CNIL (France) - SAN-2020-009

From GDPRhub
Revision as of 10:09, 10 December 2020 by Mh (talk | contribs)
CNIL - SAN-2020-0111
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 9(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 06.11.2020
Published:
Fine: 800000 EUR
Parties: n/a
National Case Number/Name: SAN-2020-0111
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Jackline

hello

English Summary

Facts

helo

Dispute

hi

Holding

bye

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/7










     Procedure No.: PS / 00207/2020


                RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                  BACKGROUND


FIRST: Mrs. A.A.A. (hereinafter, the claimant) dated April 9, 2019
filed a claim with the Spanish Agency for Data Protection. The
The claim is directed against Servicios Prescriptor y Medios de Pago, E.F.C., S.A.U.
with NIF A86373701 (hereinafter, the claimed one).


       The claimant states that the claimant requires the payment of a
treatment of which he had only requested a budget without formalizing any contract of
financing.

       He adds that his data was informed to the file of patrimonial solvency and
credit BADEXCUG.

       It states that the events took place on *** DATE.1.
       And, among other things, it provides the following documentation:
     Letters sent by TEAM4 dated October 18, November 5 and 12
       December 2018.
     Letter sent by EXPERIAN BUREAU DE CRÉDITO S.A. dated 15 of

       January 2019 informing the claimant of the inclusion of their data in the
       file BADEXCUG.
     Letter sent by ASNEF-EQUIFAX dated January 15, 2019
       informing the claimant of the inclusion of their data in the ASNEF file.

     Complaint filed with the Municipal Consumer Information Office of
       Madrid on December 12, 2018.

SECOND: In view of the facts reported in the claim and the
documents provided by the claimant, on May 6, 2019 it was agreed not to
admit for processing the claim presented by the claimant, in accordance with the

stipulated in article 65.2 of the LOPDGDD, after the analysis carried out on the
documents provided and the concurrent circumstances, there were no indications
reasons for the existence of an infringement within the Agency's competence
Spanish Data Protection.


THIRD: The claimant filed on May 20, 2019, an appeal for
replacement, providing new documentation, highlighting the contract, unsigned, of a
medical treatment that the affected party states that it was never carried out and of which
He had only requested a budget, finally opting for another
treatment of a smaller budget and for which no financing was necessary.
    And it provides, among others, the following documents:

     Stomach reduction operation budget.
     Request for a loan contract not signed by the claimant.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








     Newsletter of adherence to the insurance for death, unemployment, disability, etc.
        not signed.
     Communication from EVO FINANCE indicating the monthly payment plan.

     Request to the BANKIA entity for the refund of undue charges from
        EVO FINANCE and modification of SEPA direct debit order.

    On July 2, 2019, the Director of the Spanish Agency for the Protection of

Data, agrees to estimate the appeal for reconsideration filed by the claimant against the
Resolution of this Agency issued on May 6, 2019, having provided
new relevant documentation for the purpose of considering that the question raised
It could be contrary to current regulations on data protection.


FOURTH: Information requested from EQUIFAX IBERICA, S.L. (hereinafter, EQUIFAX)
on the data of the claimant informed to the ASNEF file, dated June 3
of 2020 is received in this Agency, response to the request sent by

EQUIFAX stating that there are no records of the claimant of any entity
in the file ASNEF.

    Information requested from EXPERIAN BUREAU de CRÉDITO, S.A. about the data
of the claimant informed to the BADEXCUG file, dated July 1, 2020,

receives in this Agency a response to the request sent by this company
indicating that currently there are no data reported to the BADEXCUG file of
the claimant, although in its historical file, there was a discharge reported by EVO
FINANCE on January 13, 2019, for an unpaid amount of € XXX, which was
Deregistration on June 23, 2019 as a result of the automatic update
weekly data file sent by the entity.


FIFTH: On August 11, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD.


SIXTH: Notified the initiation agreement, the claimed entity, by means of a written
On September 17 of this year, it made, in summary, the following allegations:

    "The claimed has a loan and credit agreement duly signed
through an electronic signature process with the intervention of a trusted third party
in which the loan applicant was identified and her consent was obtained

contractual, which was provided through the referred electronic signature process.
    1. Evo Finance loan and credit agreement in the name of the claimant

        duly signed electronically through a service provider
        electronic trusted by means of the consignment of an OTP code “One
        Time Pasword "

      1.1 Trusted electronic service of certified electronic contracting
          contracted by Prescriber Services with the service provider entity
          electronic trust Logalty Servicios de Tercero de Confianza, S.L.
          (hereinafter Logalty) aimed at proving the validity of the contract, the
          identity of the contractor and the provision of his consent.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








      Prescriber Services (formerly “Evo Finance”) has contracted with the entity
      trusted electronic service provider Logalty a service of
      Certified Electronic Contracting.

      Logalty is a provider of trusted electronic services and other services
      in accordance with the provisions of the RGPD.

      In accordance with article 30.2 of the Electronic Signature Law, Logalty is
      included in the list of trusted electronic service providers, both
      qualified as unqualified, from the Ministry of Economic Affairs and

      Digital transformation.
      All communications between Client and Logalty are made through
      telematic transactions signed electronically under a secure system of

      communications.
      Logalty's Certified Electronic Procurement includes as standard the

      certified copy of the document perfected by the parties, with mechanism of
      control of the integrity of the content and making a notarial deposit of the
      summary function of the content of all contracts

     To this, the following documentary evidence is provided as document No. 4:
    I. Loan and credit agreement dated 08/02/2018 in the name of the

           claimant with his DNI signed by electronic signature with stamp of
           Logalty, unique identifier and time stamp,

    II. General Conditions sent by email to the claimant and
           additionally accessible via the address *** URL.1, as specified
           indicated in the contract;

    III. Documentation provided by the claimant during the
           hiring: a) copy of your ID, b) payroll of the claimant
           corresponding to the month of June 2018 and c) savings account in your favor
           accrediting the bank account incorporated into the contract in the Order of
           direct debit SEPA direct debit, IBAN account.

    IV. Certificate issued by Logalty in accordance with the indicated
           previously accrediting the contractual perfection

    This specific agreement, as well as the definition of the perfection process
    electronic contract is collected in two different places in the

    contractual documentation that was sent by email to the claimant
    to your email address
    For all, one cannot expect to find that the contractual document that is

    Provides it comes signed in handwritten form in the boxes enabled by the
    loan applicant. The aforementioned boxes are blank since the act of the
    signature is constituted by the series of electronic evidences that are accredited with
    the certificate provided as a non-manipulable document with a unique identifier,
    digitally signed by Logalty and time-stamped including the evidences

    electronic data obtained during the contracting process as well as the contract
    subscribed electronically.

    In this regard, it is noted that as part of the services provided by Logalty
    there is the sending of two SMS in case of mobile signature for the
    perfection / signature of the contract by the recipient. The hiring certificate
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








    Electronic includes the contract downloaded by the client after receiving the email
    sent to your email address whose particular and general conditions
    were read and later accepted through the OTP code that was

    forwarded to your mobile phone number. The certificate carries a code of
    Unique identification matching the electronic timestamp listed on
    the right margin of the contract.

    In conclusion, the claimant electronically signed the Loan Agreement and
    Credit giving your consent to it and the treatment clause of
    personal data included in it

    As confirmation of the electronic signature of the loan contract Services
    Precriptor transferred the requested amount to the establishment designated by the
    claimant ”.

FIFTH: On October 26, 2020, the respondent was notified of the opening of the
trial period, taking as incorporated all the previous actions, as well as
such as the documents provided by the claimed entity.


                                 PROVEN FACTS


       1 On April 9, 2019, the claimant states that the claimed requires
the payment of a treatment for which you have only requested a budget without formalizing
any financing contract.


       2 On September 17, 2020, the respondent states that the complainant
accepted the particular and general conditions of the Loan and Credit Agreement
giving your consent through an electronic signature process whose validity
legal is the same as if it were handwritten. Proof of this is the certificate of

electronic contracting issued by Logalty.
       3 The name appears in the loan and credit contract dated 08/02/2018

of the claimant with their DNI signed by electronic signature with Logalty seal,
unique identifier and time stamp,
       It consists of the remission of the General Conditions sent by mail

electronic to the claimant and accessible additionally through the address
*** URL.1, as indicated in the contract;

       Likewise, the documentation provided by the claimant during the
hiring process: a) copy of your ID, b) payroll of the claimant
corresponding to the month of June 2018 and c) savings passbook in your favor
of the bank account incorporated into the contract in the direct debit order
direct SEPA, IBAN account.

       Likewise, the certificate issued by Logalty in accordance with the indicated
previously accrediting the contractual perfection.








C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








                            FOUNDATIONS OF LAW


                                              I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDPGDD, the Director of
The Spanish Agency for Data Protection is competent to resolve this

process.

                                             II


Law 39/2015, of Common Administrative Procedure of the Administrations
Public (LPACAP) establishes in its article 89.1 that “the end of the
procedure, with filing of the proceedings, without the need for the formulation
of the resolution proposal, when in the procedure instruction it is

I manifest that any of the following circumstances concur:

        a) The non-existence of the facts that could constitute the offense ”.


                                             III

The defendant is charged with committing an infraction for violation of Article 6 of the

RGPD, "Legality of the treatment", which indicates in its section 1 the cases in which
the processing of third party data is considered lawful:

        "1. The treatment will only be lawful if at least one of the following is met
terms:

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;

      b) the treatment is necessary for the performance of a contract in which the
      interested is part or for the application at the request of this of measures
      pre-contractual;

      (…) "


       The offense is typified in Article 83.5 of the RGPD, which considers as such:

      "5. Violations of the following provisions will be sanctioned, in accordance

with paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:


      a) The basic principles for the treatment, including the conditions for the
      consent in accordance with articles 5,6,7 and 9. "


       Organic Law 3/2018, on the Protection of Personal Data and Guarantee of
Digital Rights (LOPDGDD) in its article 72, under the heading "Infractions

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








considered very serious ”provides:

      "1. In accordance with the provisions of article 83.5 of the Regulation (E.U.)

2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:

        (…)
       b) The processing of personal data without the concurrence of any of the

       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679. "

                                           IV


       In the present case, after a detailed study of the
documents in the present proceeding, and the claims of the defendant,
We must point out that the loan and credit agreement of
date 08/02/2018 the name of the claimant with her DNI signed by signature
Logalty stamped electronics, unique identifier and time stamping,

       It consists of the remission of the General Conditions sent by mail
electronic to the claimant and accessible additionally through the address
*** URL.1, as indicated in the contract.

       Likewise, the documentation provided by the claimant during the
hiring process: a) copy of your ID, b) payroll of the claimant

corresponding to the month of June 2018 and c) savings passbook in your favor
of the bank account incorporated into the contract in the direct debit order
direct SEPA, IBAN account.

       Likewise, the certificate issued by Logalty certifying the perfection
contractual.

       Therefore, the file of this sanctioning procedure proceeds.

       Considering the cited precepts and others of general application, the Director of the
Spanish Agency for Data Protection RESOLVES:


FIRST: ARCHIVE the sanctioning procedure PS / 00207/2020, instructed to
Prescriptor and Means of Payment Services, E.F.C., S.A.U. with NIF A86373701, for having
accredited person who used reasonable diligence, since the claimant formalized a
financing contract.

SECOND: NOTIFY this resolution to Prescriber Services and Media

Pago, E.F.C., S.A.U. with NIF A86373701

In accordance with the provisions of article 50 of the LOPDPGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDPGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/7









Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Mar Spain Martí

Director of the Spanish Agency for Data Protection



















































28001 - Madrid 6 sedeagpd.gob.es