AEPD (Spain) - PS/00249/2020: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00...") |
m (Ar moved page AEPD - PS/00249/2020 to AEPD (Spain) - PS/00249/2020) |
||
(6 intermediate revisions by one other user not shown) | |||
Line 7: | Line 7: | ||
|DPA_With_Country=AEPD (Spain) | |DPA_With_Country=AEPD (Spain) | ||
|Case_Number_Name=PS | |Case_Number_Name=PS/00249/2020 | ||
|ECLI= | |ECLI= | ||
Line 54: | Line 54: | ||
}} | }} | ||
The Spanish DPA maintains that a company can not process personal and health data for commercial purposes without the prior consent of the data subject, as this infringes Article 5 (1) (b) GDPR. | The Spanish DPA (AEPD) maintains that a company can not process personal and health data for commercial purposes without the prior consent of the data subject, as this infringes Article 5(1)(b) GDPR. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
The complainant | The complainant used the services of the defendant to download weekly menus. The complainant discovered days later that this company has used their personal data, full name and profile picture, and information about her cholesterol tests and her heart disease (hypothyroidism) to advertise their products, without her prior consent. | ||
The Spanish DPA tried to contact the company in question and there was no response so the sanctioning procedure was initiated. | The Spanish DPA tried to contact the company in question and there was no response so the sanctioning procedure was initiated. | ||
=== Dispute === | ===Dispute=== | ||
Is the processing of personal and health data for commercial purposes without prior consent a breach of Article 5 (1) (b) GDPR? | Is the processing of personal and health data for commercial purposes without prior consent a breach of Article 5(1)(b) GDPR? | ||
=== Holding === | ===Holding=== | ||
The Spanish DPA decided to impose a fine of | The Spanish DPA decided to impose a fine of € 3000 on the company in question for breach of data processing duties, as the complainant had not given their consent for their personal data or data on their state of health to be used for advertising purposes. | ||
In this case, the aggravating factors applied are that it is an unintentional but significant negligent action (Article 83(2)(b) GDPR) and that basic identifiers such as name, surname, and address are affected (Article 83(2)(g) GDPR), including also health data, when reporting the claimant's cholesterol tests, and their illness (hypothyroidism). | |||
==Comment== | |||
The sanctioned company made use of the following penalty reductions: recognition of its responsibility (20%) and voluntary and advance payment (20%). The penalty was therefore reduced from € 3000 to € 1800. | |||
==Further Resources== | |||
== Further Resources == | |||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
Latest revision as of 14:22, 13 December 2023
AEPD - PS/00249/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(b) GDPR Article 83(5)(a) GDPR 72 (1) (a) LOPDGDD 72 (1) (a) LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 24.10.2020 |
Published: | 24.10.2020 |
Fine: | 1800 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00249/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA (AEPD) maintains that a company can not process personal and health data for commercial purposes without the prior consent of the data subject, as this infringes Article 5(1)(b) GDPR.
English Summary
Facts
The complainant used the services of the defendant to download weekly menus. The complainant discovered days later that this company has used their personal data, full name and profile picture, and information about her cholesterol tests and her heart disease (hypothyroidism) to advertise their products, without her prior consent.
The Spanish DPA tried to contact the company in question and there was no response so the sanctioning procedure was initiated.
Dispute
Is the processing of personal and health data for commercial purposes without prior consent a breach of Article 5(1)(b) GDPR?
Holding
The Spanish DPA decided to impose a fine of € 3000 on the company in question for breach of data processing duties, as the complainant had not given their consent for their personal data or data on their state of health to be used for advertising purposes.
In this case, the aggravating factors applied are that it is an unintentional but significant negligent action (Article 83(2)(b) GDPR) and that basic identifiers such as name, surname, and address are affected (Article 83(2)(g) GDPR), including also health data, when reporting the claimant's cholesterol tests, and their illness (hypothyroidism).
Comment
The sanctioned company made use of the following penalty reductions: recognition of its responsibility (20%) and voluntary and advance payment (20%). The penalty was therefore reduced from € 3000 to € 1800.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00249/2020 RESOLUTION R/00437/2020 ON THE TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER In the sanctioning procedure PS/00249/2020, conducted by the Agency Spanish Data Protection Agency to VENU SANZ CHEF, S.L., in view of the complaint presented by A.A.A., and based on the following, BACKGROUND FIRST: On 3 September 2020, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning proceedings against VENU SANZ CHEF, S.L. (hereinafter, the claimed), by means of the Agreement which is hereby transcribed: << Procedure No.: PS/00249/2020 AGREEMENT ON THE INITIATION OF DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following FACTS FIRST: A.A.A. (hereinafter the complainant) dated 21 January 2020 filed a complaint with the Spanish Data Protection Agency. The claim is directed against VENU SANZ CHEF, S.L. with NIF B54984752 (in the claimed one). The grounds on which the complaint is based are that the claimant contracted the services of the claimant to download weekly menus, discovering days later that this company has used your personal data full name and photo profile, and information about your cholesterol tests and your hypothyroidism to advertise their products, without their prior consent. SECOND: In view of the facts denounced, on 3 March 2020 the The Commission has transferred the present complaint to the one filed by Notification, and on the expiry of The deadline given for not having access to this document is reiterated by post on 10 March 2020, being returned for "absence from distribution", despite having been referred to the postal address indicated in the privacy policy of the claimant responsible for the processing. THIRD: On 4 April 2020, notification is given of the resolution by which the Director of the Spanish Data Protection Agency, agrees to admit this claim. LEGAL GROUNDS I By virtue of the powers conferred on each of the parties by Article 58(2) of the GPRS authority, and as established in articles 47 and 48.1 of the LOPDPGDD, the The Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Article 6.1 of the RGPD, establishes the cases that allow to consider the processing of personal data is lawful. For its part, Article 5 of the RGPD establishes that personal data will be "(a) processed in a lawful, fair and transparent manner in relation to the data subject ("legality, fairness and transparency"); (b) collected for specified, explicit and legitimate purposes and not processed subsequently in a manner incompatible with those purposes; in accordance with Article 89, paragraph 1, the further processing of personal data for archiving purposes in public interest, scientific and historical research or statistical purposes are not will be considered incompatible with the initial purposes ("purpose limitation"); (c) adequate, relevant and limited to what is necessary in relation to the purposes for those who are processed ("data minimisation"); (d) accurate and, where necessary, updated; all measures shall be taken to delete or rectify without delay personal data that are inaccurate with respect to the purposes for which they are intended ("accuracy"); (e) maintained in such a way as to permit identification of the persons concerned for no longer than is necessary for the purposes of the processing personal; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research or statistical purposes, in accordance with Article 89(1), without prejudice to the implementation of technical and organisational measures This Regulation is designed to protect the rights and freedoms of the freedoms of the data subject ("limitation of the retention period"); (f) processed in such a way as to ensure appropriate security for the personal data, including protection against unauthorised or unlawful processing and against their accidental loss, destruction or damage, by implementing measures appropriate techniques or organisational arrangements ("integrity and confidentiality"). The controller is responsible for compliance with the provided for in paragraph 1 and capable of demonstrating it ("proactive responsibility"). Likewise, Article 32 of the LOPDGDD regulates the blocking of data, The following is established: "1. The data controller shall be obliged to block the data when proceed to their rectification or deletion. 2. The blocking of the data consists of the identification and reservation of the data, adopting technical and organisational measures, to prevent their processing, including its display, except for making the data available to judges and courts, the Public Prosecutor's Office or the competent public authorities, in data protection authorities in particular, in order to require possible responsibilities arising from the treatment and only for the duration of the themselves. After this period, the data must be destroyed. 3. Blocked data may not be processed for any other purpose of that indicated in the previous section. 4. When in order to comply with this obligation, the configuration of the information system does not allow blocking or an adaptation is required that involves a disproportionate effort, a safe copy of the information in such a way that there is digital or other evidence to enable prove the authenticity of the same, the date of the blocking and the non data during it. 5. The Spanish Data Protection Agency and the regional authorities within the scope of their respective competences, may to derogate from the blocking obligation laid down in this Article, in cases in which, given the nature of the data or the fact that they relate to a particularly high number of people affected, their mere preservation, even blocked, could generate a high risk for the rights of those concerned, as well as in cases where the retention of blocked data could involve a disproportionate cost for the controller". In the present case, the personal data of the complainant have been disclosed, making them accessible to third parties without their consent. Therefore, in accordance with the evidence available in the at the present time, and without prejudice to the outcome of the investigation, it is considered that From the facts denounced, it is clear that Article 5.1 b) of the RGPD has been violated, governing the principle of purpose limitation, according to which personal data will be collected for specific, explicit and legitimate purposes and will not be treated and the responsibility of the Member States for the implementation of the The proactive nature of the data controller's actions is such that compliance with them can be demonstrated. IV Article 72.1.a) of the LOPDGDD states that "in accordance with the provisions Article 83(5) of Regulation (EU) 2016/679 are considered very serious and will be subject to a three-year limitation period for infringements involving a substantial breach of the articles mentioned in that one and, in particular, the following ones: a) The processing of personal data in violation of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679 V Article 58(2) of the GPRS provides: "Each supervisory authority shall have all of the following corrective powers listed below: (b) to sanction any controller or person in charge of the processing with warning where processing operations have infringed the provisions of this Regulation; (d) order the controller or processor to carry out the processing operations treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame; (i) impose an administrative fine in accordance with Article 83, in addition to or in addition to place of the measures referred to in this paragraph, depending on the circumstances of each individual case; VI This infringement is punishable by a fine of up to or, in the case of an enterprise, an amount equivalent to a maximum of 4% of the total annual turnover for the previous financial year, opting for the in accordance with article 83.5 of the RGPD. Likewise, it is considered that the sanction to be imposed should be graduated in accordance with with the following criteria established in article 83.2 of the RGPD: The following are aggravating factors: In the present case we are dealing with unintentional but significant negligent action (Article 83.2 b) Basic personal identifiers (name, surname, address) are affected, according to Article 83.2 g), including also health data, when report on the claimant's cholesterol tests, and his cholesterol disease hypothyroidism. Therefore, in the light of the above, by the Director of Spanish Data Protection Agency, IT IS AGREED: FIRST: Initiate disciplinary proceedings against VENU SANZ CHEF, S.L, with NIF B54984752, for the presumed infringement of article 5.1 b) of the RGPD, typified in Article 83.5 a) of the RGPD, in relation to Article 72.1 a) of the LOPDGDD. SECOND: ORDER to VENU SANZ CHEF, S.L., with NIF B54984752, according with the provisions of Article 58.2(d) of the GPRS, so that the operations of treatment are in accordance with the provisions of the RGPD. THIRD: To appoint as instructor INSTRUCTOR.1 and, as secretary SECRETARY.1, indicating that any of them may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015 of 1 October, of the Public Sector Legal System (LRJSP). FOURTH: TO INCORPORATE into the sanctioning file, for evidential purposes, the claim by the claimant and his documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigation phase, as well as the report of previous Inspection actions. FIFTH: THAT for the purposes set forth in Article 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure for Public Administrations, the Any penalty would be 3,000 euros (three thousand euros) without prejudice of what results from the instruction. SIXTH: TO NOTIFY the present agreement to VENU SANZ CHEF, S.L., with NIF B54984752, giving you a period of ten working days to present the allegations and submit the evidence it deems appropriate. In its brief of claims must provide their VAT number and the procedure number in the heading of this document. If you do not make representations to this initiating agreement within the stipulated time, the may be considered as a motion for resolution, as set out in the Article 64.2.f) of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (LPACAP). In accordance with Article 85 of the LPACAP, in the event of that the sanction to be imposed is a fine, may acknowledge its responsibility within of the time allowed for the submission of representations on this agreement to begin; it which will be accompanied by a 20% reduction in the penalty to be imposed in the present procedure. With the application of this reduction, the penalty would be 2,400, with the procedure being resolved by the imposition of this sanction. Similarly, at any time prior to the resolution of the The Commission will, in accordance with the present procedure, carry out the voluntary payment of the proposed penalty, which will which will lead to a 20% reduction in its amount. With the implementation of this reduction, the penalty would be set at 2,400 euros and its payment would involve termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the one is to be applied for the recognition of responsibility, provided that this recognition of responsibility is shown within the time limit granted to make representations on the opening of the procedure. The payment of the amount referred to in the previous paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at EUR 1 800. In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the withdrawal or waiver of any action or remedy in the administrative sanction against the sanction. If you choose to proceed with the voluntary payment of any of the amounts indicated above, ('2,400 or 1,800) must be paid by depositing it in the account nº ES00 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction in the amount to which welcomes. You must also send proof of payment to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity entered. The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate Once this period has elapsed, it will expire and, consequently, the actions; in accordance with the provisions of Article 64 of the LOPDGDD Finally, it should be noted that in accordance with the provisions of Article 112.1 of the LPACAP, there is no administrative remedy against this act. Mar Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On 22 September 2020, the claimant has paid of the penalty in the amount of EUR 1800 by making use of the two reductions provided for in the Agreement initialled above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to make representations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanction and recognition of responsibility in relation to the facts referred to in the Home Agreement. LEGAL BASIS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS control, and in accordance with Article 47 of Organic Law 3/2018 of 5 December December, on the Protection of Personal Data and Guarantee of Digital Rights (en hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the article 84.3 of the GLT, and the offences defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on the services of the company information and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article 43.1 of that Act II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. A sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the penalty as appropriate. 2. When the sanction is solely of a pecuniary nature or when it fits impose a financial penalty and a non-pecuniary penalty but it has been justified the unsuitability of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at less 20% of the amount of the proposed penalty, which may be cumulated each other. These reductions must be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00249/2020, of in accordance with Article 85 of the LPACAP. SECOND: TO NOTIFY this resolution to VENU SANZ CHEF, S.L. In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as provided for by Article 114.1.c) of Law 39/2015, of 1 October, on Administrative Procedure The persons concerned may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from day following notification of this act, as provided for in Article 46(1) of the referred to Law. Mar España Martí Director of the Spanish Data Protection Agency