A health insurance contract… without consent!
Erroneous Subscription and Unjustified Bank Withdrawals: SANITAS and BBVA Sanctioned
Source: PS 00479-2023

Facts:
- A health insurance contract was recorded with SANITAS and BBVA Seguros without the complainant's consent.
- Bank withdrawals were made from the complainant's BBVA account between March and May 2022.

Origin of the Issue:
- A "human error" by an agent of BBVA Mediación Operador de Banca-Seguros (OBS) led to the contract being registered as an active subscription instead of a simple information request.

Involvement of the Parties:
- SANITAS and BBVA were deemed joint controllers of the data processing under their co-insurance agreement.
- The OBS (bank-insurance operator) acted as a data processor.
- No signature or explicit consent was obtained from the complainant.

Identified Violations:
1. Lack of Consent, No Legal Basis (Article 6 GDPR)
- The insurance was subscribed without the client's explicit consent.
- The OBS agent mistakenly recorded the subscription as valid.
2. Lack of Internal Control
- No robust validation mechanisms were in place before the policy was activated.
3. Delayed Responses from BBVA and SANITAS
- July 19, 2022: a written complaint was submitted to BBVA (no response).
- September 27, 2022: a complaint was filed with the AEPD.
- November 14, 2022: the AEPD forwarded the complaint to BBVA (no response).
- November 28, 2022: BBVA finally cancelled the contract retroactively to March 1, 2022, and refunded the deducted amounts.
- The case took over 8 months to resolve.

Consequences and Corrective Measures:
Severity of the Violation:
- Sensitive data: SANITAS unlawfully processed health data, a specially protected category (Article 9 GDPR).
- Duration of the violation: the unlawful processing lasted more than 8 months, aggravating the case.
Sanctions:
- Administrative fine: €200,000 (reduced to €160,000).
Required Corrective Actions:
- Improvement of subscription processes to prevent human errors.
- Implementation of mandatory digital signature verification.
SANITAS' Commitments:
- Strengthening security measures and continuous improvement of procedures.

Conclusion:
- The AEPD sanctioned SANITAS for unlawfully processing health data without valid consent.
- An erroneous subscription should never lead to unauthorized bank withdrawals!