Santander Consumer Finance S.A. – €50,000 Fine (Spain, 2024)

€50,000 | Agencia Española de Protección de Datos | 22 August 2024 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On 26 April 2023, the data subject filed a complaint with the AEPD for receiving postal advertising material despite having exercised their right to object to this. The data subject had sent a letter to the controller on 27 February 2023, requesting that his personal data be used exclusively to manage his credit card. On 7 March 2023, the controller responded to the data subject, confirming receipt of the request and stating that, in accordance with Articles 21 and 18 GDPR, it had begun to give effect to the request. However, on 23 April 2023, the data subject received advertising related to the granting of a loan, contrary to his request.

Following the data subject's complaint, the AEPD requested information from the controller. On 6 July 2023, the controller confirmed that the data subject had received another advertisement in the post after having objected to this form of processing of his personal data. The controller argued that a human error by an employee caused the violation: the employee responsible for manually unticking the boxes relevant to the processing had failed to untick three boxes, which is why the advertisement reached the data subject. It argued that the mistake had been corrected on 9 June 2023 and that the violation had therefore been remedied. Further, the controller argued that a processor was responsible for the violation and therefore requested the dismissal of the proceedings.

Controller responsibility

With reference to Article 8 GDPR, the AEPD points out that the processor carries out its function on the instructions of the controller and that violations of the GDPR are therefore attributable to the controller. As Articles 5(2), 24, 28 and 32 GDPR set out, compliance monitoring of the processing is attributable to the controller regardless of the involvement of a processor. The AEPD established that the processor was acting on the instructions of the controller in sending the advertisements. G

GDPR Articles Cited

Art. 8 GDPR
Art. 21 GDPR
Art. 5(2) GDPR
Art. 6(1) GDPR


This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 22 August 2024
Authority: Agencia Española de Protección de Datos
Fine Amount: €50,000
GDPRhub ID: gdprhub-8376

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Santander Consumer Finance S.A. - Spain (2024). Retrieved from cookiefines.eu
