ASNEF-EQUIFAX – €200,000 Fine (Spain, 2025)

ASNEF-EQUIFAX (the controller) is a national credit bureau. The controller included personal data related to a data subject’s debt in their system three times at the request of SD IBERIAN (the creditor). The latter is a company that purchases debt and microloans from banks, and had debt against the data subject. The controller informed the data subject of the inclusion of their data in their credit information system by mail, however, the data subject did not receive the mail because they were sent to the wrong address. The data subject later made three separate requests for the controller to erase the data under Article 17 GDPR. The controller claimed that the requests were forwarded to the creditor, who did not respond. The controller later deleted the information as a precautionary measure and informed the data subject. The data subject learned about the debt being included in the controller's system after consulting ASNEF (National Association of Financial Credit Institutions). The data subject filed a complaint with the DPA on 15 March 2023, and the DPA began sanctioning proceedings against the controller on 30 May 2024. The data subject argued that the data processing was unlawful, because it was included without verifying the accuracy of the debt or the lawfulness of including it in in the file. Furthermore, the controller did not inform the data subject when the data was included in the file. On the other hand, the controller argued that it had complied with its obligations under the GDPR and national data protection law. This included blocking the data as a precautionary measure and responding to the data subject in accordance with Article 12 GDPR. The controller does not have all the information regarding the debts, and therefore the creditor has the full responsibility of guaranteeing that the debts are lawfully included in the system. Furthermore, the controller argued that it did not process the data for the purposes of a credit information system, an