AEPD (Spain) - PS/00127/2020: Difference between revisions
From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
No edit summary |
||
Line 48: | Line 48: | ||
}} | }} | ||
The Spanish DPA issued a warning to Iberia Líneas Aéreas de España for not informing their workers in accordance with Article 13 GDPR regarding a fingerprint clocking-in system. | |||
== English Summary == | ==English Summary== | ||
=== | ===Facts=== | ||
Iberia Líneas Aéreas de España installed a new fingerprint clocking-in system for their workers. They did it following the guidance of the General Labour Confederation. However, Iberia did not inform their workers about the aspects of the general information duty included in Article 13 GDPR. | |||
===Dispute=== | |||
=== Holding === | Is this a violation of Article 13 GDPR? | ||
===Holding=== | |||
progress | progress | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
Revision as of 15:16, 6 April 2021
AEPD - PS/00127/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 05.04.2021 |
Fine: | None |
Parties: | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL |
National Case Number/Name: | PS/00127/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA issued a warning to Iberia Líneas Aéreas de España for not informing their workers in accordance with Article 13 GDPR regarding a fingerprint clocking-in system.
English Summary
Facts
Iberia Líneas Aéreas de España installed a new fingerprint clocking-in system for their workers. They did it following the guidance of the General Labour Confederation. However, Iberia did not inform their workers about the aspects of the general information duty included in Article 13 GDPR.
Dispute
Is this a violation of Article 13 GDPR?
Holding
progress
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 Procedure Nº: PS / 00127/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: The claim filed by Ms. A.A.A. (hereinafter the claimant), It has an entry dated 04/29/2019 in the Spanish Agency for Data Protection. The claim is directed against IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. UNIPERSONAL OPERATOR, with NIF A85850394 (hereinafter, the claimed one). The reasons on which the claim is based are: that on 01/24/2019 the C.G.T (Confederación General del Trabajo) asked the company to follow a series of guidelines: creation and notification of the mandatory file and obligation to duly inform the workers before the collection of the fingerprints of the service agents auxiliaries for a new signing system that would be implemented in the near future. The 02/27/2019 Iberia replies that it is a lawful and adequate treatment, in addition of measures for safe treatment. However, to date there has been no provided no document to workers who register their fingerprint. SECOND: The Subdirectorate General for Data Inspection proceeded to transfer the claim to the defendant to report on the facts and the measures taken, having knowledge of the following points: On 06/18/2019, the claim submitted for analysis was transferred to the defendant of the decision taken in this regard. Likewise, it was required so that within the period of one month send the Agency certain information: - Copy of the communications, of the adopted decision that has been sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received the communication of that decision. - Report on the causes that have motivated the incidence that has originated the claim. - Report on the measures adopted to prevent the occurrence of similar incidents. - Any other that you consider relevant, etc. On 07/19/20196 the respondent responded to the request for information answering the questions raised and providing the following documentation: - Letter from the CGT dated 01/24/2019. - Response from IBERIA on 01/29/2019. - Letter from CGT dated 03/18/2019. - Analysis of Impact on privacy on the treatment in question. - Communication to all employees on 05/25/2018. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 - Privacy policy for IBERIA employees. - Screenshots of the Intranet and the app for employees of the business. Subsequently, on 09/12/2019, the defendant was asked to provide the study of Impact evaluation; giving an answer the next day noting that the aforementioned The report could only be provided in MS Excel format, not having been accepted as valid in the electronic office, reason for which it proceeded to present it through the Agency physical record. THIRD: On 10/09/2019, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim filed. FOURTH: On 09/30/2020, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged infringement of article 13 of the RGPD, sanctioned in accordance with the provisions of article 58.2.b) of the RGPD. FIFTH: Notified the initiation agreement, the claimed on 10/15/2010 presented brief of allegations stating in summary the following: that it was reiterated in the allegations made in writing dated 07/19/2019 and stated that there had been prepared and communicated to the staff informative note on biometric treatment using fingerprint or facial recognition systems for access control. SIXTH: On 10/21/2020 a test practice period began, remembering the following - To consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection services that are part of file E / 05886/2019. - To consider reproduced for evidentiary purposes, the allegations to the agreement of beginning presented by the claimed and the documentation that accompanies them. SEVENTH: On 02/26/2020 a Resolution Proposal was issued to the effect that by the Director of the AEPD the claimed person will be sanctioned for violation of article 13 of the RGPD, typified in article 83.5.a) of the RGPD, with warning of in accordance with article 58.2.b) of the RGPD. After the period legally indicated at the time of this Resolution, the The complainant had not submitted any written allegation whatsoever. EIGHTH: Of the actions carried out in the present procedure, there have been accredited the following: PROVEN FACTS FIRST: The claimant submitted a written entry dated 04/29/2019 in the Spanish Agency for Data Protection, stating that on 01/24/2019 C.G.T (General Labor Confederation) asked the company for information on the implementation of the access system and follow a series of guidelines on the itself: creation and modification of the mandatory file and obligation to inform duly to the workers before the collection of the fingerprints of the Auxiliary service agents for a new signing system that will be implemented in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/3 a near future; On 02/27/2019, the complainant indicated that it was a lawful treatment, adequate and safe; without any document being provided to the workers that register your fingerprint. SECOND: Letter from CGT of 01/24/2019 has been provided stating its Disagreement with the guidelines followed by the complainant when collecting fingerprints fingerprints for the implementation of our signing system in the company, without at no time had the workers or the creation and notification of the mandatory file. THIRD: The respondent's response is stated stating that the replacement of the magnetic cards for the use of the fingerprint limited exclusively to the area of airport ramp and the workers who work there implies a lawful treatment protected in the public interest of the claimed, adequate and secure data sensitive personnel involved; that the defendant has already informed this type of treatment within its privacy policy available from May 2018 to through the internet. FOURTH: On 03/18/2019 CGT indicated that the information provided by the company to inform his workers was quite scarce from what he understood that it was insufficient despite being said to respond to appropriate treatment and needs of the same. FIFTH: On 09/13/2019 the respondent provided an Impact Assessment of the treatment carried out on the treatment of the fingerprint for access control. SIXTH: On 10/15/2020, the complainant has provided an informative communication Complementary to employees Informative Note on data processing biometric through fingerprint recognition systems or facial recognition for access control. FOUNDATIONS OF LAW I The Director of the Agency is competent to resolve this procedure Spanish Data Protection, in accordance with the provisions of art. 58.2 of RGPD and in art. 47 and 48.1 of LOPDGDD. II The legitimacy for the treatment of the fingerprint for the control of the workers by the employer we must look for it in article 9 and 6 of the RGPD. Article 9 of the RGPD establishes in its sections 1 and 2.b) the following: "one. The processing of personal data that reveal the origin is prohibited ethnic or racial, political opinions, religious or philosophical convictions, or union membership, and the treatment of genetic data, biometric data directed to uniquely identify a natural person, data related to health or data relating to the sexual life or sexual orientations of a natural person. 2. Section 1 shall not apply when one of the following circumstances: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/12 b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or interested in the field of labor law and security and protection social, insofar as it is authorized by the law of the Union of the Member States or a collective agreement under the law of the Member States to establish adequate guarantees of respect for the fundamental rights and interests of the interested party. " Article 6.1.b) of the RGPD indicates: "one. The treatment will only be lawful if at least one of the following is met terms: (…) b) the treatment is necessary for the performance of a contract in which the interested is part or for the application at the request of this of measures pre-contractual. " The defendant has legitimacy, based on the indicated regulations, to carry out the labor control of its workers and as long as it meets the requirements indicated in the fifth Law Foundation. III The facts that motivate the claim presented and that are the subject of the This procedure is materialized in the request made by the claimant to the claimed in relation to the implementation of a new access system and the Obligation to duly inform workers. The facts claimed imply the violation of what is stated in article 13 of the RGPD, by not duly informing of the planned treatment in relation to the fingerprint check-in control, in accordance with the pronouncements established in the aforementioned article. This article determines the information that must be provided to the interested party in the moment of the collection of your data, establishing the following: "Article 13. Information that must be provided when personal data is obtained from the interested party. 1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the basis legal treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/12 e) the recipients or categories of recipients of personal data, in your case; f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of a Commission adequacy decision, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to adequate or appropriate guarantees and means of obtaining a copy of these or the fact that they have been loaned. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when not where possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to data portability; c) when the treatment is based on article 6, paragraph 1, letter a), or the Article 9, paragraph 2, letter a), the existence of the right to withdraw the consent at any time, without affecting the legality of the treatment based on consent prior to withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to enter into a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, to referred to in article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information about the applied logic, as well as the importance and expected consequences of said treatment for the interested party. 3. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which it was collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. 4. The provisions of sections 1, 2 and 3 shall not apply when and in the extent to which the interested party already has the information ”. IV In the present case, the claimant declares to write to the defendant requesting that workers be duly informed before the collection of fingerprints for the implementation of a new time control system, without that any answer was obtained. However, the documentation provided to the file contains the answer offered to the claimant, as stated in the second precedent, stating that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/12 the replacement of the established system by the use of the limited fingerprint exclusively to the airport ramp area and the workers who there they worked implied a lawful, adequate and secure treatment of personal data sensitive parties involved and that it had informed through its privacy policy to through the intranet. In relation to the issues raised in this case, first of all It should be noted that the implementation of a time control system based on the fingerprint by the employer, must be informed to employees of complete, clear, concise manner and, in addition, the aforementioned information must be completed with reference to both the legal bases that cover this type of control of access, as well as the basic information referred to in article 13 of the GDPR. In the case under review, although the response of the respondent to the writing is counted presented by the claimant stating that the system to be implemented was safe and relevant, both the information transmitted by the respondent and the system used to communicate the access and time control system is not the most adequate given the quality and specialty of the data that was requested, being able to have made a greater effort in its information policy on the planned treatment, formulating it in a much more detailed and complete way, as well as responding to certain casuistry such as the cases of workers who are they will refuse to provide their fingerprint. However, it should be noted that the entity in the allegations to the agreement of initiation of the procedure provided a complementary communication aimed at the employees Informative Note on the processing of biometric data through fingerprint recognition or facial recognition systems for the access control, in accordance with the regulations on the protection of data and, likewise, the mandatory impact assessment relative to the data protection regulated in article 35 of the RGPD, providing the document correspondent. Secondly, it should be noted that the installation of a control based on the collection and treatment of the employee's fingerprint implies the processing of your personal data since personal data is all that information about an identified or identifiable natural person of in accordance with article 4.1 of the RGPD. As for the fingerprint, it is also data that must be classified as biometric data and in accordance with article 4.14 of the RGPD have this consideration when they have been “obtained from a technical treatment specific, relating to the physical, physiological or behavioral characteristics of a natural person that allow or confirm the unique identification of said person, such as facial images or fingerprint data ”. This means that, in accordance with article 9.1 of the RGPD, in the case present, the specific regime provided for special categories is applied to them of data provided for in article 9 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/12 In this sense, recital 51 of the RGPD highlights the nature of restrictive with which the processing of these data can be admitted: “(51) ... Such personal data should not be processed, unless it is allowed its treatment in specific situations contemplated in this Regulation, given that Member States may lay down provisions specific data protection in order to adapt the application of the rules of this Regulation to the fulfillment of a legal obligation or to the fulfillment of a mission carried out in the public interest or in the exercise of powers public conferred to the person responsible for the treatment. In addition to the requirements specific to that treatment, the general principles and other rules of this Regulation, especially with regard to the conditions of legality of the treatment. Exceptions to the general prohibition of treatment of these special categories of personal data, among other things when the interested party gives their explicit consent or in the case of specific needs, in particular when the treatment is carried out in the framework of legitimate activities by certain associations or foundations whose The objective is to allow the exercise of fundamental freedoms. And recital 52 indicates that “(52) Likewise, exceptions to the prohibition to treat special categories of personal data when established by the Law of the Union or Member States and provided that appropriate guarantees are given, in order to to protect personal data and other fundamental rights, when it is in the interest public, in particular the processing of personal data in the field of legislation labor law, legislation on social protection, including pensions and for the purposes of safety, supervision and health alert, prevention or control of diseases communicable and other serious threats to health ... " In accordance with these considerations, the processing of biometric data from special categories will require, in addition to the concurrence of one of the bases legal provisions established in article 6 of the RGPD, any of the exceptions provided in article 9.2 of the RGPD. The analysis of the legal basis of legitimacy to carry out this treatment comes of article 6 of the RGPD, regarding the legality of the treatment, which in its section 1, letter b) states: “The treatment will be lawful if at least one of the following is met conditions: (…) b) the treatment is necessary for the execution of a contract in the that the interested party is part of or for the application at his request of measures pre-contractual (…) ”. By virtue of this precept, the treatment would be lawful and would not require the consent, when the data processing is carried out for the fulfillment of contractual relationships of a labor nature. On the other hand, and as highlighted in recital 51 of the same RGPD, insofar as biometric data is of a special category in the cases of biometric identification (art. 9.1 RGPD), it will be necessary for one of the the exceptions provided in article 9.2 of the RGPD that would allow lifting the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/8 general prohibition of the treatment of these types of data established in the article 9.1. At this point, special mention must be made of letter b) of article 9.2 of the RGPD, according to which the general prohibition of biometric data processing does not it will be applied when “the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or of the interested party in the field of labor law and social security and protection, to the extent authorized by the Union law of the Member States or a collective agreement in accordance with the law of the Member States that establishes adequate guarantees of respect for fundamental rights and the interests of the interested". In Spanish law, article 20 of the Consolidated Text of the Statute of workers (TE), approved by Royal Legislative Decree 2/2015, of 23 October, foresees the possibility for the employer to adopt surveillance measures and control to verify compliance with the labor obligations of their workers: "3. The employer may adopt the measures he deems most appropriate in surveillance and control to verify compliance by the worker with his obligations and labor duties, keeping in their adoption and application the consideration due to their dignity and taking into account, where appropriate, the actual capacity of the workers with disabilities ”. The possibility of using data-based systems is undeniable biometric to carry out access and time control, although it does not seem that is or should be the only system that can be used: thus the use of cards personal codes, the use of personal codes, the direct visualization of the marking, etc., which may constitute, by themselves or in combination with any of the the other systems available, equally effective measures to carry out the control. In any case, prior to the decision on the start-up of such a control system and taking into account its implications, processing of biometric data aimed at uniquely identifying a natural person, it would be mandatory to carry out an impact assessment regarding the protection of personal data to evaluate both the legitimacy of the treatment and its proportionality as the determination of the existing risks and the measures to mitigate them in accordance with the provisions of article 35 RGPD. In the present case, it must be stated that the entity has accredited the mandatory impact assessment related to data protection regulated in the Article 35 of the RGPD, providing the corresponding document, since the 09/13/2019 presented the document Impact Evaluation of the treatment carried out cape. V C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/12 On the other hand, biometric data is closely linked to a person, since they can use a certain unique property of an individual for your identification or authentication. According to Opinion 3/2012 on the evolution of biometric technologies, “Biometric data irrevocably changes the relationship between the body and the identity, as they make the characteristics of the human body legible by machines and are subject to further use. " In relation to them, the Opinion specifies that it is possible to distinguish different types of treatments by stating that “Biometric data can be processed and stored in different ways. Sometimes the biometric information captured from a person is stored and treated raw, allowing the source from which it came to be recognized without special knowledge; for example, a photograph of a face, a photograph of a fingerprint or voice recording. Other times, raw biometric information captured is treated in such a way that only certain characteristics or traits are extracted and they are saved as a biometric template. " The processing of these data is expressly permitted by the RGPD when the employer has a legal basis, which is usually his own Work contract. In this regard, the STS of July 2, 2007 (Rec. 5017/2003), that he has understood the legitimate treatment of biometric data carried out by the Administration for the time control of its public employees, without it being necessary the prior consent of the workers. However, the following should be noted: O The worker must be informed about these treatments. O The principles of limitation of the purpose, necessity, proportionality and data minimization. In any case, the treatment must also be adequate, pertinent and not excessive in relation to that purpose. Therefore, biometric data other than necessary for that purpose should be suppressed and creation will not always be justified. of a biometric database (Opinion 3/2012 of the Art. 29 Working Group). O Use of biometric templates: Biometric data must be stored as biometric templates whenever possible. The template should be taken from a way that is specific to the biometric system in question and not used by other data controllers of similar systems in order to ensure that a person can only be identified in biometric systems that have a legal basis for this operation. O The biometric system used and the security measures chosen must ensure that reuse of the biometric data in question is not possible for another purpose. O Mechanisms based on encryption technologies should be used, in order to prevent unauthorized reading, copying, modification or deletion of biometric data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/12 O Biometric systems should be designed so that they can be revoked the identity bond. O You must choose to use data formats or specific technologies that make it impossible to interconnect biometric databases and disclose data not verified. O Biometric data should be deleted when they are not linked to the purpose that motivated their treatment and, if possible, they should be implemented automated data deletion mechanisms. SAW Article 83.5 b) of the RGPD, considers that the infringement of “the rights of the interested parties according to articles 12 to 22 ”, is punishable, in accordance with the paragraph 5 of the aforementioned article 83 of the aforementioned Regulation, “with fines administrative fees of € 20,000,000 maximum or, in the case of a company, a an amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the one with the highest amount ”. The LOPDGDD in its article 71, Infractions, states that: “The acts and conducts referred to in the paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law ”. The LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractions considered very serious: "one. Based on the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in that and, in in particular, the following: (…) h) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law. (…) " VII The sanctioning procedure that concerns us shows that in the installation of a new fingerprint attendance control system to be implemented had been carried out without duly informing with all the guarantees indicated in the data protection regulations, specifically in accordance with the provisions in article 13 of the RGPD, being able to have incurred in the violation of the same. Therefore, the conduct of the defendant would constitute a violation of the provisions in article 13 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/12 On the other hand, the RGPD, without prejudice to the provisions of its article 83, contemplates the possibility of resorting to the sanction of warning to correct the processing of personal data that does not conform to your forecasts. Likewise, it is contemplated that the resolution issued will establish the measures that is appropriate to adopt so that the conduct ceases, the effects of the offense are corrected that had been committed, the adequacy of the information offered to users to the requirements contemplated in article 13 of the RGPD, as well as the contribution of Proof of compliance with what is required. However, it should be noted that in the allegations to the agreement to initiate the In this procedure, the complainant has provided a copy of the communication made to all workers and that it came to complement the information provided with previously Informative Note on the processing of biometric data through fingerprint recognition or facial recognition systems for the access control, in accordance with those indicated in article 13 of the RGPD, by Therefore, it is not appropriate to urge the adoption of additional measures since proven that the defendant has adopted reasonable measures and prevent them from returning to incidents such as the one that gave rise to the claim occur. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERATOR, with NIF A85850394, for an infraction of article 13 of the RGPD, typified in the Article 83.5 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to IBERIA LÍNEAS AÉREAS DE SPAIN, S.A. OPERATOR, with NIF A85850394. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of month from the day following notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be suspended in an administrative way If the interested party expresses his intention to file a contentious appeal- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/12 administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, Presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too must forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day after the notification of this resolution, I would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es