The Spanish Supreme Courts confirms Equifax's liability

The case involves Equifax Ibérica S.L., which was sanctioned by the Spanish Data Protection Agency (AEPD) for violating data protection laws. The violation pertained to the inclusion of personal data in credit information files without proper notification to the affected individual. Specifically, Equifax had a contract with Testa Residencial SOCIMI S.A. to send payment demand letters before including individuals' data in credit solvency files. However, the letters sent by Equifax did not inform the individuals that their data would be included in such files if they failed to pay their debts. This omission led to the inclusion of the complainant's data in the Asnef credit file without the required prior notification.

The Spanish Supreme Court enacted a judgment on 16 October 2024 dismissing the appeal filed by Equifax Ibérica S.L. and confirming the 50,000 euros fine The court concluded that Equifax had failed to fulfil its contractual and legal obligations to properly notify individuals about the potential inclusion of their data in credit information files, as required by the relevant data protection regulations.

In the contract between Equifax and Testa it was specifically agreed that Equifax (as data processor) is obliged to make the request for payment prior to the inclusion of data in the financial solvency and credit files, the Asnef file, which must contain the information that in the event of non-payment, it would be included in the financial solvency and credit file, and it has the obligation to check whether the letter issued by Testa contains this information.

However, in this case, Equifax sent the letter to the complainant with the logo and signature of the creditor entity, Testa, requesting payment of the debt, but without the warning that in the event of non-payment, it would be included in the credit and equity solvency file.

The Supreme Court emphasized that the obligation to inform individuals about this possibility is a crucial requirement under Article 20.1.c) of Spanish Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD) and Article 6.1.f) of the General Data Protection Regulation (GDPR). The Supreme Court also noted that the responsibility for this notification could not be shifted solely to the creditor (Testa Residencial) and that Equifax, as the entity managing the data processing, had a duty to comply with these legal requirements. The Supreme Court's interpretation of the contract and the legal provisions led to the conclusion that Equifax had indeed violated the data protection laws, justifying the imposed sanction.