AEPD (Spain) - EXP202200439
Latest revision as of 13:01, 13 December 2023
AEPD - PS-00155-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR, Article 9 GDPR, Article 83(5)(a) GDPR, §72(1)(b) and (e) LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | |
Fine: | 64.000 EUR |
Parties: | Servicios Especiales S.A |
National Case Number/Name: | PS-00155-2022 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Michelle Ayora |
The Spanish DPA fined a company €64,000 for the violation of Articles 6 and 9 GDPR by sharing sensitive data of a data subject, their trade union membership, with third parties.
English Summary
Facts
The data subject submitted a claim against their former employer (the controller) for an illegal communication of their previous trade union membership data. Specifically, the controller sent a registered letter to the CGT Union explaining that the data subject had been a worker representative in another union (Sindicato Unitario de Huelva) and that this could lead to an incompatibility with their current nomination in the CGT Union.
Additionally, the data subject claimed that their union membership and other data were also shared with the media, since there were news reports about their dismissal. In this regard, the data subject presented a letter sent by the controller stating that “[Data subject’s] disciplinary dismissal was prior to their nomination by CGT Union as company’s union section secretary, since the data subject was a member of Sindicato Unitario de Huelva when dismissed”.
Furthermore, it was published in another medium that the data subject was dismissed on disciplinary grounds.
Considering the above, the Spanish DPA started a sanctioning proceeding and notified the controller, who claimed that the communication of the union membership data was carried out in a common context of legal cooperation between the controller and the workers exercising their right to trade union freedom. The mention of the data subject in this interaction was allegedly due to their relationship with both unions and the company, and the information shared had a direct effect on the right to trade union freedom.
Holding
First, the DPA agreed that data relating to trade union membership constitutes sensitive data within the meaning of Article 9 GDPR. The DPA alluded to Article 9(1) GDPR which prohibits the processing of these special categories of personal data. On the other hand, Article 9(2) GDPR contains a list of exceptions for this prohibition. One of them allows for the processing of sensitive data in order to assess the working capacity of the employees. Additionally, Article 9(3) GDPR states that the processing shall be allowed when performed by or under the responsibility of a professional subject to the obligation of professional secrecy.
The DPA also noted that Article 6 GDPR contains the legal bases for lawful processing. Therefore, these two Articles establish the circumstances for the legal processing of the general and special categories of data, respectively.
Finally, the DPA referred to the Article 29 Working Party's “Guidelines on Automated Individual Decision-making and Profiling for the Purpose of Regulation 2016/679”, which state that data controllers can only process sensitive data if one of the conditions of Article 9(2) is fulfilled, in addition to any one of the conditions of Article 6 GDPR.
In this case, the controller claimed to have a legitimate interest for the processing of the data and therefore did not ask for the data subject's consent. However, legitimate interest, even if the controller had one, cannot be a legal basis for the processing of sensitive data.
Taking this into account, the DPA concluded that the controller had no valid legal basis for the processing of trade union membership data. It fined the controller €40,000 twice, for infringing Articles 6 and 9 GDPR, respectively. This was reduced to a total of €64,000 due to voluntary payment.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
File No.: EXP202200439
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: On July 26, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against SERVICIOS ESPECIALES, S.A (hereinafter, the claimed party), by means of the Agreement transcribed below:
<<
File No.: EXP202200439
AGREEMENT TO START A SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: On November 27, 2021, A.A.A. (hereinafter the claimant) filed a claim with the Spanish Data Protection Agency. The claim is directed against SERVICIOS ESPECIALES, S.A with NIF A11001450 (hereinafter, the claimed party).
The grounds on which the claim is based are as follows:
The claimant states that the entity claimed has improperly communicated to the CGT union details of her previous union affiliation. The entity informed the CGT union, through the burofax sent on August 17, 2021, that the appointment of the claimant as a representative of the workers communicated to them by the Unitarian Union of Huelva at the end of 2020 may be incompatible with the appointment now communicated by the CGT.
The claimant states that the respondent entity also revealed her union affiliation to several media outlets that have published news related to her dismissal.
The claimant provides a letter dated December 30, 2021 sent by the entity claimed requesting a media outlet, Huelva24.com, to rectify the content of the news published on 12/27/21, revealing in the letter "that the disciplinary dismissal is before the CGT Huelva union appointed her secretary of the union section of the company, because in fact A.A.A. belonged to the Unitarian Union of Huelva when she was fired".
The claimant also provides news published in other media outlets with details of her dismissal, her name and details of her union affiliation. In La Voz del Sur.es the statements of the director of the funeral home in which the claimant worked are published, informing about her union affiliation. In the publication "the digital funeral home" it is reported that: "The company SERVISA, the Seguros Ocaso funeral home, has issued a statement denying that the dismissal occurred because the worker refused to wear a skirt and wear 9 cm heels and it was for disciplinary reasons". This statement contains the same words published by Huelva24.com: "Servisa assures that the disciplinary dismissal is prior to the CGT union Huelva appointed her as secretary of the union section of the company, since she belonged upon being fired from the Unitarian Union of Huelva".
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on January 25, 2022, said claim was transferred to the party claimed, so that it proceeded to its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.
On February 25, 2022, this Agency received a written response indicating that a treatment of the data of union affiliation of the claimant by two unions, within the scope of the legal dialogue established for the purposes of cooperation between the entity claimed and workers in the exercise of the right to freedom of association.
In the course of this dialogue, the claimant is the subject of attention, as the of consideration by the two unions and by the claimed entity.
It is in this circumstance that, before his legitimate interlocutor, in this case the second union, the claimed entity exposes some very specific circumstances directly related to the person notified by the union and affecting the right to freedom of association, with the sole intention of clarifying the situation of the claimant and her new position in this second union.
The use of the data object of attention was produced in a reactive way within a process of successive communications between the union and the claimed entity. That this is its appropriate and even necessary environment. Without forgetting that article 7 EC includes the democratic principle, to which unions are also subject in the fulfillment of their functions, and that article 28 EC establishes that trade union freedom includes the right to join the union of your choice.
THIRD: On February 27, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and to resolve this procedure.
II
Article 9 of the RGPD establishes the following:
1. The processing of personal data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or union affiliation, and the processing of genetic data, biometric data aimed at unambiguously identifying a natural person, data relating to health or data relating to the sexual life or sexual orientation of a natural person is prohibited.
2. Section 1 shall not apply when one of the following circumstances occurs:
a) the interested party gave their explicit consent for the processing of said data for one or more of the specified purposes, except when the Law of the Union or of the Member States establishes that the prohibition referred to in section 1 cannot be lifted by the interested party;
b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person in charge of the treatment or of the interested party in the field of Labor law and security and social protection, to the extent that it is so authorized by the Law of the Union or of the Member States or a collective agreement under the Law of the Member States that establishes adequate guarantees of respect for the fundamental rights and interests of the interested party;
c) the treatment is necessary to protect the vital interests of the interested party or another natural person, in the event that the interested party is not capable, physically or legally, of giving their consent;
d) the treatment is carried out, within the scope of its legitimate activities and with the due guarantees, by a foundation, an association or any other non-profit organization, whose purpose is political, philosophical, religious or trade union, provided that the treatment refers exclusively to current or former members of such organizations or persons who maintain regular contact with them in relation to its purposes and provided that the personal data is not communicated outside of them without the consent of the interested parties;
e) the treatment refers to personal data that the interested party has manifestly made public;
f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function;
g) the treatment is necessary for reasons of an essential public interest, on the basis of the law of the Union or of the Member States, which must be proportional to the objective pursued, essentially respect the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party;
h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity, medical diagnosis, provision of assistance or treatment of a health or social nature, or management of health and social care systems and services, on the basis of the Law of the Union or of the Member States or by virtue of a contract with a healthcare professional and without prejudice to the conditions and guarantees contemplated in section 3;
i) the treatment is necessary for reasons of public interest in the field of health such as protection against serious cross-border threats to health, or to ensure high levels of quality and safety of healthcare and of medicines or medical devices, on the basis of Union Law or of the Member States that establishes appropriate and specific measures to protect the rights and freedoms of the interested party, in particular professional secrecy;
j) the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, on the basis of the law of the Union or of the Member States, which must be proportional to the objective pursued, respect essentially the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party.
3. The personal data referred to in section 1 may be processed for the purposes cited in section 2, letter h), when their treatment is carried out by a professional subject to the obligation of professional secrecy, or under their responsibility, in accordance with the Law of the Union or of the Member States or with the rules established by the competent national bodies, or by any other person also subject to the obligation of secrecy in accordance with the Law of the Union or of the Member States or of the standards established by the competent national bodies.
4. Member States may maintain or introduce additional conditions, including limitations, with respect to the processing of genetic data, biometric data or health-related data.
Articles 6 and 9 of the RGPD determine the assumptions that allow the treatment of personal data, in general, and specifically with respect to the special categories of data, respectively.
The Article 29 Working Group (whose functions have been taken over by the European Data Protection Committee) in its opinion “Guidelines on automated individual decisions and profiling for the purposes of Regulation 2016/679” indicates that (…) Controllers can only process special category personal data if one of the conditions set forth in article 9, paragraph 2, as well as a condition of article 6, is met. (…).
III
Article 4.11 of the RGPD defines the consent of the interested party as "any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data concerning you”.
In this sense, article 6.1 of the LOPDGDD establishes that "in accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected person is understood as any manifestation of free, specific, informed and unequivocal will by which he accepts, either through a statement or a clear affirmative action, the treatment of personal data that concerns you”.
For its part, article 6 of the GDPR establishes the following:
"1. The processing will only be lawful if at least one of the following conditions is met:
a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at the request of the latter of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller;
d) the treatment is necessary to protect the vital interests of the interested party or another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.”
IV
In accordance with the evidence available at the present time of agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the respondent party has communicated the trade union data of the claimant to third parties without being in any of the assumptions that by way of exception allow their treatment according to article 9 of the RGPD.
The known facts could constitute an infringement, attributable to the party claimed, for violation of article 9, indicated in the foundation of law II.
Likewise, in accordance with the available evidence, and without prejudice to what results from the instruction of this sanctioning procedure, it is considered that we are facing an illicit treatment of personal data, since in this case the respondent party treats the union data of the claimant, considering that it had legitimate interest for its treatment, despite not having her consent.
Its non-compliance supposes the infringement of article 6 of the RGPD indicated in the basis of law III, since the personal data have been processed without having any kind of legitimacy.
V
Article 58.2 of the RGPD provides the following: "Each control authority will have all the following corrective powers indicated below:
b) sanction any person responsible or in charge of the treatment with a warning when the treatment operations have violated the provisions of this Regulation;
d) order the person in charge or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period;
i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"
VI
Both the infringement of article 9 and article 6 of the RGPD are provided for in article 83.5 a) of the RGPD where it is established that:
“The infractions of the following dispositions will be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Eur or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, opting for the one with the highest amount:
a) The basic principles for the treatment, including the conditions for the consent under articles 5,6,7 and 9.”
In turn, article 72.1 of the LOPDGDD in its letters e) and b) qualifies as an infringement very serious for prescription purposes:
e) “The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679 without any of the circumstances provided for in said precept and in the article of this Organic Law.”
b) “The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.”
Both offenses can be sanctioned with a maximum fine of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the greater amount, in accordance with article 83.5 of the RGPD.
VII
In order to determine the administrative fines to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:
“Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.”
“Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of treatment of personal information.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.”
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction of fine to impose on SERVICIOS ESPECIALES, S.A, as responsible for the infractions typified in article 83.5 of the RGPD, in an initial assessment, the following are considered concurrent in this case as aggravating factors:
Linking the activity of the offender with the performance of personal data processing.
After the evidence obtained in the preliminary investigation phase, it is considered that it is appropriate to graduate the sanctions to be imposed in the amount of €40,000 (forty thousand euros) for the infringement of article 9 of the RGPD and €40,000 (forty thousand euros) for the infringement of article 6 of the RGPD.
Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency AGREES:
FIRST: START SANCTION PROCEDURE TO SERVICIOS ESPECIALES, S.A, with NIF A11001450, in accordance with the provisions of article 58.2.i) of the RGPD, for the alleged infringement of article 9 of the RGPD, typified in article 83.5 of the RGPD and for prescription purposes, by article 72.1 e) of the LOPDGDD.
SECOND: START SANCTION PROCEDURE TO SERVICIOS ESPECIALES, S.A, with NIF A11001450, in accordance with the provisions of article 58.2.i) of the RGPD, for the alleged infringement of article 6 of the RGPD, typified in article 83.5 of the RGPD and for prescription purposes, by article 72.1 b) of the LOPDGDD.
THIRD: APPOINT instructor to R.R.R. and, as secretary, to S.S.S., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
FOURTH: INCORPORATE to the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the Subdirectorate General for Inspection of Data in the actions prior to the start of this sanctioning procedure.
FIFTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Public Administrations, the sanction that could correspond for the infringement of article 9 of the RGPD would be 40,000 euros (forty thousand euros) without prejudice to what results from the instruction.
SIXTH: THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of the Public Administrations, the sanction that could correspond for the infringement of article 6 of the RGPD would be 40,000 euros (forty thousand euros) without prejudice to what results from the instruction.
SEVENTH: NOTIFY this agreement to SERVICIOS ESPECIALES, S.A, with NIF A11001450, granting a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In its brief of allegations it must provide its NIF and the procedure number that appears at the top of this document.
If within the stipulated period it does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to be imposed was a fine, it may recognize its responsibility within the term granted for the formulation of allegations to this initial agreement, which will entail a reduction of 20% of the sanction to be imposed in the present procedure. With the application of this reduction, each sanction would be established at 32,000 euros, (a total of 64,000 euros), resolving the procedure with the imposition of this sanction.
Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of the amount of this. With the application of this reduction, each sanction would be established at 32,000 euros, (a total of 64,000 euros), and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the one that corresponds to apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be done at any time prior to the resolution. In this case, if it were appropriate to apply both reductions, the amount of each penalty would be established at 24,000 euros, (a total of 48,000 euros).
In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction.
If you choose to proceed to the voluntary payment of any of the amounts indicated previously, €32,000 or €24,000 for each penalty, (€64,000 or €48,000, depending on jointly) must make it effective by depositing it in account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of Data in Banco CAIXABANK, S.A., indicating in the concept the number of reference of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted.
Also, you must send the proof of admission to the Subdirectorate General for Inspection to continue with the procedure in accordance with the amount entered.
The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
935-110422
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On August 18, 2022, the claimed party has proceeded to pay the sanction in the amount of 48,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.
FOUNDATIONS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following:
"1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction.
The reduction percentage provided for in this section may be increased by regulation."
According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure EXP202200439, in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to SERVICIOS ESPECIALES, S.A.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.
936-040822
Mar España Martí
Director of the Spanish Data Protection Agency