AEPD (Spain) - PS/00247/2020: Difference between revisions
mNo edit summary |
m (Ar moved page AEPD - PS/00247/2020 to AEPD (Spain) - PS/00247/2020) |
(No difference)
|
Latest revision as of 14:22, 13 December 2023
AEPD - PS/00247/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 7 GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 26.10.2020 |
Published: | |
Fine: | 4000 EUR |
Parties: | ORGANIC AND NATUR 03, S.L |
National Case Number/Name: | PS/00247/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA (AEPD) imposed a penalty of € 4000 on ORGANIC NATUR 03 S.L. for the infringement of Article 13 GDPR (data privacy policy) and a warning penalty for the infringement of Article 7 GDPR regarding the collection of customer consent.
English Summary
Facts
The Territorial Delegation of the Department of Health and Families of the Regional Government of Andalusia filed a complaint with the AEPD against ORGANIC AND NATUR 03 S.L. on the issue of a membership contract that incorporates pre-determined clauses regarding data protection, thus preventing effective negotiation and the express consent of the signatory client.
In the aforementioned contract it was indicated that the client authorised the transfer of all his/her data for the purpose of managing the credit, as well as, to send him/her commercial offers.
The fact that different data processing purposes were being accepted in the same clause without express consent for each one could mean a breach of the duty to inform the customer of the purposes of data processing.
Dispute
Are the failure to update the privacy policy and the failure to collect consent for each of the purposes of data processing infringements of Articles 13 GDPR and 7 GDPR respectively?
Holding
To determine the amount of the penalty, the AEPD took into account three criteria in Article 83(2) GDPR: unintentional negligence (paragraph b); the categories of personal data affected by the infringement (paragraph g); and the way in which the AEPD became aware of the infringement, which was reported by the complainant (paragraph h).
Account has also been taken of Article 76 (2) (b) LOPDGDD concerning the link between the activity of the offender and the processing of personal data.
In view of the above, a penalty of € 4000 was set for the infringement of Article 13 GDPR and a warning sanction for the infringement of Article 7 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 Procedure No.: PS / 00247/2020 938-051119 RESOLUTION OF SANCTIONING PROCEDURE In the sanctioning procedure PS / 00247/2020, instructed by the Spanish Agency for Data Protection, before the entity, ORGANIC AND NATUR 03, S.L., with CIF .: B93484913 (hereinafter, “the claimed entity”), by virtue of the complaint filed by the COUNCIL OF HEALTH AND FAMILIES OF THE ANDALUSIAN GOVERNMENT -TERRITORIAL DELEGATION IN *** LOCALIDAD.1, (hereinafter, “the body claimant ”), and based on the following: BACKGROUND FIRST: On 11/28/29, you have an entry in this Agency, complaint filed by the complaining body in which it indicated, among others, the following: "In this Consumer Service the corresponding reference file is processed to the claims filed against the company ORGANlC AND NATUR 03 S.L. After examining the documentation provided by the claimant, it is verified that in the sales contract includes the general conditions No. 8 and No. 9, which may contravene the provisions of articles 5 and 6 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights. It is an adhesion contract in which the consumer, when he lends his consent to be bound, accept each and every one of the clauses predisposed by the professional without the possibility of any negotiation. The stipulations state: 8.- For knowing the scope and content of Organic Law 15/99 for the protection of personal data, the buyer gives his informed consent for the personal data provided under this contract, and those derived from this relationship can be incorporated into the computerized files or not of ORGANIC AND NATUR 03 SL. Regardless of the foregoing, the buyer declares to have been informed and gives your consent so that: A) Within the credit and equity solvency studies of ORGANIC AND NATUR 03 SL., Or third parties acting on their behalf or to whom they have assigned the credit derived from the sale, can carry out the necessary investigations for the formalization of this contract and scoring procedures may be used. B) ORGANIC AND NATUR 03 SL, you can send all the information you have for convenient, provided that it bears reference to the corporate purpose of ORGANIC AND NATUR 03 SL, for the exercise of the rights recognized by the law of protection of personal data the buyer must contact ORGANIC AND NATUR 03 SL, in the registered office indicated on the obverse. 9. - Furthermore, the buyer expressly authorizes ORGANIC AND NATUR 03 SL. to that you can transfer your personal data to the financial entity to which you transfer this credit where appropriate, in order to manage it, as well as, to send you commercial offers from said financial institution that may be of interest to you. Yes you do not want it or if you wish to access, rectify or cancel your personal data, please C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/8 Address ORGANIC AND NATUR 03 SL at the address listed on the front of this document. We believe that it is not possible for all consumers who purchase products outside the commercial establishment of the company ORGANlC AND NATUR 03 SL. previously know the scope and content of Organic Law 3/2018 ”. Likewise, it is at all times unlikely that the company's sales representatives, in addition to expose to those attending the event the characteristics and virtualities of the product that intend to sell, fully inform them of the obligations of the company respecting the treatment of personal data in accordance with the legal regulation contained in the Organic Law. Nor is it credible that a The average consumer is trained to discern the meaning or the significance of a scoring procedure. As we consider that The clauses previously transcribed could be contrary to the provisions of the Organic Law Organic Law 3/2018 cited, a copy of the contract provided is sent by the claimant in order for that Agency to carry out the actions that in Right proceed. Likewise. We are interested in being informed of the result of such performances ”. SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (RGPD). Thus, dated 01/20/20 and 07/24/20, requirements are addressed informative to the claimed entity. According to the certificate of the Electronic Notifications and Electronic Address Service Enabled, the request sent to the claimed entity on 01/20/20, through the NOTIFIC @ service, was accepted at destination on 01/31/20. According to the certificate of the Electronic Notifications and Electronic Address Service Enabled, the request sent to the claimed entity on 07/24/20, through the NOTIFIC @ service, was rejected on 08/04/20. THIRD: on 09/09/20, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the claimed entity, for infringement of articles 13) of the RGPD, punishable in accordance with the provisions of art. 83 of the aforementioned rule, by not having its personal data treatment policy adapted to the new regulations in force and article 7) of the RGPD, by not collecting, in a individualized, the consent of the client, for the treatment of their data personal, when its purpose is different from that pursued in the execution of the contract. FOURTH: On 09/20/20, the entity was notified of the initiation of the file claimed, which has not submitted to this Agency, any writing or allegation, within the period granted for this purpose. PROVEN FACTS 1º.- In article 8 of the “General Conditions”, of the adhesion contract between the claimed entity and the user, it is verified that it continues to do so C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/8 reference to the repealed Organic Law 15/1999, of December 13, on the Protection of Personal data. 2º.- Regarding the consent given by the user, which is referred to in the Article 9 of the "General Conditions", of the adhesion contract between the entity claimed and the user, it states that: "In addition, the buyer authorizes expressly ORGANIC AND NATUR 03 SL. to which you can transfer your data personal data to the financial entity to which this credit is assigned, if applicable, purpose of managing the same, as well as, to send you commercial offers of said financial entity that may be of interest to you (…) ”. FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in the art. 47 of LOPDGDD. II Regarding article 8 of the "General Conditions", of the adhesion contract between the claimed entity and the user, it is verified that the same is still done reference to the repealed Organic Law 15/1999, of December 13, on the Protection of Personal data. According to article 99 of the RGPD, the entry into force and application of the new RGPD was, "Twenty days after its publication in the Official Journal of the European Union (05/25/16)" and it would be applicable as of May 25, 2018 ”. Therefore, as of 05/25/18, the LO was repealed. 15/1999, (LOPD), applying obligatorily, from that date date, the current RGPD and as of 12/07/18 the new LOPDGDD. For its part, article 13 of the RGPD establishes the information that must be provide the interested party at the time of collection of their personal data. Information that does not appear in the "privacy policy" of the website at question. Therefore, the known facts are constitutive of an infraction, attributable to the claimed, for violation of article 13 of the RGPD, which establishes the information that must be provided to the interested party at the time of collection of their data personal. For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD " This offense can be sanctioned with a fine of € 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of greater amount, in accordance with article 83.5.b) of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/8 In accordance with the indicated precepts and for the purpose of setting the amount of the penalty to impose in the present case, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 83.2 of the RGPD: - The intentionality or negligence in the infraction. In the present case we are in the event of unintentional negligent action, (section b). - The categories of personal data affected by the infringement. (section g). - The way in which the supervisory authority learned of the infringement. The The way in which this AEPD has learned has been by filing the complaint by the complaining body, (section h). In accordance with the indicated precepts and for the purpose of setting the amount of the penalty to impose in the present case, it is considered that the sanction to be imposed should be adjusted in accordance with the following criteria established in article 76.2 of the LOPDGDD: - The linking of the offender's activity with the performance of treatment of personal data, (section b). The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the offense committed by violating the provisions of Article 13 of the RGPD, allows setting a penalty of 4,000 euros, (four thousand euros). III Regarding the consent given by the user, which is referred to in the Article 9 of the "General Conditions", of the adhesion contract between the entity claimed and the user, it states that: "In addition, the buyer authorizes expressly ORGANIC AND NATUR 03 SL. to which you can transfer your data personal data to the financial entity to which this credit is assigned, if applicable, purpose of managing the same, as well as, to send you commercial offers of said financial entity that may be of interest to you (…) ”. Well, article 6.1. of the RGPD, establishes that the treatment will only be lawful if meets at least one of the conditions indicated therein, including finds, in its section b), if the treatment is “necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures ”, in which case, the sending of communications that keep intimate relationship with the end of the signed contract, would be ruled by this precept. However, for any other type of communication with the client, as in this case, to "send you commercial offers from the entity (...)", without specifying a specific purpose, and where, therefore, any type of commercial communication would fit whether or not related to the ultimate purpose of the signed contract, the provided in section a) of article 6.1 of the RGPD, where it is specified that, “the Treatment will only be lawful if the interested party gave their consent for the treatment of your personal data for one or more specific purposes ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/8 For its part, article 7 of the RGPD establishes, on consent, that: “1. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that he consented to the processing of his data personal. 2. If the consent of the interested party is given in the context of a written statement that also refers to other matters, the request for Consent will be presented in such a way that it is clearly distinguishable from others matters, in an intelligible and easily accessible way and using clear and simple language. Any part of the declaration that constitutes an infringement of the these Regulations. 3. The interested party will have the right to withdraw their consent in any moment. The withdrawal of consent will not affect the legality of the treatment based on consent prior to withdrawal. Before giving your consent, the interested party will be informed of it. It will be so easy to remove the consent how to give it. 4. When evaluating whether consent has been freely given, account shall be taken to the greatest extent possible of whether, among other things, the performance of a contract, including the provision of a service, is subject to the consent to the processing of personal data that are not necessary for the execution of said contract ”. In relation to these two cited articles, the recital should be taken into account (32) of the RGPD, as it indicates that: “Consent must be given through an act clear affirmative that reflects a manifestation of free will, specific, informed, and unequivocal of the interested party to accept the processing of personal data that concern you ... Therefore, silence, already ticked boxes or inaction does not they must constitute consent. Consent must be given for all processing activities carried out for the same or the same purposes. When the treatment has several purposes, consent must be given for all of them ... " Likewise, article 6.2 of the LOPDGDD establishes, on the treatment based on the consent of the affected party, that: “When it is intended to establish the treatment of data in the consent of the affected person for a plurality of purposes will be It must be specifically and unequivocally stated that said consent is grants for all of them ”. Well, in accordance with everything previously expressed, the data processing requires the existence of a legal basis that legitimizes it, as in this case, if it is necessary for the execution of a contract in which the interested party is a party, in which case the sending of correspondence, including commercial, that was linked to the execution of the contract would be subject to this precept. Not so, when sending commercial correspondence does not have the same purpose as that included in the contract, in which case, the valid consent of the interested party is necessary. This consent must be given for each of the purposes outside the contract signed by the client. Therefore, a generic acceptance is not valid, such as “sending of commercial correspondence of the entity ”, without giving the option to give consent individualized for each of them and above all, if they are unrelated to the purpose of the contract. Thus, the known facts could constitute an infraction, attributable to the defendant, for violation of article 7 of the aforementioned RGPD, to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/8 carry out the collection of consent through a generic action for all purposes of data processing. For its part, article 72.1.c) of the LOPDGDD, considers very serious, for the purposes of prescription, "Failure to comply with the requirements of article 7 of the RGPD". This offense can be sanctioned with a fine of € 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the of greater amount, in accordance with article 83.5.b) of the RGPD. However, Article 58.2) of the RGPD provides that: “Each control authority have all of the following corrective powers listed below: b) sanction any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation; (…); i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, depending on the circumstances of each particular case, therefore, the sanction that could Corresponding would be a warning, without prejudice to what results from the instruction of this file, since in this case, it has not been verified that the entity claimed has sent commercial correspondence unrelated to the ultimate purpose of the conditions of the contract. Based on these criteria, it is considered appropriate to impose a sanction on the defendant of "APERCIBIMIENTO", for the violation of article 7 of the RGPD. Therefore, based on the foregoing, by the Director of the Agency Spanish Data Protection, RESOLVES FIRST: IMPOSE the entity, the entity ORGANIC AND NATUR 03, S.L., with CIF .: B93484913, two sanctions, regarding the privacy policy and collection of consent, consisting of: - 4,000 euros (four thousand euros), for the violation of article 13) of the RGPD, regarding its policy of treatment of the personal data of the clients. - Warning, for the violation of article 7) of the RGPD, regarding the collection of clients' consent for the processing of their data personal. SECOND: REQUEST the entity ORGANIC AND NATUR 03, S.L. so that, in the within a month from this act of notification, proceed to: - Take the necessary measures to adapt its policy on the treatment of personal data, as stipulated in article 13 of the RGPD, adapting it to the new regulations in force. - Take the necessary measures to obtain the client's consent to the processing of your personal data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/8 THIRD: NOTIFY this resolution to the entity ORGANIC AND NATUR 03, S.L, and the claimant on the result of the claim. Warn the sanctioned person that the sanction imposed must be effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (LPACAP), within the voluntary payment period indicated in the Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by entering the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the Bank CAIXABANK, S.A. or otherwise, it will be collected in a period executive. Notification received and once executive, if the execution date is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 82 of Law 62/2003, of 30 December, of fiscal, administrative and social order measures, the present Resolution will be made public, once it has been notified to the interested parties. The Publication will be made in accordance with the provisions of Instruction 1/2004, of 22 December, of the Spanish Agency for Data Protection on the publication of its Resolutions. Against this resolution, which puts an end to administrative proceedings, and in accordance with established in articles 112 and 123 of the LPACAP, the interested parties may file, optionally, an appeal for reconsideration before the Director of the Agency Spanish Data Protection Agency within a month from the day following notification of this resolution, or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the provision Additional fourth of Law 29/1998, of 07/13, regulating the Jurisdiction Contentious-administrative, within a period of two months from the next day upon notification of this act, as provided in article 46.1 of the aforementioned text legal. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward the documentation to the Agency that certifies the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious appeal- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/8 administrative within a period of two months from the day following notification of the This resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es