70,000 euro fine for Pelayo Insurance Company for the non-consensual transfer of personal data
The 70,000 euro fine imposed on Pelayo Insurance Company is the consequence of a non-consensual transfer of personal data. The Spanish Data Protection Agency (AEPD) fined the insurer because personal data was transferred to a third party without the client’s consent.
This act by Pelayo Mutua de Seguros y Reaseguros constitutes an infringement regulated by two articles of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data (GDPR).
More specifically, it is based on Article 5.1.f) of that Regulation, which states that personal data shall be processed in a manner that ensures its security and protection, through integrity and confidentiality. In relation to this precept, Article 32 sets out the requirements for the security of processing.
Lack of consent in the transfer of personal data
The claim against the insurer arose from a complaint filed by the client on 22 September 2021. In the complaint, she alleged that the insurer had transferred a large amount of her personal data, such as name, surname, ID card number, address, telephone number, information about the policy she had taken out, etc., to a third party without any consent.
This third party, the recipient of the personal data, was a person with whom the customer had signed an earnest money contract for the subsequent sale and purchase of her car.
In this context, she discovered that her personal data had been transferred when the car buyer sent her a copy of a document which contained her personal information and the insurance policy that she had taken out with Pelayo.
When the customer filed the complaint, the insurer initially argued that the transfer had been carried out legitimately, since the third party was already aware of the data through the contractual relationship for the sale and purchase that he had been maintaining with the injured party.
Infringement of the GDPR and breach of security measures
The AEPD has stated that the insurer has committed a breach of the principle of integrity and confidentiality regulated in article 5.1.f) of the GDPR.
According to this principle, personal data must be processed in a manner that ensures adequate security, including protection against unauthorised processing, such as providing information to a third party without the data subject’s approval. This, as the AEPD pointed out, reflects a lack of diligence in complying with the principle of confidentiality.
In addition, there was a breach of security measures, which violates another precept of the regulations in force. It was found that Pelayo, as the controller, did not deploy the measures that should have been adopted in this type of situation to guarantee the security of the data: technical and organisational security measures that ensure a level of security proportional to the risk, as required by Article 32 GDPR.
Consequences of transferring personal data without prior consent
In view of this situation, the AEPD imposed a fine of 50,000 euros for failing to comply with art. 5.1.f) and another of 20,000 euros for violating the provisions of article 32.
However, despite the breach of security measures, the entity was able to benefit from two reductions, one for voluntary payment and one for acknowledgement of responsibility, each deducting 20% of the amounts.
Consequently, and with the application of both reductions, a total penalty of 42,000 euros has been imposed. Nevertheless, the judgement is not final, and the insurer has the possibility of appealing before the Litigation Chamber of the National High Court.
At Letslaw, our team has wide experience in Digital Law and Data Protection, among other services. Do not hesitate to contact us.
Letslaw is an international law firm specialising in business law.