AEPD (Spain) - PS/00335/2020

From GDPRhub
AEPD - PS/00335/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 02.02.2021
Fine: 5.000 EUR
Parties: IDFINANCE SPAIN, S.L.
National Case Number/Name: PS/00335/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA (AEPD) has sanctioned the fintech IDFINANCE SPAIN, S.L. for failing to comply with Article 5(1)(f) and Article 32 GDPR. The initial sanction was a fine of €5000 for infringing Article 5(1)(f) and a warning for the breach of Article 32. However, the AEPD closed the proceedings due to the voluntary and early payment of €3000.

English Summary

Facts

The respondent company sent an e-mail to the claimant requesting the return of a credit. To facilitate payment, the email included a link. When the complainant clicked on the link, he had access to another customer's personal data, not his own. Specifically, the complainant was able to see the other customer's personal identification, location, financial and contractual data.

Dispute

The claim is based on the alleged security breach in the respondent's systems and the consequent violation of the principle of confidentiality in the processing of personal data by the data controller. In this regard, the respondent alleged that it did not know how the claimant could have received the link by e-mail, since it is only generated to be sent via SMS.

Holding

The Spanish DPA (AEPD) maintains that the respondent did not adopt the necessary technical and organizational measures to guarantee the confidentiality of the information and to respect its own security protocols. This therefore breached Article 5(1)(f) GDPR and Article 32 GDPR.

The initial sanction for infringing Article 5(1)(f) was a fine of €5000 and the initial sanction for breach of Article 32 was a warning. However, the AEPD closed the proceedings due to the voluntary and early payment of €3000.
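
One way to enforce two of the controls the decision translated below found missing (the 7-day expiry checked on every request, and no access to the user area from the link alone), as an added example that is not the respondent's or the AEPD's code. The token format, function names, key, customer identifiers and sample timestamps are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
LINK_TTL = timedelta(days=7)      # the 7-day expiry the respondent declared
LINK_SCOPE = "pay"                # the only action a payment link may perform


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_payment_link(customer_id: str, now: datetime) -> str:
    """Return a signed token bound to one customer, one action and one expiry."""
    claims = {"sub": customer_id, "scope": LINK_SCOPE,
              "exp": int((now + LINK_TTL).timestamp())}
    payload = json.dumps(claims, sort_keys=True).encode()
    return f"{_b64(payload)}.{_b64(_sign(payload))}"


def authorize(token: str, action: str, now: datetime,
              session_customer: Optional[str] = None) -> str:
    """Server-side decision taken on every request made with the link."""
    try:
        body, sig = token.split(".")
        payload = _unb64(body)
        # Verify integrity before trusting any field of the payload.
        if not hmac.compare_digest(_sign(payload), _unb64(sig)):
            return "deny: bad signature"
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return "deny: malformed token"
    # Expiry is enforced here, not merely stored next to the link.
    if now.timestamp() >= claims["exp"]:
        return "deny: link expired"
    # The link alone may only reach the payment step.
    if action == claims["scope"]:
        return "allow: payment only"
    # Profile pages, cards and contract downloads need a logged-in session
    # belonging to the same customer the link was issued for.
    if session_customer == claims["sub"]:
        return "allow: authenticated session"
    return "deny: login required"


def accesses_after_expiry(issued_at: datetime,
                          access_times: List[datetime]) -> List[datetime]:
    """Detection check over an access list: hits at or after the link's deadline."""
    deadline = issued_at + LINK_TTL
    return [t for t in access_times if t >= deadline]


# Constructed sample data; the page gives only the overall access period.
UTC = timezone.utc
ISSUED_AT = datetime(2020, 4, 24, 9, 0, tzinfo=UTC)
SAMPLE_ACCESSES = [
    datetime(2020, 4, 25, 10, 0, tzinfo=UTC),
    datetime(2020, 5, 11, 17, 30, tzinfo=UTC),
    datetime(2020, 5, 14, 8, 15, tzinfo=UTC),
]

if __name__ == "__main__":
    link = issue_payment_link("customer-B", ISSUED_AT)
    for when in SAMPLE_ACCESSES:
        print(when.date(), "pay ->", authorize(link, "pay", when))
        print(when.date(), "view_profile ->", authorize(link, "view_profile", when))
    print("late accesses:", len(accesses_after_expiry(ISSUED_AT, SAMPLE_ACCESSES)))
```
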


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Procedure No.: PS/00335/2020

RESOLUTION R/00066/2021 TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT

In the sanctioning procedure PS/00335/2020, instructed by the Spanish Agency for Data Protection to IDFINANCE SPAIN, S.L., considering the complaint filed by A.A.A., and based on the following,


BACKGROUND

FIRST: On January 14, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against IDFINANCE SPAIN, S.L. (hereinafter, the claimed), through the Agreement that is transcribed:

<<





Procedure Nº: PS/00335/2020

AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Agency for Data Protection and based on the following

FACTS

FIRST: A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Agency for Data Protection on May 11, 2020. The claim is directed against IDFINANCE SPAIN, S.L. with NIF B66487190 (hereinafter, the claimed). The reasons on which the claim is based are the following:




“The company IDFINANCE SPAIN (MoneyMan) has sent a debt recovery email in which it offers a link to make the payment on its website; the link (*** URL.1) does not give me access to my account, but to that of another client, being able to


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/18








apply for loans, consult all their personal data and information regarding loans from the entity in question.

Attached is a capture of the data to which I have access, in addition to the mail that I have received.

My biggest concern is that just as I have access to this information that I should not be able to see so freely, the same thing happens with my personal data and that of other clients.”



Along with the claim, the claimant provides the following documents:

1. Mail sent on May 11, 2020 at 17:22 from the account <*** EMAIL.1> to <*** EMAIL.2>, informing the recipient of a balance in favor of MoneyMan and offering various payment methods, including the online payment service accessed through the link that is the object of the claim.

2. Screenshot of the “Loan History” page of contract *** CONTRACT.1, where there is a link to download the contract.

3. Screenshot of the page "My cards" where the central numbers of a debit card are masked.

4. Screenshot of the “Contact information” page where the NIE, date of birth and email of a person with first and last name B.B.B. appear.

5. Screenshot of the "Address and employment" page showing address, employment status and information on net monthly income.




SECOND: On May 13, 2020, the General Subdirectorate for Inspection of Data carried out a verification of the link that is the object of the claim, collecting the following evidence:




1. Download of the document that contains the Terms and Conditions governing the loan contract signed between IDFINANCE SPAIN, S.L. and B.B.B.

2. Printout of the page that warns that “[…] your account has been blocked because you meet the requirements to be able to obtain a loan in Moneyman […]”

3. Printout of the “Loan History” page of the contract *** CONTRACT.1.

4. Printout of the page "My cards" showing the masked numbers (except the last 4 digits) of a debit card.




THIRD: In view of the facts denounced in the claim and the documents provided by the claimant, the Subdirectorate General for Inspection of Data proceeded, on June 3, 2020, to transfer the claim, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). In this letter, the defendant was requested, within the period of one month, to analyze the claim, find out the causes that motivated the incident that gave rise to the claim, and report on the measures adopted to avoid similar incidents, implementation dates and controls carried out to verify their effectiveness.




The defendant submitted an answering brief on July 12, 2020 in which it states the following:

"[…] FIRST. - Having received the claim from that Agency, this entity initiated the investigation of the facts, firstly verifying that the systems had not produced any type of security breach that would have given access to personal data from the database.

This verification was negative and it was found that there was no failure in the system that would allow a general dissemination of customer personal data.





SECOND. - […]




Once a client registers on the website, their User Area is automatically created, which can only be accessed through their unique username and password. [...]

[…] When clients default, the agents of the Recovery Department initiate the different actions so that the clients comply with the payment of the loan.

One of them is to send, via SMS, never by email, a link to make the payment directly in their User Area, which is what the claimant provides in the claim.



THIRD. - Having received the claim of Mr. A.A.A., we proceeded to perform, as explained above, an exhaustive investigation.

Once the security breach was ruled out, the investigation of the events described in the claim of Mr. A.A.A. was initiated.

[…]

This link is generated manually in the system; in the CRM where customer loans are managed there is the option of sending the SMS with said link.

We do not know how the claimant was able to receive this link by email since it is only generated to be sent via SMS. Nor have we been able to carry out the investigation of said email given that the claimant did not provide it in the claim.






However, a search has been carried out of the email mailboxes from which notifications are sent to customers and there is no email sent either to the claimant or to Mr. B.B.B.

Likewise, a search has been carried out of all the SMS sent by the system in the file of Mr. B.B.B. and the only phone number that appears is the one that belongs to said client, so it is technically impossible for that SMS to have been sent to another phone number.

Likewise, we have proceeded to extract from the database all the accesses that were made to said link, with the IP addresses, the browser and other data, in which it is appreciated that, despite the fact that the link has an expiration of 7 days, it was accessed a high number of times, even being opened from the WhatsApp application.



FOURTH.- In light of the foregoing regarding the facts described by Mr. A.A.A. in his claim, he actually had access to the link sent via SMS to the phone number of Mr. B.B.B. and to his User Area, and since IDFinance Spain S.L.U. scrupulously ensures the data protection rights of the interested parties, it proceeded to take measures in order to protect the rights of Mr. B.B.B., that is, blocking his data in the systems until it can be known how Mr. A.A.A. had access to that link.

[…] That Agency is requested to ask Mr. A.A.A. to provide the email he received with that link.

[…] "




The defendant attaches to this brief a document listing the accesses to the link made between April 24, 2020 and May 14, 2020.




FOURTH: The claim was admitted for processing by resolution of the Director
of the Spanish Agency for Data Protection dated September 25, 2020.




FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.



II

Article 5 of the RGPD, under the heading "Principles relating to the treatment", establishes in letter f) of its section 1 that personal data will be “treated in such a way as to ensure adequate security, including protection against unauthorized or illegal treatment and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality”)”.




For its part, the LOPDGDD, in its article 5, provides that:

"1. Those responsible and in charge of data processing, as well as all people who intervene in any phase of it, will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations.

3. The obligations established in the previous sections will be maintained even when the relationship between the obligated party and the person in charge of the treatment".


In relation to the measures mentioned in article 5.1.f) of the RGPD transcribed above, article 32 of the same rule provides that:

"1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of natural persons, the controller and the person in charge of the treatment will apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which where appropriate include, among others:

a) pseudonymisation and encryption of personal data;

b) the ability to guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services;

c) the ability to restore the availability of and access to personal data quickly in case of physical or technical incident;

d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment.

2. When evaluating the adequacy of the security level, particular attention will be paid to the risks presented by the data processing, in particular as a consequence of accidental or illegal destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or the unauthorized communication of or access to such data.

3. Adherence to a code of conduct approved in accordance with article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of this article.





4. The controller and the person in charge of the treatment will take measures to guarantee that any person acting under the authority of the controller or processor and having access to personal data can only process said data following instructions of the controller, unless obliged to do so by virtue of the law of the Union or the Member States."


III

The claim is based on the alleged security breach in the systems of the claimed that would have resulted in the making available to a third party of a link that would have freely allowed access to personal identification, location, economic and contractual data of another client user, and therefore a violation of the principle of confidentiality in the processing of personal data by the person responsible for said treatment.

As proof of these statements, the claimant provided the documents referenced in the first fact of this agreement.

In this way, the email provided would show that, despite the statements made by the claimed in its letter dated July 12, 2020 to the effect that the link is only generated to be sent by SMS, on May 11, 2020 at 17:22 hours an email would have been sent from the account <*** EMAIL.1> to <*** EMAIL.2>. In this email the link *** URL.1 appears as access to the online payment of a monetary amount in favor of the claimed.

Likewise, the claimant provides screenshots of the user account to which the link referred to in the previous paragraph gives access and which does not correspond to his own, but to that of another person, and which allows access to personal identification, location and economic data, as well as a link that allows downloading the contract signed by the client with the claimed. Free access to the content of various pages of the user account from the referred link, as well as the possibility of downloading the contract, were confirmed by the checks referred to in the second fact, which were forwarded as documentation attached to the transfer of the claim sent to the defendant on June 3, 2020.

On the other hand, it is pointed out that, according to the list of accesses to the referred link provided by the defendant, it would have been accessed between April 24, 2020 and May 14, 2020, a period of time clearly greater than the 7 days of expiration established for said links as indicated by the claimed in its brief.






Taking into account that article 4.12) of the RGPD defines personal data security violations as “all those security violations that cause the destruction, loss or accidental or illegal alteration of personal data transmitted, conserved or otherwise treated, or the unauthorized communication of or access to such data”, what is set forth in the preceding paragraphs would show that a violation of the security measures would have occurred that would have allowed:

1º That the link had been communicated by a means (email) other than the SMS sent to the client's mobile phone that, according to what was stated by the claimed, constitutes the procedure of action.

2º That the link had been active for a time greater than the 7 days of expiration declared by the defendant in his answering brief.

3º That it has been possible to freely access, through the aforementioned link, the user area without entering the username and password, which the claimed indicated as the only way to access said user area.




IV

In accordance with the evidence available at the present time of the agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the facts presented do not comply with the provisions of Articles 5.1.f) and 32 of the RGPD, so they could involve the commission of separate infractions. The infringement of article 5.1.f) is typified in article 83.5 of the RGPD, which provides the following:

"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:







a) the basic principles for the treatment, including the conditions for consent in accordance with articles 5, 6, 7 and 9; […] "

For its part, the violation of article 32 of the RGPD is typified in article 83.4 of the cited rule, where it is determined that:

"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount:

a) The obligations of the controller and the processor in accordance with articles 8, 11, 25 to 39, 42 and 43; […] "

For the purposes of the statute of limitations for infractions, article 72.1 of the LOPDGDD points out:

"Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, in particular the following:

a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. […]"

And for its part, article 73 of the LOPDGDD states:

"Based on what is established in article 83.4 of Regulation (EU) 2016/679, infractions that suppose a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, in particular the following:

[…] g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented as required by article 32.1 of Regulation (EU) 2016/679. […] "




V

The corrective powers available to the Spanish Agency for Data Protection, as a control authority, are established in article 58.2 of the RGPD. Among them are the power to sanction with a warning - article 58.2 b) -, the power to impose an administrative fine in accordance with article 83 of the RGPD - article 58.2 i) -, or the power to order the person in charge of the treatment that the processing operations comply with the provisions of the RGPD, where appropriate, in a certain way and within a specified period - article 58.2 d) -.

According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of an administrative fine.

Without prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulation provides in its art. 58.2 b) the possibility of sanctioning with a warning, in relation to what is stated in Recital 148:

"In the event of a minor offense, or if the fine likely to be imposed constitutes a disproportionate burden for an individual, a warning may be imposed rather than a sanction by fine. However, special attention must be paid to the nature, severity and duration of the offense, its intentional character, the measures taken to alleviate the damages suffered, the degree of responsibility or any relevant prior infringement, the way in which the supervisory authority has had knowledge of the infraction, the fulfillment of measures ordered against the person in charge, adherence to codes of conduct and any other aggravating or mitigating circumstance."



VI

In the present case, without prejudice to the results of the instruction, the following elements in particular have been taken into account.

1. As an aggravating circumstance, the link between the activity of the claimed and the processing of personal data, since its activity necessarily entails the processing of personal data of the clients (article 76.2.b) of the LOPDGDD).

2. As an extenuating circumstance, the cooperation shown by the claimed with the Spanish Agency for Data Protection in the transfer phase of the claim (article 83.2.f of the RGPD).

Therefore, it is considered that the sanctions that should be imposed would be the following:

- For the violation of article 5.1.f) it is considered that the appropriate sanction is an administrative fine. In this regard, the fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of Article 83.1 of the RGPD. Therefore, the sanction to be imposed should be adjusted according to the criteria established in article 83.2 of the RGPD, and with the provisions of Article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. Based on the foregoing, it is considered proportional to set the penalty to be imposed in the amount of five thousand euros (€ 5,000.00).

- For the violation of article 32, a sanction of warning, in accordance with what is established in article 58.2 b) of the RGPD, in relation to what is stated in Recital 148, cited above.

On the other hand, if the existence of infringing conduct is confirmed, it could be agreed to impose on the person in charge the adoption of adequate measures to adjust their actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the RGPD, according to which each supervisory authority may “order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a determined manner and within a specified period […]”.

In such case, in the resolution adopted, this Agency may require the person responsible, within the period to be determined, to:

- Prove that it has verified and corrected the implementation of the technical or organizational security measures, or both, that avoid the violation of the principle of confidentiality and the making available to third parties of personal data of the customers.







Therefore, based on the foregoing, the Director of the Spanish Agency for Data Protection AGREES:






FIRST: INITIATE SANCTIONING PROCEDURE against IDFINANCE SPAIN, S.L., with NIF B66487190, for the alleged infractions of articles 5.1.f) and 32 of the RGPD, typified in articles 83.5 and 83.4, respectively, of the aforementioned rule.

SECOND: APPOINT C.C.C. and, as secretary, D.D.D., stating that any of them may be challenged, if applicable, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Inspection of Data.






FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the penalty that may correspond for the violation of article 5.1.f) of the RGPD would be FIVE THOUSAND EUROS (€ 5,000.00), and for that of article 32 of the same rule, a WARNING. All this without prejudice to what results from the instruction.

Likewise, the confirmation of the offending conduct may lead to the imposition of measures in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD.

FIFTH: NOTIFY this agreement to IDFINANCE SPAIN, S.L., with NIF B66487190, granting it a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In its brief of allegations, it must provide its NIF and the procedure number that appears in the heading of this document.

If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be established at FOUR THOUSAND EUROS (€ 4,000.00), resolving the procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be established at FOUR THOUSAND EUROS (€ 4,000.00) and its payment will imply the termination of the procedure.





The reduction for the voluntary payment of the penalty is cumulative with the one corresponding to the recognition of responsibility, provided that this recognition of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions are applied, the amount of the penalty would be established at THREE THOUSAND EUROS (€ 3,000.00).

In any case, the effectiveness of either of the two mentioned reductions will be conditioned on the withdrawal or waiver of any administrative action or remedy against the sanction.

In case you choose to proceed to the voluntary payment of any of the amounts mentioned above, FOUR THOUSAND EUROS (€ 4,000.00) or THREE THOUSAND EUROS (€ 3,000.00), you must make it effective by paying into account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted.

Likewise, you must send proof of payment to the Subdirectorate General of Inspection to continue the procedure according to the quantity paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the closure of the proceedings, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.







Mar España Martí
Director of the Spanish Agency for Data Protection




>>

SECOND: On January 23, 2021, the defendant proceeded to pay the penalty in the amount of 3,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in art. 47 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and another non-pecuniary sanction, but the inadmissibility of the second, the voluntary payment by the presumed responsible, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: DECLARE the termination of procedure PS/00335/2020, in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to IDFINANCE SPAIN, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.


Mar España Martí
Director of the Spanish Agency for Data Protection






















