PRA IBERIA, S.L. – €60,000 Fine (Spain, 2021)

A data subject lodged a complaint with the Spanish DPA (AEPD) stating that a credit company was requiring the payment of a series of debts on behalf of a bank without having contracted any services. The data subject also tried to access their right to access before the company to verify what data the controller had on them, without receiving any official answer. The AEPD requested the controller documentation to prove the existence of the contract. The controller provided the contract with the personal data and bank data, but was not able to provide a signed contract, a copy of the ID or a recording of the phone call in which the contract was made. The debt had been surrogated from another company, that sold their portfolio of debtors. When the data subject received such notification, they decided to exercise the right to access. The AEPD found that the bank account used for the purposes of the debt had only been active before the services had been contracted. The debt derived from the non-payment was generated five years after the cancellation of the account. The bank could neither prove that the initial transfers or the devolution of the money had been carried out. The AEPD concluded that the controller had violated Article 6 GDPR, since they were not able to prove that the data subject had validly entered the contract. Additionally, the AEPD found that the controller had violated the principle of accuracy from Article 5(1)(d) GDPR, since the personal data of the data subject that they were processing were not accurate and the controller did not act to solve this. The AEPD also found that the controller had not effectively answered to the access request submitted by the data subject, what implied a violation of Article 15 GDPR. The AEPD decided to fine the controller a total of €60,000: €30,000 for the violation of Article 6, and €30,000 for the violation of Article 15.