AEPD (Spain) - PS/00241/2022

From GDPRhub
Revision as of 13:53, 21 March 2023 by SR (talk | contribs)
AEPD - PS/00241/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 09.03.2021
Decided:
Published:
Fine: 100.000 EUR
Parties: Ibercaja
National Case Number/Name: PS/00241/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Bernardo Armentano

AEPD fined Ibercaja - a bank - €100.000 for opening an account in the name of a minor during an inheritance process without having obtained the specific and unambiguous consent of the mother, in breach of Article 6(1) GDPR.

English Summary

Facts

A woman provided her personal data and the personal data of her children to the Spanish bank Ibercaja with the intention of obtaining balances of a deceased person and initiating an inheritance process. Subsequently, she filed a complaint with the AEPD claiming that, during the process, Ibercaja shared these data with the lawyer of the other co-heirs and with a life insurance company. She also claimed that the bank opened an account in the name of her minor child for the deposit of inheritance funds without her knowledge. When asked to provide a proof of prior consent, the bank confirmed that there was no authorisation but alleged that the account was inactive and that is was necessary for the distribution and adjudication of the deceased's assets. It highlighted that these assets were in its custody and that the mother requested the processing of the deceased's will.

Holding

The AEPD stated that the bank account do not necessarily have to opened in the same bank as the one of the deceased person, but rather in any other financial institution of the heirs' choice. The DPA emphasised that, although the account was not active, the mere insertion of the minors' personal data into the bank's information systems was illegal since it was not authorized by their legal representative.

With regard to the argument that the mother requested the processing of the deceased's will, the DPA pointed out that this does not imply per se that the bank can use all the data in its possession for any purpose. It recalled that the GDPR requires controllers to obtain informed and unambiguous consent for each of the purposes of the personal data processing. Thus, the fact that the claimant provided her personal data with the intention of obtaining the bank balances does not allow it to process these data for other purposes, such as the creation of a bank account in the name of one of her minor children.

On this basis, the AEPD found a violation of Article 6 GDPR and fined Ibercaja €100.000. However, it considered that the transfer of data to unauthorised third parties was not proven.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.