AEPD (Spain) - PS/00388/2022

From GDPRhub
Revision as of 10:17, 18 July 2023

AEPD - PS/00388/2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 04.07.2023
Fine: 25,000 EUR
Parties: Caixabank, S.A.
National Case Number/Name: PS/00388/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA fined Caixabank €25,000 for failing to take appropriate technical and organisational measures to verify the identity of the customer before granting access to personal data, in violation of Article 32(1) GDPR.

English Summary

Facts

The data subject was a minor represented by her mother, who was trying to obtain information regarding her child's bank account.

However, Caixabank, the controller, informed the mother that it could not process the requests because the e-mail address from which she was writing was not registered in the bank's database. The mother insisted and finally the controller told her that the information on her daughter's bank account was blocked. The controller also told her that they would contact her again to provide more information.

That same day, the controller called her and, without any identity verification, provided information related to the bank account of her other daughter, about which she had not asked anything. After clarifying the mistake, the controller told the mother that the bank account about which she had initially requested information had been cancelled and that she would have to go to a physical branch to learn why.

Finally, the mother managed to get the information she wanted. After that, she filed a complaint with the Spanish DPA for the lack of response to her request and for the lack of appropriate security measures in relation to the verification of the identity of the holder of the bank account.

Holding

While recognizing that the complainant had to insist several times to obtain information about her daughter's bank account, the DPA concluded that the controller provided the requested information, including the transcript of two telephone calls. Therefore, it did not find any breach of the right of access.

However, the DPA did hold that the controller failed to comply with its obligation to have adequate technical and organisational measures in place, since it provided information about the second daughter's bank account without first carrying out any identity authentication.

The DPA rejected the controller's arguments that it was a mere human error and that the information was only disclosed to the actual mother of the child. In the DPA's view, the controller's protocol did fail, allowing access to the data of third parties.

Therefore, the DPA imposed a fine of €25,000 for a violation of Article 32(1) GDPR.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00388/2022

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: Ms. A.A.A. (hereinafter the claimant) filed a claim before the Spanish Data Protection Agency on 06/01/2021. The claim is directed against CAIXABANK S.A. with NIF A08663619 (hereinafter, the claimed party). The reasons on which the claim is based are the following: that since 02/11/2021 she has requested on several occasions from the claimed entity information about an account of her youngest daughter, of whom she has exclusive guardianship and custody, the father and mother of the minor appearing in said account as legal representatives. She states that, after receiving a response indicating that they could not provide said information to an email address that was not registered in its database, on 02/25/2021 she called the claimed entity reiterating her request for information and the operator indicated that said information was blocked, although he would send an e-mail to the coordination department so that they could contact the claimant and provide more information about it. That same day she received a call from the director of a different office to provide her with information about another of her daughters, so the claimant pointed out the error and indicated that, in addition, she had not previously identified herself with her ID. Finally, the aforementioned director confirmed that the account of the daughter about whom she was asking had been canceled and that she had to go to the corresponding office for more information. On 02/26/2021 she went to said office, where the father of the minor, with whom she is in divorce proceedings, works and, after several reluctances, they finally told her that the account had been canceled by the father of the minor and that a transfer had been made to one of his accounts. On 03/03/2021, she requested access to certain documentation related to the account, as well as the recordings of the calls made on said matter to the SAC, without having been provided with the recordings. She also filed several claims (on 03/23, 24 and 31/2021) showing her disagreement with the cancellation of her daughter's account, bearing only the father's signature, as well as with the obstruction when requesting information, without having received an answer.

She provides the following documentation:
- DNI of the claimant's youngest daughter
- Copy of various emails between 02/11 and 23/2021 requesting information about the canceled bank account, addressed to the director of the branch of BANKIA, S.A. where this account was opened.
- Copy of the email from the claimant's lawyer sent to the director of the branch of BANKIA, S.A. where this account had been opened, requesting various information, including the recordings of the claimant's calls dated 02/25/2021. This document states that the requested information has been provided by the entity except for the recordings.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/23

- Copy of the email dated 04/23/2021 with a claim addressed to BANKIA, S.A.
- Forwarding of a copy of the previous email to the entity CAIXABANK, S.A. following the merger by acquisition of BANKIA, S.A. by CAIXABANK, S.A.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on 07/01/2021 the claim was transferred to the claimed party, so that it could proceed to its analysis and inform this Agency, within the term of one month, of the actions carried out to comply with the requirements set out in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was received on 07/01/2021 as stated in the acknowledgment of receipt in the file.

On 07/30/2021, this Agency received a letter from the claimed party stating that the claimant's daughter, a minor, was listed as the owner of the bank account in question, her parents appearing as authorised in it in their capacity as parents of the minor.

Regarding the recording of the calls, a transcript of them was made available to the claimant through the office, if desired.

Regarding the fact of receiving a call from CaixaBank office ***OFFICE.1 to inform her about another of her minor daughters, about whom she had not requested any information, it was an involuntary error of the telephone customer service operator, who referred the instruction to the office where an account in the name of another of her daughters had been opened. There is the email sent by the operator to office ***OFFICE.1 in which he asks that office to contact the claimant regarding the account opened in the name of her other daughter, when the client's interest was information related to the account opened in the name of the youngest daughter.

The error is in any case involuntary and does not imply any type of transfer of data to third parties, in addition to the fact that the recipient of the information, the claimant, is entitled to the information in her capacity as mother and legal representative. In no case has harm been caused to the affected party.

After the response to the transfer of the claim, the claimant again requested the recordings and they were not provided. According to her, the recordings show that she never identified herself with her ID but with that of her daughter, who is the owner of the account in dispute. She suspects that the request for information about her daughter's account (which had been canceled by the father, with whom she is in the process of divorce) is being evaded by giving her the account information of her other daughter (which they attribute to a mistake).

THIRD: On 10/25/2021, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, learning the following:

It is confirmed, according to the DNI, that the claimant's daughter whose account was canceled by only one of the parents is under 14 years of age.

Regarding access to the information requested by the claimant from the entity, this was provided with the exception of the recordings, about which the claimed party informed the claimant that they were made available at the ***OFFICE.2 branch of BANKIA, S.A., at ***ADDRESS.1, ***LOCATION.1, where the minor's account was held, according to the response of the Customer Service (hereinafter, SAC) that appears in the documentation presented by the claimed party. There is no evidence that the claimant has appeared at this office to collect them.

Copies of the recordings of the telephone calls made by the claimant to the SAC were requested from the claimed party; a response brief dated 03/16/2022, with registry numbers REGAGE22e00007574995, REGAGE22e00007575005, REGAGE22e00007575017, REGAGE22e00007575028 and REGAGE22e00007843841, was sent by the claimed party presenting the requested recordings.

After analyzing the recordings, the following conclusions can be drawn:

- Call of 02/25/2021 at 10:27 a.m.: It is verified that in the first call to Customer Service the claimant only provided the DNI of her youngest daughter. This daughter's checking account was blocked, so the customer service agent could not access the data of this account. The agent indicated that he would forward the incident to "coordination" by email and that she would receive a call with the information they could provide.
- Call of 02/25/2021 at 12:38 p.m.: In the second recording, the claimant states that she has been called by the SAC (one hour after the call in the previous paragraph) to inform her, incomprehensibly, about her eldest daughter's data. Regarding access to the data of her minor daughter's account, it is verified that the account no longer exists and the personal data relating to this account are blocked, since the customer service agent no longer sees data of any account under the DNI of the claimant or of her youngest daughter.

The claimed party was asked for the possible active products of the claimant's eldest daughter and to confirm the cancellation date of the products that were no longer active; on 06/01/2022 a letter was sent by

CAIXABANK informing that the only product of this daughter of the claimant had been canceled on 01/10/2020. A copy of the cancellation document is attached.

Regarding the association of her other daughter with the claimant according to the call received from Customer Service on 02/25/2021 (after her first call), which the claimant finds incomprehensible, it has not been possible to determine the cause of the identification error that the claimed party attributes to an inadvertent error on the part of the SAC agent, but what is verified, according to the information reflected in the previous paragraph, is that once the contractual relationship between the claimed party and the claimant's eldest daughter ended in January 2020, her personal data were not blocked and have continued to be processed by the SAC, at least until 02/25/2021, the day the claimant received a phone call from the SAC to inform her of this daughter's data, instead of those related to the checking account of the youngest daughter in which she was interested.

Regarding the cancellation of the bank account of the claimant's youngest daughter, Annex number four included in the claim filed with this Agency contains the reply from the director of branch ***OFFICE.2 of BANKIA, S.A., at ***ADDRESS.1, ***LOCATION.1, dated 03/03/2021, in which he informs the claimant that the checking account of her youngest daughter was canceled on 01/28/2020 by the other parent, the outstanding balance in that account being transferred to his checking account.

Regarding this cancellation, it is verified that, although for the opening of the checking account, originally in the entity Banco Mare Nostrum-Caja Murcia (acquired subsequently by Bankia and finally by CaixaBank), the signatures of both parents were requested, for the cancellation order requested from CaixaBank only the father's was required, he being an employee at the CaixaBank branch where the account of the claimant's youngest daughter was held. Therefore, it is found that the claimed party canceled the checking account of the claimant's youngest daughter only with the consent of the minor's father and without the knowledge of the claimant.

FIFTH: Notified of the initiation agreement, the claimed party requested on 09/08/2022 an extension of the term to respond; the extension was granted by writing dated 09/09/2022.

The claimed party on 09/15/2022 submitted a written statement arguing, in summary: the defenselessness caused by the amount of the sanction being set in the initiation agreement; the non-existence of an infringement of article 15 of the GDPR, considering that the right of access was attended to in accordance with the personal data protection regulations; the non-existence of an infringement of article 32.1 of the GDPR and that, in her capacity as legal representative of the minors, access to the information of said accounts by the claimant is absolutely legitimate; that the Agency pronounces itself on civil issues, when it is itself the one that has established that these issues do not fall within its sphere of competence; that the aggravating factors that, improperly and inappropriately, this Agency considers concurrent are not applicable and, on the contrary, there are mitigating circumstances that have not been considered.

SIXTH: On 03/21/2023, it was agreed to open a period for the taking of evidence, agreeing the following:

- To consider reproduced for evidentiary purposes the claims filed by the claimants and their documentation, and the documents obtained and generated by the Inspection Services that are part of the file.
- To consider reproduced for evidentiary purposes the allegations to the initiation agreement presented by the claimed party.

SEVENTH: On 04/05/2023, a Resolution Proposal was issued in the sense that the Director of the Spanish Data Protection Agency sanction the claimed party, for a violation of article 15 of the GDPR, typified in article 83.5.a) of the GDPR, with a fine of 35,000 euros (thirty-five thousand euros) and, for a violation of article 32.1 of the GDPR, typified in article 83.4.a) of the GDPR, with a fine of €25,000 (twenty-five thousand euros). An Annex with the documents making up the administrative file was attached.

The claimed party requested a copy of the file on 04/11/2023, which was sent to it by writing on 04/13/2023. It also requested on 04/19/2023 an extension of the deadline for allegations, which was granted by writing of the instructor dated 04/21/2023.

The claimed party on 04/27/2023 submitted a brief of allegations in which it considered reproduced those formulated throughout the procedure and, in addition, reiterated that there was neither a violation of article 15 of the GDPR nor any infringement of article 32 of the aforementioned Regulation, requesting the closure of the procedure.

EIGHTH: From the actions carried out in this procedure, the following have been accredited:

PROVEN FACTS
FIRST. On 06/01/2022 a written submission from the claimant was entered at the AEPD stating that she had requested information from the claimed party on several occasions about an account of her daughter B.B.B., a minor, of whom she has exclusive guardianship and custody, both parents being representatives; that after receiving an answer that such information could not be provided to an email address that was not registered in the database, she addressed the claimed party reiterating her request for information and the operator indicated that said information was blocked, although he would send an email to the coordination department so that they could contact the claimant and offer more information in this regard; that that day she received a call from the director of a different branch providing her with information about another of her daughters, and she warned him of the mistake made; that finally the director confirmed that the account of the daughter about whom she was asking had been canceled and that she had to go to the appropriate branch for more information; that the father of the minor, with whom she is in divorce proceedings, works in said office; that finally they informed her that the account had been canceled by the father and the funds had been transferred to one of his accounts; that she has requested access to documentation relating to the account, as well as to the recordings of the calls made on said matter to the SAC, without having been provided with the recordings; and that she has also filed briefs showing her disagreement with the cancellation of her daughter's account, as only the father's signature was used to do so, as well as with the obstruction when requesting information, without having received a response.


SECOND. There is evidence of emails exchanged with the Director of the branch of the claimed party requesting information on the minor's account.

In the e-mail of 02/11/2021 it is indicated:
"(...)
Through this e-mail I request information about the bank account of my daughter B.B.B...., with DNI..., since I was listed as the Holder of it together with C.C.C. and I do not know either the account number or other information and/or incidents that may have occurred.
(…)"

On 02/18/2021, the claimant addressed the Director of the branch again, stating:
"(...)
By means of this e-mail I inform you that I am still waiting for you to inform me…
(…)"

On 02/23/2021, she obtained a response from the Director of the branch with the following tenor:
"I beg your pardon, but we cannot give information through this channel to an email address that we do not have in our database…"

On 02/23/2021, the claimant addressed him again:
"In response to your previous email and, however, understanding that my personal information has already been accredited, since I already included in my previous email my National Identity Document, as well as that of my daughter, please inform me as soon as possible whether I have to make the request by attaching a scanned signed letter with all my information and my request for information (given the situation of prevention due to COVID infections, this is usually the usual practice), or if, on the contrary, you grant me an appointment in your office to discuss this matter at the time that best suits you; in any case, given the situation, my great concern, as well as the delay in your negative answer, I would appreciate obtaining said information as soon as possible."

THIRD. On 02/23/2021, the claimant sent an e-mail to the Customer Service in relation to the cancellation of the "My first account" contract of her daughter, contract no. ***CONTRACT.1, indicating:

"By means of this e-mail, I, the claimant, with DNI..., send you the written Claim that I present as a claimant as of today, duly signed, as well as the annexed documents that accompany it…"

FOURTH. The Complaint Document of 03/23/2021 has been provided, informing the claimed party of the incidents produced that are included in the first proven fact, and also copies of the DNIs of the claimant and of her youngest daughter B.B.B..
FIFTH. The Order of the Court for Violence against Women No. 1 of ***LOCALIDAD.1, in the procedure for preliminary provisional measures, states in its operative part that:

"(...)
- The guardianship and custody of the daughter is attributed to the mother, parental authority being shared by both parents.
(…)"

SIXTH. On 03/01/2021, the legal representation of the claimant sent, in her name and on her behalf, an email to the claimed party requesting all the documentation related to the cancellation of the "My first account" contract no. ***CONTRACT.1, whose owner is the minor. It also requested a copy of the recordings of the telephone calls of 02/25/2021.

SEVENTH. There is a response from the claimed party dated 03/03/2021 stating: "That in response to the claimant's request in which she requests information about current and/or canceled bank accounts of her daughter B.B.B.… in our entity, and having consulted the records held by this branch, I inform you that:
There is only one registered Child Savings Book, opened in the Entity Banco Mare Nostrum dated October 19, 2017 with customer account code no. ***CONTRACT.2, the owner being B.B.B. ..., with ID ..., and as legal representatives D.C.C.C. with DNI... and the claimant, with DNI...
Said account was canceled while already in Bankia, with account number ***CONTRACT.1, dated January 28, 2020 by the legal representative D.C.C.C.
That the balance resulting from the cancellation amounted to €480.00, an amount that was transferred to a checking account opened in this entity whose ownership corresponds to D.C.C.C.".

EIGHTH. The Child Savings Book contract no. ***CONTRATO.2, in which the minor B.B.B. appears as holder and the parents as representatives, was signed in ***LOCATION.1 on 10/19/2017.

NINTH. The cancellation of the "My first account" contract, dated 01/28/2020 and signed by the father of the minor, has been provided, and states: "In accordance with what was agreed in contract no. ***CONTRACT.1 My first Account dated October 19, 2017, the client has requested on January 28, 2020 the cancellation of the same".

TENTH. There is a letter from the claimant dated 03/11/2021 addressed to the claimed party requesting a copy of the recordings of the calls made to the customer service on 02/25/2021.
ELEVENTH. There is a written response offered by the claimed party to the claimant dated 04/09/2021, in which it states:
"(...)
With regard to a possible breach of the data protection regulations in the call you received from office ***OFFICE.1, we have requested a report from the Telephone Service Center and they tell us that in the call of 02/25/2021 at 10:27 hours, the operator, after asking for the minor's ID number, let you know that there were no open products in her name, so he did not see any information, but that the managing office would call you to provide it.
Apparently, said operator carried out a query of canceled accounts in the name of B.B.B. to find out the identification of all the participants, verifying that you were the holder of accounts in office ***OFFICE.1, and therefore asked that office to get in touch with you, although making a mistake regarding the identification of the minor.
In the file of this claim there is a transcript of the calls, which office ***OFFICE.2 can deliver, if desired.
(…)"


TWELFTH. There is a response offered by the defendant to the claimant in writing
dated 07/29/2021, in which he states:
"In relation to your request, we reiterate the content of the reply made by
he
Customer Service on April 9, 2021, which answers your

application. In the part related to data and their interest in knowing if there had been "a
possible crime of data protection", as indicated by the aforementioned
Service
of Customer Service, no type of crime has been committed, given that being you
the
mother of both minors in her capacity as legal representative has the right to

know the information of both, being an involuntary error on the part of the operator
who attended you, by providing the notice for them to contact you, to the office where you appear
opened the account of his daughter D.D.D. and not to the office of his other daughter B.B.B., in which
I was interested.

THIRTEENTH. Figure provided by the claimed the email sent by the

operator to the office ***OFFICE.1, without date, in which he requests that they contact
with the claimant in relation to the account opened in the name of her daughter D.D.D..

FOURTEENTH. The claimant, in a letter of 11/09/2021, reiterates "her REQUEST that the AEPD require from CaixaBank the recordings and transcription of the calls dated 02/25/2021. The AEPD will check in the telephone recordings and their transcription that in my call to Caixabank Customer Service on that day at 10:27 a.m. at no time did I identify myself with my personal ID, and that I only provided the name and ID of my youngest daughter with ID .., so the response provided by Caixabank turns out to be totally inconsistent, since at no moment was the operator able to link my ID with that of my other daughter, since I had never provided it…”


FIFTEENTH. On 03/15/2022, the claimant, at the request of the AEPD, provided copies of recordings of telephone calls made to the Customer Service of Bankia on the number ***TELEPHONE.1, dated 02.25.2021, made from the claimant's mobile number ***PHONE.2. They do not mention any request concerning the account of D.D.D., daughter of the claimant, but information regarding B.B.B., the claimant's youngest daughter.

SIXTEENTH. The cancellation of the "My first account" contract of 01/10/2020, signed by the mother and whose holder was D.D.D., is also provided, and it states:
"In accordance with what was agreed in contract no. ***CONTRACT.3 My first account dated January 8, 2015, the client has requested on January 10, 2020 the cancellation of the same."

SEVENTEENTH. And in a letter dated 05/31/2022, the defendant reported that: “D.D.D. with DNI ***NIF.1 does not currently have any valid product in this Entity. In our systems it appears that she was the holder of a single product, contract number ***CONTRACT.3 (My first account), which was cancelled on January 10, 2020”.

                           FUNDAMENTALS OF LAW

                                           I
       In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

       Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."


                                           II
       The reported facts consist of the absence of a response to the request for access to the data and account information of the minor daughter made by her mother, together with a breach of the security measures for determining the owner of the requested data (since the data of her other daughter's account were provided), which could violate data protection regulations.

       Article 58 of the GDPR, Powers, states:

       "2. Each supervisory authority shall have all of the following corrective powers:
       (…)
       i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;
       (…)”



       In the first place, article 15, Right of access by the data subject, establishes that:

       "1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:

       a) the purposes of the processing;
       b) the categories of personal data concerned;
       c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
       d) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period;
       e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing;
       f) the right to lodge a complaint with a supervisory authority;
       g) where the personal data are not collected from the data subject, any available information as to their source;
       h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

       2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

       3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.

       4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others”.


       Meanwhile, the LOPDGDD, regarding the right of access, provides in its article 13 that:

       "1. The right of access of the affected party shall be exercised in accordance with what is established in article 15 of Regulation (EU) 2016/679.
       When the controller processes a large amount of data relating to the affected party and the latter exercises the right of access without specifying whether it refers to all or part of the data, the controller may ask the affected party, before providing the information, to specify the data or processing activities to which the request refers.

       2. The right of access shall be deemed granted if the controller provides the affected party with a system of remote, direct and secure access to the personal data that permanently guarantees access to all of them. For these purposes, communication by the controller to the affected party of the way in which the latter can access said system shall be enough for the request to exercise the right to be considered fulfilled.
       However, the data subject may request from the controller the information referring to the points provided for in article 15.1 of Regulation (EU) 2016/679 that is not included in the remote access system.

       3. For the purposes established in article 12.5 of Regulation (EU) 2016/679, the exercise of the right of access on more than one occasion during a period of six months may be considered repetitive, unless there is a legitimate cause for it.

       4. When the affected party chooses a means other than the one offered that involves a disproportionate cost, the request shall be considered excessive, so the affected party shall bear the excess costs that this choice entails. In this case, the controller shall only be required to satisfy the right of access without undue delay".


                                           III
       1. In the first place, the defendant alleges defenselessness derived from the setting of the amount of the sanction in the initiation agreement, since the sanctioning body proceeds ab initio to set the amounts of the imputed sanctions, considering that this implies reprehensible conduct because it affects the exercise of its rights.

       It should be noted that the National Court, in its Judgment of 09/12/2022, as the defendant should well know, being the appellant in the contentious-administrative proceedings brought and dismissed, ruled on these and other issues, such as the lack of competence of the person signing the resolution:

       “FOURTH.- Secondly, it advocates the full nullity of the appealed resolution for violation of the appellant's right to effective judicial protection and defense, having established in the initiation agreement, "inaudita parte", the amount of the penalty to be imposed, which ultimately coincides with that contained in the sanctioning resolution. In addition, there is a contamination of the inspection activity by the body competent to resolve, which ab initio shows the examining body the terms to which, in its opinion, the result of the procedure must conform.
       It points out that Law 29/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, does not introduce any novelty in article 64 on the regulatory regime of the agreements to initiate sanctioning proceedings, and that the literal wording of art. 85 does not imply, in its opinion, an authorization to prejudge the case in the initiation agreement, with the consequent breach of the rights of the defendant in the procedure.
       Regarding the determination of the sanction ab initio, the initiation agreement of 7 October 2020 (pages 43 and following of the procedure), in addition to the appointment of the instructor, the list of facts and their classification, indicates in its operative part 4 "THAT for the purposes provided in article 64.2.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), the sanction that could correspond would be an administrative fine of €50,000, without prejudice to what results from the instruction."
       In addition, in its operative part 5, it is agreed to notify the aforementioned agreement to BANKIA S.A., granting it a hearing period of ten business days to formulate allegations and propose the evidence that it deems appropriate, and it is indicated that "In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, it may acknowledge its responsibility within the term granted for the formulation of allegations to the present initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in this procedure (...) In the same way, it may at any time before the resolution of this procedure carry out the voluntary payment of the proposed sanction, in accordance with the provisions of article 85.2 of the LPACAP, which will mean a reduction of 20% of its amount (...). The reduction for the voluntary payment of the sanction is cumulative with the one that corresponds to the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure".
       Well, the aforementioned article 64 establishes in its section 2 that the agreement to initiate procedures of a sanctioning nature must contain, "at least", insofar as is of interest here:
       "b) The facts that motivate the initiation of the procedure, their possible classification and the sanctions that may correspond, without prejudice to what results from the instruction (...)".
       "d) The body competent for the resolution of the procedure (...), indicating the possibility that the alleged perpetrator may voluntarily acknowledge his responsibility, with the effects provided for in article 85".
       That is to say, the record in the initiation agreement of, at least, the facts, their possible classification and the possible sanctions to be imposed, as well as informing, from the start, of the possibility of applying the reductions allowed by article 85 of the LPACAP, which presupposes an initial provisional determination of the sanctions that may correspond, without prejudice to what results from the instruction.
       This indication, referred to in section d) of the aforementioned article 64.2, was not contemplated in the initiation agreement regulated in article 13 of Royal Decree 1398/1993, of August 4, which approves the Rules of Procedure for the Exercise of the Sanctioning Power, repealed by the sole repealing Provision of Law 39/2015.
       For its part, Article 85 LPACAP determines:
       1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that applies.
       2. When the sanction is solely pecuniary in nature, or when a pecuniary penalty and another of a non-pecuniary nature may be imposed but the inappropriateness of the second has been justified, voluntary payment by the presumed perpetrator, at any moment prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the offence.
       3. In both cases, when the sanction is solely pecuniary, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction".
       Thus, in view of the aforementioned precepts and following the criteria of the SAN, Sec. 3, of June 19, 2019 (Rec. 447/2018) in a case similar to the present one: "There is therefore no legal impediment to the initiation agreement containing an initial and provisional specification of the sanction(s) that may correspond to the facts investigated, within those provided by law, which does not imply a reduction in the rights of the person against whom the file is brought, since this is done "without prejudice to what results from the instruction (...)", and this initial and provisional specification, for the sake of speed and efficiency in administrative work, allows voluntary payment from the very moment of the beginning (...). There is no legal basis for understanding that the concretion of the sanction and the operation of voluntary payment cannot take place until the proposed resolution after the corresponding instruction".
       That is, the competence to determine the agreement to start the sanctioning procedure entails the obligation that said agreement must contain all of the circumstances provided for by the applicable regulations, including the provisional determination of the sanction that may correspond, which will be without prejudice to what results from the instruction of the procedure. The instruction of the procedure falls within the competence of the instructor and the secretary, who were designated in operative part 2 of the aforementioned agreement, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP).

       It is therefore up to the interested party, in view of the sanctioning agreement, to request the evidence that it deems appropriate, make allegations, etc., without it being possible to find the existence of defenselessness and assess the alleged violation; besides, the plaintiff has at no time shown its willingness to acknowledge responsibility for the penalized offense and benefit from the effects provided for in article 85 of the LPACAP.”


       2. Secondly, the possible controversy raised in relation to the cancellation of the minor's account carried out by the father without the involvement of the mother, who had her guardianship and custody, is a matter that exceeds the competencies of this management center.


       3. The GDPR allows the rights of access, rectification, objection, erasure ("right to be forgotten"), restriction of processing, portability and not being subject to individualized decisions to be exercised before the data controller.

       If the controller does not process the request, it must inform the data subject of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority if no answer has been obtained.

       In the present case, although the claimant had to address the defendant on numerous occasions so that the right of access to information related to the account of her youngest daughter B.B.B. could be processed, it can be considered, in the light of the proven facts, that the response offered to the claimant on 03/03/2021 was:

       "That in response to the request of the claimant, in which she asks us for information about current and/or cancelled bank accounts of her daughter B.B.B.… in our entity, and having consulted the records held by this branch, we inform her that:
       There is only one registered Child Savings Book, opened in the Entity Banco Mare Nostrum on October 19, 2017 with client account code nº ***CONTRACT.2, whose holder is B.B.B. ..., with ID ..., and whose legal representatives are D.C.C.C. with DNI... and the claimant, with DNI...
       Said account was cancelled while already in Bankia, with account number ***CONTRACT.1, on January 28, 2020 by the legal representative D.C.C.C.
       That the balance resulting from the cancellation amounted to €480.00, an amount that was transferred to a checking account opened in this entity whose ownership corresponds to D.C.C.C.”.

       And also that "The Child Savings Book contract No. ***CONTRACT.2, in which the minor B.B.B. appears and, as representatives, the parents, signed in ***LOCATION.1 on 10/19/2017”.

       On the other hand, as already happened with the bank information related to the minor, the recordings of the two calls made to the SAC by the claimant had to be requested both on 03/01/2021, by the legal representation, and on 03/11/2021 by the claimant, without obtaining a response until 04/09/2021, in a letter in which she was told that the transcription of the same was made available to her:

       "(...)
       In the file of this claim there is a transcript of the calls, which the office ***OFFICE.2 can deliver, if desired.
       (…)”

       Therefore, it has been established that the defendant sent the claimant the information requested in connection with the banking information relating to her minor daughter B.B.B. and, regarding the recordings containing the conversations held with the SAC operator, the transcription of the same was made available; therefore, the exercise of the aforementioned right is considered fulfilled.

       From the foregoing it can be deduced that the defendant has not violated article 15 of the GDPR, an infringement typified in article 83.5 a) of the GDPR.


                                          IV
       Secondly, article 32 of the GDPR, "Security of processing", states that:

       "1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

       a) the pseudonymisation and encryption of personal data;
       b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
       c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
       d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

       2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

       3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

       4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law”.



                                            V
       The violation of article 32 of the GDPR is typified in article 83.4.a) of the aforementioned GDPR in the following terms:

       "4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;
       (…)”

       For its part, the LOPDGDD in its article 73, for the purposes of limitation periods, classifies as "Infringements considered serious":

       "Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in particular the following:

       (…)
       g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures that have been implemented in accordance with what is required by article 32.1 of Regulation (EU) 2016/679”.
       (…)”


       1. The GDPR defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed."

       From the documentation in the file, there are clear indications that the defendant has violated article 32 of the GDPR, a security incident having occurred when the account details of a third party (the claimant's daughter) were provided by telephone without first verifying the identity of the person to whom the data were provided.

       It should be noted that the GDPR, in the aforementioned precept, does not establish a list of the security measures that are applicable according to the data being processed, but establishes that the controller and the processor shall implement technical and organisational measures that are appropriate to the risk entailed by the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned.

       In addition, the security measures must be adequate and proportionate to the risk detected, noting that the determination of the technical and organisational measures must be carried out taking into account: pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.

       In any case, when evaluating the adequacy of the security level, particular account shall be taken of the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to said data, which could cause physical, material or non-material damage.

       In this sense, recital 83 of the GDPR states that:

       "(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, which may in particular lead to physical, material or non-material damage."


       2. As indicated in the previous foundations, from the statements of the claimant and the documentation provided to the file it can be deduced that, after requesting access to her daughter's data without being answered, on 02/25/2021 she called the customer service of the defendant by telephone reiterating her request for information; the acting operator informed her that the account was cancelled and sent an e-mail to the coordination department so that they could contact the claimant and offer her information in this regard; and that same day the claimant received a call from the director of an office other than the one to which the account was assigned, providing her with information about another of her daughters, without requesting any proof of her identity.

       The infringed precept establishes how the security of processing is to be ensured in relation to the specific security measures that must be implemented, in such a way that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which includes, among other matters, guaranteeing that, when data relating to a person are requested, the data to which access is given coincide with and are those relating to that person as their owner, and not those corresponding to a third person, even if that third person is also the daughter of the claimant and has an account opened in the same entity.

       The defendant itself, in its letter of 07/29/2021, acknowledges the infringement committed, stating that: "In relation to your request we reiterate the content of the response given by the Customer Service Department on April 9, 2021, which responds to your request. As regards the data and your interest in knowing whether there had been a "possible data protection crime", as indicated to you by the aforementioned Customer Service, no crime of any kind has been committed, since you, being the mother of both minors, in your capacity as legal representative have the right to know the information of both, there being an involuntary error on the part of the operator who attended you, who sent the notice so that you would be contacted to the office where the account of your daughter D.D.D. was opened and not to the office of your other daughter B.B.B., in whom you were interested.”

       And in the recordings that were finally sent at the request of the inspector, it is not recorded, on hearing them, that the claimant requested or was to be provided any information about her daughter D.D.D., since the information in which she was interested had to do with the account of her other daughter B.B.B., of whom she had guardianship and custody; information that had been requested both in previous and in later letters.

       The defendant has argued that a human error cannot be converted into a security breach, since the claimant accessed data that she had a legitimate right to access, although they were not what she had requested.


       However, it is not a matter of turning an error into a security incident; rather, the protocol, procedure, system or measures established by the defendant have failed, allowing access to third-party data that had not been requested by the claimant.

       3. The liability of the defendant is determined by the breach of security reported by the claimant, since it is responsible for taking the decisions aimed at effectively implementing the appropriate technical and organisational measures to guarantee a level of security appropriate to the risk, so as to ensure the confidentiality of the data, restore their availability and prevent access to them in the event of a physical or technical incident.
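The failure the Agency describes above is a procedural one: the operator started from the caller rather than from the data subject named in the request, and the callback released records without any identity check. The following Python module is an added example and is not part of the AEPD decision or of the bank's own systems. It shows the weak lookup beside a hardened access-request handler that refuses to release anything until the caller's identity has been verified, checks that the verified caller is a registered legal representative of the specific subject named in the request, returns only that subject's records, and writes an audit line binding requester, subject and released records. All identifiers, contract numbers, branch names and the representation table are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Account:
    contract: str                 # contract number (constructed placeholder)
    holder_id: str                # identifier of the account holder, here a minor
    branch: str                   # branch where the account was opened
    cancelled_on: Optional[str] = None


@dataclass(frozen=True)
class CallerSession:
    """What the operator knows about the person on the line."""
    caller_id: Optional[str]      # identifier the caller gave, or None
    verified: bool                # True only after the identity check passed


class AccessDenied(Exception):
    """Raised when a request must not be fulfilled on this channel."""


# Constructed sample data; these identifiers are hypothetical and are not
# taken from the AEPD file.
ACCOUNTS: List[Account] = [
    Account("CT-0001", "MINOR-B", "BRANCH-2", cancelled_on="2020-01-28"),
    Account("CT-0002", "MINOR-D", "BRANCH-1", cancelled_on="2020-01-10"),
    Account("CT-0003", "OTHER-1", "BRANCH-1"),
]

# Holder identifier -> identifiers of the persons entitled to act for that
# holder (legal representatives). A parent of two minors appears under both.
REPRESENTATIVES: Dict[str, Set[str]] = {
    "MINOR-B": {"PARENT-1", "PARENT-2"},
    "MINOR-D": {"PARENT-1", "PARENT-2"},
    "OTHER-1": {"PARENT-3"},
}


def accounts_where_representative(rep_id: str) -> List[Account]:
    """The pattern that failed in the case: start from the caller, list every
    account the caller may act for, and forward that to a branch. Nothing ties
    the result to the subject the caller actually asked about, so a sibling's
    account can be the one that gets answered."""
    return [a for a in ACCOUNTS if rep_id in REPRESENTATIVES.get(a.holder_id, set())]


def fulfil_access_request(session: CallerSession, subject_id: str) -> List[Account]:
    """Hardened flow: verify the caller, check that the caller may act for the
    named subject, and return only that subject's records."""
    if not session.verified or session.caller_id is None:
        raise AccessDenied("caller identity not verified; take the request in "
                           "writing or call back on the registered channel")
    entitled: Set[str] = REPRESENTATIVES.get(subject_id, set())
    if session.caller_id not in entitled:
        raise AccessDenied(f"{session.caller_id} may not receive data about {subject_id}")
    # Filter on the requested subject, never on the caller: a parent of two
    # children must receive only the child they asked about.
    return [a for a in ACCOUNTS if a.holder_id == subject_id]


def audit_line(session: CallerSession, subject_id: str, released: List[Account]) -> str:
    """One log line per request recording who asked, about whom, and what left
    the system; this is what lets the controller later demonstrate (or detect)
    a mismatch between the subject requested and the records released."""
    contracts = ",".join(a.contract for a in released) or "-"
    return (f"dsar caller={session.caller_id} verified={session.verified} "
            f"subject={subject_id} released={contracts}")


if __name__ == "__main__":
    parent = CallerSession(caller_id="PARENT-1", verified=True)
    print("weak lookup:", [a.contract for a in accounts_where_representative("PARENT-1")])
    released = fulfil_access_request(parent, "MINOR-B")
    print(audit_line(parent, "MINOR-B", released))
    try:
        fulfil_access_request(CallerSession(caller_id=None, verified=False), "MINOR-B")
    except AccessDenied as exc:
        print("refused:", exc)
```

The weak lookup returns both children's accounts for the same parent, which is exactly the ambiguity that let the wrong branch answer; the hardened handler cannot return a record whose holder differs from the subject in the request, and an unverified caller gets nothing regardless of entitlement.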

       4. In a brief of allegations to the Proposal, the defendant insists that the
has infringed article 32.1 of the GDPR and that it has not occurred in any case

filtration or improper access to the data and that in this sense the sentence of the T.S. of
02/15/2022 clearly establishes that the obligation imposed by article 32 of
adopt technical and organizational measures aimed at guaranteeing confidentiality
it is an obligation of means and not of results.

       However, the defendant himself in his brief maintains that there was an error in

management by giving the claimant documentation different from that requested.

       On the other hand, it is true that the Supreme Court states in its judgment that: "The
obligation to adopt the measures necessary to guarantee the security of the data cannot
be considered an obligation of result, which would imply that, once a leak of personal
data to a third party has occurred, liability arises regardless of the measures adopted
and the activity carried out by the controller of the file or processing.
       In obligations of result there is a commitment consisting of the fulfilment of a
certain objective, ensuring the achievement of the proposed result, in this case
guaranteeing the security of personal data and the absence of security leaks or breaches.
       In obligations of means, the commitment undertaken is to adopt technical and
organisational means, and to deploy diligent activity in their implementation and use,
tending to achieve the expected result with means that can reasonably be classified as
suitable and sufficient for its achievement; for this reason they are called obligations
"of diligence" or "of conduct".
       The difference lies in the liability in each case, because whereas the obligation
of result answers for a harmful result arising from the failure of the security system,
whatever its cause and the diligence employed, in the obligation of means it is
sufficient to establish technically appropriate measures and to implement and use them
with reasonable diligence.
       In the latter, the sufficiency of the security measures that the controller must
establish has to be related to the state of the art at any given time and to the level
of protection required in relation to the data processed, but a result is not
guaranteed."


       But it is also true that the Court confirms that designing the necessary technical
and organisational means is not enough, since their correct implementation and proper use
are also required.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/23
       Therefore, in accordance with the foregoing, the defendant is considered responsible
for the infringement of Article 32.1 GDPR, an infringement typified in Article 83.4(a)
thereof.

                                            VI
       In order to set the administrative fine to be imposed, the provisions of Articles
83.1 and 83.2 GDPR must be observed, which state:


       "1. Each supervisory authority shall ensure that the imposition of administrative
fines pursuant to this Article in respect of infringements of this Regulation referred to
in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and
dissuasive.


       2. Administrative fines shall, depending on the circumstances of each individual
case, be imposed in addition to, or instead of, the measures referred to in points (a) to
(h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and
deciding on its amount in each individual case, due regard shall be given to the following:


       a) the nature, gravity and duration of the infringement, taking into account the
       nature, scope or purpose of the processing concerned as well as the number of
       data subjects affected and the level of damage suffered by them;
       b) the intentional or negligent character of the infringement;
       c) any action taken by the controller or processor to mitigate the damage
       suffered by data subjects;
       d) the degree of responsibility of the controller or processor, taking into
       account the technical and organisational measures implemented by them pursuant
       to Articles 25 and 32;
       e) any relevant previous infringements by the controller or processor;
       f) the degree of cooperation with the supervisory authority in order to remedy
       the infringement and mitigate its possible adverse effects;
       g) the categories of personal data affected by the infringement;
       h) the manner in which the infringement became known to the supervisory
       authority, in particular whether, and if so to what extent, the controller or
       processor notified the infringement;
       i) where measures referred to in Article 58(2) have previously been ordered
       against the controller or processor concerned with regard to the same
       subject-matter, compliance with those measures;
       j) adherence to approved codes of conduct pursuant to Article 40 or approved
       certification mechanisms pursuant to Article 42; and
       k) any other aggravating or mitigating factor applicable to the circumstances of
       the case, such as financial benefits gained, or losses avoided, directly or
       indirectly, from the infringement."


       In relation to letter k) of Article 83.2 GDPR, Article 76 of the LOPDGDD,
"Sanctions and corrective measures", establishes that:


       "2. In accordance with Article 83.2(k) of Regulation (EU) 2016/679, the following
may also be taken into account:

       a) The continuing nature of the infringement.
       b) The link between the offender's activity and the processing of personal data.
       c) The benefits obtained as a consequence of committing the infringement.
       d) The possibility that the conduct of the data subject may have induced the
       commission of the infringement.
       e) The existence of a merger by absorption after the commission of the
       infringement, which cannot be attributed to the absorbing entity.
       f) The effect on the rights of minors.
       g) Having a data protection officer where this is not mandatory.
       h) The voluntary submission by the controller or processor to alternative dispute
       resolution mechanisms in cases where there are disputes between them and any
       data subject."

       - In accordance with the provisions transcribed, for the purpose of setting the
amount of the fine to be imposed in the present case for the infringement of Article 32.1
GDPR, typified in Article 83.4(a) GDPR, for which the defendant is held responsible, the
following factors are considered, in an initial assessment, to concur as aggravating
circumstances:


       The nature, seriousness and duration of the infringement: the facts disclosed
manifestly and seriously affect a fundamental matter in terms of data protection, namely
the establishment of necessary and adequate technical and organisational measures, the
violation of which is classified as serious. It is obvious that the technical and
organisational measures implemented affect the security of the processing, since data
relating to one person, a minor, were requested, and the bank ended up providing and
allowing access to data of a different person, the sister of the former, about whom no
information had been requested.

       As previously indicated, the data of minors has been affected (Article 83.2(g)
GDPR).


       The activity of the allegedly infringing entity is linked to the processing of
personal data of both clients and third parties. In the activity of the defendant, the
processing of personal data is essential; therefore, given the company's volume of
business, the significance of the conduct that is the subject of this claim is undeniable
(Article 76.2(b) LOPDGDD in relation to Article 83.2(k) GDPR).

       The intentionality or negligence in the infringement: the defendant acted with a
serious lack of diligence by allowing access to data that had not been requested. In
connection with the degree of diligence that a controller is obliged to deploy in
complying with the obligations imposed by data protection legislation, the judgment of
the Audiencia Nacional (SAN) of 17 October 2007 can be cited. Although it was issued
before the GDPR entered into force, its reasoning can be extrapolated perfectly to the
case under analysis. That ruling, after noting that entities whose activity entails the
continuous processing of data of clients and third parties must observe an adequate level
of diligence, specified that "(...) the Supreme Court has held that there is imprudence
whenever a legal duty of care is neglected, that is, when the offender does not behave
with the required diligence. In assessing the degree of diligence, the professional or
non-professional nature of the subject must especially be considered, and there is no
doubt that, in the case now examined, when the appellant's activity involves the constant
and copious handling of personal data, rigour and exquisite care in complying with the
legal provisions in this regard must be insisted upon" (Article 83.2(b) GDPR).

       Volume of business or activity of the entity, since it is one of the three leading
financial institutions in the national market, with a net profit in the financial years
2021 and 2022 of 4,801 and 3,145 million euros respectively (Article 83.2(k) GDPR).

       As mitigating circumstances:

        - The existence of a merger by absorption after the commission of the
infringement, which cannot be attributed to the absorbing entity. On 25 March 2021 the
deed of merger by absorption of Bankia (absorbed entity) by Caixabank (absorbing entity)
was executed, with the extinction of the former and the block transfer, by universal
succession, of all its assets, liabilities, rights and obligations.

       In accordance with these factors, it is deemed appropriate to impose on the
defendant a fine of 25,000 euros.

                                          IX
       The corrective powers that the GDPR attributes to the AEPD as supervisory authority
are listed in Article 58.2, letters a) to j).


       Article 83.5 GDPR establishes the sanction of an administrative fine (Article
58.2(i)) for the conducts typified therein, without prejudice to the fact that, as
provided in Article 83.2 GDPR, administrative fines may be imposed together with the
other corrective measures provided for in Article 58.2 GDPR.


       Having confirmed the infringement, it is appropriate to order the controller to
adopt appropriate measures to bring its conduct into line with the regulations referred
to in this act, in accordance with the aforementioned Article 58.2(d) GDPR, under which
each supervisory authority may "d) order the controller or processor to bring processing
operations into compliance with the provisions of this Regulation, where appropriate, in
a specified manner and within a specified period".



       In the present case, the defendant is required, within one month from notification
of this resolution, to:

       - Accredit the adoption of adequate measures to prevent, in the future, incidents
such as those that led to the opening of this sanctioning procedure, avoiding security
incidents such as the one referred to here, in which documentation of a third party about
whom no information had been requested was provided.


       It is noted that failure to comply with this requirement may be considered an
administrative infringement under the GDPR, typified as an infringement in Articles 83.5
and 83.6 thereof, and such conduct may lead to the opening of a subsequent administrative
sanctioning procedure.

       Therefore, in accordance with the applicable legislation and having assessed the
criteria for grading sanctions whose existence has been accredited,

       The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON CAIXABANK S.A., with NIF A08663619, for an infringement of Article
32.1 GDPR typified in Article 83.4(a) GDPR, a fine of €25,000 (twenty-five thousand
euros).

SECOND: TO NOTIFY this resolution to CAIXABANK S.A.


THIRD: To warn the sanctioned entity that it must pay the fine imposed once this
resolution becomes enforceable, in accordance with Article 98.1(b) of Law 39/2015, of
1 October, on the Common Administrative Procedure of Public Administrations (hereinafter
LPACAP), within the voluntary payment period established in Article 68 of the General
Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to
Article 62 of Law 58/2003, of 17 December, by paying it, indicating the NIF of the
sanctioned entity and the procedure number that appears in the heading of this document,
into the restricted account with IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT
code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the bank
CAIXABANK, S.A. Otherwise, collection will proceed in the enforcement period.

       Once notification has been received and the resolution becomes enforceable, if the
date on which it becomes enforceable falls between the 1st and the 15th of the month, both
inclusive, the deadline for voluntary payment is the 20th of the following month or the
next business day thereafter; if it falls between the 16th and the last day of the month,
both inclusive, the payment deadline is the 5th of the second following month or the next
business day thereafter.


       In accordance with Article 50 of the LOPDGDD, this Resolution will be made public
once it has been notified to the interested parties.


       Against this resolution, which puts an end to the administrative procedure in
accordance with Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the
LPACAP, the interested parties may optionally lodge an appeal for reconsideration before
the Director of the Spanish Data Protection Agency within one month from the day
following notification of this resolution, or directly a contentious-administrative
appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in
accordance with Article 25 and paragraph 5 of the fourth additional provision of Law
29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two
months from the day following notification of this act, as provided for in Article 46.1
of that Law.


       Finally, it is noted that, in accordance with Article 90.3(a) of the LPACAP, the
final resolution may be provisionally suspended in administrative proceedings if the
interested party expresses its intention to lodge a contentious-administrative appeal.
If so, the interested party must formally communicate this fact in writing to the
Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry
[https://sedeagpd.gob.es/sede-electronica-web/] or through any of the other registries
provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must
also send the Agency the documentation proving that the contentious-administrative
appeal has actually been lodged. If the Agency is not made aware of the lodging of the
contentious-administrative appeal within two months from the day following notification
of this resolution, the provisional suspension will end.



                                                                      Mar España Martí
                              Director of the Spanish Data Protection Agency