ASNEF-EQUIFAX – €200,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
ASNEF-EQUIFAX was fined EUR 200,000 for mishandling a person's debt information. The company included this information in their records without properly notifying the individual, which is against the rules. This case shows that companies must ensure they have accurate information and communicate clearly with individuals about their data.
What happened
ASNEF-EQUIFAX included a person's debt information in their system without verifying its accuracy or notifying the individual correctly.
Who was affected
A person whose debt information was included in ASNEF-EQUIFAX's records without proper notification.
What the authority found
The Spanish DPA ruled that ASNEF-EQUIFAX processed personal data unlawfully by failing to inform the individual and verify the accuracy of the debt.
Why this matters
This ruling emphasizes the need for companies to ensure accurate data processing and proper communication with individuals. Businesses must verify information before including it in their records.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
ASNEF-EQUIFAX (the controller) is a national credit bureau. The controller included personal data related to a data subject’s debt in their system three times at the request of SD IBERIAN (the creditor). The latter is a company that purchases debt and microloans from banks, and had debt against the data subject. The controller informed the data subject of the inclusion of their data in their credit information system by mail, however, the data subject did not receive the mail because they were sent to the wrong address. The data subject later made three separate requests for the controller to erase the data under Article 17 GDPR. The controller claimed that the requests were forwarded to the creditor, who did not respond. The controller later deleted the information as a precautionary measure and informed the data subject. The data subject learned about the debt being included in the controller's system after consulting ASNEF (National Association of Financial Credit Institutions). The data subject filed a complaint with the DPA on 15 March 2023, and the DPA began sanctioning proceedings against the controller on 30 May 2024. The data subject argued that the data processing was unlawful, because it was included without verifying the accuracy of the debt or the lawfulness of including it in in the file. Furthermore, the controller did not inform the data subject when the data was included in the file. On the other hand, the controller argued that it had complied with its obligations under the GDPR and national data protection law. This included blocking the data as a precautionary measure and responding to the data subject in accordance with Article 12 GDPR. The controller does not have all the information regarding the debts, and therefore the creditor has the full responsibility of guaranteeing that the debts are lawfully included in the system. Furthermore, the controller argued that it did not process the data for the purposes of a credit information system, an
Related Enforcement Actions (0)
No other enforcement actions found for ASNEF-EQUIFAX in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
19 May 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
GDPRhub ID
gdprhub-9409About this data
Cite as: Cookie Fines. ASNEF-EQUIFAX - Spain (2025). Retrieved from cookiefines.eu
Last updated: