News

🇪🇸 A health insurance contract… without consent!

Legal basis | 26/03/2025

📢 Erroneous Subscription and Unjustified Bank Withdrawals: SANITAS and BBVA Sanctioned

Source: PS 00479-2023

📌 Facts:

🛡️ A health insurance contract was registered in the complainant's name with SANITAS and BBVA Seguros, without the complainant's consent.
💰 Premiums were withdrawn from the complainant's BBVA account between March and May 2022.

📌 Origin of the Issue:
⚠️ A "human error" by an agent of BBVA Mediación Operador de Banca-Seguros (OBS) led to the contract being erroneously registered as an active subscription instead of a simple information request.

📌 Involvement of the Parties:
👥 SANITAS and BBVA were deemed joint controllers of the data processing under their co-insurance agreement.
🏦 The OBS (Bank-Insurance Operator) acted as a data processor.

⚠️ No signature or explicit consent from the complainant was obtained.

βš–οΈ Identified Violations:

1️⃣ Lack of Consent – No Legal Basis (Article 6 GDPR)
πŸ“Œ The insurance was subscribed without the client's explicit consent.
πŸ“Œ ❌ The OBS agent mistakenly recorded the subscription as valid.

2️⃣ Lack of Internal Control
📌 No robust validation mechanism was in place to confirm the client's consent before the policy was activated.

3️⃣ Delayed Responses from BBVA and SANITAS
📅 July 19, 2022 – A written complaint was submitted to BBVA (no response).
📅 September 27, 2022 – A complaint was filed with the AEPD.
📅 November 14, 2022 – The AEPD forwarded the complaint to BBVA (no response).
📅 November 28, 2022 – BBVA finally canceled the contract retroactively to March 1, 2022, and refunded the amounts deducted.

⏳ More than eight months passed between the erroneous registration in March 2022 and the cancellation of the contract.

🚨 Consequences and Corrective Measures:

🔴 Severity of the Violation:
🔹 Sensitive Data – SANITAS unlawfully processed health data, a special category of personal data subject to stricter protection (Article 9 GDPR).
🔹 Duration of the Violation – The unlawful processing continued for more than eight months, which aggravated the case.

📌 Sanctions:
💰 Administrative fine: €200,000 (reduced to €160,000).

📌 Required Corrective Actions:
✅ Improvement of subscription processes to prevent human errors.
✅ Implementation of mandatory digital signature verification.

📌 SANITAS' Commitments:
🔹 Strengthening security measures and continuous improvement of procedures.

🏁 Conclusion:

⚠️ The AEPD sanctioned SANITAS for processing health data unlawfully, without valid consent.
📜 An erroneous subscription should never lead to unauthorized bank withdrawals!
