Quick Facts
-
Fine Amount: €225,000 (reduced to €180,000 via voluntary payment)
-
Primary Violation: Non-compliance with supervisory authority order (GDPR Article 58.2)
- Relevant Period: Mar-24 > Dec-24
- Regulator: Office of the Comptroller of the Currency (OCC)
- Fine Date: 29-May-25
Overview
The Agencia Española de Protección de Datos (AEPD) initiated a sanctioning procedure against TRIVE CREDIT SPAIN, S.L. for failing to comply with a prior resolution requiring the company to address a data subject's access request under Article 15 of the General Data Protection Regulation (GDPR). The procedure stemmed from TRIVE's repeated non-response to AEPD requirements.
Details of the Case
The case originated from a data subject's (A.A.A.) exercise of their right of access to personal data held by TRIVE CREDIT SPAIN, S.L., a financial services company. On March 12, 2024, the AEPD issued a resolution in procedure EXP202315972, estimating the claim and requiring TRIVE to provide the claimant with certification of access or a motivated denial within 10 business days, with notification to the AEPD.
TRIVE failed to comply, leading to further AEPD requirements on August 23, 2024, and October 1, 2024, which also went unanswered. This non-compliance prompted the AEPD to start a sanctioning procedure on December 2, 2024, alleging a violation of GDPR Article 58.2, which mandates adherence to supervisory authority decisions.
TRIVE submitted allegations on December 18, 2024, arguing confusion due to similar parallel procedures, absence of intent, and abusive conduct by the claimant, while highlighting its data protection protocols. Despite these defenses, the AEPD issued a proposal on May 29, 2025, but the procedure ended upon TRIVE's voluntary payment
WORKED EXAMPLES
- Unattended Access Request (August 2023): On August 10, 2023, the claimant requested access to loan documents. TRIVE provided copies twice, but the claimant sent a near-identical request minutes later in a separate email chain, leading to confusion. This instance contributed to the initial claim, with TRIVE noting the claimant's prior suppression request in January 2023 blocked some data under LOPDGDD Article 32.
- Supporting details: Emails exchanged confirmed provision of available loans, but the claimant alleged incomplete response, escalating to AEPD complaint on September 19, 2023.
- Impact: Formed the basis for procedure EXP202315972, highlighting repeated access exercises (three in 2023 alone).
- Non-Compliance with Initial Resolution (March 2024): Following the AEPD's March 12, 2024, resolution granting the access claim, TRIVE was required to act within 10 business days. No certification or denial was provided, and the claimant reported non-fulfillment on July 19, 2024.
- Supporting details: Notification received by TRIVE on March 12, 2024; no appeal filed, making it final.
- Impact: Led to potential very serious infringement under GDPR Article 83.6, with prescription under LOPDGDD Article 72.1.m.
- Ignored AEPD Requirements (August-October 2024): AEPD sent requirements for compliance evidence on August 23, 2024, and October 1, 2024. TRIVE collected both but provided no response.
- Supporting details: Requirements demanded certification to the claimant within 5 days and notification to AEPD within 10 days.
- Impact: Directly triggered the sanctioning procedure on December 2, 2024, for GDPR Article 58.2 violation.
Fines and Penalties
The AEPD proposed a total fine of €225,000 for the infringement of GDPR Article 58.2. This was reduced to €180,000 following TRIVE's voluntary payment, which terminated the procedure.
Key Quotes
"PRIMERO: ESTIMAR la reclamación formulada por A.A.A. al considerar que se ha infringido lo dispuesto en el Artículo 15 del RGPD e instar al TRIVE CREDIT SPAIN, S.L., con NIF B87258091, para que, en el plazo de diez días hábiles desde que la presente resolución sea firme y ejecutiva, remita a la parte reclamante certificación por la que se atienda el derecho de Acceso ejercido o se deniegue motivadamente indicando las causas por las que no procede atender la petición." (From the March 12, 2024, AEPD resolution)
"FIRST: ESTIMATE the claim filed by A.A.A., considering that the provisions of Article 15 of the GDPR have been infringed, and urge TRIVE CREDIT SPAIN, S.L., with NIF B87258091, to, within the period of ten business days from when this resolution is final and enforceable, send to the claiming party certification by which the exercised right of Access is addressed or is denied in a motivated manner indicating the reasons why it is not appropriate to address the request."
"Transcurrido el plazo de la resolución inicial y de los sucesivos requerimientos, TRIVE no ha remitido respuesta a esta Agencia que acredite que ha atendido el derecho de acceso ejercido o que lo ha denegado motivadamente indicando las causas por las que no procede atender la petición." (From the sanctioning procedure antecedents)
"Once the period of the initial resolution and the subsequent requirements has elapsed, TRIVE has not sent a response to this Agency that proves that it has addressed the exercised right of access or that it has denied it in a motivated manner indicating the reasons why it is not appropriate to address the request."
"La actuación anómala y abusiva descrita originó dos procedimientos ante la AEPD prácticamente idénticos y que se han solapado temporalmente. Este caos generado por A.A.A. provocó en Trive un error involuntario al no contestar a la AEPD." (From TRIVE's December 18, 2024, allegations)
"The described anomalous and abusive action originated two procedures before the AEPD that are practically identical and that have overlapped temporally. This chaos generated by A.A.A. provoked in Trive an involuntary error in not responding to the AEPD."
Sources
