Legal basis considered invalid due to identity theft

The Spanish Supervisory Authority (AEPD) has recently imposed a 60,000 € fine in a controversial case with a cosmetic company (PS/00159/2019). Note that this resolution can be subject to appeal before the Spanish National Court (Audiencia Nacional).

The case originates upon a claim from a consumer alleging the multinational brand unlawfully processed her information without appropriately verifying her identity which resulted in having her data wrongly added in a debt register.

The resolution explains that an individual fraudulently made use of the claimant’s personal data to become one of the distributors engaged by the corporation to sell their products, so the scammer would benefit from receiving products from the brand without paying the amounts due.

It is worth noting that although the scam was reported to the police by the victim, the criminal investigation in this case did not interrupt the administrative procedure before the AEPD.

The defendant exhibited the contract that had been fraudulently filled in by the scammer with the victim’s details, including the online acceptance log and a screenshot of their systems.

Within the documentation submitted, the brand included the invoice and delivery note for the product; however, it is not clear how the delivery was verified.

The AEPD concluded that the contract was invalid since it was not signed, and the online acceptance log was not sufficient proof since the consumer denied its authenticity. On this point, there is abundant case law establishing that in these cases the burden of proof lies with the controller. Since the corporation did not have a valid contract or consent from the consumer, the AEPD concluded that it had no legal basis under art. 6 GDPR for processing her information and including her in a debt register.

Although the company cooperated with the regulator and was itself harmed by the scam (its products were delivered and never paid for), the AEPD stressed that the controller had not put in place the due diligence necessary to verify the identity of the person.

The AEPD has already taken this approach in other similar cases, where it also referred to the Accuracy (Quality) principle. There are other resolutions, in the context of social media networks, where the Regulator attributed responsibility to the scammer who fraudulently used third-party data to create false accounts, instead of penalizing the platform (R/02831/2012). But we will have to see how these cases evolve in the courts.

Companies contracting online with their clients should consider mechanisms to validate the identity of their users, using several different elements to verify identity and conducting regular checks to confirm the effectiveness of these measures. It is important to keep in mind that the growth of scams may also affect the exercise of data subject rights, especially the right of access and the right to data portability; therefore, these safeguards must also be considered in that context.