AEPD (Spain) - PS/00241/2022

AEPD - PS/00241/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.03.2021
Decided:
Published:
Fine: 100.000 EUR
Parties: Ibercaja
National Case Number/Name: PS/00241/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD fined Ibercaja - a bank - €100.000 for opening an account in the name of a minor during an inheritance process without having obtained the specific and unambiguous consent of the mother, in breach of Article 6(1) GDPR.

English Summary

Facts

A woman provided her personal data and the personal data of her child (data subject) to the Spanish bank Ibercaja (data controller) with the intention of obtaining balances of a deceased person and initiating an inheritance process. During the process, the controller opened an account in the name of the minor data subject to transfer part of the funds that the deceased person had in the bank. Upon learning about the bank account, the mother filed a complaint with the AEPD claiming that the controller did not ask for her consent. The controller confirmed that there was no authorisation but alleged that the account was inactive and that it was necessary for the distribution and adjudication of the deceased's assets requested by the mother.

Holding

The AEPD considered that the opening of the account by the controller was not necessary for the performance of the service requested by the mother, as she could choose to open it at any other financial institution. The DPA pointed out that the mother's request to initiate the inheritance procedure does not imply per se that the bank can use the child's data for other purposes, such as opening a bank account. It emphasised that, although the account was not active, the mere insertion of the data subject's personal data into the bank's information systems was illegal since it was not authorised by their legal representative.

It recalled that the GDPR requires controllers to obtain informed and unambiguous consent for each of the purposes of the personal data processing. Thus, the fact that the claimant provided her personal data with the intention of obtaining the bank balances does not allow the bank to process these data for other purposes, such as the creation of a bank account in the name of one of her minor children.

On this basis, the AEPD found a violation of Article 6 GDPR and fined Ibercaja €100.000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.