AEPD (Spain) - EXP202401934: Difference between revisions

AEPD - EXP202401934
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 21 LSSI
Type:	Complaint
Outcome:	Upheld
Started:	02.01.2024
Decided:	26.09.2024
Published:	20.11.2024
Fine:	20,000 EUR
Parties:	Supervista Optics Spain
National Case Number/Name:	EXP202401934
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	ao

The DPA fined an optician €20,000 for sending a former customer a marketing email even though she had expressly objected to this form of processing.

English Summary

Facts

On the 2 January 2024, the data subject filed a complaint against the controller, Supervista Optics - an optician, with the Spanish DPA (AEPD). The data subject had received an email from the controller informing her that although it had been two years since she had purchased glasses with the controller, she is entitled to a free eye examination with the controller.

The data subject had previously exercised her right to object to receiving any marketing communications on 24 May 2023. The controller had acknowledged receipt of the request and placed the data subject on a “marketing blacklist”.

The controller argued, that the communication was a service email, which did not discuss content of a commercial nature. It detailed that it was justified in sending this email as the warranty for the purchased glasses had not expired yet. It further argued that Article 21(2)(1) of the Spanish transposition of the e-privacy Directive, Law 34/2002 (Ley 34/2002 - LSSI) allows for the delivery of commercial advertisements as long as there is a contractual relationship between the controller and the data subject.

Holding

The AEPD held, that any form of communication, which directly or indirectly promotes the goods, or services of a company is classified as being of a commercial nature. Although the service offered is free of charge, it is performed as part of the controller’s commercial activity as an opticians.

Article 21(2)(1) LSSI would only hold up if the data subject had not specifically exercised their right to object. The AEPD set a fine of €20,000 for the violation of Article 21(1) of the LSSI.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12

 File No.: EXP202401934

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) filed a

complaint with the Spanish Data Protection Agency (hereinafter AEPD) on 02/01/2024. The
complaint is directed against GAFAS EN RED DE ÓPTICAS S.L. (hereinafter GAFAS
EN RED), with NIF B73833758, but in the allegations of 11/07/2024 to this
sanctioning procedure, its legal representative reports that the name of the
company is SUPERVISTA OPTICS SLU as of 01/01/2024.

The reasons on which the claim is based are the following:

The receipt of commercial electronic communications at the email address
***USUARIO.1@gmail.com, the last one being dated 12/12/2023, after confirmation
on 05/24/23 by GAFAS EN RED of the receipt of opposition/deletion of the

complainant's request to receive commercial communications.

Along with the notification, a copy of the message of 05/24/23 from GAFAS EN RED is provided,
confirming the requested cancellation, as well as a copy of the message of 12/12/2023, in which
GAFAS EN RED offers a new vision review to the complainant.

The email sent by GAFAS EN RED to the complainant says the

following:

“Dear customer, it has been approximately 2 years since you purchased a pair of

glasses from us.

Did you know that, despite the passage of time, as a customer of gafas.es you are entitled
to a free vision check?

Since visual acuity can change significantly over the course of

two years, we would like to remind you today that you are invited to have a free vision
check with us.

Perhaps you have already noticed this for yourself? For example, have you
experienced pronounced glare from traffic lights while driving at night?

If so, this would be a clear sign that your visual acuity has changed!

In addition, with the glasses you purchased from us, you are always entitled to a
free, no-obligation eyeglass fitting and vision check. The eyeglass fitting
includes: - Cleaning, screwing and adjusting the frame for greater comfort. -

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12

Free professional eye exam to assess the current state of your lenses and whether
your prescription has changed. BOOK A FREE GLASSES FITTING AND EYE
CHECK-UP”

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the
Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was transferred on 02/02/2024 to GAFAS EN
RED, so that it could proceed with its analysis and inform the AEPD within one month of the actions carried out, to comply with the requirements provided for in the
data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on February 13, 2023, as stated in the
acknowledgement of receipt that is in the file. No response has been received to this transfer letter.

THIRD: On April 2, 2024, in accordance with article 65 of the LOPDGDD,
the claim submitted by the complaining party was admitted for processing.

FOURTH: On May 28, 2024, the Director of the AEPD agreed to initiate sanctioning proceedings against the respondent party, for the alleged violation of Article 21 of the LSSI,

specified in Article 38.4.d) of the LSSI.

FIFTH: The aforementioned start agreement was notified electronically on 05/29/2024
in accordance with the rules established in Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), and the acknowledgement of receipt takes place on 06/07/2024.

SIXTH: On 07/04/2024, SUPERVISTA AG, as 100% owner of SUPERVISTA
OPTICS SLU (formerly called GAFAS EN RED), submits a request for an extension
until July 12, 2024 for this file. SUPERVISTA AG is a S.A. with
domicile in Germany, Königs Wusterhausen SIEMENSSTRABE 2, 15711 CP.

In the request for an extension of a new period for the allegations, in addition to being
untimely, there is also no documentary evidence that the signatory of
SUPERVISTAAG holds the representation of SUPERVISTA S.L.U.

SEVENTH: In its written allegations of 07/11/2024 SUPERVISTA OPTICS SLU
(SPAIN), it first indicates that as of 01/01/2024 GAFAS EN RED) there has been a
change of corporate name, becoming SUPERVISTA
OPTICS SLU; and then states in summary that the complainant was a
customer of GAFAS EN RED and after refusing to receive messages on 07/24/2023, it was
included on a marketing blacklist, so it did not receive electronic
commercial communications from that date onwards. However, your data, as a

customer and user, continued to be stored in accordance with legal requirements.

You also allege that on 12/12/2023, GAFAS EN RED sent the complainant a

message for a free review of the purchased glasses, as the warranty period had not yet expired

and that it was a service email and not a commercial one, because article 21.2 of the LSSI
authorizes the sending of commercial communications when there is a prior contractual relationship and the communication
refers to the purchased product.

The Court concludes in its pleadings that there is no infringement, no intent, no
repeat in this case and that the proposed fine of twenty thousand euros (€20,000) is completely disproportionate, even if intent and
repeat are assumed.

It also cites the judgment of the CJEU (EuGH/ECJ C-300/21 of 04.05.2023), according to which
it must be examined whether damage has been caused to the person concerned, which occurs
if the data of the data subject has been disclosed to unauthorized third parties. This
judgment resolves a preliminary question on the interpretation of Article 84 of the

GDPR, on the possibility of automatically obtaining compensation for damages before the courts, based on a breach of the GDPR.
EIGHTH: In the Resolution Proposal of 07/08/2024, the allegations of the

Initiation Agreement presented by GAFAS EN RED on 11/07/2024 are assessed as follows:

GAFAS EN RED alleges that the complainant was a client and that after exercising his
right to object to advertising communications on 24/05/2023, the complainant was included in a marketing blacklist, so he did not receive any

electronic commercial communications from that date. GAFAS EN RED considers that the message sent is for its client, it is not of a commercial nature, as it is a service offered to its client, in accordance with article 21.2 of the
LSSI.

In this regard, it is necessary to reiterate the definition of commercial communication in ANNEX

section f) of the LSSI as: “any form of communication aimed at the promotion,
directly or indirectly, of the image or the goods or services of a company,
organization or person that carries out a commercial, industrial, artisanal or
professional activity.” In accordance with this definition, both the letter and the
e-mail sent by GAFAS EN RED have the character of commercial

communication.

With respect to article 21.2 paragraph 1 of the LSSI alleged by GAFAS EN RED, the
sending of advertising communications would only be applicable as long as the
interested party has not exercised his right to object, provided for in paragraph 2 of
article 21.2 of the LSSI itself.

Since the complainant exercised his right to object to continuing to receive
advertising messages on 05/24/2023 and GAFAS EN RED acknowledged receipt of
this request on the same date, subsequent communications from GAFAS EN RED
have taken place against the expressed will of the complainant.

Article 21 of the LSSI thus expressly prohibits the sending of
advertising or promotional communications by email that have not previously been
requested or expressly authorized by the recipients thereof and also those made against the right of opposition of the interested party,
duly expressed.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12

GAFAS EN RED also claims that there is no infringement, no intent, no
repeat in this case and the proposed fine of twenty thousand euros (20,000 €)
is completely disproportionate, even if intent and

repeat are assumed.

As regards the non-existence of the alleged infringement, article 38.4 section d) of the
LSSI classifies as a minor infringement the sending of commercial communications by
e-mail or other equivalent means of electronic communication, when such
sending does not comply with the requirements established in article 21 of the LSSI, as is

the case. Sending advertising communications in the knowledge of the contrary will expressed by the interested party is a minor infringement according to the LSSI, since GAFAS EN RED was aware of the opposition of the complaining party, to whom it sent a confirmation email.

As regards the allegation of the lack of proportionality of the sanction, it should be noted that the proposed €20,000 for the sanction is at the mid-range of fines of up to a maximum of €30,000, as stipulated for minor infringements by article 39.1 c) of the LSSI.

As regards the allegation of the absence of recidivism, Law 40/2015 on the Legal Regime of the Public Sector (hereinafter LRJSP), in its article 29.3 section d)
(proportionality of sanctions for the sanctioning power) regulates this aspect
as follows:

“The degree of the sanction will especially consider the following criteria:

(…)
d) Recidivism, due to the commission within a period of one year of more than one infringement of the
same nature when this has been declared by a final resolution in an administrative
process.”

There is already a final resolution of the sanctioning procedure of the AEPD itself
(PS/00076/2024), for the commission within a year of an infringement of the
same nature by GAFAS EN RED; the sanction proposal of
PS/00076/2024 was initially €10,000 and the sanction finally paid was reduced
by €6,000, but only as a result of the reductions of 20% for recognition of
responsibility and 20% for waiving the administrative route (total reduction of 40%

of the sanction as a sum of both concepts).

Therefore, it is appropriate to aggravate the sanction proposal, thus complying with the
principle of proportionality, as the breach is aggravated, in accordance with
article 29.3 section d) of the LRJSP.

As regards the allegation of lack of intention as an aggravating factor, it should be noted
that GAFAS EN RED ignores the legitimately expressed desire of the
complainant to whom it even sent an e-mail confirming his right to object, thereby demonstrating a qualified desire to contradict his desire
not to receive advertising mailings, by sending him an e-mail and also a postal mail,
both with similar promotional content.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12

In the grading of the sanction, the application of the aggravating factors of intention and
recidivism are correct in terms of the application of the principle of proportionality
in the sanction, taking as a starting point the previously proposed sanction

(PS/00076/2024), together with the two aggravating factors described and duly accredited.

GAFAS EN RED invokes in its defence the judgment of the Court of Justice of the
European Communities (EuGH/TJCE C-300/21 of 04.05.2023), which would require the
existence of damage to the affected person as a prerequisite for the sanction and
which would only take place if the data subject's data has been disclosed to unauthorized

third parties.

This judgment resolves a preliminary question on the interpretation of article 84
of the GDPR, namely the possibility of automatically obtaining compensation for
damages before the courts, based on a violation of the GDPR. This

contentious issue and its solution in the indicated judgment, has nothing to do with the
present procedure, which is based on an administrative infringement of the
LSSI, and not on the requirements necessary for a possible
compensation for damages before the civil courts for non-compliance with the
RGPD, so the resulting jurisprudence and doctrine would not be applicable to
the case in question.

NINTH: In the resolution proposal, the initial sanction of the
Initiation Agreement is confirmed and it is proposed that SUPERVISTA OPTICS SLU (until
31/12/2023 under the name of GAFAS EN RED DE ÓPTICAS, S.L.) be sanctioned with a fine of
twenty thousand euros (€20,000) for the infringement of Article 21 of the LSSI, classified in

Article 38.4.d) of the LSSI.

On 08/07/2024, the AEPD notified SUPERVISTA OPTICS SLU, with an acknowledgement of receipt
of 08/08/2024, of the proposed resolution, granting them a period of 10 days to
make new allegations, without any allegation having been submitted to date.

From the actions carried out in the present procedure and the documentation
in the file, the following have been proven:

PROVEN FACTS

FIRST: The complainant has been a client of GAFAS EN RED (from
01/01/2024 it is called SUPERVISTA OPTICS SLU).

SECOND: On 05/24/23 the complainant exercised before GAFAS EN RED its right
to object to the receipt of advertising communications. GAFAS EN RED

notified on the same date the cancellation of the complainant's data.

THIRD: On 12/12/2023, the complainant received a commercial communication at his/her email address from GAFAS EN RED ***USUARIO@gmail.com, again, for an eye exam and the prescription of new glasses.

LEGAL BASIS

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12

I
Jurisdiction

In accordance with the provisions of article 43.1 of Law 34/2002, of July 11, on
information society services and electronic commerce (hereinafter
LSSI) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law
3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve

this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

Finally, the fourth additional provision "Procedure in relation to the
powers attributed to the Spanish Data Protection Agency by other
laws" establishes that: "The provisions of Title VIII and its implementing

rules will be applicable to the procedures that the Spanish Data Protection Agency
must process in the exercise of the powers attributed to it by
other laws."
II
Preliminary issues

Prohibition of unsolicited or expressly authorized commercial communications, by email or equivalent electronic means of communication

In general, the LSSI prohibits unsolicited or expressly authorized commercial communications, based on a concept of commercial communication that
is classified as an information society service and is defined in its Annex
as follows:

“f) Commercial communication”: any form of communication aimed at promoting,
directly or indirectly, the image or the goods or services of a company,
organization or person who carries out a commercial, industrial, artisanal or
professional activity.

For the purposes of this Law, data that allow direct access to the activity of a person, company or
organization, such as the domain name or email address, or
communications relating to the goods, services or image offered
when they are prepared by a third party and without financial compensation, will not be considered commercial communication.

The concept of commercial communication, according to the definition contained in
Annex f), first paragraph of the LSSI, includes all forms of communication
intended to directly or indirectly promote goods, services or the image of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12

a company, organization or person with a commercial, industrial, artisanal or
professional activity.

On the other hand, the LSSI in its Annex a) defines “Information Society Service” as “any service normally provided for a fee, at a distance,
electronically and at the individual request of the recipient.

The concept of information society service also includes
services not remunerated by their recipients, insofar as they constitute an

economic activity for the service provider.”

The definition of service provider is contained in section c) of the Annex of the
cited standard, which considers as such the “natural or legal person who provides an
information society service”.

The aforementioned section adds that the sending of commercial communications is an
information society service, provided that it represents an economic activity.

According to section d) of the cited Annex, the recipient is the “natural or legal person who
uses, whether or not for professional reasons, an information society
service”.

From the above it follows that, when the commercial communication does not meet the
requirements required by the concept of Information Society Services,
it loses the character of commercial communication.

In this regard, the second paragraph of Annex f) of the LSSI indicates two cases, which
will not be considered commercial communication for the purposes of this Law:

a) data that allow direct access to the activity of a person,

company or organization, such as the domain name or email address, and,

b) communications relating to the goods, services or image offered when they are prepared by a third party and without
financial compensation.

Article 21 of the LSSI regulates the conditions of advertising communications

as follows (the relevant part is underlined):

Article 21

“1. The sending of advertising or promotional communications by

e-mail or other equivalent means of electronic communication that
have not been previously requested or expressly authorized by the recipients of the same is prohibited.

2. The provisions of the previous section will not apply when there is a
previous contractual relationship, provided that the provider has lawfully obtained

the contact details of the recipient and used them to send commercial communications
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12

regarding products or services of its own company that are
similar to those that were initially the subject of the contract with the client.

In any case, the provider must offer the recipient the possibility of opposing the
processing of their data for promotional purposes through a simple and free procedure, both at the time of data collection and in each of the
commercial communications sent to them.

When the communications have been sent by email, this

means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised,
and the sending of communications that do not include this address is prohibited.”

Article 21.1 of the LSSI expressly prohibits the sending of advertising or promotional communications by email, which have not been previously requested or expressly authorized by the recipients of the same, with the sole exception provided for in article 21.2 of the LSSI, which authorizes the sending of commercial communications when there is a prior contractual relationship, and exclusively for commercial communications referring to products or services of

your own company that are similar to those initially contracted by the client.

"Spam" refers to any type of unsolicited communication, sent electronically and whose purpose is to offer, market or try to arouse interest in a product, service or company.

The sending of commercial messages, without prior consent or having exercised the right of opposition, is prohibited by Spanish legislation, and even more so when it is carried out in a massive and indiscriminate manner. The low cost of sending emails via the Internet or by mobile phone (SMS and MMS), their possible

anonymity, the speed and volume of transmissions have favored this practice to be carried out in an abusive and indiscriminate manner.

III
Obligation breached

Article 21 of the LSSI

The known facts could constitute an infringement, attributable to the respondent party, for violation of article 21 of the LSSI.

In accordance with the available evidence, GAFAS EN RED sent a commercial email on 12/12/2023 to the complaining party's email address
***USUARIO.1@gmail.com, despite GAFAS EN RED having confirmed by
message dated 24/05/23 the removal from its databases for the purposes of commercial
communications, in response to the complaining party's request.

GAFAS EN RED is a service provider, as it is a
legal person that provides an information society service (Annex
c) of the LSSI) that carries out commercial communication for the direct

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12

or indirect promotion of the image or of its goods or services of its company, (definition Annex
f) of the LSSI). The service offered is a free eye exam, a non-remunerated
service, but which GAFAS EN RED carries out within the framework of its commercial activity,

in its capacity as a provider of optical services (sale of glasses, etc.) for
the promotion of its goods and services.

GAFAS EN RED would have sent an email with advertising communication,
knowing the recipient's opposition since May 2023, despite the fact that GAFAS EN RED communicated on that date the deletion of personal data to the

complainant.

By sending the commercial communication without the consent of the complainant, who has exercised his right of opposition prior to sending it,
GAFAS EN RED would have infringed article 21 of the LSSI, which requires for these

cases the consent of the recipient and prohibits the sending of commercial communications
after the right of opposition has been exercised.

IV
Classification of the infringement

Thus, the sending of unsolicited commercial communications, outside the
exceptional assumption of article 21.2 of the LSSI, may constitute a minor or serious infringement of the LSSI.

Title VII of the LSSI, under the heading “Infringements and sanctions”, contains the

penalty regime applicable in the event of any of the infringements contained in the table of infringements contained therein. Specifically,
Article 37 specifies that “information society service providers are subject to the
penalty regime established in this Title when this Law is applicable to them.”

In accordance with the provisions of Article 38, in its sections 3 and 4 of the LSSI,
the following are considered serious and minor infringements (the part applicable to the case is underlined):

“4. The following are considered minor infringements:

d) The sending of commercial communications by email or other equivalent means of
electronic communication when said sending does not comply with the
requirements established in Article 21 and does not constitute a serious infringement.”

In view of the proven facts, non-compliance with Article 21 of the LSSI
constitutes, in the terms indicated by the aforementioned Article 38.4.d), a minor infringement
in this case, as it involves an individual sending of an advertising or

promotional communication by email, without the consent of the interested party.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12

V
Proposed sanction

This infringement of Article 21, being classified as minor, may be sanctioned with
a fine of up to €30,000, in accordance with Article 39.1 c) of the LSSI, which stipulates the
following (the part applicable to the case is underlined):

“1. For the commission of the offences listed in the previous article, the following sanctions will be imposed:

a) For the commission of very serious offences, a fine of 150,001 to 600,000 euros.
The repetition within a period of three years of two or more very serious offences,
sanctioned with final character, may give rise, depending on its circumstances, to the
sanction of prohibition of acting in Spain, for a maximum period of two years.

b) For the commission of serious offences, a fine of 30,001 to 150,000 euros.
c) For the commission of minor offences, a fine of up to 30,000 euros.”

Likewise, in accordance with the evidence available, it is considered that
it is appropriate to graduate the sanction to be imposed in accordance with the following criteria
established in article 40 of the LSSI:

“The amount of the fines imposed will be graduated according to the following
criteria (the criteria applied are underlined):

a) The existence of intentionality.
b) Period of time during which the infringement has been committed.
c) Recidivism by committing infringements of the same nature, when
this has been declared by a final resolution.
d) The nature and amount of the damages caused.
e) The benefits obtained by the infringement.

f) Volume of turnover affected by the infringement committed.
g) Adherence to a code of conduct or a system of advertising self-regulation applicable to the infringement committed, which complies with the provisions of
article 18 or the eighth final provision and which has been reported
favorably by the competent body or bodies.”

-The existence of intentionality (section a), since the complaining party had
requested that no more commercial communications be sent to it and the entity
responded to had acknowledged receipt of said request, confirming that it had been
acknowledged, and despite this, it has subsequently sent advertising messages again.

-As there is a final resolution of the sanctioning procedure of the AEPD
(PS/00076/2024), for the commission by GAFAS EN RED of an infringement of the
same nature in the same year, the aggravating circumstance of recidivism also applies
(section c).

For all the reasons set out above, it is considered appropriate to maintain the proposed
sanction of the initiation agreement, of an administrative fine of twenty thousand euros
(€20,000).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12

Therefore, in accordance with applicable legislation and having assessed the criteria for
graduating sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on SUPERVISTA OPTICS SLU (until 31/12/2023 under the
name of GAFAS EN RED DE ÓPTICAS, S.L.), with NIF B73833758, for a
violation of Article 21 of the LSSI, classified in Article 38.4.d) of the LSSI, a
fine of twenty thousand euros (20,000 euros).

SECOND: NOTIFY this resolution to SUPERVISTA OPTICS SLU.

THIRD: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty.
The sanctioned party is warned that he must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Royal

Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in

the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision in administrative proceedings may be provisionally suspended if the interested party
expresses his intention to lodge an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of a

written letter addressed to the Spanish Data Protection Agency, presenting it through the
Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through one of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. He must also transfer to the Agency the

documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es