AEPD (Spain) - EXP202305050: Difference between revisions
No edit summary |
m (Ar moved page AEPD (Spain) - AEPD 00204-2023 to AEPD (Spain) - EXP202305050) |
(No difference)
|
Latest revision as of 10:44, 13 December 2023
AEPD - AEPD 00204-2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 02.08.2023 |
Fine: | 20,000 EUR |
Parties: | QUALITY-PROVIDER S.A. |
National Case Number/Name: | AEPD 00204-2023 |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Confirmed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | João Pedro Teixeira |
The Spanish DPA imposed a fine of €20,000 on a data services company that refused to grant access to its premises for an on-site inspection, in breach of Article 58(1) GDPR.
English Summary
Facts
QUALITY-PROVIDER S.A, the controller, provides data services and processes personal data as part of its core activities. The Spanish DPA, prompted by a data subject's complaint, initiated proceedings to investigate alleged violations of the GDPR in relation to activities carried out through the controller's website. During the investigations, the DPA requested the controller to provide some information and documents relating to the investigated facts.
However, the controller refused to provide the information, claiming that the request did not include a copy of the data subject's national identity card, which prevented it from reliably identifying the person and the data concerned.
Then, the DPA decided to carry out an on-site inspection and informed the controller that its representatives should cooperate with the inspectors, facilitating access to the files.
Again, the controller refused to comply with the request, arguing that: a) the Spanish DPA was not competent for the inspection and was not a public body like the other European supervisory authorities; b) the Director of the Spanish DPA could not initiate the proceedings as the position had been extinguished by a decree; c) that Spain had not transposed Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law and that this directive should have been applied directly. Moreover, the controller stated that it would record the inspection and expose the recording in court.
Holding
The DPA recalled that Article 51(1) GDPR stipulates that each Member State must establish one or more independent public authorities responsible for monitoring the application of the GDPR and that, in Spain, one of these authorities is the AEPD. Also, according to Article 58(2) GDPR and the provisions of the LOPDGDD, the Director of the Spanish DPA is competent to initiate and resolve this procedure.
As for the decree that extinguished the position of Director of the AEPD, the DPA clarified that the General Sub-Directorate for Data Inspection is the equivalent body in its organic structure and maintains its powers.
Finally, the DPA pointed out that the main objective of the Directive (EU) 2019/1937 was to guarantee that employees could denounce infringements in the context of work, which was not the case.
After rejecting all the aforementioned arguments, the DPA held that the controller ilegally prevented it staff from having access to the personal data, information, premises, equipment and means of processing, which was necessary for the exercise of its investigative powers.
Therefore, the DPA found a violation of Article 58(1) GDPR and issued a fine of €20,000 on the controller. When determining the ammount of the fine, the DPA took into account the degree of intentionality of the offence, as provided for by Article 83(2)(b) GDPR, and also the link between the company's activity and the processing of personal data, as provided for by Article 76(2)(b) GDPR.
Comment
The controller appealed the decision, but the appeal was dismissed by the DPA. In short, the DPA understood that the controller did not provide new facts or legal arguments that would allow the reconsiderarion of the decision. This decision can be found at: https://www.aepd.es/es/documento/reposicion-ps-00204-2023.pdf.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 File No.: EXP202305050 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: As a consequence of a claim filed with the Spanish Agency of Data Protection against QUALITY-PROVIDER S.A. with NIF A87407243 (in hereinafter, QUALITY) as the owner of the Inglobaly.com portal, appreciating signs of a possible non-compliance with the provisions of Regulation (EU) 2016/679 (Regulation General of Data Protection, hereinafter RGPD), proceedings were initiated with file number EXP202213771. In accordance with the provisions of article 65 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (LOPDGDD hereinafter), the claim was transferred to the person in charge or to the Delegate of Data Protection that in his case has been designated, requesting him to send to this Agency the information and documentation indicated. In response to this request for information, QUALITY, by registered writing of entry dated January 3, 2023 and registration number REGAGE23e00000616695, states that she is unable to provide the information related to file EXP202213771 since the complaining party does not provide a photocopy of the national identity document for the purposes of power identify it, which prevents them from knowing and reliably identifying which person physics it is about and, therefore, know what data it is about. On February 21, 2023, the claim was admitted for processing, having Three months have elapsed since it entered this Agency. SECOND: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the investigative powers granted to the authorities of control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter GDPR), and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD. Within the framework of the investigation actions, QUALITY was informed that Inspectors from the Spanish Data Protection Agency would appear at its headquarters dated March 27 to carry out an inspection visit, considering the presence of representatives of the entity is essential, in order to collaborate in the inspection, as well as facilitate access to their files. Bliss The communication was registered on March 15, 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/18 THIRD: The communication of the inspection visit, which was notified in accordance with the norms established in Law 39/2015, of October 1, on the Procedure Common Administrative Office of Public Administrations (hereinafter, LPACAP), was collected by QUALITY on March 15, 2023, as stated in the acknowledgment of receipt that works in the file. FOURTH: QUALITY, by registered writing of entry dated March 22, 2023 and with registration number REGAGE23e00018591646, informs that the The administrator of the company is subject to the right not to declare and that both he and the Legal Department of the company, will attend the call on March 27 of 2023 at 10 a.m., at its registered office at Calle Goya 18 and that they will not allow the entrance to the residence of the inspectors of this Agency. This refusal is based on Royal Decree 389/2021, of June 1, which approves the Statute of the Spanish Data Protection Agency (hereinafter RD 389/2021), specifically in the sole additional provision that suppresses the following governing bodies: a) The director of the Spanish Data Protection Agency. b) The General Data Protection Registry. c) Data Inspection. As well as in the Sole Repealing Provision and the Sole Final Provision by which Royal Decree 428/1993, of March 26, which approves the Statute of the Spanish Agency for Data Protection and its entry into vigor. It argues that the preamble to RD 389/2021 establishes that the AEPD will have its own legal personality and full public and private capacity and that, observing the homonyms of the rest of the European Organizations, all are defined as public entities only, for which reason this Agency is classified as a semi-public-private company, affirming that there is no legal or private security. In the same way, it affirms that the Government and this Agency have not proceeded to transpose Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23 of 2019 on the protection of persons who report violations of the Law of the Union, which is directly applicable and prevails over any Law and Royal National Decree. Likewise, they request the identification and accreditation of the inspectors with their names, surnames and supporting National Identity Documents as a condition for that they be attended, in order to be able to challenge them and take measures against them, in case of lack of respect and education. It also accuses this Agency of systematically breaking the Law. Finally, it warns that this Agency is not going to access any data and they are not going to provide any information. It also informs that all collaboration exhibited in court and warns in advance that the access of inspectors to the company's registered office and they will be recorded. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/18 FIFTH: QUALITY is the owner of the Inglobaly.com portal, through which it carries out personal data processing activities. SIXTH: According to the report collected from the AXESOR tool, the entity QUALITY-PROVIDER S.A. is an SME (Microenterprise), established in 2015, and with a business volume of 558,381 euros in the year 2021. SEVENTH: On May 24, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanction proceedings against QUALITY, in accordance with to the provisions of articles 63 and 64 of Law 39/2015, of October 1, of Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 58.1 of the GDPR, typified in the Article 83.5 of the GDPR Regulation (EU) 2016/679 (General Regulation of Data Protection, hereinafter GDPR). EIGHTH: The aforementioned initiation agreement was collected by QUALITY on May 26 of 2023, as stated in the acknowledgment of receipt that is in the file. NINTH: Dated June 6, 2023 and entry registration number REGAGE23e00036059423, QUALITY presents a written statement of allegations to the start. As a preliminary allegation, it states that there is an inadequacy of the procedure initiated by the Spanish Data Protection Agency for the processing of this file. Remember that, on December 17, 2019, Directive (EU) 2019/1937, of the European Parliament and of the Council, entered into force October 23, 2019, regarding the protection of people who report on infringements of Union Law and that it recognizes explicit and positive about what Union Law is. It also points out that said Directive directly modifies Directive 2002/58/EC of the European Parliament and of the Council, of July 12, 2002, regarding the treatment of personal data and the protection of privacy in the information sector electronic communications and the GDPR and delimits the scope of competences related to to Union Law, establishing as the Union's own sovereignty the scope of personal data and, therefore, the GDPR, establishing a procedure different and distinct from the one initiated by this Agency. It goes on to state that the most significant implications of this Directive are which, first of all, creates a system of conflict resolution and simplification different administrative; and, secondly, its entry into force makes obsolete the LOPDGDD, which should have been adapted from the moment it entered into Directive (EU) 2019/1937 is in force. This means that any procedure relating to data protection must be carried out in accordance with the procedure imposed by said Directive and, therefore, through ASPERTIC/VIADENUNCIA, which in January of 2020 notified the European Commission that it would constitute a mailbox for complaints external for the purposes of the Directive. It affirms in the same way that the provision made by the Directive, regarding the integration of the matter of data protection in the field of competences of the national authority of the Law of the Union, also comes to empty of competence to state agencies and institutions, such as the Spanish Agency for the Protection of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/18 Data, for the purpose that said faculties become part, total or partially, from the scope of competences of the national institution or authority competent, as designated by the Union in its Directive (EU) 2019/1937, which must carry out and perform the functions provided for in the aforementioned Directive. Lastly, it reports that QUALITY has adapted to said Directive and considers that there is an inadequacy of the procedure initiated, as well as a manifest incompetence of the Spanish Data Protection Agency for the processing of this procedure, for which he requests that he declare himself incompetent and withdraw from his processing. As the first and only allegation, he declares that he does not have anyone's personal data, that Up to now, the AEPD has not been able to demonstrate the data or files that belong to QUALITY and who persists in something that he has not been able to demonstrate, being demonstrated its lack of legal rigor and transparency. Next, QUALITY asserts that the Director of the Spanish Agency for Data Protection signs the Agreement to initiate this file illegally and irregular since his position, already expired, disappears irreversibly with the Royal Decree 389/2021, of June 1, which approves the Statute of the AEPD, have been appointed in 2015, have a term of 5 years and have not been revoked from his position or re-elected, exercising his position in fraud of the Law. above, concludes that the Director cannot sign any requirement, agreement or sanction until the appointment of a successor and not having rectified the Real Decree leaves this Agency unfit. With respect to the obstruction of the inspection activity, QUALITY maintains that said obstruction has not existed because section c) of the aforementioned Royal Decree 389/2021, of June 1, suppresses the Data Inspection. In addition, it affirms that the AEPD is persecuting them and they want to prepare non-existent tests through the illegality. They allege that on March 27, the inspectors did not appear because they knew that would be recorded and their alleged continued infractions would be demonstrated and the outrages committed up to now by this Organism. QUALITY exposes that, despite having previously warned that they would not be at our disposition that day, dated March 15, 2023, two inspectors of the Spanish Agency for Data Protection at its headquarters for the purpose to carry out an inspection. As for March 27, 2023, they continue, no inspector from this Agency appeared at its registered office, after warning that both the Administrator of the company as well as its Legal Department would attend the call and not would allow Agency inspectors to enter the home. re-insure that this failure to appear was due to fear of being recorded and knowing what they would commit an offense or offence. In addition, they reiterate that they do not own files or data therefore it would be impossible to collaborate with this Agency, that this Agency is not competent to carry out any inspection because its functions are suppressed and that there have been no tests related to previous complainants who have been C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/18 refused to identify themselves before QUALITY, as well as that they have not read written and for this reason, this Agency has not been able to contradict them in their allegations and evidence. Finally, QUALITY states that, according to the LPACAP, the resolution has been communicated outside the period of six months allowed by said rule and appointment various articles of this, to conclude by requesting that the previous allegation be upheld and, secondarily, in case of being rejected, proceed to file the file sanctioning. TENTH: On June 16, 2023, a resolution proposal was formulated, in the that it was proposed that the Director of this Agency sanction QUALITY for an infringement of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, with a fine of €20,000.00. This proposed resolution was notified reliably to the claimed party. ELEVENTH: Dated June 28, 2023 and entry registration number REGAGE23e00042424332, QUALITY presents a brief of allegations to the Proposal resolution. As a previous allegation, it is ratified in all manifestations set forth in previous writings. Regarding the response of this Agency referring to the statement of QUALITY that Director's position has expired, QUALITY says it has been unable to find SAN 5570/2022, of December 9, 2022 within the CENDOJ. Besides, QUALITY reproduces the sole article and the sole repealing provision of the Royal Decree 389/2021, of June 1, which approves the Statute of the AEPD, as well as as sections 1, 2 and 3 of article 3 of the Statute of the AEPD. With this argues that, in order for this Agency to continue exercising its functions, First, an acting president had to have been appointed or else power was extended to the Director, whose position, they reiterate, was abolished. Additionally, QUALITY reproduces article 38 of the AEPD Statute on incompatibilities of the staff of the Spanish Data Protection Agency and says have evidence and data. It also reproduces article 53 of the GDPR, on conditions applicable to the members of the supervisory authority, after which it says that "It is curious that Doña Mar España Martí was irregularly appointed by the government in your case, we are in the case, that the Supreme Court and the Union Union, specifically, the European Committee itself, have not allowed the appointment as they did with you, of the new president for being incorrect and irregular". Likewise, QUALITY indicates that Organic Law 15/1999, of December 13 is repealed in all its articles by the RGPD and the LOPDGDD. QUALITY returns to insist that the charges have been dropped, as well as the Data Inspectorate, arguing that, consequently, the entire new statute of the AEPD depends on the new President to be appointed, but the position of Director has been abolished. On the other hand, QUALITY points out that in Fundamental II we tell them that the procedure will have a maximum duration of twelve months from the date of Commencement agreement while in the file with number EXP202300740 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/18 We inform you that this procedure will have a maximum duration of nine months. from the date of your Initiation Agreement. QUALITY argues that, due to existing inconsistencies, believes it is better to be guided by the LPACAP, Law 40/2015, of 1 October, of the Legal Regime of the Public Sector and its development provisions, without prejudice to the specialties of the disciplinary procedure, of which QUALITY deduces that the procedure will expire after six months from its initiation without notification of the resolution. QUALITY also reproduces article 42 of the LOPDGDD that develops the cases subject to prior authorization from the data protection authorities, in which, in its first section, it establishes the procedure related to transfers international for a maximum duration of six months. It also reproduces the articles 48, on the Presidency of the Spanish Data Protection Agency, and 75, on interruption of the prescription of the infraction, of the aforementioned LOPDGDD. Furthermore, QUALITY asserts that, during these proceedings, it has reiterated on various occasions that it does not have personal data from anyone and that this Agency does not has been able to demonstrate up to now which data or files belong to it, leaving thus demonstrated its lack of legal rigor and transparency. Regarding the signature of the Director of this Agency, QUALITY insists that her position disappears irreversibly with Royal Decree 389/2021, of June 1, by the that the Statute of the AEPD is approved. He affirms that his position, which lasts determined of five years, has expired, therefore, the license must be revoked. position and later re-elected, but that none of this has occurred. The date of termination is on July 24, 2020 and, since there have been no re-election or publication in the BOE, they add, is exercising his position in fraud of Law. Consequently, they conclude, he cannot sign any requirement or sanction some. Along these lines, QUALITY adds that, in order to continue exercising his position, the Government, should have been modified in a subsequent Royal Decree, which has not carried out, the extension of the position of Mar España Martí, and it has not been published said extension of the charge, therefore, understands QUALITY that it is still valid with all its consequences Royal Decree 389/2021, of June 1. It goes on to point out that said Royal Decree 389/2021, of June 1, annuls the position of Director and therefore, it has expired and its signature lacks legitimate value, not The Director may sign sanctions and agreements for having been removed from office, there being an alleged fraud of law, by not being able to sign documents until the appointment of a successor, leaving this body incapable and affirming that it is a proven fact that has not been discussed by the AEPD, nor questioned, making a erroneous interpretation of the new statute of the AEPD. It also argues that the ECHR condemns Spain and makes it ugly for the "unjustified and prolonged breach of the law" for not renewing the CGPJ and QUALITY maintains that “The European Court of Human Rights affirms that the consequences derived of the dysfunction in the renewal of the General Council of the Judiciary are enormous with regard to the ordinary functioning of the judiciary and that there is a chain of disturbances throughout the judicial system.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/18 It uses the same way as SAN 5570/2022, of December 9, 2022 cited in the Proposal for a resolution of this disciplinary procedure, "demonstrates the erroneous application and interpretation of the Judge who dictates it" because, as he affirms, it is a "judgment caught with tweezers" and suffers from "lack of legal argumentation" that is not may apply in this proceeding because it lacks effective judicial protection. Thus, it concludes that "the charges expired and suppressed in the Royal Decree 389/2021, of June 1, cannot be in force until the new one is elected. President of the AEPD, if they are not re-elected and said communication is published in the BOE, a fact that has not been carried out by the government. Before this sentence that is of direct application, an interim president must be appointed until the new definitive appointment, therefore, Doña Mar España Martí must cease in her functions immediately and present his resignation”. Regarding the obstruction of the inspection performance, QUALITY denies said obstruction because it affirms that there is no inspection action, that the AEPD persecuted and they want to prepare non-existent evidence through illegality, insisting that the inspectors of this Agency did not appear on the 27th of March, because they are not authorized and because they knew they would be recorded and demonstrate their alleged continued infractions and the infraction/crime that they would commit They also point out that they do not own files or data, so that it is impossible for them to collaborate with this Organism. They continue their allegations pointing out the lack of motivation in the assessment of the sanction. Thus, QUALITY considers that the application of Article 83.2.b) of the GDPR, on the intentionality or negligence in the infringement, lacks substantiation legal since negligence is not demonstrated nor what was the intentionality on the part of QUALITY when attending the meeting on March 27. Below, QUALITY reproduces article 53.1.c) and g) of the LPACAP, relating to the rights not to present original documents and to act assisted by an advisor when they deem it convenient in defense of their interests, and insists that they only defend their rights and interests and that this Agency is not entitled to perform any data inspection since its functions are suppressed. Regarding the duration of the procedures, QUALITY once again refers to the LPACAP, specifically article 21, which determines the obligation to issue express resolution and notify it within the maximum term set by the regulation governing the corresponding procedure, a term that may not exceed six months unless a norm with the rank of Law establishes a higher one or so is provided for in the Law of the European Union. QUALITY also alleges a lack of motivation on the part of this Agency. So, name the article 35 and reproduces article 87, on complementary actions, of the LPACAP, and requests the corresponding complementary actions, because, according to what he says, "it is not proceeded by said Agency, for all this, this part is in a lack of protection of rights, committed by the instructor of the case. All this leads to nullity and filing of actions, therefore, you have to proceed to File of the Present Sanctioning Procedure.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/18 QUALITY reproduces article 63.3. of the LPACAP, according to which it will not be possible to initiate new procedures of a sanctioning nature for acts or conduct classified as as offenses in which the offender persists continuously, as long as there has not been a first sanctioning resolution, with an executive nature. It also reproduces Article 74 of the LPACAP, according to which matters incidental that arise in the procedure, including those that refer to the nullity of actions, will not suspend the processing of this, except for the challenge. QUALITY says that the AEPD Inspectors, by not showing up or being able to identify them on March 27, they deprived him of the reason for recusing them or well to one of them. Therefore, it concludes, there was a violation of rights fundamental. Next, it reproduces article 47.1.a), e) and g), according to which they are null and void right the acts of the Public Administrations that harm the rights and liberties susceptible to constitutional protection, the dictates disregarding totally and absolutely of the legally established procedure or of the norms that contain the essential rules for the formation of the will of the organs collegiate and any other that is expressly established in a provision with law rank. In this regard, QUALITY points out that "This part adds the constant persecution for the AEPD against QUALITY, have not shown that it is the owner of any file, it is initiate procedures for the protection of rights for requesting the accreditation of whoever performs said acts, following the instructions of the European Regulation of Data Protection and this Agency unjustifiably dedicates itself to skipping the Law and apply the Laws according to their interests.” QUALITY then reproduces article 48.3 of the LPACAP, according to which the performance of administrative actions outside the time established for them only will imply the annulment of the act when so imposed by the nature of the term or term, as well as article 86 of the GDPR. Finally, QUALITY points out that the CJUE 02/25/2021 condemns Spain to pay 15 million for failing to transpose a directive on time. Upon expiration of the period set in the reasoned opinion of the Commission, he continues, Spain had not adopted the measures necessary to guarantee the transposition of the directive nor communicated said measures. For all of the above, QUALITY requests that this file be archived disciplinary action and that they be notified of said file in its entirety. TWELFTH: Dated July 10, 2023 and entry registration number REGAGE23e00046234948, QUALITY, upon receipt of the requested copy of this file, presents a new brief of allegations to the Proposed resolution of the this file in which, first of all, everything stated in its previous registered writing of entry in this Agency on June 28, 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/18 Secondly, QUALITY insists that the Director must present immediate resignation and dismissal, referring again to the sentence of the ECtHR to Spain in the face of the "unjustified and prolonged breach of the law" for not renewing the CGPJ, which, according to QUALITY, ratifies his argument and produces a lack of judicial protection effective. Thirdly, QUALITY claims to be surprised that the name of the company now appears claimant and accuses this Agency of attempting, fraudulently, "in a case that we are discussing obstruction of the inspection performance (deleted), introduce the case of this Lady, as an excuse”. Therefore, it requests that, automatically and ex officio, "said Lady be removed" from this procedure. Once again, QUALITY demands that all files be canceled sanctions or in progress by this Agency against him, when meeting, reiterates, signed by a director whose position is suspended by Royal Decree 389/2021, of June 1, which approves the Statute of the AEPD. Fourthly, QUALITY refers to news related to the sanction imposed by this Agency to CaixaBank for providing a mother, who did not identify herself, data on your daughter's account. He considers it contradictory that CaixaBank is sanctioned for not request the accreditation of the DNI and they themselves do it, appreciating that the sanction between the two cases is not proportional. Finally, QUALITY requests that this file be filed disciplinary action, proceed immediately and ex officio to the suspension of all open and penalizing procedures by this Agency, for lacking, it says, signature authorized by the Director, having her position suppressed and expired. In view of all the proceedings, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: The communication to QUALITY of the inspection visit by Inspectors from the Spanish Data Protection Agency to its registered office, to which we refer to in the second and third precedents, was notified in accordance with the provided in the LPACAP on March 15, 2023. SECOND: On March 22, 2023, QUALITY communicates in writing that it does not will allow the inspectors of this Agency to enter, expressing their refusal to allow this Agency to access any data and to provide any information. THIRD: Notification of the agreement to start this procedure sanction was collected by QUALITY on May 26, 2023. FOURTH: QUALITY has submitted allegations to the agreement to initiate this disciplinary procedure included in the ninth antecedent. FIFTH: Notification of the proposed resolution of this procedure sanction was collected by QUALITY on June 16, 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/18 SIXTH: QUALITY has submitted allegations to the proposed resolution of this sanctioning procedure collected in the eleventh and twelfth records. FUNDAMENTALS OF LAW Yo Competence In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, The Director of the Agency is competent to initiate and resolve this procedure Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Arguments to the initiation agreement In response to the allegations presented by QUALITY, it should be noted that following. In the first place, regarding the so-called prior allegation by QUALITY, related with Directive (EU) 2019/1937, it should be noted that article 1 thereof states which aims to strengthen the application of Union law and policies in specific areas by establishing common minimum standards that provide a high level of protection for persons reporting on infringements of Union Law, the scope of personal application being the collected in its article 4 where it is limited to complainants who work in the private or public sector and who have obtained information about violations in a job context. Likewise, in its article 17 it is stated that all processing of personal data carried out in application of this Directive, including the exchange or transmission of personal data by the competent authorities, will be carried out in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680. Thus, the main objective of this Directive is to protect those who denounce infractions or irregularities in a company through a specific channel without there are reprisals. For its part, the first paragraph of article 1 of the GDPR states that the Regulation establishes the rules relating to the protection of natural persons in what regarding the processing of personal data and the rules relating to the free circulation of such data. It adds its second section that protects the rights and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/18 fundamental freedoms of natural persons and, in particular, their right to Protection of personal data. With regard to the material scope of the GDPR, it is limited to the stipulated in its article 2 where it is specified in its first section that it is of application to the totally or partially automated processing of personal data, as well as well as the non-automated processing of personal data contained or intended for be included in a file. Furthermore, article 51.1 of the GDPR stipulates that each Member State establish that it is the responsibility of one or more public authorities (hereinafter "control authority") supervise the application of the this Regulation, in order to protect the rights and freedoms rights of natural persons with regard to processing and to facilitate the free circulation of personal data in the Union, developing the functions of each control authority in its article 57. For its part, the LOPDGDD in its article 47 establishes the functions and powers of the Spanish Agency for Data Protection, among which is to supervise the application of the GDPR and Title VIII regulates the procedures in case of Possible violation of data protection regulations. Therefore, Directive (EU) 2019/1937, contrary to what was stated by QUALITY, does not modifies the GDPR or makes the LOPDGDD obsolete, but rather it is a rule with an object and scope of application clearly different from that of the GDPR and, therefore, from the LOPDGDD. Thus, what was alleged by QUALITY regarding the inadequacy of the procedure initiated by the Spanish Data Protection Agency for the processing of this file, is completely without foundation. Next, it indicates as the first and only allegation that it does not have personal data from anyone, accusing the AEPD of a lack of legal rigor and transparency. In this regard, points out that the alleged infraction for which this disciplinary procedure is initiated It is not related to the legitimacy of the possible treatments that you can carry out, but with the hindrance so that this Agency can exercise the powers of investigation recognized by article 58.1 of the GDPR and 53.1 of the LOPDGDD, as It is developed in the motivation of the initiation agreement. On the other hand, the activity of QUALITY's processing of personal data is accredited in resolutions signatures of this Agency, such as the sanction procedure EXP202103457. The following argument used by QUALITY focuses on the expiration of the charge of the Director of the Spanish Data Protection Agency. Well, the SAN 5570/2022, of December 9, 2022, already extensively analyzes this matter, ruled the following: "Exposed the positions of the parties, we must start from article 53, section 3, of the GDPR, insofar as it indicates that the members of the control authority "will consider terminated their functions in case of termination of the mandate, resignation or retirement compulsory, in accordance with the law of the Member State concerned". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/18 In the internal sphere, article 36.1 of Organic Law 15/1999, of December 13 (LOPD), which is the legislation in force when the appointment of the Director of the AEPD, establishes that the Director of the AEPD will be appointed by Royal Decree, for a period of four years and section 3 of the same precept, indicates that before the expiration of said period, the Director of the AEPD will only cease, at their own request or by separation agreed by the Government for serious non-compliance obligations, supervening incapacity for the exercise of his function, incompatibility or conviction for an intentional crime. In other words, after that 4-year term has elapsed, the Government can dismiss the Director without necessity of cause, but this does not imply that when that term expires his position automatically ceases to be effective and to have any functions or competence, since that does not expressly result from the aforementioned LOPD, nor from the Organic Law 3/2018. of December 5 (LOPDCDD), in its art. 48 regarding the Presidency of the AEPD. This has been understood and has been done by all the governments that proceed to cease expressly to the Directors of the AEPD by Royal Decree, even when their term of appointment had expired, without their positions ceasing to have effectiveness, in office, until their respective terminations and contemporaneous appointments of his successors in office, to avoid gaps in the institution. This obeys the principles of responsibility and continuity of the institutions, to prevent the institution from being rendered inoperative when the Appointment of a new person. The legislator could have expressly established the automatic forecast of decay of the position, that is, that the effectiveness in the position ceases in the same time of compliance with the deadline, but it has not done so either in the LOPD or in the current LOPDGDD, nor in RD 389/2021, of June 1, 2021, by which the new Statute of the AEPD is approved, which precisely in article 12.3 establishes "the incumbent person of the outgoing Presidency will continue in office until the inauguration of the new person holding the Presidency", without establishing any limitation regarding the exercise of their functions or powers during the period in office, which was not established in the previous regulations either. Therefore, not having established limitations to the performance of the Director of the AEPD in office, unlike what, by way of example, happens in the article 21.2 of Law 50/1997, of November 27, of the Government, which establishes that the Government "continues in office until the inauguration of the new Government, with the limitations established in this Law", the Director of the AEPD holds competence to issue the contested resolution, as well as the agreement to initiate the sanctioning procedure. Thus, the condition under which the Director of the AEPD issued the appealed act.” Regarding the fact that the obstruction to the inspection work of this Agency does not exist due to that Royal Decree 389/2021, of June 1, suppresses the Data Inspection, forgets QUALITY that, although the Data Inspectorate as a governing body is suppressed, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/18 instead, the General Subdirectorate of Data Inspection is the equivalent body in the organic structure of this Agency, defined in article 27 of said Royal I decree its powers and functions, and therefore, this Sub-directorate maintains their powers are in force as stated in said article. Regarding the inspection that was attempted on March 15, 2023, Proceedings appear in file EXP202213771 indicating that QUALITY was notified of the inspection on March 8 at 11:44 a.m. by phone call telephone number ***TELEPHONE.1, without recording any call or email to cancel it. Having appeared on said date at the registered office of QUALITY and informing the people present that the place where the Inspectors rents offices for events to different companies, including finds QUALITY, given the refusal to provide any type of information, the Acting inspectors leave the premises. On March 15, 2023, a letter was sent to QUALITY indicating that on the 27th March 2023, inspectors from this Agency will appear in order to carry out an inspection visit. QUALITY, by registered writing of entry with dated March 22, 2023 communicates that they will not allow the entry to the home of the inspectors from this Agency will not provide any information. under his refusal to inspect, the inspectors did not go to the headquarters. Finally, regarding QUALITY's assertion that the resolution has been communicated outside the period allowed by the Law, it is noted that, on May 24, of 2023 it was agreed by the Director of the Spanish Data Protection Agency on commenced this disciplinary procedure, where it was reported that the procedure will have a maximum duration of twelve months from the date of said Agreement, in accordance with the provisions of article 64 of the LOPDGDD. By Therefore, no resolution has yet been rendered, and the term that prevails by the principle of normative specialty is the one indicated in the aforementioned Initiation Agreement. II Allegations to the Resolution Proposal In response to the allegations to the resolution proposal of this file presented by QUALITY, the following should be noted. In the first place, regarding the so-called prior allegation by QUALITY, in which it ratifies all the statements set forth in previous writings, it should be noted that a large part of the allegations presented against the proposed resolution of this file, reproduce the same arguments used against the agreement of beginning and, therefore, have already been refuted by this Agency in the previous Foundation of Law. Regarding QUALITY's claim that it has been unable to find the SAN 5570/2022, of December 9, 2022, within the CENDOJ, we include the following link where you can access its publication in CENDOJ: https://www.poderjudicial.es/search/AN/openDocument/ 2f1d10beac9183daa0a8778d75e36f0d/20221229 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/18 On the other hand, regarding the supposed inconsistency that QUALITY points out when This Agency indicated that this procedure has a maximum duration of twelve months from the date of the initiation agreement, while in the file with number EXP202300740 we inform you that its maximum duration was nine months, it is clarified that article 64 of the LOPDGDD has been modified by final provision 9.4 of Law 11/2023, of May 8, entering said modification in force as of May 10, 2023. Therefore, from that date the maximum duration of the disciplinary procedure has become from twelve months to count from the date of the initiation agreement. Since the date of the start agreement was May 24, 2023, the maximum duration of this file, as stated reported, is 12 months. Regarding the statement of QUALITY regarding the lack of motivation in the assessment of the sanction to apply article 83.2.b) of the GDPR, on the intentionality or negligence in the infringement, QUALITY itself communicated in writing that he was subject to the right not to declare and that he would not allow entry to the home of the inspectors of this Agency. QUALITY accepts its rights not to present original documents and to act assisted by an advisor, according to article 53.1.c) and g) of the LPACAP, however, these rights do not conflict with the powers of this Agency, in particular to carry out inspections, require the exhibition or the sending of the necessary documents and data, examine them in the place where they are located deposited or where the treatments are carried out and obtain a copy of them, in accordance with the provisions of article 53.1 of the LOPDGDD. Regarding the mention made by QUALITY of article 63.3 of the LPACAP, it is worth point out that the present disciplinary procedure has its origin in the obstruction of the inspection activity of this Agency carried out within the framework of the file number EXP202213771, therefore, it has not been initiated by facts or conduct classified as offenses in whose commission the offender persists continued. With respect to what was indicated by QUALITY that when the inspectors of this Agency nor being able to identify them on March 27, he was deprived of the reason for recusal, it becomes clear that it was the refusal to inspect QUALITY, communicated in writing, which caused the inspectors not to go to their headquarters as was provided. In addition, the mere identification of the inspectors does not lead to their recusal, which would only take place, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). QUALITY also requests that the name of the claimant disappear in the current procedure, so it is clarified that the claimant of the file EXP202213771 is not a participant in this proceeding, stating his name only in the request for information that this Agency notified to QUALITY and that was incorporated into this proceeding for evidentiary purposes, as was stated in the Commencement Agreement. Lastly, regarding QUALITY's allusion to the sanction of this Agency against CaixaBank for providing a mother, who did not identify herself, with her daughter's account details, it is pointed out again that the infringement that is the basis of this disciplinary procedure C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/18 It is not related to the legitimacy of the possible treatments that you can carry out, therefore, its purpose is not to determine the need for QUALITY to request the accreditation of the identity of third parties or the way, where appropriate, to do so, but rather it is limited to the obstruction of the inspection activities of this Agency. IV. breached obligation In accordance with the available evidence, it is considered that QUALITY prevents the staff of the Spanish Data Protection Agency from accessing the personal data, information, premises, equipment and means of treatment that are required for the exercise of their investigative powers. With the indicated conduct of QUALITY, the power of investigation that the article 58.1 of the GDPR confers on the control authorities, in this case, the AEPD, it has been seen hindered. Regarding what was alleged by QUALITY to refuse to provide access to the information required by the inspectors of this Agency, it should be noted that article 53.1 of the LOPDGDD under the heading "Scope of research activity" stipulates the following: "1. Those who carry out the research activity may collect the information necessary for the fulfillment of their functions, carry out inspections, require the display or dispatch of the necessary documents and data, examine them on the spot where they are deposited or where the treatments are carried out, obtain a copy of them, inspect the physical and logical equipment and request the execution of treatments and programs or procedures of management and support of the treatment subject to investigation. Likewise, in article 27.2 of the aforementioned RD 389/2021 the functions of The General Sub-Directorate of Data Inspection, among which is found in its section b) The exercise of the investigative powers defined in article 51 of Organic Law 3/2018, of December 5. Therefore, the facts described in the "Proven facts" section are considered constituting an infringement, attributable to QUALITY, for violation of article 58.1 of the GDPR, which provides that each control authority will have, among its powers of investigation: “a) order the person responsible and the person in charge of the treatment and, where appropriate, the representative of the manager or manager, who provide any information that it requires for the performance of its functions; b) carry out investigations in form of data protection audits; c) carry out a review of the certificates issued under article 42, paragraph 7; d) notify the responsible or the person in charge of the treatment the alleged infractions of the present Regulation; e) obtain from the person in charge and the person in charge of the treatment access to all personal data and all the information necessary for the exercise of their functions; f) obtain access to all the premises of the person in charge and of the person in charge of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/18 processing, including any data processing equipment and means, of accordance with the procedural law of the Union or of the Member States.” V Classification and classification of the offense In accordance with the evidence available, the facts stated are considered to constitute an infringement, attributable to QUALITY. This infringement is typified in article 83.5.e) of the GDPR, which considers as such: "no facilitate access in breach of article 58, section 1.” The same article establishes that this infraction can be sanctioned with a fine. twenty million euros (€20,000,000) maximum or, in the case of a company, of an amount equivalent to four percent (4%) maximum of the total annual global business volume of the previous financial year, opting for the of greater amount. For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as the following behavior is very serious: "ñ) Failing to facilitate access by data protection authority personnel competent to personal data, information, premises, equipment and means of treatment that are required by the data protection authority for the exercise of its investigative powers. o) The resistance or obstruction of the exercise of the inspection function by the authority of competent data protection.” SAW sanction imputed The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. In Consequently, the sanction to be imposed must be graduated according to the criteria established in article 83.2 of the GDPR, and with the provisions of article 76 of the LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR. Based on the information available, it is appreciated that the circumstances concur Justifications for the following aggravating factors: - Article 83.2.b) of the GDPR: intentionality or negligence in the infringement. The obstruction to the inspection activity of this Agency is intentional and manifest, expressly declaring QUALITY that it will not provide access to this Agency to any data or information, nor will it allow the access of the inspectors, sending their collaboration with the courts. - Article 76.2.b) of the LOPDGDD, in accordance with the provisions of article 83.2.k) of the GDPR: linking the activity of the infringer with the performance of data processing personal information. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/18 QUALITY maintains a personal data processing activity through the Inglobaly.com portal, through which it manages a personal database and offers various services to third parties related to such data. In accordance with the facts exposed, it is considered that it is appropriate to impute a sanction to QUALITY for the violation of article 58.1 of the GDPR typified in article 83.5 e) of the GDPR. The sanction that corresponds to impose is an administrative fine for a amount of 20,000.00 euros. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE QUALITY-PROVIDER S.A., with NIF A87407243, for a infringement of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 20,000.00 euros (TWENTY THOUSAND euros). SECOND: NOTIFY this resolution to QUALITY-PROVIDER S.A. THIRD: Warn the penalized person that they must make the imposed sanction effective Once this resolution is enforceable, in accordance with the provisions of Article art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its income, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its collection in executive period. Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following or immediately following business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/18 day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. 938-010623 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es