The Spanish data protection authority (AEPD) has fined the company for unlawful processing of personal data. The penalty is the result of proceedings initiated on the basis of a complaint by a person who was denied credit. The reason for the refusal was information regarding the applicant’s non-payment of his debts, which was included in the credit information system. The applicant indicated that in the past he had been the victim of identity theft, which had been used to defraud money. As a result, his details were included in the debtors’ register. The complainant informed the company and the police about this.
The AEPD found that NBQ Technology had no basis for processing the debt data. The data ended up in the company’s IT system illegally. The lack of due diligence and the direct link between the company’s business activities and the processing of customers’ personal data, which should entail a professional approach to the issue of performing operations on the data and their security, were also considered to be circumstances that incriminated the personal data controller.