AEPD (Spain) - EXP202315571: Difference between revisions

AEPD - EXP202315571
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1)(f) GDPR Article 32 GDPR
Type:	Complaint
Outcome:	Upheld
Started:
Decided:	09.09.2024
Published:
Fine:	50,000 EUR
Parties:	Quirón Prevención
National Case Number/Name:	EXP202315571
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	Spanish
Original Source:	AEPD (Spain) (in ES)
Initial Contributor:	wp

The DPA fined a company €50,000 for unlawfully disclosing personal data in a mediation report, thus violating Article 5(1)(f) and Article 32 GDPR.

English Summary

Facts

A data subject claimed she suffered from harassment in her workplace. She filed a complaint with the Labour and Social Security Inspectorate (la Inspección de Trabajo y Seguridad). Then, the data subject and an employee involved took part in the mediation proceedings held by employer, i.e. Quirón Prevención (the controller).

The controller sent a mediation report to the data subject. However, the data subject’s and employee’s data (name and surname, ID, mobile number and email) were not redacted. The controller crossed out the data subject’s personal data after the request of the data subject.

The data subject lodged a complaint with the Spanish DPA (AEPD), claiming violation of personal data security.

Holding

The DPA upheld the complaint.

The controller violated Article 5(1)(f) GDPR and Article 32 GDPR. According to the DPA, the controller didn’t implement appropriate technical and organisational measures to guarantee data confidentiality. In particular, at the stage of document preparation and disclosure there were no data anonymization techniques present. Because of that, unlawful disclosure of documents containing personal data took place.

The DPA issued a fine of €30,000 for a violation of Article 5(1)(f) GDPR and €20,000 for a violation of Article 32 GDPR.

The original fine of €50,000 was reduced to €30,000 due to voluntary payment and admission of responsibility.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/14

File No.: EXP202315571

RESOLUTION TO TERMINATE THE PROCEDURE DUE TO VOLUNTARY

Payment

From the procedure initiated by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On September 9, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against QUIRÓN
PREVENCIÓN, S.L.U. (hereinafter, the respondent party), through the Agreement that is

transcribed:

<<

File No.: EXP202315571

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and
based on the following

FACTS

FIRST: On 05/10/2023, this Agency received a document submitted
by A.A.A. (hereinafter, the complaining party), through which it files a claim
against QUIRÓN PREVENCIÓN, S.L.U. with NIF B64076482 (hereinafter, QUIRÓN
PREVENCIÓN), for a possible breach of the provisions of the personal data
protection regulations.

The reasons on which the claim is based are the following:

The complainant states that, as a result of the complaint she filed
with the Labour and Social Security Inspectorate for possible situations of

harassment towards her in the workplace, a mediation process was followed between
the complainant and other workers involved in the events; where they were
informed that personal data would be protected due to the seriousness of the
accusations.

When the final mediation report was sent by QUIRÓN PREVENCIÓN, the
personal data of the complainant and those accused were shown (they
are blurred, but can be read). However, when the complainant

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/14

informed the person responsible for the report about this situation, the personal data did
appear crossed out.

Finally, the claimant indicates that the process is judicialized, but considers
QUIRÓN PREVENCIÓN's management of his personal data to be disastrous.

Along with the claim, he provides, among others, the following documents:

 Copy of the mediation report issued on ***DATE.1 by QUIRÓN
PREVENCIÓN with its annexes (REPORT OF MEDIATION AS EXTERNAL

ADVISORS IN SITUATIONS OF PSYCHOSOCIAL RISK INDICATORS DUE TO INTERNAL CONFLICT IN THE WORKPLACE).
Its content contains the following personal data of the claimant and of the accused (name and surname, ID, mobile number and
email):

o Claimant: A.A.A., ID ***NIF.1, ***TELEPHONE.1, ***EMAIL.1.

o Reported parties:
 B.B.B., DNI ***NIF.2, ***TELEPHONE.2, ***EMAIL.2.

 C.C.C., DNI ***NIF.3, ***TELEPHONE.3, ***EMAIL.3.

 Screenshot of the following emails:

o Email sent on ***DATE.2 by the complainant (***EMAIL.1) to the mediation services of QUIRÓN

PREVENCIÓN (***EMAIL.4) warning that personal data is reflected in the final mediation report. Its content is as follows:

(…).

o Email dated ***DATE.3 sent by QUIRÓN
PREVENCIÓN (***EMAIL.4) to, among others, the complaining party with 3
PDF documents relating to the “Mediation Report”, “Start Minutes” and

“Final Minutes XXXXX”.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on 11/03/2023, said claim was transferred to QUIRÓN
PREVENCIÓN, so that it could proceed with its analysis and inform this Agency within one
month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 11/03/2023 as stated in the

acknowledgement of receipt in the file.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/14

On 12/04/2023, this Agency received a written response from QUIRÓN
PREVENCIÓN in which, in summary, it acknowledged having sent an email on 11/02/2023 to the technical staff of its entity and to the interested parties and

participants in the labor mediation, with the final mediation report, the content of which includes personal data of the participants.

Likewise, QUIRÓN PREVENCIÓN indicates that the parties involved in the
mediation “formally accepted the mediation process and were expressly
informed not only of the object of the mediation, but also of their obligations regarding

confidentiality”. Therefore, the parties involved are bound not to “reveal the
information that they may have obtained from the procedure”.

Along with the document, they provide a copy of the Final Mediation Report with its annexes.

THIRD: On 12/28/2023, in accordance with article 65 of the LOPDGDD,
the claim submitted by the claimant was admitted for processing.

FOURTH: According to the report collected from the AXESOR tool, the entity
QUIRÓN PREVENCIÓN, S.L.U. is a large company established in 2006,
belonging to the economic group HELIOS HEALTHCARE SPAIN, S.L. and with a turnover of almost 400,000,000 euros in 2023.

LEGAL BASIS

I
Jurisdiction and procedure

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a

subsidiary basis, by the general rules on administrative procedures."

II
Preliminary issues

In this case, in accordance with the provisions of article 4.1 and 4.2 of the GDPR,
there is evidence of the processing of personal data, since QUIRÓN
PREVENCIÓN collects, uses and stores, among others, the following

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/14

personal data of natural persons: name and surname, ID, mobile number and email.

QUIRÓN PREVENCIÓN carries out this activity in its capacity as data controller,
since it is the party that determines the purposes and means of such activity, pursuant to
article 4.7 of the GDPR.

Within the principles of processing provided for in article 5 of the GDPR, the
integrity and confidentiality of personal data is guaranteed in section 1

letter f) of the aforementioned article. For its part, the security of personal data is regulated in Article 32 of the GDPR, which regulates the security of processing.

III

Principle of integrity and confidentiality

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

“1. Personal data shall be:

(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures («integrity and confidentiality»).”

In the present case, it is clear that, on ***DATE.1, QUIRÓN PREVENCIÓN
sent an email to the complainant with a copy of the Final Labor Mediation Report and its annexes, which included his personal data and that of the
accused, such as name and surname, ID, mobile number and email.

For its part, QUIRÓN PREVENCIÓN acknowledged in its reply to the transfer that it had
sent the aforementioned email, but only to its technical staff and to the
parties involved in the labor mediation process, who were obliged to keep it secret and guarantee its confidentiality.

However, it is clear that QUIRÓN PREVENCIÓN in the report issued
inappropriately exposed certain personal data of, among others, the complainant and the
accused, as their IDs, mobile numbers or emails did not appear anonymized in the message sent. This constitutes a violation of the

obligation of the respondent entity to guarantee the confidentiality of the data,
by making the aforementioned personal data known to the parties involved.

Furthermore, the documentation in the administrative file provides sufficient

indications to understand that QUIRÓN PREVENCIÓN lacks the appropriate technical

and organisational measures referred to in the aforementioned article.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/14

Therefore, in accordance with the evidence available at this time
in the agreement to initiate sanctioning proceedings, and without prejudice to what may result from
the investigation, it is considered that the known facts could constitute an

infringement, attributable to QUIRÓN PREVENCIÓN, for violation of article 5.1.f) of the
RGPD.

IV
Classification and qualification of the infringement of article 5.1.f) of the GDPR

If confirmed, the aforementioned infringement of article 5.1.f) of the GDPR could entail the
commission of the infringements classified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of a maximum of EUR 20 000 000 or,
in the case of an undertaking, an amount equivalent to a maximum of 4% of the
total global annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to
articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered very serious and will be subject to a three-year statute of limitations:

a) The processing of personal data in violation of the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. (…)”

V

Proposed sanction for infringement of article 5.1.f) of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered that the sanction to be imposed should be graded in accordance with the following criteria established in article 83.2 of the GDPR:

As aggravating factors:

 The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (section a). The infringing conduct is serious

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/14

since it entails a loss of confidentiality and, therefore, of disposition
and irremediable control over the personal data of those affected, which is not
only the complaining party, but also the two accused.

 The intention or negligence in the infringement (section b). The negligence
appreciated in the commission of the infringement, considering that there is a conflict
between those affected derived from a situation of harassment in the workplace towards the
complaining party, making it even more necessary to avoid that in these
processes the parties have access to the personal data of the rest.

 The categories of personal data affected by the infringement
(section g). The final labor mediation report contains the personal data
relating to the DNI of, among others, the complaining party. This data is considered to be

particularly sensitive insofar as, if the processing of this data is not
accompanied by the necessary technical and organisational measures to
ensure that the person who identifies himself with it is really its owner, a third party
can impersonate a natural person with the risks that this
entails for the privacy, honour and assets of the person impersonated.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and corrective
measures” of the LOPDGDD:

 The link between the offender's activity and the processing of

personal data (section b). The activity of QUIRÓN PREVENCIÓN
requires regular processing of personal data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of
the LOPDGDD, with respect to the infringement committed by violating the provisions of

article 5.1.f) of the GDPR, allows for an initial administrative fine of 30,000€ (thirty thousand euros).

VI

Security of processing

Article 32 “Security of processing” of the GDPR establishes:

“1. Taking into account the state of the art, the costs of implementation, and the

nature, scope, context and purposes of processing, as well as risks of
varying probability and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and
organizational measures to ensure a level of security appropriate to the risk,
which may include, where appropriate, among others:

a) the pseudonymization and encryption of personal data;

a) the ability to ensure the permanent confidentiality, integrity, availability and
resilience of the processing systems and services;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/14

b) the ability to restore the availability and access to personal data
quickly in the event of a physical or technical incident;

c) a process of regular verification, evaluation and assessment of the effectiveness of
the technical and organisational measures to ensure the security of the
processing.

2. When assessing the adequacy of the level of security, particular account will be taken
into account of the risks presented by the processing of data, in particular as a
consequence of the accidental or unlawful destruction, loss or alteration of
personal data transmitted, stored or otherwise processed, or the unauthorised
communication or access to such data.

3. Adherence to a code of conduct approved pursuant to Article 40 or to a

certification mechanism approved pursuant to Article 42 may serve as an element
to demonstrate compliance with the requirements set out in paragraph 1 of
this Article.

4. The controller and the processor shall take measures to ensure that
any person acting under the authority of the controller or the processor and

having access to personal data may process such data only on instructions from the
controller, unless required to do so by Union or Member State law.

In the present case, the sending of the Final Report of labor mediation and its annexes

by mail dated ***DATE.1 to the complaining party without anonymizing the data of the
participants shows a lack of measures on the part of QUIRÓN PREVENCIÓN. Furthermore, the entity itself is aware of the irregularity of the communication of data, since one day after the warning from the complaining party, the entity sent the mediation report again with the data crossed out.

Furthermore, QUIRÓN PREVENCIÓN has not accredited the security measures it has in place to prevent the documents it drafts from collecting personal data of the participants in the processes without anonymizing them. As the data controller, it should have implemented security measures and ensure their compliance, something that is not recorded in this Agency to date.

Consequently, in accordance with the evidence available at this time of the agreement to initiate the sanctioning procedure, and without prejudice to what may result from the investigation, it is considered that the known facts could constitute an infringement, attributable to QUIRÓN PREVENCIÓN, for violation of article 32 of the GDPR.

VII
Classification and qualification of the infringement of article 32 of the GDPR

If confirmed, the aforementioned infringement of article 32 of the GDPR could entail the
commission of the infringements classified in article 83.4 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/14

“Infringements of the following provisions shall be punishable, in accordance with
section 2, by administrative fines of a maximum of EUR 10,000,000 or,

in the case of a company, an amount equivalent to a maximum of 2% of the total annual turnover of the previous financial year, whichever is higher:

a) the obligations of the controller and the processor pursuant to articles 8, 11,
25 to 39, 42 and 43; (…)”

For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:

“In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered serious and will be subject to a two-year
expiration period:

(…)

f) The failure to adopt those technical and organizational measures that are
appropriate to guarantee a level of security appropriate to the risk of
the processing, in the terms required by article 32.1 of Regulation (EU)
2016/679.”(…)

VIII
Proposal for a sanction for the infringement of article 32 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in

accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to what results from the
investigation, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with
the following criteria established in article 83.2 of the GDPR:

As aggravating factors:

 The nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question,
as well as the number of data subjects affected and the level of damage and

harm they have suffered (section a). Not having implemented the appropriate security measures for the
risk led to improper access to personal data, not only of the complaining party, but also of the
other defendants.

 The intention or negligence in the infringement (section b). The negligence

appreciated in the commission of the infringement, considering that there is a conflict
between those affected derived from a situation of harassment in the workplace towards the
complainant, making it even more necessary to avoid that in these processes the parties have access to the personal data of the rest.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/14

 The categories of personal data affected by the infringement
(section g). The final report of labor mediation contains the personal data

relating to the DNI of, among others, the complainant. This data is considered to be
particularly sensitive insofar as, if the processing of this data is not
accompanied by the necessary technical and organisational measures to
ensure that the person who identifies himself with it is really its owner, a third party
can impersonate a natural person with the risks that this
entails for the privacy, honour and assets of the person impersonated.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and corrective
measures” of the LOPDGDD:

 The link between the offender's activity and the processing of
personal data (section b). The activity of QUIRÓN PREVENCIÓN
requires continuous processing of personal data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of
the LOPDGDD, with respect to the infringement committed by violating the provisions of
article 5.1.f) of the GDPR, allows for an initial administrative fine of
€20,000 (twenty thousand euros) to be set.

IX
Adoption of measures

If the infringement is confirmed, it could be agreed to impose on the controller the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this

act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which
each supervisory authority may “order the controller or processor to
comply the processing operations with the provisions of this Regulation, where appropriate, in a certain manner and within a
specified period…”. The imposition of this measure is compatible with the sanction
consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.

In such a case, in the resolution adopted, this Agency may require the responsible entity to adapt its actions to the personal data protection regulations within two months, to the extent expressed in the Legal Basis of this agreement and without prejudice to the results of the instruction.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/14

IT IS AGREED:

FIRST: TO START SANCTIONING PROCEDURE against QUIRÓN PREVENCIÓN,

S.L.U., with NIF B64076482, for:

 The alleged infringement of article 5.1.f) of the GDPR, classified in article
83.5.a) of the GDPR.

 The alleged infringement of article 32 of the GDPR, classified in article 83.4.a)
of the GDPR.

SECOND: TO APPOINT D.D.D. as instructor. and, as secretary, to E.E.E.,
indicating that they may be challenged, if applicable, in accordance with the provisions of

articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the

documents obtained and generated by the General Subdirectorate of Data Inspection
in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the
sanction that may apply, without prejudice to the outcome of the investigation,

would be:

 For the alleged infringement of article 5.1.f) of the GDPR, classified in article
83.5 of said law, administrative fine of €30,000 (thirty thousand
euros).

 For the alleged infringement of article 32 of the GDPR, classified in article
83.4 of said law, administrative fine of €20,000 (twenty thousand
euros).

FIFTH: NOTIFY this agreement to QUIRÓN PREVENCIÓN, S.L.U., with NIF
B64076482, granting it a hearing period of ten working days to formulate
the allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the file number that appears in the
heading of this document.

If within the stipulated period it does not make allegations to this initiation agreement, it
may be considered a resolution proposal, as established in article
64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its
responsibility within the period granted for the formulation of allegations to
this initiation agreement; which will entail a 20% reduction of the
sanction that must be imposed in this procedure. With the application of this reduction, the penalty would be set at €40,000 (forty thousand euros),

with the procedure being resolved with the imposition of this penalty.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/14

Likewise, at any time prior to the resolution of this procedure, the proposed penalty may be paid voluntarily, which
will mean a 20% reduction of its amount. With the application of this reduction,
the penalty would be set at €40,000 (forty thousand euros), and its payment will imply
the termination of the procedure, without prejudice to the imposition of the corresponding
measures.

The reduction for voluntary payment of the fine may be added to the reduction that must be applied for the recognition of liability, provided that this recognition of liability is made clear within the period granted for making allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at €30,000 (thirty thousand euros).

In any case, the effectiveness of either of the two reductions mentioned will be subject to the express withdrawal or waiver of any action or appeal in administrative proceedings against the fine.

For these purposes, if you choose to accept any of them, you must send to the
General Subdirectorate of Data Inspection an express communication of withdrawal

or waiver of any action or appeal through administrative channels against the sanction
indicating which of the two reductions you choose to accept or if it is both.

If you choose to proceed with the voluntary payment of any of the amounts
indicated above (€40,000 or €30,000) you must do so by making a

deposit into the account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/Code
XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency
at the bank CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the reason for the reduction of the amount to which you choose.

Likewise, proof of payment must be sent to the General Subdirectorate of Inspection along with express communication of withdrawal or waiver of any administrative action or appeal against the sanction in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the
start agreement. After this period, it will expire and, consequently, the proceedings will be filed; in accordance with the provisions of
article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

935-050724
Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/14

>>

SECOND: On September 24, 2024, the respondent party has proceeded to

pay the fine in the amount of 30,000 euros using the two

reductions provided for in the Initiation Agreement transcribed above, which implies the
recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at
the opening of the procedure, entails the waiver of any action or appeal through

administrative means against the fine and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement and its legal qualification.

FOURTH: The aforementioned initiation agreement indicated that, if the infringement is confirmed, it may be agreed to impose on the person responsible the adoption of

appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which
each supervisory authority may "order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...".

Having recognized the responsibility for the infringement, the imposition of
the measures included in the initiation agreement is appropriate.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this organic law, by the regulatory

provisions issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading
"Termination in sanctioning procedures" provides the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/14

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,

the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or it is possible to impose a
monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at

any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of
compensation for the damages and losses caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the

body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased by regulation.”

In accordance with the above,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202315571, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER QUIRÓN PREVENCIÓN, S.L.U. to notify the Agency within 2 months from the date this resolution becomes final and enforceable of the adoption of the measures described in the legal grounds of the
Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to QUIRÓN PREVENCIÓN, S.L.U..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

1259-151024

Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/14

C/ Jorge Juan, 6 www.aepd.es

28001 – Madrid sedeagpd.gob.es