AEPD - PS/00068/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR 20 of the Spanish Law on Personal Data Protection and Guarantee of the Digital Rights (LOPDGDD) |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 20.07.2020 |
Fine: | 18.000 |
Parties: | Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) |
National Case Number/Name: | PS/00068/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
20 July 2020 - The Spanish Data Protection Agency (AEPD) decided to early finish the sanction procedure against Banco Bilbao Vizcaya Argentaria, S.A. (the defendant) for the infringement of Article 6(1) of the GDPR, as the defendant agreed to an early and guilty voluntary payment of the corresponding part (18,000 €) of the fine suggested by the AEPD (30,000 €).
English Summary
Facts
The decision is the consequence of a sanction procedure started by the AEPD against the defendant due to a complaint submitted by a Spanish citizen stating that the defendant had unlawfully checked his/her personal data at the Equifax debtors list, as there was no previous contract relationship between the defendant and the claimant. The complaint included the answer of Equifax to the right of access exercised by the Spanish citizen, proving that the defendant had checked his/her personal data.
Dispute
The defendant answered to the AEPD investigation requests stating that there was a contract relationship with the claimant: in 1993, the claimant appeared as "authorized person" in a contract for the obtainment of a shopping centre commercial card, and in 1998 the claimant had also subscribed a loan agreement with the defendant. The AEPD started the corresponding investigation procedure, and it determined that (i) the claimant did not appear as a party to the commercial card contract, but as an "authorized person", (ii) the defendant did not have any copy of the loan agreement subscribed with the claimant, (iii) against the claim of the claimant before the Bank of Spain, the defendant stated that the claimant did not appear anymore as "authorized person", and it blocked his/her personal data, (iv) the loan agreement was cancelled in 1999 and the commercial card contract was cancelled in 2019, as the claimant did not acknowledge any relation with such, (v) the defendant declared that the only reason in order to check the claimant's personal data at the debtors list of Equifax was to "guarantee the best resolution" for the claim, always acting under its internal contracting policies and respecting the law. The AEPD started the corresponding sanction procedure.
Holding
Without prejudice to the results of the final investigations corresponding to the sanction procedure, the AEPD understood that the defendant could have breached the lawfulness of processing principle as per article 6(1) GDPR, as well as article 20 of the Spanish Law on Personal Data Protection and Guarantee of Digital Rights (debtors data can only be checked as long as the checking party has a contract relationship with the debtor implying the payment of any amount): on the basis of the available evidences, the defendant did not take the due diligences to avoid such situation, and it did not prove the lawfulness of the data processing. Consequently, after considering some aggravating circumstances [(i) there is a negligence/intentionality by the defendant, and (iii) basic personal data have been affected], the AEPD understood that, in case the sanction procedure resulted in a successful decision, this infringement would be fined with 30,000 € to the defendant. In this sense, the AEPD offered the defendant the possibility to settle the issue before the decision takes place by agreeing to a voluntary payment of part of the fine with two possible discounts: (i) acknowledging of its liability (24,000 €) and early voluntary payment (18,000 €). The defendant agreed to both concepts, so it paid 18,000 € and the sanction procedure was closed by the AEPD.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/13936-031219 Procedure No.: PS / 00068/2020RESOLUTION R / 00279/2020 OF TERMINATION OF THE PAYMENT PROCEDUREVOLUNTARYIn the sanctioning procedure PS / 00068/2020, instructed by the AgencySpanish Data Protection to BANCO BILBAO VIZCAYA ARGENTARIA, SA ,having regard to the complaint filed by AAA , and based on the following,BACKGROUNDFIRST: On March 12, 2020, the Director of the Spanish Agency forData Protection agreed to initiate sanctioning procedure to BANCO BILBAOVIZCAYA ARGENTARIA, SA (hereinafter, the claimed), through the Agreement thatis transcribed:<<Procedure No.: PS / 00068/2020935-240719PENALTY PROCEDURE STARTING AGREEMENTOf the actions carried out by the Spanish Agency for the Protection ofData and based on the following:ACTSFIRST: D. AAA (hereinafter, the claimant) dated September 17,2019 filed a claim with the Spanish Agency for Data Protection. Theclaim is directed against Banco Bilbao Vizcaya Argentaria, SA with NIFA48265169 (hereinafter “BBVA”).The complaint states that the BBVA financial institution has consultedyour data in the Asnef and Badexcug files without any contractual relationshipC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 2 2/13prior with them.Attached to the claim is Equifax and Experian's answer to the right ofaccess exercised by the claimant dated September 16, 2019, where it appearsin the history of consultations, of the last six months, that the BBVA entity made aConsultation dated September 6, 2019.SECOND: In view of the facts reported in the claim and thedocuments provided by the claimant and the facts and documents of which it hasThis Agency, the General Sub-Directorate for Data Inspection, had knowledgeproceeded to carry out preliminary investigation actions for theclarification of the facts in question, under the powers of investigationgranted to supervisory authorities in article 57.1 of Regulation (EU)2016/679 (General Data Protection Regulation, hereinafter RGPD), andpursuant to the provisions of Title VII, Chapter I, Second Section, of the LawOrganic 3/2018, of December 5, Protection of Personal Data and guarantee ofdigital rights (hereinafter LOPDGDD).As a result of the investigation actions carried out, it is foundthat the data controller is BBVA.Also, the following points are found:On November 26, 2019, BBVA states that the facts that havemotivated this claim are:1.- “ On January 30, 2019, BBVA sent the AEPD the communication that on 29January 2019, the entity sent the claimant in writing, communicating, betweenother things, that on February 19, 1998 you signed a Loan policy withArgentaria, currently BBVA, and on February 12, 1993 a contract was signedPrecious Galleries Card in which you intervene as a PersonAuthorized ”. Said brief is provided.2.- As the claimant did not agree with the contractscited, requested information and documentation in this regard. The Customer ServiceC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 3 3/13BBVA client, told him that they were looking for the loan contract, whichuntil then it had not been located, and as for the card contractGalleries Preciados, where the claimant was listed as authorized and not the owner, theCustomer Service asked you to provide your representation in order toattend to your claim. This document is attached.3.- In addition, before the claim filed by the claimant before the Bank ofSpain. BBVA, presented a statement of allegations proving that it was no longer listed asperson authorized in the card contract and blocking the personal data of thecomplainant. Said writings are provided.4.- In relation to the claim filed with the AEPD, they state that theSeptember 27, 1999 the loan agreement was canceled and on September 18In 2019, the Galerías Preciados Card contract was canceled, since the claimant did notacknowledged having any relation to this last contract.5.- They add that, “after analyzing the specific case, it has been verified that onSeptember 2019 BBVA consulted the personal data of the claimant in thefinancial solvency and credit information files in order to guarantee thebetter resolution of the claims presented to the Entity by the claimant.Consequently, since until September 18, 2019, the claimantmaintained a contractual relationship with BBVA, consulting the information filesof capital solvency and credit was carried out within the operating marginsusual contractual, and within and within the strictest legislation in force " .FUNDAMENTALS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,The Director of the Spanish Agency for Data Protection is competent to initiateand to solve this procedure.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/13IIArticle 58 of the RGPD, " Powers ", says:"2 Each supervisory authority shall have all the following powerscorrective indicated below:(…)b) sanction any person responsible or responsible for the treatment with warningwhen the processing operations have violated the provisions of thisRegulation;(...)d) order the data controller or processor that the operations oftreatment complies with the provisions of this Regulation, where appropriate,in a certain way and within a specified period.(…)i) impose an administrative fine pursuant to article 83, in addition to or instead ofmeasures mentioned in this section, depending on the circumstances of the caseparticular(…) ”IIIThe RGPD deals in its article 5 with the principles that must govern thetreatment of personal data and mentions among them that of " legality, loyalty andtransparency". The precept provides:"1 . The personal data will be:a) Treated in a lawful, loyal and transparent manner in relation to theinterested (<< legality, loyalty and transparency >>); ”Article 6 of the RGPD, “ Lawfulness of treatment ”, details in its section 1 theAssumptions in which the processing of third-party data is considered lawful:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 5 5/13"one. The treatment will only be lawful if at least one of the following is metterms:a) the interested party gave their consent for the processing of their datapersonal for one or more specific purposes;b) the treatment is necessary for the execution of a contract in which theinterested party or for the application at the request of this measurespre-contractual;(…) ”The infringement for which the claimed entity is responsible is foundtypified in article 83 of the RGPD that, under the heading " General conditions forthe imposition of administrative fines ”, states:"5 . Violations of the following provisions will be sanctioned, in accordancewith paragraph 2, with administrative fines of maximum EUR 20,000,000 or,In the case of a company, an amount equivalent to a maximum of 4% of thetotal global annual turnover of the previous financial year, opting forthe largest amount:a) The basic principles for treatment, including conditions forconsent pursuant to articles 5,6,7 and 9. "Organic Law 3/2018, on the Protection of Personal Data and Guarantee ofDigital Rights (LOPDGDD) in its article 72, under the heading “ Infractionsconsidered very serious ” states:"one. In accordance with the provisions of article 83.5 of Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned therein and, inIn particular, the following:(…)b) The processing of personal data without any of theconditions of lawfulness of the treatment established in article 6 of theRegulation (EU) 2016/679. ”C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 6 6/13IVThe documentation in the file provides evidence that BBVA,violated article 6.1 of the RGPD.Likewise, article 20 of the LOPDGDD, provides in its section e) “that thedata referring to a specific debtor can only be consulted whenWhoever consults the system maintains a contractual relationship with the affected party whoinvolves the payment of a monetary amount or this would have requested the celebrationof a contract involving financing, deferred payment or periodic invoicing such asit happens, among other cases, in those provided for in the legislation ofconsumer credit and real estate credit contracts ” .Therefore, according to the above, in order to consult the data it is necessary tothat the interested party has hired or requested the hiring, which is not the case.The record shows that the claimant intervenes as a PersonAuthorized; and in this sense it does not sign any contract with the entity.Based on the above, in the case analyzed, it is questionedthe diligence used by BBVA.The Administrative Litigation Chamber of the National Court, inassumptions such as the one presented here, has considered that when the owner of thedata denies the hiring the burden of proof corresponds to those who affirm theirexistence and the person responsible for the data processing of third parties must collect andkeep the necessary documentation to prove the owner's consent.We cite, for all, the SAN of 05/31/2006 (Rec. 539/2004), Law FoundationFourth.However, and this is the essential, BBVA does not accredit the legitimacy for thetreatment of the claimant's data.Respect for the principle of legality that is at the core of the fundamental rightof personal data protection requires that it be proven that theresponsible for the treatment deployed the essential diligence to prove thatextreme. If this Agency does not act like this - and this Agency does not demand it, who is responsible for ensuringfor compliance with the regulatory regulations of the data protection right ofpersonal character - the result would be to empty the principle of lawfulness of content.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 7 7/13VIn order to determine the administrative fine to be imposed, theprovisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate :"Each supervisory authority will guarantee that the imposition of finesadministrative under this article for violations of thisRegulations indicated in sections 4, 9 and 6 are in each individual caseeffective, proportionate and dissuasive. "" Administrative fines will be imposed, depending on the circumstances ofeach individual case, as an additional or substitute for the measures contemplated in theArticle 58, paragraph 2, letters a) to h) and j). In deciding the imposition of a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, seriousness and duration of the offense, taking into account thenature, scope or purpose of the treatment operation in questionas well as the number of affected parties and the level of damages anddamages they have suffered;b) the intent or negligence of the infraction;c) any action taken by the controller or processorto mitigate the damages suffered by the interested parties;d) the degree of responsibility of the person in charge or the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied under articles 25 and 32;e) any previous infraction committed by the person in charge or the person in charge of thetreatment;f) the degree of cooperation with the supervisory authority in order to putremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority became aware of the infringement,in particular if the person in charge or the person in charge notified the infraction and, in suchcase, to what extent;i) when the measures indicated in Article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanismsof certification approved in accordance with article 42, andC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 8 8/13k) any other aggravating or mitigating factor applicable to the circumstances of thecase, such as financial benefits obtained or losses avoided, director indirectly, through the infringement. "Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76," Sanctions and corrective measures" provides:"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679The following may also be taken into account:a) The continued nature of the offense.b) The link of the activity of the offender with the performance of data processingpersonal.c) The benefits obtained as a consequence of the commission of the infraction.d) The possibility that the conduct of the affected party could have induced the commission ofthe offense.e) The existence of a merger by absorption process subsequent to the commission of theinfringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) Have, when not required, a data protection officer.h) The submission by the person responsible or in charge, on a voluntary basis, toalternative dispute resolution mechanisms, in those cases in whichthere are controversies between those and any interested party. ”In accordance with the precepts transcribed, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the fine sanction to imposein the present case, the claimed party is considered responsible for an infringementtypified in article 83.5.a) of the RGPD , in an initial assessment, they are considered concurrentthe following factors.As aggravating the following:-The intent or negligence of the offense (article 83.2 b).-Basic personal identifiers (name, surname, NIF) are affected(article 83.2 g).That is why it is considered appropriate to graduate the sanction to be imposed on the claimed andfix it at the amount of € 30,000 for the violation of article 6.1 of the RGPD.Therefore, in light of the above,C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 9 9/13By the Director of the Spanish Agency for Data Protection,HE REMEMBERS:1. INITIATE SANCTIONING PROCEDURE at Banco Bilbao VizcayaArgentaria, SA with NIF A48265169, for the alleged violation of the article6.1. of the RGPD, in relation to article 20 e) of the LOPDGDD, typifiedin article 83.5.a) of the aforementioned GDPR.2. TO appoint D. BBB as instructor and Dña. CCC as secretary ,indicating that any of them may be challenged, if applicable,in accordance with the provisions of articles 23 and 24 of Law 40/2015, of 1October, Legal Regime of the Public Sector (LRJSP).3. INCORPORATE into the sanctioning file, for evidentiary purposes, theclaim filed by the claimant and its attached documentation, theinformation requirements that the General Inspection Subdirectorate ofData sent to the entity claimed in the preliminary investigation phase andtheir respective acknowledgments of receipt.4. THAT for the purposes provided in art. 64.2 b) of law 39/2015, of 1 ofOctober, of the Common Administrative Procedure of the AdministrationsPublic, the sanction that could correspond would be 30,000 euros(thirty thousand euros), without prejudice to what results from the instruction.5. NOTIFY this agreement to Banco Bilbao Vizcaya Argentaria, SAwith NIF A48265169, granting it a hearing period of ten daysable to formulate the allegations and present the evidence thatconsider convenient. In your brief of allegations you must provide yourNIF and the procedure number that appears in the heading of thisdocument.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 10 10/13If, within the stipulated period, no allegations are made to this initial agreement, the samemay be considered a resolution proposal, as established in the article64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure ofPublic Administrations (hereinafter, LPACAP).In accordance with the provisions of article 85 of the LPACAP, in the event that thesanction to impose were a fine, you can recognize your responsibility within theterm granted for the formulation of allegations to this initial agreement; thewhich will entail a reduction of 20% of the sanction to be imposed inthe present procedure. With the application of this reduction, the sanction would remainestablished at 24,000 euros, resolving the procedure with the imposition of thissanction.In the same way, you may, at any time prior to the resolution of thisprocedure, carry out the voluntary payment of the proposed sanction, whichIt will mean a reduction of 20% of its amount. With the application of this reduction,the sanction would be established at 24,000 euros and its payment will imply the termination of theprocess.The reduction for the voluntary payment of the sanction is cumulative to the one that correspondsapply for the acknowledgment of responsibility, provided that this acknowledgmentof the responsibility is revealed within the term granted to formulateallegations to the opening of the procedure. Voluntary payment of the referred amountin the previous paragraph it may be done at any time prior to the resolution. InIn this case, if both reductions were to apply, the amount of the sanction would beestablished at 18,000 euros.In any case, the effectiveness of any of the two mentioned reductions will beconditioned to the withdrawal or resignation of any action or resource in processadministrative against the sanction.In the event that you choose to proceed to the voluntary payment of any of the amountspreviously indicated, 24,000 euros or 18,000 euros, must make it effectiveby entering the account number ES00 0000 0000 0000 0000 0000 opened atname of the Spanish Agency for Data Protection in the CAIXABANK Bank,SA, indicating in the concept the reference number of the procedure that appears inC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 11 11/13the heading of this document and the reason for reducing the amount to whichwelcomes.Likewise, you must send the proof of income to the General Subdirectorate ofInspection to continue the procedure in accordance with the quantityentered.The procedure will have a maximum duration of nine months from thedate of the initiation agreement or, if applicable, the draft initiation agreement.After this period will expire and, consequently, the file ofperformances; in accordance with the provisions of article 64 of the LOPDGDD.Finally, it is pointed out that pursuant to the provisions of article 112.1 of the LPACAP,There is no administrative appeal against this act. Mar España Martí Director of the Spanish Agency for Data Protection>>C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 12 12/13SECOND : On June 18, 2020, the requested party has paid thesanction in the amount of 18,000 euros making use of the two planned reductionsin the Initiation Agreement transcribed above, which implies the recognition of theresponsibility.THIRD : The payment made, within the period granted to make allegations tothe opening of the procedure, implies the renunciation of any action or recourse in processadministrative against the sanction and the recognition of responsibility in relation tothe facts referred to in the Home Agreement.FUNDAMENTALS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to each authority ofcontrol, and as established in art. 47 of Organic Law 3/2018, of 5 ofDecember, on Personal Data Protection and guarantee of digital rights (inhereinafter LOPDGDD), the Director of the Spanish Agency for Data Protectionis competent to sanction the infractions that are committed against saidRegulation; infractions of article 48 of Law 9/2014, of May 9, GeneralTelecommunications (hereinafter LGT), in accordance with the provisions of thearticle 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and38.4 d), g) and h) of Law 34/2002, of July 11, on services of the society of theinformation and electronic commerce (hereinafter LSSI), as provided in the article43.1 of said Law.IIArticle 85 of Law 39/2015, of October 1, of the Administrative ProcedureCommon of Public Administrations (hereinafter, LPACAP), under the heading" Termination in sanctioning procedures " provides the following:"one. Initiated a sanctioning procedure, if the offender acknowledges hisresponsibility, the procedure may be resolved with the imposition of the sanctionthat proceed.2. When the sanction is solely pecuniary or fitsimpose a pecuniary and a non-pecuniary sanction but it has been justifiedthe inadmissibility of the second, the voluntary payment by the alleged responsible, inany time prior to the resolution, will imply the termination of the procedure,except with regard to the replacement of the altered situation or the determination of thecompensation for the damages caused by the commission of the offense.3. In both cases, when the sanction is solely pecuniary in nature,the competent body to resolve the procedure will apply reductions of, toless, 20% on the amount of the proposed sanction, these being cumulativeeach. The aforementioned reductions must be determined in the notification ofinitiation of the procedure and its effectiveness will be conditioned to the withdrawal orwaiver of any administrative action or recourse against the sanction.The reduction percentage provided in this section may be increasedby regulation.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 13 13/13According to what was stated,the Director of the Spanish Agency for Data Protection RESOLVES :FIRST: DECLARE the termination of procedure PS / 00068/2020 , ofin accordance with the provisions of article 85 of the LPACAP.SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYAARGENTARIA, SA .In accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once the interested parties have been notified.Against this resolution, which ends the administrative procedure as prescribed bythe art. 114.1.c) of Law 39/2015, of October 1, of the Administrative ProcedureCommon of Public Administrations, interested parties may file an appealadministrative litigation before the Contentious-administrative Chamber of theNational Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-Administrative Jurisdiction, within a period of two months fromday after notification of this act, as provided in article 46.1 of thereferred Law. Mar España Martí Director of the Spanish Agency for Data Protection