AEPD (Spain) - PS/00200/2020: Difference between revisions
m (→Holding) |
m (Ar moved page AEPD - PS/00200/2020 to AEPD (Spain) - PS/00200/2020) |
||
(2 intermediate revisions by one other user not shown) | |||
Line 19: | Line 19: | ||
|Date_Decided= | |Date_Decided= | ||
|Date_Published=26.08.2020 | |Date_Published=26.08.2020 | ||
|Year= | |Year=2021 | ||
|Fine=3000 | |Fine=3000 | ||
|Currency=EUR | |Currency=EUR | ||
Line 54: | Line 54: | ||
}} | }} | ||
The AEPD | The AEPD fined a basketball federation €3000 for disseminating personal data without consent. | ||
==English Summary== | ==English Summary== | ||
===Facts=== | ===Facts=== | ||
The complainant sent a complaint to the FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN | The complainant sent a complaint to the Castilla y León Basketball Federation (FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN) and this organization shared his personal data without his consent. | ||
On 30 August 2017, the complainant filed a complaint with the AEPD against the FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN for the disclosure without consent of his personal data via the Internet and a newspaper. | On 30 August 2017, the complainant filed a complaint with the AEPD against the FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN for the disclosure without consent of his personal data via the Internet and a newspaper. | ||
Line 65: | Line 65: | ||
It was demonstrated that the FEDERACION de BALONCESTO de CASTILLA Y LEÓN sent the document with the personal data of the claimant, and therefore it is responsible for the violation of confidentiality when sending this document with the personal data of the claimant to a newspaper. | It was demonstrated that the FEDERACION de BALONCESTO de CASTILLA Y LEÓN sent the document with the personal data of the claimant, and therefore it is responsible for the violation of confidentiality when sending this document with the personal data of the claimant to a newspaper. | ||
===Dispute=== | ===Dispute=== | ||
Does sharing a complainant's personal data without their consent a breach of Article 6 (1) (f) GDPR? | Does sharing a complainant's personal data without their consent a breach of Article 6(1)(f) GDPR? | ||
===Holding=== | ===Holding=== | ||
The AEPD considered that the conduct of the defendant's employees - sending personal data from a complaint - infringes Article 6 (1) GDPR, by unlawfully processing the complainant's personal data, in relation to Article 5 (1) (f) GDPR, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate compliance. This is an infringement punishable under Article 83 (4) (a) GDPR. | The AEPD considered that the conduct of the defendant's employees - sending personal data from a complaint - infringes Article 6(1) GDPR, by unlawfully processing the complainant's personal data, in relation to Article 5(1)(f) GDPR, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate compliance. This is an infringement punishable under Article 83(4)(a) GDPR. | ||
Assessing the circumstances that modify the responsibility contemplated in Article 83 (2) GDPR, in this case, the aggravating circumstances for being a non-intentional but significant negligent action (Article 83 (2) (b) GDPR), and for being data known as basic personal identifiers such as name and address (83 (2) (g) GDPR. | Assessing the circumstances that modify the responsibility contemplated in Article 83(2) GDPR, in this case, the aggravating circumstances for being a non-intentional but significant negligent action (Article 83(2)(b) GDPR), and for being data known as basic personal identifiers such as name and address (Article 83(2)(g) GDPR). | ||
The AEPD set the amount of the administrative fine at € 3000. | The AEPD set the amount of the administrative fine at € 3000. | ||
Line 80: | Line 80: | ||
In fact, two reductions of 20% were applied to it: one for acknowledging his responsibility and the other for the voluntary payment prior to the resolution of the procedure. | In fact, two reductions of 20% were applied to it: one for acknowledging his responsibility and the other for the voluntary payment prior to the resolution of the procedure. | ||
Therefore, the initial penalty corresponded to EUR 5,000 and was reduced by 40%, resulting in a final figure of | Therefore, the initial penalty corresponded to EUR 5,000 and was reduced by 40%, resulting in a final figure of €3000. | ||
==Further Resources== | ==Further Resources== |
Latest revision as of 14:10, 13 December 2023
AEPD - PS/00200/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 83(2)(b) GDPR Article 83(2)(g) GDPR Ley Procedimiento Administrativo Común de las Administraciones Públicas |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 26.08.2020 |
Fine: | 3000 EUR |
Parties: | FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN |
National Case Number/Name: | PS/00200/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The AEPD fined a basketball federation €3000 for disseminating personal data without consent.
English Summary
Facts
The complainant sent a complaint to the Castilla y León Basketball Federation (FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN) and this organization shared his personal data without his consent.
On 30 August 2017, the complainant filed a complaint with the AEPD against the FEDERACIÓN DE BALONCESTO DE CASTILLA Y LEÓN for the disclosure without consent of his personal data via the Internet and a newspaper.
It was demonstrated that the FEDERACION de BALONCESTO de CASTILLA Y LEÓN sent the document with the personal data of the claimant, and therefore it is responsible for the violation of confidentiality when sending this document with the personal data of the claimant to a newspaper.
Dispute
Does sharing a complainant's personal data without their consent a breach of Article 6(1)(f) GDPR?
Holding
The AEPD considered that the conduct of the defendant's employees - sending personal data from a complaint - infringes Article 6(1) GDPR, by unlawfully processing the complainant's personal data, in relation to Article 5(1)(f) GDPR, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the data controller to demonstrate compliance. This is an infringement punishable under Article 83(4)(a) GDPR.
Assessing the circumstances that modify the responsibility contemplated in Article 83(2) GDPR, in this case, the aggravating circumstances for being a non-intentional but significant negligent action (Article 83(2)(b) GDPR), and for being data known as basic personal identifiers such as name and address (Article 83(2)(g) GDPR).
The AEPD set the amount of the administrative fine at € 3000.
Comment
In the first place, the AEPD did not admit the complaint about processing, stating that the processing of the complainant's data relating to his status as a representative of a sports organization is outside the scope of application of the LOPD and, therefore, outside the scope of action of the AEPD. The complainant filed an administrative appeal with the Audiencia Nacional, a court that declared the previous resolutions of the AEPD null and void, and therefore the AEPD agreed to initiate preliminary investigation proceedings.
The defendant/sanctioned benefited from the reduction provided for in Article 85 of Law 39/2015, of 1 October, on the Common Procedure of Public Administrations. In fact, two reductions of 20% were applied to it: one for acknowledging his responsibility and the other for the voluntary payment prior to the resolution of the procedure.
Therefore, the initial penalty corresponded to EUR 5,000 and was reduced by 40%, resulting in a final figure of €3000.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure ID: PS/00200/2020 DECISION R/00384/2020 ON THE TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER In the sanctioning procedure PS/00200/2020, conducted by the Agency Spanish Data Protection Agency to FEDERACIÓN DE BALONCESTO DE CASTILLA And LEÓN, having regard to the complaint submitted by A.A.A., and on the basis of the following BACKGROUND FIRST: On 11 August 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to FEDERATION OF BALONCESTO DE CASTILLA Y LEÓN (hereinafter the claimed), by means of the Agreement transcribed: << Style ID: PS/00200/2020 AGREEMENT ON THE INITIATION OF DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Data Protection Agency on the basis of the following BACKGROUND FIRST: On August 30, 2017, this Agency received a written presented by A.A.A. (hereinafter, the complainant), against the DIARIO DE BURGOS and BALONCESTO DE CASTILLA Y LEÓN FEDERATION concerning dissemination No consented to your data by third parties via the internet. He states that the written material disseminated by the newspaper in all its formats and broadcast on networks The name and surname of the complainant appears together with the number of ID card as well as its heading and signature. And, among other things, the following documentation is attached: A copy of the news in printed format of the DIARIO DE BURGOS dated ***DATE.1 with the heading "***HOLDER.1" and containing a letter from the CLUB BALONCESTO TIZONA to the FEDERATION OF BALONCESTO OF CASTILLA Y LEÓN dated 18 July 2017 and containing the name of the complainant together with your ID number and your signature or rubric. Please provide a copy of the receipt dated 26 July 2017 at 12:20 pm corresponding to one shipment. Provides a screenshot of a mobile terminal with a message dated Wednesday 26 July, which includes a pdf document entitled "ESCRITO TIZONA". It provides a screenshot of the news in diariodeburgos.es with date ***DATE.1 and the initials B.B.B. next to the date. The headline of the news is "Tizona "entangled" on the Miraflores" and where there is a copy of the letter sent by CLUB BALONCESTO TIZONA to the FEDERATION OF BALONCESTO DE CASTILLA Y LEÓN dated 18 July 2017 and which contains the name and surname of the complainant together with your ID number and your signature or rubric. SECOND: On September 12, 2017, after analyzing the documentation The Director of the Spanish Agency for the Environment and Rural and Marine Affairs (AEMR) Data Protection, agreeing to the filing of the complaint number E/05214/2017 The the resolution was notified to the affected party on September 19, 2017, according to receipt on file. THIRD: On 29 September 2017 the person concerned lodged a written statement with the corresponding Public Registry, being registered with the Agency on 2 October 2017, in which he claims that his personal data have been disclosed such as those referring to name and surname and ID card in a non-consensual manner, which is contrary to the LOPD. FOURTH: On 30 October 2017, the Court of First Instance ruled that the appeal of replacement -RR/00764/2017- brought by the complainant against the resolution of this Agency issued on 12 September 2017, agreeing to close the complaint number E/05214/2017. In RR/00764/2017, the rejection of the complaint is justified E/05217/2017, noting that the processing of the complainant's data linked to his As a representative of a sporting body, it is outside the scope of application of the LOPD and, therefore, of the scope of action of this AEPD. FACTS FIRST: The complainant lodges an administrative appeal with the Court National, (Procedure CA/00004/2018), the court which declares the decisions of This Agency, previously indicated, so that the Spanish Agency for the Protection of Data agrees to the initiation of preliminary investigation proceedings, through the file E/06605/2019. SECOND: The Subdirectorate-General for Data Inspection carried out a preliminary investigation into the facts in question, in by virtue of the powers of investigation conferred on the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, in hereinafter referred to as the GPRD), and in accordance with the provisions of Title VII, Chapter I, Section second, of Organic Law 3/2018, of 5 December, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD). THIRD: On 14 February 2020, the BALONCESTO FEDERATION OF CASTILLA Y LEÓN sends this Agency the following information and statements: 1. That on 26 July 2017 they received a letter from the complainant in as president of CB TIZONA, coinciding with that published in DIARIO DE BURGOS. 2. That, in federal proceedings, in particular when the case to be decided concerns a third party also belonging to the Federation itself, the received to the other party to provide the documentation or information that consider appropriate. In this case, the letter was delivered to the BC MIRAFLORES on the same day 26th. 3. That, in relation to the messages transmitted with the diffusion of the writing, they do not have constancy. 4. That they have no record that from any telephone line of the FEDERATION OF BALONCESTO DE CASTILLA Y LEÓN this document has been sent by WhatsApp. 5. That they will schedule new training and awareness actions for the staff of to maintain the due diligence practiced to date. 6. That they will provide training to the members of the Board of Directors in data protection and will again send a reminder to clubs and individuals The physical aspects of the different levels (referees and coaches) in this same line. FOURTH: On 17 February 2020, DIARIO DE BURGOS, S.A. refers to this Agency the following information and events: That on 26 July 2017 they published the news related to the in both paper and digital media because of its public significance to local and provincial level. 2. That the complainant is a public figure in the city of Burgos and the province because it holds the ***CARGO.1 and also the ***CARGO.2 being its data public personnel appearing on official public lists. 3. That the processing of the personal data of the complainant has been carried out in the context of the publication of information considered to be of public relevance of the news published in the territorial area where the news is produced. 4. Declares that: "And it is the media that echoes, through information received in the course of drafting and duly verified, of a paper submitted by Mr A.A.A. himself related to the TIZONA BALONCESTO CLUB, is not a within your personal sphere as a natural person and without transcendence of any kind. In addition, the jurisprudence of the Supreme Court and the Audiencia Nacional in infinity of Judgments and the Constitutional Court itself have repeatedly affirmed the the prevailing nature of the freedom of expression and information on protection of personal data in this case of Mr. A.A.A., the right to freedom of information is exercised by information professionals through of an institutionalized vehicle for the formation of public opinions, such as in this particular case, with the protection of these other rights being weakened constitutional provisions of Article 20.4 EC on freedom of expression and information when exercising in connection with matters that are relevant public and social interest by a media outlet and concerns truthful information. “ It, therefore, concludes that the information published is totally true, as well as DIARIO DE BURGOS does not use the Whatsapp system to communicate or spread the news or any other information, and that they have never disseminated or distributed such news by Whatsapp unless unknown persons have taken a photograph of the news published and disseminated by this medium and that in no way responsible for the actions of others that have nothing to do with this means of communication. FIFTH: On 6 March 2020 a request for information was sent to CLUB BASKETBALL MIRAFLORES, S.A.D. Notification is made electronically through notific@. According to this system of notification, the automatic refusal has taken place after ten days natural since it was made available. The postal address of the CLUB BALONCESTO MIRAFLORES, S.A.D. is checked and is included in its privacy policy, being this the El Plantío Sports Centre (office on the fencing room), C/Cascajera s/n, 09007, Burgos and joining the entities investigated. SIXTH: On 8 June 2020 a request for information was sent to CLUB BASKETBALL MIRAFLORES, S.A.D. The notification is made by postal mail and has the status "Returned to Origin by Surplus (Not removed from office)" on 22/06/2020 at 08:10. SEVENTH: On 30 June 2020 the postal address of CLUB is checked BASKETBALL MIRAFLORES, S.A.D.: consulted at www.rmc.es this is: C/ CASCAJERA S/N - POLIDEPORTIVO DE "EL PLANTIO" BURGOS. consulted at www.fbcyl.es this is: C/JUAN ALBARELLOS, 2-1º 09005 BURGOS. LEGAL FOUNDATIONS I By virtue of the powers conferred on each authority by Article 58(2) of the GPRS control, and in accordance with Articles 47 and 48.1 of the LOPDPGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure. II Article 6.1 of the RGPD establishes the cases in which the following may be considered lawful processing of personal data. For its part, Article 5 of the RGPD establishes that personal data will be "(a) processed in a lawful, fair and transparent manner in relation to the data subject ("legality, fairness and transparency"); (b) collected for specified, explicit and legitimate purposes and not treated subsequently in a manner incompatible with those purposes; in accordance with Article 89, paragraph 1, the further processing of personal data for archiving purposes in the interest public, scientific and historical research or statistical purposes shall not be considered incompatible with the initial purposes ("purpose limitation"); (c) adequate, relevant and limited to what is necessary in relation to the purposes for those that are processed ("data minimization"); (d) accurate and, where necessary, updated; all measures shall be taken to have personal data deleted or rectified without delay if they are inaccurate with respect to the purposes for which they are intended ("accuracy"); (e) kept in a form which permits identification of the data subjects during no longer than is necessary for the purposes of processing the personal data; the personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific research purposes or historical or statistical purposes, in accordance with Article 89(1), without prejudice the implementation of the appropriate technical and organizational measures imposed by this Regulation to protect the rights and freedoms of the data subject ("time limit of conservation"); (f) processed in such a way as to ensure adequate security of the data including the protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, through the application of technical or appropriate organizational arrangements ("integrity and confidentiality"). The controller shall be responsible for compliance with the provisions in paragraph 1 and able to demonstrate it ("proactive responsibility")." III In accordance with the evidence available at present, and without prejudice to the outcome of the investigation, it is deemed to be established that on 26 July 2017, the complainant submitted a brief containing his name, surname, and ID card, in his capacity as a representative of the BALONCESTO CLUB TIZONA, S.A.D. before the FEDERATION OF BALONCESTO OF CASTILLA AND LEÓN, and that almost immediately upon its reception by the aforementioned federal body, began to circulate on social networks. It is also noted that on ***DATE.1, the DIARIO DE BURGOS published in its print edition and in its digital formats the document in conflict with the data personal of the claimant, after having been referred by the FEDERATION OF CASTILLA Y LEÓN BASKETBALL. With regard to the DIARIO DE BURGOS, it should be noted that in accordance with the data protection regulations, the processing of personal data is considered lawful, in particular where necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not the interests or the fundamental rights and freedoms of the person concerned which require the protection of such data. In relation to the dissemination of personal information in communication, it should be noted that Article 20 of the Constitution Spain protects, in particular, the right to freely express and disseminate thoughts, ideas, and opinions by word, writing, or any other means of reproduction and also the right to freely communicate or receive truthful information by any media. The case-law of the Constitutional Court tends to give a position preferential to freedom of expression over other constitutional rights when on the basis of the truthfulness of the information provided, the facts reported are considered to be of public relevance. This relevance is projected not only on those who public activity, but also in those who participate in events that are considered to be of interest to citizens. Case law has also determined that the discussion about the veracity of the published information is not incompatible with the pre-eminence of the right to information over the right to data protection. The preferential value of freedom of expression and information reaches its According to the Constitutional Court, when they are exercised by information professionals by publishing information considered to be public relevance through an institutionalized vehicle for opinion formation This prevents this Agency from carrying out additional weightings of the proportionality which, given its organic nature, would necessarily imply a method of administrative control over the content of the information published by means incompatible with our institutional system. In relation to the publication of images in journalistic information, it is It should also be noted that Organic Law 1/1982 of 5 May 1982 on the Protection of Right to Honor, to personal and family privacy, and to one's own image, in its Article 8(2) provides for certain limitations on the protection of these rights if the The images shown were taken during a public event or in places open to the public public. These limitations also extend to cases where the image of a A particular person appears as merely incidental to a public event or occurrence With regard to the origin of the published data, which may be different, it should It should be noted that the means, in the exercise of their constitutional rights, are entitled to exercise their right to non-disclosure of their sources, in accordance with Article 20(d) of our Magna Carta, which recognizes the right to professional secrecy for information professionals, in development of the recognition provided for in Article 19 of the Universal Declaration of Human Rights Human beings. However, those concerned may exercise the right of withdrawal provided for in data protection regulations, without prejudice to the rights granted by the aforementioned Law Organic 1/1982, which can be exercised before the competent judicial body. Those affected may also exercise, before the media, the the law provided for in Organic Law 2/1984, of 26 March, regulating the right to rectification referred to in article 85 of the Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of digital rights, and that is outside the remit of this Agency. V In relation to the FEDERATION OF BALONCESTO DE CASTILLA Y LEÓN it is noted that they sent the letter with the complainant's personal data to DIARIO DE BURGOS, and is therefore responsible for the violation of the confidentiality by sending this document with the claimant's personal data to the newspaper, and is therefore considered to have violated Article 6.1 by a unlawful processing of the claimant's personal data, in relation to article 5.1 f) of the RGPD, which governs the principles of integrity and confidentiality of personal data, as well as the proactive responsibility of the controller to demonstrate his compliance. VI Article 72.1.b) of the LOPDGDD states that "in accordance with the Article 83(5) of Regulation (EU) 2016/679 is considered very serious and will be prescribed to three years for infringements involving a substantial breach of the articles mentioned in that one and, in particular, the following: b) The processing of personal data without any of the following conditions the lawfulness of processing laid down in Article 6 of Regulation (EU) 2016/679 VII Article 58(2) of the GPRS provides: "Each supervisory authority shall have all of the following corrective powers listed below: (b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation; (d) instruct the controller or processor to ensure that the processing operations treatment in accordance with the provisions of this Regulation, where appropriate, of in a certain way and within a specified time frame; (i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures referred to in this paragraph, according to the circumstances of each case particular; VIII This offense is punishable by a fine of up to EUR 20 000 000 or in the case of a company, an amount equivalent to a maximum of 4% of the volume In the present case, we are dealing with unintentional but significant negligent action (Article 83(2)(b)) Basic personal identifiers are affected, according to the 83.2g) Therefore, on the basis of the above, By the Director of the Spanish Data Protection Agency, IT IS AGREED: FIRST: Initiate disciplinary proceedings against the FEDERATION OF BALONCESTO DE CASTILLA Y LEÓN, with NIF G09103458, in accordance with provided for in Article 58(2)(b) of the GPRD, for the alleged infringement of Article 6 of the RGPD, as defined in Article 83.5(a) of the RGPD in relation to Article 72.1(b) of the LOPDGDD. SECOND: To appoint R.R.R. as instructor and H.S.S. as secretary, indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015 of 1 October on the Legal Regime of the Sector Public (LRJSP). THIRD: TO INCORPORATE into the sanctioning file, for evidential purposes, the complaint by the claimants and their documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the of investigations, as well as the report of previous Inspection actions. FOURTH: THAT for the purposes provided in Article 64.2 b) of Law 39/2015, of 1 October of the Common Administrative Procedure of Public Administrations, the sanction that 5,000 (five thousand euros) without prejudice to the outcome of the of instruction. of total annual business for the previous financial year, opting for the highest the amount, in accordance with article 83.5 of the RGPD. It is also considered that the penalty to be imposed should be graduated in accordance with the following criteria set out in Article 83.2 of the GPRS: The following are aggravating factors: FIFTH: TO NOTIFY THIS AGREEMENT TO THE BALCONY FEDERATION OF CASTILLA Y LEÓN, with NIF G09103458 giving you a ten-day hearing to formulate the allegations and submit the evidence it considers convenient. In your pleading, you must provide your VAT number and the number of the procedure set out in the heading of this document. If you do not make representations on this initiating agreement within the stipulated time limit, the The same may be considered as a motion for a resolution, as set out in Article 64.2.f) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administration (LPACAP). In accordance with Article 85 of the LPACAP, if the penalty to be imposed other than a fine may acknowledge its responsibility within the time limit granted for the purpose of making representations on this initiating agreement; this will and a 20% reduction in the penalty to be imposed at present procedure. With the application of this reduction, the penalty would be set at 4000 (four thousand euros), the procedure being resolved with the imposition of this sanction. Similarly, at any time prior to the resolution of this the procedure, to carry out the voluntary payment of the proposed penalty, which will reduction of 20% of its amount. With the application of this reduction, the sanction would be set at EUR 4000 (four thousand euros), and its payment would imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the one is to be applied for the recognition of responsibility, provided that this recognition of responsibility is shown within the time allowed to make representations on the opening of the proceedings. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to resolution. In this case, if both reductions are to be applied, the amount of the penalty would be set at 3000 euros (three thousand euros). In any case, the effectiveness of either of the two reductions mentioned shall be conditional upon the withdrawal or waiver of any action or remedy in the the administrative sanction against the sanction. If you choose to make a voluntary payment for any of the 4,000 or 3,000, you must pay it by depositing it in the account nº ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency in the CAIXABANK, S.A. Bank, indicating in the concept the reference number of the procedure in the heading of this document and the reason for the reduction in the amount it covers. You must also send proof of payment to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity entered. The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. Once has passed. that time limit will expire and, consequently, the proceedings will be discontinued in accordance with the provisions of Article 64 of the LOPDGDD Finally, it should be noted that in accordance with Article 112.1 of the LPACAP, there is no administrative remedy against this act. Mar Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On August 22, 2020, the claimant paid the 3,000 by making use of the two reductions provided for in the above-transcribed agreement, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to make representations to the opening of the procedure entails the waiver of any action or appeal in administrative sanction and recognition of responsibility in relation to the facts referred to in the Home Agreement. LEGAL FOUNDATIONS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS control, and in accordance with Article 47 of Organic Law 3/2018 of 5 December December, on the Protection of Personal Data and Guarantee of Digital Rights (en hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalize infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the article 84.3 of the GLT, and the offenses defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on the services of the company information and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article 43.1 of said Law. II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. A sanctioning procedure has been initiated if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the penalty as appropriate. 2. When the sanction is sole of a pecuniary nature or when it fits impose a financial penalty and a non-pecuniary penalty but it has been justified the unsuitability of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at less 20% of the amount of the proposed penalty, which may be cumulated each other. These reductions must be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of the reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00200/2020, of in accordance with Article 85 of the LPACAP. SECOND: NOTICE this resolution to the BALONCESTO FEDERATION OF CASTILE AND LION. In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public after it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114.1.c) of Law 39/2015, of 1 October, on Administrative Procedure The persons concerned may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the referred to Law. Mar España Martí Director of the Spanish Data Protection Agency