AEPD (Spain) - PS/00006/2022: Difference between revisions

From GDPRhub
(clarified the order in facts)
 
(One intermediate revision by one other user not shown)
Line 77: Line 77:
The Spanish DPA noted that it was a cross-border matter as the controller provided services in multiple EU Member States. Since the controller's main establishment was located in Spain, the Spanish DPA was the lead supervisory authority under the one stop-shop mechanism in [[Article 56 GDPR|Article 56(1) GDPR]], competent to handle the complaint.  
The Spanish DPA noted that it was a cross-border matter as the controller provided services in multiple EU Member States. Since the controller's main establishment was located in Spain, the Spanish DPA was the lead supervisory authority under the one stop-shop mechanism in [[Article 56 GDPR|Article 56(1) GDPR]], competent to handle the complaint.  


The DPA held that the controller failed to delete the data subject's account in due time, in breach of [[Article 17 GDPR]]. Moreover, the controller failed to notify the data subject once their account was deleted, in violation of [[Article 12 GDPR]].
Taking into account that the data subject submitted a total of six different erasure requests, the DPA held that the controller failed to delete the data subject's account in due time, in breach of [[Article 17 GDPR]]. Moreover, the controller failed to notify the data subject once their account was deleted, in violation of [[Article 12 GDPR]].


The DPA considered that the infringement was minor under [[Article 83 GDPR|Article 83(2) GDPR]] given several circumstances. Namely, the controller had no previous history of non-compliance, there were temporary lay-offs due to Covid-19 pandemic, the data subject sent some requests to a wrong e-mail address, the erasure had been dealt with in March 2019 even though the data subject had not been duly notified and, as soon as the controller became aware of the complaint, it informed the data subject of the deletion and modified its protocols to avoid a repetition of an incident of this nature.  
The DPA considered that the infringement was minor under [[Article 83 GDPR|Article 83(2) GDPR]] given several circumstances. Namely, the controller had no previous history of non-compliance, there were temporary lay-offs due to Covid-19 pandemic, the data subject sent some requests to a wrong e-mail address, the erasure had been dealt with in March 2019 even though the data subject had not been duly notified and, as soon as the controller became aware of the complaint, it informed the data subject of the deletion and modified its protocols to avoid a repetition of an incident of this nature.  

Latest revision as of 10:43, 13 December 2023

AEPD - AEPD PS-00006-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 12 GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started: 19.02.2019
Decided:
Published: 02.01.2023
Fine: n/a
Parties: COOLTRA MOTOSHARING, S.L.U.
National Case Number/Name: AEPD PS-00006-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa López

In an Article 60 GDPR procedure, the Spanish DPA reprimanded a controller for the failure to meet a data deletion request under Article 17 GDPR in a timely manner despite six different attempts by the data subject.

English Summary

Facts

In the process of registering for an account through the controller's website, a motorcycle sharing company, the data subject was asked for further personal information besides that already provided (driver's license and credit card details), and thus decided to delete their account. Since neither the controller's website nor the app provided for an account cancellation option, the data subject requested the deletion of all their data and payment details at the general information email address of the company.

After not receiving a response, the data subject used the customer service chat, which confirmed that the deletion of their data had been carried out. To formally register their request, the data subject was asked to email another generic mailbox, which did not accept incoming mail. The data subject then addressed the request to the controller's email address provided in the privacy policy for the exercise of data subject rights, but received no reply either. Despite all this, the data subject subsequently received various commercial messages from the controller.

On 19 February 2019, the data subject filed a complaint before the Italian DPA against the controller. On 19 October 2020, the data subject's complaint was forwarded and registered at the Spanish DPA because the controller's registered office and main establishment was located in Spain. The Spanish DPA was, therefore, the lead supervisory authority and the Italian DPA was a concerned authority for the purposes of Article 60 GDPR.

Holding

The Spanish DPA noted that it was a cross-border matter as the controller provided services in multiple EU Member States. Since the controller's main establishment was located in Spain, the Spanish DPA was the lead supervisory authority under the one stop-shop mechanism in Article 56(1) GDPR, competent to handle the complaint.

Taking into account that the data subject submitted a total of six different erasure requests, the DPA held that the controller failed to delete the data subject's account in due time, in breach of Article 17 GDPR. Moreover, the controller failed to notify the data subject once their account was deleted, in violation of Article 12 GDPR.

The DPA considered that the infringement was minor under Article 83(2) GDPR given several circumstances. Namely, the controller had no previous history of non-compliance, there were temporary lay-offs due to Covid-19 pandemic, the data subject sent some requests to a wrong e-mail address, the erasure had been dealt with in March 2019 even though the data subject had not been duly notified and, as soon as the controller became aware of the complaint, it informed the data subject of the deletion and modified its protocols to avoid a repetition of an incident of this nature.

Therefore, the DPA issued a reprimand (Article 58(2)(b) GDPR) against the controller instead of a fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/18










     File No.: PS/00006/2022

IMI Reference: A56ID 157580- Case Register 354215



                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) dated February 19, 2019

filed a claim with the Italian data protection authority. The
The claim is directed against COOLTRA MOTOSHARING S.L.U., with NIF B65874877
(hereinafter, COOLTRA). The reasons on which the claim is based are the following:

In the account registration process in the ECOOLTRA services available to

Through its web portal, the company requested information from the complaining party
after you have provided your driver's license and credit card details
credit. At that time, the complaining party decided to cancel his account. since
no way was offered to delete the profile either on the web or in the app, the part
claimant contacted COOLTRA through the email address

info@ecooltra.com and requested the deletion of all your data and payment details,
stored in their systems.

However, the company did not agree to respond to his request, and again requested the
same additional information multiple times. The complaining party resorted to the
"chat" with the Customer Service, and there they confirmed that the deletion of

their data had been realized. To formally register your request,
They urged us to send it to a mailbox, ciao@ecooltra.com, which turned out to not accept
input emails. The complaining party addressed the address rgpd@ecooltra.com,
indicated in the privacy policy for the exercise of rights of protection of
data, but received no reply either. Instead, later they have arrived

commercial messages from ECOOLTRA to your account.

The temporary description of what happened provided by the complaining party indicates what
Next:


On October 18, 2018, COOLTRA registered the claimant's account, but
requested additional information about his address and driver's license.

That same day the complaining party requested by email - no offer
no profile deletion function either on the website or through the app -
to info@ecooltra.com to delete your profile along with all your data and details of

payment stored on your website, without providing the additional information that
they had requested.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/18








On October 20, 2018, COOLTRA requested, once again, the information before
mentioned to finalize the record.


On October 21, 2018, COOLTRA requested, once again, the information before
mentioned to finalize the record.

On October 22, 2018, the complaining party requested by email - there was no
no profiling feature available either on the website or through the
application - to info@ecooltra.com that your request be granted according to your email dated 18

October 2018.

On October 28, 2018 COOLTRA requested, once again, the information before
mentioned to finalize the record.


On October 30, 2018, the complaining party requested by email - there was no
no profiling feature available on the website or through the
application - to info@ecooltra.com that your request be granted according to your emails
emails of October 18 and 22, 2018.

On October 30, 2018, the claimant contacted COOLTRA at

through the chat available on their website, in which they assured him that all his data
they had been erased. However, you were informed that your request for deletion
it should also be sent to ciao@ecooltra.com to be safe.

It seems that the emails sent to ciao@ecooltra.com are not delivered since that

account is not enabled to receive emails. The part
claimant wrote a message, once again, to info@ecooltra.com.

On November 22, 2018, the claimant received notices sent by mail
email from the COOLTRA website.


On November 23, 2018, the claimant sent an email to
rgpd@ecooltra.com - there is no delete profile feature available on the site
web or through the application - requesting according to the 'Privacy Policy' on the site
website that your profile is deleted along with all your data and payment details
stored on the website. He also attached his identification.


On December 24 and 31, 2018 and February 11 and 19, 2019, the claimant
received more announcements sent by email from the COOLTRA website.

Along with the claim, provide:


- Copy of your ID

- Copy of the COOLTRA privacy policy


- Screenshot with the aforementioned exchange of emails between the party
claimant and COOLTRA.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/18








SECOND: Through the "Internal Market Information System" (hereinafter
IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the
Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the

cross-border administrative cooperation, mutual assistance between States
members and the exchange of information, as of October 19, 2020,
transmitted the aforementioned claim and was given a date of entry registration at the Agency
Spanish Data Protection Agency (AEPD) on October 22, 2020. The transfer of
This claim to the AEPD is made in accordance with the provisions of article
56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of

04/27/2016, regarding the Protection of Physical Persons with regard to the
Processing of Personal Data and the Free Circulation of these Data (in the
hereinafter, GDPR), taking into account its cross-border nature and that this Agency
is competent to act as main control authority, since COOLTRA
has its registered office and unique establishment in Spain.


The data processing that is carried out affects interested parties in various
Member states. According to the information incorporated into the IMI System, of
in accordance with the provisions of article 60 of the GDPR, acts as
“control authority concerned” only the Italian data protection authority
data.


THIRD: On January 26, 2021, in accordance with article 64.3 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (LOPDGDD), the claim was admitted for processing
submitted by the complaining party.


FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the functions assigned to the control authorities in the
article 57.1 and of the powers granted in article 58.1 of the GDPR, and of

in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:

1. Decision adopted regarding this claim

Upon receiving this claim, the COOLTRA DPD has reviewed all the

attached documentation, has contrasted it with the affected departments within
the organization (specifically, Legal, Marketing, Costumer Service and HR), has
checked the enclosed communications and has verified the operation of the
response system to the exercise of rights of those affected.


After collecting the information, a change in the protocol has been established.
current and is that the email rgpd@ecooltra.com will be managed directly
by the DPD, being until then initially managed by the Department of
Customer Service.


2. Proof of the response provided to the request of the complaining party, regarding
to the exercise of the rights regulated in articles 15 to 22 of the GDPR



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/18








COOLTRA representatives have verified that no express response was given to
the complaining party, beyond the indications of the Costumer department
Service via chat dated October 30, 2018 that he should go to the mail

ciao@ecooltra.com.

As stated in the entity:

The complaining party sent the first claims to the address
info@ecooltra.com, not being the address indicated in the Privacy Policy (this

was rgpd@ecooltra.com). Although unsubscriptions are also managed in this email, the
The volume of communications is so high that it can happen that some of them are passed, for
it is important that the exercise of rights be done through the established channels
in the Privacy Policy that is accessible on the COOLTRA home page.
Subsequently, via chat, he was told that he could request the cancellation without problems in the

address ciao@ecooltra.com. However, the complaining party erred in
enter the email, as it put ciao@ecooltra.it. Therefore, it was never received.

The complainant's profile remained active, although it was pending verification.
However, having accepted the sending of communications related to the service
cio kept receiving them.


In the communications an almost automatic link was provided to unsubscribe,
but it was not used.

Finally, the complaining party correctly sent the email to find out

unsubscribed to rgpd@ecooltra.com on November 28, 2018, but was not attended in
due to a specific error and because the company was in full implementation
of new protocols.

Subsequently, it was detected that this email had not been answered and the Department

Marketing simply removed him from the system, without proceeding to give him a response.
put. The withdrawal was made on March 1, 2019.

On February 17, 2021, an email has been sent to the claiming party.
keep informing of the cancellation of your data.


3. Report on the causes that have motivated the incidence that has originated the
claim

The claim filed by the claimant took place in the month of October of
year 2018, year of implementation of the GDPR, and when the law was not yet in force

Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights.

The company was in a moment of full implementation of new processes,
there were still many practical doubts about how the new regulations would operate and,

although there was adequate external advice, COOLTRA still did not
he had named no DPD, something he did the following year.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/18








As the first relevant fact, it should be noted that the emails dated 18,
October 20 and 30, 2018 were all sent to info@ecooltra.com, and not by email
that was already indicated at that time in the privacy policy, which is that of

rgpd@ecooltra.com. (Previously there was also a policy stating the mail
ciao@ecooltra.com).

COOLTRA is a company that has more than 1,200,000 users, and despite the fact that
From the email info@ecooltra.com, a response is always given to users who
want to unsubscribe, it is not the channel indicated in the privacy policy to exercise

the rights of interested persons, which specifically indicates the email
rgpd@ecooltra.com since the exercises of user rights are channeled to
through a priority channel, in order to guarantee that full compliance is given
in time and form of each and every one of the requests and is answered, by
protocol, in less than 24 hours, as well as forwarded, if necessary, to the

Legal Department or DPD.

When the complaining party contacted Costumer Care and after explaining the situation,
he was instructed to send an email to ciao@ecooltra.com. This happened in
full process of implementation of data protection measures, and that the
workers had not yet received all the new organizational protocols and

security, for this reason he was provided with the old email enabled to carry out the cancellations
(ciao@ecooltra.com), which also worked, coexisting with the recently implemented
rgpd@ecooltra.com until 2020.

However, the claiming party made a mistake in the addressee and sent the email

email to ciao@ecooltra.it (.it and not .com), and therefore the address came out as
invalid. If you had sent the email to the correct address, the cancellation would have been
done right the first time.

In relation to the communications you received after requesting the withdrawal, the

Representatives of the entity state the following:

The claimant registered with a very particular service, the one that provided the
Possibility of using company mopeds parked in your catchment area
just by reserving them through the App for that purpose. By regulation, offering this
service obliges to request specific personal information, which allows not

not only verify the identity, but that the user has the corresponding permission to
driving.

That is why it is common for there to be users who have started to register,
have accepted the terms and conditions, but are in a provisional situation

because they have not sent all the documentation.

The user, when requesting the service, can accept the remission of information from
interest related to the service. In no case is indiscriminate "advertising" sent, if not
important communications for the correct execution of the service or communications

that contains objectively interesting information for the user (free kilometers,
contamination levels, etc.).



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/18








Especially at the beginning, when you have not yet submitted all the necessary information,
Communications are sent to remind you that the system has not allowed you to validate your
identity and suitability and that you are not yet an active user. In parallel, it

send communications directly related to the service (not for the sale of
alternative services of the company) or simply information of interest with the
objective of informing and retaining the user.

As the cancellation was not processed correctly and the service was subscribed to, he received some
communications (those that appear in the file, all related to the service

for which he registered), taking into account that he had accepted the same
previously and in the emails I had the clear option in the footer of
“unsubscribe”.

COOLTRA acknowledges that a mistake was made, because Ms. A.A.A. states that,

finally, he sent email correctly to rgpd@ecooltra.com and this was not
answered within the 30-day period required by law. However, the cancellation was finally
processed, specifically on March 1, 2019, the day the claimant was given
deregistration as stated in the COOLTRA user management platform.

This fact is that it was a specific error as has been verified by the company

that you have reviewed all the communications received and how they have been managed. And the
There are thousands of communications and all of them are recorded as having been managed
correctly.

During the first months of mandatory GDPR, two directions coexisted,

the ciao@ and the rgpd@. The change was not immediate, and the first months the
employees, accustomed, kept indicating the first. But this was not a
problem, because it worked correctly.

But in this case the complaining party made a mistake in the address of the ciao@ and the

address rgpd@, in tests, it was not attended in time due to not being very clear about the
receiver at that moment what should be done (almost everything was still received by ciao@).

The reality is that, with the entry into force of Organic Law 3/2018, of 5
December, and in application of the organizational and technical measures that
A clear action protocol was implemented, facilitated and improved in the event that

Any user would like to exercise their rights of access, rectification, opposition,
limitation and, where appropriate, portability or cancellation.

This protocol was implemented throughout the Department of Costumer Service, and
indicated that it was mandatory for any related application, regardless of the

channel, outside in the rgpd@, in the info@, by phone or by chat.

On the other hand, COOLTRA, to manage communications to its users, gave up
registration in an external management platform, from which the user cancellation circuit
became controlled by the marketing department, being the department

of the Costumer Service, which is in charge of forwarding the unsubscription requests of the users
to the marketing department.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/18








The entity considers that this system works perfectly since its implementation
given that the volume of cancellations and requests that are managed is enormous, and in both
years and two months of application has only failed in the case of the complaining party.


4. Report on the measures taken to prevent incidents from occurring
similar, dates of implementation and controls carried out to verify their effectiveness

COOLTRA has 1,200,000 users registered on its platform and the claim
of the claiming party is the only claim that COOLTRA has had since it

It started its activity in 2016.

With such a high number of users, the volume of unsubscribe requests is very
high: in 2018, 58,638 cancellations were processed, in 2019 66,313 cancellations and in the
year 2020 43,781 user cancellations. All this without counting the automatic cancellations

derived from the unsubscribe of the emails with information about the service.

During the month of January 2021, only in the email enabled for such
effect rgpd@cooltra.com 22 cancellations have been requested that have proceeded to be carried out in
a maximum period of 24 hours.


The Costumer Service team answers all the people who want to register
unsubscribe from the system, whether they request it from the email rgpd@cooltra.com,
as from the emails info@cooltra.com, hello@cooltra.com and
ciao@cooltra.com (specifically for Italy) and inform the department of
marketing so that the user unsubscribes from commercial communications.


The user can also unsubscribe from communications through the link of the
footer of their email. When requested through that channel, the process
It's automatic.


The entity considers that the protocols followed in COOLTRA and the measures
organizational and technical procedures established as a result of the entry into force of the LOPDGDD are
reliable since of 168,732 applications received since 2018, only one
person has filed a claim with the Data Protection Agency and
Said claim coincides with the months in which the company was

implementing all the security mechanisms so that compliance with the GDPR
and LOPDGDD were optimal.

As a result of this problem, it has been decided that it is the DPD who directly receives the
email rgpd@ecooltra.com, in order to filter those emails to which you should
Pay special attention and avoid doubts to Costumer Service and Marketing or delays

unnecessary in its management.

5. In relation to the transfer of the claim dated October 26, 2020

The representatives of the entity indicate that there are several circumstances that have

matched:

1.- First of all, we must bear in mind that COOLTRA is a company that
dedicated to renting motorcycles by the minute whose users are, in a proportion

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/18








quite important, coming from tourism, for this reason it is found in the main
European capitals.


Since the start of the SARS COVID 19 pandemic, COOLTRA has been seen
seriously affected in its sales, and has had to make a plan of
restructuring to adapt its workforce to the new world reality, resorting to
ERTES for a very important part of its workforce. This has made many
months of 2020 (and the ones we have been in 2021) the active personnel was seen, on occasions,
assuming tasks that were not his own and assuming some responsibilities that

They were not the usual ones, which undoubtedly entails malfunctions.

Even so, the Costumer Service Dept. has always remained active and the staff has
registration status almost completely, guaranteeing as always that the rights of the
affected were safe.


2.- In addition, it was decided by business on the same date (October 2020) to unify
all business lines under the same trade name "Cooltra", which includes
both the services offered by COOLTRA and by other brands and business lines
that the company has Therefore, the months from October to December 2020 were
months of structural changes, and this added to the fact that part of the employees were

in a situation of ERTE, partially collapsed certain Departments, especially the
Legal Dept.

3.- Between October 23 and 24, the DPD for companies in the
Group that had not yet registered it (previously, it was only registered in the company

Parent, which is the manager of the others, considering that the rest had no obligation
till the date).

Precisely with dates October 26-27, 2020, the same date that was issued by the
Agency the requirement not met, the DPO registrations of the rest of the

group, state and European companies.

The DPD warned the COOLTRA Legal Dept. that during the following days (between
26 and 29 October) would receive quite a few notifications from the AEPD, but they were
DPD discharge confirmations and the DPD himself was also notified, so
they would receive them and check that everything was correct.


Who is in charge of receiving official notifications in the case of COOLTRA is
***COMPANY.1, consultancy that handles COOLTRA's tax issues, since the
Most of the notifications received in this mailbox are from the AEAT.


On October 26, 2020, COOLTRA's external advisory office downloaded and forwarded to the
legal department 6 notifications in zip format from the AEPD, including
found 5 DPD discharges of those carried out the previous days and the requirement
that was not attended to and is now being answered.


The legal department when opening a pair and seeing that it was the confirmations of
discharge register that we had warned her about, she did not open any more, convinced that all
they were the same since a total of 12 were expected, and therefore he did not realize that between


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/18








the same was the claim and request for information E / 08509/2020. for that
reason the requirement went unnoticed and was not met.


Upon receipt of an email sent dated February 2, 2021 by Don
B.B.B., Data Inspector of the General Subdirectorate of Data Inspection of the
Spanish Data Protection Agency, to the email address info@cooltra.com,
Customer service proceeded to forward to the appropriate departments in
less than an hour from receipt.


This email was given the normal course, receiving the warning by the DPD for
telephone by Mr. B.B.B. and proceeding to respond to the request in time and
form.

FIFTH: On January 10, 2022, the Director of the AEPD adopted a

Proposal for a draft decision to initiate disciplinary proceedings. Following
the process established in article 60 of the GDPR, on January 12, 2022
transmitted through the IMI system this proposal for a draft decision as
informal consultation and concerned authorities were made aware that they had two
weeks from that time for comment.


SIXTH: On January 24, 2022, the Director of the AEPD adopted a project
decision to initiate disciplinary proceedings. Following the established process
in article 60 of the GDPR, that same day this
draft decision and the authorities concerned were informed that they had
four weeks from that time to raise pertinent objections and

motivated. Within the term for this purpose, the control authorities concerned shall not
presented pertinent and reasoned objections in this regard, for which reason it is considered
that all authorities agree with said draft decision and are
linked by it, in accordance with the provisions of section 6 of article 60
of the GDPR.


This draft decision was notified to COOLTRA in accordance with the established rules
in the LPACAP on February 4, 2022, as stated in the acknowledgment that
work on file.

SEVENTH: On July 20, 2022, the Director of the Spanish Agency for

Data Protection agreed to initiate a sanctioning procedure against COOLTRA in order to
issue a warning, in accordance with the provisions of articles 63 and 64 of the
LPACAP, for the alleged violation of Article 12 of the GDPR, typified in Article
83.5 of the GDPR, in which it is indicated that you have a period of ten days to present
allegations.


This start-up agreement, which was notified to COOLTRA in accordance with the rules
established in Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (LPACAP), was collected on July 21
of 2022, as stated in the acknowledgment of receipt that is in the file.


EIGHTH: Notification of the aforementioned initiation agreement in accordance with the established regulations
in the LPACAP and after the period granted for the formulation of allegations, the
has verified that no claim has been received from COOLTRA.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/18









Article 64.2.f) of the LPACAP -provision of which COOLTRA was informed in the
agreement to open the procedure - establishes that if no allegations are made

within the period provided for the content of the initiation agreement, when it
contains a precise pronouncement about the imputed responsibility, it may
be considered a motion for a resolution. In the present case, the agreement to initiate the
disciplinary file determined the facts in which the
imputation, the infringement of the GDPR attributed to COOLTRA and the sanction that could
impose. Therefore, taking into consideration that COOLTRA has not formulated

allegations to the agreement to start the file and in attention to what is established in the
Article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the
present case proposed resolution.

In view of all the proceedings, by the Spanish Agency for Data Protection

In this proceeding, the following are considered proven facts


                                PROVEN FACTS

FIRST: On February 18, 2018 at 6:27 p.m. an email was sent
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the

subject (in Italian the original) "Confirm your email" with the following text
(in Italian the original):
“Welcome to eCooltra
Press the button to confirm
CONFIRM"


SECOND: On October 18, 2018 at 6:27 p.m. an email was sent
from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in
Italian the original) “Deletion of the profile” in which you can read the following text (in
Italian the original): “I request the deletion of my profile, of all the data and of the method

payment registered on your site. Thank you, A.A.A. (…)

THIRD: On October 18, 2018 at 6:37 p.m. an email was sent
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the
subject (in Italian the original) "You are about to achieve freedom" and the message (in
Italian the original): “Now it's our turn! We are validating your data so that

you can access our website.
eCooltra and make the planet more eco-sustainable.
Can't wait and want to use the eCooltra today? Then get in
Contact us and we will check your details together at this time.
GET IN CONTACT WITH US"


FOURTH: On October 18, 2018 at 7:06 p.m. an email was sent
from the address registration@ecooltra.com to ***USER.1@gmail.com, with the
subject “[Ticket#(…)] eCooltra” and the message (in Italian the original):
Thank you for signing up! To activate your account, we need the following

information:
     Complete address: street, no., city, postal code
     Front and back photo of the current license (from which the date is shown
       until it will be valid)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/18









Since the photos uploaded to the app get confused and can't be distinguished
correctly the data according to the state, you can attach your driver's license. Tea

We ask that you register on the page attached below and provide the
certificate of your document, when you have the certificate we ask you to send it to
email so you can activate your account.

***URL.1


For any clarification, please do not hesitate to contact us!
Regards
C.C.C.”

FIFTH: On October 19, 2018 at 01:02 an email was sent

from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in
Italian the original) “Deletion of the profile” in which you can read the following text (in
Italian the original): “I request the deletion of my profile, of all the data and of the method
payment registered on your site. Thank you, A.A.A. (…)”.

SIXTH: On October 21, 2018 at 00:07 an email was sent from

the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject
(in Italian the original) "Complete your registration to start driving with us" in
which can be read the following text (in Italian the original):
"Hello!
Before you start driving, you must complete your registration. we need some

minutes of your time, so you can use eCooltra for the first time
Please check the following steps:
1. You have confirmed your email
2. You have entered the photo of your license and tax code (health card).
3. You have entered your payment details

COMPLETE REGISTRATION (…)”

SEVENTH: On October 22, 2018 at 00:07 an email was sent
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the
subject (in Italian the original) "A.A.A., there is little left" in which the following can be read
text (in Italian the original):

"Hello!
You are not far from being part of eCooltra! Remember that we need some data
so you can move around the city with our scooters.
Please check the following steps:
1. You have confirmed your email

2. You have entered the photo of your license and tax code (health card).
3. You have entered your payment details
COMPLETE REGISTRATION (…)”

EIGHTH: On October 22, 2018 at 11:52 p.m. an email was sent

from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in
Italian the original) “Fwd: Deletion of the profile” in which you can read the following
text (in Italian the original): “By continuing to receive emails, I request the
what I asked for."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/18









NINTH: On October 29, 2018 at 00:08 an email was sent
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the
subject (in Italian the original) “A.A.A., you are one step away from feeling the wind on your face”
in which the following text can be read (in Italian the original):

"Hello!
More than 3,000 electric scooters await you to move around the city.
Please check the following steps:
1. You have confirmed your email
2. You have entered the photo of your license and tax code (health card).
3. You have entered your payment details

COMPLETE REGISTRATION (…)”

TENTH: On October 30, 2018 at 3:23 p.m., the claiming party contacted
contact with http://www.ecooltra.com/ through its chat, in which it indicates that
asked several days ago about the cancellation of his profile by email, but

to date it had not happened. And again ask for its cancellation. they tell him that he is
requested but please send an email to ciao@ecooltra.com for
there is evidence that you no longer want to use the account.

ELEVENTH: On October 30, 2018 at 4:26 p.m. an email was sent
email from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with

the subject (in Italian the original) “Fwd: Delete the profile” in which you can read the
following text (in Italian the original): “I request again the deletion of my profile and
all personal data, otherwise, since the site does not allow it, I will have to
report it to the guarantor for privacy”.

TWELFTH: On November 3, 2018 at 02:24 an email was sent

email from mailer-daemon@googlemail.com to
***USER.1@gmail.com, with the subject (in English the original) "Notification of
delivery status (Failure)”, with the following text (in Italian and English the original): “There was
a problem during message delivery
at ciao@ecooltra.it. See technical details below or try submitting
new in a few minutes.

MORE INFORMATION
Response: The receiving server did not accept our connection requests. get
more information at https://support.google.com/mail/answer/7720 [ecooltra.it
37.152.88.55:generic:failed_precondition:connect error (0): error]”

THIRTEENTH: On November 5, 2018 at 09:36 an email was sent

email from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with
the subject (in Italian the original) "Re: Deletion of the profile" in which you can read the
following text (in Italian the original): “You asked me to write to ciao@ecooltra.it,
but the mailbox does not accept emails.
On Tuesday, Oct 30, 2018 at 4:26 p.m. A.A.A. wrote: [Cited text hidden]”.


FOURTEENTH: On November 23, 2018 at 04:02 an email was sent
email from the address ecooltra@email.ecooltra.com to
***USUARIO.1@gmail.com, with the subject (in Italian the original) “A.A.A., the
Black Friday and we bring you a lot of discounts!”, with advertising by COOLTRA.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/18









FIFTEENTH: On November 23, 2018 at 6:05 p.m. an email was sent
email from the address ***USUARIO.1@gmail.com to rgpd@ecooltra.com, with
the subject (in Italian the original) “Fwd: Delete the profile” in which you can read the
following text (in Italian the original): “I see that my demands have not yet been

attended. I request the immediate deletion of all my data (including the
credit card and driver's license information). I'm waiting
confirmation. Otherwise, I will feel obliged to resort to the guarantor of the
privacy. Best regards".

SIXTEENTH: On November 23, 2018 at 6:09 p.m. an email was sent

email from the address ***USUARIO.1@gmail.com to rgpd@ecooltra.com, with
the subject (in Italian the original) "Re: Deletion of the profile" in which you can read the
following text (in Italian the original): “I also attach my identity document,
as indicated in its privacy policy. In which is attached a document with the
name “<4- Carta di identita.pdf>”.


SEVENTEENTH: On December 24, 2018 at 10:01 p.m. an email was sent
email from the address ecooltra@email.ecooltra.com to
***USUARIO.1@gmail.com, with the subject (in Italian the original) “Happy green
Christmas”, congratulating Christmas.


EIGHTEENTH: On December 31, 2018 at 8:01 p.m. an email was sent
email from the address ecooltra@email.ecooltra.com to
***USUARIO.1@gmail.com, with the subject (in Italian the original) “Good news
to start 2019”, with advertising by COOLTRA.

NINETEENTH: On February 12, 2019 at 02:00 an email was sent

email from the address ecooltra@email.ecooltra.com to
***USER.1@gmail.com, with the subject (in Italian the original) “AAA, win 1,000
free minutes”, with COOLTRA advertising.

TWELFTH: On February 19, 2019 at 9:04 p.m. an email was sent
from the address ***USER.1@gmail.com to rgpd@ecooltra.com, with the subject

(in Italian the original) “Last hour: 45 min. at 9.99 EUR, buy the MiniPack here”,
with COOLTRA advertising.


                          FUNDAMENTALS OF LAW


                                          Yo
                         Competition and applicable legislation

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/18









Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions

in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."


                                            II

                                   previous questions

In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is
the processing of personal data, since COOLTRA performs
the collection and conservation of, among others, the following personal data of

natural persons: name and surname and email, among other treatments.

COOLTRA carries out this activity in its capacity as data controller, given
who is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the
GDPR. In addition, it is a cross-border treatment, since COOLTRA is
established in Spain, although it provides services to other countries of the European Union


The GDPR provides, in its article 56.1, for cases of cross-border processing,
provided for in its article 4.23), in relation to the competence of the authority of
main control, that, without prejudice to the provisions of article 55, the authority of
control of the main establishment or of the only establishment of the person in charge or of the

The person in charge of the treatment will be competent to act as control authority
for the cross-border processing carried out by said controller or
commissioned in accordance with the procedure established in article 60. In the case
examined, as has been exposed, COOLTRA has its unique establishment in
Spain, so the Spanish Agency for Data Protection is competent to

act as the main supervisory authority.

For its part, the right to delete personal data is regulated in article
17 of the RGPD and the modalities of exercise of the rights of the interested parties are
detailed in article 12 of the GDPR.


                                            II
                                  Right of erasure

Article 17 “Right to erasure (“the right to be forgotten”)” of the GDPR establishes:


"one. The interested party shall have the right to obtain without undue delay from the person responsible for the
treatment the deletion of personal data that concerns you, which will be
obliged to delete without undue delay the personal data when any
of the following circumstances:
       a) the personal data is no longer necessary in relation to the purposes for which

       those that were collected or otherwise treated;
       b) the interested party withdraws the consent on which the treatment of
       in accordance with Article 6(1)(a) or Article 9(2),
       letter a), and this is not based on another legal basis;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/18








       c) the data subject opposes the processing in accordance with article 21, paragraph 1,
       and no other legitimate reasons for the treatment prevail, or the interested party
       object to the processing pursuant to Article 21(2);

       d) the personal data have been unlawfully processed;
       e) the personal data must be deleted for the fulfillment of a
       legal obligation established in the Law of the Union or of the States
       members that applies to the data controller;
       f) the personal data have been obtained in connection with the offer of services
       of the information society mentioned in article 8, paragraph 1.

(…)
3. Sections 1 and 2 will not apply when the treatment is necessary:
a) to exercise the right to freedom of expression and information;
b) for compliance with a legal obligation that requires data processing
imposed by the law of the Union or of the Member States that applies to the

responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the person responsible;
c) for reasons of public interest in the field of public health in accordance with
Article 9, paragraph 2, letters h) and i), and paragraph 3;
d) for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89(1), to the extent that

the right indicated in paragraph 1 could make it impossible or hinder
seriously impair the achievement of the objectives of such treatment, or
e) for the formulation, exercise or defense of claims.”

In the present case, it is clear that the complaining party had requested COOLTRA the

deletion of your personal data on numerous occasions.

                                            IV.
                        Exercise of the rights of the interested party


Article 12 "Transparency of information, communication and modalities of
exercise of the rights of the interested party" of the GDPR establishes:

"one. The person in charge of the treatment will take the appropriate measures to facilitate the
interested all information indicated in articles 13 and 14, as well as any
communication pursuant to articles 15 to 22 and 34 relating to processing, in the form

concise, transparent, intelligible and easily accessible, with clear and simple language, in
particular any information directed specifically to a child. Information
shall be provided in writing or by other means, including, if applicable, by
electronics. When requested by the interested party, the information may be provided
verbally as long as the identity of the interested party is proven by other means.

2. The person responsible for the treatment will facilitate the exercise of their rights by the interested party.
under articles 15 to 22. In the cases referred to in article 11, paragraph
2, the person in charge will not refuse to act at the request of the interested party in order to exercise
your rights under articles 15 to 22, unless you can show that you do not
is in a position to identify the interested party.

3. The person responsible for the treatment will provide the interested party with information regarding their
proceedings on the basis of a request under articles 15 to 22, without
undue delay and, in any case, within one month of receipt
of the request. This period may be extended by another two months if necessary,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/18








taking into account the complexity and number of requests. The responsible
will inform the interested party of any of said extensions within a period of one month from
from receipt of the request, indicating the reasons for the delay. when the

interested party submits the application by electronic means, the information will be provided by
electronic means when possible, unless the interested party requests that it be
facilitate otherwise.
4. If the person responsible for the treatment does not process the request of the interested party, he will
will inform without delay, and no later than one month after receipt of the
application, the reasons for not acting and the possibility of presenting a

claim before a control authority and take legal action. (…)”

In the present case, it is clear that the complaining party requested the deletion of his account
and your personal data up to 6 times. The last one on the 23rd of
November 2018. And just on February 17, 2021 COOLTRA has sent a

email to the complaining party informing him of the cancellation of his data,
after receiving a request for information from this Agency, together with
the corresponding claim. However, it was not until March 1, 2019 that
COOLTRA removed the personal data of the claimant from its
systems.


Therefore, according to the evidence available at this time
resolution of the disciplinary procedure, it is considered that the known facts
are constitutive of an infraction, attributable to COOLTRA, for violation of the
Article 12 of the GDPR, in conjunction with Article 17 of the GDPR.


                                           V
                 Classification of the infringement of article 12 of the GDPR

The aforementioned infringement of article 12 of the GDPR supposes the commission of the infringements
typified in article 83.5 of the GDPR that under the heading "General conditions

for the imposition of administrative fines” provides:

Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for

the highest amount:
       (…)
       b) the rights of the interested parties in accordance with articles 12 to 22; (…)”

In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that:


"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.


For the purposes of the limitation period, article 72 "Infractions considered very
serious” of the LOPDGDD indicates:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/18








"one. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the

following:
(…)

       k) The impediment or the obstruction or the repeated non-attention of the exercise
       of the rights established in articles 15 to 22 of Regulation (EU)
       2016/679. (…)”.


                                          SAW
                  Penalty for violation of article 12 of the GDPR

Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation provides

in section 2.b) of article 58 "Powers" the following:

"Each control authority will have all the following corrective powers
indicated below:
       (…)
       b) send a warning to any person in charge or person in charge of the treatment

       when the processing operations have infringed the provisions of the
       this Regulation; (…)”

For its part, recital 148 of the GDPR indicates:


“In the event of a minor infraction, or if the fine likely to be imposed
constitutes a disproportionate burden on a natural person, rather than
sanction by means of a fine, a warning may be imposed. should however
special attention should be paid to the nature, seriousness and duration of the infringement, to its
intentional nature, to the measures taken to alleviate the damages suffered,

to the degree of responsibility or any relevant prior infringement, to the manner in which
that the supervisory authority has become aware of the infringement, to compliance
of measures ordered against the person in charge or in charge, to adherence to codes of
conduct and any other aggravating or mitigating circumstances.”

According to the evidence available at the present time of

disciplinary procedure resolution, it is considered that the offense in question
is slight for the purposes of article 83.2 of the GDPR given that in the present case,
taking into account that there is no record in this Agency of COOLTRA for not
having duly attended to a right of deletion, to the circumstances so
exceptional circumstances that were the cause of such request not having been duly

attended, to the fact that the complaining party sent some of its requests to an address
email that was not indicated in the privacy policy
corresponding, to the fact that the deletion had been addressed in March 2019 although it did not
had been duly communicated to the complaining party and that, as soon as it had
knowledge of the claim, COOLTRA notified the claimant of the withdrawal

and modified its protocols to prevent an incident of these characteristics from being
repeat, it can be considered a reduction of guilt in the facts, so it is
considers it in accordance with the law not to impose a sanction consisting of an administrative fine
and replace it by directing a warning to COOLTRA.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/18











Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: ADDRESS COOLTRA MOTOSHARING S.L.U., with NIF B65874877, for

an infringement of Article 12 of the GDPR, typified in Article 83.5 of the GDPR, a
warning.

SECOND: NOTIFY this resolution to COOLTRA MOTOSHARING S.L.U.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

In accordance with the provisions of article 60.7 of the GDPR, this information will be
resolution, once it is final, to the control authorities concerned and to the Committee

European Data Protection.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the

Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-

web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the

Notification of this resolution would terminate the precautionary suspension.


                                                                               938-181022
Mar Spain Marti
Director of the Spanish Data Protection Agency




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es