AEPD (Spain) - EXP202200439: Difference between revisions

From GDPRhub
 
(3 intermediate revisions by one other user not shown)
Line 67: Line 67:
}}
}}


The Spanish DPA fined a company €64,000 for the violation of [[Article 6 GDPR|Articles 6]] and [[Article 9 GDPR|9 GDPR]] regarding the communication of the data subject’s union trade membership (sensitive data) to third parties.  
The Spanish DPA fined a company €64,000 for the violation of [[Article 6 GDPR|Articles 6]] and [[Article 9 GDPR|9 GDPR]] by sharing sensitive data of a data subject, their union trade membership, with third parties.  


== English Summary ==
== English Summary ==

Latest revision as of 13:01, 13 December 2023

AEPD - PS-00155-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Article 9 GDPR
Article 83(5)(a) GDPR
§72(1)(b) and (e) LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published:
Fine: 64.000 EUR
Parties: Servicios Especiales S.A
National Case Number/Name: PS-00155-2022
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Michelle Ayora

The Spanish DPA fined a company €64,000 for the violation of Articles 6 and 9 GDPR by sharing sensitive data of a data subject, their union trade membership, with third parties.

English Summary

Facts

In the first place, the data subject submitted a claim against their former employer company (the controller) for an illegal communication of their previous trade union membership data. Specifically, the controller sent to the CGT Union a registered mail explaining that the data subject had been a worker representative in another Union (Sindicato Unitario de Huelva) and that could lead to an incompatibility with their current nomination in CGT Union.

Additionally, the data subject claimed that their union membership and other data were also shared to the media since there were some news about their dismissal. In this regard, the data subject presented a letter sent by the controller stating that “[Data subject’s] disciplinary dismissal was prior to their nomination by CGT Union as company’s union section secretary, since the data subject was a member of Sindicato Unitario de Huelva when dismissed”.

Furthermore, it was published in another medium that the data subject was dismissed on disciplinary grounds.

Considering the above, the Spanish DPA started a sanctioning proceeding and notified the controller, who claimed that the communication of the union membership data was carried out in a common context of legal cooperation between the controller and the workers who make use of their right to freedom of union. The mention of the data subject in this interaction was allegedly due to their relation with both unions and the company, and that information shared had direct effect to the right to freedom of union.

Holding

First, the DPA agreed that data relating to trade union membership constitutes sensitive data within the meaning of Article 9 GDPR. The DPA alluded to Article 9(1) GDPR which prohibits the processing of these special categories of personal data. On the other hand, Article 9(2) GDPR contains a list of exceptions for this prohibition. One of them allows for the processing of sensitive data in order to assess the working capacity of the employees. Additionally, Article 9(3) GDPR states that the processing shall be allowed when performed by or under the responsibility of a professional subject to the obligation of professional secrecy.

The DPA also noted that Article 6 GDPR contains the legal bases for lawful processing. Therefore, these two Articles establish the circumstances for the legal processing of the general and special categories of data, respectively.

Finally, the DPA referred to Article 29 Working Party on its “Guidelines on Automated Individual Decision-making and Profiling for the Purpose of Regulation 2016/679” stating that data controllers can only process sensitive data if one of the conditions of Article 9(2) is fulfilled, in addition to any one of the conditions of Article 6 GDPR.

In this case, the controller claimed to have a legitimate interest for the processing of the data, therefore it did not ask for the data subject's consent. However, legitimate interest, even if the controller had one, cannot be a legal basis for the processing of sensitive data.

Taking this into account, the DPA conclued that the controller had no valid legal basis for the processing of trade union membership data. It fined the controller twice €40,000 for infringing Articles 6 and 9 GDPR, respectively. This was reduced to a total of €64,000 due to voluntary payment.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/12








     File No.: EXP202200439

       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT

                                    VOLUNTEER

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

FIRST: On July 26, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against SERVICES
ESPECIALES, S.A (hereinafter, the claimed party), by means of the Agreement
transcribe:


<<


File No.: EXP202200439



            AGREEMENT TO START A SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in

based on the following

                                      FACTS

FIRST: On November 27, 2021, A.A.A. (hereinafter the part
claimant) filed a claim with the Spanish Data Protection Agency.


The claim is directed against SERVICIOS ESPECIALES, S.A with NIF A11001450
(hereinafter, the claimed party).

The grounds on which the claim is based are as follows:


The claimant states that the entity claimed has improperly communicated to the
CGT union, details of your previous union affiliation.

The entity informed the CGT union, through the burofax sent on August 17,

2021, that the appointment of the claimant as a representative of the workers
communicated to them by the Unitarian Union of Huelva at the end of 2020 may be
incompatible with the appointment now communicated by the CGT.

The claimant states that the respondent entity also revealed its union affiliation to
several media outlets that have published news related to his

dismissal.

Provide a letter dated December 30, 2021 sent by the entity claimed
requesting a media outlet, Huelva24.com, to rectify the content of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








the news published on 12/27/21, revealing in the letter "that the disciplinary dismissal is
before the CGT Huelva union appointed her secretary of the union section
of the company, because in fact A.A.A. belonged to the Unitarian Union when she was fired

of Huelva.

It also provides the publication of news in other communication media with
details of your dismissal, your name and details of your union affiliation.

In La Voz del Sur.es the statements of the director of the funeral home are published in the

that the claimant worked, informing about her union affiliation.

In the publication "the digital funeral home" it is reported that: "The company SERVISA, the
Seguros Ocaso funeral home, has issued a statement denying that the
dismissal occurred because the worker refused to wear a skirt and wear

9 cm heels and it was for disciplinary reasons".

This statement contains the same words published by Huelva24.com:
 "Servisa assures that the disciplinary dismissal is prior to the CGT union
Huelva appointed her as secretary of the union section of the company, since she belonged
upon being fired from the Unitarian Union of Huelva".


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on January 25, 2022, said claim was transferred to
the party claimed, so that it proceeded to its analysis and inform this Agency in the

period of one month, of the actions carried out to adapt to the requirements
provided for in the data protection regulations.

On February 25, 2022, this Agency received a written response
indicating that a treatment of the data of union affiliation of the

claimant by two unions, within the scope of the legal dialogue
established for the purposes of cooperation between the entity claimed and workers in
the exercise of the right to freedom of association.

In the course of this dialogue, the claimant is the subject of attention, as the
of consideration by the two unions and by the claimed entity.


It is in this circumstance that, before his legitimate interlocutor, in this case the
second union, the claimed entity exposes some very specific circumstances
directly related to the person notified by the union and affecting the
right to freedom of association, with the sole intention of clarifying the situation of the

claimant and his new position in this second union.

The use of the data object of attention was produced in a reactive way within a
process of successive communications between the union and the claimed entity. That
this is its appropriate and even necessary environment. Without forgetting that article 7 EC

includes the democratic principle, to which unions are also subject in the
fulfillment of its functions, and that article 28 EC establishes that the freedom
Union includes the right to join the union of your choice.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12








THIRD: On February 27, 2022, in accordance with article 65 of the
LOPDGDD, the claim filed by the claimant was admitted for processing.


                            FOUNDATIONS OF LAW

                                             Yo

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director

of the Spanish Agency for Data Protection is competent to initiate and to
resolve this procedure.

                                            II

Article 9 of the RGPD establishes the following:


1. The processing of personal data that reveals ethnic origin is prohibited
or racial background, political opinions, religious or philosophical convictions, or affiliation
union, and the processing of genetic data, biometric data aimed at identifying

unambiguously to a natural person, data relating to health or data relating to
sexual life or sexual orientations of a natural person.


2. Section 1 shall not apply when one of the following circumstances occurs-
following:


a) the interested party gave their explicit consent for the processing of said data
for one or more of the specified purposes, except when the Right of
the Union or the Member States establishes that the prohibition referred to in the
section 1 cannot be lifted by the interested party;


b) the treatment is necessary for the fulfillment of obligations and the exercise of
specific rights of the person in charge of the treatment or of the interested party in the field of

Labor law and security and social protection, to the extent that it is so authorized.
enact the Law of the Union of the Member States or a collective agreement with
under the Law of the Member States that establishes adequate guarantees of the res-
protection of the fundamental rights and interests of the interested party;


c) the treatment is necessary to protect the vital interests of the interested party or another
natural person, in the event that the interested party is not qualified, natural or legal,
cally, to give your consent;


d) the treatment is carried out, within the scope of its legitimate activities and with the de-
guarantees, by a foundation, an association or any other organization without

for profit, whose purpose is political, philosophical, religious or trade union, provided that the
treatment refers exclusively to current or former members of such organizations.
organizations or persons who maintain regular contact with them in relation to
its purposes and provided that the personal data is not communicated outside of them without the
consent of the interested parties;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12








e) the treatment refers to personal data that the interested party has made manifest-
public mind;


f) the treatment is necessary for the formulation, exercise or defense of claims.
tions or when the courts act in the exercise of their judicial function;


g) the treatment is necessary for reasons of an essential public interest, on the
basis of the law of the Union or of the Member States, which must be proportional
the objective pursued, essentially respect the right to data protection and

establish adequate and specific measures to protect the interests and rights
fundamentals of the interested party;


h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation
of the worker's work capacity, medical diagnosis, provision of assistance or
treatment of a health or social nature, or management of health care systems and services.
health and social care, on the basis of the Law of the Union or of the Member States.
or by virtue of a contract with a healthcare professional and without prejudice to the conditions

tions and guarantees contemplated in section 3;


i) the treatment is necessary for reasons of public interest in the field of health
such as protection against serious cross-border threats to health, or
to ensure high levels of quality and safety of healthcare and
of medicines or medical devices, on the basis of Union Law or
of the Member States to establish appropriate and specific measures to pro-
protect the rights and freedoms of the interested party, in particular professional secrecy,


 j) the processing is necessary for archiving purposes in the public interest, research purposes,
scientific or historical information or statistical purposes, in accordance with article 89,

paragraph 1, on the basis of the law of the Union or of the Member States, which
must be proportional to the objective pursued, respect essentially the right to
data protection and establish adequate and specific measures to protect the
interests and fundamental rights of the interested party.


3. The personal data referred to in section 1 may be processed for the purposes cited-
two in section 2, letter h), when their treatment is carried out by a professional
subject to the obligation of professional secrecy, or under your responsibility, in accordance

with the Law of the Union or of the Member States or with the established rules
by the competent national bodies, or by any other person also subject to
also to the obligation of secrecy in accordance with the Law of the Union or of the States.
two members or of the standards established by the competent national bodies.
you.


4. Member States may maintain or introduce additional conditions, including
ive limitations, with respect to the processing of genetic data, biometric data or

health-related data.


Articles 6 and 9 of the RGPD determine the assumptions that allow the treatment of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12








personal data, in general, and specifically with respect to the categories
special data categories, respectively.


The Article 29 Working Group (whose functions have been taken over by the Committee
European Data Protection) in its opinion “Guidelines on individual decisions
automated dual data and profiling for the purposes of the Regulation

2016/679” indicates that (…) The controllers can only process data
special category personal if one of the conditions set forth in the
article 9, paragraph 2, as well as a condition of article 6. (…).




                                            III

Article 4.11 of the RGPD defines the consent of the interested party as "any
manifestation of free, specific, informed and unequivocal will by which the

The interested party accepts, either by means of a declaration or a clear affirmative action, the
processing of personal data concerning you”.

In this sense, article 6.1 of the LOPDGDD, establishes that "in accordance with the
provided in article 4.11 of Regulation (EU) 2016/679, consent is understood

affected person, any manifestation of free, specific, informed and inappropriate will.
equivocal by which he accepts, either through a statement or a clear action
affirmative, the treatment of personal data that concerns you”.

For its part, article 6 of the GDPR establishes the following:

"1. The processing will only be lawful if at least one of the following conditions is met:
nes:

a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;

b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at the request of the latter of pre-contractual measures;

c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;

d) the treatment is necessary to protect the vital interests of the interested party or another
Physical person;

e) the treatment is necessary for the fulfillment of a mission carried out in the interest

public or in the exercise of public powers vested in the data controller;
 f) the treatment is necessary for the satisfaction of legitimate interests pursued

by the data controller or by a third party, provided that said interests
interests do not prevail or the fundamental rights and freedoms of the interest
cases that require the protection of personal data, in particular when the interested
sado be a child.

The provisions of letter f) of the first paragraph shall not apply to the processing
carried out by public authorities in the exercise of their functions.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12









                                           IV


In accordance with the evidence available at the present time of
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered that the respondent party has communicated the trade union data
of the claimant to third parties without being in any of the assumptions that by way of
of exception allow their treatment according to article 9 of the RGPS.


The known facts could constitute an infringement, attributable to the party
claimed, for violation of article 9, indicated in the foundation of law II.

Likewise, in accordance with the available evidence, and without prejudice to
what results from the instruction of this sanctioning procedure, is considered

that we are facing an illicit treatment of personal data, since in this case the
respondent party treats the union data of the claimant, considering that it had
legitimate interest for its treatment, despite not having your consent.

Its non-compliance supposes the infringement of article 6 of the RGPD indicated in the
basis of law III, since the personal data have been processed without counting

with no kind of legitimacy.

                                           v

Article 58.2 of the RGPD provides the following: "Each control authority will have

of all the following corrective powers indicated below:

b) sanction any person responsible or in charge of the treatment with a warning
when the treatment operations have violated the provisions of this
Regulation;


d) order the person in charge or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period;

i) impose an administrative fine under article 83, in addition to or instead of

the measures mentioned in this section, according to the circumstances of each
particular case;
                                           SAW

Both the infringement of article 9 and article 6 of the RGPD, are found

provided for in article 83.5 a) of the RGPD where it is established that:

“The infractions of the following dispositions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of
of a company, of an amount equivalent to a maximum of 4% of the volume of

Total annual global business of the previous financial year, opting for the one with the highest
amount:
a) The basic principles for the treatment, including the conditions for the

consent under articles 5,6,7 and 9.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12









In turn, article 72.1 of the LOPDGDD in its letters e) and b) qualifies as an infringement
very serious for prescription purposes:


e) “The processing of personal data of the categories referred to in article
9 of Regulation (EU) 2016/679 without any of the circumstances
provided for in said precept and in the article of this Organic Law.”

b) “The processing of personal data without the concurrence of any of the conditions of

legality of the treatment established in article 6 of Regulation (EU) 2016/679.”

Both offenses can be sanctioned with a maximum fine of €20,000,000.
or, in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for the

of greater amount, in accordance with article 83.5 of the RGPD.

                                            7th

In order to determine the administrative fines to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:


“Each control authority will guarantee that the imposition of administrative fines
under this Article for infringements of this Regulation
indicated in sections 4, 9 and 6 are in each individual case effective,
proportionate and dissuasive.”


“Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the nature
nature, scope or purpose of the processing operation in question, as well as the number
number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to pa-
allocate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
gives an account of the technical or organizational measures that have been applied by virtue of the
articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;
 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular
whether the person in charge or the person in charge notified the infringement and, if so, to what extent.
gives;

i) when the measures indicated in article 58, section 2, have been ordered
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12








previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to certification mechanisms
fication approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly.
mind, through infraction.”

Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
“Sanctions and corrective measures”, provides:


"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:

a) The continuing nature of the offence.


b) The link between the activity of the offender and the performance of treatment of
personal information.

c) The profits obtained as a result of committing the offence.


d) The possibility that the conduct of the affected party could have induced the commission
of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.


f) Affectation of the rights of minors.

g) Have, when not mandatory, a data protection delegate.

h) Submission by the person in charge or person in charge, on a voluntary basis, to

alternative conflict resolution mechanisms, in those cases in which
there are controversies between them and any interested party.”

In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction of fine to
impose SERVICIOS ESPECIALES, S.A, as responsible for the infractions

typified in article 83.5 of the RGPD, in an initial assessment, they are estimated
Concurrent in this case, as aggravating factors, the following factors:


      Linking the activity of the offender with the performance of
     personal data processing.

After the evidence obtained in the preliminary investigation phase, it is considered that
it is appropriate to graduate the sanctions to be imposed in the amount of €40,000 (forty thousand euros)
for the infringement of article 9 of the RGPD and €40,000 (forty thousand euros) for the infringement

of article 6 of the RGPD.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12








Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,

HE REMEMBERS:


FIRST: START SANCTION PROCEDURE TO SERVICES
ESPECIALES, S.A, with NIF A11001450, in accordance with the provisions of article
58.2.i) of the RGPD, for the alleged infringement of article 9 of the RGPD, typified in the
article 83.5 of the RGPD and for prescription purposes, by article 72.1 e) of the
LOPDGDD.


SECOND: START SANCTION PROCEDURE TO SERVICES
ESPECIALES, S.A, with NIF A11001450, in accordance with the provisions of article
58.2.i) of the RGPD, for the alleged infringement of article 6 of the RGPD, typified in the
article 83.5 of the RGPD and for prescription purposes, by article 72.1 b) of the
LOPDGDD.


THIRD: APPOINT instructor to R.R.R. and, as secretary, to S.S.S., indicating that
any of them may be challenged, where appropriate, in accordance with the provisions of the
Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).


FOURTH: INCORPORATE to the disciplinary file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the
documents obtained and generated by the Subdirectorate General for Inspection of
Data in the actions prior to the start of this sanctioning procedure.

FIFTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1

October, of the Common Administrative Procedure of the Public Administrations, the
sanction that could correspond for the infringement of article 9 of the RGPD would be
40,000 euros (forty thousand euros) without prejudice to what results from the instruction.

SIXTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of the Public Administrations, the

sanction that could correspond for the infringement of article 6 of the RGPD would be
40,000 euros (forty thousand euros) without prejudice to what results from the instruction.

SEVENTH: NOTIFY this agreement to SERVICIOS ESPECIALES, S.A, with
NIF A11001450, granting a hearing period of ten business days for
formulate the allegations and present the evidence that it deems appropriate. In its

Allegation brief must provide your NIF and the procedure number that appears
at the top of this document.

If within the stipulated period it does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article

64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, in the event that the
sanction to be imposed was a fine, it may recognize its responsibility within the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12








term granted for the formulation of allegations to this initial agreement; it
which will entail a reduction of 20% of the sanction to be imposed in
the present procedure. With the application of this reduction, each sanction would be

established at 32,000 euros, (a total of 64,000 euros), resolving the
procedure with the imposition of this sanction.

Similarly, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of the amount of this. With the application of this

reduction, each sanction would be established at 32,000 euros, (a total of 64,000
euros), and its payment will imply the termination of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment

of the responsibility is revealed within the period granted to formulate
arguments at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if it were appropriate to apply both reductions, the amount of each penalty
would be established at 24,000 euros, (a total of 48,000 euros).


In any case, the effectiveness of any of the two reductions mentioned will be
conditioned to the abandonment or renunciation of any action or resource in via
administrative against the sanction.

If you choose to proceed to the voluntary payment of any of the amounts indicated

previously, €32,000 or €24,000 for each penalty, (€64,000 or €48,000, depending on
jointly) must make it effective by depositing it in account number ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of
Data in Banco CAIXABANK, S.A., indicating in the concept the number of
reference of the procedure that appears in the heading of this document and the

cause of reduction of the amount to which it is accepted. Also, you must send the
proof of admission to the Subdirectorate General for Inspection to continue with the
procedure in accordance with the amount entered.

The procedure will have a maximum duration of nine months from the
date of the start-up agreement or, where appropriate, of the draft start-up agreement.

Once this period has elapsed, it will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.

                                                                               935-110422

Sea Spain Marti
Director of the Spanish Data Protection Agency
>>

SECOND: On August 18, 2022, the claimed party has proceeded to pay
of the sanction in the amount of 48,000 euros making use of the two reductions

provided for in the Start Agreement transcribed above, which implies the
acknowledgment of responsibility.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12









THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or resource in via

administrative action against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Initiation Agreement.


                            FOUNDATIONS OF LAW


                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter, LPACAP), under the rubric
"Termination in sanctioning procedures" provides the following:


"1. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the

inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of

any administrative action or recourse against the sanction.

The reduction percentage provided for in this section may be increased
regulations."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12










According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: TO DECLARE the termination of procedure EXP202200439, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to SERVICIOS ESPECIALES, S.A.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the

aforementioned Law.


                                                                                 936-040822
Sea Spain Marti
Director of the Spanish Data Protection Agency
































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es