Post by account_disabled on Mar 6, 2024 19:24:32 GMT -8
According to the Data Protection Regulation, data processing will be lawful when there is consent from the owner; when it is, for example, necessary to satisfy the legitimate interests pursued by the data controller; or when a contractual relationship exists. In this case, there was indeed a contractual relationship, but not with the third person who posed as the claimant. "The person who was using the data was a person outside the contractual relationship," says the AEPD.

Law 10/2010 allows operations to be denied to clients if they do not identify themselves correctly, the ruling indicates. Furthermore, the bank's own protocols require identifying "if the person carrying the document is the same as the one that appears in the photograph of the document, (...), observing the holder himself physically and determining whether his appearance and age coincide with that of the person in the photograph" and "a superficial look at the DNI is not enough. You have to look at it in detail."

Furthermore, "what is paradoxical is that the copy of the DNI that was provided at that time to carry out the operation was digitized by the same person who provided the money to the usurper, that is, that the DNI provided at the time of the provision was scanned and registered in the entity's database (...) Therefore, the above evidence is that on the same day of the cash delivery, the digitization was carried out by the branch employee in the entity of the DNI used in the operation, without realizing that the person in front of them was not who they said they were, not guaranteeing the security of the data," the resolution reads.