AEPD (Spain) - EXP202202164: Difference between revisions

AEPD - EXP202202164
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1) GDPR Article 13 GDPR Article 83(5) GDPR Article 83(6) GDPR
Type:	Complaint
Outcome:	Upheld
Started:	16.01.2022
Decided:	28.09.2022
Published:	28.09.2022
Fine:	2,000 EUR
Parties:	n/a
National Case Number/Name:	EXP202202164
European Case Law Identifier:	n/a
Appeal:	Not appealed
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	mgrd

AEPD fined in €2,000 a website for non-GDPR compliant privacy policy, violating Article 13 GDPR.

English Summary

Facts

On January 16, 2022 the data subject complaint against ORI S.L. for not having a privacy policy on the website in which personal data are collected through multiple forms, only one of them informs about the processing of personal data.

During the procedure, the data subject included different screenshots of the website.

On March, 2022, AEDP sent a notification to the data controller to, within a period of one month, to inform of the actions taken to adapt to the requirements set forth in the data protection regulations.

On June, 2022, ORI replied stating that all the sections of the web page contained informative boxes where they are obliged to communicate to the users with the following concept: "I agree that my personal data provided in the contact form be electronically processed and used for the purpose of contacting me. I am aware that I can remove my consent at any time".

Holding

AEPD fined the data controller in €2,000 for non-GDPR compliant website without privacy policy, violating Article 13 GDPR.

On September 26, 2022, the data controller made the voluntary payment of the fine and acknowledged its liability, leading to a reduce of the fine to €1,200.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/10








     File No.: EXP202202164



       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                     VOLUNTEER

From the procedure instructed by the Spanish Data Protection Agency and based

to the following


                                   BACKGROUND


FIRST: On August 26, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against ORI, S.l. (onwards,
the claimed party), through the Agreement that is transcribed:

<<



File No.: EXP202202164



            AGREEMENT TO START SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in
based on the following


                                       FACTS

FIRST: A.A.A. (hereinafter, the complaining party) dated January 16, 2022
filed a claim with the Spanish Data Protection Agency. The
claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The motives

on which the claim is based are the following:

Expresses the lack of privacy policy of the website where data is collected
personal data through multiple forms, only one informs about the treatment of
data, violating data protection regulations.


Along with the notification, the following is provided:

-Screenshot of a Google search for the domain ***URL.1, which offers
several results on Facebook, Instagram, tik tok...


-Screenshot of the detail of the BORME of ORI SL, in which they appear as the sole partner and
sole administrator B.B.B.

-Screenshot of the page “***URL.1/register/” on which a registration form appears

contact in which personal data is requested, and the privacy policy is not indicated.
privacy.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/10








-Screenshot of the page “***URL.1/hazte-soci” on which a registration form appears
contact in which personal data is requested, and the privacy policy is not indicated.
privacy.


-Screenshot of the page “***URL.1/solicita-tu-catalog/” in which a
contact form in which personal data is requested, and the policy is not indicated
of privacy, although the following text is added at the end of the questionnaire: “I accept that
my data provided in the contact form are processed electronically and
are used for the purpose of contacting me. I am aware that I can

revoke my consent at any time”

-Screenshot of the page “***URL.1/starter-kit/” on which a registration form appears
contact in which personal data is requested, and the privacy policy is not indicated.
privacy, although the following text is added at the end of the questionnaire: “I accept that my

Data provided in the contact form are processed electronically and are
used for the purpose of contacting me. I am aware that I can
revoke my consent at any time”

-Screenshot of the page “***URL.1/register/” on which a registration form appears
contact in which personal data is requested, with a link appearing at the end of it

to the privacy policy.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to ORI, so that

proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of

October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the
acknowledgment of receipt that appears in the file.

No response has been received to this transfer letter.


THIRD: On April 16, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On 06/09/2022, a letter was received from the ORI administrator in
which states that in all sections of the website ***URL.1 there are all

the information boxes where they are forced to communicate to users a box with
the following concept: “I accept that my data provided in the contact form
are processed electronically and are used for the purpose of contacting
with me. I am aware that I can revoke my consent at any time.
moment"


                           FOUNDATIONS OF LAW

                                           Yo

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/10








In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                            II
In accordance with article 5.1 of the RGPD, the processing of personal data must be governed
by the following principles:

"1. The personal data will be:
    a) treated in a lawful, loyal and transparent manner with the interested party (…)

2. The person responsible for the treatment will be responsible for compliance with the provisions
in section 1 and capable of demonstrating it”

One of the manifestations of the principle of transparency is the right that the RGPD
grants the data owners to receive information and the corresponding obligation that

requires the person responsible for the treatment to provide the interested party with the information that
They detail articles 12, 13 and 14 of the GDPR.

These last two provisions contemplate two different assumptions: That the data is
obtained directly from the interested party (article 13), as happens in the forms of

collection of data that ORI has included in the website of which it is the owner, or that
the data is not obtained from the interested party (article 14).

Article 13 of the GDPR states:

"1. When personal data relating to him or her is obtained from an interested party, the

responsible for the treatment, at the time these are obtained, will provide you
all information indicated below:
a) the identity and contact details of the person responsible and, where applicable, their
representative;
b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data are intended and the legal basis
of the treatment;
d) where the processing is based on Article 6, paragraph 1, letter f), the interest
legitimate of the person responsible or a third party;
e) the recipients or categories of recipients of the personal data, in their

case; f) where applicable, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of the transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/10








adequate or appropriate safeguards and the means to obtain a copy of these or
to the fact that they have been lent.


2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained
personal, the following information necessary to guarantee data processing
loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this period;

b) the existence of the right to request from the data controller access to the data
personal data relating to the interested party, and its rectification or deletion, or the limitation
of your treatment, or to oppose the treatment, as well as the right to portability
of the data
c) when the processing is based on Article 6(1)(a) or Article

9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide

personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to which
refers to article 22, paragraphs 1 and 4, and, at least in such cases, information
significant information about the applied logic, as well as the importance and consequences

foreseen of said treatment for the interested party.

3. When the data controller plans subsequent data processing
personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information about that other purpose

and any additional information relevant under paragraph 2. 4. The
The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
“that the interested party already has the information.”

Recitals 39 and 60 of the GDPR help clarify the scope of the right
of information provided to interested parties.


Recital 39 establishes: “All processing of personal data must be lawful and
loyal. For natural persons it must be completely clear that they are being collected,
using, consulting or otherwise processing personal data that they
concern, as well as the extent to which said data is or will be processed. The beginning

Transparency requires that all information and communication related to the treatment of
said data is easily accessible and easy to understand, and that a language is used
simple and clear. This principle refers in particular to the information of the
interested parties about the identity of the person responsible for the treatment and the purposes of the same and
to the added information to guarantee fair and transparent treatment with

regarding the affected natural persons and their right to obtain confirmation and
communication of personal data that concerns them that are subject to
treatment. Natural persons must be aware of the risks,
rules, safeguards and rights relating to the processing of personal data,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/10








as well as the way to assert your rights in relation to the treatment. In
In particular, the specific purposes of the processing of personal data must be
explicit and legitimate, and must be determined at the time of collection. […].”


Considering 60 clarifies that “The principles of fair and transparent treatment
require that the interested party be informed of the existence of the treatment operation and
its purposes. The person responsible for the treatment must provide the interested party with
additional information is necessary to guarantee fair treatment and
transparent, taking into account the specific circumstances and context in which

process personal data. The interested party must also be informed of the existence
of profiling and the consequences of such profiling. If the data
personal data are obtained from the interested parties, they must also be informed of whether they are
obliged to provide them and the consequences if they did not do so.”


In the present case, having examined the forms contained in the web pages of
ORI in which personal data is requested, it is observed that in at least five of
They are not informed of the company's privacy policy.

Therefore, in accordance with the evidence available at this time
agreement to initiate the sanctioning procedure, and without prejudice to what results from

the instruction, it is considered that the known facts could constitute a
infringement, attributable to ORI, for violation of article 13 of the RGPD

                                            III
If confirmed, the aforementioned violation of article 13 of the RGPD could mean the

commission of the infractions classified in article 83.5 of the RGPD that under the
The section “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,

In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
       (…)
       b) the rights of the interested parties under articles 12 to 22;
       (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”


For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve

a substantial violation of the articles mentioned therein and, in particular, the
following:
       (…)


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/10








       h) The omission of the duty to inform the affected person about the treatment of their
       personal data in accordance with the provisions of articles 13 and 14 of the
       Regulation (EU) 2016/679 and 12 of this organic law.”


                                          IV
For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence currently available
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with

the criteria established in article 83.2 of the RGPD.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 “Sanctions and corrective measures”
of the LOPDGDD.


If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the period
that is specified in the sanctioning resolution, proceed to complete the
privacy on all pages that collect personal data, without prejudice to others that
could arise from the instruction of the procedure, in accordance with the provisions
in the aforementioned article 58.2 d) of the RGPD, according to which each control authority may

“order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where applicable,
in a certain way and within a specified period….” The imposition of
This measure is compatible with the sanction consisting of an administrative fine, according to
The provisions of the art. 83.2 of the GDPR.


Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1,

for the alleged violation of Article 13 of the RGPD, typified in Article 83.5 of the
GDPR.

SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S.
indicating that any of them may be challenged, if applicable, in accordance with the

established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Legal Department of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the

documents obtained and generated by the General Subdirectorate of Inspection of
Data in the actions prior to the start of this sanctioning procedure.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/10








FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be, for the alleged violation of article 13 of the

RGPD, typified in article 83.5 of said regulation, administrative fine of amount
2,000.00 euros

FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it
a hearing period of ten business days to formulate the allegations and
present the evidence you consider appropriate. In his brief of allegations

You must provide your NIF and the procedure number that appears in the heading
of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the

sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 1,600.00 euros, resolving the
procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at 1,600.00 euros and its payment will imply termination
of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with that corresponding

apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain

established at 1,200.00 euros.

In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective
by depositing it into account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the

procedure that appears in the heading of this document and the cause of
reduction of the amount to which it is accepted.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/10








Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity

entered.

The procedure will have a maximum duration of nine months counting from the
date of the initiation agreement or, where applicable, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of LPACAP, it is noted that, as far as
Subsequently, the notifications sent to you will be made exclusively
electronically, through the Unique Enabled Electronic Address (dehu.redsara.es) and the

Electronic Notification Service (notifications.060.es), and that, if you do not access
their rejection will be recorded in the file, considering the procedure completed and
following the procedure. You are informed that you can identify before this Agency
an email address to receive the notice of making available the
notices and that failure to comply with this notice will not prevent the notice

be considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                               935-110422

Sea Spain Martí
Director of the Spanish Data Protection Agency


>>


SECOND: On September 26, 2022, the claimed party has proceeded to
payment of the penalty in the amount of 1,200 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
The opening of the procedure entails the renunciation of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.


FOURTH: In the initiation Agreement transcribed previously it was stated that,
If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the

which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”


Having recognized responsibility for the infraction, the imposition of penalties proceeds.
the measures included in the Initiation Agreement.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/10
















                           FOUNDATIONS OF LAW


                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:


"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the

inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of

any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
“regularly.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/10










According to what was indicated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202202164, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: REQUIRE ORI, S.l. so that within a period of one month notify the
Agency the adoption of the measures described in the legal bases

of the Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to ORI, S.l..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


                                                                                 1259-070622
Sea Spain Martí

Director of the Spanish Data Protection Agency


























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es