AEPD (Spain) - PS-00371-2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00371-2021 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00371-2021.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...") |
No edit summary |
||
Line 81: | Line 81: | ||
}} | }} | ||
The AEPD held that sending someone notifications regarding monetary fines directed at another person constitutes a violation of [Article 5 GDPR#1f]. As the data was not rectified in time after receiving a complaint, it also resulted in a breach of [Article 32 GDPR]. | The AEPD held that sending someone notifications regarding monetary fines directed at another person constitutes a violation of <nowiki>[[Article 5 GDPR#1f]]</nowiki>. As the data was not rectified in time after receiving a complaint, it also resulted in a breach of <nowiki>[[Article 32 GDPR]]</nowiki>. | ||
== English Summary == | == English Summary == | ||
Line 89: | Line 89: | ||
=== Holding === | === Holding === | ||
The AEPD held that the controller violated [Article 5 GDPR#1f] by giving the data subject access to personal data of the third party, thus giving way to sanctions according to [Article 85 GDPR#5a]. | The AEPD held that the controller violated <nowiki>[[Article 5 GDPR#1f]]</nowiki> by giving the data subject access to personal data of the third party, thus giving way to sanctions according to <nowiki>[[Article 85 GDPR#5a]]</nowiki>. | ||
Furthermore, the AEPD held that the controller also breached [Article 32 GDPR] as the technical and organisational measures taken by the controller were considered insufficient. The AEPD assumed that with appropriate measures a timely rectification of the data during the three weeks between the complaint of the data subject to the controller and the sending of the second e-mail should have been possible. This violation gave way to sanctions according to [Article 83 GDPR#4a]. | Furthermore, the AEPD held that the controller also breached <nowiki>[[Article 32 GDPR]]</nowiki> as the technical and organisational measures taken by the controller were considered insufficient. The AEPD assumed that with appropriate measures a timely rectification of the data during the three weeks between the complaint of the data subject to the controller and the sending of the second e-mail should have been possible. This violation gave way to sanctions according to <nowiki>[[Article 83 GDPR#4a]]</nowiki>. | ||
However, the AEPD imposed no fines in either of the two violations. Instead, according to [Article 58 GDPR#2d], the AEPD reprimanded the controller and ordered them to take measures within 30 days to ensure that a situation similar to the one in question will not happen again. | However, the AEPD imposed no fines in either of the two violations. Instead, according to <nowiki>[[Article 58 GDPR#2d]]</nowiki>, the AEPD reprimanded the controller and ordered them to take measures within 30 days to ensure that a situation similar to the one in question will not happen again. | ||
== Comment == | == Comment == |
Revision as of 15:01, 17 December 2023
AEPD - PS-00371-2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR Article 58(2)(d) GDPR Article 60 GDPR Article 83(2) GDPR Article 83(4)(a) GDPR Article 83(5)(a) GDPR Article 63(2) LOPDGDD Article 71 LOPDGDD Article 72(1)(a) LOPDGDD Article 73(f) LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.07.2019 |
Decided: | 27.04.2022 |
Published: | |
Fine: | n/a |
Parties: | HERTZ DE ESPAÑA, S.L. |
National Case Number/Name: | PS-00371-2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Marie |
The AEPD held that sending someone notifications regarding monetary fines directed at another person constitutes a violation of [[Article 5 GDPR#1f]]. As the data was not rectified in time after receiving a complaint, it also resulted in a breach of [[Article 32 GDPR]].
English Summary
Facts
On 5 July 2019 the data subject received an e-mail from Hertz España, a rental vehicle provider (the controller), containing information about monetary fines. These fines were directed at a third party, but sent to the data subject's e-mail address. Consequently, the data subject complained to the controller about this on the same day. In turn, the controller assured them on the 9 July 2019 that a rectification of the data had happened. However, the data subject received another e-mail directed at the third party on 29 July 2019. On the same day, the data subject submitted a complaint to the German data protection authority, which relayed it to the AEPD, the Spanish data protection authority. The complete deleting of the data subject's data from the third party's file was only achieved on 30 July 2023. The AEPD started an investigation and later initiated penalty proceedings. In its defense, the controller argued that the third party indicated the e-mail address of the data subject as their own themselves and that the error was most likely not made by an employee of the controller. Furthermore, the controller highlighted the uniqueness of the case and stated that it was a minor error with no lasting damage that was rectified as soon as possible. The controller also added that the data subject themselves only put the respective e-mail address into the controller's database on 7 February 2020, meaning the controller could not have confused the e-mail addresses of the data subject and the third party in 2019.
Holding
The AEPD held that the controller violated [[Article 5 GDPR#1f]] by giving the data subject access to personal data of the third party, thus giving way to sanctions according to [[Article 85 GDPR#5a]]. Furthermore, the AEPD held that the controller also breached [[Article 32 GDPR]] as the technical and organisational measures taken by the controller were considered insufficient. The AEPD assumed that with appropriate measures a timely rectification of the data during the three weeks between the complaint of the data subject to the controller and the sending of the second e-mail should have been possible. This violation gave way to sanctions according to [[Article 83 GDPR#4a]]. However, the AEPD imposed no fines in either of the two violations. Instead, according to [[Article 58 GDPR#2d]], the AEPD reprimanded the controller and ordered them to take measures within 30 days to ensure that a situation similar to the one in question will not happen again.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/15 File No.: PS/00371/2021 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: Through the “Internal Market Information System” (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the cross-border administrative cooperation, mutual assistance between States members and the exchange of information, was received in this Spanish Agency of Data Protection (AEPD) a claim dated July 29, 2019, made by a data subject to the data protection authority of Berlin (Germany). He Transfer of this claim to the AEPD is carried out in accordance with the provisions in article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council jo, of 04/27/2016, relating to the Protection of Natural Persons with regard to to the Processing of Personal Data and the Free Circulation of these Data (in the cessive, RGPD), taking into account its cross-border nature and that this Agency is competent to act as the main supervisory authority. The aforementioned claim is made against HERTZ DE ESPAÑA, S.L. (hereinafter HER- TZ), with registered office and sole establishment in Spain, in relation to the rental of Firefly Car Rental cars, of which he was a customer in Malaga, which repeatedly sent him mindly notifications about traffic fines, speed limit violations, etc., caused by third parties, to your email address ***USER.1. I had informed customer service through fireflycustomercarespain@fireflyca- rrental.com about the erroneous email and the violation of data protection, and was promised a fix in early July. Provide email sent to your address in the name of A.A.A. ***ADDRESS.1. The data processing carried out affects interested parties in several States. two members. According to the information incorporated into the IMI System, in accordance with the provisions of article 60 of the RGPD, have declared themselves interested in the pre- this procedure, in addition to the supervisory authority of Berlin (Germany), the self- control authorities of: Denmark, Norway, Rhineland-Palatinate (Germany), Lower Sa- Ionia (Germany), Sweden, Portugal, France and Italy. SECOND: In view of the facts presented, the Subdirectorate General of Inspection of Data proceeded to carry out actions to clarify it, under the protection of the investigative powers granted to supervisory authorities in article 58.1 of the RGPD, being aware of the following extremes: Background C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/15 B.B.B., with address: ***ADDRESS.2, filed a claim against Hertz Spain ña, S.L., with NIF B28121549 and address at C/ JACINTO BENAVENTE, nº 2- EDF B-3ª PLANT - 28232 MADRID (MADRID). Reason why the sanctions have been sent to the email account ***USER.1 HERTZ representatives state that they have found an error in the database. contract data, where Ms. A.A.A., had been assigned as a con- tact in your rental contract, number (...) email ***USER.1. This email belongs to the complaining party, D. B.B.B. and not to Ms. A.A.A.. Consequently, there was an error in the database, where the person holding the rental contract had an email address assigned to it, ***USER.1, which belonged to a third party, the complaining party, D. B.B.B.. This error occurred at the time of data collection at the rental point, located at the Barcelona – El Prat Airport. Therefore, when the entity received the traffic sanctions on file, sent the informative emails to the email address assigned to the rental contract. ler, which turned out to be wrong. Reason why the right to rectification requested has not been correctly attended to. by the complaining party D.B.B.B. contacted the customer service of the brand Hertz España, S.L., Firefly Car Rental, on July 5, 2019, once received the first group of informative emails with a traffic fine, receiving a response to your rectification request on July 9, 2019, at 1:09 p.m. In the response sent from the email fireflycus- tomercarespain@fireflycarrentl.com, they apologized to D. B.B.B. and was informed that the email address had been deleted from Ms.'s file. A.A.A. The deletion of email from the sanctions file and the management program of Car+ contracts did not occur until July 30, which meant that, on July 29, July, a second email was sent to the address ***USER.1, with a second sanction linked to Ms. A.A.A.'s contract. According to the representatives of the entity, in the spirit of not incurring delays improper actions, Customer Service informed D. B.B.B. of that the data corresponding to the email had been rectified, as was the case in the file managed directly by this Service, although, and in parallel, the Service Customer Service department, following the established procedure, had requested the rectification of the data to the appropriate departments (sanctions file and program of Car+ contract management), which did not implement the change until July 30 of 2019, so, on this occasion, the rush to avoid incurring delays, entails C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/15 rum to be communicated to D. B.B.B. rectification of the required data days before that the effective deletion of the data occurred in all its systems. Since there was no time to delete the email data in the file sanctions and contract management program, when the second sanction was received. tion, on July 29, the informative communication was sent to D. B.B.B., implementing The final rectification of the data, in all systems, will take place on July 30. Detail of the measures adopted to address the right of rectification and to avoid allow new traffic sanctions to be sent to other clients The measures adopted by the entity for the complete deletion of the data object of rectification requested by D.B.B.B., that is, the deletion of his email ***USER.1, were the following: Yo. July 9, 2019, deletion of the email from the file assigned by Customer Service to the contract (...), whose owner is Ms. A.A.A., in which the email of the complaining party, D. B.B.B.. That same day, July 9, a request was made by the Security Service Customer Service for deleting the email in the file fine management and rental contract management program Car+. Yo. On July 30, 2019, the email data was deleted in the Car+ contract management file. iii. On July 30, 2019, the email data was deleted in the management file of the fines linked to the contract (...), in its moment ment signed by Ms. A.A.A. THIRD: On August 21, 2020, the Director of the AEPD adopted a draft decision to archive the proceedings. Following the established process in article 60 of the GDPR, on 08/31/2020 this draft decision and the authorities concerned were made aware that they had four weeks from that moment to formulate relevant objections and motivated. Within the period granted for this purpose, the Berlin supervisory authority presented its pertinent and motivated objections for the purposes of the provisions of the article 60 of the RGPD, in the sense that it considered that an archive of the actions but that the case was analyzed and a warning was issued given that a violation of the GDPR had occurred. FOURTH: On July 19, 2021, the Director of the AEPD adopted a project revised agreement to initiate sanctioning proceedings. Following the process is- established in article 60 of the RGPD, that same day this document was shared on the IMI system and the supervisory authorities concerned were made aware that they had two weeks from that moment to formulate relevant and reasoned objections. Once the period for this purpose has elapsed, the interested control authorities do not present There were pertinent and motivated objections in this regard, so it was considered that all C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/15 the supervisory authorities agreed with the revised draft decision and were bound by it, in accordance with the provisions of section 6 of the Article 60 of the GDPR. FIFTH: On August 16, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against HERTZ DE ESPAÑA, S.L., in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1- tuber, of the Common Administrative Procedure of Public Administrations (in hereinafter, LPACAP), for the alleged violation of article 32 of the RGPD and article 5.1.f) of the RGPD, typified, respectively, in article 83.4 and 83.5 of the RGPD. SIXTH: On January 14, 2022, the Director of the Spanish Agency for Data Protection issued a resolution to rectify errors in the aforementioned agreement. initiation of sanctioning proceedings and granted HERTZ DE ESPAÑA, S.L a new deadline for him to formulate the allegations and propose the evidence he considers appropriate. dents, in accordance with the provisions of section f) of article 64.2 of the LPA- CHAP. SEVENTH: The aforementioned resolution to rectify errors in the agreement was notified. At the beginning, HERTZ presented a written statement of allegations in which, in summary, it stated that: FIRST.- ABOUT THE SUPPOSED ERROR IN THE DATABASE OF CONTRACTS After an exhaustive internal investigation to delve into what happened, HERTZ has you doubt the existence of the error because of the following: - Contract number (...) with Ms. A.A.A., whose postal address, as indicated This is ***ADDRESS.1, dated May 21, 2019, having been this person who provided the email address motu proprio ***USER.1. - Subsequently, the email address ***USER.1 appears in the HERTZ contract database at a much later date, 7 February 2020, but this time associated with D. C.C.C. in the contract (...), whose postal address, as indicated by this one, is ***ADDRESS.2, having been provided by D.B.B.B. and that he appeared as an additional driver (he attached screen print of the contract record in the database as Document 2). - The fact of the uniqueness of this email address, which combines letters and numbers, the letters corresponding to the initials of the complaining party, leads us to conclude that it is very unlikely that the error was given at the time of entering them into the database by the personnel of HERTZ, but was provided by the person who signed contract number (...), of date May 21, 2019. - How is it feasible to issue traffic fines for violations that occur in 2019 to an email address provided in 2020? It is from every point impossible. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/15 Based on the above, it should be noted that any communication that had to be carried out carried out, as is the case of notifications of traffic fines by the corresponding outstanding infractions committed by Ms. A.A.A., was sent to the email address electronic provided at the time of contracting the car rental (year 2019), without that an error was possible given the uniqueness of the email address mentioned. This implies that the error in assigning the email address could be ruled out. email ***USER.1 to the contract (...) with Ms. A.A.A.. SECOND.- ABOUT THE SINGULARITY OF THE CASE. NON-EXISTENCE OF REITERA- TION OF CONDUCT BY HERTZ ESPAÑA. ISOLATED FACT, SUB- HEALED AND COMMUNICATED TO THE CUSTOMER. As the Agency points out in the Initiation Agreement (p. 10, paragraph): “it was a specific case (of which there is no similar history in this Agency” and which is would explain the fact that Mrs. A.A.A. provide the email address unique already mentioned. Furthermore, as the Agency knows, HERTZ proceeded to act immediately with the purpose of trying to provide a solution as soon as possible to the claim made by the complaining party. Specifically, the chronology of actions carried out by HER- TZ was the following: - On July 5, 2019, the complaining party sent an email to attention to the client indicating that the email address ***USER.1 is in- correct since it is not for A.A.A.. - On July 9, 2019 (i) your email was responded to indicating that has deleted the email address and we apologize and (ii) calls for the deletion of the email in the fines management file and in its Car+ rental contract management program. Even though the complaining party has received two emails, it understands We believe that it is also relevant that this situation has not occurred in no other case, nor that the complaining party has raised any other claim against HERTZ in relation to this matter. Therefore, no harm has occurred to the complaining party whose email address email appeared linked to Ms. A.A.A., who would have provided it in 2019, before the complaining party provided that same address in another con- vehicle rental deal that is in no way related to the first one. It is difficult to maintain with this new data, that it was a mistake in the introduction of the di- email address in the contract (...), but the email address electronic was provided to HERTZ, which would explain the uniqueness of the case. Even admitting that it was (which is not done), we agree with the Agency that This is a very minor case, which has not caused any damage and which C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/15 It was solved practically immediately. THIRD.- ABOUT WHAT IS REQUESTED BY THE BER- CONTROL AUTHORITY LÍN IN HIS OBJECTIONS. We understand that there is a disparity between what the Berlin Authority requests and what that the Agency agrees to. The Agency itself expresses in its Resolution what the control authority requested of Berlin in its pertinent and motivated objections is that: (sic) “the case will be analyzed and a warning was issued” (Third Fact, page 5), not that a procedure was initiated. sanctioning action against HERTZ. The Berlin authority has filed an objection in a case that, as is known to the Agency itself, would not be serious, and it is also necessary to remember that initially, The Agency had proposed archiving the proceedings. If the Berlin supervisory authority did not request the opening of sanction proceedings dor, it could be considered that, with the investigative powers attributed to the Agency, and having previously obtained from HERTZ “all the necessary information for the exercise of its functions” (article 58.2.1) of the RGPD), could direct a warning authorization to HERTZ in accordance with the corrective power attributed to it by the article 58.2.b) of the RGPD. However, we fully understand that the Agency has to act through the mechanisms available in our legal system and We also appreciate the fact that you consider issuing a warning in the terms indicated in the Startup Agreement. EIGHTH: On February 16, 2022, the instructor of the procedure formulated proposed resolution, in which he proposed that the Director of the AEPD address a warning to HERTZ DE ESPAÑA, S.L., with NIF B28121549, for an infringement of article 32 of the RGPD and article 5.1.f) of the RGPD, typified, respectively, in article 83.4 and 83.5 of the GDPR. And that HERTZ DE ESPAÑA, S.L. be ordered, with NIF B28121549, to adopt, within a period of thirty days, the measures aimed at guaranteeing ensure that situations such as the one that is the subject of this complaint do not occur again. mation. Likewise, HERTZ was granted a period of TEN DAYS for allegations to that he could allege whatever he considered in his defense and present the documents and information that you consider relevant. Once the aforementioned proposed resolution has been notified and the deadline for this purpose has elapsed, it has been verified that no allegation has been received from HERTZ. In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS FIRST: On July 5, 2019 at 11:36 a.m. an email is received from the address noreply@gesthispania.com to the address ***USER.1, with the subject “Notification of traffic fine”, addressed to A.A.A., address ***ADDRESS.1 and the si- C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/15 following text (in English): “Madrid 07-05-2019 Dear Customer, We are writing to you regarding your rental with Firefly in Spain (Registration ***NUMBER.1) from 05/21/2019 to 05/25/2019. We have received a notification from a local authority ((REMESA) SERVEI CATALA OF TRANSIT TARRAGONA) about a traffic violation during his period of registration. quiler. Please find attached a copy of the sanction (It is informational only and you will receive the official notification at your home). Therefore, we inform you that in compliance with Article 11 of the Royal Legislative Decree- tivo 6/2015, of October 30, which approves the consolidated text of the Law on Traffic, Motor Vehicle Circulation and Road Safety, we have identified you ted as the driver of the vehicle. Therefore, we will proceed to charge your credit card the sum of XX.XX euros (plus VAT, total: XX euros) corresponding to Hertz charges for identification mentioned as indicated in the Terms and Conditions of the Rental Agreement. ler. If you do not charge this amount to your credit card, we will proceed formally. mind to demand the amount of money mentioned above in the bank account from Hertz de España, S. L in the account number: 0000-0000-00-0000000000 (IBAN CODE: ES00 0000-0000-00-0000000000, SWIFT CODE: (…)XXX). It is now at the discretion of the authorities whether to issue a notification for payment of the fine itself. We inform you that we are not in a position to review or litigate any aspect of these cases. Any possible dispute must be raised directly to the competent authority, in case you contact you directly. Thank you for choosing Firefly. Kind regards". SECOND: On July 5, 2019 at 12:45 p.m., a response email is sent. put from the email address of the complaining party to fireflycusto- mercarespain@fireflycarrental.com with the following text (in English): “Sorry, always If you use the wrong email address, please correct your information, this address Email information is not from A.A.A. ***ADDRESS.1”. THIRD: On May 21, 2019 Ms. A.A.A. rented a car with Firefly Car Rental (HERTZ DE ESPAÑA, S.L.), from 05/21/2019 to 07/25/2019, rental contract number (...). This contract had been assigned in the HERTZ database, as email contact, the email ***USER.1, which belongs to the complaining party. keep FOURTH: On July 9, 2019 at 1:09 p.m., an email was sent from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/15 address fireflycustomercarespain@fireflycarrentl.com to the address ***USER.1 with the following text (in English): “Good morning, Mr. B.B.B.; Thank you for contacting Firefly Spain. We have removed your email address from Mrs.'s profile. A.A.A. We don't know why it was added to it. We apologize for any inconvenience. Kind regards" FIFTH: On July 9, 2019, the email was deleted from the assigned file. by the Customer Service to the contract (...), whose owner is Ms. A.A.A., in which D. B.B.B.'s email was erroneously linked. That same day, July 9, a request was made by the Customer Service te stops the deletion of the email in the fine management file and in the Car+ rental contract management program. The deletion of email from the sanctions file and the management program of Car+ contracts did not occur until July 30, 2019, which made the day July 29, 2019, a second email was sent to the address ***USUA- RIO.1, with a second sanction linked to Ms. A.A.A.'s contract. Also the July 30, 2019 the email data was deleted from the management file of the fines linked to the contract (...), at the time signed by Ms. A.A.A. SIXTH: The email address ***USER.1 appears in the database. of HERTZ contracts on February 7, 2020, associated with D. C.C.C. on the contrary to (...), whose postal address, as indicated, is ***ADDRESS.2, having been provided by D.B.B.B. and that he appeared as an additional driver. FOUNDATIONS OF LAW Yo Competition and applicable regulations In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Re- General Data Protection Regulation, hereinafter RGPD), grants each authorization control and in accordance with the provisions of articles 47 and 48.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of rights. digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed ted by the Spanish Data Protection Agency will be governed by the provisions of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/15 Regulation (EU) 2016/679, in this organic law, by the regulatory provisions- dictated in its development and, insofar as they do not contradict them, with a sub- subsidiary, by the general rules on administrative procedures.” II Previous issues In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is the processing of personal data, since HERTZ carries out, in- Among other treatments, the collection, conservation, consultation and deletion of personal data. details of your clients, such as: name and surname, address and email address electronic. HERTZ carries out this activity in its capacity as data controller, given which is the one who determines the ends and means of such activity, by virtue of article 4.7 of the GDPR. Within the principles of processing provided for in article 5 of the GDPR, the integrity The quality and confidentiality of personal data is guaranteed in section 1.f) of the article. article 5 of the GDPR, while the security of the processing of this data is required regulated in article 32 of the GDPR. III Allegations alleged In relation to the allegations alleged to the agreement to initiate this proceeding, sanctioning procedure, we proceed to respond to them according to the order stated. by HERTZ. FIRST.- ABOUT THE SUPPOSED ERROR IN THE DATABASE OF CONTRACTS HERTZ claims that he doubts that there was an error on his part when recording the email address of the complaining party in Ms.'s contract. A.A.A., given that this contract is dated May 21, 2019 and that the claiming party appears as an additional driver in the contract (...), dated February 7, 2020. AND that, therefore, Ms. A.A.A. would have provided the email of the complaining party motu proprio. In this regard, this Agency would like to point out that it has not been verified at this time procedure the reason why the complaining party's email was associated with the Ms. contract A.A.A.. And it has been proven that the email in issue belongs to the complaining party. In any case, it appears that two emails have been sent with data personal information related to a traffic violation to an email address ownership of the complaining party. And one of these emails was sent with after the complaining party had notified HERTZ of this situation. SECOND.- ABOUT THE SINGULARITY OF THE CASE. NON-EXISTENCE OF REITERA- C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/15 TION OF CONDUCT BY HERTZ ESPAÑA. ISOLATED FACT, SUB- HEALED AND COMMUNICATED TO THE CUSTOMER HERTZ alleges that this was a specific case and that it would be explained by the fact that that Ms. A.A.A. Provide the email address already mentioned. No However, this Agency wishes to highlight that this point has not been proven and that it is irrelevant for the purposes of determining the existence or not of the infringements in question. Furthermore, HERTZ alleges that it proceeded to act immediately in order to try provide a solution as soon as possible to the claim made by the complaining party. AND that it is relevant that this situation would not have occurred in any other case, nor that the complaining party has raised any other claim against HERTZ in relation to this matter. It states that no harm has been caused to the complaining party. And that it is difficult to maintain ner that it was an error in entering the email address in the con- deal (...), but the email address was provided to HERTZ, which which would explain the uniqueness of the case. In this regard, this Agency wishes to point out again that the reasons why the di- email address of the complaining party was associated with the contract (...), has not been proven and that is irrelevant for the purposes of determining the existence of the infringements in question. HERTZ also alleges that, even admitting that it was (which is not done), he agrees with this Agency that it is a very minor case, which has not caused any damage and which was resolved practically immediately. In this regard, this Agency has nothing more to add. THIRD.- ABOUT WHAT IS REQUESTED BY THE BER- CONTROL AUTHORITY LÍN IN HIS OBJECTIONS HERTZ understands that there is a disparity between what the Berlin Authority requests and what this Agency agrees to, given that the Berlin supervisory authority in its objec- pertinent and motivated requests that: (sic) “the case be analyzed and a warning” (Third Fact, page 5), not that a sanctioning procedure was initiated. dor against HERTZ. And he alleges that, if the Berlin supervisory authority did not request the opening of proceedings, sanctioning authority, it could be considered that, with the investigative powers attributed to it, This Agency, could send a warning to HERTZ in accordance with the power rrective attributed to it by article 58.2.b) of the RGPD. However, it also adds that he perfectly understands that the Agency has to act through the mechanisms nisms available in our legal system and also appreciates the fact that consider issuing a warning under the terms indicated in the Initial Agreement. cio. In this regard, this Agency wishes to point out that, indeed, it must act through C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/15 the mechanisms available in our legal system (specifically, the LO- PDGDD), which is why this sanctioning procedure is being processed, there is no other different procedure. IV Integrity and confidentiality of personal data Article 5.1.f) “Principles relating to processing” of the GDPR establishes: "1. The personal data will be: (…) f) processed in such a way as to ensure adequate security of personal data. sonals, including protection against unauthorized or unlawful processing and against its accidental loss, destruction or damage, through the application of technical measures or appropriate organizational measures (“integrity and confidentiality”).” In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the personal data of one of the clients (Ms. A.A.A.), recorded in the HERTZ database, were independent duly exposed to a third party (the complaining party), violating the principles of integrity and confidentiality, on two occasions. The known facts are considered to constitute an infringement, attributable to HER- TZ, for violation of article 5.1.f) of the RGPD. V Classification of the violation of article 5.1.f) of the RPGD The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the violations typified in article 83.5 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20 000 000 or, trying- of a company, of an amount equivalent to a maximum of 4% of the volume of global annual total business of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for consent ment under articles 5, 6, 7 and 9; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contra- rias to this organic law.” For the purposes of the limitation period, article 72 “Infringements considered very serious” you see” of the LOPDGDD indicates: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/15 "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established two in article 5 of Regulation (EU) 2016/679. (…)” SAW Security measures Article 32 “Security of processing” of the GDPR establishes: "1. Taking into account the state of the art, the application costs, and the nature za, the scope, context and purposes of the processing, as well as probability risks and severity for the rights and freedoms of natural persons, the responsibility sable and the person in charge of the treatment will apply appropriate technical and organizational measures. measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes already, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and resilience permanent licensure of treatment systems and services; c) the ability to restore the availability and access to personal data of quickly in case of physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to ta the risks presented by data processing, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted stored, preserved or otherwise processed, or unauthorized communication or access. two to said data.” In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the decisive factor for failure to comply with security obligations occurs is the lack of guarantees. aunts regarding the security of the data processed. This will always be assumed if not implemented technical and organizational security measures or if the measures adopted all are not considered sufficient. In the present case, the complaining party received a second email, again including personal data of another client - with information on sanctions - on July 29, 2019, almost three weeks later that HERTZ had confirmed that his data had been rectified. Of According to HERTZ, this was due to a misunderstanding between the departments of Customer Service and sanctions and contract management. If they had been adopted sufficient technical and organizational measures, it could be assumed at first C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/15 that the email would have been assigned to the corresponding customer in the database data and that, in addition, the rectification of this email address in the database of customer data and in all relevant systems of the organization could be implemented in less time, so the complaining party would not have received send a second email with additional information. Therefore, the known facts are considered to constitute an infringement, attributed ble to HERTZ, for violation of article 32 of the RGPD. VII Classification of the violation of article 32 of the RGPD The aforementioned violation of article 32 of the RGPD implies the commission of typical violations. pified in article 83.4 of the RGPD that under the heading “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 10 000 000 or, trying- of a company, of an amount equivalent to a maximum of 2% of the volume of global annual total business of the previous financial year, opting for the highest amount: a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “Consti- The acts and conduct referred to in sections 4, 5 and 6 are considered infractions. of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law.” For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, considered serious and will prescribe after two years the infractions that involve a violation. substantial portion of the articles mentioned therein and, in particular, the following: (…) f) The lack of adoption of those technical and organizational measures that result have appropriate measures to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of the Regulation (EU) 2016/679”. (…) VIII Penalty for violation of article 5.1.f) and article 32 of the RGPD Without prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulation provides in section 2.b) of article 58 “Powers” the following: “Each supervisory authority shall have all the following corrective powers indicated: listed below: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/15 (…) b) send a warning to any person responsible or in charge of processing when the processing operations have infringed the provisions of the pre- sente Regulation; (…)” For its part, recital 148 of the GDPR indicates: “In the case of a minor infringement, or if the fine that would probably be imposed constitutes a disproportionate burden on a natural person, instead of sanction through fine, a warning may be imposed. However, special attention must be paid tion to the nature, severity and duration of the infringement, to its intentional nature, to the measures taken to alleviate the damages and losses suffered, to the degree of responsibility bility or to any relevant prior violation, to the manner in which the authority of control has been aware of the infraction, to compliance with ordered measures. against the person responsible or in charge, to adherence to codes of conduct and to any “any other aggravating or mitigating circumstance.” In accordance with the evidence available at the present time, solution of sanctioning procedure, it is considered that the violation in question is slight for the purposes of article 83.2 of the RGPD given that in the present case, considering because it was a specific case, the consequence of a specific error (of which similar antecedents exist in this Agency), and that was corrected shortly, but means to consider a decrease in guilt in the facts, which is why it is considered in accordance with the law, not impose a sanction consisting of an administrative fine and replacement. blame her for sending a warning to HERTZ. IX Imposition of measures Among the corrective powers provided in article 58 “Powers” of the GDPR, in the section 2.d) establishes that each control authority may “order the person responsible ble or processor that the processing operations comply with the provisions of this Regulation, where applicable, in a certain manner and within a specified period…”. In this sense, it is considered appropriate to issue a warning and with the corrective measure of article 58.2.d) of the RGPD, so that within 30 days it proceeds to adopt measures measures aimed at guaranteeing that situations such as the one in question do not occur again. subject of this claim. The text of the resolution establishes what infractions have been committed and the events that have given rise to the violation of the data protection regulations cough, from which it is clearly inferred what measures to adopt, without prejudice to that the type of procedures, mechanisms or specific instruments to implement tarlas corresponds to the sanctioned party, since it is the person responsible for the treatment who knows its organization fully and must decide, based on the responsibility active and risk-focused, how to comply with the RGPD and the LOPDGDD. Therefore, in accordance with the applicable legislation and evaluated the graduation criteria tion of sanctions whose existence has been proven, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/15 the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DIRECT HERTZ DE ESPAÑA, S.L., with NIF B28121549, for an infringement tion of article 32 of the RGPD and article 5.1.f) of the RGPD, typified, respectively, in article 83.4 and 83.5 of the RGPD, a warning. ORDER HERTZ DE ESPAÑA, S.L., with NIF B28121549, to be adopted, in the within thirty days, the measures to ensure that they do not occur again situations such as that of the subject of this claim. SECOND: NOTIFY this resolution to HERTZ DE ESPAÑA, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the inter- rescheduled may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution or directly contentious appeal administrative before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the additional provision final fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction- administrative, within a period of two months counting from the day following the notification. tion of this act, as provided for in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party do expresses his intention to file a contentious-administrative appeal. If so- If applicable, the interested party must formally communicate this fact in writing. addressed to the Spanish Data Protection Agency, presenting it through the Re- Electronic register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to through one of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer the documentation to the Agency that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal treatment within a period of two months from the day following notification of this resolution, would end the precautionary suspension. 938-100322 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es