EQUIFAX IBERICA S.L. – Court Ruling (Spain, 2021)

In its decision AEPD - PS/00451/2019, the Spanish DPA (AEPD) fined Equifax, a credit agency, €75,000 for unlawful processing of data. Equifax appealed this decision with the Spanish National High Court (Audiencia Nacional, "AN"). The court declared that the decision issued by the AEPD, since the DPA had carried out a correct interpretation of the GDPR and the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act]. Since the controller had failed to block the data included in the credit file for 30 days, as the Data Protection Act requires, the controller was processing the data unlawfully, and could therefore not rely on any legal basis. Additionally, the court noted that the controller had alleged that, since the Data Protection Act had entered recently into force, they had not been able to implement a proper blocking system, and they did not have the means at the time to block the data; so the controller had acknowledged that they had not carried out the blockage. The court also remarked that the fine was proportional, since the DPA had taken into account the circumstances of the case and had imposed a proportionate and justified fine, in accordance with Article 83(5) GDPR.