AEPD (Spain) - PS/00194/2020: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00194/2020 to AEPD (Spain) - PS/00194/2020) |
(One intermediate revision by one other user not shown) | |
(No difference)
|
Latest revision as of 14:09, 13 December 2023
AEPD - PS/00194/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 23.10.2020 |
Published: | |
Fine: | 2000 EUR |
Parties: | CABRERA & GIL ABOGADOS, S.L.P |
National Case Number/Name: | PS/00194/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
An individual lodged a complaint with the Spanish DPA (AEPD) for considering the processing of his personal data by a law firm contrary to data protection regulations (Article 6 GDPR).
English Summary
Facts
A lawyer from the Cabrera y Gil law firm, sent a letter to a third company, providing the knowledge of the personal data and private address without the knowledge or consent of the data subject for that purpose, being that company totally unrelated to the applicant, without any corporate, labour or shareholder relationship or any other relation.
The law firm in question sent a reply to the AEPD's request for information, claiming that the procedure for security breach and/or leakage of confidential information and personal data of the company itself had been carried out.
They also justified that all processing of personal data was carried out for the purpose of providing legal defense and representation before the courts, as provided for in Article 24 of the Spanish Constitution. At the same time, they replied that the protection of information has been carried out in a correct manner, respecting the three basic principles: confidentiality. integrity and availability.
From the law firm, they defend that the processing of data serves a legitimate purpose as set out in Article 6 (1) (f) GDPR, since it is necessary to carry out their work of defence and legal representation.
Dispute
Is the processing of personal data for legal defense purposes a situation that complies with legitimate purposes, as stated in article 6 (1) (f) GDPR?
Holding
On 20/07/20, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the entity complained of for failing to comply with the provisions of the regulations in force and imposing on the entity complained of a sanction of EUR 2000 (two thousand euros) for the infringement of Article 6 of the RGPD.
Comment
On 29/07/20, the claimed entity has proceeded to pay the penalty in the amount of EUR 1600 (one thousand six hundred euros) using one of the two reductions (20%), as a voluntary payment option without recognition of liability.
Therefore, the company complained of desists from lodging any appeal against the sanction, but at the same time refuses to acknowledge its responsibility in the matter in question.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure No.: PS / 00194/2020 938-0419 RESOLUTION OF TERMINATION OF THE PROCEDURE BY EARLY PAYMENT In the sanctioning procedure PS / 00194/2020, instructed by the Spanish Agency for Data Protection, to the entity, CABRERA & GIL ABOGADOS, S.L.P. with CIF .: B84220193, (hereinafter, “the claimed entity”), by virtue of the complaint filed by A.A.A., (hereinafter, “the claimant”) and based on the following: BACKGROUND FIRST: On 03/19/19, you entered this Agency, complaint filed by the claimant in which it indicated, among others, the following: “On January 11, 2019, a lawyer from the Cabera y Gil law firm sent the letter that accompanied the company *** COMPANY.1 and to whom he subscribes, putting in his I know my personal data and home address without my knowledge and consent to this, said company being totally unrelated to the appearing party, without corporate, labor, shareholding or any other relationship ”. A copy of the letter sent by the Firm is attached to the claim document. de Abogados Cabrera & Gil, addressed to the claimant, with a copy ("w / copy"), to the entity *** COMPANY.1, in which they contact him, on behalf of his client, *** COMPANY.2, in relation to the lawsuit presented. SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (RGPD). Thus, dated 05/15/19, an informative request is addressed to the claimed entity. THIRD: On 06/06/19, the claimed entity sends this Agency in writing in which, among others, it indicates: “We present the facts that are inserted in the claim: -a lawyer from the firm- cho de abogados Cabrera & Gil Abogados, S.L.P. has sent a burofax to the company *** COMPANY.1 addressed to the claimant (your personal data is indicated at the top nales: name. surname and postal address) on behalf of your client, the company *** COMPANY.2, of which he claims he was a partner in the past. The claimant criticizes that your personal data is being disclosed to the aforementioned company *** COMPANY.1 with which it does not maintain any type of relationship (neither corporate, labor nor shareholder). The first decision taken regarding this claim was to activate the protocol colo of security breach and / or leak of confidential information and personal data implemented by Cabrera & Gil Abogados SLP, which is provided as (document no. mere 2). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 This protocol contains the following action parameters: 1.- Whoever has had knowledge of an incident. related to personal data- them. report the situation internally without delay, communicating it to the management team tive. 2.- An internal audit will be carried out within the first 6 hours 3.- An external audit will be carried out if deemed necessary 4.- An estimate of the impact will be made. 5.- In the event that we are faced with a leak of personal data significant and / or seriously jeopardizing the rights or freedoms of the person. In accordance with the RGPD, the security violation will be notified to the AEPD 6.- Taking measures to mitigate the leak or security breach. 7.- Evaluation of the result and the effectiveness of the actions taken. The corresponding act has been drawn up of the activation of the action protocol whose certificate is attached as [document number 3) dated May 20, 2019: The agreements and assessments taken as a result of the activation of the protocol Color of breach and / or information leak are the following: The communication has been made by the AEPD. on May 10, 2019; Denun- ciant: A.A.A .; Data Processing Registry. *** COMPANY. 2 filing of requests lla. Facts: "- A lawyer from the law firm Cabrera & Gil Abogados S.L.P. has sent a burofax to the company *** COMPANY.1 addressed to the claimant (in the upper part above, your personal data is indicated: name, surname and postal address) in the name of his client, the company *** EMPRESA.2, of which they affirm that he was a partner in the past. The claimant criticizes that their personal data is being disclosed to the aforementioned company *** COMPANY.1, with which it does not have any type of relationship (or corporate estuary. neither labor nor stock). After conducting the internal audit, within the first six hours, it is determined that no no information has been stolen. There is no leak. They are not affected entities or persons. There is no information leak for which there is no responsible party. A.A.A. has been the subject of a complaint by the company *** COMPANY. 2 cu- We defend interests. It is attached as (Doc. 4) acknowledgment of receipt before the jurisdiction penal. and as (Doc. 5) complaint presented before the criminal jurisdiction. The presentation of said claim in the AEPD against “Cabrera & Gil Abogados. SLP ”is in response to and in retaliation for the complaint filed on February 28, 2019 in defense of the rights and interests of our client. one month before claim before the AEPD. A.A.A. is a partner of *** EMPRESA.2 and has been represented legal entity of the company *** COMPANY.2 is attached as (Doc. 6) power of attorney tion and in direct relationship with *** COMPANY.1 of which it has been and is the representative of done. The complaint is filed among other reasons for this in direct relation to unfair competition. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 Action protocols related to confidentiality agreements are reviewed. quality and treatment of data transferred by the company *** COMPANY.2 as responsible of transferred data and Cabrera & Gil SLP as assignee and in charge of the treatment of data to defend your rights. As well as internal agreements and other protocols with the dispatch personnel and the person responsible and authorized to carry the proceedings. It is provided as (Doc. 7) confidentiality agreement and data transfer between client as responsible and office as data controller. Be it by- as (Doc. 8), confidentiality agreement and data processing by la- boral assigned to the office signed by B.B.B .. Provided as (Doc. 9) Record of Treatment activities for clients with *** COMPANY. 2. All requests made to A.A.A. has been in quality and related to its representation of legal persons either *** COMPANY.2 or *** COMPANY.1 Article 19 of the LOPD is applicable. As we have said since February 28, 2019, a complaint before the criminal courts against A.A.A. so the personal data object of treatment have been obtained in legitimate interest. The claim is dated March 19, 2019, so this is one month after the filing of the complaint. The provisions regarding the lawfulness of the data. both the consent of the interested party who is *** COMPANY.2 and responsible treatment, as in relation to A.A.A. because it is covered by a provision legal, as is established in the Criminal Procedure Law article 277 in relation to compliance with the provisions of the articles of the Criminal Code and legitimation in the interests of law determined in the effective judicial protection of article 24 of the EC, all of in accordance with the articles in article 6.1 RGPD and 8 of the LOPD. The protection of the information has been carried out correctly, respecting the three basic principles: confidentiality. integrity and availability. Confidentiality, the information is accessible only by authorized personnel. c: B.B.B. and by C.C.C .. The integrity of the information, the information is correct and is free of modifications nests and mistakes. The complaint is precisely to denounce their responsibility as de facto representative with the company *** COMPANY.1 Disponibility. The information is accessible to authorized persons or systems zed when necessary. The management team does not consider the audit necessary external depending on gravity. size, filtration level. The impact estimate is level 0. It has been taken into account first, if in the leakage of information, whether or not there is personal data and their level. Reputational damages.- There are no reputational damages. Level 0. Regulatory consequences that entail financial, administrative, criminal, civil, deontological. Level 0. Economic valuation - level 0. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 We are not in the case of data of a significant personal nature and / or that seriously jeopardizes the rights or freedoms of the person, in accordance with the Re- European Data Protection Regulation. Therefore, it is not necessary to notify the violation. lation of security to the AEPD or notify the interested party. Taking measures to mitigate the leak or security breach. All the me- decisions taken by the management team. The evaluation of the result and the effectiveness of the actions taken. The effectiveness of The actions taken have been positive and were within the valid legality people, however, the implementation of more rigorous measures to prevent deal with any damage as far as possible. Second.- It is not found in the cases of exercises of the regulated rights in articles 15 to 22 of the RGPD. Third.- The facts provided to the contrary, object of the claim dated 19 March 2019 are the following already mentioned: A lawyer from the law firm CABRERA & GIL ABOGADOS S.L.P. has in- Viado a burofax & the company *** COMPANY.1. addressed by the claimant (in the upper part above, your personal data is indicated: name, surname and postal address) in the name of his client, the company *** EMPRESA.2, of which they affirm that he was a partner in the past. - The claimant criticizes that their personal data is being disclosed to the mentioned company *** COMPANY.1 with which it does not maintain any type of relationship (neither corporate, labor nor shareholder). The facts are motivated in response to the complaint dated February 28, 2019 that this office has presented before the criminal jurisdiction: On February 28, In 2019, the company *** EMPRESA.2 (complainant), filed a complaint, in the form of ma and with the requirements indicated in article 277 and concordant of the Law of Criminal Prosecution, against A.A.A. (defendant). From the point of view of data protection and its legitimacy to initiate it is fully justified from the evidentiary point of view, by the various documents related in the point first. The legitimacy of “Cabrera & Gil Abogados, S.L.P for the possession of personal data sonal. and its treatment, is justified from two aspects, by a hand, from the effective judicial protection that our client *** COMPANY.2 has to defend deed from unlawful actions and omissions by A.A.A. and whose “consent express consent 'is included in the confidentiality and data transfer agreement as responsible for treatment; on the other hand, it would be justified according to the interest legitimate. included in article 6 of the RGPD and 8 of the LOPD, and that the law of prosecution- criminal procedure in relation to the penal code (articles 252, 253 and 248.1) gives ture to that possession and transfer of personal data to the Judicial Bodies and to the investigation investigation of the facts in which other entities or persons are related legal or physical activities, such as the case of *** COMPANY.1, especially when it is the pia public administration through the DGT (General Directorate of Traffic) which ' puts on the track 'that A.A.A., is using an account of which is the owner together with *** EMPRESA.1 so that, causing deception in the DGT, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 gresen in it, money that corresponds to *** COMPANY. 2. It is provided as (Doc. 10) email from the D.G.T. The complaint is requested as diligence investigation of the account holders from the BBVA Bank. A.A.A. missing the truth when he 'hints' that he is not a member of *** COMPANY.2, causing an error in as far as the data may be inaccurate. This person has been and is a partner of *** COMPANY.2, and as we have said, he has been Legal representative of the company *** COMPANY. 2. On October 20, 2005, Power of attorney was granted to the defendant today, by the company *** EMPRESA.2, with full powers to manage its assets, by virtue of a deed power of attorney granted on said date, authorized before the Madrid Notary. The power of attorney was revoked due to the company's detection of improper use and for their own benefit, and their employment relationship was terminated, the object of which nuncia in the complaint. The data is treated in a lawful, loyal and transparent manner in relationship with the interested party. They have been collected for specific purposes. explicit and le- to defend the rights of our client by filing a complaint with date prior to filing the claim with the AEPD and they have not been treated subsequently inconsistently. In addition, the data as we have seen are adequate, pertinent and limited. to what is necessary in relation to the purposes for which they have been treated in accordance with the principle of data minimization; They are exact and updated data. The claimant criticizes that their personal data is being disclosed to the aforementioned company *** COMPANY.1 with which it does not have any type of relationship or corporate neither labor nor stock. Precisely the complaint also deals with conduct of unfair competition 248.1 of the Penal Code by A.A.A. regarding *** EM- PRESA.2 and in direct relationship with *** COMPANY.1 of which it has been and is representing you actually. The company *** EMPRESA.2, detected that the defendant, carried out work for companies sas of the competition, during the period in which he was as agent, and He was the de facto administrator of the entity *** COMPANY. 2. The defendant today, while he was the agent of the company *** COMPANY.2, created a shell company, *** COMPANY.1, through a single partner and administrator, D.D.D. being the object so- cial and commercial activity of this company, the same as that of my sponsored one. For This, he made use of reserved information that as a partner and attorney of *** EMPRE- SA.2, had in the sector. Specifically, and as noted before, *** COMPANY.2, received on the 2nd of March 2016. email from the DGT (General Traffic Directorate), in which It was indicated that after checking the bank details of *** COMPANY.2, these differed of the usual that consisted in said client. Later. my client found that the account was owned by A.A.A. and *** EM- DAM. 1. That is, the account provided by the defendant today to the client of my sponsor- The purpose of this was to benefit from the amount that would be received from the DGT. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 On this occasion, the defendant tried, through deception and confusion of a third party, in this case the DGT, to appropriate certain amounts that were directed to my sponsored by the provision of services in the scope of its activity, facilitating for this, an account number of which he was the owner, apparently, together with the company *** COMPANY.1, to charge for such services, without it being achieved since by part From the DGT a certificate was requested for my client to prove the alleged change of ownership of the account you used regularly. In the face of unfair competition conducts and under article 6 of the RGPD and 8 of the LOPD mentioned above. my client has the right to defend himself and to find out until where fraudulent business practices have come. Data transfers have been otherwise. those strictly necessary and directly related to their representation data: name. surname and address not using other data such as your D.N.I or other data related to your natural person. Being within the norm therefore by article 19 of the LOPD as business data. We consider relevant the legal basis by which, according to the article Article 65 of the LOPD there is no place for the opening of any sanctioning file because the claim is manifestly unfounded and in accordance with the article the 74 of the LOPD not to have caused damage to the affected by being protected our legitimacy for the treatment and transfer of data. in article 6 of the RGPD and 8 of the LOPD, falls within the established legitimate interest. The behavior before- described above, carried out by the defendant, is included in the crime of fraud of the Article 248.1 of the current CP. Crime with the aggravation of article 250.1.6º of the CP. What has been seen so far determines that, if such facts exist. after checking timely by the consultant, the action of the consultant consisting of communicating to the prosecutor or judges a possible criminal act would not only be protected by the legislation protection of data, but would be imposed by procedural legislation. The requested data transfer would be covered by a law: "(...) if the law contemplates the birth of an obligation between the parties the necessary corollary is that the law also It must also consider the need to know the circumstances necessary to der exercise the subjective rights that arise from said obligation. In consecuense my client, before the commission of a crime on his person, property or property committed by a third party, he must be able to know the circumstances necessary to exercise his rights, and if article 24 of the Constitution recognizes the right to judicial protection effective, developed, among other rules by the Civil Procedure Law, or the Law of Criminal Procedure will have to go to these, art. 399 of the LEC or 277 of the Criminal Procedure Law, to see the circumstances that a decision must have judicial order. or in this case a complaint and among them, there is, that they have to state "the data and circumstances of the plaintiff and the defendant, or in this case, that and the domicile or residence in which they may be located ", so it is conclude that the transfer of the requested data is covered by the exception tion provided for in the LOPD and does not require the consent of the interested party. In the present case. Obligations arise between the parties, according to art. 1089 of the Code civil (Cc), art.1092 Cc. And art. 1093 Cc. Thus. both the crime and the res- extra-contractual liability obligations arise between the parties. In the LEC art. 399 establishes the circumstances that the claim must contain: and among them we find is that the application must state "the data and circumstances of the actor and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 of the defendant and the domicile or residence in which they may be located. " LECr the exercise of the action is exercised by complaint. according to art. 277 LECr. that requires that the name be recorded in it. surnames and neighborhood the defendant, that is, the law establishes the need to provide personal data of the person against whom the complaint is filed in order to be properly identified (either the name, surname, or other circumstances, photography, tattoos. characteristics personal cas etc.-). Although in our case in particular, it has only been provided name, surname and address. Basic data. The transfer of data has a legitimate interest: A second possibility that excepts the need for the consent of the interested party is constituted by the existence of an interest legitimate interest, provided that in a balancing exercise between said legitimate interest and the fundamental rights of those affected, the former prevail over the latter. So. the Judgment of the Court of Justice expressly declared the direct effect of the Title 7 f) 'of Directive 95/46 / EC. according to which: “Member States shall provide that the processing of personal data can only be carried out if (...) it is necessary for the satisfaction of the legitimate interest pursued by the data controller or by the third party or third parties to whom the data is communicated, provided that it does not prevail read the interest or the fundamental rights and freedoms of the interested party that requires They are protected under Article 1 (1) of this Directive ". The RGPD. considers as a legitimate cause for the processing of data the interest legitimate according to its article 6.1.f). So. to determine if the application would proceed of the aforementioned provision, the weighting rule provided therein shall be applied; that is, it is necessary to assess whether in the specific case under analysis, there will be a legitimate interest pursued by the data controller or by the third party or third parties to whom the data is communicated. that prevails over the interest or rights and fundamental freedoms of the interested party that require protection in accordance with the provisions put in article 1 of the RGPD. or if, on the contrary, fundamental rights or Interests of the interested parties to whom the data processing refers must prevail over the legitimate interest in which the person responsible or the third party intends to Mention the treatment or transfer of personal data. Before the commission of a crime, it is clear that the interests of my client prevail and not the other way around. Your- effective judicial fabric: In the present case. the legitimate interest invoked refers specifically to cially to the fundamental right to effective judicial protection (art. 24 CE). as far in which the illegal actions and omissions carried out by the "interested" and included in the supporting documentation are necessary to file the complaint. The scope of right to judicial protection in relation to the evidence has been addressed. among other. in STC 212/2013, of December 16. The scope of the right to judicial protection in relation to relationship with the test has been addressed. among other. in STC 21212013. of December 16 Cement. in which reference is made, citing STC 88/2014. May 28 at " intimate relationships of the right to evidence with other rights guaranteed in art. 24 CE. The relationship between the rights to protection of personal data and guardianship judicial has been. Likewise, analyzed in the Infamous of this AEPD 469/2011 of December 30, December 2011. in which the following is indicated: "In this point. It should be remembered that the AEPD has already had the opportunity to analyze the possible concurrence in a certain case of data processing of the rights Chos fundamental to the protection of personal data and judicial protection effective data controller. Thus, it has been considered, for example, that the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 treatment by a lawyer of the data of the opposing party of his client finds its protection in the recognition of the latter by article 24.1 of the Constitution of their right to effective judicial protection. which implies, according to section 2, the defense lawyer and the use of the pertinent means of proof for the defense of their right. The enforceability of the opponent's consent, in this case, A.A.A., for trafficking of your data, or by your lawyer would mean leaving the warehouse at the disposal of storage of the necessary information so that your client can fully exercise their right to effective judicial protection. Thus the lack of these data may logically imply camente, a reduction in the possibility of contribution by the interested party of "the media relevant evidence for his defense ”, violating another of the guarantees derived of the aforementioned right to effective protection and restricting the possibility of obtaining the full development of this right. For all of it. Although no provision with the force of Law expressly establishes the possibility of the treatment by lawyers and solicitors of the data referred to the opposition of his client within a certain judicial process, it is evident that he cha possibility brings direct cause of a norm of constitutional rank. regulatory in addition to one of the fundamental rights and public freedoms enshrined by the Constitution. and developed by the regulatory laws of each of the Orders Jurisdictional. in the precepts referring to the representation and defense of the tes. For all of it. it exists, from our point of view. a legal qualification for the data processing, which is covered by article 24 of the Constitution. tion and its implementing rules. FOURTH: On 07/20/20, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the claimed entity, by virtue of the powers established, for failing to comply with the provisions of current regulations and giving the claimed entity a penalty of 2,000 euros (two thousand euros) for the fraction of article 6 of the RGPD. FIFTH: On 07/29/20, the claimed entity has proceeded to pay the sanction in the amount of 1600 euros (one thousand six hundred euros) making use of one of the two reductions provided for in the Initiation Agreement transcribed above, submitting in this Agency writing in which, among others, it is indicated: “Voluntary payment option without acknowledgment of responsibility: That in accordance with the provisions of article 85 of the LPACAP, in the case of that the sanction to be imposed was a fine, may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the penalty proposal, which will mean a reduction of 20% of the amount thereof, equivalent in this case to € 400. With the application of this reduction, the sanction it would be set at € 1,600 and its payment would imply the termination of the procedure. The effectiveness will be conditioned to the withdrawal or resignation of any action or administrative appeal against the penalty. (…) With the application of this reduction, the penalty would be set at € 1,600, no recognizes the responsibility on the part of “Cabrera & Gil Abogados and desists C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 expressly, of any action or appeal in the administrative channel against the sanction". FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation- ment. II Article 85 of Law 39/2015, of October 1, on the Administrative Procedure Co- of the Public Administrations (hereinafter LPACAP), under the heading “Termi- nation in sanctioning procedures ”provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the improper dence of the second, the voluntary payment by the presumed responsible, in any moment prior to the resolution, will imply the termination of the procedure, except in Regarding the replacement of the altered situation or the determination of the compensation tion for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the I win competent to resolve the procedure will apply reductions of, at least, the 20% on the amount of the proposed penalty, these being cumulative among themselves. The said reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The reduction percentage provided for in this section may be increased by regulation. mentally. " In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 FIRST: DECLARE the termination of the procedure, PS / 194/2020, in accordance with with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to the entity, CABRERA & GIL ABOGADOS, S.L.P. In accordance with the provisions of article 50 of the LOPDGDD, this Re- solution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal contentious administrative before the Contentious-administrative Chamber of the Audien- National company, in accordance with the provisions of article 25 and section 5 of the Additional fourth section of Law 29/1998, of July 13, regulating the Jurisdiction Contentious-Administrative, within two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned Law. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es