AEPD (Spain) - EXP202315571
Latest revision as of 10:38, 29 October 2024
| AEPD - EXP202315571 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 09.09.2024 |
| Published: | |
| Fine: | 50,000 EUR |
| Parties: | Quirón Prevención |
| National Case Number/Name: | EXP202315571 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (Spain) (in ES) |
| Initial Contributor: | wp |
The DPA fined a company €50,000 for unlawfully disclosing personal data in a mediation report, thus violating Article 5(1)(f) and Article 32 GDPR.
English Summary
Facts
A data subject claimed she suffered from harassment in her workplace. She filed a complaint with the Labour and Social Security Inspectorate (la Inspección de Trabajo y Seguridad). The data subject and an employee involved then took part in mediation proceedings held by the employer, i.e. Quirón Prevención (the controller).
The controller sent a mediation report to the data subject. However, the personal data of the data subject and of the employee (name and surname, ID, mobile number and email) were not redacted. At the data subject's request, the controller then crossed out her personal data.
The data subject lodged a complaint with the Spanish DPA (AEPD), claiming violation of personal data security.
Holding
The DPA upheld the complaint.
The controller violated Article 5(1)(f) GDPR and Article 32 GDPR. According to the DPA, the controller did not implement appropriate technical and organisational measures to guarantee the confidentiality of the data. In particular, no anonymisation technique was applied at the stage of document preparation and disclosure, which resulted in the unlawful disclosure of documents containing personal data.
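The DPA's finding is that nothing at the document preparation and disclosure stage stripped the identifiers (ID, mobile number, email) from the report before it was sent. The following is an added example, not part of the decision or of the GDPRhub summary, of the kind of pre-disclosure check a controller can run over a report: it redacts emails, Spanish DNIs (an 8-digit number whose control letter passes the standard mod-23 check) and Spanish mobile numbers, and refuses to treat a document as safe to send while any finding remains. The sample report, its names, numbers and addresses are constructed for the example; the regular expressions are assumptions tailored to Spanish identifier formats.

```python
import re
from dataclasses import dataclass

# Control letter table for a Spanish DNI: letter = DNI_LETTERS[number % 23] (standard algorithm).
DNI_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"

# Patterns for the three identifier kinds the decision lists: ID (DNI), mobile number, email.
# These are assumptions about format, not a complete PII detector (names, for instance, are not covered).
DNI_RE = re.compile(r"\b(\d{8})[-\s]?([A-Za-z])\b")
MOBILE_RE = re.compile(r"\b[67]\d{2}[\s.-]?\d{3}[\s.-]?\d{3}\b")  # Spanish mobile: 9 digits starting with 6 or 7
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    kind: str   # "DNI", "MOBILE" or "EMAIL"
    value: str  # the text that was redacted


def dni_is_valid(number: str, letter: str) -> bool:
    """True if the control letter matches the 8-digit number (mod-23 check)."""
    return DNI_LETTERS[int(number) % 23] == letter.upper()


def redact_report(text: str) -> tuple[str, list[Finding]]:
    """Return (redacted_text, findings). Emails are handled first so their characters never feed the number patterns."""
    findings: list[Finding] = []

    def record(kind: str, value: str, placeholder: str) -> str:
        findings.append(Finding(kind, value))
        return placeholder

    text = EMAIL_RE.sub(lambda m: record("EMAIL", m.group(0), "[EMAIL REDACTED]"), text)

    def dni_sub(m: re.Match) -> str:
        # An 8-digit run followed by a letter only counts as a DNI when the control letter checks out,
        # so file references or badge codes with a stray letter are left untouched.
        if not dni_is_valid(m.group(1), m.group(2)):
            return m.group(0)
        return record("DNI", m.group(0), "[DNI REDACTED]")

    text = DNI_RE.sub(dni_sub, text)
    text = MOBILE_RE.sub(lambda m: record("MOBILE", m.group(0), "[MOBILE REDACTED]"), text)
    return text, findings


def safe_to_disclose(text: str) -> bool:
    """Disclosure gate: True only when a scan of the document records no findings."""
    _, findings = redact_report(text)
    return not findings


# Constructed sample report; every name, number and address here is invented for this example.
SAMPLE_REPORT = """MEDIATION REPORT - internal conflict in the workplace
Complainant: Ana Ejemplo, DNI 12345678Z, tel. 612 345 678, ana.ejemplo@example.org
Reported party: Bruno Ejemplo, DNI 87654321X, tel. 698765432, bruno@example.org
Case reference 20240909 is the file number, not a personal identifier.
Internal badge 11111111A is an employee badge code, not a DNI (control letter does not match).
"""

if __name__ == "__main__":
    redacted, found = redact_report(SAMPLE_REPORT)
    print(redacted)
    for f in found:
        print(f"{f.kind:7} {f.value}")
    print("safe to send before:", safe_to_disclose(SAMPLE_REPORT), "after:", safe_to_disclose(redacted))
```

Two points the example makes that the summary does not: the checksum gate keeps the redactor from blanking every 8-digit number that happens to precede a letter, and the gate function is what a sending workflow should call, so a report with any unredacted identifier is never passed to the mail step. The names ("Ana Ejemplo") survive the scan, which is exactly why a pattern-based check is a technical measure that still needs an organisational one (a review step, or a template that never carries the parties' details) alongside it.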
The DPA issued a fine of €30,000 for a violation of Article 5(1)(f) GDPR and €20,000 for a violation of Article 32 GDPR.
The original fine of €50,000 was reduced to €30,000 due to voluntary payment and admission of responsibility.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202315571

RESOLUTION TO TERMINATE THE PROCEDURE DUE TO VOLUNTARY PAYMENT

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On September 9, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against QUIRÓN PREVENCIÓN, S.L.U. (hereinafter, the respondent party), through the Agreement that is transcribed:

<< File No.: EXP202315571

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On 05/10/2023, this Agency received a document submitted by A.A.A. (hereinafter, the complaining party), through which it files a claim against QUIRÓN PREVENCIÓN, S.L.U. with NIF B64076482 (hereinafter, QUIRÓN PREVENCIÓN), for a possible breach of the provisions of the personal data protection regulations. The reasons on which the claim is based are the following:

The complainant states that, as a result of the complaint she filed with the Labour and Social Security Inspectorate for possible situations of harassment towards her in the workplace, a mediation process was followed between the complainant and other workers involved in the events, where they were informed that personal data would be protected due to the seriousness of the accusations. When the final mediation report was sent by QUIRÓN PREVENCIÓN, the personal data of the complainant and those accused were shown (they are blurred, but can be read). However, when the complainant informed the person responsible for the report about this situation, the personal data did appear crossed out. Finally, the claimant indicates that the process is judicialized, but considers QUIRÓN PREVENCIÓN's management of her personal data to be disastrous.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/14
Along with the claim, she provides, among others, the following documents:

- Copy of the mediation report issued on ***DATE.1 by QUIRÓN PREVENCIÓN with its annexes (REPORT OF MEDIATION AS EXTERNAL ADVISORS IN SITUATIONS OF PSYCHOSOCIAL RISK INDICATORS DUE TO INTERNAL CONFLICT IN THE WORKPLACE). Its content contains the following personal data of the claimant and of the accused (name and surname, ID, mobile number and email):
  o Claimant: A.A.A., ID ***NIF.1, ***TELEPHONE.1, ***EMAIL.1.
  o Reported parties: B.B.B., DNI ***NIF.2, ***TELEPHONE.2, ***EMAIL.2. C.C.C., DNI ***NIF.3, ***TELEPHONE.3, ***EMAIL.3.
- Screenshot of the following emails:
  o Email sent on ***DATE.2 by the complainant (***EMAIL.1) to the mediation services of QUIRÓN PREVENCIÓN (***EMAIL.4) warning that personal data is reflected in the final mediation report. Its content is as follows: (…).
  o Email dated ***DATE.3 sent by QUIRÓN PREVENCIÓN (***EMAIL.4) to, among others, the complaining party with 3 PDF documents relating to the “Mediation Report”, “Start Minutes” and “Final Minutes XXXXX”.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on 11/03/2023, said claim was transferred to QUIRÓN PREVENCIÓN, so that it could proceed with its analysis and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 11/03/2023 as stated in the acknowledgement of receipt in the file.
On 12/04/2023, this Agency received a written response from QUIRÓN PREVENCIÓN in which, in summary, it acknowledged having sent an email on 11/02/2023 to the technical staff of its entity and to the interested parties and participants in the labor mediation, with the final mediation report, the content of which includes personal data of the participants. Likewise, QUIRÓN PREVENCIÓN indicates that the parties involved in the mediation “formally accepted the mediation process and were expressly informed not only of the object of the mediation, but also of their obligations regarding confidentiality”. Therefore, the parties involved are bound not to “reveal the information that they may have obtained from the procedure”. Along with the document, they provide a copy of the Final Mediation Report with its annexes.

THIRD: On 12/28/2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant was admitted for processing.

FOURTH: According to the report collected from the AXESOR tool, the entity QUIRÓN PREVENCIÓN, S.L.U. is a large company established in 2006, belonging to the economic group HELIOS HEALTHCARE SPAIN, S.L. and with a turnover of almost 400,000,000 euros in 2023.

LEGAL BASIS

I Jurisdiction and procedure

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Preliminary issues

In this case, in accordance with the provisions of article 4.1 and 4.2 of the GDPR, there is evidence of the processing of personal data, since QUIRÓN PREVENCIÓN collects, uses and stores, among others, the following personal data of natural persons: name and surname, ID, mobile number and email. QUIRÓN PREVENCIÓN carries out this activity in its capacity as data controller, since it is the party that determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR.

Within the principles of processing provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1 letter f) of the aforementioned article. For its part, the security of personal data is regulated in Article 32 of the GDPR, which regulates the security of processing.

III Principle of integrity and confidentiality

Article 5.1.f) “Principles relating to processing” of the GDPR establishes: “1. Personal data shall be: (…) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, by applying appropriate technical or organizational measures («integrity and confidentiality»).”

In the present case, it is clear that, on ***DATE.1, QUIRÓN PREVENCIÓN sent an email to the complainant with a copy of the Final Labor Mediation Report and its annexes, which included her personal data and that of the accused, such as name and surname, ID, mobile number and email.

For its part, QUIRÓN PREVENCIÓN acknowledged in its reply to the transfer that it had sent the aforementioned email, but only to its technical staff and to the parties involved in the labor mediation process, who were obliged to keep it secret and guarantee its confidentiality.

However, it is clear that QUIRÓN PREVENCIÓN in the report issued inappropriately exposed certain personal data of, among others, the complainant and the accused, as their IDs, mobile numbers or emails did not appear anonymized in the message sent. This constitutes a violation of the obligation of the respondent entity to guarantee the confidentiality of the data, by making the aforementioned personal data known to the parties involved.

Furthermore, the documentation in the administrative file provides sufficient indications to understand that QUIRÓN PREVENCIÓN lacks the appropriate technical and organisational measures referred to in the aforementioned article.

Therefore, in accordance with the evidence available at this time in the agreement to initiate sanctioning proceedings, and without prejudice to what may result from the investigation, it is considered that the known facts could constitute an infringement, attributable to QUIRÓN PREVENCIÓN, for violation of article 5.1.f) of the RGPD.
IV Classification and qualification of the infringement of article 5.1.f) of the GDPR

If confirmed, the aforementioned infringement of article 5.1.f) of the GDPR could entail the commission of the infringements classified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides:

"Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of a maximum of EUR 20 000 000 or, in the case of an undertaking, an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9; (…)”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
(…)”

V Proposed sanction for infringement of article 5.1.f) of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered that the sanction to be imposed should be graded in accordance with the following criteria established in article 83.2 of the GDPR:

As aggravating factors:

- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damages and losses they have suffered (section a). The infringing conduct is serious since it entails a loss of confidentiality and, therefore, of disposition and irremediable control over the personal data of those affected, which is not only the complaining party, but also the two accused.
- The intention or negligence in the infringement (section b). The negligence appreciated in the commission of the infringement, considering that there is a conflict between those affected derived from a situation of harassment in the workplace towards the complaining party, making it even more necessary to avoid that in these processes the parties have access to the personal data of the rest.
- The categories of personal data affected by the infringement (section g). The final labor mediation report contains the personal data relating to the DNI of, among others, the complaining party.
This data is considered to be particularly sensitive insofar as, if the processing of this data is not accompanied by the necessary technical and organisational measures to ensure that the person who identifies himself with it is really its owner, a third party can impersonate a natural person with the risks that this entails for the privacy, honour and assets of the person impersonated.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:

- The link between the offender's activity and the processing of personal data (section b). The activity of QUIRÓN PREVENCIÓN requires regular processing of personal data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the GDPR, allows for an initial administrative fine of 30,000€ (thirty thousand euros).

VI Security of processing

Article 32 “Security of processing” of the GDPR establishes:

“1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as risks of varying probability and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which may include, where appropriate, among others:
a) the pseudonymization and encryption of personal data;
b) the ability to ensure the permanent confidentiality, integrity, availability and resilience of the processing systems and services;
c) the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing.
2. When assessing the adequacy of the level of security, particular account will be taken of the risks presented by the processing of data, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication or access to such data.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and the processor shall take measures to ensure that any person acting under the authority of the controller or the processor and having access to personal data may process such data only on instructions from the controller, unless required to do so by Union or Member State law.
In the present case, the sending of the Final Report of labor mediation and its annexes by mail dated ***DATE.1 to the complaining party without anonymizing the data of the participants shows a lack of measures on the part of QUIRÓN PREVENCIÓN. Furthermore, the entity itself is aware of the irregularity of the communication of data, since one day after the warning from the complaining party, the entity sent the mediation report again with the data crossed out.

Furthermore, QUIRÓN PREVENCIÓN has not accredited the security measures it has in place to prevent the documents it drafts from collecting personal data of the participants in the processes without anonymizing them. As the data controller, it should have implemented security measures and ensured their compliance, something that is not recorded in this Agency to date.

Consequently, in accordance with the evidence available at this time of the agreement to initiate the sanctioning procedure, and without prejudice to what may result from the investigation, it is considered that the known facts could constitute an infringement, attributable to QUIRÓN PREVENCIÓN, for violation of article 32 of the GDPR.
VII Classification and qualification of the infringement of article 32 of the GDPR

If confirmed, the aforementioned infringement of article 32 of the GDPR could entail the commission of the infringements classified in article 83.4 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall be punishable, in accordance with section 2, by administrative fines of a maximum of EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual turnover of the previous financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43; (…)”

For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:

“In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year expiration period: (…)
f) The failure to adopt those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.” (…)

VIII Proposal for a sanction for the infringement of article 32 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate sanctioning proceedings, and without prejudice to what results from the investigation, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:

As aggravating factors:

- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage and harm they have suffered (section a). Not having implemented the appropriate security measures for the risk led to improper access to personal data, not only of the complaining party, but also of the other defendants.
- The intention or negligence in the infringement (section b). The negligence appreciated in the commission of the infringement, considering that there is a conflict between those affected derived from a situation of harassment in the workplace towards the complainant, making it even more necessary to avoid that in these processes the parties have access to the personal data of the rest.
- The categories of personal data affected by the infringement (section g). The final report of labor mediation contains the personal data relating to the DNI of, among others, the complainant. This data is considered to be particularly sensitive insofar as, if the processing of this data is not accompanied by the necessary technical and organisational measures to ensure that the person who identifies himself with it is really its owner, a third party can impersonate a natural person with the risks that this entails for the privacy, honour and assets of the person impersonated.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:

- The link between the offender's activity and the processing of personal data (section b). The activity of QUIRÓN PREVENCIÓN requires continuous processing of personal data.
The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f) of the GDPR, allows for an initial administrative fine of €20,000 (twenty thousand euros) to be set.

IX Adoption of measures

If the infringement is confirmed, it could be agreed to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply the processing operations with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”.

The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.

In such a case, in the resolution adopted, this Agency may require the responsible entity to adapt its actions to the personal data protection regulations within two months, to the extent expressed in the Legal Basis of this agreement and without prejudice to the results of the instruction.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: TO START SANCTIONING PROCEDURE against QUIRÓN PREVENCIÓN, S.L.U., with NIF B64076482, for:
- The alleged infringement of article 5.1.f) of the GDPR, classified in article 83.5.a) of the GDPR.
- The alleged infringement of article 32 of the GDPR, classified in article 83.4.a) of the GDPR.

SECOND: TO APPOINT D.D.D. as instructor and, as secretary, E.E.E., indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that may apply, without prejudice to the outcome of the investigation, would be:
- For the alleged infringement of article 5.1.f) of the GDPR, classified in article 83.5 of said law, administrative fine of €30,000 (thirty thousand euros).
- For the alleged infringement of article 32 of the GDPR, classified in article 83.4 of said law, administrative fine of €20,000 (twenty thousand euros).

FIFTH: NOTIFY this agreement to QUIRÓN PREVENCIÓN, S.L.U., with NIF B64076482, granting it a hearing period of ten working days to formulate the allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the file number that appears in the heading of this document.
If within the stipulated period it does not make allegations to this initiation agreement, it may be considered a resolution proposal, as established in article 64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its responsibility within the period granted for the formulation of allegations to this initiation agreement, which will entail a 20% reduction of the sanction that must be imposed in this procedure. With the application of this reduction, the penalty would be set at €40,000 (forty thousand euros), with the procedure being resolved with the imposition of this penalty.

Likewise, at any time prior to the resolution of this procedure, the proposed penalty may be paid voluntarily, which will mean a 20% reduction of its amount. With the application of this reduction, the penalty would be set at €40,000 (forty thousand euros), and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the fine may be added to the reduction that must be applied for the recognition of liability, provided that this recognition of liability is made clear within the period granted for making allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the fine would be set at €30,000 (thirty thousand euros).

In any case, the effectiveness of either of the two reductions mentioned will be subject to the express withdrawal or waiver of any action or appeal in administrative proceedings against the fine.
For these purposes, if you choose to accept any of them, you must send to the General Subdirectorate of Data Inspection an express communication of withdrawal or waiver of any action or appeal through administrative channels against the sanction indicating which of the two reductions you choose to accept or if it is both.

If you choose to proceed with the voluntary payment of any of the amounts indicated above (€40,000 or €30,000) you must do so by making a deposit into the account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/Code XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you choose.

Likewise, proof of payment must be sent to the General Subdirectorate of Inspection along with express communication of withdrawal or waiver of any administrative action or appeal against the sanction in order to continue with the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.

935-050724
Mar España Martí
Director of the Spanish Data Protection Agency >>

SECOND: On September 24, 2024, the respondent party has proceeded to pay the fine in the amount of 30,000 euros using the two reductions provided for in the Initiation Agreement transcribed above, which implies the recognition of responsibility.
THIRD: The payment, made within the period granted for making allegations at the opening of the procedure, entails the waiver of any action or appeal through administrative channels against the fine and the recognition of responsibility for the facts referred to in the initiation agreement and their legal classification.

FOURTH: The initiation agreement indicated that, if the infringement were confirmed, the controller could be ordered to adopt appropriate measures to bring its conduct into line with the regulations cited in that act, in accordance with article 58.2 d) of the GDPR, under which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...". Responsibility for the infringement having been recognised, the imposition of the measures included in the initiation agreement is appropriate.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedure."
II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature, or it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the latter has been justified, voluntary payment by the presumed offender at any time prior to the resolution will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damage caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction. The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: To DECLARE the termination of procedure EXP202315571, in accordance with article 85 of the LPACAP.

SECOND: To ORDER QUIRÓN PREVENCIÓN, S.L.U.
to notify the Agency, within two months from the date on which this resolution becomes final and enforceable, of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution.

THIRD: To NOTIFY this resolution to QUIRÓN PREVENCIÓN, S.L.U.

In accordance with article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative route as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court (Audiencia Nacional), in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1 of that Law.

1259-151024
Mar España Martí
Director of the Spanish Data Protection Agency