AEPD (Spain) - PS/00241/2022

From GDPRhub
Revision as of 16:16, 20 March 2023 by Ba (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00241/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.03.2021
Decided:
Published:
Fine: 100.000 EUR
Parties: Ibercaja
National Case Number/Name: PS/00241/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD fines Ibercaja €100.000 for opening a bank account in the name of a minor during an inheritance process without having obtained the specific and unambiguous consent of the mother, in breach of Article 6(1) GDPR.

English Summary

Facts

A woman filed a complaint with the AEPD claiming that, during an inheritance process, the spanish bank Ibercaja shared her data and the data of her children with the lawyer of the other co-heirs and with a life insurance company. She also claimed that the bank opened an account in the name of her minor child for the deposit of inheritance funds without her knowledge. When asked to provide a proof of prior consent, the bank confirmed that there was no authorisation but alleged that the account was inactive and that is was necessary for the distribution and adjudication of the deceased's assets which were in its custody. It highlighted that the mother initiated the procedure.

Holding

The AEPD stated that the bank accounts do not necessarily have to opened in the same bank as the one of the deceased person, but rather in any other financial institution of the heirs' choice. It emphasised that, although the account were not active, the mere insertion of the minors' personal data into the bank's information systems was illegal since it was not authorized by their legal representative.

With regard to the argument that the mother requested the processing of the deceased's will, the DPA pointed out that this does not imply per se that the bank can use all the data in its possession for any purpose. It recalled that the GDPR requires controllers to obtain informed and unambiguous consent for each of the purposes of the personal data processing. Thus, the fact that the claimant provided her personal data with the intention of obtaining the bank balances does not allow it to process these data for other purposes, such as the creation of a bank account in the name of one of her minor children.

On this basis, the AEPD found a violation of Article 6 GDPR and fined Ibercaja €100.000. However, it considered that the transfer of data to unauthorised third parties was not proven.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.