AEPD (Spain) - PS/00473/2019: Difference between revisions
No edit summary |
m (Ar moved page AEPD - PS/00473/2019 to AEPD (Spain) - PS/00473/2019) |
(No difference)
|
Latest revision as of 14:41, 13 December 2023
AEPD - PS/00473/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5 GDPR Article 32 GDPR Art. 22 Ley de Servicios de la Sociedad de la Información y Comercio Electrónico (LSSI) |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | |
Decided: | 02.04.2020 |
Published: | |
Fine: | 1500 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00473/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AgenciaEspañola de Protección de Datos (in ES) |
Initial Contributor: | n/a |
The AEPD fined a controller for not providing its users with complete information regarding the use of cookies.
English Summary
Facts
The complainant highlights general non-compliance regarding processing. Just to take a couple of examples, in order to access the workstation, employees are not requested to use login credentials nor password are needed to unlock the screen. Employee can access all type of personal data regardless of their concrete tasks.
Moreover, the company's website does not provide an appropriate information regarding the use of cookies. The first pop-up banner does not inform about the existence of tracking cookies. The full cookie policy is also vague and does not provide a tool to uninstall cookies easily.
Dispute
The AEPD must assess whether or not the statements from the complainant are true. In particular if the processing is safeguarded with appropriate technical and organisational measures.
The Authority must also verify if the controller has respected the Spanish implementation of ePrivacy Directive (Ley 34/2002, Servicios de la Sociedad de la Información y ComercioElectrónico - LSSI). In particular if, under Article 22 LSSI, the controller has provided a clear and complete information on the use of cookies.
Holding
After thorough investigation, the AEPD considers that some statements in the complaint are not - or no longer - accurate.
For example, the controller has convincingly demonstrated that its personnel can now only access those data and resources required to carry out their tasks. Printed manuals and personal data are stored into locked filing cabinets and access to the office is only allowed to authorized personnel. Because of that, the AEPD decided to dismiss this part of the complaint.
The Authority then addresses the second point of the complaint.
According to the analysis, the pop-up notification (first layer) does not allow users to understand the use of cookies, as it happens, for instance, for phrases like “improve our services”. The Cookie Policy (second layer) does not describe which type of cookies is used or provide information regarding their sources (first or third-party). Also, it does not include any tool to manage cookies in a granular way. For these reasons, the Authority found a violation of Article 22(2) LSSI.
Comment
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/12 936-031219 Procedure No.: PS / 00473/2019 RESOLUTION R / 00258/2020 OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTARY In the sanctioning procedure PS / 00473/2019, instructed by the Agency Spanish Data Protection to HAPPY FRIDAY, SL , given the complaint presented by AAA , and based on the following, BACKGROUND FIRST: On April 2, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning procedure to HAPPY FRIDAY, SL (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure Nº: PS / 00473/2019 935-240719 PENALTY PROCEDURE STARTING AGREEMENT Of the actions carried out by the Spanish Agency for Data Protection before the entity, HAPPY FRIDAY, SL, with CIF: B54660980, owner of the website https://happvfridavhome.com , (hereinafter “the claimed entity”), by virtue of- nuncia presented by DAAA , (hereinafter “the claimant”) and based on the following: ACTS FIRST: On 05/10/19, you have entered this Agency, complaint filed by the claimant indicating, among others, the following: "In the company Happy Friday, SL, everything is being done wrong, regarding the treatment of personal data and others: -Works with personal folders shared on the server where all the files that each Save your daily work in your own personal folder. Folders accessible by any other user regardless of the department to which it corresponds, without no type of server authentication, no password or type of permissions. Anyone can access any document from another worker regardless of their profile, department or the sensitivity of the information from which concerned. No login credentials required, no password to lock screen etc. In addition, all computers use illegal software both at the level of operating system and applications, with the risk that this implies. And without the security of updates typically provided by software manufacturers. Processing thousands of customer data accessible to any of the 25 workers without any control. Well, in the management application (Eneboo) the start of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 12/12 session, but everyone can access any part of the application regardless of their role and department without any authentication or log of who has performed each action. I also consider that they are not acting according to current legislation regarding the processing of personal data: When entering the web https://happvfridavhome.com a pop-up opens requesting the subscription to the newsletter with an "I accept the Terms and Conditions", but it is not noticed Nor does it inform about the cookies they use and the tracking they carry out since accessing the Web. Nor is any consent requested for the collection of this information. Cookies that are already started on the cover without accepting them, nor have shown us their information. As you can see they don't indicate anything on the next page https://happvfridavhome.com/en/cookies You can navigate with full functionality on the web without having accepted any cookie policy, Privacy". SECOND: In view of the facts set forth in the claim and the documents contributed by the claimant, the General Sub-Directorate for Data Inspection proceeded to carry out actions for its clarification, under the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD). So, dated 07/12/19, an informative request is addressed to the claimed entity. THIRD: On 08/08/19, the requested entity sends this Agency written in who, among others, reports the following: “On the measures and regulations related to the identification and authentication of personnel authorized to access personal data. a) .- All users of the system are assigned an identifier and a password. The authentication system is based on a password environment under one system operating Microsoft Windows 10. The user enters his identifier (which identifies him as an authorized user to access) and your password (which authenticates you as the user river identified), which are verified on the computer itself, which recognizes it as system user, allowing access to directories, files and databases for the performance of their work. b) .- Passwords are one of the basic components of the security of the data, and must therefore be specially protected. As access keys to system, passwords must be strictly confidential and personal, and Any incident that compromises your confidentiality must be immediately communicated to the administrator and corrected in the shortest possible time. - The password file must be protected (in computerized format) they would be intelligible through the encryption system used by the system operational issue) and under the responsibility of the system administrator. - Passwords will be 13 alphanumeric characters, modified by the responsible for the file every 12 months. - The File Manager, or on his behalf the System Administrator in charge of the treatment, it will eliminate the passwords of the users that have unsubscribed from the organization. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 12/3 c) .- The staff will only access those data and resources that they need for the development. he of his functions. The person responsible for the file will establish mechanisms to avoid that a user can access resources other than those authorized in the following shape: - Different user profiles will be created in which they will be authorized / They will deny the different accesses to the allowed functions. - The staff will be informed of the applications, tools and documentation at which has access to perform its functions. - Only the person responsible for the file is authorized to grant, alter or cancel authorized access to data and resources. d) .- Annex II includes the updated users list with authorized access. do to each information system. Also, the type of authorized access is included for each of them. This list will be updated when necessary by modification. tions on the staff, by the person responsible for the file. - If there are personnel outside the person responsible for the file with access to the resources must be subject to the same conditions and security obligations than own staff. - Manual documents are located in locked cabinets at each station. work of authorized users. e) .- About the criteria for filing and storing information in ma- manual or non-automated. The archiving of the supports or documents will be carried out in accordance with the established criteria. blecidos by the person in charge of the file: The office has a work area made up of desks with computers and some locked metal filing cabinets, in those that manual documentation is kept, its content correctly identified and access only by authorized personnel. As long as the documents with personal data are not filed in the devices mentioned above, by working with them, people who are in charge of them must guard them and prevent in any way ment that it can be accessed by unauthorized persons. The office is located in an industrial warehouse. To access it you must call a external bell, enter with prior authorization, cross the nave and the bottom, going up some stairs, access to the second floor of the warehouse, where the management is located administrative office of the company. The security of the personal data of the Files not only supposes the confidentiality of them but also entails the integrity and availability of those data. To guarantee these two fundamental aspects of security, it is necessary to ary that there are backup and recovery processes that, in case of failure of the computer system, allow to recover and, where appropriate, reconstruct the data of the Fi- chero. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/12 - The person responsible for the File will be responsible for periodically obtaining a backup, for backup and recovery purposes in case of failure. - A backup is made daily on the Storage Device. (NAS) located in the company, as well as another parallel copy in another Device positive storage (NAS) located in a Ship used as warehouse- cen, inside a locked cabinet where only the Res- File manager and authorized person. With this current method that we have, the company guarantees an adequate level of security when in the processing of personal data. f) .- About Cookies. Regarding the measures adopted to provide clear and complete information on the use of Cookies, the purposes of the treatment of the data collected by them, and the procedure to obtain the consent of users about their installation In the browser, we inform you that since the launch of our WEB Yes, there is a notice to users at the bottom of the page, appearing I give an information and authorization sign for the use of Cookies framed in black on white letters that could accept or obtain more information, I am thus complying with our obligation. After having received this notification and after a Management meeting with the Computer department we have seen fit to improve our website by doing more Visible the section on Cookies, in order to have greater transparency for users who use our website. You can check it out at: https: //happyfridayhome.- com / ”. FOURTH: On 09/10/19, In view of the facts set forth in the information provided by the claimed entity, the General Sub-Directorate for Data Inspection proceeded to request additional information about, Security policies or in its to the following procedures: User authentication procedure; Procedures Access Control method; List of users with access to home information system training (Annex II) and Storage procedure and backup copies. FIFTH: On 10/10/19, the claimed entity remits to this Agency, written in which, among others, reports the following: a) .- All users are assigned an identifier and a password. The system Authentication is based on Microsoft Windows 10 operating system. The user enters his identifier (which identifies him as an authorized user) and his password (which authenticates you as the user), which are verified in the computer itself nador, which recognizes you as a user, allowing you to access directories, files, you and databases for the performance of your work. Passwords are 12 characters Alphanumeric racteres, modifying by the person in charge of the file every 12 months. The staff only access those data and resources that they need for the development of its functions. The person responsible for the File establishes mechanisms to prevent a user can access resources other than those authorized in the following way: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 12/5 - The different user profiles in which authorization is authorized have been drawn up. They will / deny the different accesses to the allowed functions. - The staff have been informed of the applications, tools and documents tion to which it has access to perform its functions. Exclusively the person in charge of the file is authorized to grant, alter or void authorized access to data and resources. Manual documents They are located in 2 locked cabinets, and are only accessed by authorized users. two. b) .- Storage of information in manual or non-automated files: The office has a work area made up of desks with a computer. res and some locked metal filing cabinets, in which the documentation is kept manual, correctly identified its content and access only by staff authorized for it. As long as the documents with personal data are not filed in the devices mentioned above, by working with them, people who are in charge of them must guard them and prevent in any way ment that it can be accessed by unauthorized persons. The office is located in an industrial warehouse. To access it you must call a external bell, enter with prior authorization, cross the nave and the bottom, going up some stairs, access to the second floor of the warehouse, where the management is located administrative office of the company. c) .- Storage of information in computer files. All files are located on the company server (SERVER 2019). Users are assigned an identifier and password. Access is through the PC of each user in Windows 10 environment with username and password and have access only to the files they use and for which they are duly authorized. d) .- Backups: The person responsible for the File is responsible for periodically obtaining a copy of file security. A daily backup is made to the Storage Device (NAS), located in the company, as well as another parallel copy in another device of storage (NAS) located in a Warehouse used as a warehouse, inside an Mario locked with a key where only the File Manager and person have access. authorized end. SIXTH: In view of the facts denounced, in accordance with the evidence of that is available, the Data Inspection of this Spanish Agency for the Protection of Data considers that the cookie policy that is made by the claimed entity, not C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/12 complies with the conditions imposed by current regulations, for which reason the opening ra of the present sanctioning procedure. FUNDAMENTALS OF LAW I Competition - About security measures: By virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of European Parliament and of the Council, of 04/27/16, relative to the Protection of Individuals with regard to the Processing of Personal and Free Data Circulation of these Data (RGPD) recognizes each Control Authority and, according to the established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), The Director of the Spanish Agency for Data Protection is competent to initiate this procedure. Sections 1) and 2) of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may dispose to effect, mentioning in point 1.d), that of: “notify the person in charge or commission of the treatment of the alleged infractions of these Regulations ”and in 2.i), that of: “Impose an administrative fine pursuant to article 83, in addition to or instead of measures mentioned in this section, according to the circumstances of each case.". - About the Cookies Policy: In accordance with the provisions of art. 43.1, second paragraph, of the Law 34/2002, of July 11, on Services of the Information Society and Commerce Electronic (LSSI), is competent to initiate and resolve this Procedure Sanctioner, the Director of the Spanish Agency for Data Protection. II A) .- About security measures in computer systems: In the present case, the claimant denounces the lack of security measures, in the management of the existing computer system in the claimed company. However, from the information and documentation provided by the company, Several aspects emerge that must be taken into account: a) .- There is a work area made up of desks with computers and some locked metal filing cabinets, in which manual documentation is kept, correctly identified. b) .- Access is only allowed to authorized personnel. While the documents with personal data are not stored on the devices C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 12/7 mentioned above, by working with them, the people who are in charge of them are responsible for guarding them and preventing can be used by other unauthorized persons. c) .- The office is located in an industrial warehouse. To access it you must call an external bell, enter with authorization, cross the ship and access the second plant where the administrative management area of the company is located. d) .- About the storage of information in computer files: all Files are located on the company's server (SERVER 2019). The Users are assigned an identifier and password. Access is through the PC of each user in Windows 10 environment, with username and password. You only have access to files that are used and for which they are duly authorized. e) .- About backup copies: the person responsible for the file is in charge of periodically obtain a backup copy of the file. A copy of daily security on the storage device (NAS), located in the company, as well as another parallel copy on another storage device (NAS), located in another warehouse, inside a locked cabinet where you only have access the person responsible for the file and the authorized personnel. f) .- According to the person in charge, the company has made the adaptation to the new Regulation which includes a Security Document on Measures, Norms, Procedures, Rules and Security Standards, in which they are made explicit the measures and standards related to the identification and authentication of personnel with access to personal data based on a password system environment Windows 10. g) .- Regarding Access Control, the personnel only access those data and resources required for the development of its functions for which the responsible will establish mechanisms to prevent a user from accessing resources for those who do not have privileges based on the creation of different user profiles in which access to authorized functions will be authorized / denied. Talk about that staff will be informed of the applications, tools and documentation to the who has access to perform their functions. Annex II, sent to that Agency, includes an updated list of users, with access allowed to each system of information, as well as the type of access. Regarding the security of the entity's computer systems, indicate that the RGPD establishes a new data protection system based on the proactive responsibility. This means that they must be responsible for treatment which will establish the appropriate technical and organizational measures to guarantee an adequate level of security based on the risks detected in the Previous analysis. Therefore, the information and documentation provided by the entity claimed is not it follows that the security policy, implemented in their computer systems, contravene the guidelines set by the GDPR in this regard. III C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 8 12/8 B) .- About the Cookies Policy, and following the recommendations of the "Guide on Cookies ”published by the Spanish Agency for Data Protection, in November 2019, when entering the website https://happvfridavhome.com , the following features: a) On the initial page (first layer), there is a banner with the following legend: "We use our own and third party cookies to improve our services and show you advertising related to your preferences, by analyzing your browsing habits. You can get more information, or know how to change the settings, in our Cookies Policy. Press ACCEPT to confirm that you have read and accepted the information presented. After accepting, we will not show you this message again ” a) In the second layer, "Cookies Policy". If you access the "Policy of Cookies ”, information is provided on some aspects of cookies, such as what they are, the types of cookies that exist but are not given information on cookies, both own and third party, that are loaded when you browse the web or the time they will remain installed on the computer terminal. Nor is it possible, in this second layer, a mechanism that allow you to manage the installation of cookies in granular form and / or to reject all cookies. IV Thus, in the banner on cookies of the first layer, the information on the Cookies provided do not allow users to understand their purposes and the use that is it will give them since an unclear language is used, with phrases like “ (…) improve our services (…) ” without further information on this matter. In the second layer, which is accessed through the link, "Cookies Policy", there is no informs about the type of cookies used, whether they are their own or from third parties or the period of keeping them on the computer; whether or not it exists is not reported international data transfer or if there is profiling. I do not know includes a panel to manage cookies in a granular way or another that allows, in its case, reject all cookies. The page is only limited to offering information about tools that disable cookies and refer to the configuration of the browser for it. The exposed facts could suppose on the part of the entity demanded the commission of the violation of article 22.2 of the LSSI, according to which: “The providers of services may use data storage and recovery devices in terminal equipment of the recipients, provided that they have given their consent after clear and complete information has been provided to them on its use, in particular, for the purposes of data processing, with C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 9 12/9 pursuant to the provisions of Organic Law 15/1999, of December 13, on protection of personal data. When technically possible and effective, the recipient's consent to Accepting the data processing may be facilitated by using the parameters browser or other applications. The above will not prevent the possible storage or access of a technical nature for the sole purpose of transmitting a communication by an electronic communications network or, to the extent that it is strictly necessary, for the provision of a service of the company of the information expressly requested by the recipient ”. This Infringement is classified as mild in article 38.4 g) of the aforementioned Law, which considers as such: “Use data storage and recovery devices when the information had not been provided or the consent of the recipient of the service in the terms required by article 22.2. ", and may be sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI. V After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the instruction, it is considered appropriate to graduate the sanction to impose in accordance with the following criteria established by art. 40 of the LSSI: - The existence of intentionality, an expression to be interpreted as equivalent to degree of guilt according to the Judgment of the National Hearing of 11/12/07 relapse in Resource no. 351/2006, corresponding to the entity denounced the determination of a system of Obtaining informed consent that is appropriate to the LSSI mandate. - Period of time during which the offense has been committed, as it is the claim May 2019, (section b). In accordance with these criteria, it is considered appropriate to impose on the entity claimed a penalty of 2,500 euros (two thousand five hundred euros), for the violation of the article 22.2 of the LSSI. Therefore, in accordance with the foregoing, by the Director of the Spanish Data Protection Agency, HE REMEMBERS: START: SANCTIONING PROCEDURE to the entity HAPPY FRIDAY, SL, with CIF: B54660980, owner of the website https://happvfridavhome.com , for Infringement of article 22.2) of the LSSI, punishable in accordance with the provisions of art. 39.1.c) and 40) of the aforementioned Law, regarding its Cookies Policy. NAME: as Instructor to DRRR, and Secretary, where appropriate, to Ms SSS , indi- Whereas any of them may be challenged, if applicable, in accordance with the provisions of cited in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). INCORPORATE: to the sanctioning file, for evidentiary purposes, the inter- put by the claimant and its documentation, the documents obtained and generated C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 10 12/10 by the General Sub-Directorate for Data Inspection during the investigation phase tions, all of them part of this administrative file. WHAT: for the purposes provided in art. 64.2 b) of law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be a fine of 2,500 euros for the violation of article 22.2 of the LSSI, without prejudice to what results from the instruction. REQUIRE: the entity HAPPY FRIDAY, SL, to take the appropriate measures to include in the web pages of your ownership, information about the cookies that are They install and a mechanism that enables or disables all cookies and another that enable granular cookies to manage preferences of the user. NOTIFY: this agreement to initiate sanctioning proceedings against the entity HAPPY FRIDAY, SL, granting you a hearing period of ten business days so that formulate the allegations and present the evidence that you consider appropriate. If, within the stipulated period, no allegations are made to this initial agreement, the same may be considered a resolution proposal, as established in the article 64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the sanction to impose were a fine, you can recognize your responsibility within the zo granted for the formulation of allegations to this initial agreement; what will entail a reduction of 20% of the sanction to be imposed in the this procedure, equivalent in this case to 500 euros. With the application of this reduction, the sanction would be established at 2000 euros, resolving the transfer with the imposition of this sanction. In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which means will give a reduction of 20% of the amount thereof, equivalent in this case to 500 euros. With the application of this reduction, the sanction would be established in 2000 euros and their payment will imply the termination of the procedure. The reduction for the voluntary payment of the sanction is cumulative to the one that corresponds apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the term granted to formulate allegations to the opening of the procedure. Voluntary payment of the referred amount in the previous paragraph it may be done at any time prior to the resolution. In In this case, if both reductions were to apply, the amount of the sanction would be established at 1,500 euros (one thousand five hundred euros). In any case, the effectiveness of any of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or recourse through administrative against the sanction. If you choose to proceed to the voluntary payment of any of the amounts indicated C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 11 12/11 previously, you must make it effective by entering the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of Data in Banco CAIXABANK, SA, indicating in the concept the reference number cia of the procedure that appears in the heading of this document and the cause reduction of the amount to which it avails. Likewise, you must send the proof of income to the General Subdirectorate of Ins- request to continue with the procedure in accordance with the amount entered gives. The procedure will have a maximum duration of nine months from the date cha of the initiation agreement or, where appropriate, the draft initiation agreement. Elapsed this period will expire and, consequently, the filing of proceedings; of in accordance with the provisions of article 64 of the LOPDGDD. Finally, it was pointed out which in accordance with the provisions of article 112.1 of the LPACAP, against this act there is no administrative appeal. Sea Spain Martí Director of the Spanish Agency for Data Protection. >> SECOND : On June 15, 2020, the requested party has paid the sanction in the amount of 1500 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD : The payment made, within the period granted to make allegations to the opening of the procedure, implies the waiver of any action or recourse administrative against the sanction and the recognition of responsibility in relation to the facts referred to in the Home Agreement. FUNDAMENTALS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, on Personal Data Protection and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in the article 43.1 of said Law. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 12 12/12 II Article 85 of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the heading " Termination in sanctioning procedures " provides as follows: "one. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the sanction that proceed. 2. When the sanction is solely pecuniary or fits impose a pecuniary and a non-pecuniary sanction but it has been justified the inadmissibility of the second, the voluntary payment by the alleged responsible, in any time prior to the resolution, will imply the termination of the procedure, except with regard to the replacement of the altered situation or the determination of the compensation for the damages caused by the commission of the offense. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, to less, 20% on the amount of the proposed sanction, these being cumulative each. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or waiver of any action or administrative remedy against the sanction. The reduction percentage provided in this section may be increased by regulation. According to what was stated, the Director of the Spanish Agency for Data Protection RESOLVES : FIRST: DECLARE the termination of the procedure PS / 00473/2019 , of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to HAPPY FRIDAY, SL . In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which ends the administrative route as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, of the Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from day after notification of this act, as provided in article 46.1 of the referred Law. Sea Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es