News
🇪🇸 A health insurance contract… without consent!
📢 Erroneous Subscription and Unjustified Bank Withdrawals: SANITAS and BBVA Sanctioned
Source: PS 00479-2023
📌 Facts:
🛡️ A health insurance contract with SANITAS and BBVA Seguros was recorded without the complainant's consent.
💰 Bank withdrawals were made between March and May 2022 from their BBVA account.
📌 Origin of the Issue:
⚠️ A "human error" by an agent of BBVA Mediación Operador de Banca-Seguros (OBS) led to the contract being erroneously registered as an active subscription instead of a simple information request.
📌 Involvement of the Parties:
👥 SANITAS and BBVA were deemed joint controllers of the data processing under their co-insurance agreement.
🏦 The OBS (Bank-Insurance Operator) acted as a data processor.
⚠️ No signature or explicit consent from the complainant was obtained.
⚖️ Identified Violations:
1️⃣ Lack of Consent – No Legal Basis (Article 6 GDPR)
📌 The insurance policy was taken out without the client's explicit consent.
📌 ❌ The OBS agent mistakenly recorded the subscription as valid.
2️⃣ Lack of Internal Control
📌 No robust validation mechanisms were in place before activating the policy.
3️⃣ Delayed Responses from BBVA and SANITAS
📅 July 19, 2022 – A written complaint was submitted to BBVA (no response).
📅 September 27, 2022 – A complaint was filed with the AEPD.
📅 November 14, 2022 – The AEPD forwarded the complaint to BBVA (no response).
📅 November 28, 2022 – BBVA finally canceled the contract retroactively to March 1, 2022, and refunded the deducted amounts.
⏳ The case lasted over 8 months before being resolved.
🚨 Consequences and Corrective Measures:
🔴 Severity of the Violation:
🔹 Sensitive Data – SANITAS unlawfully processed health data, a special category of personal data subject to heightened protection (Article 9 GDPR).
🔹 Duration of the Violation – The illegal data processing lasted more than 8 months, worsening the case.
📌 Sanctions:
💰 Administrative fine: €200,000 (reduced to €160,000).
📌 Required Corrective Actions:
✅ Improvement of subscription processes to prevent human errors.
✅ Implementation of mandatory digital signature verification.
📌 SANITAS' Commitments:
🔹 Strengthening security measures and continuous improvement of procedures.
🏁 Conclusion:
⚠️ The AEPD sanctioned SANITAS for processing health data illegally without valid consent.
📜 An erroneous subscription should never lead to unauthorized bank withdrawals!