AEPD - PS/00451/2019

From GDPRhub
AEPD - PS/00451/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Decided: 09.06.2020
Published: 09.06.2020
Fine: 75000 EUR
Parties: n/a
National Case Number/Name: PS/00451/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: Spanish DPA (in ES)
Initial Contributor: n/a

The Spanish data protection authority ('AEPD') issued a resolution against Equifax, a credit agency, fining the company €75,000 for violating Article 6(1)(f) of the GDPR .

English Summary[edit | edit source]

Facts[edit | edit source]

The complainant requested via email the deletion of his data from the National Association of Financial Credit Institutions' ('ASNEF') file.

Dispute[edit | edit source]

Holding[edit | edit source]

AEPD considered that Equifax Iberica's response was excessive since it did not proceed with the deletion. As a result, the AEPD concluded that Equifax Iberica's conduct amounts to a violation of Article 6(1)(f) of the GDPR, since the company did not comply with the obligation established under Article 20(1)(c) of Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights, which provides for the data to remain blocked for 30 days.

Comment[edit | edit source]

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Product No.: PS/00451/2019
938-300320
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure instructed by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: D. A.A.A. On 10 October 2019, in the name and on behalf of Mr. B.B.B. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency. The claim is directed against Equifax Iberica, S.L. with NIF B80855398 (hereinafter, the claimant). 
The claimant states that, on January 3, 2019, he submitted an e-mail requesting the cancellation of the inclusion of his data in the Asnef file from December 10, 2018. 
Subsequently, they replied that they were exercising the right of cancellation in excess and therefore did not proceed with the procedure as they exercised it on 9 December 2018. 
Thus, the claimant argues that the previous request for cancellation was for a tax debt and the entry of their data in the file of Judicial Incidents and not for which now exercises again the right of cancellation. Furthermore, the data have not been blocked for 30 days as stated in the Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD).
The claimant provides the following documentation:
•	Notifications of the inclusion of your data in the Asnef file of four debts corresponding to three credit institutions sent by Equifax Iberica, S.L. (hereinafter Equifax).
•	Equifax report of the data reported by the claimant to the Asnef file and query history.
•	Copy of the response of the entity Equifax to the suppression exercise dated 3 January 2019.
•	Copy of the response of the entity Equifax to the suppression exercise dated 9 January 2019.
•	Letter of complaint
•	Copy of authorization of representation by D. A.A.A.
On February 10, 2019, this Agency received a new letter, with registration number 06919/2019, from the claimant, clarifying that the complaint filed with this Agency was for the breach of Article 20 of the Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, LOPDGDD).
On 18 February 2019, the complainant was notified that his complaint was not admitted for processing because there was no rational evidence of the existence of an infringement within the scope of the Spanish Data Protection Agency's jurisdiction.
On February 27, 2019, this Agency received, with registration number 010185/2019, a letter of Appeal for Replacement from the claimant stating, among other things, that the entity Equifax has not complied with the provisions of Article 20.1.c of the LOPDGDD and emphasizing that it has not respected the blocking period of 30 days from its date of registration.
The claimant provides, in addition to the documentation presented in the claim, the following documentation:
•	Equifax report dated 10 December 2018. In which it is stated that on this date there was no data on the claimant in the Asnef or Asnef Empresas file
•	Communication sent by Equifax to the claimant informing that, after receiving his request to cancel his data from the file of Judicial Incidents and Complaints of Public Bodies, his data had been cancelled, and informing that the cancelled data were obtained from public sources.
•	Cancellation request mail addressed to the respondent dated January 3, 2019.
On April 1, 2019, the Director of the Spanish Data Protection Agency, granted the claimant's appeal for reconsideration.
SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, of the facts and documents of which this Agency has become aware, the Subdirectorate General of Data Inspection proceeded to carry out preliminary investigative actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).
On April 4, 2019, the claim is transferred to EQUIFAX.
On April 24, 2019, this Agency received, under registration number 021042/2019, a letter of allegations from this entity stating, with respect to the causes that have motivated the claim, that on December 9, 2018, a request was received by e-mail for the cancellation of data, with supporting documentation, corresponding to tax debts that had caused the inclusion of the claimant's data in the file of Judicial Incidents and claims of Public Bodies. On December 18, 2018 it was cancelled and the claimant was notified on the same date. On January 3, 2019, Equifax offices received a new right of cancellation without providing any supporting documentation. In the response issued to the affected party, its request for cancellation was denied, based on the legal regulations on the matter, according to which the claimants cannot exercise the rights recognized by the data protection legislation in an indiscriminate, abusive and immoderate manner, since another cancellation request had been previously processed for the same reference holder. The response is prepared on 03/01/2019 and sent on 08/01/2019 by e-mail.
On the occasion of the transfer of the claim, they informed this Agency that they verified that on 5 April 2019 there were 4 entries in the Asnef file with data from Caixabank S.A, Nuevo Micro Bank and two from Caixabank Payments, and that after consulting the creditor entities, only one of the debts corresponding to Caixabank Payments was cancelled as a precautionary measure, ratifying the other three. On April 22, 2019, they sent a communication to the claimant on these issues and informed him that he could contact the creditors that had confirmed the debts to obtain more information about them.
And I attach, among others, the following documentation:
•	Report of records reported to the Asnef file and consultation history as of 5 April 2019.
•	Request for information from the creditors on the debts reported.
•	Response of the creditor entities.
•	Claimant's record report in the Asnef file dated April 22, 2019
•	Communication dated 22 April 2019 sent to the claimant about the situation in the Asnef file after its cancellation exercise and consultation with the creditor entities.
THIRD: On December 18, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the defendant, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, 2011, on the Common Administrative Procedure of Public Administrations (hereinafter referred to as LPACAP), for the alleged infringement of Article 6.1(f) of the RGPD, as defined in Article 83.5 of the RGPD.
FOURTH: Having been notified of the aforementioned agreement to initiate the proceedings, the party complained of requested an extension of the deadline and subsequently submitted a written statement of allegations in which, in summary, it stated that: "As a consequence of the non-blocking of the data, the AEPD considers that my represented party has proceeded to carry out data processing without a legitimate basis, and therefore considers the existence of a breach of Article 6.1 f) of the RGPD in relation to the data of the complainant.
In the case in question, the direct interpretation and application of Article 20.1 c) by the AEPD implies the exclusion of the weighting required by the legitimizing basis of Article 6.1.f) of the RGPD and, on the other hand, the addition of an additional requirement for the legitimizing of data processing established in Article 6.1 f) of the RGPD. Both facts, which as we have been pointing out, are contrary to the very spirit of the rule applied by the AEPD, to the RGPD itself and to the case law of the TJUE.
The data of the complainant were registered in ASNEF and accessible by the participating entities in the credit system on December 10, 2018, although they were sent telematically by the creditor entities on December 7 of the same year. The company I represent sent the complainant the information indicated in Article 14 of the RGPD on 11 December 2018.
Through this action, we understand that what the AEPD is actually doing is imposing an additional requirement, such as the blocking of data, to a processing of data based on legitimate interest and on a specific case regulated in the RGPD such as the obtaining of personal data from a source other than the data subject, and additionally, interpreting and applying a presumption as if it were a regulation and not a presumption in accordance with the Statement of Grounds of the LOPDGDD. 
To formulate in due course a motion for resolution in which the claims requested are upheld, declaring the actions to be null and void and the absence of responsibility on the part of my client". 
 
FIFTH: On January 22, 2020, the period for the practice of evidence began, and it was agreed: 1. to consider the complaint filed by the complainant and its documentation, the documents obtained and generated that form part of the file, as reproduced for evidential purposes, and 2. to consider the allegations to the agreement to initiate PS/00451/2019, presented by the denounced entity, as reproduced for evidential purposes.
SIXTH: On February 18, 2020, the Motion for Resolution for the alleged infringement of Article 6.1(f) of the RGPD, typified in Article 83.5 of the RGPD, with a fine of 75,000 Euros, was issued and notified to the respondent on February 19, 2020.
The defendant presented allegations to the Motion for Resolutions, with date of entry into this Agency on 11 March 2020, in which, in summary, it manifests the same facts and arguments set out in the allegations to the agreement of initiation, that is to say that the obligation to block the data during a period of 30 days when the data has not been directly obtained from the interested party, is not established in the conducts typified by the RGPD in its article 83 and therefore it would be responsible for an infraction that does not correspond to the typification made of the same.
 As a consequence, the defendant requests that the requested claims be granted, declaring the nullity of the proceedings and their filing and the absence of responsibility.
 
PROVEN FACTS
1.- The claimant's data were registered in the ASNEF file and were accessible by the institutions participating in the credit system on 10 December 2018, they were not blocked, being visible from the day following the registration of the data in the file. 
2.- The refusal to cancel the claimant's data on January 3, 2019 and again on January 9, 2019 is confirmed, alleging that according to Article 12.5 b) of Regulation (EU) 2016/679 General on Data Protection, the claimants cannot exercise the rights recognized by the data protection legislation in an indiscriminate, abusive and immoderate manner. There is no evidence that the claimant has consulted on any occasion with the creditor entities, prior to the refusal of cancellation, on the debts reported.
3.- As for the maintenance of the non-visible data for a period of thirty days marked by the LOPDGDD in its article 20.1.c, it is received in this Agency at the request of the inspection dated October 10, 2019 and registration number 047972/2019, a letter sent by the claimed:
"Although it is true that said LOPDGDD was applicable from the day after its publication in the BOE, that is, on December 7, 2018, for technical reasons and internal development at Equifax, it was not feasible to implement such changes in our systems until January 22, 2019, after which the 30-day block was effectively implemented".
LEGAL FOUNDATIONS 
I
The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of Article 58.2 of the RGPD and Articles 47 and 48.1 of the LOPDGDD. 
II
The defendant is accused of committing an infringement for breach of Article 6 of the RGPD, "Legality of processing", which indicates in its paragraph 1 the cases in which the processing of third party data is considered to be lawful: 
          "1. Treatment shall be lawful only if at least one of the following conditions is met: 
(f) processing is necessary for the fulfilment of a legitimate interest pursued by the controller or by a third party, provided that this interest is not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child. The provisions of point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their duties. 
 The infringement is defined in Article 83.5 of the RGPD, which considers it as such: 
"“5. Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, of up to 4% of its total annual turnover in the preceding business year, whichever is the greater 
a)	The basic principles for treatment, including conditions for consent under Articles 5, 6, 7 and 9. 
 Article 72 of the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), under the heading "Infringements considered very serious" provides: 
"In accordance with the provisions of Article 83(5) of Regulation (EEC) No 2016/679, infringements that substantially violate the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to a three-year limitation period: 
 (…) 
b)	The processing of personal data without meeting any of the conditions for the lawfulness of processing set out in Article 6 of Regulation (EU)2016/679.
III
The documentation in the file provides evidence that the defendant violated Article 6.1 f) of the RGPD, since it did not incorporate the obligation established in Article 20.1 c) of the LOPDGD to block the information for thirty days. 
Article 20.1 c) of the LOPDGDD states
"That the creditor has informed the affected party in the contract or at the time of requesting payment about the possibility of inclusion in such systems, indicating those in which he participates.
The entity that maintains the credit information system with data relating to the non-fulfilment of monetary, financial or credit obligations must notify the affected party of the inclusion of such data and inform him/her of the possibility of exercising the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679 within 30 days of the notification of the debt to the system, with the data remaining blocked during this period. ”
Therefore, the data were visible from the first day of registration in the ASNEF file, contravening the visibility requirements of the LOPDGDD.
It is noted, as claimed, that the data reported on December 10, 2018, were not blocked the period required in the LOPDGDD being visible from the day after the registration of the data in the file.
Well, as the respondent acknowledges in its pleading, it states the following: "Although it is true that the said LOPDGDD was applicable from the day after its publication in the BOE, that is, on December 7, 2018, for technical reasons and internal development in Equifax, it was not feasible to implement such changes in our systems until January 22, 2019, after which date the 30-day block was effectively implemented".
It is clear, and this is the essential point, that the processing of the claimant's data is not legitimate, given that the assumptions established in Article 20.1 c) of the LOPDGDD were not met.
IV
In accordance with the provisions of Article 83.1 and 83.2 of the RGPD, in deciding whether to impose an administrative fine and the amount thereof in each individual case, account shall be taken of the aggravating and mitigating factors listed in the aforementioned article, as well as of any other factor that may be applicable to the circumstances of the case. 
     "Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive.  
       "Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case:
a)	the nature, seriousness and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damages suffered;
b)	the intentionality or negligence of the infringement;
c)	any measure taken by the controller or processor to mitigate the damages suffered by the data subjects;
d)	the degree of responsibility of the person responsible or the processor, taking into account the technical or organisational measures they have implemented under Articles 25 and 32;
e)	any previous offence committed by the person responsible for or in charge of the processing;
f)	the degree of cooperation with the supervisory authority in order to remedy the infringement and to mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement;
h)	the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the person responsible for or in charge of the infringement notified it;
i)	where the measures referred to in Article 58(2) have been ordered in advance against the person responsible for or in charge of the same case, compliance with those measures;
j)	adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42, and
k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement. 
With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: 
          "2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, they may also be taken into account:
a)	The continuing nature of the infringement.
b)	Linking the offender's activity with the carrying out of treatment
of personal data.
c)	The benefits obtained as a result of the commission of the infringement.
d)	The possibility that the conduct of the affected person could have induced
commission of the offence.
e)	The existence of a post-commission takeover merger process
of the infringement, which cannot be attributed to the absorber.
f)	Affecting the rights of minors.
g)	To have, where not mandatory, a delegate for the protection of
data.
h)	The submission by the person in charge or in charge, with
The Committee will also be invited, on a voluntary basis, to mechanisms for the alternative resolution of conflicts, in cases where there are disputes between them and any interested party.
In accordance with the precepts transcribed, for the purposes of fixing the amount of the fine to be imposed in the present case for the infringement typified in article 83.5.a) of the RGPD for which the defendant is held responsible, the following factors are considered to be concurrent: As aggravating criteria: 
-	In the present case we are dealing with an unintentional but significant negligent action identified (article 83.2 b). 
-	The duration of the illegitimate processing of the data of the data subject by the requested party (Article 83.2 d). 
The balance of the circumstances referred to in Article 83.2 of the RGPD, with respect to the infringement committed by violating the provisions of Article 6 thereof, allows for the imposition of a penalty of 75,000 euros (seventy-five thousand euros), classified as "very serious", for the purposes of the prescription of the same, in Article 72.1.b) of the LOPDGDD.
            
Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on EQUIFAX IBERICA, S.L., with NIF B80855398, for an infringement of Article 6.1.f) of the RGPD, typified in Article 83.5 of the RGPD, a fine of 75,000.00 Euros (seventy-five thousand Euros).
SECOND: TO NOTIFY the present resolution to EQUIFAX IBERICA, S.L.
THIRD: To warn the sanctioned party that he/she must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification number of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account nº ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the banking institution CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the period for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the period for payment will be up to the 5th of the second following month or the immediately following working month.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. 
Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, data subjects may, optionally, lodge an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly lodge an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present resolution, it will terminate the precautionary suspension.
Mar Spain Marti
Director of the Spanish Data Protection Agency