SD IBERIAN PORTFOLIOS, S.A – €200,000 Fine (Spain, 2025)

SD IBERIAN PORTFOLIOS, S.A (the controller) bought a credit from a data subject’s bank. The bank was informed of the data subject's insolvency proceedings. Data relating to the data subject's debt was included at the controller's request in ASNEF (Spanish National Registry of Financial Statistics, a public credit registry). The data subject requested ASNEF in November 2022 to erase the data, and in response ASNEF deleted the data as a precautionary measure. The data subject later filed an access request in 2023 and found out that the data was included in the ASNEF database again. The data was transferred despite the fact that said debt was exonerated following insolvency proceedings in 2021. The data subject requested the data to be deleted, and presented a complaint to the DPA in January 2023. In response, ASNEF temporarily removed the data for up to three months. In this case, the controller has a contract with SERVDEBT ESPAÑA, S.L (the processor) to manage proceedings of the debts bought by the controller. The controller argued that the data subject never sent a confirmation of debt forgiveness, and that it should not be expected to consult the public registry (Registro Público Concursal) every time it acquires a new credit. It is interesting to note that the controller is established in Luxembourg. However, the Luxembourgish DPA allowed the Spanish DPA to issue the decision, because the affected data subjects were in Spain (Article 56(2) GDPR and 56(5) GDPR). Furthermore, Article 77 GDPR allows the data subject to file a complaint to a supervisory authority of the Member State of their habitual residence. The DPA began the sanctioning proceedings against the controller in February 2025. According to the DPA, the processing did not meet the requirements under Spanish data protection law (Organic Law on Protection of Personal Data and Guarantee of Digital Rights or LOPDGDD). [https://www.boe.es/buscar/pdf/2018/BOE-A-2018-16673-consolidado.pdf Article 20 LOP