AEPD (Spain) - EXP202307898: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202307898 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00378-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...")
 
mNo edit summary
 
(3 intermediate revisions by 2 users not shown)
Line 25: Line 25:
|Date_Published=
|Date_Published=
|Year=
|Year=
|Fine=3,000
|Fine=7,500
|Currency=EUR
|Currency=EUR


Line 61: Line 61:
}}
}}


The DPA imposed a €3,000 fine for sending commercial emails to the data subject after she unsubscribed from them and for providing an inexistent email address on its website for data protection related issues.
The DPA imposed a €7,500 fine for sending commercial emails to the data subject after she unsubscribed from them and for providing an inexistent email address on its website for data protection issues.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject downloaded an app called “Shop Buo” on her phone and uninstalled it the same day. He started receiving emails from the same company (“controller”). She unsubscribed from the newsletter via the link included in the commercial email and received confirmation of the unsubscription.  
The data subject downloaded an app called “Shop Buo” on her phone and uninstalled it the same day. She started receiving emails from the same company (“controller”). She unsubscribed from the newsletter via the link included in the commercial email and received confirmation of the unsubscription.  


The next month, she received another commercial email from the controller. The data subject then sent an email to the address provided on the controller’s website but he received an email indicating that the email address does not exist.  
The next month, she received another commercial email from the controller. The data subject then sent an email to the address provided on the controller’s website but she received an email indicating that the email address does not exist.  


She therefore decided to lodge a complaint with the Spanish DPA (“AEPD”).
She therefore decided to lodge a complaint with the Spanish DPA (“AEPD”).
Line 77: Line 77:
Secondly, the AEPD pointed out that [[Article 21 GDPR|Article 21 GDPR]] provides the data subject with the right to object to the processing of their personal data. The DPA held that the fact that the controller provided an email address which did not actually exist or could not be accessed constitutes a breach of [[Article 21 GDPR|Article 21 GDPR]]. The AEPD imposed a 5,000€ fine for the infringement of this Article.  
Secondly, the AEPD pointed out that [[Article 21 GDPR|Article 21 GDPR]] provides the data subject with the right to object to the processing of their personal data. The DPA held that the fact that the controller provided an email address which did not actually exist or could not be accessed constitutes a breach of [[Article 21 GDPR|Article 21 GDPR]]. The AEPD imposed a 5,000€ fine for the infringement of this Article.  


Therefore, the AEPD imposed a €3,000 fine in total for the infringement of Spanish national law and [[Article 21 GDPR|Article 21 GDPR]].
Therefore, the AEPD imposed a €7,500 fine in total for the infringement of Spanish national law and [[Article 21 GDPR|Article 21 GDPR]].


== Comment ==
== Comment ==

Latest revision as of 14:51, 10 April 2024

AEPD - EXP202307898
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 21 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 7,500 EUR
Parties: Rounded Technologies, S.L.
National Case Number/Name: EXP202307898
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: nzm

The DPA imposed a €7,500 fine for sending commercial emails to the data subject after she unsubscribed from them and for providing an inexistent email address on its website for data protection issues.

English Summary

Facts

The data subject downloaded an app called “Shop Buo” on her phone and uninstalled it the same day. She started receiving emails from the same company (“controller”). She unsubscribed from the newsletter via the link included in the commercial email and received confirmation of the unsubscription.

The next month, she received another commercial email from the controller. The data subject then sent an email to the address provided on the controller’s website but she received an email indicating that the email address does not exist.

She therefore decided to lodge a complaint with the Spanish DPA (“AEPD”).

Holding

Firstly, the AEPD considered that under Article 21 of the Spanish Law 34/2002 on Information Society Services and Electronic Commerce (Ley 34/2002, de 11 de julio, de Servicios de la Sociedad de la Información y Comercio Electrónico (LSSI)), the sending of promotional communications by email that have not been previously requested or expressly authorized by the recipients of said communications is prohibited. The AEPD considered it appropriate to impose a €2,500 fine for the infringement of this Article.

Secondly, the AEPD pointed out that Article 21 GDPR provides the data subject with the right to object to the processing of their personal data. The DPA held that the fact that the controller provided an email address which did not actually exist or could not be accessed constitutes a breach of Article 21 GDPR. The AEPD imposed a 5,000€ fine for the infringement of this Article.

Therefore, the AEPD imposed a €7,500 fine in total for the infringement of Spanish national law and Article 21 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12








     Procedure No.: EXP202307898 (PS/00378/2023)

                RESOLUTION OF SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following
                                  BACKGROUND


FIRST: On 04/27/23, Mr. A.A.A. (hereinafter, the complaining party), presents
written claim to the Spanish Data Protection Agency.

The claim is directed against the entity ROUNDED TECHNOLOGIES, S.L., with
CIF.: B01673862, (hereinafter, the claimed party), for the alleged violation of the
data protection regulations: Regulation (EU) 2016/679, of the Parliament

European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons
regarding the Processing of Personal Data and the Free Circulation of
these Data (RGPD), Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (LOPDGDD) and Law 34/2002,
of July 11, Information Society Services and Electronic Commerce

(LSSI).

The facts stated by the claimant are the following:

       “I downloaded the “Shop Buo” app, it didn't appeal to me and I uninstalled it the same day.

       I started receiving commercial emails from the same company on the 11th, 14th (2)
       and March 15, 2023. Cancellation process from the newsletter on 03 15 23 through the
       link that they have in the commercial email and I receive instant confirmation
       confirmation of withdrawal.

       To my surprise, on 04/27/23, I received another commercial email again.

       Then I access the website https://www.shopbuo.com/politica-deprivacidad and
       I find the email hola@pulpo.club as a privacy contact, so
       Before starting this procedure, I send an email to that address demanding the
       immediate cessation of commercial communications, however I receive
       email indicating that the email address does not exist, so they won't let me

       no choice but to open this claim. I have observed that the website
       www.shopbuo.com does not have a legal notice and above all the protection email
       data does not work.”

Along with the claim documents, the following documentation is attached:


    - Copy of the “Privacy Policy” of the website www.shopbuo.com,
       (https://www.shopbuo.com/politica-de-privacidad), where you can read among
       other issues, the following:

           or “(…) Contact us: Do not hesitate to contact us if

               do you have any questions. Via Email: hola@pulpo.club. Through this
               link: https://shopbuo.com.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








    - Copy of the emails received by the claimant on 03/11/23
       and 03/14/23, from the email address ***EMAIL.1@support.shopbuo.com
       containing advertising messages. In these emails you can read the
       following message at the end of it:


           or “(…) Do you need help? Contact us We would love for you to stay,
               but you can <<unsubscribe>> if you do not want to receive more
               emails like this one. For more information visit: www.shopbuo.com

    - Copy of the email received by the claimant on 03/15/23, sent

       from the email address services@support.shopbuo.com, containing the
       acknowledgment of receipt of having unsubscribed from the email and indicating
       that you will not receive any other emails from “Boo”.

    - Copy of the email received on 04/27/23, from the address of
       email hello@buo.so, containing advertising messages. In said email

       You can read the following message, at the end of it:

           or “(…) Do you need help? Contact us We would love for you to stay,
               but you can <<unsubscribe>> if you do not want to receive more
               emails like this one. For more information, consult: www.shopbuo.com.”


    - Copy of email sent on 04/27/23 from the email address
       of the claimant to the email address hola@pulpo.club in which you can
       read the following message:

           or “Hello, I unsubscribed on March 15 and I continue receiving emails, I would not like

               file a complaint with the AEPD, so I give them a period of 3 days
               so that they can confirm my cancellation AGAIN and assure me that I will not
               receive any other email.”

    - Copy of the response received on the same day 04/27/23 from the address of

       mail “Mail Delivery Subsystem <mailer-daemon@googlemail.com> with the
       following message written in English (translated into Spanish): “Address not
       found. Your message was not delivered to hola@pulpo.club because it was not
       could not find the address or cannot receive mail.”

    - Copy of the email received by the claimant on 05/10/23, from the

       email address, hello@buo.so containing an advertising message. In
       In this email you can read the following message, at the end of it:

           or “(…) Do you need help? Contact us We would love for you to stay,
               but you can <<unsubscribe>> if you do not want to receive more

               emails like this one. For more information, consult: www.shopbuo.com.”

SECOND: On 06/09/23, in accordance with the provisions of article 65.4
of the LOPDGDD, by this Agency, said claim was transferred to the
claimed party to proceed with its analysis and report, within a period of one month,
about what was stated in the statement of claim.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12








The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (LPACAP), according to the certificate of the Electronic Notifications Service and

Electronic Address, was sent to the claimed party on 06/09/23 through the
electronic notification service, “NOTIFIC@”, being rejected
automatic on 06/20/23.

Although the notification was validly carried out by electronic means, it was deemed
Once the procedure was carried out in accordance with the provisions of article 41.5 of the LPACAP, the

a copy by postal mail to the address indicated in the Central Commercial Registry
as corporate address: ***ADDRESS.1, was returned to its destination on 07/26/23, with the
“unknown” message.

THIRD: On 07/27/23, by the Director of the Spanish Agency for

Data Protection agreement is issued to admit the claim processing
presented, in accordance with article 65 of the LPDGDD Law.

FOURTH: On 09/12/23, this Agency carried out the following
checks completed, with respect to the indications included in the
advertising emails:


a).- If you click on the option <<you can cancel the subscription>>, included in the
advertising emails sent by the claimed party, the following appears
message written in English, (translated into Spanish):


              “Do you want to unsubscribe from our emails?
                   You will stop receiving emails from us.

                               <<Cancel subscription>>


 Disclaimer: This email was sent via Crisp to
                              the website: shopbuo.com

   We are not responsible for any abuse of that website. We respect all
 email unsubscribe requests. If the website abuses
    from your email inbox, contact the website

  first. If you are still receiving emails after doing so, please contact
                             Crisp at: abuse@crisp.chat”

If you click on the <<cancel subscription>> option, the following message appears
written in English (translated into Spanish):


                      Unsubscribe from emails!
     Understood! You will not receive any more emails. —Subscribe again?

 Disclaimer: This email was sent via Crisp to

                               the website: shopbuo.com

   We are not responsible for any abuse of that website. We respect all
 email unsubscribe requests. If the website abuses

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12








    from your email inbox, contact the website
  first. If you are still receiving emails after doing so, please contact
                              Crisp at: abuse@crisp.chat

b).- If you access the website https://www.shopbuo.com, you verify that,

through the link at the top of them <<download the app>>,
https://www.shopbuo.com/soy-un-consumidor, a QR code appears that makes it possible to
Download the app, “Shop Buo”.

It is noted that in the “Privacy Policy” of the website
https://www.shopbuo.com/politica-de-privacidad, if you wish to contact him

responsible through the email indicated on the page (hola@pulpo.club),
You receive an instant response message indicating,

       “Your message was not delivered to hola@pulpo.club because it could not be found
       the address or mail cannot be received.”


FIFTH: On 05/10/23, the Director of the Spanish Agency for the Protection of
Data agreed to initiate sanctioning proceedings against the claimed party in accordance with the
provided in articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (LPACAP), by
the alleged violations of article 21.1 of the LSSI, classified as “mild” in art.

38.4.d) of said regulation and article 21 of the RGPD, typified in article 83.5.b) of
the aforementioned standard.

In the opening agreement it was determined that the sanction that could correspond,
taking into account the evidence existing at that time and without prejudice to what may result
of the instruction would amount to a total of 2,500 euros (two thousand five hundred euros), in which

case of violation of article 21 of the LSSI and 5,000 euros (five thousand euros), in the
case of violation of article 21 of the GDPR. Likewise, it was noted that the
Imputed infractions, if confirmed, may lead to the imposition of security measures.
in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD.

Furthermore, the claimed party was informed that, if within the stipulated period it did not carry out

allegations to this initial agreement, it could be considered a proposal of
resolution, as established in article 64.2.f) of the LPACAP.

This initiation agreement, which was notified to the claimed party in accordance with the rules
established in Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (LPACAP), was collected on 06/10/23.


SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in
the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been
verified that no allegation has been received regarding the initiation of the file, in
this Agency.


Article 64.2.f) of the LPACAP - provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period regarding the content of the initiation agreement, when
This contains a precise statement about the imputed responsibility,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12








may be considered a proposal for a resolution. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the
imputation, the violation of the LSSI attributed to the defendant and the sanction that could be

impose Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to initiate the file and in response to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is
considered in the present case proposed resolution.

In view of everything that has been done, by the Spanish Data Protection Agency

In this procedure, the following are considered proven facts:

                                PROVEN FACTS

Sole: In the statement of claim, the claimant states that after

uninstall the “Shop Buo” app from his mobile, he started receiving commercial emails from the
same company. That you processed the cancellation of the newsletter through the link that was included in the
commercial email receiving the acknowledgment of receipt of having correctly processed the
low. However, after that he received new emails again
advertising of the same company, presenting, to corroborate it, the following
documents:


    - Copy of the emails received by the claimant on 03/11/23
       and 03/14/23, from the claimed entity containing advertising messages.

    - Copy of the email received by the claimant on 03/15/23, sent

       by the claimed entity, containing the acknowledgment of receipt of having given
       unsubscribe from the email and indicating that they would not receive any further email
       electronic “Boo”.

    - Copy of the email received on 04/27/23, from the address of the

       claimed entity containing advertising messages.

    - Copy of the email sent on 04/27/23 by the claimant to the entity
       claimed requesting again the deletion of your data so as not to receive again
       more promotional emails.


    - Copy of the response received on the same day 04/27/23 from the address of
       mail “Mail Delivery Subsystem <mailer-daemon@googlemail.com> with the
       following message written in English (translated into Spanish): “Address not
       found. Your message was not delivered to hola@pulpo.club because it was not
       could not find the address or cannot receive mail.”


    - Copy of the email received by the claimant on 05/10/23, from the
       claimed entity containing an advertising message.

                           FOUNDATIONS OF LAW


                                           YO.
                                     Competence.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12








Regarding the advertising messages sent, it is competent to resolve this
Sanctioning Procedure, the Director of the Spanish Agency for the Protection of
Data, in accordance with the provisions of art. 43.1, second paragraph, of the LSSI.


The fourth additional provision of the LOPDGDD establishes, on the "Procedure in
relation to the powers attributed to the AEPD by other laws", which: "What
provided in Title VIII and in its development regulations will apply to the
procedures that the Spanish Data Protection Agency had to process
in the exercise of the powers attributed to it by other laws."


About the processing of personal data and the “Privacy Policy” of the website
https://www.shopbuo.com, is competent to resolve this procedure, the
Director of the Spanish Data Protection Agency, by virtue of the powers that
Art 58.2 of the RGPD recognizes each Control Authority and, as established in

the arts. 47, 64.2 and 68.1 of the LOPDGDD Law.
                                           II.
                                Summary of the facts:

According to the claimant, after downloading the “Shop Buo” app, he began to receive
commercial emails from the company in question and after unsubscribing, through

of the link included in the emails and receiving confirmation of the cancellation followed
receiving advertising emails from the company. After which, he accessed the
“Privacy Policy” of the website https://www.shopbuo.com
(https://www.shopbuo.com/politica-deprivacidad), and tried to contact the
responsible for it through the email indicated for this purpose,

hola@pulpo.club but received an instant response informing him that
said email address was invalid or did not exist.

                                          III.-1
   Classification of the infringement committed by sending commercial communications


The fact that the defendant sends advertising emails to the complainant
having requested that they not send him more advertising constitutes a violation
of what is established in article 21 of the LSSI, as it establishes the following:

       "1. Sending advertising or promotional communications is prohibited

       by email or other equivalent means of electronic communication
       that had not previously been requested or expressly authorized by
       the recipients of these.

       2. The provisions of the previous section will not apply when there is a

       prior contractual relationship, provided that the provider had obtained
       lawfully authorizes the contact details of the recipient and will use them to send the
       commercial communications referring to products or services of its own
       company that are similar to those that were initially subject to
       contracting with the client.


       In any case, the provider must offer the recipient the possibility of
       oppose the processing of your data for promotional purposes through a


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12








       simple and free procedure, both at the time of data collection
       as in each of the commercial communications that I send to you.

       When the communications have been sent by email,
       said means must necessarily consist of the inclusion of an address

       email or other valid electronic address where you can
       exercise this right, being prohibited the sending of communications that
       do not include said address.”
                                          III.-2
                                        Sanction


The aforementioned violation of article 21 of the LSSI is classified as minor in the
art. 38.4.d) of said standard, which qualifies as such, “The sending of communications
commercial by email or other means of electronic communication
equivalent when said shipments do not meet the requirements established in the
article 21 and does not constitute a serious infraction.”


In accordance with these criteria, it is considered appropriate to impose a penalty of 2,500
euros, (two thousand five hundred euros), for the violation of article 21 of the LSSI, by sending
advertising messages to the claimant, having previously opposed it.

                                         IV.-1

  About the processing of personal data on the website and the “Privacy Policy”

It has been observed that in the “Privacy Policy” of the website
https://www.shopbuo.com/politica-de-privacidad, if you wish to contact him
responsible for the site, through the email indicated on the page
(hola@pulpo.club), you receive an automatic response message indicating that said

email address is incorrect or does not exist.

In this regard, the GDPR establishes in art. 21, “Right of opposition”, the following:

       "1. The interested party will have the right to object at any time, for
       reasons related to your particular situation, to which personal data that you

       concern are subject to treatment based on the provisions of article
       6, paragraph 1, letters e) or f), including profiling on the basis of
       such provisions. The data controller will stop processing the data
       personal data, unless compelling legitimate reasons for the processing are proven.
       that prevail over the interests, rights and freedoms of the
       interested party, or for the formulation, exercise or defense of claims.


       2. When the processing of personal data aims to
       direct marketing, the interested party will have the right to oppose in all
       moment to the processing of personal data that concerns you, including the
       profiling to the extent that it is related to the aforementioned

       marketing.

       3. When the interested party objects to processing for marketing purposes
       directly, personal data will no longer be processed for these purposes.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12








       4. At the latest at the time of the first communication with the interested party,
       The right indicated in sections 1 and 2 will be explicitly mentioned when
       interested and will be presented clearly and apart from any other

       information.

       5. In the context of the use of information society services,
       and notwithstanding the provisions of Directive 2002/58/EC, the interested party may
       exercise your right to object by automated means that apply
       Technical specifications.


       6. When personal data are processed for scientific research purposes or
       historical or statistical purposes in accordance with Article 89(1), the
       interested party will have the right, for reasons related to their situation
       in particular, to oppose the processing of personal data that concerns him,

       unless necessary for the fulfillment of a mission carried out by
       reasons of public interest.”

That is, the person who owns the personal data can exercise before the person responsible
of the processing a series of rights regarding said data, and therefore, the fact
that the email address indicated by the person responsible for the website,

hola@pulpo.club to be able to contact him does not actually exist or is not
can access it, represents a violation of article 21 of the RGPD, giving rise,
Furthermore, to the application of the corrective powers that article 58 of the aforementioned
Regulation granted to the Spanish Data Protection Agency.


                                         IV.-2
                                        sanction

If confirmed, failure to comply with the indicated precept could lead to the commission of
an infraction classified in article 83.5.b) of the RGPD, which under the rubric

“General conditions for the imposition of administrative fines” provides the following:
following:

       “Infringements of the following provisions will be sanctioned, according to
       with paragraph 2, with administrative fines of EUR 20 000 000 as
       maximum or, in the case of a company, an amount equivalent to 4%

       maximum of the overall total annual turnover of the financial year
       above, opting for the highest amount: (…) b) the rights of the
       interested parties in accordance with articles 12 to 22.”

With regard to limitation periods, article 72.1.k) of the LOPDGDD,

establishes:

       "1. Based on what is established in article 83.5 of the Regulation (EU)
       2016/679 are considered very serious and will expire after three years.
       infractions that involve a substantial violation of the articles

       mentioned in that and, in particular, the following: (…) k) The impediment or
       the obstruction or repeated failure to attend to the exercise of rights
       established in articles 15 to 22 of Regulation (EU) 2016/679”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12








In order to determine the administrative fine to impose, the provisions must be observed.
ns of sections 1 and 2 of article 83 of the RGPD, provisions that indicate:


        "1. Each supervisory authority will ensure that the imposition of fines admitted
        pursuant to this article for violations of this Recommendation.
        regulations indicated in sections 4, 9 and 6 are in each individual case
        effective, proportionate and dissuasive.

        2. Administrative fines will be imposed, depending on the circumstances

        of each individual case, as an additional or substitute for the contemporary measures.
        covered in Article 58, paragraph 2, letters a) to h) and j). When deciding the tax
        of an administrative fine and its amount in each individual case will be determined
        duly taken into account: a) the nature, severity and duration of the infringement,
        taking into account the nature, scope or purpose of the processing operation

        ment in question, as well as the number of interested parties affected and the level
        of the damages and losses they have suffered; b) intentionality or negligence
        in the infringement;
        c) any measure taken by the person responsible or in charge of the treatment
        to alleviate the damages and losses suffered by the interested parties; d) the degree of
        responsibility of the person responsible or in charge of the treatment, taking into account

        ta of the technical or organizational measures that they have applied under the
        articles 25 and 32; e) any previous infringement committed by the person responsible or the
        data processor; f) the degree of cooperation with the control authority
        control in order to remedy the infringement and mitigate the possible adverse effects.
        verses of infraction; g) the categories of personal data

        affected by the infringement; h) the way in which the supervisory authority had
        knowledge of the infringement, in particular if the person responsible or the person in charge notifies
        what the infringement was and, if so, to what extent; i) when the indicated measures
        in Article 58, paragraph 2, have been previously ordered against the res-
        responsible person or the person in charge in question in relation to the same matter, the

        compliance with said measures; j) adherence to codes of conduct in
        tution of Article 40 or to certification mechanisms approved in accordance with the
        Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances.
        circumstances of the case, such as financial benefits obtained or losses
        avoided, directly or indirectly, through infringement.”


For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD provides
ne:

        "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Rules-
        ment (EU) 2016/679 will be applied taking into account the grading criteria.

        tion established in section 2 of the aforementioned article.

        2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
        2016/679 may also be taken into account: a) The continuous nature of the in-
        fraction. b) The linking of the offender's activity with the performance of work

        processing of personal data. c) The benefits obtained as a consequence
        ncy of the commission of the infraction. d) The possibility that the conduct of the
        affected could have induced the commission of the infraction. e) The existence
        of a merger by absorption process after the commission of the infringement,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12








       which cannot be attributed to the absorbing entity. f) The impact on the rights
       children's children. g) Have, when not mandatory, a delegate
       of data protection. h) Submission by the person responsible or entrusted

       voluntarily, to alternative dispute resolution mechanisms.
       conflicts, in those cases in which there are disputes between those and
       "any interested party."

In accordance with the indicated precepts, for the purposes of setting the amount of the sanctions
to be imposed in the present case, it is considered that it is appropriate to graduate the fine according to

with the following criteria:

    - The scope or purpose of the data processing operation, as well as the
       affected interested parties, (article 83.2.a): In relation to the number of
       affected stakeholders, all potentially

       affected, web users.

In accordance with the above, it is considered appropriate to impose a penalty of 5,000 euros
(five thousand euros), for the violation of article 21 RGPD.

                                          IV.-3

                                 Adoption of Measures

Once the violations have been confirmed, it is appropriate to impose on the denounced party the obligation to
adopt appropriate measures to adjust its actions to the regulations mentioned in
this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to

which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…”


The imposition of this measure is compatible with the sanction consisting of a fine
administrative, according to the provisions of art. 83.2 of the GDPR.

The text of this resolution establishes the violation committed.
and the facts that give rise to the violation of data protection regulations, of
which clearly infers what measures to adopt, without prejudice to the fact that the

type of procedures, mechanisms or specific instruments to implement them
corresponds to the sanctioned party, since it is the person responsible for the treatment who
fully knows your organization and must decide, based on the responsibility
proactive and risk approach, how to comply with the RGPD and the LOPDGDD.


However, in this case, regardless of the above, it is appropriate to require the
claimed party so that, within a period of one month, it makes the modifications
necessary on your website and enable a valid email address for
that users can contact it and be able to exercise, if they wish, their
rights regarding data protection.


Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12








classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency

                                      RESOLVES:


FIRST: IMPOSE on the entity ROUNDED TECHNOLOGIES, S.L., with CIF.:
B01673862, the following fines:

    - For violation of article 21 of the LSSI, typified in article 38.4.d) of the
       cited rule, a fine of 2,500 euros (two thousand five hundred euros).


    - For violation of article 21 of the RGPD, typified in article 83.5.b) of the
       cited rule, a fine of 5,000 euros (five thousand euros).

SECOND: : ORDER ROUNDED TECHNOLOGIES, S.L., which by virtue of the
article 58.2.d) of the RGPD, within a period of one month from the notification of the

present act, adapt its actions to the regulations on the protection of personal data,
with the scope expressed in the Legal Basis IV.-3. In the same period
indicated, you must justify before this Spanish Data Protection Agency the
attention to this requirement.


THIRD NOTIFY this resolution to ROUNDED TECHNOLOGIES, S.L.,

FOURTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN No.: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:

CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A..

Otherwise, it will be collected during the executive period. Received the
notification and once executive, if the date of execution is between the days

1 and 15 of each month, both inclusive, the deadline to make the voluntary payment will be
until the 20th of the following or immediately following business month, and if it is between
on the 16th and last day of each month, both inclusive, the payment period will be until the 5th
of the second following or immediately following business month.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12








Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through

of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/],
or through any of the other registries provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer the documentation to the Agency
that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious appeal.

administrative within a period of two months from the day following notification of the
This resolution would end the precautionary suspension.

Sea Spain Martí
Director of the Spanish Data Protection Agency





























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es