🇪🇸 A lack of supervision in the subcontracting relationship
🇪🇸🚨 Accessing Driving License Points Without Customer Consent: An Auto Insurance Company Fined 🚨
The AEPD has imposed a €300,000 fine for illegally accessing customers' driving license point balance.
📌 Facts:
🔹 A complaint was filed on February 14, 2022, with the AEPD against the insurance company Línea Directa Aseguradora.
🔹 The company illegally accessed customers' driving license point balance via its subcontractor Majorel, without valid consent.
🔹 Hidden objective: Offer insurance discounts to clients with a low point balance.
❌ Identified Violations:
1️⃣ Lack of legal basis for data processing (Article 6(1) of the GDPR)
📌 Data held by the DGT (General Directorate of Traffic) was accessed without explicit consent.
📌 Clients were not informed that their data would be used to determine discounts.
2️⃣ Bypassing the DGT authentication system
📌 The subcontractor used customers’ credentials and entered a third-party email address to retrieve confidential data, without customers' knowledge.
📌 This fraudulent method was applied to multiple clients.
3️⃣ Failure to comply with contractual obligations with the subcontractor (Article 28(3) of the GDPR)
📌 Línea Directa Aseguradora did not provide clear instructions to its subcontractor regarding consent management.
⚖️ Administrative Sanction:
💰 €300,000 fine for GDPR violations:
• €100,000 for lack of a legal basis (Article 6(1)).
• €200,000 for failing to supervise and verify subcontractor compliance (Article 28(3)).
📅 Mandatory compliance within 3 months.
📢 Conclusion:
✅ This case highlights the importance of complying with legal bases when collecting and processing personal data.
✅ Companies must closely monitor their subcontractors and impose strict obligations to avoid severe GDPR violations.
✅ Fraudulent access to government data can lead to severe sanctions and damage a company's reputation.