AEPD (Spain) - EXP202310840
Latest revision as of 12:40, 28 August 2024
| AEPD - EXP202310840 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(c) GDPR; Article 13 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 3,000 EUR |
| Parties: | 20 AÑOS DE MÚSICA A.I.E. |
| National Case Number/Name: | EXP202310840 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a controller €3,000 for violating the principle of data minimisation by requiring photocopies of IDs to verify ages upon entry to events.
English Summary
Facts
On 23 June 2023, a data subject filed a complaint with the Spanish DPA (AEPD) requesting sanctioning proceedings against 20 Años de Música A.I.E. (the controller). The controller, which organises concerts and other events, required that parents or guardians provide a copy of their national identity cards (IDs), as well as of the minors’ IDs, in order to gain entry.
The AEPD noted that the controller’s policy discussing its processing of minors’ data was out of date, making reference to a national law that had since been replaced. The policy did not specify why copies of IDs were necessary or how the copies would be processed beyond admission to the venue. It also did not state how long the data would be retained by the controller.
In its reply brief, the controller stated that, due to an error, its online privacy policy was not up to date. The controller further argued that it was necessary to verify the minors’ and their companions’ IDs in order to confirm their ages and to ensure compliance with Law 3/2017 of Public Spectacles and Recreational Activities in Cantabria (Ley 3/2017 de Espectáculos Públicos y Actividades Recreativas de Cantabria). The law limits minors’ ability to enter certain types of venues (with some exceptions where adults accompany minors), including party rooms, discos, and dance rooms, and requires that establishments deny entry to anyone who does not verify their age with documentation.
Holding
The AEPD found that the controller likely violated Articles 5(1)(c) and 13 GDPR and recommended a €5,000 fine.
First, the AEPD considered that the controller failed to meet data minimisation standards pursuant to Article 5(1)(c) GDPR. The AEPD took into consideration Recital 39 GDPR’s instruction that personal data should only be processed if the purpose could not be reasonably achieved by other means. While Law 3/2017 required age verification of minors and their guardians, the controller went a step further by requiring a copy of the IDs. This collection of a complete and unredacted photocopy of IDs resulted in more processing than necessary and thus likely violated Article 5(1)(c) GDPR.
Second, the AEPD found that the controller likely violated Article 13 GDPR. The lack of information concerning the processing or storage period provided in the disclosure policy, as well as its being out of date, indicated that the controller failed to meet its information obligations. The AEPD noted that this resulted in other shortcomings for data subjects’ ability to exercise their rights, as the policy’s lack of sufficient information prevented data subjects from exercising their rights pursuant to Article 17 GDPR.
Given these likely violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €20,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €3,000.
Comment
This case is nearly identical to one published earlier, in March 2024, EXP202310910, concerning a concert venue with the same policy. In that case, the AEPD also found infringements of Articles 5(1)(c) and 13 GDPR, and the controller paid a reduced €12,000 fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202310840
RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT
From the procedure initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On May 23, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against 20 AÑOS DE MÚSICA A.I.E. (hereinafter, the respondent party), through the Agreement that is transcribed below:
<< File No.: EXP202310840
AGREEMENT TO START SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on June 23, 2023. The complaint is directed against 20 AÑOS DE MÚSICA A.I.E. with NIF V09865601. The reasons on which the claim is based are the following:
The complainant states that, in order for minors to be accompanied to concerts managed by the respondent entities, authorizations must be completed by the mothers, fathers or guardians of the minors who attend said events, for which a copy of the ID of the authorizing person is required, as well as personal information of both the authorizing party and the minors who attend the event. The complainant also points out that the authorization documents by which the aforementioned data are collected do not provide adequate information on data protection, and do not state that the entity has a Data Protection Officer. The complainant provides the authorizations for participation in concerts through which the data are collected.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), this claim was forwarded to 20 AÑOS DE MÚSICA A.I.E., so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 08/03/2023 as stated in the acknowledgement of receipt in the file. On 09/01/2023, this Agency received a written response indicating:
- The event organized by AIE has its corresponding Privacy Policy. This Privacy Policy complies with the requirements established in the GDPR and, in particular, with the provisions of article 13, and is available to interested parties at the time they register for the event, adequately informing them of the processing of their personal data on the Website.
- AIE does not give access to the information to any third party that is not essential in order to comply with legal obligations and the correct provision of the service, informing data subjects of this at all times in the Privacy Policy mentioned above.
- There was an error on the part of AIE when uploading the information clause to the corresponding event Website, which caused the publication on said Website of a clause that was out of date, with references to the repealed regulations.
- Before authorizing access to the premises, it is necessary to correctly identify the person. This is necessary to the extent that their age must be verified in order to ensure that they can accompany the minors in their care. The only purpose for which this data is collected and stored is to comply with current regulations (specifically, Law 3/2017, of April 5, on Public Shows and Recreational Activities of Cantabria) and, where appropriate, to be able to demonstrate this to the public authorities.
- AIE is not in one of the cases in which designating a DPO is mandatory.
- In relation to the measures adopted in order to prevent similar incidents from occurring in the future, AIE will carry out a manual and exhaustive review of the storage systems where the information clauses on data protection are stored, in order to confirm that they are updated to the latest version.
- The deficiencies alleged by the interested party were caused by a human error and are currently under review so that it does not happen again.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
THIRD: On September 23, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complainant was admitted for processing.
FOURTH: According to the report collected from the AXESOR tool, the entity 20 AÑOS DE MÚSICA A.I.E. is a micro-enterprise established in 2022.
LEGAL BASIS
I Competence
In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Preliminary questions
In the present case, there is evidence of the processing of personal data by 20 AÑOS DE MÚSICA A.I.E. in its business activity, as set out in Article 4.2 of the GDPR: "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
20 AÑOS DE MÚSICA A.I.E. carries out this activity in its capacity as controller of the processing, since it is the one who determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR: "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
III Unfulfilled obligation
The known facts could constitute an infringement, attributable to 20 AÑOS DE MÚSICA A.I.E., of Article 5.1.c) of the GDPR and another infringement of Article 13 of the GDPR.
IV Article 5.1 c) of the GDPR
Article 5 of the GDPR, "Principles relating to processing", refers to the principle of data minimisation in letter c) of its section 1 in the following terms:
"Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation')".
This article makes clear that personal data shall be "adequate, relevant and limited to what is necessary" for the purposes for which they were collected, such that, if the objective pursued can be achieved without excessive data processing, that is how it should be done.
In turn, recital 39 of the GDPR indicates that: "Personal data should only be processed if the purpose of the processing could not reasonably be achieved by other means." Therefore, only data that is "adequate, relevant and not excessive in relation to the purpose for which it is obtained or processed" will be processed. The categories of data selected for processing must be those strictly necessary to achieve the stated objective, and the data controller must strictly limit the collection of data to the information that is directly related to the specific purpose pursued.
In this case, the company requests that the "access document for minors under 16 years of age" be completed by parents or legal guardians in order to allow the minors to enter concerts managed by the company. In addition to this completed authorization, it requires the presentation of a photocopy of the ID of the parent or guardian who authorizes, which will remain in the possession of the company.
In the written response to the transfer of the claim, the company states that the reason why it requests that the person accompanying the minors provide a copy of the ID is that it is necessary to carry out, before authorizing access to the premises, a correct identification of the person in order to comply with current regulations.
Article 40, "Protection of childhood and adolescence", of Law 3/2017, of April 5, on Public Shows and Recreational Activities of Cantabria establishes, in its section 2:
"2. The following limitations are established for access and permanence in public establishments and portable or removable facilities, where public shows and recreational activities are held, with respect to minors under eighteen years of age:
a) Their entry and permanence in party halls, discos, macro-discos, dance halls, pubs, whiskey bars and similar premises is generally prohibited, with the following exceptions, the content of which will be developed by regulation:
1. That these establishments have authorization for sessions for minors, in which the entry and permanence of those over fourteen years of age and under eighteen years of age will be permitted, in accordance with article 24 of the Law of Cantabria 5/1997, of October 6, on Prevention, Assistance and Social Incorporation in matters of drug addiction.
2. That the activity to be carried out in party halls, dance halls, pubs, whiskey bars and similar premises is compatible with the moral and physical integrity of minors, while it lasts and provided that they are accompanied by a responsible adult when they are under sixteen years of age."
And, in its section 6:
"6. The owners of public establishments or portable or removable facilities, as well as the people who organize public shows or recreational activities, may require, directly or through personnel at their service, the display of the national identity document or equivalent document as a means of proving the age of the attending public. They must prevent access and, where appropriate, evict, directly or through personnel in their service, those who do not provide documentary evidence of their age or do not meet the age requirement for the purposes of this law."
In accordance with the evidence available at the time of the agreement to initiate the sanctioning procedure, and without prejudice to the results of the investigation, it can be understood that the collection of a photocopy of the client's identity document, with all the information contained in that document, is a processing of personal data contrary to the principle of "data minimisation" regulated in article 5.1.c) of the GDPR.
V Classification and qualification of the infringement
If confirmed, the aforementioned infringement of article 5.1.c) of the GDPR could entail the commission of the infringements classified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:
"Infringements of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher:
a) the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9;"
In this regard, the LOPDGDD, in its article 71, establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements".
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
Article 72. Infringements considered very serious.
"1. According to the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679."
VI Article 13 GDPR
Article 13 GDPR provides as follows:
"1. Where personal data relating to a data subject are obtained from him or her, the controller shall, at the time when such data are obtained, provide the data subject with all of the following information:
(a) the identity and contact details of the controller and, where applicable, of his or her representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes for which the personal data are processed and the legal basis for the processing;
(d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or a third party;
(e) the recipients or categories of recipients of the personal data, where applicable;
(f) where applicable, the intention of the controller to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), a reference to the appropriate or adequate safeguards and the means by which to obtain a copy of those safeguards or the place where they have been made available.
2. In addition to the information referred to in paragraph 1, the controller shall, at the time when the personal data are obtained, provide the data subject with the following information necessary to ensure fair and transparent processing of the data:
(a) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;
(b) the existence of the right to request from the controller access to personal data concerning the data subject, rectification or erasure, or restriction of processing, or to object to processing, as well as the right to data portability;
(c) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data;
(f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. When the data controller plans to further process personal data for a purpose other than that for which they were collected, he/she shall provide the data subject, prior to such further processing, with information on that other purpose and any additional information relevant in accordance with paragraph 2.
The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the data subject already has the information."
In this case, the "access document for minors under 16 years of age", with regard to basic information on data protection, is outdated and makes reference to Organic Law 15/1999 of 13 December on the Protection of Personal Data. This document does not make reference to the processing that will be carried out on the data obtained through the copy of the DNI, or to the period for which those data will be kept.
Data subjects are not given enough information to be able to exercise the rights established in the GDPR, specifically the right established in article 17 ("right to erasure").
In the written response to the transfer of the claim, 20 AÑOS DE MÚSICA A.I.E. states that it will carry out a manual and exhaustive review of the storage systems where the information clauses on data protection are stored, in order to confirm that they are updated to the latest version, and that the deficiencies alleged by the interested party were caused by human error.
Although this Agency positively values the adoption of new measures that result in greater compliance with the regulations on the processing of personal data and that can prevent, in the future, incidents such as the one examined in the present procedure, technical and organizational measures must be adopted taking into account each and every one of the risks present in the processing of personal data, including the human factor.
For all these reasons, in accordance with the evidence available at the time of the agreement to initiate the sanctioning procedure, and without prejudice to the results of the investigation, it is considered that 20 AÑOS DE MÚSICA A.I.E. may have processed the personal data of the complainant without complying with the provisions of article 13 of the GDPR, transcribed above.
VII Classification and qualification of the infringement of Article 13 of the GDPR
If confirmed, the aforementioned infringement of Article 13 of the GDPR could entail the commission of the infringements classified in Article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:
"Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of a maximum of EUR 20,000,000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is greater:
a) the rights of data subjects pursuant to Articles 12 to 22;"
In this regard, the LOPDGDD, in its article 71, establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements".
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
"1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:
h) Failure to comply with the duty to inform the data subject about the processing of his or her personal data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this Organic Law."
VIII Proposed sanction
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:
"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as an alternative to the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage they have suffered;
(b) the intentionality or negligence of the infringement;
(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any previous infringement committed by the controller or processor;
(f) the extent of cooperation with the supervisory authority in order to remedy the breach and mitigate any adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
(i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."
With regard to section k) of Article 83.2 of the GDPR, the LOPDGDD, Article 76, "Sanctions and corrective measures", provides:
"1. The sanctions provided for in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in paragraph 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continued nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."
In this case, in the event of a possible infringement of Articles 5.1 c) and 13 of the GDPR, a fine would be imposed, in addition to the adoption of measures, if appropriate. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR.
In accordance with the provisions indicated, on the basis of the evidence available at the time of the agreement to initiate sanctioning proceedings and without prejudice to what results from the instruction of the procedure, in order to establish the amount of the sanctions to be imposed in the present case, it is considered appropriate to graduate the sanctions according to the following criteria established by the precepts transcribed:

In an initial assessment, the following grading criteria are considered to be concurrent as aggravating factors:

- Art. 5.1.c) GDPR: Article 83.2.g) of the GDPR: The categories of personal data affected by the infringement. This is because the content of the identity document constitutes particularly sensitive data, the processing of which may give rise to identity theft or fraud, and it contains data that are not necessary for the purpose for which they were processed, and a mere on-site verification of age may be sufficient.

- Art. 13 GDPR: Article 83.2.a) of the GDPR: Nature, seriousness and duration of the infringement: In compliance with its legal obligations, the respondent party must act with the diligence that the circumstances of the case require, and it cannot be understood that this occurs when those affected are not duly informed of their rights regarding the data processing to be carried out.
In this regard, it is necessary to refer to the judgment of the Court of Justice of the European Union of 5 December 2023 in Case C-807/21 (Deutsche Wohnen), which states:

“76 In this regard, it should also be noted, as regards the question of whether an infringement has been committed intentionally or negligently and may therefore be subject to an administrative fine under Article 83 of the GDPR, that a controller may be penalised for conduct falling within the scope of the GDPR where it could not have been unaware of the infringing nature of its conduct, whether or not it was aware of infringing the provisions of the GDPR (see, by analogy, judgments of 18 June 2013, Schenker & Co. and Others, C-681/11, EU:C:2013:404, paragraph 37 and the case-law cited; of 25 March 2021, Lundbeck v Commission, C-591/16 P, EU:C:2021:243, paragraph 156, and of 25 March 2021, Arrow Group and Arrow Generics v Commission, C-601/16 P, EU:C:2021:244, paragraph 97).”

Considering the factors set out above, the initial fine for infringement of Article 5.1.c) of the GDPR is €3,000 (three thousand euros) and for infringement of Article 13 of the GDPR €2,000 (two thousand euros), without prejudice to the outcome of the investigation of the procedure.

IX Adoption of measures

If the infringement is confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its conduct to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.
In such case, in the resolution adopted, this authority may require the controller to, within one month:

- Include in the “document for access to minors” information regarding data protection, duly updated, eliminating the reference to Organic Law 15/1999 of 13 December, on the Protection of Personal Data.
- Adapt its information clause to that established in the data protection regulations.
- Eliminate from the documents for access to minors: “This document is not valid without the photocopy of the ID of the parent/guardian who signs it.”

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the RGPD, classified as an infringement in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against 20 AÑOS DE MÚSICA A.I.E., with NIF V09865601, for the alleged infringement of articles 5.1c) and 13 of the RGPD, both classified in article 83.5 of the RGPD.

SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that may correspond, without prejudice to what results from the investigation, would be:

- For the alleged infringement of article 5.1.c) of the GDPR, classified in article 83.5 of said regulation, an administrative fine of €3,000 (THREE THOUSAND EUROS);
- For the alleged infringement of article 13 of the GDPR, classified in article 83.5 of said regulation, an administrative fine of €2,000 (TWO THOUSAND EUROS).

The above amounts to a total of €5,000 (FIVE THOUSAND EUROS).

FIFTH: TO NOTIFY this agreement to 20 AÑOS DE MÚSICA A.I.E., with NIF V09865601, granting it a hearing period of ten business days to formulate allegations and present the evidence it considers appropriate. In your written submission to this Agency you must provide your NIF and the file number that appears in the heading of this document.

If you do not submit any allegations in response to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for submitting allegations in response to this initiation agreement, which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at €4,000 (FOUR THOUSAND EUROS), with the procedure being resolved with the imposition of this sanction.

Likewise, at any time prior to the resolution of this procedure, the applicant may make voluntary payment of the proposed fine, which will involve a 20% reduction in its amount. With the application of this reduction, the fine would be set at €4,000 (FOUR THOUSAND EUROS) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the fine can be added to the one that must be applied for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be established at €3,000 (THREE THOUSAND EUROS).

In any case, the effectiveness of either of the two reductions mentioned will be conditioned on the withdrawal or waiver of any action or appeal through administrative channels against the sanction.

If you choose to proceed with the voluntary payment of any of the amounts indicated above (4,000 euros or 3,000 euros), you must make the payment by depositing it in the account number IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are entitled. Likewise, proof of payment must be sent to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period has elapsed without a resolution having been issued and notified, the procedure will expire and, consequently, the proceedings will be archived, in accordance with the provisions of article 64 of the LOPDGDD.
In compliance with articles 14, 41 and 43 of the LPACAP, you are advised that, from now on, notifications sent to you will be made exclusively electronically, through the Single Authorised Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be noted in the file, the notification step being deemed completed and the procedure continuing. You are informed that you can register an email address with this Agency to receive notice of the availability of notifications, and that the failure to send this notice will not prevent the notification from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

935-18032024
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On June 4, 2024, the respondent party paid the penalty in the amount of 3,000 euros, applying the two reductions provided for in the Agreement of Initiation transcribed above, which implies the recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal in administrative course against the penalty and the recognition of responsibility in relation to the facts referred to in the Agreement of Initiation.
FOURTH: In the initiation agreement transcribed above, it was indicated that if the infringement were confirmed, it could be agreed to impose on the controller the adoption of appropriate measures to adjust its conduct to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”.

Having received a letter by which 20 AÑOS DE MÚSICA A.I.E. informs that it has adopted the necessary measures so that the events giving rise to the infringement committed do not occur again, this Agency acknowledges receipt of the same, without this declaration implying any pronouncement on the regularity or legality of the measures adopted.

Please note that Article 5.2 of the GDPR establishes the principle of proactive responsibility when it states that “The controller shall be responsible for compliance with the provisions of paragraph 1 and able to demonstrate it.” This principle refers to the obligation of the controller not only to design, implement and observe the appropriate legal, technical and organisational measures so that data processing is in accordance with the regulations, but also to remain actively alert throughout the entire life cycle of the processing so that this compliance is correct, and to be able to demonstrate it.
LEGAL BASIS

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

II Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement.
3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure EXP202310840, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to 20 AÑOS DE MÚSICA A.I.E.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

1219-21112023
Mar España Martí
Director of the Spanish Data Protection Agency