AEPD (Spain) - PS/00267/2021: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 34: | Line 34: | ||
|GDPR_Article_3=Article 15 GDPR | |GDPR_Article_3=Article 15 GDPR | ||
|GDPR_Article_Link_3=Article 15 GDPR | |GDPR_Article_Link_3=Article 15 GDPR | ||
|GDPR_Article_4= | |GDPR_Article_4=Article 82(2)(e) GDPR | ||
|GDPR_Article_Link_4= | |GDPR_Article_Link_4=Article 82 GDPR#2e | ||
|GDPR_Article_5= | |GDPR_Article_5= | ||
|GDPR_Article_Link_5= | |GDPR_Article_Link_5= | ||
Revision as of 15:40, 18 May 2022
| AEPD - PS/00267/2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6 GDPR Article 12 GDPR Article 15 GDPR Article 82(2)(e) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 31.12.2020 |
| Decided: | |
| Published: | 13.05.2022 |
| Fine: | 170000 EUR |
| Parties: | MERCADONA S.A. |
| National Case Number/Name: | PS/00267/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined MERCADONA S.A. €170,000 for not replying to an access request and for deleting data without a legal basis.
English Summary
Facts
The controller is MERCADONA S.A. the biggest supermarket chain in Spain. The data subject suffered an accident in one of the controller's stores which was video surveilled by the controller. With the purpose of claiming damages against the controller, the data subject requested access to the video footage four days after the accident occurred via an online contact form provided by the controller. On the same day the data subject received an auto-response from the controller that her message has been sent successfully. Afterwards she also filed a complaint with the controller about the accident via email which included her name, email-address, telephone number, a description of the accident and the damages she suffered. The controller replied to this email by providing a reference number for the case. After the controller did not reply to her access request for over a month, the data subject's lawyer sent an email to the DPO of the controller following up on the access request. The DPO responded that it is not aware of any access request and that the video footage has already been deleted because it was obliged to erase the footage one month after it was recorded according to Article 6 of the general instruction 1/2006 of the AEPD (Spain) on the processing of personal data for surveillance purposes through camera or video camera systems. After having received this negative answer of the controller, the data subject lodged a complaint with the AEPD against the controller.
During the investigation of the AEPD it turned out that the access request did not reach the DPO's attention because of a human error in the management of the case. Furthermore, the controller compensated the data subject during the proceedings and the parties agreed to close the procedure before the DPA which resulted in the data subject withdrawing its complaint. The AEPD, however, decided to continue the investigation on its own (ex-officio) and render a decision. The controller objected to this approach, arguing that the AEPD dropped proceedings in similar cases before where only violations of Articles 15-22 GDPR where in question.
Holding
The AEPD fined MERCADONA S.A. €70,000 for violating Articles 12 and 15 GDPR by not replying to the access request of the data subject and €100,000 for violating Article 6 GDPR by deleting the video footage without a legal basis (in total: €170,000).
At first, the AEPD found that it was not bound by the agreement of the parties to close the proceedings and was allowed to continue the investigation on its own since there was nothing in the law that suggested otherwise. Furthermore, it found that the compensation of the data subject did not exonerate the controller from its liability arising from the violations of the GDPR.
At second, the AEPD rejected the controller's argument that it should have dropped the case because it had allegedly done so in previous similar cases. The AEPD found that this case is already different from the previous cases because it involves not only a violation of Article 15 GDPR but also Article 6 GDPR.
At third, the AEPD held that the controller violated Articles 12 and 15 GDPR by not replying to the access request. It found that the obligation under Article 6 of the general instruction 1/2006 to delete video footage after one month conflicts with the obligation to answer an access request at the latest one month after it was received under Article 12(3) GDPR. The AEPD concluded that the responsibility to answer an access request under the GDPR takes precedence since otherwise a controller could always evade the data subject's right to access by invoking the deletion obligation under the general instruction 1/2006.
At fourth, the AEPD held that the controller violated Article 6 GDPR because it deleted the video footage without a legal basis. The AEPD found that none of the requirements of Article 6(1) GDPR were met. Regarding Article 6(1)(f) GDPR the AEPD reasoned that the data subjects interest in obtaining the video footage as evidence outweighed the data protection considerations as well as the controller's obligation to delete the footage within one month under the general instruction 1/2006. To reinforce its reasoning, the AEPD referred to the opposite situation where a controller is under Article 6(1)(f) GDPR allowed to keep the video footage for a longer period than one month in order to defend against unfounded claims.
When determining the amount of the fine the AEPD considered as aggravating factors that the data subject was not able to use the video footage to enforce her claims against the controller, that the controller did only respond after the deletion and that the data which was processed was sensitive as it were images of the data subject. Moreover, the AEPD reasoned that the absence of a previous offence of the controller does not constitute a mitigating factor as previous violations consitute an aggravating factor according to Article 82(2)(e) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/61
•
File No: PS/00267/2021
DECISION ON DISCIPLINARY PROCEEDINGS
From the procedure conducted by the Spanish Data Protection Agency and on the
basis of the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the claimant), on 31/12/2020, filed a complaint with the
Spanish Data Protection Agency. The complaint is directed against MERCADONA
S.A., with Tax Identification Number A46103834 (hereinafter, MERCADONA or the
respondent), for failure to comply with the claimant's right of access to her personal
data, as the request had not been answered within one month. The grounds on which
the complaint is based are as follows:
The claimant states that on ***DATE.1 she suffered an accident in an establishment of
the entity located at ***DIRECCION.1, and that, with the purpose of claiming damages,
she exercised her right of access to the images from the security cameras, using the
request form available on the website of the defendant, the one established in the
Privacy Policy, receiving a message about the conformity of the sending, which took
place on ***DATE.2.
She adds that, after a month without receiving a reply, she sent an e-mail to the DPD
of the entity, which replied denying receipt of the request for access and informing the
complainant that the images had been deleted. On this occasion, the complainant sent
the proof of sending the request for access, without receiving any further response.
The complainant also points out that on ***DATE.3 she filed a complaint with
MERCADONA itself about the accident, via its website, and received a reference for
the case, so she does not understand why the images, which were the only proof of the
facts, were deleted.
Together with the complaint, he submitted the following documentation, which is set out
in the Proven Facts:
. Printout of the completed right of access request form via the Respondent's website,
dated ***DATE.2.
. Screenshot of the response message to the previous request.
. Copy of the e-mail sent on ***DATE.4 by the complainant's representative to the DPD
of MERCADONA, requesting the images.
. Screen print of the e-mail sent by the complainant to the address
"conducta@mercadona.es", dated ***DATE.3, with the subject "Complaint D201...",
and MERCADONA's reply of ***DATE.5.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December 2018,
of
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
2/61
December, on Personal Data Protection and guarantee of digital rights (hereinafter
LOPDGDD), this complaint was transferred to the respondent on 03/02/2021, so that it
could proceed with its analysis and inform this Agency, within a period of one month, of
the actions carried out to adapt to the requirements set out in the data protection
regulations.
In response to this transfer, the defendant reported as follows:
. MERCADONA began its response by presenting the facts of the case, confirming that
sending the request via the form available on the website does not generate an
acknowledgement of receipt and simply displays a response message indicating "the
message has been sent correctly". It also refers to the e-mail that was sent by the
complainant's representative to the DPD of the entity on the date
***DATE.6, and notes that this email was replied to informing "that the request had not
been received and that the images were no longer available (they had been deleted
more than 30 days after capture)".
It adds that, once it became aware of the complainant's request through the
aforementioned mail sent to the DPD, it reviewed the material and human processes
involved, both technical and managerial, without observing any deviation. This
verification led to the aforementioned response.
On 09/02/2021, having become aware of the complaint, it sent the claimant a burofax
in the same terms.
It then reports on some details regarding the procedure it follows for data subjects to
exercise their personal data protection rights, which are outlined in the First Proven
Fact, and indicates that a total of 229 requests for personal data protection rights have
been received and processed through the form during the year 2020.
On the other hand, MERCADONA points out that, on ***DATE.7, the complainant's
representative first contacted the entity for the sole purpose of reporting the incident
and communicating her intention to request compensation for it, without any reference
to the request for access made on ***DATE.2, which is the subject of the present
complaint.
The Respondent, on the other hand, understands that it cannot be inferred from the
communication made by the complainant through the complaints channel that it was a
request for the exercise of the right of access.
Based on the foregoing, the Respondent concludes that it acted at all times in
accordance with the regulations in force, according to the scheme established to
comply with the exercise of customers' rights. In this specific case, when it first became
aware of the request for access on ***DATE.4, it replied to the request on ***DATE.8,
responding to the only known address of the applicant.
With its reply, it provided a copy of the following documentation, which is set out in the
Proven Facts.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
3/61
. Copy of a letter sent by MERCADONA to the complainant's representative, dated
***DATE.9, with the subject "Right of access".
. Copy of the mail sent by the complainant's representative to MERCADONA, of
***DATE.7, cited above.
THIRD: On 16/04/2021, the Director of the AEPD agreed to admit the complaint for
processing.
FOURTH: On 05/07/2021, the Subdirectorate General for Data Inspection accessed
the information available on the entity claimed in "Axesor". It appears that this entity
belongs to the "Commerce" sector (...).
FIFTH: On 19/07/2021, the Director of the Spanish Data Protection Agency agreed to
initiate disciplinary proceedings against MERCADONA, in accordance with the
provisions of articles 63 and 64 of Law 39/2015, of 1 October, on the Common
Administrative Procedure for Public Administrations (hereinafter, LPACAP), for the
alleged infringement of articles 12 and 6 of the GDPR, classified in articles 83.5.b) and
83.5.a) of the aforementioned Regulation, respectively; and classified as minor and
very serious for statute of limitations purposes in articles 74.c) and 72.1.b) of the
LOPDGDD.
In the opening decision, it was determined that the penalties that might be applicable,
in view of the evidence existing at the time of opening and without prejudice to the
outcome of the investigation, would amount to a total of 170,000 euros (70,000 euros
for the infringement of Article 12 and 100,000 euros for the infringement of Article 6,
both of the GDPR).
It was also warned that the infringements alleged, if confirmed, could lead to the
imposition of measures, in accordance with the provisions of the aforementioned
article.
58.2 d) of the GDPR.
SIXTH: Having been notified of the aforementioned agreement of initiation and having
extended the period granted to make allegations, the entity complained against
presented a letter dated 02/08/2021, in which it requested that the sanctioning
procedure be shelved in accordance with the following considerations:
1. Firstly, he refers to the accident suffered by the claimant, which, as he indicates,
was communicated to him by complaint of ***DATE.3 made through its website, and
points out that the internal investigation carried out by the entity itself after the transfer
process detected a human error in the management of the civil claim filed by the
claimant, which led to it not reaching the attention of the Data Protection Delegate
(DPD) or his team and the lack of attention to the request for access formulated.
As a result, the claimant was contacted, through her representative, and an agreement
was reached that compensates the damages suffered as a result of the accident and
those derived from the failure to attend to her right of access to her personal data, so
that the error in attending to the right has not caused her any damage and/or harm.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
4/61
Furthermore, it states that disciplinary measures have been adopted internally, as well
as technical and organisational measures, to prevent a similar error from occurring in
the future and to ensure that requests made through the web form are sent to the DPD.
2. It considers it inappropriate to initiate sanctioning proceedings in a case referring
exclusively to the failure to respond to a request to exercise the rights established in
Articles 15 to 22 of the GDPR, and highlights the exceptional nature of such
proceedings, which has been highlighted by the AEPD in various actions
(E/10485/2019, TD/00120/2021 and RR/00506/2021), indicating that "whenever
possible, alternative mechanisms should be chosen to prevail in the event that they are
protected by the regulations in force...." and that there must be elements that justify the
initiation of the sanctioning procedure. In this regard, MERCADONA adds that, in the
present case, the agreement to initiate the procedure does not specify the specific
aspects that justify the initiation of the sanctioning procedure, nor how, through the
imposition of a sanction on the entity, the guarantees and rights of the complainant
could be restored, which, according to the Authority, would not be duly restored
through the procedure under article 64.1 of the LOPDGDD.
In this case, the facts refer exclusively to the failure to respond to a request for the right
of access, without there having been any breach of other provisions that would justify
the opening of sanctioning proceedings, in view of the factual circumstances set out in
the previous point, and the guarantees and rights of the interested party have been
restored.
Thus, it considers that the initiation agreement has not duly motivated the opening of
the procedure, contrary to the provisions of Article 35.8 of Law 39/2015, letters
h) and i), which may render the administrative act null and void in accordance with the
doctrine of the Supreme Court insofar as it may deprive the interested party of the
necessary means of defence or hinder jurisdictional control (STS 5701/1998, STS
1935/2003 or STS 8046/1999).
It stresses that, in the case of a discretionary act, the motivation must be more intense,
expressing the logical process that leads the Administration to take the decision (STS
7626/1998, citing in turn the SSTS of 15/06/1984, 13/07/1984 and 07/02/1987, among
others).
Finally, MERCADONA indicates that, if the purpose of opening the sanctioning
procedure is to ensure that the "guarantees and rights of the interested parties are duly
restored", as indicated in Ground II of the Agreement to initiate the Sanctioning
Procedure, this entity has taken actions to repair and mitigate the damages suffered by
the interested party, for not having responded in time to the right of access due to the
human error detected, and therefore the guarantees and rights of the claimant have
been duly restored.
It therefore considers that it is not appropriate to initiate disciplinary proceedings and
that, moreover, no justification has been given for that decision.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
5/61
3. Considering the alleged human error, it invokes the principle of fault, pointing out
that there are no errors in the past.
It cites Article 28.1 of Law 40/2015, which establishes the Principle of liability of the
sanctioning power, and several precedents in which the AEPD has declared that the
principle of culpability constitutes an essential note in sanctioning matters and that so-
called strict liability has no place in administrative sanctioning law, so that the mere
commission of an administrative infringement is not sufficient when it comes to
proceeding to impose an administrative sanction, There must be wilful or negligent
conduct, whether serious or slight negligence or simple negligence, depending on the
degree of inattention, there being no negligence, and therefore no culpable and
punishable offence, "when the necessary diligence has been applied in complying with
the obligations required in terms of the LOPD" (PS/00724/2014).
As human error is involuntary, there is no culpability, as it would never be possible to
demand diligence of such a calibre that, in terms of result, it would be immune to any
human or technical failure, as this would completely empty the aforementioned
principle of culpability of its content, being no different from a mere imputation by way
of objective causation. This is reflected in several decisions of the Authority, such as
those handed down in the cases indicated with the numbers E/03468/2009, in which
the AEPD brings up case law doctrine of the AN and the SC on error and the
relationship with fault (".....no system is unfailing or immune to the existence of possible
errors, so that, once they have occurred, the importance and scope of the same must
be analysed, in order to avoid strict liability on the part of the subject of the obligation of
custody of the same"); E/00546/2010; E/01795/2011 ("....In the present case, there is
no requirement of malice or negligence with regard to the conduct of the companies
complained of, but rather we would be dealing with a case of error with an allegedly
infringing result, insofar as there could be a possible unlawful result, but not a willful
intention with regard to that result... In this sense, the Audiencia Nacional itself has
expressed itself in similar situations in judgments such as those handed down on 16
March 2004 and 2 March 2005, in which it states the following respectively.... We must
bear in mind that, as the National High Court makes clear, and insofar as there is no
willfulness in the act, that there has been no particularly harmful result in what
happened, and that there is no evidence of a lack of care in the generalised action of
the company denounced in its communications, it would be contrary to the nature of
the administrative sanctioning sphere, subject to the principles of minimum intervention
and proportionality, to impose a sanction in respect of the act produced, which can be
summarised as a mere error not deserving of sanctioning action").
In the present case, the entity has taken the necessary diligence in complying with the
obligations established in the data protection regulations and acts in all its processes
with the utmost diligence, and always within its commitment to transparency and
respect for regulatory compliance with regard to the processing of its customers' data.
Thus, it has established an intuitive and simple procedure in relation to the exercise of
Data Protection rights, which establishes the requirements set out in the RGPD and the
LOPDGDDD.
With regard to the information provided to customers on how to exercise their rights, it
has established a simple and straightforward process on which the institution reports
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
6/61
through different channels (posters at the entrances to the shops; a call to the
Customer Service freephone number; or the Privacy Policy published on the website,
which includes a link to the form for exercising rights).
In the present case, the complainant opted for the web form, whose requests are
received by the Customer Service Department.
And it details the processing process followed by the application, which is outlined in
the First Proven Fact.
This process contemplates that requests for the exercise of data protection rights are
communicated by the manager to the Data Protection Delegate, through a non-
automated procedure. This is the only non-automated step in the entire rights
management procedure and, to date, no error has ever occurred, neither of a technical
nor human nature, in the management of data protection requests, the established
system working perfectly, thanks to the special and constant training that the entity
provides to the professionals in charge of managing this type of request, through which
the great importance of the fundamental right to data protection and especially the
rights of data subjects is conveyed.
In relation to exercises of rights received through the web form, a total of 229 requests
for ARSOPL rights were received and satisfactorily processed during 2020 (January-
September: 188 and October-December: 41). The entity can affirm that it has not been
previously sanctioned by the AEPD in terms of data subjects' rights, and internally,
there is no record to date of any complaint to the DPD, nor any complaint form,
regarding the non-response or non-receipt of requests from data subjects.
However, additionally, the entity has proceeded to reinforce the instructions to the staff
in charge of handling data protection requests from data subjects, especially those sent
by data subjects through the Customer Service form and which the managers assigned
to process them receive in their folders, placing special emphasis on their
communication to the DPD until the procedure is fully automated, through a
communiqué sent by the Data Protection Delegate on 02/08/2021 August.
In view of the procedure established, MERCADONA concludes that it has at all times
observed the diligence and duty of care required of it, establishing the necessary
procedures to manage data subjects' requests and providing specific training to the
employees in charge of managing such requests and communicating them to the Data
Protection Delegate. In addition, preventive measures are implemented, such as
periodic controls carried out by the coordinators, in order to avoid incidents.
The contrary would be to assume strict liability on the part of the subject of the
obligation of custody of the same, despite the fact that there is no evidence of a lack of
care in the generalised action, the entity having shown the diligence and duty of care
required of it, through the implementation of formative and preventive control
measures. Furthermore, the importance and scope of the error should be taken into
account, which was not
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
7/61
The nature of the error, that given the large amount of data processed by the entity, no
system is unfailing or immune to the existence of possible errors, as has been the case
here, and that on the other hand, (technical) measures have been adopted to prevent
this from happening in the future.
4. MERCADONA considers that the principle of typicality has been infringed by the
following circumstances:
. When it is stated in the decision to initiate proceedings that Article 6 of the GDPR has
been infringed and that this could lead to the commission of the offence defined in
Article 83(5)(a) of the GDPR, the offending conduct is not specified at all.
. It is also indicated in the opening agreement that the facts could involve a breach of
the provisions of Article 6 of the GDPR, in relation to Article 22 of the LOPDGDD.
Article 6 of the GDPR has four paragraphs, which in turn have different sub-
paragraphs, and it is not specified which paragraph and letter of Article 6 is the one that
could have been allegedly violated.
The same applies to Article 22 of the LOPDGDD, which has eight paragraphs and does
not specify which specific paragraph(s) and section(s) might have been violated.
Furthermore, the relationship between Article 6 of the GDPR and Article 22 LOPDGDD
is also not explained.
. It is not explained in detail or is not adequately substantiated why the fact of having
erased images within the legally established time limit, because of a failure to respond
to a right of access due to human error, constitutes a breach of the conditions of
lawfulness, and specifically, which of them.
According to MERCADONA, all of this causes defencelessness and contributes to
legal uncertainty (Article 9.3 of the Constitution).
It cites the decision handed down by the AEPD in case E/02434/2020, in which it
states:
"In short, this principle implies, firstly, that punitive laws can only be applied to those conducts
that meet all the elements of the type described, i.e., that a conduct can be defined as "typical"
when there is identity or homogeneity between the act committed and the circumstances
described in the rule. The prohibition of analogy, for its part, implies that a sanction cannot be
imposed for an act that does not fit in with the literal nature of the type of offence, even if it
bears some kind of conceptual similarity or proximity to it".
In view of the foregoing, the defendant considers that the decision to initiate the
disciplinary proceedings does not comply in any way with the principle of
criminalisation since, firstly, the provisions allegedly infringed have not been specified,
nor has the relationship between them been explained; secondly, there is no identity
between them; and, thirdly, there is no evidence of the existence of the same offence.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
8/61
between the act committed and the circumstances described in the law, since at no
time has there been any unlawful processing of data (art. 6 RGPD) nor has there been
any breach of the provisions of article 22 of the LOPDGDD, and thirdly, a sanction
cannot be imposed for an act that does not fit within the wording of the type of offence,
even if it bears some kind of conceptual similarity or proximity to it (prohibition of
analogy).
5. MERCADONA scrupulously complies with the provisions of article 22.3 of the
LOPDGDD regarding the obligation to conserve images captured by video surveillance
systems, as these images are permanently deleted more than 30 days after they are
captured.
In the case that is the subject of this complaint, due to human error, the claimant's
request for access was not processed correctly, but this in no way implies a breach of
the provisions of Article 22.3 LOPDGDD, which states the following:
"3. The data shall be deleted within a maximum period of one month from their capture, except
when they have to be kept to prove the commission of acts that threaten the integrity of
persons, property or installations. In this case, the images must be made available to the
competent authority within a maximum period of seventy-two hours from the time the existence
of the recording became known. The blocking obligation provided for in Article 32 of this
Organic Law shall not apply to such processing" .
In the AEPD's "Fichas prácticas de videovigilancia información general", updated in
2021, the following is indicated (provide screen print):
"The images shall be kept for a maximum period of one month from their capture, after which
they shall be deleted.
In the event of the recording of a crime or administrative offence to be brought to the attention
of an authority, the images shall accompany the report and shall be kept for the sole purpose of
making them available to that authority and may not be used for any other purpose.
Therefore, regarding the obligation of general erasure after a maximum of one month
has elapsed since the images were captured, the exception is given by the recording of
a crime or administrative offence that must be brought to the attention of the
authorities, and we cannot include other cases within this exception to the general rule,
as the LOPDGDD itself does not include them.
Article 22.3 LOPDGDD speaks of "(...) except when they have to be kept to prove the
commission of acts that threaten the integrity of persons, goods or installations", so it is
not referring to any act, but to those that involve conduct by a third party (committing an
act) against persons, goods or installations, i.e. an act must be committed by a person
that threatens the integrity of persons, goods or installations.
Let us remember that all exceptions must be interpreted restrictively and to hold
otherwise would violate both the principle of typicality and the prohibition of analogy,
since a sanction cannot be imposed for an act that does not fit within the literal wording
of the
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
9/61
type of infringement, even if it bears some conceptual similarity or proximity to it.
In a similar case (Procedure E/02434/2020) in which the Guardia Civil requested
images from a catering establishment "as these were decisive for the clarification of the
facts", and these had already been erased, the AEPD indicates that it is necessary to
analyse whether the conduct described constitutes an infringement and states that
"The aforementioned Article 22.3 LOPDGDD, must be put in connection with the
provisions of article 32 LOPDGG, "Blocking of data" and concludes that "the obligation
to "block" images obtained through video-surveillance systems is one of the exceptions
determined by the Legislator, so that the defendant could not be charged with an
administrative offence in the terms of art. 72n) LOPDGDD", and therefore the complaint
is archived:
"In accordance with the above, it can be concluded that there is no obligation to block the
images obtained through the system, nor does the Legislator require that they must necessarily
be kept for a period of one month, and this body lacks greater knowledge of the circumstances
that led to the deletion of the images (e.g. intentionality or simple human error), all of which
reasons make it advisable to order the archiving of the present proceedings".
If in the aforementioned case, in which the images were requested by the Guardia Civil
for the clarification of allegedly criminal acts, the Authority concluded that there was no
obligation on the part of the establishment to block the images, even less so in the
present case in which we are not dealing with the commission of a crime or
administrative offence, which would justify "making the images available to the
competent authority within a maximum period of seventy-two hours of becoming aware
of the existence of the recording", which is what is actually established in Article 22.3 of
the LOPDGDD, and not an obligation of conservation, not even partial.
In conclusion, there has been no breach of any provision establishing an obligation to
preserve images, since Article 22.3 LOPDGDD does not establish such an obligation,
but only establishes the obligation to communicate certain recordings to the authorities,
and sanctioning for this would be a violation of the Principle of Typicality and the
prohibition of analogy.
It is a different matter if, due to the failure to receive or process the request for the right
of access correctly, possible damages have been caused to the claimant, which have
already been repaired through the agreement reached with the claimant as explained
above, but in no way can the fact that the claimant filed a complaint against the
establishment for the purpose of claiming damages for civil liability (without actually
exercising a right of access to the images in said complaint and which did not refer to
the exercise of the previously exercised right of access) be linked to a legal obligation
to conserve the images, which, moreover, Art. 22.3 does not establish, since this
precept is limited to establishing the obligation to make available to the competent
authority within a maximum period of seventy-two hours those images that serve to
"accredit the commission of acts that threaten the integrity of persons, property or
installations" and not of any event that does not involve the recording of a crime or
administrative offence.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
10/61
Therefore, it is clear that Article 22(3) does not establish an obligation to preserve
images that the organisation has not respected. Accepting the contrary would mean
that data controllers would be obliged to review all recordings on a daily basis in order
to preserve any recording in which a person may have fallen, fainted, etc., in addition to
notifying the competent authorities of such events which would not fall within their
competence, as in the present case, and penalising them for this would be a violation
of the Principle of Typicality and the prohibition of analogy.
The following documents were submitted with the allegations:
. Specification agreement addressed to the Systems Department to carry out a new
development on the corporate website that involves automating the sending of any
exercise of rights to the Data Protection Delegate.
With the aim of facilitating the exercise of rights, this document includes a "FAQ" to
explain how to exercise the right and a link to a form, "which by completing it will reach"
the legal team to manage the request.
. "Certification" from the Human Resources Department in relation to the imposition of
the internal disciplinary measure. It is said that the investigation carried out detected
that an employee of the Civil Liability Area in charge of the management of the claim
which is the subject of the present proceedings "had incurred in a lack of diligence in
his functions and which have originated the lack of attention to the right of access in
matters of video surveillance", for which reason "internal disciplinary measures were
applied to him for negligently failing to carry out the working methods established by
the company, having been duly trained for them".
. Communication from the DPD of the respondent entity addressed to the "processing
managers" of the Customer Service Department", sent by e-mail dated 02/08/2021. It
lists the channels for the exercise of rights and reports the following:
"As you know, if the data subject uses the web form for the exercise of a right, through an
automated procedure, the system assigns the request to a manager and sends it to his or her
folder.
IMPORTANT: Those requests for the exercise of data protection rights, as you know and as
you have been doing to date, must be sent immediately to the Data Protection Delegate
***EMAIL.1, so that a response can be given in due time and form to the Head (client) who
requests it. It is currently a process that is carried out manually, so the IT Department has been
asked to study and evaluate the automation project in order to avoid any human error in the
management".
. Documentation on a training for the "900 Line Area", carried out in May 2021, which
includes a section on personal data protection.
SEVENTH: On 29/07/2021, this Agency received a letter presented by the
representative of the claimant, in relation to the opening of the procedure
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
11/61
sanctioning, by means of which it communicates "that an agreement has been reached
with Mercadona, through which the damages and losses suffered by my client, both
material and immaterial in the area of civil liability, as well as in the area of data
protection due to the failure to comply with the right of access, the reason for the
complaint filed, have been duly and sufficiently compensated". On this basis, it
concludes by stating that the damages have been compensated and the claimant's
right has been satisfied, and requests "that my claim be considered to have been met
and, therefore, that the case be closed".
EIGHTH: On 02/03/2022 a motion for resolution was formulated in the following sense:
1. Sanction MERCADONA, for an infringement of Article 12, in relation to Article 15,
both of the RGPD, as defined in Article 83.5.b) and classified as minor for the purposes
of prescription in Article 74.c) of the LOPDGDD, with a fine of 70,000 euros (seventy
thousand euros).
2. That MERCADONA be sanctioned with a fine of 100,000 euros (one hundred
thousand euros) for an infringement of Article 6 of the RGPD, as defined in Article
83.5.a) and classified as very serious for statute of limitations purposes in Article
72.1.b) of the LOPDGDD.
3. That MERCADONA be ordered to adopt, within the period of time to be determined,
the measures necessary to adapt its actions to the personal data protection
regulations, with the scope expressed in Ground of Law IX of the proposed resolution.
NINTH: On 16/03/2022, a letter was received from the defendant entity in which it
formulated allegations to the proposed resolution, requesting once again that the
proceedings be closed and that the following requests be taken into account. It bases
its request on the following considerations:
1. He reiterated the same allegations as above regarding the appropriateness of
pursuing a procedure for failure to respond to a request for the exercise of rights,
which, in his opinion, is the procedure that corresponds by legal imperative, rather than
a disciplinary procedure; and pointed out that the former had a duration of six months
from the date of admission for processing on 16/04/2021, which elapsed without any
pronouncement being made.
It understands that the responsibilities must also be clarified within the framework of
the procedure regulated in Article 64.1 of the LOPDGDD; and that the same should be
followed even if it is not possible to satisfy the right, as is the case here, as the data
has been deleted, as the Agency has resolved in precedents that it describes as
similar, in which the AEPD has formally upheld the data subject's claim within the
procedure for the protection of rights, urging the respondent to provide a response but
without appreciating a "lack" of purpose and without purging responsibilities
(TD/00955/2018, TD/00830/2017 and TD/01272/2017). He adds that this is the
understanding of the European Data Protection Board (EDPC) in its Guidelines 3/2019
on the processing of personal data by video devices:
"Example: If the controller automatically deletes all images, for example within two days, it
cannot provide the images to the data subject after two days.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
12/61
those two days. If a request is received by the responsible person after those two days, the
person concerned must be informed accordingly.
It also cites the proceedings followed by the AEPD under number E/02434/2020, which
refers to a request by the State Security Forces and Corps for images that were
decisive for the clarification of the alleged commission of a crime or administrative
offence, which the Agency closed, concluding that there was no obligation on the part
of the establishment to block the images and did not impose a sanction for this.
Furthermore, MERCADONA considers that there has been no breach of provisions
other than Article 12, paragraphs 2 and 3, in relation to Article 15 of the GDPR, which
would justify the initiation of sanctioning proceedings, and argues that the alleged
infringement is classified as "Failure to respond to requests to exercise the rights
established in Articles 15 to 22 of the Regulation".
Finally, it states that the same conduct is being sanctioned with two sanctions; and that
the guarantees and rights of the interested party have been restored for the possible
harm derived from the facts, as established in Article 82.1 of the GDPR.
2. MERCADONA insists on the allegations already made concerning the exceptional
nature of the penalty procedure; the actions taken to restore the guarantees and rights
of the interested party and to repair the damage, which are not achieved by the
imposition of a penalty; as well as the lack of reasoning, in the present case, of the
opening decision, unlike other cases in which it is justified by a general action of the
person responsible that would affect all persons in the same situation, and not a
specific error (PS/00003/2021), which does not even specify the paragraphs of Articles
12 and 6 of the GDPR that have been infringed.
As in the previous section, also in this section 2, MERCADONA disputes the
appropriateness of resolving the issues raised by means of a sanctioning procedure,
arguing on the contrary the volume of rights applications it has processed in recent
years; that it has not been previously sanctioned for this reason and there is no record
of any complaint before the DPD; and that the necessary measures have been adopted
to avoid similar errors, having fully automated the application management process,
which have been assessed as mitigating factors together with the fact that in this case
the anomaly only affects the complainant.
It considers that it is not sufficient to justify the opening of the disciplinary proceedings
by stating that by deleting the images there has been an infringement other than the
infringement of Articles 15 to 22 of the GDPR, or that the proceedings for failure to
comply with a right "lacked purpose" since the images did not exist.
Moreover, it mentions the possibility of resorting to other remedial powers set out in
Article 58(2) of the GDPR (warning, caution or other), depending on the circumstances
of each individual case.
It was only in the motion for a resolution that the AEPD first argued which specific
paragraphs of articles 12 and 6 of the GDPR were considered to have been allegedly
violated. And, with regard to the alleged violation
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
13/61
of Article 6 and its relationship with Article 22 of the LOPDGDD, it is also in the
proposed resolution when, despite acknowledging the non-application of Article 22
LOPDGDD, the AEPD explains the legal reasoning and ratifies the proposed sanction.
3. He reiterates that the complainant's request for access was not handled because it
was not brought to the attention of the DPD due to human error, already explained, in
his opinion, in his submissions on the opening of the procedure.
It again invokes the principle of culpability and the prohibition of strict liability in
administrative law on penalties, which are considered in various decisions of the
Agency itself, such as those indicated in its previous pleading and in judgments of the
Audiencia Nacional (such as those handed down on 16/03/2004 and 02/03/2005,
referring to an error in the movements of a bank account or a mistake in the sending of
correspondence to a person's address, where there was no wilful misconduct and there
is no evidence of a lack of care).
In such cases, the AEPD has assessed the specific circumstances, bearing in mind
that the mere commission of an administrative infringement -an objective type- is not
sufficient when proceeding to impose an administrative sanction (PS/00724/2014); that
no system is unfailing or immune to the existence of possible errors, so that, once they
have occurred, the importance and scope of the same must be analysed, in order to
avoid objective liability of the subject of the obligation of custody of the same
(E/01795/2011); whether or not there is voluntariness in the act, whether a particularly
harmful result has been produced or whether there is evidence of a lack of care in the
generalised action (E/03468/2009); or proportionality (SANs of 16/03/2004 and
02/03/2005).
With regard to the statements contained in the proposed resolution on this issue,
MERCADONA indicates that the Agency does not substantiate what the lack of
diligence consisted of. The only argument is that "it cannot be admitted that the actions
of the respondent entity, by not processing the request for access to personal data,
were diligent", which would have as a corollary the strict liability derived from any error,
absent-mindedness, forgetfulness, etc., of the worker who should have redirected the
request to the data subject. of the employee who had to redirect the request to the
DPD, without taking into account the specific circumstances of the case and the fact
recognised by the Authority itself that there were "adequate" procedures in place to
handle this type of request and that no errors had occurred in the past to justify the
change of procedure on the part of the person responsible, based on his diligence.
As evidence of the existence in this case of generalised due diligence, the AEPD itself
assesses as a mitigating circumstance the implementation of adequate procedures for
action in the management of requests for the exercise of rights, such that the
infringement is the consequence of an anomaly in the operation of these procedures
that only affects the respondent. This being the case, MERCADONA considers that the
error was not intentional, and adds that there has been no harmful result, as the entity
has proceeded to avoid the possible damages that could have been caused.
Finally, as regards the significance and extent of the error, the entity has pointed out that
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
14/61
The AEPD has not previously been sanctioned by the AEPD with regard to the rights of
data subjects, and internally, there is no record to date of any complaint to the DPD,
nor any complaint form, regarding the non-response or non-receipt of requests from
data subjects.
Despite being an "anomaly in operation", as defined by the AEPD itself, the entity has
modified the management procedure by eliminating the only non-automated step.
Thus, it has implemented a development, by means of a system of mail flow rules in
the Exchange Server (also known as transport rules). These rules contain a set of
conditions and actions that guarantee the automatic notification to the recipients of
Customer Service (L900) and the Data Protection Delegate of those requests for the
exercise of rights made through the web page form (automatic forwarding of a copy of
the original message to the ***EMAIL.1 mailbox).
As for its scope, it is clear from the AEPD that it only affects the respondent, which is
taken into account as a mitigating factor in the sanction. On this point, it should be
borne in mind that there has been no harmful result in what happened, since no
damages have been derived from the extrajudicial satisfaction of the claim for
compensation based on facts whose accreditation the images requested by the
claimant were intended to serve.
Furthermore, it has shown the diligence and duty of care required of it, through the
implementation of formative and preventive control measures, as evidenced by the lack
of errors in the past.
He also points out that he did not base the failure to comply with the right on the
deletion of the images, but on the human error indicated. The time limit had elapsed
only as a consequence of the request not having reached the DPD. Proof of this is that
a reply was given to the complainant on ***DATE.9, before the AEPD's request.
As for the storage period of the images, in the rest of the European countries, there are
either no storage periods, or they are less than 30 days, so that the situation raised by
the AEPD is even more evident and possible to materialise if the data subject does not
exercise his or her right of access before the deletion of the images takes place. Thus,
the European Data Protection Committee, ECDC, in Guidelines 3/2019, in relation to
storage periods and erasure obligations, states that:
"Personal data may not be kept for longer than necessary for the purpose for which they are
processed (Article 5(1)(c) and (e) of the GDPR). In some Member States, there may be specific
provisions for retention periods in respect of video-surveillance in accordance with Article 6(2)
of the GDPR.
Whether or not the retention of personal data is necessary should be controlled within a short
period of time. In general, the legitimate purposes of video surveillance are usually the
protection of property or the preservation of evidence. Damage can usually be recognised
within one or two days. In order to facilitate the demonstration of compliance with the data
protection framework, it is in the interest of the controller to make organisational arrangements
in advance (e.g. to appoint, if necessary, a representative for
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
15/61
examine and secure video material). Taking into account the principles of Article 5(1)(c) and (e)
of the GDPR, namely data minimisation and limitation of the retention period, personal data
should in most cases (e.g. for the purpose of detecting vandalism) be deleted, preferably
automatically, after a few days. The longer the retention period (especially when it exceeds 72
hours), the more arguments should be provided for the legitimacy of the purpose and the
necessity of retention'.
Even the ECDC gives the following example for a shop:
"Example: The owner of a small shop would normally notice any signs of vandalism the same
day. Consequently, a normal 24-hour retention period would be sufficient. Closed weekends or
longer holidays may nevertheless be grounds for a longer retention period. If damage is
detected it may also be necessary to keep the video images for a longer period in order to bring
claims against the offender".
4. The AEPD understands two different and independent conducts, when in fact one is
a consequence of the other, because if the images were deleted it was precisely
because there was no record of the request for access due to the error that had
occurred. And it concludes that the concurrent circumstances prevail over the
obligation to delete the images within a maximum period of one month from the time
they were captured, in violation of the provisions of article 6 of the GDPR.
In this regard, it points out firstly that when the complainant enquired about her request,
a reply was given, as it was the first time it had come to her attention, and the
maximum conservation period of 30 days had already elapsed, as in the similar cases
mentioned above.
Moreover, MERCADONA argues that deletion of data when it is no longer necessary
does not require a legitimate basis. Deletion occurs precisely because there is no
longer a legitimate basis for continuing to retain the data, since the maximum legal
period of one month has elapsed, and a legitimate basis is required for their
subsequent retention, not for their deletion as indicated by the AEPD. In other words, it
is the "expiry" of the legal retention period, the very compliance with the applicable rule,
which entails the deletion of the images, without the need to resort to any basis of
legitimisation to carry out such deletion. If the AEPD's argument is accepted, there
would have to exist in every Register of Processing Activities (including that of the
AEPD itself), a processing operation called "deletion of images" with its corresponding
basis of legitimisation, which makes no sense whatsoever.
Thirdly, it should be noted that we are dealing with a maximum conservation period, as
the AEPD itself indicates in its "practical video surveillance files" ("after which time the
data will be deleted"), in the proposed resolution and in many resolutions. Such as that
issued in procedure PS/00261/2020, which states the following:
"Regarding the obligation to retain images for a period not exceeding 30 days, the (GDPR), in
recital 39, announces the need to "ensure that the period of retention of personal data is limited
to a strict minimum", which in turn must be "adequate, relevant and limited to what is necessary
for the purposes for which they are processed". Article 22.3 of the LOPDGDD specifies - with
regard to processing for the purposes of
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
16/61
video-surveillance - that "the data shall be deleted at the latest within one month of their
collection".
The exception is given by the recording of a crime or administrative offence that must
be brought to the attention of the authorities ex Article 22.3 LOPDGDD, without us
being able to include other cases within this exception to the general rule, as the
LOPDGDD itself does not include them.
It should be remembered that all exceptions must be interpreted restrictively and to
hold otherwise would violate both the principle of typicality and the prohibition of
analogy, since a sanction cannot be imposed for an act that does not fit in with the
literal nature of the type of offence, even if it has some kind of similarity or conceptual
proximity to it.
In the Agreement to initiate sanctioning proceedings, the AEPD stated that it
considered that the facts set out could breach the provisions of Article 6 of the
Regulation, in relation to Article 22 of the LOPDGDD; and in the proposal it
acknowledges that it is not applicable to the present case.
Therefore, it is not understood what is the case analysed in the present proceedings
and why this entity is considered responsible for an alleged infringement of art. 6 of the
GDPR with respect to the same (attached extract from the Register of Processing
Activity corresponding to the processing of Video Surveillance).
The AEPD understands that "there are other circumstances that must be considered in
the analysis of the lawfulness or unlawfulness of the deletion or erasure of personal
data", directly linked to the particular situation of the claimant, but in no way can it be
maintained that, due to these particular circumstances, of which the organisation has
no reason to be aware, MERCADONA had a duty of retention. And this organisation
warns that no justification or motivation should be provided by the interested party for
the exercise of rights, and that the organisation should not make any assessment as to
whether there may be a legitimate interest of the interested party that could justify the
conservation of the images beyond the legal period. In the case of having received the
request, the entity would have provided the data subject with a copy of the images, but
not because the basis for legitimisation had changed, but because the data subject has
the right to request the images through the right of access regardless of the motivation.
In other words, MERCADONA did not have to make any weighting or assessment as
far as standing was concerned.
Reproduces again what is stated about retention and deletion periods in the above-
transcribed ECDC Guidelines 3/2019, with the addition of the following paragraph:
"If the controller uses video surveillance not only to monitor its premises but also to retain data,
it must ensure that the retention is indeed necessary to achieve the purpose. If so, the retention
period should be clearly defined and set individually for each particular purpose. It is the
responsibility of the controller to define the retention period in accordance with the principles of
necessity and proportionality and to demonstrate compliance with the provisions of the GDPR".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
17/61
On the other hand, if a legal basis were needed to proceed with t h e deletion of the
data, at no point does the AEPD specify what it is or what it should be, of those listed in
Article 6 of the GDPR.
According to the respondent, the proposed resolution confuses the concepts of "basis
of legitimisation" with the "motives" or reasons that justified the conservation of the
images. That the complainant had an interest in the images, and a right to obtain them,
is beyond dispute, but the AEPD seems to ignore the fact that, if in the present case
the images were not kept, it was not because it was considered that the complainant
had no right to them or because it was considered that in any case the one-month
storage period should be applied, but because, quite simply, there was a specific error
in the handling of her request which prevented her replying in due time and form. The
interest that the data subject may have in the images cannot be confused with the
retention period of the images determined by the data controller or with the concept of
the basis of entitlement. If a data subject exercises the right of access during the period
in which the data controller retains the images, the request must be complied with, and
the images must be retained, even if there was a formal defect in the request, precisely
so that when this is remedied, the right can be satisfied. But in this case, the data
controller was not made aware of the request, so the images could not be kept.
Nor is the right of the organisation to keep the images if it deems it appropriate, for
example, because it was sued by the claimant, in the example given by the AEPD
itself, disputed, but this shows the confusion of the AEPD regarding the need for a
legitimate basis for keeping the images beyond the established legal period, with the
supposed need for a legitimate basis for deleting these images.
In fact, in the aforementioned Guidelines 3/2019, in relation to the right of access in
matters of video surveillance it is stated that:
"The data subject has the right to obtain confirmation from the controller as to whether or not his
or her personal data are processed...If, however, the data are still processed at the time of the
request (i.e. if the data are retained or otherwise continuously processed), the data subject
must obtain access and information in accordance with Article 15."
"Example: If the controller automatically deletes all images within e.g. two days, it cannot
provide the images to the data subject after those two days. If the controller receives a request
after those two days, the data subject must be informed accordingly.
In the present case, there is no conflict of rights to be weighed up by the controller, but
simply a request for a right of access that was not granted because the controller was
unaware of the data subject's request due to an isolated and specific error in the
procedure.
If MERCADONA deleted the images, it was because it was not aware of the data
subject's request for access, not because it assessed her request negatively and did
not grant access.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
18/61
The AEPD has considered that the right to effective judicial protection of judges and
courts prevails. But it is not necessary to argue that the images should have been kept
for a period of more than 30 days. If the request had been received, the interested
party would have had a response in due time and form, without the need to keep the
images for longer than the established period or to seek any additional basis for
legitimisation.
Given that the DPD did not receive the original request, the data was deleted in
compliance with the established procedures. In other words, MERCADONA never
found itself and would never have found itself (had the error not occurred) in the
dilemma of whether or not to keep the data beyond the legal period, and therefore no
weighing up can be required in the face of an alleged collision of rights that has not
existed and will not exist. In the event that the request had been dealt with
satisfactorily, the images would have been handed over without further assessment.
Furthermore, if we accept that the data controller must analyse and assess the reasons
why the data subject requests the data, we are giving the data controller powers that
the law does not grant him/her.
Furthermore, when the AEPD states that "there is legal authorisation for the processing
of image data once the period established for their deletion has been exceeded, which
is covered by Article 24 of the Constitution and its implementing regulations", it seems
to introduce, for those cases in which a data protection right has not been exercised,
an obligation for data controllers to supervise all images, on a daily basis, to assess
whether it is necessary to keep any recordings in which a person may have fallen,
fainted, etc., and need them in order to exercise their right to effective judicial
protection, even in the absence of a request from the data subject. and needed to
exercise his or her right to effective judicial protection, even in the absence of a request
from the data subject. This reasoning cannot be shared or legally sustained, as it
means demanding obligations from data controllers that are not in the law and that go
beyond the purposes of a video surveillance system installed to guarantee the security
of persons and property, as well as the security of their installations. It is a different
matter if the data subject can request the images through the right of access and use
them as he or she sees fit (for example, to provide them in a legal proceeding), but in
no way can a general obligation of conservation for the controller be argued,
contradicting the maximum legal period of conservation of the images, to safeguard a
possible right of access to effective judicial protection of a person who has not
exercised a right of access in data protection.
It is clear that these purposes go beyond the purpose of the video surveillance system
to preserve the security of persons and property, as well as of its installations (Art 22.1
LOPDGDD).
However, the entity has proceeded to compensate the possible damages that the error
and, therefore, the non-availability of the images may have caused to the claimant.
For all the above reasons, no treatment has been carried out at any time.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
19/61
data without a basis of lawfulness.
Nor has there been any breach of any provision establishing an obligation to conserve
images, since Article 22.3 LOPDGDD does not establish such an obligation, and
therefore penalising for this would be a violation of the principle of criminalisation and
the prohibition of analogy.
5. It invokes the principles of legal certainty, which obliges the ius puniendi of the State
to be subject to the principle of legality - Lex previa - and the principle of typicality - Lex
certa -.
On this basis, it expressly opposes the consideration of the alleged facts as constituting
the alleged offence under Article 6 of the RGPD and Article 72.1.b) of the LOPDGDD,
because, precisely, having kept them beyond the legal retention period would have
meant processing without a legitimate basis.
The offence of deleting images without a legitimate basis does not exist, it is not
criminalised in the law, as all the lawful bases detailed in Article 6 involve positive,
active data processing (processing data for a specific purpose, executing a contract,
fulfilling a legal obligation, etc.), not negative (deletion).
6. As regards the graduation of sanctions, it notes the following:
a) In relation to the infringement for failure to comply with the provisions of Article 12, in
conjunction with Article 15, both of the GDPR, the Respondent considers that the
following circumstances should be considered as mitigating and not aggravating:
. There is only one person affected, the duration of the infringement does not last over
time and was not of a general or structural nature, it is not a serious infringement and
the damage that the complainant could have suffered has been repaired, putting her in
the same situation she would have been in if she had used the images to file a
complaint.
. There is no intention or negligence in the infringement, since the infringement was "a
consequence of an anomaly in the functioning of the procedures" which, according to
the AEPD, the entity has implemented and which are adequate; the respondent has not
previously been sanctioned for failure to comply with a right and there is not even any
record of complaints at the level of the DPD or complaints forms, which shows that no
errors had occurred to date, thanks to the training it provides to its staff (it provides
documentation on training actions provided); and preventive measures have been
implemented, such as periodic controls and the automation of the process.
. The respondent has cooperated with the Agency and has not waited for the formal
request to modify its procedure.
. The categories of data concerned are image data and do not constitute special
categories of data, as they are processed solely for the purpose of ensuring the
security of persons, property and premises.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
20/61
This is the understanding of the ECDC in its Guidelines 3/2019:
"Video surveillance systems typically collect massive amounts of personal data that may reveal
data of a highly personal nature and even special categories of data. Indeed, seemingly
insignificant data initially collected through video can be used to infer other information aimed at
achieving a different purpose (e.g. tracking a person's habits). However, video surveillance is
not always considered as processing of special categories of personal data".
The category 'of a particularly sensitive nature' does not exist. An 'ordinary' video
surveillance system does not allow for the prompt identification of data subjects,
basically because there is no other data that could allow for such identification, nor
does it use the data for purposes other than preserving the security of persons,
property and premises.
Moreover, in relation to the aggravating factors considered, it states that the data
processing it carries out is the minimum necessary to carry out its main activity, which
is the sale of food products, and that it is not possible to discriminate against the
capture of images of customers. As regards professionalism in relation to the
processing of data, it again notes that to date it has not been penalised for a lack of
attention to the rights of data subjects, nor has any internal complaint been lodged.
b) Regarding the aggravating factors considered to determine the sanction for non-
compliance with the provisions of article 6 of the GDPR, MERCADONA reiterates what
was expressed in relation to the previous infringement and adds, in relation to the
seriousness of the infringement and intentionality or negligence, that the complainant's
complaint to the establishment for the purposes of claiming damages for civil liability
cannot be linked to a legal obligation to keep the images, which, moreover, article 22.3
does not establish. MERCADONA is not obliged to keep the images of every event that
has occurred, without the person having requested the images, only in the eventuality
that he/she might request them. It cannot be affirmed that "MERCADONA suppressed
the images despite knowing that the claimant reported the accident and the damages
suffered to the entity, and requested, for this reason, access to said images" because
the entity was not aware of the request for access made.
It also invokes the principle of proportionality and requests, in the alternative, that a
warning or cautionary penalty be imposed or, in any event, that the proposed amount
be reconsidered, as it is not proportionate; finally, it points out that the same conduct
and facts (failure to exercise a right) are being punished by means of two different
penalties, which result in a disproportionate total amount if we consider that the error
has led to an 'anomaly in the operation of those procedures' which has affected a
single person.
7. MERCADONA considers that the reduction for acknowledgement of liability provided
for in article 85 of Law 39/2015, which the Agency limits to the period granted for
submitting allegations at the opening of the procedure, may be applied at any time prior
to the resolution.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
21/61
According to MERCADONA, the aforementioned article should be considered to
regulate the voluntary and unilateral termination of the procedure by the party
concerned as a "block", determining the options, conditions and their consequences;
and that provision admits that the second form of voluntary termination of the
procedure, voluntary payment, may be made at "any time prior to the decision".
It considers that the proposed decision is the "natural" moment for the assumption of
responsibility by the person concerned, without any infringement or affectation of his
right to defence, contradiction and effective judicial protection. It is that proposal which
determines the proven facts, their classification in the type of offence and the sanction,
after the interested party has presented its allegations and evidence, without being
subject to the initial agreement.
This conclusion is supported by the recent STS 232/2021, of 18 February, (appeal
2201/2020) which deals with the possibility of challenging before the Courts sanctions
handed down in administrative proceedings in which the administrative authority has
recognised its liability and, for the purposes of availing itself of the reductions indicated
in art. 85 LPAC, withdraws or waives the exercise of any action or appeal in
administrative proceedings against the sanction.
In the Third Legal Basis it states:
"However, one thing is that in such cases the possibility of challenging the sanctioning decision
by means of contentious-administrative jurisdiction remains, and quite another that... the
difficulty of successfully challenging the sanctioning decision by means of contentious-
administrative jurisdiction is increased, because this will be the natural consequence of having
recognised their liability in application of the principles of good faith and binding on the acts
themselves (...).) in order for such a challenge to be successful, it will have to provide the court
with a solid explanation that fully justifies the reason why, having first assumed its responsibility
for the offence committed - which entails acknowledgement of the concurrence of the objective
and subjective elements of the offence, i.e., its participation in the criminalised acts and its guilt
- it then maintains the non-existence of the offence in court (...)".
In MERCADONA's opinion, it is clear from that ruling that the acknowledgement of
liability does not imply that the classification of the facts is correct; that it is in
consideration of the circumstances modifying the acknowledged liability, the exact
extent of the participation, whether it is culpable, wilful or merely a slight failure to
comply, the seriousness of the facts and their specific graduation, which may be settled
before the contentious-administrative jurisdiction without increasing the difficulty of
contesting them.
To maintain that liability can only be recognised during the time limit for submitting
allegations would imply, de facto, that the persons administered assume it in order to
benefit from the discount, even if they are only partially in agreement with the
agreement of initiation, transferring the dispute over the aspects in question to the
judicial process.
On the contrary, admitting such recognition at any time prior to the decision, when the
investigation has already been completed and the elements taken into consideration
have been established, eliminates litigation without undermining effective judicial
protection and the right of defence.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
22/61
Furthermore, the Respondent understands that there is no legal basis for stating that
the time limit is that of allegations to the initiation agreement, because nothing is stated
in the legal text and because there are different "milestones" prior to the resolution,
namely, allegations to the initiation agreement, the hearing process, and the proposal
for resolution, which can be any of them.
This interpretation is supported by the public administrations themselves in different
sanctioning procedures, such as the Catalan Data Protection Agency (procedure
PS8/2019). It also cites report SSPI00043/17, of the Legal Office of the Regional
Government of Andalusia, in relation to Report HPPI00035/17, of 5 July 2017, of the
Legal Department of the Ministry of Finance and Public Administration, which admits
this possibility:
"(...) this interpretation allows us to consider that in this case there is no invalidating defect
either, as there is no harm to the administration, which must continue to carry out the procedure
without the possibility of its early termination. Likewise, it will always be more beneficial for the
administrative body to be able to avail itself of this possibility than not having the option to do
so. Moreover, as we have mentioned, it seems that the wording at least leaves doubts when it
establishes in Art. 85.2 that this can be done "at any time prior to the decision". Therefore, it
really seems that the wording of Art. 85 requires that the initiation agreement determines the
percentage of reduction, rather than the amount, which is why the initiation agreement must
always establish the percentage and, in those cases in which it is possible, the amount, given
that the latter will not always be possible".
Also by the Courts. The Judgment of the High Court of Justice of Madrid, Chamber for
Contentious-Administrative Matters, no. 79/2020, of 6 February, in which the non-
application of art. 85.1 LPACAP is denounced, declares:
"Finally, it should be remembered that art. 85 of Law 39/2015 provides that "when a sanctioning
procedure has been initiated, if the offender acknowledges his or her responsibility, the
procedure may be resolved with the imposition of the appropriate sanction". Section 3
establishes that, "when the sanction is solely of a pecuniary nature, the body competent to
resolve the procedure shall apply reductions of at least 20% of the amount of the proposed
sanction".
The plaintiff considers that, despite having acknowledged in the statement of allegations made
in the motion for a decision that he was responsible for the failure to declare the money seized,
and even having proposed a penalty of €100 000, the decision to impose a penalty ignores that
circumstance and imposes a fine on him which is totally disproportionate.
In response to this allegation, the State Attorney's Office argues that the circumstances
necessary for its application do not exist, since the statement of allegations of 13 November
2017 does not expressly refer to the recognition of liability, which must be prior to the resolution
of the case once the proposal has been received (...)".
Particularly enlightening is the Judgment of the Audiencia Nacional no. 625/2017,
dated 22/03/2019, which states;
"The sanctioning decision of 21 December 2018 did not take into account that by letters of 4
December - (allegations to the agreement to initiate the sanctioning proceedings) - and 11
December 2018 - (allegations to the Proposal for Resolution) - the applicant acknowledged
responsibility for the facts, requested payment from the amount seized, and twice waived the
lodging of an administrative appeal. These
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
23/61
The written pleadings show a clear intention to terminate the proceedings, in accordance with the
terms of Art.
85.1 of Law 39/2015, and to waive the administrative appeal, proceeding to payment, charged
to the guarantee. Hence, having fulfilled all the conditions required in the second and third
paragraphs of article 85, it was appropriate to accumulate two reductions of 20%".
MERCADONA adds that other regulations governing administrative sanctioning
procedures provide for the possibility of recognising liability at any time prior to the
resolution, and cites the following:
. Law 16/1987, of 30 July, on Land Transport Organisation (LOTT), which in Article
146.3 establishes:
"Payment of the financial penalty prior to the issuing of the sanctioning decision shall imply
conformity with the facts denounced and the waiver of the interested party to make allegations
and the termination of the procedure, although an express decision must be issued".
. Law 13/2017, of 8 November, of the Taxi of the Valencian Community, which in its
article 38.4 establishes;
"Once the sanctioning procedure has been initiated, if the offender acknowledges his or her
responsibility before a decision is issued, the amount of the financial penalty initially proposed
shall be reduced by fifty percent.
. Law 7/2014, of 23 July, on the Protection of Consumers and Users of the Balearic
Islands, which in Article 84 graduates the percentage of discount depending on the
procedural moment in which the recognition of liability occurs. And so:
"1. A reduction of fifty percent of the amount of the sanction corresponding to serious or minor
infringements shall be applied if the alleged offender agrees to the content of the initiating
decision and justifies payment of the aforementioned amount during the fifteen days following
its notification. In this case, it is understood that the interested party waives the right to make
allegations and lodge any type of subsequent appeal.
2. A reduction of twenty percent of the amount of the sanction corresponding to serious or
minor infringements shall be applied if the alleged offender agrees with the content of the
proposed decision and justifies payment of the aforementioned amount during the fifteen days
following its notification. In this case, it is understood that the interested party waives the right to
make allegations and to lodge any type of subsequent appeal".
. Municipal Ordinance on Consumer Affairs of the Madrid City Council, ANM 2011/17,
which in its article 59.1 establishes:
"1. Once a disciplinary proceeding has been initiated, if the offender explicitly acknowledges his
or her responsibility before the decision is taken, the proceeding may be resolved without
further formalities with the imposition of the appropriate fine. In this case, a 30 percent reduction
shall be applied to the total amount of the fine, which must be paid by the interested party
during the voluntary payment period".
Finally, the above interpretation of art. 85 LPACAP is found in article 3 of the recent
Royal Decree 137/2021, of 2 March 2021, which raises it to regulatory status by
establishing:
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
24/61
"In accordance with the provisions of art. 85.3 of Law 39/2015, of 1 October, in the disciplinary
proceedings referred to in art. 2, if, having initiated a disciplinary proceeding, at any time prior to
the resolution the alleged offender acknowledges his liability, the proceeding may be resolved
with the imposition of the appropriate sanction, and when the sanction is solely financial in
nature, the body competent to resolve and notify the resolution of the proceeding shall apply
reductions of up to 30% of the amount of the proposed sanction".
Therefore, in the event of the AEPD maintaining a sanction or financial penalties, if
voluntary payment and acknowledgement of responsibility is made at any time before
the resolution that implies the termination of the sanctioning procedure, the 40%
discount must be made.
From the actions carried out in the present proceedings and the documentation in the
file, the following have been accredited:
ESTABLISHED FACTS
1. MERCADONA has stated that it provides information on the procedure it follows for
interested parties to exercise their personal data protection rights through different
channels, such as the signs displayed in shops warning that they are in a "Video
Surveillance Area" (the contact address of the company's DPD is indicated); by calling
Customer Services free of charge, which sends an SMS informing them of this
procedure; and through the Privacy Policy available on the website, which includes a
link to the form provided for exercising these rights. According to the information
provided, the Privacy Policy provides the following information:
"You can send us a letter to MERCADONA, S.A. (Asesoría Jurídica Procesos) C/... or
if you have a digital signature issued by the Fábrica Nacional de Moneda y Timbre, via
the
customer
service
form
("https://infor.mercadona.es/es/atencion-al-
customer#destacadosFormulario")".
Once the form has been filled in and sent, the following text will appear automatically
"Thank you, your comment has been sent successfully".
MERCADONA also informs that the interested party, in turn, receives an email to the
email address provided, indicating: "MERCADONA. Your opinion helps us to continue
improving. Dear (name of recipient). Thank you for contacting our Customer Service
Department. Please be informed that we have received your e-mail. We invite you to
consult our frequently asked questions in case you have any further questions").
According to the information provided by MERCADONA, the application process
follows the following steps:
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
25/61
"i. The form is registered in the management system (Contact Centre). System managed by the
processing managers.
ii. Once the form is received, the system assigns the request to the manager, according to
certain criteria (typology, workload, productivity, etc. of the manager).
iii. Once the application (form) has been assigned, it is sent to the folder of the assigned
manager, which is accessed via username and password, including all the information and
documents sent by the Client, for processing.
It adds that "there are periodic controls carried out by the coordinators in order to avoid
incidents" and that "the system (Contact Centre) leaves traces and evidence of all the
movements that pass through the system, not allowing the accidental or voluntary
deletion of entries in the system".
2. On ***DATE.1, the claimant suffered an accident on the premises of the entity
located at ***DIRECCION.1.
3. On ***DATE.3, via the MERCADONA website, the complainant filed a complaint with
MERCADONA about the accident that had occurred, receiving a reference for the
case. This complaint was made by e-mail to the address "conducta@mercadona.es",
with the subject "Complaint D201...". This e-mail contains the complainant's name,
surname, e-mail address and telephone number. The commentary includes an account
of the accident suffered (...), the damage caused by the accident to the claimant (.... )
and the lack of attention to the claim by the defendant's insurer (.... ).
4. On ***DATE.5, the respondent company responded to the complaint described in
the previous Proven Fact by the same means, indicating that the complaint had been
sent to MERCADONA's Customer Service Department, to which future
communications should be addressed (a contact telephone number for this department
and a link to the company's website are indicated).
5. On ***DATE.2, the complainant exercised her right of access to the images from the
security cameras, using the application form available on the MERCADONA website,
under the "Customer Service" tab, as mentioned in the First Proven Fact. This request
contains the name and surname of the complainant, the complainant's postcode and e-
mail address, and the following text in the field entitled "How can we help you" (url:
"https://infor.mercadona.es/ en/atencion-al-cliente#destacadosFormulario"):
"I enclose a request for the right of access to the video surveillance recordings of the
MERCADONA shop ***DIRECCION.1, due to the accident that took place (...)".
As "Attachments" are indicated "DNI" of the claimant and "Request for right of access"
(in this letter it is indicated that the request is motivated by the accident that took place
on ***DATE.1).
6. In response to the complainant's request for the right of access, the complainant
received a reply message, also dated ***DATE.2, with the following text:
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
26/61
"Thank you, your comment has been sent successfully.
7. On ***DATE.7, the complainant's representative sent an e-mail to MERCADONA
with the following text:
"I am writing to you to establish an initial communication in order to inform you of the
documentation that I have at the moment, in relation to the accident... in which my client was
injured... Also in order to inform you of our intention to request the compensation that according
to the schedule corresponds".
8. On ***DATE.4, the complainant's representative sent an e-mail to the DPD of
MERCADONA, with the following text:
"More than a month ago, my client exercised her right of access to the video
surveillance images, through the channel established in your privacy policy (via the
customer
service
form:
https://info.mercadona.es/es/atencion-al-
customer#detailsForm), and she has still not received a reply.
Please send these images to him as they correspond to (...)".
9. On ***DATE.9, MERCADONA sent an e-mail to the complainant with the subject
"Right of access" and the following text:
"After checking internally, we inform you that we are not aware of any request for access to
images, nor of the documentation that according to data protection regulations is necessary to
manage any right of access, neither from your client (Ms...) nor from you.
We should add that we no longer have any of the images from the date requested (***DATE.1),
all in accordance with art. 6 of Instruction 1/2006, of 8 November, of the AEPD, which
establishes that "The data will be cancelled within a maximum period of one month from their
capture".
Yours sincerely.
Legal Div. MERCADONA Proceedings".
10. On 09/02/2021, MERCADONA sent the complainant a burofax in the same terms
as the letter described in the ninth proven fact.
THE LEGAL BASIS
I
By virtue of the powers that Article 58.2 of the GDPR recognises to each supervisory
authority, and in accordance with the provisions of Articles 47 and 48 of the
LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate
and resolve this procedure.
Article 63.2 of the LOPDGDD determines that: "The procedures processed by the
Spanish Data Protection Agency shall be governed by the provisions of the RGPD, in
this Organic Law, by the regulatory provisions issued in its development and, insofar
as they do not contradict them, subsidiarily, by the general rules on administrative
procedures".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
27/61
II
During the investigation of the procedure, the complainant has informed this Agency
that she has reached an agreement with the entity complained of, whereby the
damages suffered in the area of civil liability and for the non-fulfilment of the right of
access have been compensated, requesting that her claim be considered to have been
met and that the present sanctioning procedure be closed.
In this regard, article 63.1 of Law 39/2015, of 1 October, on the Common
Administrative Procedure of Public Administrations (LPACAP) establishes that
"proceedings of a sanctioning nature shall always be initiated ex officio by agreement
of the competent body". In the same vein, Article 64.2 of the LOPDGDD provides that
proceedings aimed at determining the possible existence of an infringement of the
provisions of the GDPR "shall be initiated by means of an agreement adopted on its
own initiative or as a result of a complaint".
Thus, the fact that the claimant withdraws her complaint does not imply that the
sanctioning procedure initiated has been closed, given that the same is initiated and
processed in all its phases ex officio, with this Agency being responsible for
determining whether the personal data protection regulations have been breached and
the scope that should be given to said breach.
It is irrelevant, for these purposes, what agreement the claimant and the respondent
may have signed to repair the damages suffered by the claimant, as well as the internal
disciplinary measures that the respondent claims to have adopted.
In accordance with the foregoing, the position defended by MERCADONA in its
submissions cannot be accepted when it states that the aforementioned agreement
between the parties has restored the guarantees and rights of the interested party. The
"reparation" of the damage suffered to which MERCADONA refers cannot exonerate it
from liability arising from the breaches of the regulations that have occurred, the
application of which is obviously not conditioned by any agreements that may arise
between private individuals. Only when the data controller proves that "it is in no way
responsible for the event that has caused the damage" will it be exempt from liability, in
accordance with the provisions of article 82.3 of the GDPR.
Such compensation may compensate for the damages suffered by the claimant, but it
does not restore her guarantees and rights in a case arising from the exercise of the
right of access, which cannot be granted as the personal data to which the request
referred have been deleted.
On the other hand, where any imputable liability arises from the facts established, the
fact that the entity in question has not previously been sanctioned for infringements of
an identical nature, or the adoption of measures aimed at avoiding future
infringements, cannot serve as an argument for not opening the sanctioning procedure
to assess those liabilities and determine the applicable consequences, i.e. the
corrective powers that should be applied.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
28/61
apply in each case.
The same can be said where the alleged infringement affects only one interested party.
Sanctioning proceedings are not reserved for cases, such as the one cited by
MERCADONA in its allegations, in which the conduct of the responsible entity is
configured as a general action affecting a number of parties in the same situation.
III
MERCADONA considers that the agreement to initiate the procedure has not
sufficiently justified the initiation of the procedure or specified the aspects justifying
such initiation, thereby limiting its rights of defence.
For the same reasons, MERCADONA considers that the principle of criminalisation has
been infringed. In this regard, MERCADONA argues that the decision to initiate
proceedings does not specify the infringing conduct, does not specify which
paragraphs and letters of Articles 6 and 22 are considered to have been infringed, and
does not explain why the fact of having deleted images within the legally established
time limit and not having responded to a right of access due to human error constitutes
a breach of the conditions of lawfulness. In his final submissions, he states that the
infringements and legal reasoning have not been specified until the motion for a
decision.
This Agency does not share the position expressed by the Respondent in relation to
the content of the agreement to initiate the present sanctioning procedure.
In the opinion of this Agency, the initiation agreement issued complies with the
provisions of Article 68.1 of the LOPDGDD, which establishes the minimum content
required, the elements that must be detailed in the aforementioned agreement to
determine its validity. According to this article, it is sufficient for the agreement to
initiate the procedure to specify the facts that motivate its initiation, identify the person
or entity against whom the procedure is directed, the infringement that may have been
committed and its possible sanction (in this case, of the different corrective powers
contemplated in Article 58.2 of the GDPR, the Agency considered it appropriate to
impose a fine, in addition to the adoption of measures to bring its actions into line with
the regulations, without prejudice to what may result from the investigation of the
procedure).
In the same sense, Article 64.2 of the LPACAP expressly establishes the minimum
content of the initiation agreement. According to this precept, among other details, it
must contain "the facts that motivate the initiation of the procedure, its possible legal
qualification and the sanctions that may correspond, without prejudice to what results
from the investigation".
In this case, not only are the aforementioned requirements amply met, but it goes
further by offering reasoning that justifies the possible legal classification of the facts
assessed at the outset and even mentions the circumstances that may influence the
determination of the sanction, which undoubtedly benefits the interested party, whose
right of defence is strengthened and favoured.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
29/61
In relation to the request for the right of access made by the complainant, the rules
governing the formal aspects relating to the exercise of rights were reviewed, and it
was highlighted that the deadline for responding to the request had passed without the
complainant obtaining the response she was due from MERCADONA, concluding that
these facts could constitute an infringement of Article 83.5.b) of the RGPD and Article
74.c) of the LOPDGDD, for breach of the provisions of Article 12, paragraphs 2 and 3,
of the RGPD, in relation to Article 15 of the aforementioned Regulation, without
prejudice to the outcome of the investigation.
Moreover, the decision to initiate the procedure, after reproducing Article 6 of the
GDPR, which refers to the "lawfulness of the processing", emphasises that the removal
or "erasure" of the images to which the complainant's right of access refers constitutes
the processing of personal data.
On the deletion of images captured by video surveillance systems, paragraphs 1 to 3 of
Article 22 of the LOPDGDD are reproduced below.
The circumstances and purposes that determined the complainant's actions were
highlighted and it was emphasised that, despite this, MERCADONA proceeded to
delete the images requested by the complainant, in order to conclude that these facts
could constitute a breach of the provisions of Article 6 of the GDPR, in relation to
Article 22 of the LOPDGDD, constituting an infringement as defined in Article 83.5.a) of
the GDPR and 72.1.b) of the LOPDGDD ("The processing of personal data without
meeting any of the conditions of lawfulness of processing set out in Article 6 of
Regulation (EU) 2016/679").
In short, this Agency understands that the agreement to initiate proceedings has
allowed MERCADONA to know the facts that gave rise to the initiation of the
proceedings and their possible legal classification. Proof of this are the allegations
made by this entity, which are directly related to the above.
The alleged lack of defence cannot therefore be upheld. Defence with legal
significance arises only where the person concerned is unjustifiably prevented from
seeking protection of his rights and legitimate interests or where the infringement of
procedural or procedural rules results in the deprivation of the right to a defence, with
the consequent real and effective harm to the interests of the affected party by being
deprived of his right to allege, prove and, where appropriate, to reply to opposing
arguments (STC 31/1984, of 7 March, STC 48/1984, of 4 April, STC 70/1984, of 11
June, STC 48/1986, of 23 April, STC 155/1988, of 22 July, and STC 58/1989, of 16
March, among many others). It is worth mentioning STC 78/1999, of 26 April, which in
its Legal Basis 2, states:
"In order for a defence with constitutional relevance, which places the interested party at the
margin of any possibility of alleging and defending his or her rights in the proceedings, to be
considered a defence with constitutional relevance, it is not sufficient for a merely formal
infringement, as it is necessary that this formal infringement has a material effect of defence, an
effective and real impairment of the right of defence (STC 149/1998, legal ground 3), with the
consequent real and effective harm to the interested parties affected (SSTC 155/1988, legal
ground 4, and 112/1989, legal ground 2)".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
30/61
In any event, as MERCADONA rightly points out in its allegations, it is the resolution
proposal issued once the procedure has been carried out that establishes the facts that
are considered proven and their exact legal classification, determines the infringement
that they may constitute, the person or persons responsible and the proposed sanction.
This proposal must be notified to the interested party, who is granted a period in which
to make allegations and submit the documents and information deemed relevant. In no
case shall a decision be adopted without the interested party having had the
opportunity to express his or her views on all the points considered.
Therefore, the submissions made by MERCADONA do not contain any arguments that
would change this approach and the conclusion reached.
MERCADONA, in this case, has seen that all the guarantees for the interested party
provided for in the procedural regulations have been respected.
IV
Pursuant to Article 55 of the GDPR, the Spanish Data Protection Agency is competent
to perform the functions assigned to it in Article 57 of the GDPR, including enforcing
the Regulation and promoting awareness among controllers and processors of their
obligations, as well as dealing with complaints lodged by a data subject and
investigating the grounds for such complaints.
Article 31 of the GDPR establishes the obligation of controllers and processors to
cooperate with the supervisory authority on request in the performance of its tasks. In
the event that they have appointed a data protection officer, Article 39 of the GDPR
confers on the latter the task of cooperating with the supervisory authority.
Similarly, the domestic legal system, in Article 65.4 of the LOPDGDD, has provided for
a mechanism prior to the admission for processing of claims made to the Spanish Data
Protection Agency, which consists of transferring them to the data protection officers
designated by the data controllers or data processors, for the purposes provided in
Article 37 of the aforementioned law, or to the latter when they have not been
designated, so that they may proceed to analyse the claims and respond to them within
a period of one month.
In accordance with these regulations, prior to the admission for processing of the
complaint that gave rise to this procedure, the complaint was transferred to the entity
responsible so that it could proceed with its analysis, provide this Agency with a
response within a period of one month and accredit that it had provided the claimant
with the appropriate response, in the event of the exercise of the rights regulated in
Articles 15 to 22 of the GDPR.
The result of this transfer was not satisfactory. Consequently, on 16/04/2021, for the
purposes set out in Article 64.2 of the LOPDGDD, the Spanish Data Protection Agency
agreed to admit for processing the complaint that gave rise to the present proceedings.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
31/61
In the case of a claim for failure to respond to a request to exercise the rights
established in Articles 15 to 22 of the RGPD, in general, the procedure regulated in
Article 64.1 of the LOPDGDD is followed, according to which:
"Where the procedure relates exclusively to the failure to deal with a request for the exercise of
the rights laid down in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an
agreement on admissibility, which shall be adopted in accordance with the following Article.
In this case, the time limit for resolving the procedure shall be six months from the date on
which the claimant was notified of the decision to admit the claim for processing. Once this
period has elapsed, the interested party may consider their claim to have been upheld".
On the contrary, when the procedure does not relate exclusively to the fulfilment of a
request for the exercise of rights, it is appropriate to determine administrative liability in
the context of a sanctioning procedure, and it is the exclusive competence of this
Agency to assess whether there is administrative liability that should be determined in
a procedure of this nature and, consequently, to decide whether to initiate such a
procedure. Contrary to MERCADONA's allegations in its submissions, this
determination of responsibilities cannot be agreed in a proceeding for lack of attention
to rights.
This specific regime with regard to proceedings before data protection supervisory
authorities is also provided for in the GDPR. Chapter VIII of the GDPR is entitled
'Remedies, Liability and Sanctions', and the first article of Chapter VIII, Article 77(1),
provides for the right to lodge a complaint with a supervisory authority:
"Without prejudice to any other administrative or judicial remedy, every data subject shall have
the right to lodge a complaint with a supervisory authority, in particular in the Member State in
which he or she has his or her habitual residence, place of work or place of the alleged
infringement, if he or she considers that the processing of personal data relating to him or her
infringes this Regulation".
In turn, Article 79 of the same Regulation provides that 'without prejudice to any
available administrative or non-judicial remedy, including the right to lodge a complaint
with a supervisory authority pursuant to Article 77, every data subject shall have the
right to an effective judicial remedy where he/she considers that his/her rights under
this Regulation have been infringed as a result of the processing of his/her personal
data'.
Therefore, a 'complaint' from an individual may give rise to two types of proceedings,
one relating to breaches of the GDPR in general and the other to infringements of his
or her rights.
This distinction is also reflected in Title VIII of the LOPDGDD, which jointly regulates
the "proceedings in the event of a possible breach of data protection legislation". Thus,
its Article 63.1, "Legal regime", includes (a) procedures in the event of a breach of the
GDPR and the LOPDGDD itself and (b) those arising from a possible infringement of
data subjects' rights. The LOPDGDD does not provide for any additional type of
procedure in case of a possible breach of data protection law, so that all the functions
and powers that
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
32/61
The procedures provided by the GDPR to the supervisory authorities in Art. 57 and 58
GDPR will have to be exercised through these procedures in the event of a possible
breach of data protection law. No other procedures exist.
It follows, also taking into account art. 64 LOPDGDD, that when the procedure is
directed exclusively at the lack of attention to a request for the rights under articles 15
to 22 RGPD a complaint will be necessary, but that (art. 64.2 LOPDGDD) "[w]hen the
procedure is aimed at determining the possible existence of an infringement of the
provisions of Regulation (EU) 2016/679 and this organic law, it shall be initiated by
means of a commencement agreement adopted on its own initiative or as a result of a
complaint". In other words, both the GDPR and the LOPDGDD consider that a
complaint from an affected party may be the way or means of bringing a possible
infringement of data protection regulations to the attention of the supervisory authority,
but in no case does it restrict the supervisory authority's action to the specific and
concrete complaint of the affected parties.
To do otherwise would be inconsistent with the purpose and intention of the EU
legislator, expressly stated in the GDPR, that supervisory authorities should monitor
and enforce the GDPR, and with the provision in the GDPR that 'breaches' of data
protection law may be brought to light through 'complaints' which may go beyond the
individual complaints made.
In relation to this issue, MERCADONA has argued that in a case referring exclusively
to the failure to respond to a request for the exercise of rights, the procedure regulated
in Article 64.1 of the LOPDGDD, and it is not appropriate to open a disciplinary
procedure, the exceptional nature of which has been made clear by the AEPD in
various actions it cites, stating that "whenever possible, alternative mechanisms should
be chosen to prevail in the event that they are covered by the regulations in force..."
and that there must be elements that justify the initiation of the disciplinary procedure.
In this case, in the opinion of this Agency, as indicated in the opening agreement, there
are elements that justify the initiation of the sanctioning activity, considering that the
procedure provided for in article 64.1 of the aforementioned LOPDGDD would not duly
restore the guarantees and rights of the interested parties. In this case, the right
exercised was for the purpose of gaining access to images that the responsible entity
deleted before the complaint was filed, and therefore the processing of a procedure for
failure to address an exercise of the rights regulated in Articles 15 to 22 of the GDPR,
whose ultimate purpose is to resolve whether or not to address the right exercised, in
this case, whether or not to provide the complainant with images that no longer existed,
was pointless.
In addition, considering the circumstances described above, it appears that
MERCADONA's actions go beyond the failure to respond in time to the respondent's
request for access, and it was considered appropriate to analyse in this procedure the
scope, from the point of view of the protection of personal data, that should be given to
the processing of data consisting of the deletion of the images requested by the
complainant, their possible unlawfulness and the responsibility that this fact
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
33/61
may entail for the defendant entity. This is an extreme that can in no way be carried out
within the framework of the procedure regulated in article 64.1 of the LOPDGDD.
The respondent has also argued that there are similar precedents in which the AEPD
has followed the procedure regulated in Article 64.1 of the LOPDGDD and that the
CEPD itself, in its Guidelines 3/2019, pronounces in the same sense. However, both
the CEPD statement referred to by MERCADONA and the precedents cited, two of
which refer to requests to exercise rights formulated when the images had already
been deleted. In procedure number TD/01272/2017, the request for access is made on
14/04/2017 and requires images captured on 14/11/2016 (the complaint was rejected);
and file number TD/00955/2018 analyses a request dated 20/03/2018 in which the
interested party requests images captured on 25/11/2017 (the complaint was upheld as
the request for access was not answered by the data controller). The third precedent
cited, number TD/00830/2017, was upheld due to lack of response and, although the
complaint refers to access to images captured by a video surveillance system, the
request for access that gave rise to the complaint did not specify this object nor did it
refer to the date on which the alleged images were captured.
Thus, in those precedents there was no responsibility for the deletion of the data, one
of the cases being dismissed and in two of them only the lack of response within the
deadline was assessed, giving rise to a resolution that formally upholds the complaint
and obliges the entity complained of to duly respond to the respective complainant,
informing him/her in the sense expressed by the CEPD in those Guidelines (no data
exists).
With regard to the proceedings under number E/02434/2020, also cited by the
defendant, it should be noted that the decision to close the case took into account that
the facts transmitted were part of an alleged criminal conduct, for which there was a
legal case sub iudice, and that the circumstances that led to the removal of the images
were not known.
Finally, MERCADONA argues that there is no justification for initiating sanctioning
proceedings because only Article 12 has been breached in relation to the right of
access exercised, and argues that the alleged infringement is defined as "Failure to
respond to requests to exercise the rights established in Articles 15 to 22 of the
Regulation". As the respondent rightly states, this non-compliance constitutes an
infringement and gives rise to the determination of responsibilities. To understand that
this non-compliance can only be dealt with through the procedure for failure to comply
with rights is as much as to understand that this type of infringement does not apply in
any case.
Finally, it should be noted that no rule prevents the body exercising the sanctioning
power, when it determines the opening of a sanctioning procedure, always ex officio
(art. 63.1 Law 39/2015, of 1 October), from determining its scope in accordance with
the circumstances revealed, even if they do not strictly conform to the statements and
claims of the claimant. That is to say, the agreement to initiate the sanctioning
procedure is not constrained by the
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
34/61
complaint submitted by the individual. This does not occur in the case of procedures
processed at the request of the interested party, in which article 88.2 of the LPACAP
requires that the resolution be congruent with the requests made by the interested
party. Even in this case, the administration's power to initiate a new procedure ex
officio remains unaffected.
This same article 88 of the LPACAP, referring to the content of the decision, in section
1 establishes the obligation to decide on all the issues raised by the interested parties
and any others arising from the procedure, including related issues not raised by the
interested parties. This article expressly states the following:
"1. The decision terminating the procedure shall decide all the issues raised by the interested
parties and all other issues arising from the procedure.
In the case of related questions which have not been raised by the interested parties, the
competent body may rule on them, first making them known to the interested parties for a
period of no more than fifteen days, so that they may present the arguments they deem
relevant and provide, where appropriate, the means of proof.
In the sanctioning procedure, account shall also be taken of the facts that come to light
during its investigation, which shall be determined in the proposed decision, and may
lead to the modification of the charges contained in the agreement to initiate the
procedure or their legal qualification.
In this sense, when referring to the specialities of the decision in sanctioning
procedures, Article 90 of the LPACAP establishes:
"2. The decision may not accept facts other than those established in the course of the
proceedings, irrespective of their different legal assessment...".
V
The rights of individuals with regard to personal data protection are regulated in articles
15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. The rights of access,
rectification, erasure, opposition, the right to limitation of processing and the right to
portability are contemplated.
The formal aspects relating to the exercise of these rights are set out in Articles 12 of
the GDPR and 12 of the LOPDGDD.
Article 12 "Transparency of information, communication and procedures for exercising
rights" of the GDPR provides as follows:
"The controller shall take appropriate steps to provide the data subject with any information
referred to in Articles 13 and 14, as well as any communication pursuant to Articles 15 to 22
and 34 concerning processing, in a concise, transparent, intelligible and easily accessible form,
in clear and plain language, in particular any information specifically addressed to a child. The
information shall be provided in writing or by other means, including, where appropriate, by
electronic means. Where requested by the data subject, information may be provided orally,
provided that the identity of the data subject is proved by other means.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
35/61
2. The controller shall facilitate the data subject's exercise of his or her rights under Articles 15
to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the
request of the data subject for the purpose of exercising his or her rights under Articles 15 to
22, unless he or she can demonstrate that he or she is unable to identify the data subject.
3. The controller shall provide the data subject with information relating to its actions on the
basis of a request pursuant to Articles 15 to 22 without undue delay and in any event within one
month of receipt of the request. This period may be extended by a further two months if
necessary, taking into account the complexity and number of requests. The controller shall
inform the data subject of any such extension within one month of receipt of the request, stating
the reasons for the delay. Where the data subject submits the request by electronic means, the
information shall be provided by electronic means where possible, unless the data subject
requests otherwise.
4.If the controller does not act on the data subject's request, it shall inform the data subject
without delay, and at the latest within one month of receipt of the request, of the reasons for its
failure to act and of the possibility of lodging a complaint with a supervisory authority and of
taking legal action.
5.Information provided pursuant to Articles 13 and 14 as well as any communication and any
action taken pursuant to Articles 15 to 22 and 34 shall be free of charge. Where requests are
manifestly unfounded or excessive, in particular because of their repetitive character, the
controller may (a) charge a reasonable fee having regard to the administrative costs incurred in
providing the information or communication or taking the action requested, or (b) refuse to act
on the request. The controller shall bear the burden of demonstrating that the request is
manifestly unfounded or excessive.
6.Without prejudice to Article 11, where the controller has reasonable doubts as to the identity
of the natural person making the request referred to in Articles 15 to 21, the controller may
request the provision of additional information necessary to confirm the identity of the data
subject.
7.The information to be provided to data subjects pursuant to Articles 13 and 14 may be
transmitted in combination with standardised icons which provide an easily visible, intelligible
and clearly legible overview of the intended processing in an easily visible, intelligible and
clearly legible form. Icons presented in electronic form shall be machine-readable.
8.The Commission shall be empowered to adopt delegated acts in accordance with Article 92 to
specify the information to be presented through icons and the procedures for providing
standardised icons".
Article 12 "General provisions on the exercise of rights" states that
of the LOPDGDD, paragraphs 2 and 4, adds the following:
"The controller shall be obliged to inform the data subject of the means at his disposal to
exercise the rights to which he is entitled. The means must be easily accessible to the data
subject. The exercise of the right may not be refused on the sole ground that the data subject
has opted for another means".
"4. Proof of compliance with the duty to respond to the data subject's request to exercise his or
her rights shall lie with the data controller".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
36/61
Account is also taken of the provisions of Recitals 59 et seq. of the GDPR.
In accordance with the provisions of these rules, the controller must provide
arrangements and mechanisms to facilitate the exercise of the data subject's rights,
which shall be free of charge (without prejudice to Articles 12(5) and 15(3) of the
GDPR); it is obliged to respond to requests made within one month at the latest, unless
it can demonstrate that it is unable to identify the data subject; and to state its reasons
if it does not comply with the request.
It follows from the foregoing that the data subject's request to exercise his or her rights
must be answered in any case, with the controller bearing the burden of proof of
compliance with this duty.
This obligation to act does not apply where the controller can demonstrate that it is not
in a position to identify the data subject (in the cases referred to in Article 11(2) of the
GDPR). In cases other than those provided for in this Article, where the controller has
reasonable doubts as to the identity of the data subject, the controller may request
additional information necessary to confirm the identity of the data subject.
In this respect, Recital 64 of the GDPR is expressed in the following terms:
"(64) The controller should use all reasonable measures to verify the identity of data subjects
requesting access, in particular in the context of online services and online identifiers. The
controller should not retain personal data for the sole purpose of being able to respond to
possible requests".
As regards the right of access, the GDPR stipulates in Article 15 as follows:
"The data subject shall have the right to obtain from the controller confirmation as to whether or
not personal data relating to him or her are being processed and, if so, the right of access to the
personal data and to the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipients to whom the personal data have been or will be
disclosed, in particular recipients in third countries or international organisations;
d) if possible, the envisaged period of retention of personal data or, if not possible, the criteria
used to determine this period;
e) the existence of the right to request from the controller the rectification or erasure of personal
data or the restriction or objection to the processing of personal data relating to the data
subject;
f) the right to lodge a complaint with a supervisory authority;
g) where the personal data have not been obtained from the data subject, any available
information on their origin;
h) the existence of automated decisions, including profiling, as referred to in Article 22(1) and
(4), and, at least in such cases, meaningful information about the logic involved and the
significance and expected consequences of such processing for the data subject".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
37/61
2. Where personal data are transferred to a third country or to an international organisation, the
data subject shall have the right to be informed of the appropriate safeguards pursuant to
Article 46 concerning the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. The controller
may charge for any further copies requested by the data subject a reasonable fee based on the
administrative costs. Where the data subject makes the request by electronic means, and
unless the data subject requests otherwise, the information shall be provided in a commonly
used electronic format.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and
freedoms of others".
Like the other rights of the data subject, the right of access is a very personal right. It
allows the citizen to obtain information on how his or her data are being processed, the
possibility to obtain a copy of the personal data concerning him or her that are being
processed, as well as the information listed in the above-mentioned article.
In the present case, the complainant is a customer of the respondent entity. It is stated
that, on ***DATE.1, she visited the establishment of the responsible entity located at
***DIRECCION.1, for which reason her image was captured by the video-surveillance
system installed in that centre.
Subsequently, following the procedure provided by MERCADONA for the exercise of
personal data protection rights, the complainant exercised her right of access to her
personal data, specifically requesting the images captured by the security cameras (the
text of the request is as follows: "I attach a request for the right of access to the video
surveillance recordings of the MERCADONA establishment ***DIRECCION.1, (...)").
This right was exercised on ***DATE.2, using the form available on the Respondent's
website, under the "Customer Service" tab, attaching a file corresponding to the
request for access and a copy of the ID card.
In response to the submission of the above-mentioned form, the information system
sent the complainant a message with the text "Thank you, your comment has been
sent successfully".
After the established deadline, this request did not receive the legally required
response, which gave rise to the complaint that gave rise to the present procedure,
submitted on 31/12/2020.
The uncontested facts are (i) that the claimant exercised her right of access to her
personal data before MERCADONA, using one of the mechanisms provided by the
respondent itself, such as the form available on the company's website, which can also
be accessed via a link included in the Privacy Policy; and (ii) that this request for
access to personal data was not answered by the data controller within the established
period.
The aforementioned rules do not allow the request to be ignored as if it had not been
made, leaving it without the response that must necessarily be issued by the
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
38/61
The data subject shall be held responsible, even in the event that the data subject's
details do not exist in the entity's files or even in those cases in which they do not meet
the requirements, in which case the addressee of the request is also obliged to request
the rectification of the deficiencies observed or, where appropriate, reject the request,
stating the reasons for which the right in question should not be considered.
Therefore, the request that is made obliges the data controller, in any case, to give an
express reply to the data subject, informing him/her of the decision that has been taken
regarding the request for the exercise of rights, using any means that justifies the
receipt of the reply.
MERCADONA has not disputed that it received the complainant's request for the right
of access. However, it alleges an involuntary human error in the handling of the
request, which caused it not to reach the attention of the DPD or his team, and the
consequent lack of attention to the request. On this basis, he invoked the principle of
culpability, pointing out that so-called strict liability has no place in administrative
sanctioning law, so that the mere commission of an administrative infringement is not
sufficient when it comes to imposing an administrative sanction, as there must be wilful
or negligent conduct.
In this respect, it adds that it acts with the utmost diligence in all processes, that it has
a simple procedure for the exercise of rights through various channels, about which it
duly informs customers, and that it applies a procedure for processing applications that
has been error-free so far and about which it provides constant training to the persons
in charge, and which will be adjusted to avoid similar incidents.
According to the management process designed by MERCADONA, requests to
exercise rights are received by the Customer Service Department, which subsequently
transmits them to the DPD by means of a manual process. In this case, she alleges
that due to an involuntary human error, the complainant's request did not reach the
DPD, preventing it from being dealt with, and that this has given rise to the appropriate
disciplinary actions.
However, MERCADONA has not even explained what the alleged human error
consisted of. However, it appears from its written allegations that the claimant's request
was not dealt with because one of the managers of the Customer Service Department
("manager" in the terms of the entity itself) did not forward the request to the DPD. The
Agency understands that this is tantamount to not following up on the request, to not
processing it according to the internal channels designed by the same, which cannot
be admitted as an involuntary error.
The incident occurred within MERCADONA's sphere of responsibility and
MERCADONA must be held liable for it. In no way can the error alleged to have been
made be considered to exclude its liability, since, according to settled case law, the
existence of such an error cannot be considered to exist when it is attributable to the
person who suffers it or could have been avoided with the use of greater diligence. In
this case, the alleged error is incompatible with the diligence that the defendant is
obliged to observe.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
39/61
This diligence must be shown in the specific case under analysis, in respect of which
the error is alleged, and not in the general circumstances alleged by MERCADONA to
justify its diligent action, such as having procedures for managing applications for the
exercise of rights or the absence of errors in the past, nor the fact of having taken
measures to avoid future incidents. Nor can the training provided to the Respondent's
employees be taken as a circumstance that prevents the claimant from being held
liable for the specific irregular conduct.
In the specific case of the claimant, it cannot be accepted that the actions of the
respondent entity, in not processing the request for access to personal data, were
diligent. To admit that MERCADONA cannot be held liable for not responding to an
exercise of data protection rights, based on an alleged involuntary error consisting of
not processing the request, would be tantamount to admitting that the application of the
RGPD and the LOPDGDD can be ignored, undermining the entire system for
exercising rights established therein, which expressly contemplates the obligation to
respond to such requests in all cases and the consequences of not complying with this
regulatory requirement.
In this respect, it should be remembered that when the error is the result of a lack of
diligence, the standard is applicable. The Audiencia Nacional in its ruling of 21
September 2004 (RCA 937/2003), pronounced in the following terms:
"Furthermore, as regards the application of the principle of culpability, it follows (following the
criterion of this Chamber in other judgments such as that of 21 January 2004 in appeal
1139/2001) that the commission of the offence provided for in Article 44.3.d) can be either
intentional or negligent. And in this sense, if the error is a sign of a lack of diligence, the type of
offence is applicable, because although the principle of culpability governs in sanctioning
matters, as can be inferred from a simple reading of Art. 130 of Law 30/1992, the fact is that the
expression "simple failure to comply" in Art. 130.1 of Law 30/1992, allows the imposition of the
sanction, without doubt in cases of malice, and also in cases of negligence, in which failure to
comply with the duty of care is sufficient".
In this line, it is worth citing the SAN of 21 January 2010, in which the Audiencia
explains:
"The appellant also maintains that there was no culpability in his actions. It is true that the
principle of culpability prevents the admission of strict liability in administrative sanctioning law,
but it is also true that the absence of intentionality is secondary, since this type of infringement
is normally committed through negligent or culpable action, which is sufficient to include the
subjective element of culpability. XXX's actions are clearly negligent because... it must be
aware of... the obligations imposed by the LOPD on all those who handle personal data of third
parties. XXX is obliged to guarantee the fundamental right to the protection of personal data of
its clients and hypothetical clients with the intensity required by the content of the right itself".
The principle of culpability is required in the sanctioning procedure and thus STC
246/1991 considers liability without fault inadmissible in the field of administrative
sanctioning law. However, the principle of fault does not imply that only intentional or
voluntary action can be sanctioned, and in this regard, Article 28 of Law 40/2015 on the
Legal Regime of the Public Sector, under the rubric
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
40/61
"Responsibility", provides as follows:
"1. Only natural and legal persons, as well as, when a law recognises their capacity to act,
groups of affected persons, unions and entities without legal personality and independent or
autonomous estates, who are responsible for them through intent or negligence, may be
sanctioned for acts constituting an administrative offence.
The facts set out in the preceding Fundamento show that MERCADONA did not act
with the diligence to which MERCADONA was obliged, that it acted with a lack of
diligence. The Supreme Court (Judgments of 16 and 22/04/1991) considers that from
the element of guilt it follows "...that the action or omission, classified as an
administratively punishable offence, must, in any case, be imputable to its author,
through malice or recklessness, negligence or inexcusable ignorance". The same Court
reasons that "it is not sufficient... for exculpation from a typically unlawful conduct to
invoke the absence of fault" but it is necessary "that the diligence that was required by
the person alleging its non-existence has been used" (STS 23 January 1998).
Also connected with the degree of diligence that the data controller is obliged to display
in complying with the obligations imposed by the data protection regulations is the SAN
of 17/10/2007 (Rec. 63/2006), which stated: "(...) the Supreme Court has understood
that imprudence exists whenever a legal duty of care is disregarded, i.e. when the
offender does not behave with the required diligence".
Furthermore, the Audiencia Nacional, in matters of personal data protection, has
declared that "simple negligence or failure to comply with the duties that the Law
imposes on the persons responsible for files or data processing to exercise extreme
diligence is sufficient..." (SAN 29/06/2001).
It is therefore concluded, contrary to the objections raised by the defendant, that the
subjective element is present in the infringement found.
Consequently, in accordance with the evidence set out above, the aforementioned
facts constitute a breach of the provisions of Article 12(2) and (3) of the GDPR, in
relation to Article 15 of the aforementioned Regulation, which gives rise to the
application of the corrective powers granted to the Spanish Data Protection Agency by
Article 58 of the aforementioned Regulation.
Not demanding responsibility from MERCADONA for these facts would be tantamount
to emptying the rules governing the exercise of rights in the area of personal data
protection of their content.
It is relevant that the images captured by a video surveillance system must be deleted
within a maximum period of one month, in accordance with Article 6 of Instruction
1/2006, of 8 November, of the Spanish Data Protection Agency, on the processing of
personal data for surveillance purposes through camera or video camera systems. This
is the same period provided for the data controller to resolve the request to exercise
the right of access to such images.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
41/61
If we consider that the exercise of the right is subsequent to the capture of the images,
the date of expiry of the deadline for exercising the right will always be later than the
deadline for deleting the images. Therefore, if it were accepted that MERCADONA is
not responsible for the failure to comply with the right of access exercised by the
complainant, it would be tantamount to admitting that any data controller could evade
the data subject's right of access by claiming that the images had been deleted.
With regard to the precedents cited by the respondent, it should be noted that the two
cases in which the existence of an unintentional error was found are not similar to the
present case, as they refer to entry errors (E/01795/2011 and E/03468/2009). The third
of these precedents (PS/00724/2014) is resolved by this Agency, in relation to the
aspects highlighted by MERCADONA, according to the scheme followed in this act.
VI
MERCADONA, in addition to not providing access to the images of the security
cameras requested by the complainant, proceeded to delete them after 30 days had
elapsed since they were captured, as the company informed the complainant in an e-
mail addressed to her representative, who had previously warned of the lack of
response to the right of access ("We should add that none of the images from the
requested date are available (***DATE.1), all in accordance with art. 6 of Instruction
1/2006, of 8 November, of the AEPD, which establishes that "The data will be
cancelled within a maximum period of one month from their capture").
This erasure of the images constitutes processing of personal data, in accordance with
Article 4 of the GDPR, which, under the heading 'Definitions', provides as follows:
"(2) 'processing' means any operation or set of operations which is performed upon personal
data or sets of personal data, whether or not by automatic means, such as collection, recording,
organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or
combination, restriction, erasure or destruction.
In short, we are dealing with a "processing of data" ("erasure or destruction" of images)
subject to the legitimisation regime regulated by Article 6 of the GDPR "Lawfulness of
processing", which states the following:
"Processing shall only be lawful if at least one of the following conditions is met:
a) the data subject consented to the processing of his or her personal data for one or more
specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party
or for the implementation of pre-contractual measures at the request of the data subject;
c) the processing is necessary for compliance with a legal obligation applicable to the
controller;
d) processing is necessary in order to protect the vital interests of the data subject or of another
person
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
42/61
physics;
e) the processing is necessary for the performance of a task carried out in the public interest or
in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller
or by a third party, provided that such interests are not overridden by the interests or
fundamental rights and freedoms of the data subject which require the protection of personal
data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities
in the exercise of their functions.
2. Member States may maintain or introduce more specific provisions in order to adapt the
application of the rules of this Regulation with regard to processing in compliance with
paragraph 1(c) and (e) by setting out more precisely specific processing requirements and other
measures ensuring lawful and fair processing, including other specific processing situations
within the meaning of Chapter IX.
3. The basis for the processing referred to in paragraph 1(c) and (e) shall be established by:
a) Union law, or
b) the law of the Member States which applies to the controller.
The purpose of the processing shall be determined in that legal basis or, as regards processing
referred to in paragraph 1(e), shall be necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the controller. That legal basis
may contain specific provisions to adapt the application of rules of this Regulation, inter alia: the
general conditions governing the lawfulness of processing by the controller; the types of data
processed; the data subjects concerned; the entities to which personal data may be disclosed
and the purposes of such disclosure; purpose limitation; data retention periods as well as
processing operations and procedures, including measures to ensure lawful and fair
processing, such as those relating to other specific processing situations within the meaning of
Chapter IX. Union or Member State law shall meet a public interest objective and be
proportionate to the legitimate aim pursued.
4. Where processing for a purpose other than that for which the personal data were collected is
not based on the consent of the data subject or on Union or Member State law which
constitutes a necessary and proportionate measure in a democratic society to safeguard the
purposes referred to in Article 23(1), the controller shall, in order to determine whether
processing for another purpose is compatible with the purpose for which the personal data were
originally collected, take into account, inter alia:
a) any link between the purposes for which the personal data were collected and the purposes
of the intended further processing;
b) the context in which the personal data have been collected, in particular as regards the
relationship between the data subjects and the controller;
c) the nature of the personal data, in particular where special categories of personal data are
processed in accordance with Article 9 or personal data relating to criminal convictions and
offences in accordance with Article 10;
d) the possible consequences for data subjects of the intended further processing;
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation'.
In relation to the conservation of images captured by video surveillance systems, it is
necessary to take into account the provisions of Instruction 1/2006, of 8 November, of
the Spanish Data Protection Agency, on the processing of personal data for
surveillance purposes through camera or video camera systems.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
43/61
With the application of the GDPR, it must be considered that most of Instruction 1/2006
has been displaced, since the content of the same, such as the legitimisation or the
rights of individuals, is displaced by what is established in this respect by the European
standard.
However, the provisions of Article 6 of the aforementioned Instruction, which regulates
the retention period and refers to the obligation to "cancel" the personal data (the
images) within a maximum period of one month from their capture, may be considered
to remain in force. An interpretation in accordance with the GDPR, which does not
contemplate the cancellation but rather the deletion of personal data, means that this
maximum storage period of one month will not be one of cancellation but of deletion,
except in those cases in which they must be kept to prove the commission of acts that
threaten the integrity of persons, goods or installations.
Article 22 of the LOPDGDD, section 3, to which reference was made in the agreement
to initiate the procedure, also establishes certain rules regarding the deletion of images
captured by video surveillance systems. However, as MERCADONA rightly points out
in its statement of allegations, this provision regulates cases other than the one
analysed in the present proceedings, related to "the processing of images through
camera or video camera systems for the purpose of preserving the security of persons
and property, as well as of its facilities". This provision regulates video-surveillance
processing whose legitimisation lies in the existence of a public interest purpose that
can be included in article 6.1.e) of the Regulation, and not in the mere legitimate
interests of a private individual.
In accordance with the above, MERCADONA's removal of the images requested by the
complainant could be understood to be in accordance with the provisions of the
aforementioned Instruction 1/2006, as it was carried out within a maximum period of
one month from the date they were captured, that is to say, from ***DATE.1.
However, in the present case, there are other circumstances that must be considered
in the analysis of the lawfulness or unlawfulness of the deletion or erasure of personal
data.
The claimant suffered an accident in one of MERCADONA's establishments on
***DATE.1 and, four days later, on ***DATE.3, she reported the incident to
MERCADONA, informing them of their responsibility in the incident (...), the damage
caused by the incident to the claimant (...) and her protest at the lack of attention given
to the incident by MERCADONA's insurer (...). The claimant's intention to be
compensated for the accident suffered is clear in the complaint, which MERCADONA is
on record as having received and responded to the complaint on ***DATE.5
acknowledging receipt and informing the Customer Service Department of its transfer.
Such circumstances motivated the complainant's interest in having a copy of the
images captured by the security camera system installed in the establishment in
question, for which she exercised the right of access described above, on ***DATE.2,
also received by the Department of
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
44/61
Customer Service. In this request for the right of access to the images of the video
surveillance system, the complainant once again informs the respondent entity that her
request is motivated by the accident that took place at the centre in question and on
the date indicated.
All these circumstances were known to MERCADONA. In addition, on
***DATE.7, the claimant's representative sent an e-mail to this entity, in relation to the
aforementioned claim, advising of her "desire to request the corresponding
compensation according to the schedule".
These actions are considered to be sufficiently indicative of the need to keep the
images, especially because they were not made available to the complainant in
accordance with the right of access exercised. However, despite all this, MERCADONA
proceeded to delete the images requested by the complainant.
It is understood that there was an interest on the part of the complainant that justified
the processing of the repeated images beyond the period of one month set by
Instruction 1/2006, at least until the images were handed over to the complainant and
for this sole purpose.
The same would be true if the complainant had filed a lawsuit and MERCADONA had
decided to keep the images for the defence of its rights, in which case it would be
understood that the data processing would comply with the provisions of Article 6.1.f) of
the GDPR (processing is considered lawful when "necessary for the purposes of the
legitimate interests pursued by the controller").
It is necessary to take into account the doctrine of the Constitutional Court regarding
the restrictions to the fundamental right to data protection, analysed in its Judgement
292/2000, of 30 November. In this judgement, after configuring the fundamental right to
the protection of personal data as an autonomous and independent right consisting of a
power of disposal and control over personal data, which empowers the individual to
decide which of these data to provide to a third party or which this third party may
collect, and which also allows the individual to know who possesses these personal
data and for what purpose, being able to oppose this possession or use, it analyses the
limits of the same, pointing out the following:
"More specifically, in the aforementioned judgments on data protection, this Court has declared
that the right to data protection is not unlimited, and although the Constitution does not
expressly impose specific limits on it, nor does it refer to the Public Authorities for its
determination as it has done with other fundamental rights, there is no doubt that they must be
found in the other fundamental rights and constitutionally protected legal assets, since this is
required by the principle of unity of the Constitution (SSTC 11/1981, of 8 April, F. 7; 196/1987,
of 11 December [RTC 1987, 196] , F. 6; and with regard to art. 18, STC 110/1984, F.
5)".
In relation to this question, it must be considered that the ultimate aim pursued by the
non-removal of the images requested by the complainant, the owner of the data in
question, is to obtain proof of the damage caused to her own person, as a
consequence of an accident that occurred in a MERCADONA centre in which she was
injured due to possible negligence on the part of that entity.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
45/61
In this case, a collision between two fundamental rights arises: the right to privacy and
the right to
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
46/61
protection of personal data, derived from Article 18 of the Constitution and enshrined
as an autonomous right that informs the constitutional text by the aforementioned
Constitutional Court Ruling 292/2000, of 30 November; and the right to the effective
judicial protection of judges and courts, contained in Article 24.1 of the Spanish
Constitution ("All persons have the right to obtain the effective protection of judges and
courts in the exercise of their rights and legitimate interests, without, in any case, any
defencelessness"), which guarantees the access of all persons to judges and courts for
the defence of their rights.
The right to the protection of personal data yields in those cases in which it may entail
a reduction in the possibility of the data subject to provide the relevant means of proof
for his or her defence, thereby violating the guarantees derived from the
aforementioned right to effective protection and restricting the possibility of obtaining
the full development of this latter right.
Therefore, from the point of view of this Agency, there is a legal authorisation for the
processing of image data once the period established for their deletion has expired,
which is covered by Article 24 of the Constitution and its implementing regulations.
Following this premise, prevalence must be given to the right enshrined in Article 24 of
the Constitution, which guarantees citizens the effective judicial protection of judges
and courts, in the terms set out above.
As the Constitutional Court has consistently held (for example, STC 186/2000, of 10
July, citing many others) "the right to privacy is not absolute, as is none of the
fundamental rights, and may yield to constitutionally relevant interests, provided that
the restriction that it must undergo is necessary to achieve the intended legitimate aim,
proportionate to achieve it and, in any case, is respectful of the essential content of the
right".
The Constitutional Court has been demanding that any measure restricting rights must
be proportional. This is stated in Constitutional Court Ruling 14/2003 of 28 January:
"In other words, in accordance with the reiterated doctrine of this Court, the constitutionality of
any measure restricting fundamental rights is determined by strict observance of the principle of
proportionality. For the purposes of the present case, it is sufficient to recall that, in order to
check whether a measure restricting a fundamental right passes the proportionality test, it is
necessary to ascertain whether it meets the following three requirements or conditions: whether
the measure is likely to achieve the proposed objective (suitability test); whether, in addition, it
is necessary, in the sense that there is no other more moderate measure for the achievement of
that purpose with equal effectiveness (necessity test); and, finally, whether it is weighted or
balanced, as it derives more benefits or advantages for the general interest than harm to other
conflicting goods or values (proportionality test in the strict sense; SSTC 66/1995, of 8 May [
RTC 1995, 66], F. 5; 55/1996, of 28 March [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, of 16
March [RTC 1996, 55], FF. 7, 8 and 9; 270/1996, of 16 March [RTC 1996, 57], FF. 8 and 9.
December [RTC 1996, 270], F. 4.e; 37/1998, of 17 February [RTC 1998, 37], F. 8; 186/2000,
of 10 July [RTC 2000, 186], F. 6)".
This principle of proportionality is respected in this case, in which the images
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
47/61
captured by MERCADONA's video surveillance cameras constitute valid and adequate
evidence for the defence of the claimant's interests.
In this respect, Article 299 of Law 1/2000, of 7 January, on Civil Proceedings, indicates
which are the means of evidence that may be used in court, establishing in its number
2 the following:
"Means of reproduction of speech, sound and image, as well as instruments for recording and
knowing or reproducing words, data, figures and mathematical operations carried out for
accounting or other purposes, relevant to the proceedings, shall also be admissible in
accordance with the provisions of this Act".
Article 265 determines the time at which such documents must be produced, providing
as follows:
1. Any claim or defence shall be accompanied by:
1o. The documents on which the parties base their right to the judicial protection they are seeking.
2o. The means and instruments referred to in paragraph 2 of Article 299, if they form the basis of
the claims for guardianship formulated by the parties.
(...)".
In this case, the proof of the causation of the damage, as well as the determination of
the person against whom the claim will be directed, is to be found in the images
captured by the cameras, whose contribution to the proceedings with the claim seems
necessary, so that the right to effective protection must prevail in this case over the
right to data protection.
The scope of the right to judicial protection in relation to evidence has been addressed,
among others, in STC 212/2013, of 16 December, in which reference is made, citing
STC 88/2014, of 28 May, to "the intimate relationship of the right to evidence with other
rights guaranteed in art. 24 CE. Specifically, in our constitutional doctrine we have
emphasised the connection of this specific constitutional right with the right to effective
judicial protection (art. 24.1 CE), the scope of which includes questions relating to
evidence (SSTC 89/1986, of 1 July, FJ 2; 50/1988, of 22 March, FJ 3; 110/1995, of 4
July, FJ 4; 189/1996, of 25 November, FJ 3; and 221/1998, of 24 November, FJ 3), and
with the right of defence (art. 24. 24.2 CE), of which it is inseparable (SSTC 131/1995,
of 11 September, FJ 2; 1/1996, of 15 January, FJ 2; and 26/2000, of 31 January, FJ 2)''
(STC 19/2001, of 29 January, FJ 4; and, in the same sense, STC 133/2003, of 30
June, FJ 3)". In the aforementioned SSTC 19/2001 and 133/2003, the Constitutional
Court pointed out that "it has been precisely this inseparable connection (with the other
fundamental rights mentioned, in particular the right to obtain effective judicial
protection), which has allowed us to affirm that the essential content of the right to use
the relevant means of proof is made up of the legal power recognised to those who
intervene as litigants in a process to provoke the procedural activity necessary to
achieve the conviction of the judicial body on the existence or non-existence of the
relevant facts for the decision of the conflict which is the object of the process (for all,
STC 37/2000, of 14 February, FJ 3)".
The arguments put forward by MERCADONA in its allegations to the motion for
resolution are based on the erroneous assumption that the entity
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
48/61
"did not have any record of the request for access", a circumstance to which he
repeatedly refers. However, as stated above, the request to exercise the right of
access was correctly received by the aforementioned entity.
And not only that. It is also proven that MERCADONA received the complaint about the
accident suffered by the claimant, addressed to the same department that received the
request for access to the images captured by the video surveillance system.
To comply with both of the complainant's initiatives entailed the conservation of the
images, even though this would have meant exceeding the legal time limit, and this
conservation would be in accordance with the principles of necessity and
proportionality in this specific case.
Therefore, this does not impose a general obligation on the responsible entity to
preserve and monitor all images in order to assess the need for preservation, which is
present in this case in view of the circumstances described above.
It should be borne in mind that that request for access and the complainant's complaint
were submitted to the entity responsible before the images were deleted, unlike the
case analysed in the ECDC Guidelines 3/2019 to which MERCADONA refers in its
allegations, which refers to a request for access made when the images had already
been deleted. Thus, it is not understood that MERCADONA alleges that the Agency
relies on circumstances that "the entity has no reason to be aware of", given that these
circumstances were known to MERCADONA.
It is true that MERCADONA's statement that it would have been different if it had
delivered the images to the complainant before the expiry of the legal conservation
period, but this was not the case due to the respondent's own conduct, and not
precisely because it had not received the request.
This same entity states in its allegations that "If a data subject exercises the right of
access during the period in which the data controller retains the images, it must be
complied with, and the images must be retained, even if there is a formal defect in the
request, precisely so that when this is rectified, the right can be satisfied".
He then adds, once again, "But in this case, the request did not reach the person
responsible, so it could not be kept", when we already know that the request for access
did reach him.
The defendant also understands its right to keep the images beyond the time limit for
the defence of its own rights.
On the other hand, it denies that there is in this case a collision of rights (protection of
personal data and effective judicial protection) that had to be weighed up by the data
controller and does so by arguing once again that this would not have occurred if it had
been aware of the data subject's request. It states that "If the request had been
received, the data subject would have had a response in due time and form, without
the need to keep the images longer than the established time or to seek any basis for
the request".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
49/61
of additional standing", without considering that it did receive the request, that the fact
that it was not passed on internally to the unit responsible for processing it does not
mean that it did not receive the request and that all of this is within its exclusive sphere
of responsibility.
The conclusion set out here does not imply any change with respect to the general
obligation that the law imposes on data controllers to erase personal data when they
are no longer necessary for the purpose for which they were collected or, in the case of
images captured by video surveillance systems, when the established time limit has
elapsed.
The aforementioned reasons prevail over the obligation to delete the images within a
maximum period of one month after they were captured, with the result that, once the
need to retain and proportionality of retaining the images has been concluded, the
processing of personal data consisting of the deletion or suppression of such images is
carried out without a legal basis to legitimise it, in clear violation of the provisions of
Article 6 of the GDPR. This breach gives rise to the application of the corrective powers
that Article 58 of the aforementioned Regulation grants to the Spanish Data Protection
Agency.
The infringement of the provisions of Article 6 of the GDPR occurs independently of the
lack of attention to the right of access exercised by the complainant. The two
infringements are the result of separate conduct which must be punished separately.
VII
In the event of a breach of the precepts of the GDPR, among the corrective powers
available to the Spanish Data Protection Agency, as supervisory authority, Article 58.2
of the Regulation provides for the following:
"2 Each supervisory authority shall have all of the following remedial powers listed below:
(...)
(b) issue a warning to any controller or processor where processing operations have infringed
the provisions of this Regulation;".
(...)
(d) instruct the controller or processor to ensure that processing operations are carried out in
accordance with the provisions of this Regulation, where applicable, in a specified manner and
within a specified period of time;
(...)
(i) impose an administrative fine in accordance with Article 83, in addition to or instead of the
measures referred to in this paragraph, according to the circumstances of each individual
case;'.
Pursuant to Article 83(2) of the GDPR, the measure provided for in (d) above is
compatible with the sanction of an administrative fine.
VIII
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
50/61
In accordance with the evidence set out above, it is considered that the facts set out
above do not comply with the provisions of Articles 12, in relation to Article 15, both of
the GDPR; and with the provisions of Article 6 of the same Regulation; which entails
the commission of two infringements typified, respectively, in sections 5.a) and 5.b) of
the GDPR.
5(b) of Article 83 of the GDPR.
Article 83(5)(a) and (b) of the GDPR, under the heading 'General conditions for the
imposition of administrative fines', provides as follows:
"5. Infringements of the following provisions shall be punishable, in accordance with paragraph
2, by administrative fines not exceeding EUR 20 000 000 or, in the case of an undertaking, not
exceeding 4 % of the total annual aggregate turnover in the preceding financial year, whichever
is the greater:
a) the basic principles for processing, including the conditions for consent within the meaning of
Articles 5, 6, 7 and 9;
b) the rights of the persons concerned within the meaning of Articles 12 to 22".
On the other hand, Article 71 of the LOPDGDD considers any breach of this Organic
Law to be an infringement:
"The acts and conduct referred to in Article 83(4), (5) and (6) of Regulation (EU) 2016/679, as
well as those which are contrary to this organic law, shall constitute infringements."
Section 1.b) of Article 72 of the LOPDGDD considers this to be "very serious" for the
purposes of the statute of limitations:
"Pursuant to Article 83(5) of Regulation (EU) 2016/679, infringements which constitute a
substantial breach of the Articles mentioned therein, in particular the following, shall be
considered very serious and shall be subject to a three-year statute of limitations:
(b) the processing of personal data without one of the conditions for lawful processing set out in
Article 6 of Regulation (EU) 2016/679 being met.
And section c) of Article 74 of the LOPDGDD considers infringements of a merely
formal nature of the articles mentioned in Article 83.5 of the RGPD to be a "minor"
infringement for the purposes of the statute of limitations and, specifically:
"(c) failing to comply with requests to exercise the rights laid down in Articles 15 to 22 of
Regulation (EU) 2016/679, unless the provisions of Article
72.1.k) of this Organic Law".
In order to determine the administrative fine to be imposed, the provisions of Articles
83.1 and 83.2 of the GDPR must be observed, which state:
"Each supervisory authority shall ensure that the imposition of administrative fines under this
Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 are in each
individual case effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual
case, in addition to or instead of the measures referred to in points (a) to (h) and (j) of Article
58(2). When deciding on the imposition of an administrative fine and the amount thereof
C/ Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
51/61
in each individual case shall be duly taken into account:
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or
purpose of the processing operation concerned as well as the number of data subjects
concerned and the level of damage they have suffered;
b) the intentional or negligent nature of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by data
subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or
organisational measures they have implemented pursuant to Articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement
and mitigate the possible adverse effects of the infringement;
g) the categories of personal data concerned by the infringement;
h) the manner in which the supervisory authority became aware of the breach, in particular
whether and to what extent the breach was notified by the controller or processor;
i) where the measures referred to in Article 58(2) have previously been ordered against the
controller or processor concerned in relation to the same matter, compliance with those
measures;
j) adherence to codes of conduct under Article 40 or to certification schemes approved under
Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such
as financial gain or loss avoided, directly or indirectly, through the infringement.
For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD
is available:
"The penalties provided for in Article 83(4), (5) and (6) of Regulation (EU) 2016/679 shall be
applied taking into account the graduation criteria set out in paragraph 2 of that Article.
2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be
taken into account:
a) The continuing nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) Profits made as a result of the commission of the offence.
d) The possibility that the conduct of the person concerned could have led to the commission of
the infringement.
e) The existence of a process of merger by absorption subsequent to the commission of the
infringement, which cannot be imputed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, where not mandatory, a data protection officer.
h) The submission by the data controller or data processor, on a voluntary basis, to alternative
dispute resolution mechanisms, in those cases in which there are disputes between them and
any interested party".
In addition to the above, consideration should be given to Article 83(1) of the GDPR,
according to which "Each supervisory authority shall ensure that the imposition of
administrative fines in accordance with this Article for infringements of this Regulation
as referred to in paragraphs 4, 5 and 6 are in each individual case effective,
proportionate and dissuasive".
In accordance with the above-mentioned provisions, for the purposes of setting the
amount of the penalty to be imposed, the following shall be applied
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
52/61
impose in the present case, it is considered that the penalty to be imposed should be
graduated in accordance with the following criteria set out in the transcribed precepts:
1. Infringement of Article 12, in conjunction with Article 15, both of the GDPR, as
defined in Article 83(5)(b) and classified as minor for the purposes of the statute of
limitations in Article 83(5)(b).
74.c) of the LOPDGDD:
The following graduation criteria are considered as aggravating factors:
. Article 83(2)(a) of the GDPR: '(a) the nature, gravity and duration of the breach,
taking into account the nature, scope or purpose of the processing operation
concerned as well as the number of data subjects concerned and the level of
damage they have suffered'.
. The nature of the infringement, insofar as the failure to respect the right of
access, by its content, has an impact on the complainant's ability to exercise
real control over her personal data.
In relation to the right of access and its configuration as a gateway to other
rights, the CJEU, in its ruling of 07/05/2009, handed down in Case C-553/07,
analysing the Directive at the time and equally valid now for the GDPR, states
the following:
"51 That right of access is indispensable to enable the data subject to exercise the
rights provided for in Article 12(b) and (c) of the directive, namely, where necessary,
where the processing does not comply with the provisions of the directive, to obtain
from the data controller rectification, erasure or blocking of the data (subparagraph
(b)), or to notify third parties to whom the data have been disclosed of any
rectification, erasure or blocking carried out, if this is not impossible or would involve a
disproportionate effort (subparagraph (c)). 52 The right of access is also a necessary
condition for the exercise by the data subject of the right to object to the processing of
his personal data, provided for in Article 14 of the Directive, as it is for the right to
bring an action for damages, provided for in Articles 22 and 23 of the Directive.
. The level of damages suffered by the interested parties, insofar as the failure
to comply with the right of access led to the non-delivery of the images
requested by the complainant, which prejudiced her ability to defend herself in
relation to the accident she had suffered in one of the respondent's centres.
. Article 83(2)(b) of the GDPR: "(b) intentional or negligent breach".
Negligence in the commission of the infringement, taking into account that
MERCADONA not only failed to respond to the right exercised by the complainant,
but did not even provide any response to the request made by the complainant
within the deadline. This response did not take place until after the images in
question had been deleted, so that the failure to exercise the right has led to a loss
of availability and control over the data.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
53/61
This circumstance highlights MERCADONA's negligent conduct. In this respect,
we take into account what is stated in the Judgment of the Audiencia Nacional of
17/10/2007 (rec. 63/2006) which, based on the fact that these are entities whose
activity involves continuous data processing, indicates that "...the Supreme Court
has understood that imprudence exists whenever a legal duty of care is
disregarded, i.e. when the offender does not behave with the required diligence.
And in assessing the degree of diligence, the professionalism or otherwise of the
subject must be weighed up, and there is no doubt that, in the case under
examination, when the appellant's activity involves constant and abundant
handling of personal data, it is necessary to insist on rigour and exquisite care to
comply with the legal provisions in this respect".
It is a company that processes personal data systematically and continuously and
must take great care in complying with its data protection obligations.
This Agency understands that diligence must be deduced from conclusive facts,
which are duly accredited and directly related to the elements that make up the
infringement, in such a way that it can be deduced that the infringement has taken
place despite all the means available to the responsible party to avoid it. In this
case, MERCADONA's actions are not of this nature.
. Article 83(2)(g) of the GDPR: '(g) the categories of personal data concerned by
the breach'.
Although "Special categories of personal data", as defined by the GDPR in Article
9, have not been affected, the personal data to which the proceedings relate (the
complainant's image) is of a particularly sensitive nature, as it allows for the early
identification of data subjects and increases the risks to their privacy.
. Article 76.2.b) of the LOPDGDD: "b) The linking of the offender's activity with the
processing of personal data".
The strong link between the offender's activity and the processing of personal data,
especially with regard to the indiscriminate capture of images of customers by the
video surveillance systems installed in its establishments. Consideration is given to
the level of implementation of the entity and the activity it carries out, in which the
personal data of thousands of data subjects are involved. This circumstance
determines a higher degree of exigency and professionalism and, consequently, of
the responsibility of the entity complained of in relation to the processing of the
data.
. Article 83(2)(k) of the GDPR: '(k) any other aggravating or mitigating factor
applicable to the circumstances of the case, such as financial benefit gained or
loss avoided, directly or indirectly, through the infringement'.
. MERCADONA's status as a large company and its turnover. It is on record in
the proceedings that this entity has (...).
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
54/61
The following circumstances are also considered as extenuating circumstances:
. Article 83(2)(d) of the GDPR: '(d) the degree of responsibility of the controller or
processor, taking into account the technical or organisational measures which they
have implemented pursuant to Articles 25 and 32'.
The accused entity has adequate procedures in place for handling requests for the
exercise of rights, so that the infringement is the result of an anomaly in the
operation of those procedures which affects only the defendant.
Considering the factors set out above, the value of the fine for the infringement of
Article 12 of the GDPR is 70,000 euros (seventy thousand euros).
2. Infringement for failure to comply with the provisions of Article 6 of the RGPD,
typified in Article 83.5.a) and classified as very serious for statute of limitations
purposes in Article 72.1.b) of the LOPDGDD:
The following graduation criteria are considered as aggravating factors:
. Article 83(2)(a) of the GDPR: '(a) the nature, gravity and duration of the breach,
taking into account the nature, scope or purpose of the processing operation
concerned as well as the number of data subjects concerned and the level of
damage they have suffered'.
. The nature and seriousness of the infringement, insofar as the definitive
erasure of the images captured by the video surveillance system, in this case,
affects the complainant's ability to exercise real control over her personal data
insofar as it limits her ability to act in defence of her rights; and limits any
subsequent intervention by this Agency in order to remedy the lack of attention
to the right of access or by the courts with regard to the actions that the
complainant could bring against MERCADONA for possible compensation for
damages.
. The level of damages suffered by the complainant concerned, insofar as the
removal of the images has impaired her ability to defend herself, as expressed
in the previous paragraph.
MERCADONA argues that the complainant's complaint cannot be linked to a legal
obligation to keep the images and that it is not the obligation of the person in
charge to keep the images of every event that has occurred, without the person
having requested the images, just in case he/she might request them. However,
this is not the case here, in which the complainant had indeed requested the
images on the occasion of an accident that occurred in a centre of the
aforementioned entity.
. Article 83(2)(b) of the GDPR: "(b) intentional or negligent breach".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
55/61
The negligence found in the commission of the infringement, bearing in mind that
MERCADONA deleted the images despite being aware that the complainant
reported the accident and the damage suffered to MERCADONA, and requested
access to those images for that reason.
According to the Respondent, this cannot be affirmed because "the entity was not
aware of the access request made". Once again, MERCADONA raises the issue
as if the request for access had not existed, despite the fact that it is not disputed
that MERCADONA received such a request. The fact that it was not properly
processed, as the request was not passed on internally to the person or unit
responsible for handling it, cannot be treated as something beyond the control of
the responsible entity itself.
In assessing this negligence, account is also taken of the circumstances set out in
paragraph 1 above.
. Article 83(2)(g) of the GDPR: '(g) the categories of personal data concerned by
the breach'.
As has already been pointed out, the personal data to which the proceedings refer
(image of the complainant) is of a particularly sensitive nature.
. Article 76.2.b) of the LOPDGDD: "b) The linking of the offender's activity with the
processing of personal data".
The strong link between the offender's activity and the processing of personal data,
already justified in relation to the previous offence.
. Article 83(2)(k) of the GDPR: '(k) any other aggravating or mitigating factor
applicable to the circumstances of the case, such as financial benefit gained or
loss avoided, directly or indirectly, through the infringement'.
. MERCADONA's status as a large company and its turnover, according to the
details set out above.
The following circumstances are also considered as extenuating circumstances:
. Article 83(2)(d) of the GDPR: '(d) the degree of responsibility of the controller or
processor, taking into account the technical or organisational measures which they
have implemented pursuant to Articles 25 and 32'.
The infringement is an anomaly affecting only the defendant.
Considering the factors set out in this second part, the value of the fine for the
infringement of Article 6 of the GDPR is 100,000 euros (one hundred thousand euros).
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
56/61
MERCADONA did not make any allegation on the factors for the graduation of the
sanctions in its submissions to the opening of the procedure. However, in its written
statement it emphasised that it had contacted the complainant, through her
representative, and reached an agreement that compensated the damages suffered as
a result of the accident and those arising from the failure to comply with her right of
access to her personal data.
Furthermore, it states that disciplinary measures were adopted internally, as well as
technical and organisational measures, to prevent a similar error from occurring in the
future and to ensure that requests made through the web form are sent to the DPD.
These measures are insufficient to "remedy the breach and mitigate the possible
adverse effects of the breach", according to the terms of Article 83(2)(f) of the GDPR,
or "to mitigate the damage suffered by data subjects" as a result of the breach,
according to paragraph 2(c) of the same article. Mitigating the adverse effects or
mitigating the damage caused by the infringements implies restoring the rights of the
data subjects, which in this case is not possible because of the deletion of the images.
Nor can the cessation of the conduct in breach of the legal system be considered as a
mitigating factor in any case.
On the other hand, it cannot be accepted that an out-of-court agreement between the
complainant and the respondent can avoid the application of the regulation and the
demand for the responsibilities resulting from the facts established. This would be
tantamount to emptying the personal data protection regulation of its content.
If we add to this that sanctions must be "in each individual case" effective,
proportionate and dissuasive, in accordance with the provisions of Article 83.1 of the
GDPR, this agreement cannot be admitted as a mitigating factor. It would be an
artificial reduction of the sanction that could lead to the understanding that infringing
the rule would not produce a negative effect proportional to the seriousness of the
infringing act.
On this issue of compensation for the damage alleged by the Respondent, reference is
made to what is indicated in Ground II.
Subsequently, in the allegations to the draft decision, MERCADONA questions the
aggravating circumstances considered and argues that these same aggravating
circumstances should be assessed as mitigating circumstances.
Thus, it alleges that there is only one affected party and that it is not a structural
infringement that lasts over time, despite the fact that these graduation factors have
already been considered by this Agency as mitigating factors; and it insists on the
"repair" of damages carried out and the measures adopted, on which this Agency has
already ruled, without MERCADONA providing any argument that undermines what
has been indicated in this resolution in this regard.
On the other hand, it denies the alleged negligence and its professionalism in the
processing of personal data, but again it does not put forward sufficient counter-
arguments to overcome the above.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
57/61
In relation to the degree of diligence that should be required of MERCADONA, given its
level of professionalism and high level of involvement in the processing of personal
data, it should be noted that the entity itself, in its allegations in the opening of the
procedure, as an argument to justify the extent of the involuntary error alleged,
highlighted the large amount of personal data that it processes.
On the other hand, none of the factors considered is attenuated by the fact that the
defendant entity has not been subject to sanctioning proceedings before, a
circumstance that has been alleged by the defendant entity to be considered as an
attenuating circumstance.
In this respect, the NA Judgment of 05/05/2021, rec. 1437/2020, indicates:
"On the other hand, it considers that the fact that no previous infringement has been committed
should be taken into account as a mitigating circumstance. Article 83.2 of the GDPR establishes
that the imposition of the administrative fine must take into account, inter alia, the circumstance
"(e) any previous infringement committed by the controller or processor". This is an aggravating
circumstance; the fact that it does not meet the requirements for its application means that it
cannot be taken into consideration, but it does not imply or permit, as the plaintiff claims, its
application as a mitigating circumstance".
According to the aforementioned Article 83.2 of the GDPR, when deciding on the
imposition of an administrative fine and its amount, "any previous infringement
committed by the person responsible" must be taken into account. This is a regulatory
provision that does not include the absence of previous infringements as a factor in the
graduation of the fine, which should be understood as a criterion close to recidivism,
albeit broader.
The defendant also states that personal data relating to images do not constitute
special categories of data, which is already considered in this act, since otherwise the
proven facts would constitute an infringement other than the one alleged. However, this
does not imply that the personal image is considered to increase the risks to privacy in
the assessment of the infringement.
IX
Infringements in the matter in question may give rise to the imposition on the controller
of the obligation to take appropriate measures to bring its actions into compliancewith the
regulations referred to in this act, in accordance with the provisions of the
aforementioned Article 58(2)(d) of the GDPR, according to which each supervisory
authority may "order the controller or processor to bring processing operations into
compliance with the provisions of this Regulation, where applicable, in a specified
manner and within a specified period of time...".
In this case, the responsible entity should be required, within the period indicated in the
operative part, to adapt the processing operations it carries out and the mechanisms
and procedures it follows to deal with requests from data subjects to exercise their
rights, with the scope expressed in the grounds of law of this resolution, to the personal
data protection regulations. Thus, it shall establish mechanisms to ensure that the
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
requests for
58/61
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
59/61
In the case of requests for access to images captured by its video-surveillance
systems, the images to which these requests refer shall be deleted before the right has
been exercised and before the competent bodies can review, where appropriate, the
decisions adopted by MERCADONA in this regard.
It should be noted that failure to comply with the requirements of this body may be
considered a serious administrative offence for "failing to cooperate with the
supervisory authority" in response to the requirements made, and such conduct may
be assessed when opening an administrative sanctioning procedure with a financial
fine.
X
MERCADONA, in its statement of allegations to the proposed resolution, in the event
that voluntary payment and acknowledgement of liability is made at any time prior to
the resolution, requests the application of a 40% discount on the fine. However, as of
this date, there is no record that said entity has proceeded to voluntary payment, nor
has any letter been received by this Agency in which the entity acknowledges its
liability for the facts that have given rise to the proceedings.
In any event, this Agency does not share the interpretation of article 85 of Law 39/2015
(LPACPA) that MERCADONA puts forward in its statement of allegations, in relation to
the time at which liability must be recognised in order for the reduction provided for to
be applicable.
In the opinion of this Agency, this acknowledgement, as stated in the initiation
agreement, should be expressed at the start of the procedure, during the period for
submitting allegations at the start of the procedure. This is in accordance with the
provisions of the aforementioned article 85 of Law 39/2015, according to which the
acknowledgement of liability must occur "when the procedure is initiated" in order for
the reduction of 20% of the penalty to be applicable, unlike what is expressly
established in relation to the discount for voluntary payment of the penalty, which may
be applied when said payment is made at any time prior to the resolution. If the
aforementioned provision has distinguished the conditions in the two methods of
voluntary termination of the procedure indicated, no interpretation should equate these
conditions as if there were no differences in their regulation.
Article 85.2 of the LPACAP refers expressly and solely to voluntary payment, and not
to the recognition of liability, determining that such payment may be made at any time
prior to the resolution. Thus, it is not possible to distinguish or oblige where the Law
does not distinguish or oblige. Furthermore, Article 85.3 states that "In both cases,
when the sanction is solely of a pecuniary nature, the body competent to resolve the
procedure shall apply reductions of at least 20 % of the amount of the proposed
sanction, which may be cumulative. The aforementioned reductions must be specified
in the notification of the initiation of the procedure and their effectiveness shall be
conditional upon the withdrawal or waiver of any administrative action or appeal against
the sanction".
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
60/61
implies that both must be in the initiation agreement (reference of article 85.1 to 64 of
the LPACAP), so it does not contemplate that both reductions are in the resolution
proposal or that they can be paid cumulatively at any time prior to the resolution.
This is also the understanding of the Audiencia Nacional, Sala de lo Contencioso-
administrativo, Sección 1a, which in its Judgment of 05/02/2021, Rec. 41/2019,
indicates that voluntary payment can take place at any time prior to the resolution,
while the reduction for recognition of liability is linked to the agreement of initiation and
to the provision of article 64.2.d) of Law 39/2015:
"With regard to the infringement of the provisions of Articles 64 and 85 of Law 39/2015, which
provide for the possibility of recognising liability at the time of notification of the decision to
initiate the procedure (Article 64.2.d) and availing oneself of the reductions provided for in
Article 85, in the decision to initiate the procedure there is an express reference to those
articles, indicating that paragraphs 2 and 3 of Article 85 are not applicable; furthermore, at no
time has the applicant shown its willingness to acknowledge liability for the infringement
penalised and avail itself of the possibility established in those articles (voluntary payment may
be made at any time prior to the decision), and therefore this argument must also be
dismissed" .
The purpose is also different for each one of those modes of termination of the
procedure. In the case of the recognition of liability (Article 85.1), the aim is to achieve
greater efficiency in administrative action with a rapid completion of the procedure,
which is also associated with the waiver of the administrative appeal. This implies a
saving of time, effort and, therefore, of costs, which subsidises the recognition of
liability with a 20% reduction. The position defended by MERCADONA does not
achieve this aim, as the procedure would be carried out in its entirety, which is why this
reduction is not obtained.
In the case of voluntary payment (Article 85(2)) the purpose is different, since in this
case it is referred to as "at any time prior to the decision".
On this issue, the provisions of other sanctioning regimes, such as those mentioned by
MERCADONA in its allegations, do not condition the regulations applicable to this
procedure, nor do they prevail over them. Furthermore, some of the regulations cited
by MERCADONA in this regard do not establish that the recognition of liability entails
the application of a discount, even if it occurs after the proposed decision and before
the decision, as in the case of Law 16/1987, of 30 July, on Land Transport
Organisation (LOTT), article 146.3 of which only refers to voluntary payment:
"Payment of the financial penalty prior to the issuing of the sanctioning decision shall imply
conformity with the facts denounced and the waiver of the interested party to make allegations
and the termination of the procedure, although an express decision must nevertheless be
issued.
The case of Law 7/2014, of 23 July, on the Protection of Consumers and Users of the
Balearic Islands, is no different when it establishes the application of a
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
61/61
reduction "if the allegedly liable party agrees to the content of the resolution of initiation
and justifies the payment of the aforementioned amount during the fifteen days
following its notification"; although it expressly contemplates the application of a lower
reduction if the agreement is given in relation to the content of the proposed resolution,
which Law 39/2015 does not do.
MERCADONA also considers that its interpretation of the aforementioned provision is
supported by the courts, and cites three judgments. Two of these, STS 232/2021, of 18
February, (appeal 2201/2020), and that handed down by the High Court of Justice of
Madrid, Chamber for Contentious-Administrative Proceedings, no. 79/2020, of 6
February, do not contain the pronouncement expressed by the claimant. 79/2020, of 6
February, do not contain the pronouncement expressed by the respondent (the STS
establishes as a doctrine "the waiver or withdrawal required in Article 85 of Law
39/2015 to be able to benefit from the reduction in the amount of the penalty is
projected solely and exclusively on the actions or appeals against the penalty to be
exercised in administrative proceedings and not in judicial proceedings"); and the third
refers to a case in which the appellant acknowledged his liability in the statement of
allegations to the agreement to initiate the penalty proceedings.
On another note, it should be pointed out that the Report of the Legal Office of the
Junta de Andalucía cited in the allegations to the proposed resolution refers to the
voluntary payment of the penalty (article 85.2 of Law 39/2015) and not to the
acknowledgement of liability.
Therefore, in accordance with the applicable legislation and taking into account the
criteria for the graduation of the sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE a fine of 70,000 euros (seventy thousand euros) on MERCADONA,
S.A., with tax identification number A46103834, for an infringement of Article 12, in
relation to Article 15, both of the RGPD, as defined in Article 83.5.b) and classified as
minor for statute of limitations purposes in Article 74.c) of the LOPDGDD.
SECOND: IMPOSE a fine of 100,000 euros (one hundred thousand euros) on
MERCADONA, S.A., for an infringement of Article 6 of the RGPD, typified in Article
83.5.a) and classified as very serious for the purposes of prescription in Article 72.1.b)
of the LOPDGDD, for a fine of 100,000 euros (one hundred thousand euros).
THIRD: TO REQUIRE MERCADONA, S.A., within one month of notification of this
resolution, to bring its actions into line with the personal data protection regulations,
with the scope expressed in Ground of Law IX, and to justify to this Spanish Data
Protection Agency the fulfilment of this requirement. The text of the resolution
establishes the infringements committed and the facts that have given rise to the
breach of the data protection regulations, from which it is clearly inferred what
measures are to be adopted, without prejudice to the fact that the type of procedures,
mechanisms or specific instruments to implement them corresponds to the sanctioned
party, since it is the data controller who is fully aware of its organisation and has to
decide, based on proactive responsibility and a risk-based approach, how to comply
with the GDPR and the LOPDGDDD.
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
62/61
FOURTH: TO NOTIFY MERCADONA S.A. of this resolution.
FIFTH: To warn the sanctioned party that they must pay the penalty imposed once this
resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law
39/2015, of 1 October, of the Common Administrative Procedure of Public
Administrations (hereinafter LPACAP), within the voluntary payment period established
in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005,
of 29 July, in relation to art. 62 of Law 58/2003, of 17 December, by means of payment,
indicating the NIF of the sanctioned party and the procedure number that appears in
the heading of this document, into the restricted account number ES00 0000 0000
0000 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection
Agency at the bank CAIXABANK, S.A.. Otherwise, it will be collected during the
enforcement period.
Once the notification has been received and once enforceable, if the enforceability date
is between the 1st and 15th of each month, both inclusive, the deadline for voluntary
payment will be until the 20th of the following month or the immediately following
working day, and if it is between the 16th and the last day of each month, both
inclusive, the deadline for payment will be until the 5th of the second following month or
the immediately following working day.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be
made public once it has been notified to the interested parties.
Against this resolution, which puts an end to administrative proceedings in accordance
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of
the LPACAP, the interested parties may lodge an appeal for reversal with the Director
of the Spanish Data Protection Agency within one month of the day following
notification of this resolution or directly lodge a contentious-administrative appeal with
the Contentious-Administrative Chamber of the National High Court, pursuant to the
provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998,
of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two
months from the day following the notification of this act, in accordance with the
provisions of Article 46.1 of the aforementioned Law.
Finally, it should be noted that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final administrative decision may be suspended as a precautionary
measure if the data subject expresses his/her intention to file a contentious-
administrative appeal. If this is the case, the interested party must formally
communicate this fact in writing to the Spanish Data Protection Agency, submitting it
through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of 1 October. The documentation accrediting the
effective filing of the contentious-administrative appeal must also be sent to the
Agency. If the Agency is not aware of the lodging of the contentious-administrative
appeal within two months of the day following notification of this resolution, the
precautionary suspension will be deemed to have ended.
Mar España Martí
C/ Jorge Juan, 6
28001 - Madrid
938-100322
www.aepd.es
sedeagpd.gob.es
Director of the Spanish Data Protection Agency
63/61
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.e
