


Spanish DPA fines top-rate Spanish Bank for ignoring the objection of a data subject to data processing

published on 4 November 2024 | reading time approx. 3 minutes


This case started in April 2023 and was resolved in August 2024. The decision of the Authority was published on October 11, 2024.


On 26 April 2023, the data subject filed a complaint with the AEPD (the Spanish Data Protection Authority) for receiving postal advertising material despite having exercised their right to object to this.

The data subject had sent a letter to the controller (subsidiary of the Spanish Bank) on 27 February 2023, requesting that his personal data be used exclusively to manage his credit card.

Shortly afterwards, the controller (subsidiary of the Spanish Bank) responded to the data subject, confirming receipt of the request and stating that, in accordance with Article 21 and 18 GDPR, the controller had begun to give effect to the request. However, on 23 April 2023, the data subject received (unsolicited) advertising related to the granting of a loan, which was also contrary to his request.

Following the data subject’s complaint, the AEPD requested information from the controller, who confirmed that the data subject had received further advertising by post after having objected to this form of processing of his personal data. The controller argued that a human error by an employee (identified by Santander as “a data processor”) caused the violation; according to this account, a controller’s employee responsible for manually unticking the boxes relevant to the processing had failed to untick the appropriate ones, and this is why the unsolicited advertising reached the data subject.

The Spanish Bank argued that the mistake had then been corrected on the 9th of June 2023 and that therefore the violation had been promptly remedied. Further, the Spanish Bank argued that the mistake was attributable to a data processor (and not to Santander as data controller) and therefore requested the dismissal of the proceedings.

With reference to Article 8 GDPR, the AEPD points out that the processor carries out their function on the instructions of the controller and that therefore violations of the GDPR are attributable to the controller. The AEPD established that the processor was acting on the instructions of the controller in sending the advertisements. 

Thus, the AEPD held that the controller did not exercise the required diligence, as it did not prevent the processing after the request had been made. Therefore, the Spanish Bank was fined EURO 50,000 under Article 83(5)(a) GDPR for violating Article 6(1) GDPR. In setting the fine, the AEPD considered that the violation of Article 6(1) GDPR is of sufficient gravity to warrant the fine of EURO 50,000 in light of the controller’s annual turnover (we must add, needless to say, that in practice EURO 50,000 is less than nothing to the data controller).

author

Manuel Huerta
