Spain

NBQ Technology, S.A.U.

24,000 €

GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2021-12-07.

Rank · Sector

#152

of 322 in Finance, Insurance and Consulting

Rank · Spain

#326

of 1,075

Rank · All fines

#991

of 3,050

Case details

Authority: Spanish Data Protection Authority (aepd)
Date: 2021-12-07
Controller / Processor: NBQ Technology, S.A.U.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 6 (1) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Spanish DPA (AEPD) has fined NBQ Technology, S.A.U..
A data subject filed a complaint with the DPA against the company after they had denied him a financial transaction due to alleged outstanding payments on a loan. As it turned out, an identity thief had obtained the data subject's data without authorization and applied for a loan from the data controller under pretense of the data subject's identity. The controller then approved the loan. Since the data processed in the course of granting the loan did not belong to the borrower but to the data subject, the AEPD found that the controller had no legal basis for processing the data. The processing was therefore unlawful and a breach of Art. 6 (1) GDPR was affirmed. The original fine of EUR 40,000 was reduced to EUR 24,000 due to the immediate payment and the admission of guilt.

Open original source Links to the regulator's original publication or another source.