Due diligence in the management of personal data

5月 2022

That very abstract concept: due diligence. In these times, our personal data is society’s most valuable weapon. We are surrounded by technology and what that means is accepting the terms and conditions of every web site we choose to enter.

However, under the presumption that as owners and holders of our personal data we must act with due care in its use and provision to third parties, the obligation is -or should be- greater for the recipients of our data.

In this sense, it is said that companies and third parties that use our data for commercial purposes must use and treat it with due diligence. But what is due diligence in Data Protection?

Recently, the Spanish Data Protection Agency (AEPD) has sanctioned an entity for infringing article 6.1 of the GDPR with the amount of 40,000 euros. The aforementioned legal precept states that the processing of data will only be lawful if at least one of the following conditions is met:

(a) the data subject consents to the processing of his or her personal data for one or more specified purposes;

(b) the processing is necessary for the performance of the contract in question to which the data subject is a party;

(c) processing is necessary for compliance with a legal obligation applicable to the controller;

(d) processing is necessary for the protection of the vital interests of the data subject (or of another natural person);

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child (this point does not apply to processing carried out by public authorities in the performance of their tasks).

In view of the aforementioned article, the sanction in question imposed by the AEPD is based on the fact that the personal data of the injured party were used by a third party for the fraudulent contracting of a loan without his consent, understanding that the entity in question did not act with due diligence. Thus, the Agency explain what the aforementioned term consists of.

“Due diligence is the attention to the legal duty of care. Being duly diligent implies, as regards that legal duty of care, preventing the materialization of the risk (identity fraud) by establishing in advance of the processing an effective system of appropriate measures to avoid it; such a system must be constantly evaluated. As the case law states, liability derives from the actions of the party responsible for being diligent and “cannot be considered to be excluded or attenuated by the fact that the possible fraudulent actions of a third party have been involved, since the liability of the plaintiff does not derive from the latter’s actions, but from its own”.

In this sense, the AEPD states that due diligence is made up of four elements:

Identify: which consists of assessing the actual and potential impact of data processing activities.

Preventing and mitigating: which would be done through tracking and monitoring.

Accountability: communicating how the negative consequences of improper data processing are addressed.

In this regard, due diligence should be adjust to the business environments in which the controller operates, as it encompasses both the adoption of technical and organizational measures appropriate to the processing in question, and the ability to demonstrate compliance.

Therefore, the controller should “be obliged to implement timely and effective measures and must be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Such measures must take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons”.

This underlines the tremendous importance not only of due diligence per se, but also of the possibility to demonstrate it. This is indispensable, since it would not be sufficient, as the National Court has established on several occasions, to allege the absence of fault. Therefore, it is also very important to anticipate through appropriate mechanisms when verifying the identity of the persons whose personal data is going to be processed by those who are legitimated to do so, in order to ensure that they are indeed legitimated to do so.

Below you will find the resolution of the Spanish Data Protection Agency for consultation purposes (available in Spanish).

Eduardo Zamora.