AEPD (Spain) - EXP202210212

From GDPRhub
Revision as of 11:26, 4 September 2024 by Fb (talk | contribs)
AEPD - EXP202210212
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.05.2024
Published:
Fine: 300 EUR
Parties: n/a
National Case Number/Name: EXP202210212
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lorea.mendi

The DPA fined a controller €300 for using a video surveillance camera for home security which captured a neighbor’s patio.

English Summary

Facts

A resident (the controller) installed a video surveillance camera that recorded a portion of their property. The camera had a 360 view and faced the controller’s porch. Part of the camera’s range included the neighbors’ patio and garden.

The data subject filed a complaint with the Spanish DPA (AEPD). The controller did not respond to the DPA’s notices about the case. On 1 June 2023, the DPA initiated sanctioning proceedings against the controller.

Holding

The DPA found that the controller had infringed Article 5(1)(c) GDPR and issued a €300 fine.

The principle of data minimisation, the DPA wrote, generally prohibits the capture of images of public life. Under limited circumstances, video cameras that capture some private space may be necessary to ensure security. In such cases, cameras should capture the minimum portion necessary for the preservation of security.

In this case, the controller had other means available to them which would not record the neighbor’s patio and yard so extensively. It thus did not meet the necessity standard and was found to infringe the principle of data minimisation.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12

 File No.: EXP202210212

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based

on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) on 09/16/2022 filed

a claim with the Spanish Data Protection Agency. The claim is
directed against B.B.B., with NIF ***NIF.1 (hereinafter, the respondent party). The
claim is based on the existence of indications that the video surveillance camera
that the respondent party has installed in the property on ***ADDRESS.1 street
violates the personal data protection regulations.

The complainant has stated that “in the adjoining house” “a video surveillance camera has been installed that may be focusing on her house due to the
position in which it is placed.” That she and her family, which includes
two minor children, feel intimidated and do not go about their daily lives due to
the pressure caused by feeling watched. She adds that “she does not know if the camera is

recording or receiving images instantly or if it is a camera without any
type of image reception” but that at no time has she given authorization to
the respondent party to install cameras that focus on her and her family, whether or
not they are recording.

She provides the following documents:

-Copy of the complaint filed on 09/07/2022 with the Civil Guard. In it, he declares
that on that day he noticed that the neighbour of the house next to his own “has installed
a video surveillance camera right on the roof of the entrance of said

house and that he presumes that it could perhaps be recording images of his house”.

That, previously, the camera was installed on the access door and that he has moved it to the
indicated place. That the camera is not wired, so it could be wireless.

- Photo report: Three photographs that allow to see where the video camera is located in the
house of the respondent party and its position in relation to that of the

complainant party.

The camera, of “Dome” format or similar - whose vision and recording index is 360
degrees - is attached to the roof of the porch of the respondent party's house right

where his house ends and that of the complainant begins, next to the dividing wall that

separates them. The dividing wall is half-height, slightly higher than the garden fence, so that the installed camera can record the garden or patio of the complainant's home. In the case of the respondent's home,
there is a porch next to the garden, at the right end of which the dividing wall is located.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12

On 06/03/2023, a new letter was received from the complainant in which
it reports that the camera is still installed; that it does not know whether it is recording or not and

that the facts that were brought to the attention of the Agency on 16/09/2022 persist.

He provides four photographs: It is observed that the location of the camera remains the
same and that the complainant has installed a panel on the vertical of the dividing wall that
separates the houses in order to increase its height, which would reduce the
view of the video camera on his house. Despite this, due to its position and the
technical characteristics that it appears to have, the camera could capture images of the
outside patio of the complainant's house.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the
Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party so that
it could proceed to analyze it and inform this Agency within one month of the
actions carried out to comply with the requirements provided for in the data protection
regulations.

The transfer, which was carried out in accordance with the regulations of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was not collected by the recipient:

The transfer was carried out by post on 10/04/2022. It was “Returned to Origin for

Surplus (Not picked up at office)" on 10/14/2022. The two delivery attempts (dated 10/6 and 7/2022) had the same result: “03 Absent”. A notice was left in the
mailbox. This is stated in the Certificate of Impossibility of Delivery issued by Correos y
Telégrafos, S.A.E. (hereinafter, Correos)

The shipment was repeated on 10/20/2022. The certificate issued by Correos states
“It has been returned to Origin for 02 Incorrect address on 10/26/2022”. According to this
certificate, only one first delivery attempt was made, on 10/24/2022, with the result
“03. Absent”.

It was reiterated a second time by postal mail dated 11/02/2022 that It was

“Returned to Origin due to Surplus (Not picked up at office)” on 11/14/2020. Two delivery attempts were made - on 11/4 and 11/7/2022 - with the result “03 Absent”. A notice was left
in the mailbox.

No response has been received to this transfer letter.

THIRD: On 11/29/2022, in accordance with article 65 of the LOPDGDD,
the claim submitted by the claimant is admitted for processing, which is
notified, and recorded as received by the claimant, on 12/14/2022.

FOURTH: On 01/06/2023, the Director of the Spanish Data Protection Agency agrees to initiate sanctioning proceedings against the respondent party for the alleged
infringement of article 5.1.c) of the GDPR, as defined in article 83.5.a).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12

The agreement to open the procedure is notified to the respondent party by
post with an absent result. In this regard, the file contains the
document Certification of Impossibility of Delivery issued by Correos on

07/07/2023, which certifies that the shipment addressed to the respondent at the
address “***ADDRESS.1” has been returned to origin due to surplus on
05/05/2023. It offers this information: The first delivery attempt is made on
06/26/2023, at 12:28, with a result of “03 Absent”. The second attempt is on
06/28/2023, at 15:58, with a result of “03 Absent”. “Notice was left in the mailbox”.

In accordance with the provisions of article 44.1 of the LPACAP, the notification was made
through an announcement published in the Official State Gazette (BOE),
Notification Supplement, dated 07/12/2023.

FIFTH: Having notified the start agreement in accordance with the rules established in the

LPACAP and having passed the period granted for the formulation of allegations, it has been
verified that no allegation has been received from the respondent party.

Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed
in the agreement to open the procedure- establishes that, if no allegations are made in the period provided for regarding the content of the agreement to open the procedure, when

it contains a precise statement regarding the imputed liability, it may be considered a resolution proposal.

The agreement to open the procedure determined the facts in which the infringement of the GDPR attributed to the respondent party was specified and the sanction that

could be imposed. Therefore, taking into account that the respondent party has not
made allegations to the agreement to open the procedure, and in accordance with the provisions of
article 64.2.f) of the LPACAP, the aforementioned agreement to open the procedure is
considered in the present case a resolution proposal.

In view of all the actions taken, the Spanish Data Protection Agency in the present procedure considers the following facts to be proven:

PROVEN FACTS

FIRST: The complainant filed a complaint on 09/16/2022 in which
she states that in the house next to hers (house on the street of
***ADDRESS.1) a video surveillance camera has been installed that may be
focusing on her house due to the position in which it is placed and that she and her family,

among which there are two minor children, feel intimidated and do not
go about their daily lives due to the pressure caused by feeling watched.

SECOND: The facts stated by the complainant were reported by her to
the Civil Guard on 09/07/2022. She provides a copy of the complaint.

THIRD: There are seven photographs in the file provided with the claim that
clearly show these points:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12

- Both houses are adjacent and the dividing wall is half-height.
- In the property of the claimant, the dividing wall is followed by the garden or
patio. In the property of the claimant there is a porch next to this wall.

- A video camera is installed on the roof of the porch, at the end that coincides with the
vertical line of the dividing wall, and in the part of it furthest from the house.
- The camera, spherical in shape, has the characteristics of the “Domo” model, with
360º viewing and recording capacity.
- The location of the camera and the characteristics of the construction

perfectly allow the recording of the garden/patio of the complainant's home.

FOURTH: The file provided by the respondent on 06/03/2023 contains four

photographs that show these points:

- That the location of the camera remains the same as that reflected in the
photographs provided with the claim.
- That a panel appears installed on the vertical line of the dividing wall that separates the
homes, on the side of the claimant's home, which attempts to

reduce the camera's range of vision of her home. Despite this, due to
the position and characteristics of the camera, it could continue to capture
images of the garden/outside patio of the claimant's home.

FIFTH: The respondent has not made any objections to the start agreement.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of the GDPR and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
The image is personal data

Article 4.1 of the GDPR defines personal data as “any information about an

identified or identifiable natural person («the data subject») […]”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12

Therefore, the image of a natural person is personal data, for
example, images generated by a camera or video camera system, and its

processing is subject to data protection regulations. It is worth mentioning the SAN of 21/03/2023, Rec. 330/2021, which states that the image of a person is personal data and indicates that it has “[…] declared on multiple occasions (SSAN of 19/12/2018, Rec. 286/2017 and of 27/12/2019, Rec. 786/2018) that
the image of a person constitutes personal data within the meaning of […] current

Article 4.1 of the General Data Protection Regulation (GDPR) to the extent that
it allows the identification of the affected person, as indicated by the judgment of the Court of Justice of the European Union of 11 December 2014 (case C-212/13)”.

III
Principles of data protection and data processing for video surveillance purposes

Article 6.1 of the GDPR establishes the assumptions that allow the processing of personal data to be considered lawful.

Regarding processing for video surveillance purposes, article 22 of the LOPDGDD
provides that natural or legal persons, public or private, may carry out
image processing through camera or video camera systems for the purpose of
preserving the security of persons and property, as well as their
facilities.

The processing of personal data is subject to the rest of the principles of
processing contained in article 5 of the GDPR. We will highlight the principle of
data minimisation contained in article 5.1.c) of the GDPR, which provides that personal
data will be “adequate, relevant and limited to what is necessary in relation

to the purposes for which they are processed”.

This means that, in a specific processing, only the appropriate personal data may be
processed; that are relevant and that are strictly necessary
to fulfil the purpose for which they are processed. The processing must be adjusted and
proportionate to the purpose for which it is directed. The relevance of the
data processing must be present both at the time of data collection and in the
subsequent processing of these.

In accordance with the above, the processing of excessive data must be restricted or
deleted.

The application of the principle of data minimization in the field of video surveillance
means that images of public roads cannot be captured, since the
processing of images in public places can only be carried out by the Security Forces and Corps with prior government authorization.

On some occasions, for the protection of private spaces where cameras have been
installed on facades or inside, it may be necessary, to guarantee the
security purpose, to record a portion of the public road.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12

That is to say, cameras and video cameras installed for security purposes may not
obtain images of public roads unless it is essential for this purpose or

it is impossible to avoid this due to their location. And, in such extraordinary
cases, the cameras may only capture the minimum portion necessary to
preserve the safety of people and property, as well as the facilities.

In no case will the use of surveillance practices beyond the environment
object of the installation be permitted and, in particular, they may not affect the surrounding

public spaces, adjacent buildings and vehicles other than those that access the monitored space.

The cameras installed cannot take images of private third-party spaces
and/or public spaces without a duly accredited justified cause, nor can they affect

the privacy of pedestrians who circulate in the area.

Therefore, the placement of cameras towards the private property of neighbors with the purpose of intimidating them or affecting their private sphere without a justified
cause is not permitted.

Nor can images be captured or recorded in spaces owned by third parties
without the consent of their owners, or, where appropriate, of the people who are in them.

Likewise, it is disproportionate to capture images in private spaces, such

as changing rooms, lockers or workers' rest areas.

IV
Obligations regarding video surveillance

In accordance with the above, the processing of images through a video surveillance system, in order to comply with current regulations, must comply with the following
requirements:

1.- Natural or legal persons, public or private, may establish a video surveillance

system for the purpose of preserving the security of persons and property,
as well as their facilities.

It must be assessed whether the intended purpose can be achieved in another way that is
less intrusive to the rights and freedoms of citizens. Personal data should only

be processed if the purpose of the processing cannot reasonably be achieved by
other means (Recital 39 of the GDPR).

2.- The images obtained cannot be used for a subsequent purpose
incompatible with that which motivated the installation of the video surveillance system.

3.- The duty to inform those affected, as provided for in articles
12 and 13 of the GDPR and 22 of the LOPDGDD, must be complied with.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12

In this regard, article 22 of the LOPDGDD provides for a “layered information” system in relation to video surveillance.

The first layer must refer, at least, to the existence of the treatment
(video surveillance); to the identity of the person responsible; to the possibility of exercising the
rights provided for in articles 15 to 22 of the GDPR and to the indication of where
to obtain more information on the processing of personal data.

This information will be contained in a device placed in a sufficiently visible

place and must be provided in advance.

The information in the second layer must be available in a place that is easily
accessible to the affected party, whether it is an information sheet in a reception area, ATM, etc.,
placed in a visible public space or on a web address and must refer to the other

elements of article 13 of the GDPR.

4.- The processing of images through the installation of camera or video camera
systems must be lawful and comply with the principles of proportionality and
data minimisation in the terms already indicated.

5.- The images may be kept for a maximum period of one month, unless
they must be kept to prove the commission of acts that threaten the
integrity of persons, property or facilities. In such a case, they must be made available
to the competent authority within a maximum period of 72 hours from the moment the existence of the recording
becomes known.

6.- The controller must keep a record of the processing activities carried out under his/her responsibility, which includes the information referred to in article 30.1 of the GDPR.

7.- The controller must carry out a risk analysis or, where appropriate, an impact assessment on data protection, to detect the risks derived from the implementation of the video surveillance system, assess them and, where appropriate, adopt the appropriate security measures.

8.- When a security breach occurs that affects the processing of cameras for

security purposes, provided that there is a risk to the rights and freedoms of natural persons, the AEPD must be notified within a maximum period of
72 hours.

A security breach is understood to be the accidental or unlawful destruction, loss or

alteration of personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data.

9.- When the system is connected to an alarm center, it may only be
installed by a private security company that meets the requirements

contemplated in article 5 of Law 5/2014 on Private Security, of April 4.

The Spanish Data Protection Agency offers access through its website
[https://www.aepd.es] to:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12

• the legislation on personal data protection, including the
RGPD and the LOPDGDD (section “Reports and resolutions” / “regulations”),

• the Guide on the use of video cameras for security and other purposes,
• the Guide for compliance with the duty to inform (both available in the
section “Guides and tools”).

Also of interest, in the case of carrying out low-risk data processing, is the free tool Facilita (in the “Guides and tools” section), which, through

specific questions, allows the data controller’s situation to be assessed with respect to the
processing of personal data that it carries out and, where appropriate, generate various
documents, information and contractual clauses, as well as an annex with indicative security
measures considered minimum.

V
Violation of article 5.1.c) of the GDPR

The respondent party is accused of violating the principle of data
minimization established in article 5.1.c) of the GDPR, which states: “Personal data

shall be: […] adequate, relevant and limited to what is necessary in relation to the purposes
for which they are processed (“data minimisation”).”

The respondent party is considered the data controller, which is defined in Article 4.7 of the GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing.”

The principle of data minimization is binding on the data controller. Furthermore, the data controller is obliged, by virtue of the principle of proactive responsibility contained in Article 5.2 of the GDPR, to comply with the principles described in Article 5.1 - which is why the principle of data minimization is now relevant - and to be in a position to demonstrate compliance.

Recital 39 of the GDPR states regarding data minimization that “Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means.”

In the present case, it has been proven through the documentation in the file that:

-In the defendant's home, next to the intersection of the latter and the claimant's home, almost vertically above the dividing wall that separates them, a video surveillance camera is installed. The camera is located on the roof of a porch of the defendant's home, at its right end, vertically above the dividing wall, of medium height, that separates both homes.

-The external characteristics of the installed camera coincide with those of the "Domo" model, with a 360-degree vision and recording index.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12

It is therefore evident that the installed camera can capture images of the interior of the claimant's home: the patio or garden. Also, the respondent party
can place the camera in other parts of his home and guarantee the safety of

his person, property and facilities, without it being necessary in any case for such purpose to keep it in the place where it is located.

Therefore, it is proven that the respondent party has not respected the due
proportionality between the data processing that it carries out through its video camera and the purposes for which such processing is authorized by the GDPR:
the security of people, property and facilities. This purpose is incompatible with

the camera capturing images of the interior of a private home (article 22.2
LOPDGDD), such as, in the present case, the patio or garden of the complainant party's home.

In view of the above, it is concluded that the processing carried out by the respondent party through the video surveillance system installed in his home, at the location of which there is documentary evidence, violates the principle of minimisation of personal data established in article 5.1.c) of the GDPR.

VI
Classification of the infringement of article 5.1.c) of the GDPR

The infringement of article 5.1.c) of the GDPR, for which the respondent party is held responsible, is classified in article 83.5. of the GDPR, which states:

“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of up to EUR 20,000,000 or,

in the case of an undertaking, an amount equivalent to up to 4% of the total annual global turnover of the
previous financial year, whichever is higher:
a) the basic principles for processing, including the conditions for
consent pursuant to Articles 5, 6, 7 and 9.”

The LOPDGDD, for the sole purpose of determining the limitation period for the
infringement, classifies the violation of Article 5.1.c) of the GDPR as very serious and sets a limitation period of three years for it. Article 72.1 of the LOPDGDD states:

“In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.”

VII
Administrative fine

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12

Data controllers are subject to the sanctioning regime
established in the GDPR and the LOPDGDD (article 70 LOPDGDD)

Among the corrective measures that the Agency, as a supervisory authority,
can adopt and that are detailed in article 58.2 of the GDPR, it includes (section i) the
possibility of imposing an administrative fine in accordance with article 83 of the GDPR.

In turn, article 83.1 of the GDPR requires supervisory authorities to ensure that the
administrative fines they impose for breaches of the GDPR are, in each

individual case, effective, proportionate and dissuasive. In addition, to determine its
amount, the GDPR provides some criteria or grading factors in article 83.2 of the
GDPR.

Article 83.5 of the GDPR provides for a fine of up to 20 million euros for the infringement of article 5.1.c) of the GDPR, for which the
respondent is held responsible.

In the particular case at hand, in consideration of the provisions of
articles 83.1 and 83.2 of the GDPR, it is agreed to impose an administrative fine of 300€ (three hundred
euros) on the respondent party for the infringement of article 5.1.c) of the GDPR.

VIII
Corrective measures imposed on the respondent party

Article 58.2 of the GDPR grants supervisory authorities the possibility of adopting
various corrective measures, including, section d), “ordering the controller or
processor to comply with the provisions of this Regulation, where appropriate, in a certain manner
and within a specified period”.

In this resolution, in light of the circumstances and in application of
Article 58.2.d) of the GDPR, the respondent party is ordered to:

-Remove the camera or video camera system from the location where it is
currently installed, as evidenced by the documentation in the file.

-Or, to proceed to adopt appropriate technical measures (such as a
privacy mask) to prevent viewing images of the complainant's home.

The respondent party must adopt the corrective measure ordered here and prove compliance to this Agency within 10 business days from the date this resolution became enforceable.

The respondent party is advised that failure to comply with the requirements of this agency may be considered an administrative violation in accordance with the provisions of the GDPR, as defined in its articles 83.5 and 83.6, with this non-compliance giving rise to the opening of a subsequent administrative sanctioning procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12

Therefore, in accordance with applicable legislation and having assessed the criteria for

graduating sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on B.B.B., with NIF ***NIF.1, for an infringement of article 5.1.c)
of the GDPR, classified in article 83.5.a) of the GDPR, a fine of €300 (three hundred

euros).

SECOND: ORDER B.B.B., with NIF ***NIF.1, pursuant to article 58.2.d) of the
RGPD, to, within ten business days from the date this resolution becomes
enforceable, prove to this Agency the removal of the video camera from its
current location or the adoption of technical measures, such as the
privacy mask, to demonstrate that its video camera system cannot capture
images of the complainant's home adjacent to his/her own.

THIRD: NOTIFY this resolution to B.B.B., with NIF ***NIF.1

FOURTH: This resolution will be enforceable once the deadline for filing the
optional appeal for reconsideration ends (one month from the day following the
notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is hereby notified that he/she must pay the sanction imposed once
this resolution is enforceable, in accordance with the provisions of article

98.1.b) of the LPACAP, within the voluntary payment period established in article 68 of the
General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by means of its
payment, indicating the NIF of the sanctioned party and the procedure number that appears in
the heading of this document, in the restricted account number IBAN: ES00-0000-

0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.
Otherwise, the collection will be carried out during the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforcement is between the 1st and 15th of each month, both inclusive, the deadline

to make the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both
inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with article 48.6
of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

interested parties may, at their discretion, lodge an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month from
the day following notification of this resolution or directly
an administrative appeal before the Administrative Litigation Division of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Administrative Litigation Jurisdiction, within a period of two months from the
day following notification. of this act, as provided for in article 46.1 of the

referred Law.

Finally, it is noted that, in accordance with the provisions of article 90.3 a) of the LPACAP,
the final resolution may be provisionally suspended by administrative means if the

interested party expresses his intention to file an administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing to the Spanish Data Protection Agency, submitting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-

web/], or through one of the other registries provided for in art. 16.4 of
the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the
documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal

within two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

938-16012024
Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es