AEPD (Spain) - EXP202405119: Difference between revisions

From GDPRhub
mNo edit summary
mNo edit summary
Line 66: Line 66:


=== Facts ===
=== Facts ===
On 22 April 2024, the Spanish DPA (AEPD) initiated sanctioning procedures against Watium S.L. (the controller). As part of its investigation, the AEPD twice requested the controller to provide information related to the complaint filed against it. The requests were collected by the controller on 23 November 2023 and 9 February 2024 respectively.
On 22 April 2024, the Spanish DPA (AEPD) initiated sanctioning procedures against Watium S.L. (the controller). As part of its investigation, the AEPD twice requested the controller to provide information related to the complaint filed against it. The requests were received by the controller on 23 November 2023 and 9 February 2024 respectively.


On 21 February 2024, the controller requested that the period for providing the documents and information be extended to 29 February 2024. Despite this request, the controller did not respond to the AEPD with the requested information.
On 21 February 2024, the controller requested that the period for providing the documents and information be extended to 29 February 2024. Despite this request, the controller did not respond to the AEPD with the requested information.

Revision as of 09:06, 28 May 2024

AEPD - EXP202405119
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1) GDPR
Type: Investigation
Outcome: Violation Found
Started: 23.11.2023
Decided:
Published: 22.05.2024
Fine: 96,000 EUR
Parties: Watium S.L.
National Case Number/Name: EXP202405119
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a controller €160,000 for failing to respond to the DPA's requests for information. The controller acknowledged its fault and paid a reduced fine of €96,000 in accordance with national law.

English Summary

Facts

On 22 April 2024, the Spanish DPA (AEPD) initiated sanctioning procedures against Watium S.L. (the controller). As part of its investigation, the AEPD twice requested the controller to provide information related to the complaint filed against it. The requests were received by the controller on 23 November 2023 and 9 February 2024 respectively.

On 21 February 2024, the controller requested that the period for providing the documents and information be extended to 29 February 2024. Despite this request, the controller did not respond to the AEPD with the requested information.

Holding

Article 58(1)(e) GDPR empowers DPAs to order controllers to facilitate information in order for DPAs to conduct their investigation. The failure to comply with such requests for information constitutes a violation of Article 83(5)(e) GDPR.

Given these likely violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €160,000. In calculating the sanction, the AEPD noted that this was a grave infraction warranting a high sanction. It also took account of the large size of the controller, aiming for the fine to be dissuasive and proportionate.

Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €96,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/8








     File No.: EXP202405119

       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE

                                    VOLUNTEER

From the procedure instructed by the Spanish Data Protection Agency and based
to the following



                                  BACKGROUND

FIRST: On April 22, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against WATIUM S.L. (in

hereinafter, the claimed party), through the Agreement that is transcribed:

<<



File No.: EXP202405119


            AGREEMENT TO START SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency, and in
based on the following

                                      FACTS

FIRST: As a consequence of a claim presented to the Spanish Agency

of Data Protection against WATIUM S.L. with NIF B86459260 (hereinafter, the part
claimed), showing signs of a possible non-compliance with the rules in the
scope of the powers of the Spanish Data Protection Agency,
They initiated proceedings with file number EXP202309276.


In accordance with the provisions of article 65 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD hereinafter), the claim was transferred to the person in charge or to the Delegate
of Data Protection that may have been designated, requesting that you send
to this Agency the information and documentation that was indicated.


The transfer, which was notified in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP) through electronic means, was collected by the
claimed party dated July 27, 2023, as stated in the acknowledgment of receipt that
work in the file.


On August 24, 2023, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/8








SECOND: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the investigative powers granted to the authorities of

control in article 58.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter RGPD), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD.

Within the framework of the investigative proceedings, the party was referred twice
claimed a request for information, related to the claim indicated in the

first section, so that, within a period of ten business days, it could be presented to this
Agency the information and documentation that were indicated.

THIRD: The aforementioned information requirement, which was notified in both
occasions in accordance with the standards established in the LPACAP through means

electronics, was collected by the claimed party on November 23, 2023
and February 9, 2024, as stated in the acknowledgments of receipt in the
proceedings.

FOURTH: With date February 21, 2024 and entry registration number
REGAGE24e00013639767, the claimed party presents a document in which it requests the

extension of the deadline granted to provide information and documentation
required until February 29, 2024.

FIFTH: Regarding the requested information, the claimed party has not sent
any response to this Spanish Data Protection Agency.


SIXTH: According to the report collected from the AXESOR tool, the entity
WATIUM S.L. is a company established in 2012, and with a volume of
business of ***AMOUNT.1 euros in 2022.



                          FOUNDATIONS OF LAW

                                           Yo
                                    Competence


In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                          II
                                Unfulfilled obligation


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/8








In accordance with the evidence available at the present time of
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the claimed party has not provided the Agency

Spanish Data Protection Agency the information you requested.

With the indicated conduct of the claimed party, the investigative power that the
Article 58.1 of the RGPD confers on the control authorities, in this case, the AEPD,
has been hindered.


Therefore, the events described in the “Facts” section are considered to constitute
an infraction, attributable to the claimed party, due to violation of article 58.1 of the
RGPD, which provides that each supervisory authority will have, among its powers of
investigation:


“a) order the person responsible and the person in charge of the treatment and, where appropriate, the
representative of the person responsible or the person in charge, who provide any information
that is required for the performance of its functions.”

                                           III
                        Classification and classification of the offense


In accordance with the evidence available at the present time
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the facts presented could constitute a
infringement, attributable to the claimed party.


This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “no
provide access in breach of Article 58(1).”

The same article establishes that this violation can be punished with a fine.

of twenty million euros (€20,000,000) maximum or, in the case of a
company, of an amount equivalent to four percent (4%) maximum of the
total global annual business volume of the previous financial year, opting for the
of greater amount.

For the purposes of the limitation period for infringements, the alleged infringement

prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as
The following behavior is very serious:

“ñ) Do not facilitate access by data protection authority personnel
competent to personal data, information, premises, equipment and means of

processing that is required by the data protection authority for the
exercise of its investigative powers.”

                                           IV
                                 Sanction proposal


The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In
Consequently, the sanction to be imposed must be graduated according to the criteria

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/8








established in article 83.2 of the RGPD, and with the provisions of article 76 of the
LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. Also, for
To ensure consistent application of the GDPR, consideration must be given to

Guidelines 04/2022 formulated by the European Data Protection Committee on the
calculation of fines under the GDPR.

In light of the facts presented, without prejudice to what results from the instruction of the
procedure, it is considered appropriate to impute a sanction to the party
claimed for violation of article 58.1 of the RGPD typified in article 83.5 e)

of the GDPR. The sanction that would be imposed is an administrative fine for a
amount of 160,000.00 euros.

The following have been considered as circumstances for graduation of the sanction:
- The classification of the infraction carried out by the legislator himself in art. 83 of the

RGPD, placing it within the set of most serious infractions of the
sections 5 and 6 of this article, which have a higher sanctioning range.
- The nature of the infringement in accordance with art. 83.2.a), for the interests protected
and its place in the framework of personal data protection. By not providing a
response to the information request made, the powers of
investigation that the RGPD provides to the control authorities, hindering the

control function entrusted to them by the RGPD, and thus making supervision difficult
on the effective application of the regulations and compliance with the objectives that
pursue.
- The turnover of the responsible company, so that the fine is
effective, dissuasive and proportionate, in accordance with art. 83.1 of the GDPR.



Therefore, in light of the above,
By the Director of the Spanish Data Protection Agency, IT IS AGREED:


FIRST: START SANCTIONING PROCEDURE against WATIUM S.L., with NIF
B86459260, for the violation of article 58.1 of the RGPD, typified in art. 83.5 e) of the
cited GDPR.

SECOND: ORDER WATIUM S.L. that, according to the power of investigation
provided in article 58.1.a) of the RGPD, is provided, within a period of ten business days,

the information required in the requirements made within the framework of the
actions with file number EXP202309276 and which have been referred to in
the description of the facts of this initiation agreement.

THIRD: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S.,

indicating that they may be challenged, if applicable, in accordance with the provisions of the
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).

FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the

information requirements issued by the General Subdirectorate of Inspection of
Data within the framework of the actions with file number EXP202309276 and the
accreditation of having been notified.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/8








FIFTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that
could correspond would be, for the alleged violation of article 58.1 of the RGPD,
typified in article 83.5 of said rule, administrative fine of an amount

160,000.00 euros, without prejudice to what results from the investigation.

SIXTH: NOTIFY this agreement to WATIUM S.L., with NIF B86459260,
granting him a hearing period of ten business days to formulate the
allegations and present the evidence you consider appropriate. In his writing of
allegations must provide your NIF and the file number that appears in the

heading of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of the LPACAP.


The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, its expiration will occur and, in
consequently, the archive of actions; in accordance with the provisions of the
article 64 of the LOPDGDD.


In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 128,000.00 euros, resolving the

procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,

The penalty would be established at 128,000.00 euros and its payment will imply the
termination of the procedure, without prejudice to the imposition of the measures
corresponding.

The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition

of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 96,000.00 euros.


In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (128,000.00 euros or 96,000.00 euros), you must do so
cash by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/8








Data Protection in the banking entity CAIXABANK, S.A., indicating in the
concept the reference number of the procedure appearing in the heading

of this document and the reason for the reduction in the amount to which it applies.

Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.


Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.


                                                                                972-110923
Sea Spain Martí
Director of the Spanish Data Protection Agency


 >>

SECOND: On May 16, 2024, the claimed party has proceeded to pay

of the penalty in the amount of 96,000 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to

The opening of the procedure entails the waiver of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.




                           FOUNDATIONS OF LAW

                                           Yo

                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures."

                                           II

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/8








                             Termination of the procedure


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,

The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction has only a pecuniary nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in

Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of

any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
“regularly.”


According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202405119, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to WATIUM S.L..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                                936-040822
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/8


































































































C/ Jorge Juan, 6 www.aepd.es

28001 – Madrid sedeagpd.gob.es