AEPD (Spain) - PS/00282/2020

From GDPRhub
Latest revision as of 14:25, 13 December 2023

AEPD - PS/00282/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
21(1) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 12000 EUR
Parties: PROSAD CONSULTORES SL
National Case Number/Name: PS/00282/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The AEPD fined a consultancy company €12,000 for sending an unsolicited commercial communication to the complainant, after they had been previously fined for the same reason.

English Summary

Facts

A Complainant filed a complaint with the AEPD pleading that Prosad Consultores, a consultancy company, had sent him an unsolicited commercial communication after they had already been found guilty of infringing the prohibition on sending unsolicited commercial communications, both to the Complainant himself and, in a different proceeding, following a complaint from another complainant.

This email contained an advertisement of the services of the controller.

The Respondent alleged that they only had a database of email addresses that are not linked to names or persons, and therefore that they did not know to whom they were sending the emails. They also alleged that their emails offer recipients the possibility of exercising their privacy rights.

The Spanish Information Society Services Act (LSSI), which implements the e-Privacy Directive, establishes in its Article 21(1) a prohibition on sending unsolicited commercial or marketing communications.

Dispute

Did the Respondent violate the Spanish Information Society Services Act by sending unsolicited commercial communications to the Complainant?

Holding

The AEPD found that the Respondent had violated Article 21(1) LSSI by sending unsolicited commercial communications to the Complainant and fined them €12,000. The AEPD took into account the following factors when establishing the amount of the fine:

  • The repeated infringement, with regard to the Complainant and different people.
  • The intentionality, as the AEPD treats the refusal to implement measures to prevent this from happening as intent.
  • There are no other infringements, and the infringement is not serious.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure No. PS / 00282/2020



               RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following



                                 BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) dated May 11, 2020
filed a claim with the Spanish Data Protection Agency. The
claim is directed against PROSAD CONSULTORES, S.L. with NIF B64106198 (in

ahead, the claimed one). The reasons on which the claim is based are:

“[…] On 05/10/2010 I received a commercial communication by email
at my address *** EMAIL.1, without having previously requested or expressly
authorized, and without a prior contractual relationship. […]


It is important to note that this same company has already been denounced by me and
sanctioned with a 600 fine by the AEPD for sending spam to this same account
email in Procedure PS / 00336/2016 (R / 03277/2016), which
shows absolute disregard for compliance with these regulations.


But not only that, this same company has also been sanctioned by the AEPD for
sending SPAM in procedures PS / 00451/2016 (R / 00277/2017) and
PS / 00176/2018 (R / 00955/2018).

In addition, surprisingly, this same company was noticed for sending SPAM

also in Procedure A / 00003/2019 (R / 00178/2019), in breach of the AEPD the
legal mandate of art. 39 bis section 2 of the LSSI by which the Agency can only
warn when the offender had not previously sanctioned or warned
as a consequence of the commission of infractions foreseen in the LSSI. […] »


Along with the claim, the following documentation is attached:

1. Communication received by the claimed at the email address
<*** EMAIL.1> sent from <*** EMAIL.2> on May 10, 2020.


2. Plain header of received mail.

SECOND: Prior to the admission for processing of this claim, a
transferred the defendant, in accordance with the provisions of article 65.4 of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD) on June 2, 2020,

resulting in expiration of the electronic notification for non-appearance of the holder in the
Folder or Enabled Electronic Address (DEH). The transfer was reiterated by mail
postcard on June 15, 2020, the notification being delivered on June 22,
2020.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10









This communication recalled the obligation of legal persons and
entities without legal personality, as well as those who represent the subjects

obliged to interact with Public Administrations through the media
electronic, and this by virtue of article 14.2 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP). Likewise, he was warned that this communication via postal mail had
an exceptional nature, and that from now on notifications would be made
electronically.


On July 9, 2020, this Agency receives a written reply from the
claimed in which it shows, substantially, that:

“[…] 1- Decisions adopted regarding this claim


A- Review the measures in force in our database and our shipments of
information to guarantee the digital rights of citizens.

2- Accreditation of the answers provided to the claimant, we attach a copy of the
response emails (Annex 1. It should be noted that in the last email

email sent there is an error in the date reported as the time of purchase
from the database, the correct date is 12/18/2013 instead of 10/28/2019,
We also attach a copy as Annex 2).

3- Causes that have motivated the incident that has originated the claim.


A. We do not know, because this email address has received our information
since 2013 without any incident having occurred.

4- Measures adopted to avoid similar incidents and controls to verify their

effectiveness.

A- We have implemented the current regulations regarding the duty of
confidentiality, especially in security in data storage and in the non-dissemination of
the same.


B- Although in our case there is no data processing since it is
exclusively from email addresses without further information, we have
put into practice the consent of the affected party either through a declaration or
a clear affirmative action on our possession of personal data
that concern you, solely and exclusively email address. It is not

Possible identification of the person who owns the email address.

C- Make sure that data of minors is not in our possession, even if
as these are emails, it is very difficult to verify them.


D- Include in mailings the possibility of the right of access, rectification and
elimination of the data of the recipient of the information.



5- Above all, we want to make it clear that our database only contains
e-mail addresses, so there is no data processing nor is it put
the confidentiality of the recipients at risk. Although this is a handicap for

us when someone wants to unsubscribe and it turns out that they have redirected the
address to which we send the information to another from where we
request unsubscription. It is 99% of the problems we have with
receivers, since most of these do not remember having said redirection activated or
they do not inform us about it, so it is impossible for us to identify them.


At no time has the data been processed or disseminated, since we only have in
our database an email address of users without any
another piece of information and its usefulness is for sending information. […]. "

Despite what was stated in the letter, no documentation is attached.


THIRD: The claim was admitted for processing by resolution of the Director
of the Spanish Agency for Data Protection on September 2, 2020.

FOURTH: Through diligence dated September 21, 2019, they join the
file the anonymised resolutions relapsed in the procedures instructed to the

claimed PS / 00336/2016, PS / 00451/2016, PS / 00176/2018 and A-00003-2019.

FIFTH: On October 6, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the complained party, by the
alleged infringement of article 21.1 of Law 34/2002, of July 11, on Services of

the Information Society and Electronic Commerce (hereinafter, LSSI), typified
in article 38.4.d) of the aforementioned rule.

The electronic notification of the commencement agreement was made available to the defendant
on October 6, 2020 through the Electronic Notifications and Address Service

Enabled Electronics without the user accessing its content within 10 days
natural. In accordance with the provisions of article 43.2 of the LPACAP, the
Said notification must be understood as rejected.

SIXTH: Formally notified of the initiation agreement, the defendant has not submitted
brief of allegations, for which article 64.2.f) of the LPACAP applies, which

establishes that in case of not making allegations within the term provided on the
content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise statement about the responsibility
charged. Therefore, a resolution is issued.



In view of all the actions, by the Spanish Agency for Data Protection
In the present proceeding, the following are considered proven facts,



                                       FACTS

FIRST: On May 10, 2020 an email is received in the account <*** EMAIL.1>
from the account <*** EMAIL.2>.

SECOND: The images provided of the received mail show that it is a

communication in which the PROSAD communication consultancy publicizes its
services.

THIRD: The defendant makes the statement in his letter of July 9, 2020,
that the claimant has been receiving their emails since 2013 without incident.


FOURTH: There are four firm resolutions issued by the
Director of the Data Protection Agency declaring the commission of infringement of the
Article 21.1 of the LSSI by the claimed party, in the sanctioning procedures
PS / 00336/2016 (resolution of January 17, 2017), PS / 00451/2016 (resolution of

February 13, 2017), PS / 00176/2018 (resolution of May 23, 2018), and
warning procedure A / 00003/2019 (resolution of April 15, 2019).

FIFTH: The sanctioning procedure PS / 00336/2016 originated in a
claim filed by the same claimant for sending communications

electronic unwanted by the same claimed to the same email account.


                            FOUNDATIONS OF LAW


                                             I

The competence to sanction the commission of the offenses typified in the
Articles 38.3 c), d) and i) and 38.4 d), g) and h) of the LSSI, corresponds to the Agency
Spanish Data Protection, according to article 43.1 of said Law.


                                            II

The defendant is charged with the commission of an infraction for violation of 21.1 of the
LSSI. The literal tenor of this article is as follows:


"1. The sending of advertising or promotional communications by
email or other equivalent electronic means of communication that
had not previously been requested or expressly authorized by the
recipients of the same.


"2. The provisions of the previous section will not apply when there is a
prior contractual relationship, provided that the provider had obtained lawfully
the recipient's contact details and will use them to send communications
commercial related to products or services of your own company that are

similar to those that were initially contracted with the client.

"In any case, the provider must offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure
and free, both at the time of data collection and at each of the

commercial communications that you direct.



"When the communications had been sent by email, said
means must necessarily consist of the inclusion of an email address
email or other valid email address where this right can be exercised,

it is forbidden to send communications that do not include said address. "

The offense is typified in article 34.4 of the aforementioned rule, which provides:

4. The following are minor offenses:


[…] D) Sending commercial communications by email or other means of
equivalent electronic communication when such shipments do not comply with the
requirements established in Article 21 and does not constitute a serious offense. "

This offense can be sanctioned with a fine of up to € 30,000, in accordance with the

Article 39.1.c) of the LSSI.

For the purposes of the statute of limitations for infractions, the infraction indicated in the
The preceding paragraph prescribes after 6 months, in accordance with article 45 of the LSSI.

                                             III


Article 21.1 of the LSSI expressly prohibits commercial communications
aimed at the direct or indirect promotion of the goods or services of a company,
organization or person that carries out a commercial, industrial, artisanal or
professional, without the express consent of the recipient, although this prohibition

finds its exception in the second paragraph of the aforementioned article. This prohibition like this
referred to, part of a commercial communication concept that is classified as
service of the information society and to define these concepts, it will be
It is necessary to go to the annexes of the LSSI itself.


The LSSI, in its annex a), defines as an Information Society Service, “all
service normally provided for consideration, remotely, electronically and via
individual request of the recipient.

The concept of information society service also includes the
services not remunerated by their recipients, insofar as they constitute a

economic activity for the service provider.

They are services of the information society, among others and provided that they represent
an economic activity, the following:


[…]

4th The sending of commercial communications

[…] ”.


And later, in Annex f) it defines the concept of commercial communication of the
Following way:


"F) Commercial communication": any form of communication aimed at promoting,
direct or indirect, of the image or of the goods or services of a company,
organization or person that carries out a commercial, industrial, artisanal or

professional.

For the purposes of this Law, the
data that allow direct access to the activity of a person, company or
organization, such as domain name or email address, or
communications regarding the goods, services or image offered

when they are prepared by a third party and without economic consideration ”.

As can be seen, it will be in those cases in which the communication
commercial does not meet the requirements required by the concept of Company Services
of the Information, when it loses the character of commercial communication. On the one hand,

the data that allow direct access to the activity of a person, company or
organization, such as domain name or email address, and,
on the other, communications relating to the goods, services or image that are
offer when they are prepared by a third party and without economic consideration.

                                           IV


Once exposed, in the previous legal basis, the conceptual legal framework that
It is applicable to commercial communications sent by mail
electronic or equivalent electronic means of communication, it is necessary to indicate
that article 19.2 of the LSSI itself stipulates that "In any case, it will be applicable

Organic Law 15/1999, of December 13, on the Protection of Character Data
Personnel, and its implementing regulations, especially with regard to obtaining
of personal data, information to interested parties and the creation and maintenance of
personal data files ”.


From the aforementioned precept, it follows, therefore, that the regulations of
protection of personal data, although the referral made to the Law
15/1999 has to be interpreted as made to the current regulations in force: the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) and Organic Law 3/2018, of December 5, on Data Protection
Personal and guarantee of digital rights.


As a consequence of the foregoing, in relation to the consent of the recipient
for the processing of your data in order to send you communications
electronic means, it is necessary to consider the provisions of the regulations of
data protection and, specifically, in article 4.11) of the RGPD, which defines the

"Consent of the interested party" as "any manifestation of will, free,
specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
they concern him; ”.


For its part, article 6.1.a) of the RGPD establishes the "Legality of the
treatment ”that:

"1. The treatment will only be lawful if at least one of the following is met

terms:

a) The interested party gave their consent for the processing of their personal data

for one or more specific purposes; "

In turn, article 7 of the RGPD determines the “Conditions for the
consent ”that:

"1. When the treatment is based on the consent of the interested party, the person in charge

must be able to demonstrate that he consented to the processing of his data
personal.

2. If the consent of the interested party is given in the context of a written statement
that also refers to other matters, the request for consent will be submitted

such that it is clearly distinguishable from other subjects, intelligibly and clearly
easy access and using clear and simple language. No part will be binding
of the declaration that constitutes an infringement of these Regulations.

3. The interested party will have the right to withdraw their consent at any time. The
Withdrawal of consent will not affect the legality of the treatment based on the

consent prior to its withdrawal. Before giving consent, the interested party
you will be informed of it. It will be as easy to withdraw consent as it is to give it.

4. When evaluating whether consent has been freely given, it will be taken into account in the
as much as possible the fact whether, among other things, the performance of a contract,

including the provision of a service, is subject to consent to the treatment of
personal data that are not necessary for the execution of said contract. "

Regarding the right of opposition, sections 2 to 4 of article 21 of the RGPD
have the following:


"2. When the processing of personal data is for marketing
direct, the interested party will have the right to object at any time to the treatment of
personal data concerning you, including profiling in the
insofar as it is related to the aforementioned marketing.


3. When the interested party opposes the treatment for direct marketing purposes,
personal data will no longer be processed for these purposes.

4. At the latest at the time of the first communication with the interested party, the
right indicated in sections 1 and 2 will be explicitly mentioned to the interested party

and it will be presented clearly and apart from any other information.

5. In the context of the use of information society services, and not
Notwithstanding the provisions of Directive 2002/58 / EC, the interested party may exercise his
right to object by automated means that apply specifications

techniques. "

Thus, in accordance with the transcribed precepts, the consent granted
for the receipt of advertising by electronic means of communication, in addition to

prior, free, specific and unequivocal, must be informed, offering the possibility
to oppose said treatment for promotional purposes and warning about the
right to withdraw consent at any time. This information as well
configured should be taken as a necessary budget to give validity to the
manifestation of the will of the affected party.


                                          V

In the present case, the assessment of the set of factual elements
in the sanctioning procedure, it is shown that PROSAD
CONSULTORES S.L. sent, on May 10, 2020, a commercial communication to the

Claimant's email account *** EMAIL.1 without authorization
prior and express of the recipient for it.

The statement thus made about the unsolicited nature or expressly
consented to by the receiver, is based on the antecedent of the claim

made by the same claimant on February 10, 2016 by
commercial communications received in the same email account and unsolicited
with respect to which the claimed person was identified as responsible. The referred
claim originated the instruction of a sanctioning procedure (PS / 00336/2016)
which ended with the imposition of a sanction for violation of article 21.1 of the LSSI
by resolution of the Director of the Spanish Agency for Data Protection of

January 16, 2017. Contrary to what was stated by the defendant in his brief of
reply, the owner of this email account had already revealed that
clearly your lack of consent to receive commercial communications from the
reclaimed. In addition, as mentioned above, Article 7 of the RGPD makes
The responsibility of the data controller shall be obliged to demonstrate that he has the
consent of the interested party, something with respect to which the complainant has not presented

no proof.

On the other hand, the facts described would not be covered in a relationship
prior contractual agreement that would allow the application of the exception contained in article
21.2 of the LSSI, since the defendant has never even argued that
such a contractual relationship may exist with the claimant.


                                          VI

The corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, are established in article 58.2 of the RGPD. Between
they have the power to sanction with warning -article 58.2 b) -, the

Power to impose an administrative fine in accordance with article 83 of the RGPD
-article 58.2 i) -, or the power to order the person in charge of the treatment
that the processing operations comply with the provisions of the RGPD, when
proceed, in a certain way and within a specified period - article 58. 2
d) -.


According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.


                                           VII

For the purposes of setting the sanction to impose on the claimed party, it is considered that

graduate the sanction to be imposed according to the following criteria established by the
Article 40 of the LSSI:

As aggravating factors:

• Recidivism due to the commission of infractions of the same nature, when there is

been declared by final resolution (article 40, letter c). The concurrence of this
circumstance would be credited to having issued four final resolutions that declare
the commission of infringement of article 21.1 by the defendant, in the
sanctioning procedures PS / 00336/2016 (resolution of January 17, 2017),
PS / 00451/2016 (resolution of February 13, 2017), PS / 00176/2018 (resolution of

May 23, 2018), and warning procedure A / 00003/2019 (resolution of
April 15, 2019).

• Existence of intentionality (article 40, letter a): taking into account the antecedents

reported in the previous paragraph, the conduct of the defendant would come to put
I manifest a lack of will in the implementation of measures that prevent the shipment
promotional communications not requested or expressly authorized by the
receiver and without the exception contemplated in article 21.2 of the LSSI.

As mitigating factors:


• The nature and amount of the damages caused (article 40, letter d): there is no
evidence of other damages suffered by the claimant, apart from the receipt no
requested of the communication.


Based on the foregoing, it is considered that the sanction that would correspond to impose is
TWELVE THOUSAND EUROS (€ 12,000).


Considering the aforementioned precepts and others of general application, the Director of the Agency

Spanish Data Protection RESOLVES:


FIRST: IMPOSE PROSAD CONSULTORES, S.L. with NIF B64106198, for
an infraction of Article 21.1 of the LSSI, typified in Article 38.4.d) of the LSSI,

a fine of TWELVE THOUSAND EUROS (€ 12,000.00).

SECOND: NOTIFY this resolution to PROSAD CONSULTORES, S.L. and
inform the claimant

THIRD: Warn the sanctioned person that the sanction imposed must be effective

once this resolution is enforceable, in accordance with the provisions of the
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17

December, by entering the restricted account number ES00 0000 0000 0000 0000
0000, opened in the name of the Spanish Agency for Data Protection in the entity

banking CAIXABANK, S.A. or otherwise, it will be collected in
executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to administrative proceedings (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the

Public Administrations, the interested parties may file, optionally,
appeal for reconsideration before the Director of the Spanish Agency for Data Protection
within a month from the day following notification of this
resolution or directly administrative contentious appeal before the Chamber of
Contentious-administrative of the National Court, in accordance with the provisions of the

Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulator of the Contentious-Administrative Jurisdiction, within the period of
two months from the day following the notification of this act, as
provided for in article 46.1 of the aforementioned legal text.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public, the final resolution may be suspended provisionally through administrative channels if
the interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious-administrative
appeal. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


                                                                                  812-151020
Mar Spain Martí

Director of the Spanish Agency for Data Protection






