the debt was not yet enforceable.

English Summary

Facts

A data subject filed a complaint with the Spanish DPA (AEPD), stating that a controller (an educational institution) was claiming that the data subject owed it a debt and had reported their personal data regarding the alleged debt to a credit reporting agency, despite the existence of a request for arbitration by the data subject.

Holding

The Spanish DPA concluded that the controller had violated Article 6(1) GDPR, as it could not rely on any of the legal bases listed there for the processing.

Given that the data subject had requested arbitration, the debt was not enforceable. Article 20 of the Spanish Data Protection Act allows personal data to be processed in order to include it in credit agencies' files, but requires that the debt be certain, due and enforceable. That requirement was not fulfilled, as the debt was not enforceable.

Therefore, the controller processed data unlawfully and against Article 6(1) GDPR, as it could not rely on any legal basis.

For these reasons the Spanish DPA fined the controller €25,000, which was reduced to €20,000 due to early and voluntary payment.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00140/2021

RESOLUTION R/00430/2021 OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT



In sanctioning procedure PS/00140/2021, conducted by the Spanish Data Protection Agency against MASTER DISTANCIA S.A., in view of the complaint filed by A.A.A., and based on the following,



                                 BACKGROUND

FIRST: On April 14, 2021, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against MASTER DISTANCIA S.A. (hereinafter, the claimed party), through the Agreement transcribed below:

<<





Procedure No.: PS/00140/2021




           AGREEMENT TO START THE SANCTIONING PROCEDURE




From the actions carried out by the Spanish Data Protection Agency and based on the following:




                                     FACTS



FIRST: Mr. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency on January 31, 2021. The claim is directed against MASTER DISTANCIA S.A., with CIF A50715366 (hereinafter, the claimed party).



The claimant states that the claimed party is demanding payment of an outstanding debt, despite the existence of a request for arbitration against it before the Consumer Arbitration Board of the Government of the Principality of Asturias, and has included his personal data in common credit information systems. In his written claim, the claimant did not provide a document showing that the request for arbitration had been admitted for processing, nor a subsequent report of inclusion in credit information systems.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es




SECOND: On March 1, 2021, after analyzing the documentation in the file, the Director of the Spanish Data Protection Agency issued a resolution agreeing to archive the claim, as no elements were found that would allow investigating a violation of the rights recognized within the jurisdiction of the Spanish Data Protection Agency.




THIRD: On March 1, 2021, the defendant submitted a written statement, registered at this Agency on the same date, in which he files an appeal for reconsideration against the resolution, providing new evidence: a document that certifies the admission for processing of his request for arbitration before the Consumer Arbitration Board of the Government of the Principality of Asturias, dated December 11, 2020, against MASTER DISTANCIA, S.A., as well as a report of inclusion in the ASNEF system dated February 24, 2021, in which his personal data appears registered by the claimed entity.



On March 31, 2021, the appeal for reconsideration filed by the

claimed against the Resolution of this Agency issued on March 1, 2021.








                            FOUNDATIONS OF LAW




                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in articles 47, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate this procedure.




                                             II
Article 58 of the RGPD, "Powers", indicates in point 2:

"2. Each supervisory authority shall have all of the following corrective powers:

(…)

i) to impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, depending on the circumstances of each particular case;"


                                               III




The RGPD deals in its article 5 with the principles that must govern the treatment of personal data, a provision that states:

"1. The personal data will be:

a) treated in a lawful, loyal and transparent manner in relation to the interested party (<< legality, loyalty and transparency >>);

(…)

2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and capable of demonstrating it (<< proactive responsibility >>)"

(The underlining is from the AEPD)




Article 4 point 2) of the RGPD defines "treatment" as "any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of enabling access, (…)"



Article 6 of the RGPD, "Legality of the treatment", sets out in its section 1 the cases in which the processing of third-party data is considered lawful:

"1. The treatment will only be lawful if at least one of the following conditions is met:

a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;

b) the treatment is necessary for the performance of a contract to which the interested party is a party or for the application, at the latter's request, of pre-contractual measures;

(…)"




At the same time, the LOPDGDD, in its article 20, under the heading "Credit information systems", provides:

"1. Unless proven otherwise, the processing of personal data relating to the breach of monetary, financial or credit obligations by common credit information systems will be presumed lawful when the following requirements are met:

a) That the data have been provided by the creditor or by whoever acts on its behalf or in its interest.

b) That the data refer to certain, overdue and enforceable debts, whose existence or amount has not been the subject of an administrative or judicial claim by the debtor or of an alternative dispute resolution procedure binding between the parties.

c) That the creditor has informed the affected party, in the contract or at the time of requesting payment, about the possibility of inclusion in said systems, indicating those in which it participates.


The entity that maintains the credit information system with data relating to the breach of monetary, financial or credit obligations must notify the affected party of the inclusion of such data and will inform them about the possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679 within thirty days of notification of the debt to the system, the data remaining blocked during that period.

d) That the data is only kept in the system as long as the default persists, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation.

e) That the data referring to a specific debtor can only be consulted when whoever consults the system maintains a contractual relationship with the affected party that involves the payment of a pecuniary amount, or the latter has requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation on consumer credit contracts and real estate credit contracts.

When the right to the limitation of the treatment of the data has been exercised, challenging its accuracy in accordance with the provisions of article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who may consult it in accordance with the previous paragraph of the mere existence of said circumstance, without providing the specific data with respect to which the right was exercised, until a decision is made on the affected party's request.

f) That, in the event that the request for the conclusion of the contract is denied, or the contract is not concluded, as a result of the consultation made, whoever has consulted the system informs the affected party of the result of said consultation.

2. The entities that maintain the system and the creditors, with respect to the treatment of the data referring to their debtors, will have the status of co-responsible parties for the processing of the data, with the provisions of Article 26 of Regulation (EU) 2016/679 being applicable.

It will be up to the creditor to ensure that the requirements for the inclusion of the debt in the system are met, being liable for its non-existence or inaccuracy.

3. The presumption referred to in section 1 of this article does not cover cases in which the entity that maintains the system associates the credit information with information additional to that contemplated in said section, related to the debtor and obtained from other sources, in order to carry out profiling of the debtor, in particular by applying credit rating techniques." (The underlining is from the AEPD)

The infringement of article 6 of the RGPD, in relation to its article 5.1.a), for which the claimed party is held responsible, is sanctioned in article 83.5 of the RGPD, which states:

"Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:

a) The basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9."



It must also be taken into account, for the purposes of the limitation period for infractions, that the LOPDGDD classifies as very serious infractions those described in its article 72.1, which includes "a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679"



                                            III




The documentation in the file shows that the claimed party violated article 6.1 of the RGPD.

The claimed party's conduct contrary to the principle of legality has consisted of communicating to a credit information system (the ASNEF file) a debt that, with regard to the alleged debtor, the claimant, was not certain, due or enforceable. This is established, "a contrario sensu", by article 20.1 of the LOPDGDD. The illicit treatment of the claimant's data, specified in the inclusion in a solvency file without meeting the conditions required for it to be in accordance with the law, the February 24, 2021, date of registration of the debt in the aforementioned file,



The claimant has provided a document that certifies the admission for processing of his request for arbitration before the Consumer Arbitration Board of the Government of the Principality of Asturias, dated December 11, 2020, against MASTER DISTANCIA, S.A., as well as a report of inclusion in the ASNEF system dated February 24, 2021, in which his personal data is registered by the claimed entity.




As recital 40 of the RGPD clearly states: "(…) For the treatment to be lawful, personal data must be processed with the consent of the interested party or on any other legitimate basis established in accordance with law, either in this Regulation or by virtue of other Union or Member State law referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to execute a contract to which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract."



                                            IV




In order to determine the administrative fine to be imposed, it is necessary to refer to the provisions of articles 83.1 and 83.2 of the RGPD, which establish:

"Each control authority will guarantee that the imposition of administrative fines pursuant to this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive."

"Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, due account will be taken of:

a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have applied by virtue of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority learned of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, paragraph 2, have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, "Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the offense.

b) The link between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of the commission of the offense.

d) The possibility that the affected person's conduct could have led to the commission of the offense.

e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The effect on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."


In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purpose of setting the amount of the fine to be imposed in the present case on the claimed entity for the offense typified in Article 83.5.a) of the RGPD for which the claimed party is responsible, in an initial assessment, the following factors are considered to be concurrent:

- In the present case we are facing a serious negligent action (article 83.2 b)

- Basic personal identifiers are affected (name, surname, domicile) (article 83.2 g)

The balance of the circumstances contemplated in article 83.2 of the RGPD, with regard to the offense committed by violating the provisions of article 6.1 of the RGPD, allows setting a penalty of 25,000 euros (twenty-five thousand euros), considered "very serious", for the purposes of its limitation period, in article 72.1.a) of the LOPDGDD.


Therefore, in accordance with the foregoing, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:






    1. INITIATE SANCTIONING PROCEDURE against MASTER DISTANCIA S.A., with CIF A50715366, for the alleged violation of article 6.1 of the RGPD, typified in article 83.5.a) of the aforementioned RGPD.

    1. APPOINT Mr. B.B.B. as instructor and Ms. C.C.C. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).



    2. INCORPORATE to the sanctioning file, for evidentiary purposes, the
       claim filed by the claimant and its attached documentation.




    3. THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the penalty that may correspond would be 25,000 euros (twenty-five thousand euros), without prejudice to what results from the instruction.

    4. NOTIFY this agreement to MASTER DISTANCIA S.A., with CIF A50715366, granting it a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In its statement of allegations it must provide its NIF and the procedure number shown at the top of this document.




If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, you may acknowledge your responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be established at 20,000 euros, resolving the procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at 20,000 euros and its payment will imply the termination of the procedure.




The reduction for the voluntary payment of the penalty is cumulative with the one that corresponds to the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions are applied, the amount of the penalty would be set at 15,000 euros.

In any case, the effectiveness of either of the two mentioned reductions will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.



In case you choose to proceed to the voluntary payment of either of the amounts indicated above, 20,000 euros or 15,000 euros, you must make it effective by paying it into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept field the reference number of the procedure that appears in the heading of this document and the ground for reduction of the amount that is being relied on.

Likewise, you must send the proof of payment to the Subdirectorate General of Inspection in order to continue the procedure in accordance with the amount paid.




The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.



Mar España Martí
Director of the Spanish Data Protection Agency





>>

SECOND: On June 2, 2021, the claimed party paid the sanction in the amount of 20,000 euros, making use of one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, acknowledgment of responsibility has not been accredited.

THIRD: The payment made entails the waiver of any action or appeal in administrative proceedings against the sanction, in relation to the facts referred to in the Initiation Agreement.


                            FOUNDATIONS OF LAW

                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.


                                            II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and a non-pecuniary sanction but the inadmissibility of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure PS/00140/2021, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to MASTER DISTANCIA S.A.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.



Mar España Martí
Director of the Spanish Data Protection Agency