| AEPD - PS/00076/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(b) GDPR Article 83(5) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 08.09.2020 |
| Published: | 08.09.2020 |
| Fine: | 40000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS/00076/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Aditi Tripathi |
The AEPD fined the Spanish bank, BANKIA S.A. 50,000 euros for breach of Article 5.1(b) of the GDPR. The Defendant was charged with retaining personal data of the Claimant. Mitigating factors under Spanish Administrative Law were invoked, leading to a reduced fine of 40,000 euros.
English Summary
Facts
On 20/09/2019, the AEPD received a complaint against BANKIA SA for retaining the claimant's personal data despite the fact that the claimant ceased to be their client 16 years ago. On 5/11/2019 the AEPD asked BANKIA to remedy the situation however BANKIA claimed that their actions were in accordance with data protection regulations and did not solve the problem or update their data retention policy until March 2020.
Dispute
Did BANKIA SA violate the purpose limitation stipulated in Article 5.1(b) GDPR by retaining records of the claimant's personal data, 16 years after their last commercial relationship?
Holding
The AEPD held that BANKIA was charged with infringing Article 5.1(b) of the GDPR, for processing data in a manner that did not meet a specified, explicit and legitimate purpose. The blocked data was also accessible by workers from the office of BANKIA, which infringed Spanish Law on the Organic Law on Data Protection and Guarantee of Digital Rights (Article 32.2).
In determining the fine, the following aggravating factors under Article 83 GDPR were considered: unintentional but significant negligent action and the fact that basic personal identifiers (i.e. name, surname, address, telephone) of the claimant were affected. Nevertheless, an attenuating circumstances in the Spanish Law on the Common Administrative Procedure of Public Administration (Article 83) stated that the voluntary payment of the proposed penalty prior to the resolution of the proceedings, led to a reduction of 20% in the penalty.
On 20 August 2020, BANKIA S.A. paid 40,000 euros thereby applying the above-mentioned reduction. In doing so, BANKIA implied recognition of their responsibility and waived any action or appeal through administrative channels, against the sanction. Subsequently, the AEPD decided to terminate the procedure.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 968-150719 Procedure No.: PS/00076/2020 DECISION R/00387/2020 ON THE TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER In sanction procedure PS/00076/2020, conducted by the Agency Española de Protección de Datos a BANKIA, S.A., in view of the complaint submitted by A.A.A., and based on the following, BACKGROUND FIRST: On June 8, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against BANKIA, S.A.. Notified the agreement to start and after analyzing the allegations presented, dated 5 The following motion for a resolution was issued in August 2020 transcribe: << Procedure No.: PS/00076/2020 From the procedure instructed by the Spanish Data Protection Agency and in based on the following: BACKGROUND FIRST: A.A.A. (hereinafter referred to as the Claimant) dated September 20, 2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against BANKIA, S.A. with NIF A14010342 (hereinafter, the claimed). The reasons on which the complaint is based are your personal data remained in the files despite having stopped being a client 16 years ago. The claimant states that he stopped being a client of Caja Madrid more than 16 years ago, Bankia and for personal reasons, has had to become a client again in order to solve an issue of an inheritance. In carrying out this management, the BANKIA office has informed you that being a client, with an internal number ***CLIENT.1 with data that were at an address of 2002. In order to resolve the issues that led him to contact BANKIA, has proceeded to modify the data concerning you, in an office of the entity but have not been able to explain why without having any product contracted, nor credit/debit card, current, savings or securities account, still had their personal data. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 For this reason, he is filing a complaint with this body because he does not understand what it is like may have kept their data for so long, without being a customer. . SECOND: Upon receipt of the complaint, the Subdirectorate General for the Inspection of Data proceeded to carry out the following actions: On 5 November 2019, the claim was transferred to the claimed entity submitted by the complainant, for its analysis, as well as to inform the Agency on whether it had communicated with the complainant, and the decision adopted in this respect to remedy the situation that has arisen. The requested party states that the data remain blocked in accordance with the data protection policy that allows them to be maintained in this situation where they are not accessible. THIRD: On 8 June 2020, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of Law 39/2015 of 1 October on Procedure Common Administrative Framework for Public Administration (LPACAP), by alleged violation of Article 5.1(b) of the GPMR, as set forth in Article 83.5 of the GPMR FOURTH: Upon notification of the above-mentioned agreement to initiate proceedings, the respondent submitted a written in which it first of all expresses the defencelessness produced as consequence of the fixing of the amount of the penalty in the agreement inception, despite the fact that has not at any time had occasion to make known to that body what circumstances might be applicable in the present case. Secondly, it also states that it has approved, on the occasion of full application of the RGPD, a document entitled "Policy on the Retention of Information on Bankia, S.A." (the "Policy"), which aims to to determine the basic internal rules for the preservation of the information, the establishment of an obligation to retain information for the periods required in each case, as determined in that document, the establishment of essential information preservation measures to ensure the safety of this and provide a basic framework of internal regulation that facilitates a decisions in situations related to the conservation of the information. This Policy was updated and re-approved by agreement of the Council of Administration of 31 March 2020, and it determines the various deadlines for retention and blocking applicable to the personal data of the data subjects. In particular, in accordance with the provisions of the Policy, BANKIA will blocking of your customers' personal data once the various products or services contracted by them, by identifying and reserving their by taking technical and organisational measures to prevent
