ID Finance – €180,000 Fine (Spain, 2024)

In September and December 2022, a data subject requested that ID Finance Spain, S.A.U. (the controller), a financial technology company that provides loans, delete their personal data from its credit information systems. The data subject stated that it had never applied for a loan from the controller and attached a police report to its request to demonstrate that they had reported the alleged fraud to the police. The controller only responded to the latter request, when it refused to delete the data on the basis that the data subject had an unpaid debt and, ignoring the attached police report, stated that a police report was required for all deletion requests. On 23 January 2023, a data subject filed a complaint with the Spanish DPA (AEPD), seeking deletion of their data. The complaint also argued that the controller unlawfully transmitted their data to the national association of credit financiers ASNEF-EQUIFAX’s solvency files. The controller argued that its processing was based on consent and produced a contract and debt certificate. Neither document was signed by the data subject. In addition to the unsigned contract, the controller claimed that it verified the identity of the loan applicant based on: * SMS messages with the phone number listed by the applicant. The AEPD’s investigation revealed that the phone number provided in the loan application did not belong to the data subject. * Responses from an IP address. The AEPD noted that the controller did not verify whether or not the IP address belonged to the data subject. * A certificate of bank title. The AEPD’s investigation revealed that the bank account listed in the loan application did not belong to the data subject. * Verification of the loan applicant’s name and national identification number. The controller serviced DEYDE Calidad de Datos, S.L., a processor which cross-referenced the name and national ID provided in the application against the State Agency of Tax Administration’s census. This pro