AEPD - PS/00335/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 02.02.2021 |
Fine: | 5.000 EUR |
Parties: | IDFINANCE SPAIN, S.L. |
National Case Number/Name: | PS/00335/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | CSO |
The Spanish DPA (AEPD) has sanctioned the fintech IDFINANCE SPAIN, S.L. for failing to comply with Article 5(1)(f) and Article 32 GDPR. The initial sanction for infringing Article 5(1)(f) was a fine of €5000 and a warning for the breach of Article 32. However, the AEPD closed the proceedings due to the voluntary and early payment of €3000.
English Summary
Facts
The respondent company sent an e-mail to the claimant requesting the return of a credit. To facilitate payment, the email included a link. When the complainant clicked on the link, he had access to another customer's personal data, not his own. Specifically, the complainant was able to see the other customer's personal identification, location, financial and contractual data.
Dispute
The claim is based on the alleged security breach in the respondent's systems and the consequent violation of the principle of confidentiality in the processing of personal data by the data controller. In this regard, the respondent alleged that it did not know how the claimant could have received the link by e-mail, since it is only generated to be sent via SMS.
Holding
The Spanish DPA (AEPD) maintains that the respondent did not adopt the necessary technical and organizational measures to guarantee the confidentiality of the information and to respect its own security protocols. This therefore breached Article 5(1)(f) GDPR and Article 32 GDPR.
The initial sanction for infringing Article 5(1)(f) was a fine of €5000 and the initial sanction for breach of Article 32 was a warning. However, the AEPD closed the proceedings due to the voluntary and early payment of €3000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 Procedure No.: PS / 00335/2020 RESOLUTION R / 00066/2021 TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00335/2020, instructed by the Spanish Agency for Data Protection to IDFINANCE SPAIN, S.L., considering the complaint filed by A.A.A., and based on the following, BACKGROUND FIRST: On January 14, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to IDFINANCE SPAIN, S.L. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure Nº: PS / 00335/2020 AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following ACTS FIRST: A.A.A. (hereinafter, the claimant) dated May 11, 2020 filed a claim with the Spanish Agency for Data Protection. The The claim is directed against IDFINANCE SPAIN, S.L. with NIF B66487190 (in forward, the claimed). The reasons on which the claim is based are the following: “The company IDFINANCE SPAIN (MoneyMan), has sent an email from debt recovery in which it offers a link to make the payment on its website, the link (*** URL.1), it does not give me access to my account, if not that of another client, being able to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/18 apply for loans, consult all your personal data and information regarding loans from the entity in question. Attached capture of the data to which I have access, in addition to the mail that I have received, My biggest concern is that just as I have access to this information that I should not be able to see so freely, the same thing happens with my personal data and the from other clients. " Along with the claim, provide the following documents: 1. Mail sent on May 11, 2020 at 17:22 from the account <*** EMAIL.1> to <*** EMAIL.2> where you are informed of a balance in favor of MoneyMan and offered various payment methods, including the online payment service accessing the link object of the claim. 2. Screenshot of the contract “Loan History” page *** CONTRACT. 1 where there is a link to download the contract. 3. Screenshot of the page "My cards" where the cards are masked. central numbers of a debit card. 4. Screenshot of the “Contact information” page where the NIE appears, date of birth and email of a person with first and last name B.B.B. 5. Screenshot of the "Address and employment" page where address, employment status and information on net monthly income. SECOND: On May 13, 2020, the General Subdirectorate for Inspection of Data carried out a verification of the link object of the claim, collecting the following evidence: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/18 1. Download the document that contains the Terms and Conditions by which it is governed the loan contract signed between IDFINANCE SPAIN, S.L. and B.B.B .. 2. Print page that warns that “[…] your account has been blocked because You meet the requirements to be able to obtain a loan in Moneyman […] " 3. Printing of the “Loan History” page of the contract *** CONTRACT.1. 4. Printing of the page "My cards" showing masked numbers (except the last 4 digits) of a debit card. THIRD: In view of the facts denounced in the claim and the documents provided by the claimant, the Subdirectorate General for Inspection of Data proceeded, on June 3, 2020, to transfer the claim, of in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD). In this letter, the defendant was requested that, within the period of one month analyze the claim and find out about the causes that have motivated the incidence that has originated the claim, report on the measures adopted to avoid similar incidents, implementation dates and controls carried out to verify their effectiveness. The defendant submitted an answering brief on July 12, 2020 in which manifests the following: "[…] FIRST. - Received the claim of that Agency, this entity initiated the investigation of the facts, firstly, verifying that the systems do not would have produced any type of security breach that would have given access to personal data from the database. This verification was negative and it was found that there was no failure in the system that would allow a general dissemination of customer personal data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/18 SECOND. - […] Once a client registers on the website, their Area is automatically created Username, which can only be accessed through your username and password unique. [...] […] When clients default, the agents of the Department of recovery initiate the different actions so that the clients comply with the payment of the loan. One of them is to send, via SMS, never by email, a link to make the payment directly to your User Area, which is what the claimant provides in the claim. THIRD. - Received the claim of Mr. A.A.A. proceeded to perform, as has explained above, an exhaustive investigation- Once the security breach was ruled out, the investigation of the events described was initiated in the claim of Mr. A.A.A .. […] This link is generated manually in the system, in the CRM where it is manage customer loans there is the option of sending the SMS with said link. We do not know how the claimant was able to receive this link by email since it is only generated to be sent via SMS. Nor have we been able to carry out the investigation of said email given that the claimant did not provide it in the claim. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/18 However, a search of the mailboxes has been carried out email from which notifications are sent to customers and there is no email sent neither to the claimant, nor to Mr. B.B.B. Likewise, a search of all the SMS sent by the system in the file of Mr. B.B.B. and the only phone number that appears is the one that belongs to said client, so it is technically impossible for that SMS has been sent to another phone number. Likewise, we have proceeded to extract from the database all the accesses that were made to said link, with the IP addresses, the browser and other data, in the It is appreciated that, despite the fact that the link has an expiration of 7 days, it is accessed it a high number of times, even being opened from the WhatsApp application. FOURTH.- In light of the foregoing regarding the facts described by Mr. A.A.A. in your claim, you actually had access to the link sent via SMS to the phone number of Mr. B.B.B. and to your User Area, and since IDFinance Spain S.L.U. scrupulously ensures the data protection rights of the interested parties, proceeded to take measures in order to protect the rights of Mr. B.B.B., that is, blocking your data in the systems until it can be known how Mr. A.A.A. had access to that link. […] That Agency is requested to request Mr. A.A.A. what the mail brings email you received with that link. […] " The defendant attaches to this document a document listing the accesses to the link made between April 24, 2020 until May 14, 2020. FOURTH: The claim was admitted for processing by resolution of the Director of the Spanish Agency for Data Protection dated September 25, 2020. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/18 FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) recognizes each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II Article 5 of the RGPD, whose heading is entitled Principles relating to the treatment establishes in letter f) of its section 1 that personal data will be “treated as in such a way as to ensure adequate security, including protection against unauthorized or illegal treatment and against its loss, destruction or accidental damage, through the application of appropriate technical or organizational measures (“integrity and confidentiality ”)”. For its part, the LOPDGDD, in its article 5 provides that: "one. Those responsible and in charge of data processing as well as all people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679. 2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations. 3. The obligations established in the previous sections will be maintained even when the relationship between the obligated party and the person in charge of the treatment". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/18 In relation to the measures mentioned in article 5.1.f) of the RGPD before transcribed, article 32 of the same rule provides that: "one. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of individuals physical, the controller and the person in charge of the treatment will apply technical measures and appropriate organizational arrangements to ensure a level of security appropriate to the risk, that in your case include, among others: a) pseudonymisation and encryption of personal data; b) the ability to guarantee confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data of quick way in case of physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2.When evaluating the adequacy of the security level, particular attention will be paid to takes into account the risks presented by the data processing, in particular as consequence of accidental or illegal destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to such data. 3.Adherence to a code of conduct approved in accordance with article 40 or to a certification mechanism approved under article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the this article. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/18 4.The controller and the person in charge of the treatment will take measures to guarantee that any person acting under the authority of the controller or processor and have access to personal data can only process said data by following instructions of the person in charge, unless it is obliged to do so by virtue of the Right to the Union or the Member States. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/18 III The claim is based on the alleged security breach in the systems of the claimed that it would have resulted in the making available to a third party of a link that would have freely allowed access to personal data of a identification, location and economic and contractual of another client user and by therefore a violation of the principle of confidentiality in data processing personal data by the person responsible for said treatment. As proof of these statements, the claimant provided the documents requested has referenced in the first fact of this agreement. In this way, the email provided would show that, despite the statements made by the claimed in its letter dated July 12, 2020 in the sense that the link It is only generated to be sent by SMS, on May 11, 2020 at 17:22 hours an email would have been sent from the account <*** EMAIL.1> to <*** EMAIL.2>. In this email appears the link *** URL.1 as access to the online payment of a monetary amount in favor of the claimed. Likewise, the claimant provides screenshots of the user account to which provides access to the link referred to in the previous paragraph and that does not correspond to yours, but that of another person and that allows access to personal data of a identification, location and economic, as well as a link that allows download the signed contract of the client with the claimed one. Free access to content of various pages of the user account from the referred link, as well as the possibility of downloading the contract, were confirmed by the checks made to which reference was made in the second event and which were forwarded as documentation attached to the transfer of the claim sent to the defendant on the day June 3, 2020. On the other hand, it is pointed out that, according to the list of accesses to the referred link provided by the defendant, it would have been accessed between April 24, 2020 and on May 14, 2020, a period of time clearly greater than 7 days of expiration established for said links indicated by the claimed in his writing. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/18 Taking into account that article 4.12) of the RGPD defines security violations of personal data such as “all those security violations that cause the destruction, loss or accidental or illegal alteration of personal data transmitted, conserved or otherwise treated, or the communication or access does not authorized to such data ”, those set forth in the preceding paragraphs would show that would have produced a violation of the security measures that would have allowed: 1º That the link had been communicated by a means (email) other than the SMS sent to the client's mobile phone that, according to what was stated by the claimed constitutes the procedure of action. 2º That the link had been active for a time greater than 7 days of expiration declared by the defendant in his answering brief. 3º That it has been possible to freely access, through the aforementioned link, the area of user without entering the username and password, so that the claimed as the only way to access said user area IV In accordance with the evidence available at the present time agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the facts presented do not comply with the provisions of the Articles 5.1.f) and 32 of the RGPD, so they could involve the commission of paths infractions. The offense typified in article 5.1.f) is typified in article 83.5 of the RGPD, which provides the following: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/18 a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9; […] " For its part, the violation of article 32 of the RGPD is typified in article 83.4 of the cited standard, where it is determined that: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual global business volume of the previous financial year, opting for the highest amount: a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a 39, 42 and 43; […] " For the purposes of the statute of limitations for infractions, article 72.1 of the LOPDGDD, points out: "Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. […] And for its part, article 73 of the LOPDGDD, which: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that suppose a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/18 substantial violation of the articles mentioned therein and, in particular, the following: […] G) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with required by article 32.1 of Regulation (EU) 2016/679. […] " V The corrective powers available to the Spanish Agency for the Protection of Data, as a control authority, are established in article 58.2 of the RGPD. Between They have the power to sanction with warning - article 58.2 b) -, the Power to impose an administrative fine in accordance with article 83 of the RGPD -article 58.2 i) -, or the power to order the person in charge of the treatment that the processing operations comply with the provisions of the RGPD, when proceed, in a certain way and within a specified period - article 58. 2 d) -. According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. Without prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulation provides in its art. 58.2 b) the possibility of sanctioning with warning, in relation to with what is stated in Recital 148: "In the event of a minor offense, or if the fine likely to be imposed constitutes a disproportionate burden for an individual, rather than sanction by fine may be imposed a warning. It must however pay special attention to the nature, severity and duration of the offense, its intentional character, to the measures taken to alleviate the damages suffered, the degree of responsibility or any relevant prior infringement, the way in which that the supervisory authority has had knowledge of the infraction, to the fulfillment of measures ordered against the person in charge or in charge, adherence to codes of conduct and any other aggravating or mitigating circumstance. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/18 SAW In the present case, without prejudice to the results of the instruction, they have taken into account It has, in particular, the following elements. 1. As an aggravating circumstance, the link between the activity of the claimed person with the performance of personal data processing that their activity necessarily entails the processing of personal data of the clients (article 76.2.b) of the LOPDGDD). 2. As an extenuating circumstance, the cooperation shown by the claimed with the Spanish Agency for Data Protection in the transfer phase of the claim (article 83.2.f of the RGPD). Therefore, it is considered that the sanctions that should be imposed would be the following: For the violation of article 5.1.f) it is considered that the appropriate sanction is that of administrative fine. In this regard, the fine imposed must be, in each individual, effective, proportionate and dissuasive case, in accordance with the provisions of the Article 83.1 of the RGPD. Therefore, the sanction to be imposed should be adjusted according to with the criteria established in article 83.2 of the RGPD, and with the provisions of the Article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. In Based on the foregoing, it is considered proportional to set the penalty to be imposed in the amount of five thousand euros (€ 5,000.00). For the violation of article 32, a sanction of warning, in accordance with the established in article 58.2 b) of the RGPD, in relation to what is stated in the Recital 148, cited above. On the other hand, if the existence of infringing conduct is confirmed, it could be agreed impose on the person in charge the adoption of adequate measures to adjust their actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/18 Article 58.2 d) of the RGPD, according to which each supervisory authority may “order the responsible or in charge of the treatment that the treatment operations are comply with the provisions of this Regulation, where appropriate, of a determined manner and within a specified period […] ”. In such case, in the resolution adopted, this Agency may require the responsible so that within the period to be determined: Prove that you have verified and corrected the implementation of the technical or organizational security or both, that avoid the violation of the principle of confidentiality and the making available to third parties of personal data of the customers. Therefore, based on the foregoing, By the Director of the Agency Spanish Data Protection, AGREES: FIRST: INITIATE SANCTIONING PROCEDURE to IDFINANCE SPAIN, S.L., with NIF B66487190, for the alleged infractions of articles 5.1.f) and 32 of the RGPD, typified in articles 83.5 and 83.4, respectively, of the aforementioned rule. SECOND: APPOINTMENT to C.C.C. and secretary to D.D.D., stating that Any of them may be challenged, if applicable, in accordance with the provisions of the Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRJSP). THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Inspection of Data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/18 FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), the penalty that may correspond for the violation of article 5.1.f) of the RGPD would be FIVE THOUSAND EUROS (€ 5,000.00), and for that of article 32 of the same norm, a APPRECIATION. All this without prejudice to what results from the instruction. Likewise, the confirmation of the offending conduct may lead to the imposition of measures in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD. FIFTH: NOTIFY this agreement to IDFINANCE SPAIN, S.L., with NIF B66487190, granting you a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations, you must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same It may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP. In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; the which will entail a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be established in FOUR THOUSAND EUROS (€ 4,000.00), resolving the procedure with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be established at FOUR THOUSAND EUROS (€ 4,000.00) and its payment will imply the termination of the procedure. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/18 The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the recognition of responsibility, provided that this recognition of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In In this case, if both reductions should be applied, the amount of the penalty would be established in THREE THOUSAND EUROS (€ 3,000.00). In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts mentioned above FOUR THOUSAND EUROS (€ 4,000.00) or THREE THOUSAND EUROS (€ 3,000.00), you must make it effective by entering account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of Data in the bank CAIXABANK, S.A., indicating in the concept the number reference of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted. Likewise, you must send proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. 935-200320 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/18 Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On January 23, 2021, the defendant has proceeded to pay the penalty in the amount of 3,000 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction, but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/18 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00335/2020, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to IDFINANCE SPAIN, S.L .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es