The Legal Office of the Spanish Data Protection Agency (hereinafter, the “AEPD”, its Spanish acronym, has issued a report (0195/2017) on a series of issues related to the impact that the full application, on 25 May 2018, of the Regulation (EU) 2016/679 of the European Parliament and of the European Parliament – the GDPR – will have on the data processing carried out by the entities associated with the consultant, the Spanish National Association of Credit Financial Institutions.

We will now summarize the most relevant points analyzed by the AEPD in terms of (i) cases of legitimacy for the processing of data (legitimate interest of the data controller) and (ii) right to the portability of data:

1. Cases of legitimacy for the processing or transfer of data protected by the legitimate interest (art. 6.1 (f) of the GDPR):

Article 6 of the GDPR provides for different legal bases that legitimize the processing of personal data. The AEPD analyses different cases in which the processing of data would be covered by the legitimate interest of the controller or a third party, i. e. on a legal basis other than the data subject’s consent or where processing was necessary for the performance of a contract or the application of pre-contractual measures.


– Data processing in order to analyze the creditworthiness of a customer for subsequent financing.

The AEPD analyzes two scenarios:

1. The one that would be carried out by the entity to assess the creditworthiness of the customer who specifically requests a particular financing product in order to determine the risk that it could generate and decide whether or not to conclude the contract: consent is not required since the treatment is based on a valid legal basis – Art. 6.1 (b) and (c) of the RGPD.

2. The one in which the risk assessment is carried out without the client having requested any financing product and which would also be used by the entity to offer the client that unsolicited product or service (for example, the preauthorization of a credit that has not been requested by the client):

The AEPD considers that it is NOT possible to protect access to asset and credit files in the legitimate interest in order to offer the customer some unsolicited products or services. Why is that? Because the obligation of institutions to obtain available information on the creditworthiness and risk level of a client or potential client may be based on the client’s request for the service, but not on the entity’s unilateral decision to carry out such profiling. Therefore, in order to carry out this treatment, it would require either the request for the product or service by the data subject, or the data subject’s consent to the treatment.

However, if the offer of products or services is made with data that comes solely from the information available to the entity in relation to the products or services contracted by the customer, without the same being supplemented with information originating from other sources (i.e., new consultations), it can be understood that the assessment of the risk and solvency carried out by the entity for these activities is protected by legitimate interest and it is NOT necessary to obtain the consent.

The transfer of data for the prevention of fraud – between companies within the same group and/or outside the group – (the AEPD analyses a case of transfers carried out through fraudulent access to a customer’s account): the prevention of fraud is one of the cases in which the legitimate interest based on article 6.1 (f) of the GDPR can be invoked and, in this respect, the transfer of data motivated by the need to know certain data in order to assess the commission of fraud, does NOT require consent as the rule of legitimate interest applies.

B. TREATMENT FOR MARKETING PURPOSES: advertising and commercial communications in line with the development of the business conducted by the entity of its own products and / or services.

Before resorting to the applicability of Article 6.1 (f) of the GDPR, it is necessary to differentiate the applicable regulatory regime according to the means used for the transmission of such communications:

– Electronic communications: Art. 21.2 of the Spanish Law of Services of the Society for Information authorizes the sending of commercial communications by these means, provided that there has been a previous contractual relationship and that they relate to products or services of your own company that are similar to those initially contracted with the customer. This is without prejudice to the right of the customer to object at any time.

– Communications sent by means other than electronic means: the AEPD considers that the provisions of article 21.2 of the Spanish Law of Services of the Society for Information are applicable in analogical terms, but requires the following:

– Applicable only to cases in which the interested party maintains a valid relationship with the entity.

– The products or services offered may be considered “similar” to those contracted by the client. What would be meant by “similar product or service”? Other products related to savings or credit, but excluding other “financial services” such as insurance, offering of products or services that are not related to the entity’s activity, or offering of products or services whose advertising action derives from the existence of a specific agreement with the advertiser referred to in the advertisement or affects non-financial products or services but offered by group companies or participated by the entity.

– Establishing, in addition, a simple procedure for the exercise of the right of opposition by the customer.

C. TRANSFER OF PERSONAL DATA WITHIN THE GROUP: Controllers who are part of a corporate group or affiliated entities of a central body may have a legitimate interest in transferring personal data within the corporate group for internal administrative purposes, including the processing of personal data of customers or employees.

D. NETWORK SECURITY: processing of personal data to the extent strictly necessary and proportionate to ensure network and information security (e. g. preventing unauthorized access to electronic communications networks and malicious code distribution, and curbing “denial of service” attacks and damage to computer and electronic communications systems), is protected by the legitimate interest of the controller or a third party.


The AEPD sets out the following considerations with regard to the exercise of the right to portability of data under Article 20 of the GDPR:

The right to the portability of data should be seen as a complementary right to the right of access, although the former is more limited than the latter: the right of access concerns all data being processed; whereas the right to portability concerns only processing carried out by the data subject’s will or authorization.

– Time period: the idea that the right should refer to “current data” should be rejected if it is to be considered as data relating to the present moment, without taking into account the data provided by the data subject or obtained through the use of the product or service previously contracted and which are being processed at the time of exercising the right.

– Material space: this should, of course, include data provided directly by the data subject (such as identifying data or data relating, for example, to direct debits from banks or contributions to savings and investment instruments), but also data directly related to the development of the service (such as account movements or payment history in asset products). What would be excluded? Data resulting from the application of the entity’s own techniques, such as those derived from customer ratings or customer profiling.

Time limit for exercising the right? Neither Article 20 of the GRPD nor its recital 68 sets out any special criteria. The AEPD considers that in asset products, the right to data portability could be exercised throughout the term of the contract relating to the product or service; in liability products, the time limit for these services is usually around two years prior to the time the information is requested and should therefore be applied.

The right to portability may only be exercised by the holders of financial products, and not by the persons authorized in those products.

by Belén Berlanga, partner, Adarve Abogados