AEPD (Spain) - PS/00317/2020
Latest revision as of 14:28, 13 December 2023
| AEPD - PS/00317/2020 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR; Article 22(2) Ley 34/2002 |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 11.11.2020 |
| Published: | |
| Fine: | € 2400 |
| Parties: | The Royal Clinic by Doctor Marin |
| National Case Number/Name: | PS/00317/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed a fine of € 4000 on a company for not having a privacy policy and a cookie policy on its website. The fine was reduced to € 2400 due to prompt payment and acknowledgment of responsibility.
English Summary
Facts
A data subject filed a complaint with the AEPD against a plastic surgery clinic because he had received unwanted advertising on his phone number. The data subject tried to find information on the clinic's website about whom to address his complaint to, but could not find it because the website had no privacy policy.
The AEPD sent a request for information to the clinic, which replied that it provides adequate information to its clients upon collection of their data, when the clients visit the clinic for the first time. The clinic argued that in the data sheet where the personal data is collected, the data subjects are informed that their data will also be used for sending them advertising (such as discounts, offers, etc.).
The AEPD checked the clinic's website (three months after the clinic's answer was received) and found that both the privacy policy and the cookie policy were missing.
Dispute
Does the lack of a privacy and cookie policy on a website infringe Article 13 GDPR and Article 22(2) LSSI?
Holding
The AEPD decided to impose a fine on the clinic: € 2000 for the lack of a privacy policy and € 2000 for the lack of a cookie policy on the website. The absence of a privacy policy infringed Article 13 GDPR and the absence of a cookie policy infringed Article 22(2) of the Spanish Law on Information Society and Electronic Commerce Services (LSSI).
However, the fine was reduced due to:
1. prompt payment;
2. acknowledgement of responsibility (which includes the company's commitment not to pursue any further appeal against the decision).
Comment
Interestingly, the AEPD only checked whether the website complied with Article 13 GDPR and did not go any further in investigating whether the use of the clients' personal data for sending them advertising was lawful.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00317/2020
RESOLUTION R/00559/2020
TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

In the sanctioning procedure PS/00317/2020, instructed by the Spanish Data Protection Agency against DR MARÍN CIRUGIA PLÁSTICA, S.L.P., following the complaint submitted by A.A.A., and based on the following

BACKGROUND

FIRST: On October 16, 2020, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against DR MARÍN CIRUGIA PLÁSTICA, S.L.P. (hereinafter, the claimed), through the Agreement transcribed below:

<< Procedure No.: PS/00317/2020
935-240719

AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency before the entity DR. MARÍN CIRUGIA PLÁSTICA, S.L.P., with CIF B64136120, holder of the website www.dmarin.com (hereinafter, "the claimed"), by virtue of the complaint filed by D. A.A.A. (hereinafter, "the claimant"), and based on the following:

FACTS

FIRST: On 04/01/20, a complaint filed by the claimant was entered in this Agency, in which he indicated, among other things, the following:

"As a patient of B.B.B., I want to report that: the doctor's website lacks a privacy policy, legal notice, in short, it does not comply with the law or the corresponding legal texts, and therefore I do not know who the CONTROLLER of the processing is, to whom I must direct my writing. I have received on my personal phone advertising from "The Royal Clinic" By Doctor Marin. At no time have I authorized my personal telephone number to be incorporated into any customer file for commercial reasons, and therefore I do not know the use they are making of my personal data, whether they are giving it to third parties, etc. Attached capture of WhatsApp."
C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14

SECOND: In view of the facts set forth in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out actions for their clarification, under the powers of investigation granted to the supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (RGPD). Thus, on 06/10/20 an information request was addressed to the claimed entity.

THIRD: On 07/01/20, this Agency received a written reply to the request, which indicates, among other things, that:

"1º Since the claimant is not identified, we do not know what may have happened.
2º We handle data protection matters in complete order and in accordance with the law, all physical documents being kept in locked filing cabinets and in rooms with restricted and locked entry.
3º All patients, when they come for a consultation, sign the personal data sheet, learning about the data protection law and the rights they have, and knowing that they enter the database and commercial [file] of DR MARIN CIRUGIA PLASTICA.
4º All patients undergoing treatments sign informed consent documents where it is explained to them that their data, photographs and other information are held in our database, possibly for advertising purposes.
5º We do not know the true intentions of this claimant who, based on an advertisement of November 2019, makes the claim on 04/01/2020, so late and nonsensical, since only discounts are communicated to favour our most loyal patients, who evidently have signed the Data Protection law [sheet], not used for any other purpose than the benefit of the patient and improving their economic conditions in any treatment."
FOURTH: On 10/07/20, this Agency consulted the reported website www.dmarin.com, verifying the following aspects of its privacy policy and cookie policy:

A) About the Privacy Policy:
1º.- It has been verified that, on the initial page of the reported website, at the bottom, there is a contact form where users' personal data, such as name, phone number and email, are collected.
2º.- In order to send the form, the user must check the box "_ I accept the << conditions of use >> and << privacy policy >>".
3º.- On the initial page itself, there is information about the owner of the website: ***ADDRESS 1
4º.- If you try to access the "privacy policy" through the corresponding link, the web does NOT redirect to any other site, entering a loop that refreshes the initial page; therefore, there is no "privacy policy" on the web.
5º.- If you try to access the "conditions of use" through the corresponding link, the web does NOT redirect to any other site, entering a loop that refreshes the initial page; there are no "conditions of use" on the web.

B) Regarding the Cookies Policy:
There is no banner or information on this initial page about the use or not of cookies by the web or their possible installation on the computer terminal. Nor is there on this initial page any link that redirects to the "Privacy Policy".

FOURTH: In view of the facts denounced, in accordance with the available evidence, the Data Inspection of this Spanish Data Protection Agency considers that the above does not comply with current regulations, and therefore that the opening of this sanctioning procedure proceeds.
FOUNDATIONS OF LAW

I
Competence

About the Privacy Policy: By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/16, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (RGPD), recognises to each supervisory authority, and according to what is established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure.

Sections 1) and 2) of article 58 of the RGPD list, respectively, the investigative and corrective powers that the supervisory authority may have at its disposal for this purpose, mentioning in point 1.d) that of: "notify the controller or processor of alleged infringements of this Regulation" and in 2.i) that of: "impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case."

About the Cookies Policy: In accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this Sanctioning Procedure.

II
Regarding the complaint of having received advertising from "The Royal Clinic By Doctor Marin" not authorized by the claimant, it should be noted that he himself claims to be a patient of the reported clinic, from which the existence of a contract signed by both parties for his treatment follows. Therefore, in the present case, the provisions of article 6.1.b) of the RGPD must be observed, as it establishes that the processing of personal data will be lawful if necessary for the performance of a contract to which the interested party is a party. In the present case, the processing of personal data by the clinic will be lawful as long as the purpose for which the data are used is included among the purposes for which the contract in question was signed, which also include communications with the client, as long as these are not unrelated to the purpose for which the contract was signed. As the claimant has not provided any document or contract specifying, in its clauses, the consent given or not given by the claimant, this Agency cannot corroborate what was reported by the claimant.

III
Regarding the privacy policy of the website, it has been verified that personal data of users can be collected on it, and that there are links to << privacy policy >> and << conditions of use >>, but none of them redirects to an information page, looping instead. Article 13 of the RGPD establishes the information that must be provided to the interested party at the time of collection of their personal data.
Information that should appear in the "privacy policy" of the website in question:

"1. When personal data relating to him are obtained from an interested party, the controller, at the time these are obtained, will provide all the information indicated below:
a) the identity and contact details of the controller and, where appropriate, their representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;
d) when the processing is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where appropriate, the intention of the controller to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate safeguards and the means to obtain a copy of them or where they have been made available.

2. In addition to the information mentioned in section 1, the controller will provide the interested party, at the time the personal data are obtained, with the following information necessary to guarantee fair and transparent processing:
a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;
b) the existence of the right to request from the controller access to the personal data relating to the interested party, and their rectification or erasure, or the restriction of their processing, or to object to the processing, as well as the right to data portability;
c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the processing based on the consent prior to its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, and whether the interested party is obliged to provide the personal data, and the possible consequences of not providing such data;
f) the existence of automated decision-making, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information about the logic applied, as well as the significance and envisaged consequences of such processing for the interested party."

Therefore, the known facts could constitute an infringement, attributable to the claimed, for violation of article 13 of the RGPD, which establishes the information that must be provided to the interested party at the time of collection of their personal data.
For its part, article 72.1.h) of the LOPDGDD considers very serious, for the purposes of limitation periods, "the omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of the RGPD".

This offence can be sanctioned with a fine of a maximum of € 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the greater amount, in accordance with article 83.5.b) of the RGPD.

In accordance with the indicated precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction to be imposed in the present case, it is considered that the sanction to be imposed should be adjusted according to the following aggravating criteria established in article 83.2 of the RGPD:
- The category of personal data affected by the infringement. The data processed in this case are of a markedly personal nature (section g).
- The way in which the supervisory authority learned of the infringement. The way in which this AEPD has learned of it has been by a complaint from a private individual (section h).

The balance of the circumstances contemplated in article 83.2 of the RGPD, with regard to the offence committed by violating the provisions of article 13, allows setting a penalty of 2,000 euros (two thousand euros) regarding the non-existence of a "Privacy Policy" on the reported website, it having been verified that it can collect personal data of users.
IV
From the actions carried out in relation to the "Cookies Policy" of the reported website, it is found that, when accessing the main page of the website, the first layer, there is NO banner or information on this initial page on the use or not of cookies or their installation on the computer terminal, nor any link that redirects to the "cookie policy".

The facts set out could constitute, on the part of the claimed entity, the commission of the violation of article 22.2 of the LSSI, according to which:

"Service providers may use data storage and retrieval devices on recipients' terminal equipment, provided that they have given their consent after having been provided with clear and complete information on their use, in particular on the purposes of the data processing, in accordance with the provisions of Organic Law 15/1999, of 13 December, on the protection of personal data.
When technically possible and effective, the recipient's consent to accept the data processing may be given by using the appropriate parameters of the browser or other applications.
The foregoing will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, to the extent strictly necessary, for the provision of an information society service expressly requested by the recipient."

This offence is classified as "minor" in article 38.4 g) of the aforementioned Law, which considers as such: "Using data storage and retrieval devices when the information has not been provided or the consent of the recipient of the service has not been obtained in the terms required by article 22.2", and may be sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.

After the evidence obtained in the preliminary investigation phase, and without prejudice to what results from the instruction, it is considered that the sanction should be imposed in accordance with the following aggravating criteria, established in art. 40 of the LSSI:
- The existence of intentionality, an expression that must be interpreted as equivalent to the degree of culpability according to the Judgment of the National High Court of 11/12/07 in Appeal no. 351/2006, it being incumbent on the reported entity to determine a system of obtaining informed consent that conforms to the mandate of the LSSI.
- The period of time during which the offence has been committed, the claim being from April 2020 (section b).

Based on these criteria, it is deemed appropriate to impose on the claimed entity a penalty of 2,000 euros (two thousand euros) for the violation of article 22.2 of the LSSI, regarding the cookie policy on the website it owns.

Therefore, the total penalty to be imposed for both offences would be 4,000 euros (four thousand euros).

In accordance with the foregoing, the Director of the Spanish Data Protection Agency AGREES:

TO INITIATE: A SANCTIONING PROCEDURE against the entity DR. MARÍN CIRUGIA PLÁSTICA, S.L.P., with CIF B64136120, owner of the website www.dmarin.com, for:
- Infringement of article 13 of the RGPD, regarding the lack of a privacy policy on its website, it having been verified that there is processing of users' personal data without the necessary information contemplated in said article.
- Infringement of article 22.2 of the LSSI, punishable in accordance with the provisions of arts. 39 and 40 of the aforementioned Law, regarding the non-existence of a "Cookies Policy" on the website it owns.

TO APPOINT: as Instructor D. R.R.R., and as Secretary, where appropriate, Ms.
indicating that any of them may be challenged, if applicable, in accordance with what is established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

TO INCORPORATE: into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and his documentation, and the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigations, all of them part of the present administrative file.

THAT: for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be:
- 2,000 euros (two thousand euros) for the violation of article 13 of the RGPD, regarding the lack of a privacy policy on the website it owns and the processing of personal data without the necessary information contemplated in said article, without prejudice to what results from the instruction of this file.
- 2,000 euros (two thousand euros) for the violation of article 22.2 of the LSSI, regarding the non-existence of a "Cookies Policy" on the website it owns, without prejudice to what results from the instruction of these proceedings.

THAT: in accordance with article 58.2 of the RGPD, the corrective measure that could be imposed on the entity DR. MARÍN CIRUGIA PLÁSTICA, S.L.P. would consist of ORDERING IT to take the necessary measures to:
- Adapt the privacy policy of the website it owns to what is stipulated in article 13 of the RGPD.
- Adapt the cookie policy of the website it owns to what is stipulated in current regulations, for which it may follow the recommendations indicated in the "Guide on Cookies" published by the Spanish Data Protection Agency in November 2019.

TO NOTIFY: this agreement to initiate the sanctioning file to the entity DR. MARÍN CIRUGIA PLÁSTICA, S.L.P., granting it a hearing period of ten days to formulate the allegations and present the evidence it considers appropriate.

If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed is a fine, you may acknowledge your responsibility within the term granted for the formulation of allegations to the present initiation agreement; this will entail a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to 800 euros. With the application of this reduction, the penalty would be set at 3,200 euros, resolving the procedure with the imposition of this sanction.

In the same way, you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount, equivalent in this case to 800 euros. With the application of this reduction, the sanction would be set at 3,200 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the penalty is cumulative with that corresponding to the acknowledgement of responsibility, provided that this acknowledgement of responsibility is made within the period granted to formulate allegations upon the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be set at 2,400 euros (two thousand four hundred euros).

In any case, the effectiveness of either of the two mentioned reductions will be conditioned on the withdrawal or waiver of any action or appeal through administrative channels against the sanction.

If you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by paying into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure in the heading of this document and the cause of the reduction of the amount which is accepted. Likewise, you must send proof of payment to the Subdirectorate General of Inspection in order to continue the procedure according to the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

Mar España Martí
Director of the Spanish Data Protection Agency
>>

SECOND: On November 5, 2020, the defendant proceeded to pay the sanction in the amount of 2,400 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies the acknowledgement of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal through administrative channels against the sanction and the acknowledgement of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I
By virtue of the powers that article 58.2 of the RGPD recognises to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction the infractions committed against said Regulation; the infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the offences typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (hereinafter LSSI), as provided in article 43.1 of said Law.

II
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely of a pecuniary nature, or it is possible to impose a pecuniary sanction and another non-pecuniary sanction but the inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the offence.
3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any action or appeal through administrative channels against the sanction. The percentage of reduction foreseen in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00317/2020, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to DR MARÍN CIRUGIA PLÁSTICA, S.L.P.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.

936-031219
Mar España Martí
Director of the Spanish Data Protection Agency