AEPD (Spain) - PS/00206/2020: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 48: Line 48:
}}
}}


The Spanish Data Protection Agency (AEPD) imposed a 50,000 € fine on the Spanish medical company Centro de Investigación y Estudio para la Obesidad, S.L. (the defendant) for infringing the lawfulness of processing principle, as per Article 6 of the GDPR.
The Spanish Data Protection Agency (AEPD) imposed a €50000 fine on the Spanish medical company Centro de Investigación y Estudio para la Obesidad, S.L. (the defendant) for infringing the lawfulness of processing principle, as per Article 6 of the GDPR.


==English Summary==
==English Summary==
Line 59: Line 59:


===Holding===
===Holding===
Thus, the AEPD understood that the defendant has infringed the lawfulness principle included at Article 6 GDPR, as it did not have the corresponding legal basis to process the personal data of the claimant when it transferred them to the financing entity. Consequently, after considering some circumstances [(i) there is a wilful misconduct by the defendant, (ii) basic personal data have been affected, and (iii) there is a continuing nature of the infraction], the AEPD decided to impose a fine of 50,000 € to the defendant.
Thus, the AEPD understood that the defendant has infringed the lawfulness principle included at Article 6 GDPR, as it did not have the corresponding legal basis to process the personal data of the claimant when it transferred them to the financing entity. Consequently, after considering some circumstances [(i) there is a wilful misconduct by the defendant, (ii) basic personal data have been affected, and (iii) there is a continuing nature of the infraction], the AEPD decided to impose a fine of €50000 to the defendant.


==Comment==
==Comment==

Revision as of 15:58, 20 October 2020

AEPD - PS/00206/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 09.10.2020
Fine: 50000 EUR
Parties: Centro de Investigación y Estudio para la Obesidad, S.L.
National Case Number/Name: PS/00206/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Agency (AEPD) imposed a €50000 fine on the Spanish medical company Centro de Investigación y Estudio para la Obesidad, S.L. (the defendant) for infringing the lawfulness of processing principle, as per Article 6 of the GDPR.

English Summary

Facts

The decision is the consequence of a complaint submitted by a Spanish citizen (the claimant) stating that the defendant transferred her personal data to the financial institution Evo Finance E.F.C., S.A.U., and this one, in turn, to the debt-recovery company TEAM4 Collection & Consulting; additionally, the claimant states that her personal data had been included in the solvency and credit file BADEXCUG, and that she only went to the premises of the defendant in order to ask for a budget for a stomach reduction, but she did not accept the budget nor subscribed any agreement with the defendant.

Dispute

The defendant did not answer the AEPD request, so the AEPD started the corresponding sanction procedure.

Holding

Thus, the AEPD understood that the defendant has infringed the lawfulness principle included at Article 6 GDPR, as it did not have the corresponding legal basis to process the personal data of the claimant when it transferred them to the financing entity. Consequently, after considering some circumstances [(i) there is a wilful misconduct by the defendant, (ii) basic personal data have been affected, and (iii) there is a continuing nature of the infraction], the AEPD decided to impose a fine of €50000 to the defendant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
1/8 Procedure No.: PS / 00206/2020938-300320RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the following:BACKGROUNDFIRST: Ms. AAA (hereinafter, the claimant) dated April 9,2019 filed a complaint with the Spanish Agency for Data Protection. Theclaim is directed against CENTRO DE INVESTIGACIÓN Y ESTUDIO PARA LAOBESIDAD, SL with NIF B85626554 (hereinafter, the claimed one).The claimant states that the claimant has transferred her personal data withoutyour consent to the financial entity Evo Finance EFC, SAU and this in turn tothe recovery company TEAM4 Collection & Consulting (hereinafter, TEAM4).It adds that your data has been reported to the equity solvency file andcredit BADEXCUG. In turn, he maintains that he went to the clinic to request a quotefor a stomach reduction and he decided not to accept it at cost.On the other hand, he states that he did not sign anything.It states that the events took place on October 18, 2018.And, among other things, it provides the following documentation: Letters sent by TEAM4 dated October 18, November 5 and 12December 2018. Letter sent by EXPERIAN BUREAU DE CRÉDITO SA dated 15January 2019 informing the claimant of the inclusion of their data in thefile BADEXCUG. Letter sent by ASNEF-EQUIFAX dated January 15, 2019informing the claimant of the inclusion of their data in the fileBADEXCUG. Complaint filed with the Municipal Consumer Information Office ofMadrid on December 12, 2018.SECOND: In view of the facts reported in the claim and thedocuments provided by the claimant and the facts and documents of which he hasthis Agency, the Subdirectorate General for Data Inspectionproceeded to carry out preliminary investigation actions for theclarification of the facts in question, by virtue of the powers of investigationgranted to the control authorities in article 57.1 of the Regulation (EU)2016/679 (General Data Protection Regulation, hereinafter RGPD), andC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/8in accordance with the provisions of Title VII, Chapter I, Second Section, of the LawOrganic 3/2018, of December 5, Protection of Personal Data and guarantee ofdigital rights (hereinafter LOPDGDD).As a result of the investigation actions carried out, it is verifiedthat the person responsible for the treatment is the one claimed.The antecedents that appear are the following:On May 6, 2019, it was agreed not to admit theclaim submitted by the claimant.THIRD: The claimant filed on May 20, 2019, an appeal forreplacement, providing new documentation, highlighting the contract, unsigned, of amedical treatment that the affected party states that it was never carried out and of whichHe had only requested a budget, finally opting for anothertreatment of a smaller budget and for which no financing was necessary.And it provides, among others, the following documents: Stomach reduction operation budget. Request for a loan contract not signed by the claimant. Newsletter of adherence to the insurance for death, unemployment, disability, etc.not signed. Communication from EVO FINANCE indicating the monthly payment plan. Request to the BANKIA entity for the refund of undue charges fromEVO FINANCE and modification of SEPA direct debit order.On July 2, 2019, the Director of the Spanish Agency for the Protection ofData, agrees to estimate the appeal for reconsideration filed by the claimant against theResolution of this Agency issued on May 6, 2019.FOURTH: On July 15, 2019, the respondent was asked to provide thecorresponding supporting documentation of the services offered, the amounts, iffinancing and acceptance by the claimant was chosen and, where appropriate,financing contract with the entity EVOFINANCE EFC, SAU without anyIn response to the request of this Agency, the notification date is 15July 2019. Information requested from EQUIFAX IBERICA, SL (hereinafter, EQUIFAX)on the data of the claimant informed to the ASNEF file, dated 3June 2020 is received in this Agency, response to the requirementsent by EQUIFAX stating that there are no records of the claimantof any entity in the ASNEF file. Information requested from EXPERIAN BUREAU de CRÉDITO, SA about thedata of the claimant informed to the file BADEXCUG, dated 1July 2020 this Agency receives a reply to the request sentby this company indicating that currently there are no reported dataC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/8to the BADEXCUG file of the claimant, although in its historical file, there wasa discharge reported by EVO FINANCE on January 13, 2019, for aunpaid amount of € 738.76, which was canceled on June 23, 2019 asconsequence of the weekly automatic update of the data filesent by the entity.FIFTH: On July 20, 2020, the Director of the Spanish Agency forData Protection agreed to initiate a sanctioning procedure to the claimed, by thealleged infringement of Article 6 of the RGPD, typified in Article 83.5 a) of the RGPDand considered very serious in 72.1.a), for the purposes of prescription, setting a penaltyinitial 50,000 euros (fifty thousand euros).SIXTH: The practice of notification by the SE having been unsuccessfulCorreos y Telégrafos, SA, was notified by the Single Edictal Board of theBOE, on August 14, 2020.SEVENTH: Formally notified of the initiation agreement, the one claimed at the time ofThis resolution has not submitted a brief of allegations, so it isapplication of the provisions of article 64 of Law 39/2015, of October 1, of theCommon Administrative Procedure of Public Administrations, which in itsSection f) establishes that in case of not making allegations within the established periodon the content of the initiation agreement, it may be considered a proposal forresolution when it contains a precise pronouncement about the responsibilityimputed, for which a Resolution is issued.In view of all the actions, by the Spanish Protection Agencyof Data in this procedure, the following are considered proven facts:ACTSFIRST: It is established that the respondent has given the personal data of theclaimant to the financial entity Evo Finance EFC, SAU and this in turn to therecovery company TEAM4 Collection & Consulting (hereinafter, TEAM4),as a debtor of a credit operation that you never signed.SECOND: The claimant's details have been reported to the solvency fileequity and credit Badexcug.THIRD: They consist of letters sent by TEAM4 dated October 18,November and December 12, 2018 to the claimant.FOURTH: It is found that currently there are no data reported to the fileBadexcug of the claimant, although in its historical file, there was an informed dischargeby Evo Finance on January 13, 2019, for an unpaid amount of € 738.76,which was terminated on June 23, 2019 as a result of the updateweekly automatic data file sent by the entity.FIFTH: On July 20, 2020, this sanctioning procedure was initiated by theviolation of article 6 of the RGPD, being notified on the 14th of the same month and year.Not having made any allegations, the one claimed, to the initial agreement.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/8FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,the Director of the Spanish Data Protection Agency is competent to initiateand to solve this procedure.IIThe defendant is charged with committing an infraction for violation of theArticle 6 of the RGPD, " Legality of the treatment ", which indicates in its section 1 thecases in which the processing of third party data is considered lawful:"one. The treatment will only be lawful if at least one of the following is metterms:a) the interested party gave their consent for the processing of their datapersonal for one or more specific purposes;b) the treatment is necessary for the performance of a contract in which theinterested is part or for the application at the request of this of measurespre-contractual;(…) "The offense is typified in Article 83.5 of the RGPD, which considers as such:"5 . Violations of the following provisions will be sanctioned, in accordancewith paragraph 2, with administrative fines of maximum EUR 20,000,000 or,in the case of a company, an amount equivalent to a maximum of 4% of thetotal annual global business volume of the previous financial year, opting forthe highest amount:a) The basic principles for the treatment, including the conditions for theconsent in accordance with articles 5,6,7 and 9. "Organic Law 3/2018, on the Protection of Personal Data and Guarantee ofDigital Rights (LOPDGDD) in its article 72, under the heading " Infractionsconsidered very serious ” provides:"one. Based on what is established in article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inin particular, the following:(…)C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/8a) The processing of personal data without the concurrence of any of theconditions of legality of the treatment established in article 6 of theRegulation (EU) 2016/679. "IIIThe documentation in the file accredits that the claimed,violated article 6.1 of the RGPD , every time he processed the dataclaims of the claimant without having any standing to do so.The defendant processed the claimant's data without legitimacy, sincecommunicated its data to the financial entity Evo for the financing of atreatment that was not carried out.It is noteworthy that the requested information about these facts is required,Although it appears that the notification was delivered on July 15, 2019, it has notreplied to this Agency and has not made any allegations to the Initiation Agreementof this sanctioning procedure, with the date of notification being 14August 2020.However, and this is the essential thing, the defendant has not accredited legitimacyfor the treatment of the claimant's data.IVThe determination of the sanction to be imposed in the present case requiresobserve the provisions of articles 83.1 and 83.2 of the RGPD, precepts that,respectively, provide the following :"Each supervisory authority will guarantee that the imposition of finesadministrative under this article for the infractions of thisRegulations indicated in paragraphs 4, 9 and 6 are in each individual caseeffective, proportionate and dissuasive. "" Administrative fines will be imposed, depending on the circumstances ofeach individual case, as an additional or substitute for the measures contemplated in theArticle 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, severity and duration of the offense, taking into account thenature, scope or purpose of the processing operation in questionas well as the number of affected stakeholders and the level of damage anddamages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the controller or processorto mitigate the damages suffered by the interested parties;d) the degree of responsibility of the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied by virtue of articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of thetreatment;C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/8f) the degree of cooperation with the supervisory authority in order toremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement,in particular if the person in charge or the person in charge notified the infraction and, in suchcase, to what extent;i) when the measures indicated in Article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanismscertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of thecase, such as financial benefits obtained or losses avoided, director indirectly, through the infringement. " (The underlining is from the AEPD)In order to specify the amount of the penalty to be imposed on the one claimed byviolation of article 83.5.a) of the RGPD, it is essential to examine and assess whetherThe circumstances described in article 83.2 of the RGPD concur and if they intervenemitigating or aggravating the responsibility of the responsible entity.In accordance with the transcribed precepts, in order to set the amount of thesanction of a fine to be imposed in the present case, the claimed party is consideredas responsible for an infraction typified in article 83.5.a) of the RGPD, andestimate the following factors concurrent.As aggravating factors the following:- In the present case we are facing a negligent action on significant data thatallow the identification of a person (article 83.2 b).- Basic personal identifiers are affected (name, a number ofidentification, the line identifier) ​​(article 83.2 g).- Section k), in relation to article 76.2 of Organic Law 3/2018 , in thethat the continued nature of the offense is framed as aggravatingattributed to the claimed.This is why it is considered appropriate to graduate the sanction to be imposed on theclaimed and set it at the amount of € 50,000 for the violation of article 6 of the RGPD.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of the sanctions whose existence has been accredited, the Director of theSpanish Agency for Data Protection RESOLVES:FIRST: IMPOSE THE RESEARCH AND STUDY CENTER FOR THEOBESIDAD, SL . , with NIF B85626554, for a violation of Article 6 of the RGPD,typified in Article 83.5 of the RGPD, a fine of 50,000 euros (fifty thousandeuros).SECOND: NOTIFY this resolution to CENTRO DE INVESTIGACIÓN YSTUDY FOR OBESITY, SLC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/8THIRD: Warn the sanctioned person that the sanction imposed by aOnce this resolution is enforceable, in accordance with the provisions of theart. 98.1.b) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter LPACAP), within the payment periodvoluntary established in art. 68 of the General Collection Regulations, approvedby Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,of December 17, by means of their entry, indicating the NIF of the sanctioned person and the numberof procedure that appears in the heading of this document, in the accountrestricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the AgencySpanish Data Protection Agency in the bank CAIXABANK, SA. In caseOtherwise, it will be collected in the executive period.Once the notification has been received and once it is executed, if the date of execution isfinds between the 1st and 15th of each month, both inclusive, the deadline to carry out thevoluntary payment will be until the 20th of the following or immediately subsequent business month, and ifis between the 16th and last days of each month, both inclusive, the term of thePayment will be up to the 5th of the second following or immediate business month.In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data ProtectionC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/8