Cetelem charged a man ten times for a stranger’s debt. The AEPD fined the bank 250 thousand euros.

  • Cetelem claims it was all due to ‘human error’

  • The AEPD considers that the account number is personal data that has been misused.

  • The fine was 250,000 euros, but was eventually reduced to 150,000 euros.

The Spanish Data Protection Agency (AEPD) has fined the bank Cetelem €250,000 for collecting, from an uninvolved third party, a debt owed by another person. As stated in the ruling (PDF), the complainant received ten debit charges for another person’s debt during 2022 and 2023, which the AEPD considers a misuse of personal data.

The facts. According to the ruling, on 20 October 2023 the complainant filed a complaint with the AEPD against Cetelem. Cetelem had debited “loan receipts from an unknown third party” from his bank account. The first eight charges, made in 2022, were disputed with Cetelem and refunded. The complainant also asked the bank to delete his personal data, which it did. However, in September and October 2023, Cetelem issued two more charges.

According to Cetelem, “the unlawful charges for 2022 and 2023 on the plaintiff’s account arose due to human error.”

The data was sold. How could a charge be made again if the data had been deleted? According to Cetelem, the bank did delete the data after the first complaint, but it had “sold the debt to a third company in June 2023”, and that contract still included the complainant’s bank account number.


How did that number get there? That is the key to the case. While Cetelem attributes the problem to human error and “errors in the initial transcription of the account number,” the ruling notes that “the bank account check digits make it virtually impossible to erroneously ‘create’ a genuine account number.” According to the complainant, “the error is due to the fact that Cetelem would have included the plaintiff’s bank account in the debtor’s contract without verifying ownership of the account.”
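The check-digit point the ruling relies on, as an added example that is not from the article or the ruling: a Spanish IBAN carries two layers of checksum, the ISO 7064 mod 97-10 check digits and the domestic CCC control digits, and no single-digit transcription error survives both. The bank, branch and account numbers below are constructed sample values.

```python
CCC_WEIGHTS = (1, 2, 4, 8, 5, 10, 9, 7, 3, 6)

def ccc_control_digit(block: str) -> str:
    """One CCC control digit over a 10-digit block: weighted sum mod 11."""
    total = sum(int(d) * w for d, w in zip(block, CCC_WEIGHTS))
    r = 11 - (total % 11)
    return str({11: 0, 10: 1}.get(r, r))

def ccc_control_digits(bank: str, branch: str, account: str) -> str:
    """Both CCC digits: first over '00'+bank+branch, second over the account."""
    return ccc_control_digit("00" + bank + branch) + ccc_control_digit(account)

def iban_check_digits(country: str, bban: str) -> str:
    """ISO 7064 mod 97-10 check digits (letters map to 10..35)."""
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c
                      for c in bban + country + "00")
    return f"{98 - int(numeric) % 97:02d}"

def is_valid_spanish_iban(iban: str) -> bool:
    """True only if the IBAN checksum and the embedded CCC digits both agree.
    A pass proves the number is well-formed, not that it belongs to the debtor."""
    iban = iban.replace(" ", "").upper()
    if len(iban) != 24 or not iban.startswith("ES") or not iban[2:].isdigit():
        return False
    if iban_check_digits("ES", iban[4:]) != iban[2:4]:
        return False
    bank, branch, dc, account = iban[4:8], iban[8:12], iban[12:14], iban[14:]
    return ccc_control_digits(bank, branch, account) == dc

def single_digit_typos_that_pass(iban: str) -> int:
    """Count one-digit substitutions that still validate; mod 97 makes this 0."""
    iban = iban.replace(" ", "")
    hits = 0
    for i, c in enumerate(iban):
        if c.isdigit():
            for d in "0123456789":
                if d != c and is_valid_spanish_iban(iban[:i] + d + iban[i + 1:]):
                    hits += 1
    return hits

def build_sample_iban() -> str:
    """Assemble a constructed sample IBAN (bank 2100, branch 0418, account 0200051332)."""
    bank, branch, account = "2100", "0418", "0200051332"
    bban = bank + branch + ccc_control_digits(bank, branch, account) + account
    return "ES" + iban_check_digits("ES", bban) + bban
```

Because every single-digit slip is rejected, a well-formed account number that reaches a debtor’s contract got there by being copied from somewhere, which is why the checksum has to be paired with a check of who actually owns the account before any charge or onward transfer.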

Misuse of personal data. Since the affected party does not owe the debts and had no prior contractual relationship with the bank, the AEPD considers that Cetelem “carries out this processing without a lawful basis, since it does not have the consent of the interested party”. In other words, the bank account number in this case is personal data that has been misused.

The fine. The AEPD therefore fined Cetelem 250,000 euros: 100,000 euros for using personal data without express authorisation; 50,000 euros for negligence in deleting the number from its database but not from the contract with the debt-purchasing company; and another 100,000 euros because Cetelem is a banking institution and for “obtaining the plaintiff’s bank account number, keeping it despite the interested party’s exercise of the right to erasure, and finally transmitting it to a third party without effectively verifying the accuracy of the data.”

However, since the bank does not intend to appeal the sanction and will pay it within the voluntary period, the amount has been reduced to 150,000 euros.
