AEPD (Spain) - PS/00062/2020: Difference between revisions
mNo edit summary |
m (Ar moved page AEPD(Spain) - PS/00062/2020 to AEPD (Spain) - PS/00062/2020) |
||
(One intermediate revision by the same user not shown) |
Latest revision as of 13:53, 13 December 2023
AEPD - PS/00062/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 11 LOPDGDD |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 28.01.2021 |
Published: | 08.02.2021 |
Fine: | 5000 EUR |
Parties: | Predase Servicios Integrales SL Predase Servicios Integrales SL |
National Case Number/Name: | PS/00062/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed a fine of €5,000 on Predase Servicios Integrales SL for infringing Article 13 GDPR. PSI did not have a privacy policy, nor any information on processing in the contact section of its webpage (which required the provision of personal data).
English Summary
Facts
Predase Servicios Integrales SL (PSI) provides advice on a range of issues such as occupational risk prevention; data protection or insurance. On its webpage, PSI has a section of interested parties which included requirements to fill in address, telephone number and had a data collection form.
However, investigations by the Spanish DPA showed that PSI's website did not have a privacy policy, nor provided information in accordance with Article 13 GDPR.
To justify this, PSI mentioned that the contact form was not operational, so an email address was provided instead.
The Spanish DPA encountered many errors (server permission denial and object not found) attempting to access the website during its investigation. At the time of the decision, the website was still not accessible
Dispute
Does the lack of a privacy policy or information on data processing on a webpage's contact section breach Article 13 GDPR even if the contact form is not operational?
Holding
The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing to provide information to parties interested in their services. The Spanish DPA also refered to Article 11 of the national Spanish Law on Data Protection and Digital Rights (LOPDGDD) on the provision of information to data subjects.
The Spanish DPA therefore went to conclude that PSI violated Article 13 GDPR by provided a contact section that included requirements for telephone, an email and a data collection form without providing information on the data processing at stake.
The argument that the contact section was not operational and therefore not collecting personal data could not be verified by the DPA due to the website's errors. Therefore, this argument was dismissed by the DPA. Similarly, the DPA held that the fact that the form is not operational, does not mean that the controller in charged of a webpage does not have to comply with the duty to provide information as per Article 12 and 13 GDPR. This is the case as the website would process personal data even if interested parties contact PSI via the email address provided.
The Spanish DPA therefore imposed a fine of €5000 on Predase Servicios Integrales SL for infringing Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/16 Procedure No.: PS / 00062/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated March 20, 2019 filed a claim with the Spanish Data Protection Agency. The claim is directed against PREDASE SERVICIOS INTEGRALES SOCIEDAD LIMITED with NIF B02547164 (hereinafter, the claimed). The reasons on which it bases the claim are as follows: "[….] SECOND. - On the Internet page with the domain name «Www.predase.es», and under the trade name «PREDASE», are offered, among others, regulatory compliance services within the scope of Regulation (EU) 2016/679 and of Organic Law 3/2018. […] THIRD. - Scrolling down the sidebar of the browser on the page of start, you have access to various links related to the presence in different Internet social networks of the natural or legal person acting under the name commercial «PREDASE». In relation to data protection services, it stands out, in the margin left of the screen, the image of a padlock that includes the legend «RGPD / LOPD », […] BEDROOM. - By clicking on the image of the aforementioned padlock, you are linked to a publication in the public profile of «PRÉDASE» on the social network Google+, in which a quadrilateral appears that groups the graphic symbols of «PRÉDASE» and of the SPANISH AGENCY FOR DATA PROTECTION, without distinguishing between them, and adding to the set the contact details of the natural or legal person that acts under said trade name. […] SIXTH.- In this sense, the grouping of the graphic symbols of «PRÉDASE» and of the SPANISH DATA PROTECTION AGENCY, considered as a whole homogeneous within the same quadrilateral, without distinguishing between its components, and adding to the set the contact details of the natural or legal person acting under said trade name, it could be constitutive of an unlawful act consisting of generate «the appearance that it is acting in the name, on behalf of or in collaboration with the Spanish Agency for Data Protection ”, in relation to the indiscriminate publication or communication of its offer of services in the field of data protection to your entire network of contacts in the social network Google+ and to Anyone responsible and in charge of the treatments who visit your page of Internet for the purpose of contracting professional compliance services normative in this area. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/16 SEVENTH. - As a consequence, this alleged misleading and illegitimate use of the graphic symbol of the SPANISH DATA PROTECTION AGENCY can suppose an aggressive practice in terms of data protection, generating the Image of a false endorsement of the aforementioned supervisory authority in relation to the services offered by the natural or legal person acting under the trade name «PRÉDASE». EIGHTH. - This practice has its supposed continuation in a second performance that allegedly could incur in letter c) of the Additional Provision sixteenth of Organic Law 3/2018, which considers aggressive practice in matters of data protection the performance of "commercial practices in which the decision-making power of the recipients by referring to the possible imposition of sanctions for breach of the personal data protection regulations »: "It can not be true!!!!! You are not yet adapted to the new general regulation of data protection (RGPD). DO NOT wait for them to sanction you, find out at C / *** ADDRESSB.1 or *** URL.1 ”[…] NINTH.- As a corollary of what has been stated so far, the facts and factual elements related in this brief could suppose an alleged conjunction of aggressive practices in terms of data protection, through interference undue not only in the image and powers of the Spanish Protection Agency of Data, but also in the autonomy of the will of those responsible and those in charge of the treatments, through an alleged distortion of the spirit of the legal regulations on data protection. TENTH. - The Internet page with the domain name "*** URL.1" does not facilitate the general information established in article 10 of Law 34/2002, of July 11, on information society and electronic commerce services. Likewise, despite having a personal data collection form, nor does it provide a privacy policy in order to comply with what is established in articles 12 (right of transparency) and 13 (right of information) of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons in what Regarding the processing of personal data and the free circulation of these data and repealing Directive 95/46 / EC (General Regulation for the protection of data)." Along with the claim, it provides screenshots of the web, of the social network Google+ and Facebook for evidential purposes of what is stated in the brief. It also incorporates copy of the Notarial Accountability Deed granted before the notary of the city of *** LOCALIDAD.1, D. B.B.B., dated March 18, 2019, Protocol No. 620, of the content of the web page that leads to the PREDASE profile on the social network GOOGLE +. SECOND: On April 23, 2019, proceedings are carried out in this Agency to to state that, after an analysis of the web page that is the object of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/16 claim (www.predase.es), does not have the same identification of your responsible or information regarding privacy policy. THIRD: The claim was admitted for processing on April 29, 2019. FOURTH: In view of the facts reported in the claim and the documents provided by the claimant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation General Data Protection, hereinafter RGPD), and in accordance with the established in Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights digital (hereinafter LOPDGDD). As a result of the investigative actions carried out, the report prepared by the acting inspector reveals the following: “Regarding the fact of the use of the logo of this Agency together with the logo and contact information of PREDASE, this is verified by the notarial deed presented by the claimant of the content of the page web that leads to the PREDASE profile on the GOOGLE social network + done appear grouped together, and as a whole, the PREDASE logo, the logo of this Agency, the European flag, and PREDASE contact information. Regarding the denounced fact of the publication on the social network FACEBOOK and the indicated in the claim according to the sixteenth additional provision, letter c) that establishes aggressive practice regarding data protection: “Carry out commercial practices in which the decision-making power of the recipients by referring to the possible imposition of sanctions for breach of the personal data protection regulations ”. It is found that in PREDASE's FACEBOOK profile, dated March 12 2019, the following content was published: "It can not be true!!!!! You are not yet adapted to the new general regulation of data protection (RGPD). DO NOT wait for them to sanction you, find out at C / *** ADDRESS.1 or *** URL.1. " Access to this publication is still available at the date of this report. Diligence is recorded in the SIGRID system with the screen print of the publication. It is also verified that the website of PREDASE, a company of advice, among other issues, on data protection, lacks policy of privacy and collect data in your contact form without the need for the acceptance of treatment. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/16 It is recorded in the SIGRID diligence system with the only content page of the site Web. Nor is the ownership of the website reported as stated in article 10 of Law 34/2002, of July 11, on information society services and e-commerce, mentioning the commercial brand as a company name PREDASE On June 28, 2019, it is received at this Agency, with registration number 032629/2019, letter sent by ORANGE ESPAGNE, S.A.U. informing that the ownership of the line *** TELEPHONE. 1 that appears on the website corresponds to C.C.C., with DNI *** NIF.1 and installation address on the street *** ADDRESS.1, *** LOCALITY. 1. After a search in the Central Mercantile Registry, the PREDASE SERVICIOS INTEGRALES SOCIEDAD LIMITADA, with registered office coinciding with the one that appears on the website denounced and in which the owner of the The contact telephone number that appears on the website appears as the sole administrator. The Mercantile Registry report is recorded in the SIGRID system, as an associated object. Central. For all the above, it can be affirmed that the facts denounced are true and that the company responsible for the website referred to in the claim is PREDASE SERVICIOS INTEGRALES SOCIEDAD LIMITADA. " FIFTH: Consulted on March 10, 2020, the application of the AEPD was verifies that the only sanctioning procedure in which the claim appears as mercantile PREDASE SERVICIOS INTEGRALES SOCIEDAD LIMITADA with NIF B02547164, is the present procedure. SIXTH: On March 17, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure for the complained party, by the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the aforementioned rule. SEVENTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written allegations on June 25, 2020 where he requested the filing of the procedure sanctioner and revealed the following: "[...] Regarding the data form, it is not operational (nor has it ever been). Of In fact, it is an addition of a template in order to use the "blue popup" style of the Contact Form. You can see that it does not display any error message in case of do not enter data (or do it wrongly), nor do you have a satisfactory message in shipping case. It just redirects directly to the home screen. It is enough to note that if said form were functional and operational, the email address to the left of it (since it would be redundant and unnecessary). " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/16 […] " EIGHTH: On August 10, 2020, the procedure instructor agreed to the opening of a period of practice of tests, being considered reproduced, for the purpose of evidencing the claim filed by the claimant, the data obtained and generated by the Subdirectorate General for Data Inspection and the allegations presented by the defendant. Since it was not possible to notify this opening of the period test practice, due to the expiration of the electronic notification, on the 1st of September 2020, a reiteration of the document was sent, which was notified on same day 1. NINTH: On October 5, 2020, the Checks carried out on September 21, 25 and 29 and October 5, 2020 on the web www.predase.es. TENTH: On October 19, 2020, a resolution proposal was formulated, proposing a penalty of warning be imposed on the defendant, for a infringement of article 13 of the RGPD, typified in article 83.5 of the same rule. In this proposal, a period of 10 days was granted so that the defendant could allege whatever is considered in his defense, as well as present the documents and information deemed pertinent, in accordance with article 89.2 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). The proposed resolution was notified on October 30 and the defendant submitted brief of allegations on November 13, stating the following: "[...] FIRST: In points THIRD, FOURTH and SIXTH (since the point FIFTH) of the complaint, interprets the alleged union of the PRÉDASE and of the AEPD as an attempt of association in the face of potential clients. Assuming that it is a mere question of structural organization of the design web and graphic, any minimally informed person knows how to distinguish between the Spanish Data Protection Agency and a service provider company (call it PRÉDASE, AUDIDAT or any other). As indicated by the complainant and appears, clearly in capital letters, on the header of said website, said image belongs to the SOCIAL NETWORKS of the company (not to the services provided, estimates, invoices, or any other public document that could, effectively, imply an improper use of the AEPD logo). Indeed, said publication was made on March 12, 2019 and the link corresponds to the social network Google+, which has not been operational since April 2, 2019 (it was canceled by Google on that date). Following your twisted reasoning and personal, the use of the Facebook, Google or Twitter logos would also imply a deception of any customer who visited your website by giving rise to the mistake that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/16 PRÉDASE (as in your case AUDIDAT) are part of or act on behalf of said Business. SECOND: Again at the SEVENTH, EIGHTH and NINTH points the complainant once again attributes judicial powers (which border on insult and slander) by directly labeling it as "misleading, illicit, image of false authority, aggressive practices or restricting the ability to make decisions "(since the use of adjective "presumed" preceding all these niceties does not reduce the least or lessens their accusations) which in any company is a simple advertising campaign on social networks. THIRD: In reference to the alleged breach of Art. 10 of Law 34/2002 of July 11, as you will have been able to verify (and according to assures you have captures of screen 'notarized') all contact information: Name (commercial), address, phone and email are clearly visible. Not being mandatory for a autonomous (name under which the company operated at the time of its complaint) the registration in the Mercantile Registry. However, and as you can see in the attached document (“Metadata *** METADATA.1 ”) and despite not being mandatory, a simple search in the metadata of the web (and therefore publicly accessible in any search engine or web browser) if the owner's information "C.C.C. - *** NIF.1" appears under the "meta tag "*** META TAG.1. Regarding the data form and as you will also have been able to verify in your Flawless detective work, it is not operational (nor has it ever been). Of In fact, it is an addition of a template in order to use the "blue popup" style of the Contact Form. You can see that it does not display any error message in case of do not enter data (or do it wrongly), nor do you have a satisfactory message in shipping case. It just redirects directly to the home screen (I hope there left this also duly registered in a notarial public deed). It is enough to note that if said form were functional and operational, the email address to the left of it (since it would be redundant and unnecessary). FOURTH: The denounced facts must be considered prescribed based on the Sections 1 and 2 of Art. 30 of Law 40/2015 of October 1, on the Legal Regime of the Public Sector, therefore applicable to the AEPD, regarding the prescription of infractions: 1. The infractions and sanctions will prescribe according to the provisions of the laws that establish. If they do not set limitation periods, very serious offenses They will prescribe after three years, the serious ones after two years and the minor ones after six months; the Sanctions imposed for very serious offenses will prescribe after three years, those imposed for serious offenses after two years and those imposed for minor offenses after one year. 2. The statute of limitations for infringements will begin to run from the day on which that the offense had been committed. In the case of ongoing or permanent, the term will begin to run from the end of the offending conduct. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/16 For all the above, WE REQUEST: That the COMPLAINT IS Filed from the Spanish Agency for Data Protection based both on the lack of veracity of the facts denounced, as well as on the prescription of time limits from the date of the complaint. LASTLY: From PRÉDASE SERVICIOS INTEGRALES S.L. (current company name of the company) we do not know the motivation of the complainant in light of the facts above exposed. Only understandable under the eagerness to intimidate and try to eliminate the competition through denunciations and "chuscas y barriobajeras" actions such as the detailed inspection of our website (which by the way, we are updating together with the IT company, in order to correct the slightest error). In their eagerness to discredit us or for us to desist in the provision of our services, Mr. A.A.A. (on behalf of AUDIDAT) demonstrates a manifest incompetence in your complaint by being unable to locate our postal address at the to direct the complaint, which was clearly indicated on the same website object of your complaint (thus forcing the AEPD to resort to Orange Espagne SAU to provide an address that we do not know at all and that nothing it has to do with our mercantile). " In view of all the actions, by the Spanish Agency for Data Protection In the present proceeding, the following are considered proven facts, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/16 ACTS FIRST: PREDASE SERVICIOS INTEGRALES S.L. is a company of advice on various matters such as occupational risk prevention, protection of data or insurance that the web page had on the internet *** URL.1. SECOND: The website had a contact section for potential interested parties in your services, including address, telephone, email and a form data collection. THIRD: The website lacked a privacy policy and did not provide the information regulated in article 13 of the RGPD, as shown in the previous investigation actions carried out. FOURTH: The defendant states that the form was not operational and that for that reason reason the email address was provided. FIFTH: The website is not accessible in the checks carried out on days 21, 25 and 29 of September and 5 of October of 2020 since it returns an error of access by server permission denial (Error 403) and object not found (Additional 404 error). SIXTH: The website is still not accessible in the checks carried out on the 8th and January 12, 2021, returning the same error indicated in the previous event. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of The Spanish Data Protection Agency is competent to resolve this process. II The defendant is charged with committing an offense for violation of article 13 of the RGPD, regarding the information that must be provided when the data is obtained from the interested party, which establishes that: "1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/16 c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate rights of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third party country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to be referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 3.When the data controller plans the further processing of data personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/16 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information. " The violation of this article is classified as an infringement in article 83.5 of the RGPD, which it considers as such: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: […] B) the rights of the interested parties pursuant to Articles 12 to 22; […]. " For the purposes of the statute of limitations for the offense, article 72.1 of the LOPDGDD establishes: "Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein, and, in particular, the following: […] H) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679. […] ”. III This sanctioning procedure has its origin, as indicated in the agreement of initiation and it was reiterated in the resolution proposal, in the absence of privacy of the website www.predase.es. As regards the complaints regarding aggressive practices in terms of data protection (specifically framed in letters b) and c) of the additional provision sixteenth of the LOPDGDD: «to generate the appearance that it is acting in name, on behalf of or in collaboration with the Spanish Agency for the Protection of Data or an autonomous data protection authority in carrying out any communication to those responsible and in charge of the treatments in which the sender offers its products or services "and" carry out commercial practices in the that the decision-making power of the recipients is curtailed by referring to the possible imposition of sanctions for non-compliance with the regulations for the protection of personal data ”, respectively), it means that its regulation is carried out by Law 3/1991, of January 10, on Unfair Competition, not showing the Agency Spanish Data Protection competences in this matter. "Article 5 of the RGPD, regarding the principles of personal data processing enunciates in his letter to the one of "legality, loyalty and transparency", principle in which to his Considering 39: “All processing of personal data must be lawful and loyal. For natural persons it must be completely clear that they are being collected, using, consulting or otherwise processing personal data that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/16 concern, as well as the extent to which said data is or will be processed. The beginning transparency requires that all information and communication regarding the treatment of such data is easily accessible and easy to understand, and that a language is used simple and clear. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes of the same and to the information added to ensure fair and transparent treatment with regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are the subject of treatment. Natural persons must be aware of the risks, the rules, safeguards and rights regarding the processing of personal data as well as the way to enforce your rights in relation to the treatment. In In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. The data Personal data must be adequate, relevant and limited to what is necessary for the purposes for those who are treated. This requires, in particular, ensuring that it is limited to a Strict minimum its conservation period. Personal data should only be processed if the purpose of the treatment could not reasonably be achieved by other means. For ensure that personal data is not kept longer than necessary, the responsible for the treatment has to establish deadlines for its deletion or revision periodic. All reasonable steps must be taken to ensure that rectify or delete personal data that are inaccurate. Personal information should be treated in a way that ensures adequate security and confidentiality of personal data, including to prevent unauthorized access or use of said data and the equipment used in the treatment. " Recital 60 links the duty of information with the principle of transparency, by establishing that “The principles of fair and transparent treatment require that inform the interested party of the existence of the treatment operation and its purposes. The responsible for the treatment must provide the interested party with all the information complementary is necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal information. The interested party must also be informed of the profiling and the consequences of such elaboration. If the personal data is obtained from interested parties must also be informed if they are obliged to provide them and of the consequences should they fail to do so […] '. In this order, article 12.1 of the RGPD regulates the conditions to ensure its effective implementation and article 13 specifies what information should be provided when the data is obtained from the interested. In turn, article 11 LOPDGDD introduces the information rule by layers when has: "1. When personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679, providing the affected party with basic information to the referred to in the following section and indicating an email address or other means that allows easy and immediate access to the rest of the information. 2. The basic information referred to in the previous section must contain, at the less: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/16 a) The identity of the person responsible for the treatment and their representative, if applicable. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679. […] ”. In relation to the foregoing, the proven facts show that the website It had a contact section for potential clients that included the telephone, an email and a data collection form, without stating no section that provides the information that, in accordance with article 13 of the RGPD, must be provided about the processing of data likely to be generated by providing personal damage through any of the means of contact referrals. With regard to the claimed claim made in the brief of response of June 25, 2020 to the commencement agreement, in the sense that the form was not operational and that by not collecting data effectively, indicated next to the email address, it has not been possible to verify the veracity of said statement about the functionality of the aforementioned form as it is not possible access to the website in the checks carried out. Now the The fact that the form has not been operational, does not prevent the web page must comply with the duty of information established in article 12 of the RGPD and specified in the subsequent article 13 for situations in which the information is obtained from the interested party, since the collection of personal data is susceptible to also be done through the rest of the published means of contact (and particularly, as the complainant himself points out, by means of the email address electronic that has been indicated supplying the lack of functionality of the form). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/16 And with regard to the allegations presented by the defendant to the proposal of resolution, and that they are objectified in the alleged prescription of the imputed infringement and in the statement that the website is in the process of being updated, the following is noted: Regarding the possible prescription of the offense, the defendant alleges that it would be applicable those provided in article 30 of Law 40/2015, of October 1, of the Legal Regime of the Public Sector (hereinafter, LRJSP) and that the facts denounced should be considered prescribed since, according to the underlined that accompanies this writing, the defendant seems to understand that the alleged infringement is would consider mild (and prescribe at 6 months) and that the term would begin to computed from the day it was committed. These arguments cannot to qualify for several reasons: 1. Article 30.1 of the LRJSP provides that “Infractions and sanctions They will prescribe according to the provisions of the laws that establish them. […] ”. In this In this sense, the LOPDGDD has a Title, IX, dedicated to the regime sanctioner. Within this title, article 71 establishes that they constitute offenses the acts and conducts typified in article 83, sections 4, 5 and 6 of the RGPD as well as those contrary to the LOPDGDD itself and dedicates the Articles 72 to 74 to determine a gradation of infractions in very serious, serious and minor, instituting the statute of limitations for each of the the levels. Therefore, the applicable statute of limitations will be the provided in the LOPDGDD. 2. The imputed infringement is subsumed, for these purposes of prescription, in the article 72.1.h) of the LOPDGDD and in this article it is specified that considered very serious and that he will prescribe after 3 years. This is reflected in the Legal Basis V of the initiation agreement and is recalled in the Basis Legal II of the proposed resolution. 3. Regarding the time of the beginning of the calculation of the term of prescription, the LOPDGDD does not establish any specific regime, so At this point, the provisions of article 30.2 of the LRJSP are applicable with supplementary character. Well, going to this article, it is observed that makes a distinction between “single” or ongoing commission offenses. Taking into account the nature of the alleged offense, it seems clear that the omission of the duty to provide the information was maintained, at least, until the date of February 7, 2020, the day on which the diligence is carried out about the website mentioned in the previous action report inspection that has been collected in the fourth Antecedent. Also, this limitation period would have been interrupted by the notification of the initiation agreement, as provided in article 75 of the LOPDGDD. In conclusion, therefore, in the most favorable case for the defendant, the term of 3-year prescription would have started on February 7, 2020, leaving interrupted on June 5, 2020, the date on which the notification took place effective of the agreement to initiate the sanctioning procedure. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/16 Regarding the statement of the claimed that the web page is in update to correct possible errors, it is not possible to verify it, since that, as has been reflected in the sixth proven fact of this resolution, the mentioned web (*** URL.1) is not available. The rest of the allegations are not taken into consideration as they do not refer to the object of this sanctioning procedure. IV The corrective powers available to the Spanish Agency for the Protection of Data, as a control authority, are established in article 58.2 of the RGPD. Between they have the power to sanction with warning -article 58.2 b) -, the Power to impose an administrative fine in accordance with article 83 of the RGPD -article 58.2 i) -, or the power to order the person in charge of the treatment that the processing operations comply with the provisions of the RGPD, when proceed, in a certain way and within a specified period - article 58. 2 d) -. According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. IV In accordance with the provisions of the RGPD in its art. 83.2, when deciding to impose a administrative fine and its amount in each individual case will take into account the aggravating and mitigating factors that are listed in the indicated article, as well as any other that may be applicable to the circumstances of the case. For the purposes of setting the sanction to be imposed on the claimed party, the following aggravating circumstances: 1. Intentionality or negligence in the infringement (article 83.2.a) RGPD) since it is It is about a company that offers advice, among other issues on the subject of data protection, which requires greater diligence in complying with the obligations of the matter with respect to which it claims to advise. 2. The continuing nature of the offense (article 76.2.a) LOPDGDD), since the The claim submitted is dated March 20, 2019 and the diligence of the previous inspection actions that corroborate the maintenance of the situation in The website www.predase.es was carried out on February 7, 2020. On the other hand, the following circumstances have also been taken into account mitigating: 1. There is no record of the commission of any prior infraction regarding the protection of data by the claimed party (article 83.2.e) RGPD). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/16 2. It is a micro-SME for the purposes of the provisions of the Recommendation of the Commission, of May 6, 2003, on the definition of micro, small and medium businesses. Based on the foregoing, it is appropriate to propose a fine of FIVE THOUSAND EUROS (5,000.00 €). Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE PREDASE SERVICIOS INTEGRALES S. L., with NIF B02547164, for an infringement of article 13 of the RGPD, typified in article 83.5 GDPR, a fine of FIVE THOUSAND EUROS (€ 5,000.00). SECOND: NOTIFY this resolution to PREDASE SERVICIOS INTEGRALES S.L. and inform A.A.A .. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/16 Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es