AEPD (Spain) - EXP202103039: Difference between revisions
From GDPRhub
No edit summary |
m (Ar moved page AEPD (Spain) - PS/00618/2021 to AEPD (Spain) - EXP202103039) |
Latest revision as of 13:35, 13 December 2023
| AEPD - PS/00618/2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR 72 (1)(h) LOPDGDD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 27.09.2021 |
| Decided: | 16.08.2022 |
| Published: | 16.08.2022 |
| Fine: | 5,000 EUR |
| Parties: | RODALI GESTIÓN INMOBILIARIA, S.L Private Party |
| National Case Number/Name: | PS/00618/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Jurado Taboada |
The Spanish DPA imposed a €5,000 fine on a real-state agency for violating Article 13 GDPR because the contract for the purchase of property did not include a clause informing the customer how her personal data gathered in that contract was handled.
English Summary
Facts
The data subject purchased property from Rodali Gestión Inmobiliaria (controller), a real estate agency. She signed a contract to make a reservation of the property. This document included her personal data. The contract neither included a clause nor was the data subject otherwise informed on how her personal data would be processed. When the data subject discovered this, she filed a complaint with the DPA.
The DPA tried to notify the controller about both the complaint and the start of a sanctioning procedure for the alleged infringement of Article 13 GDPR, but was unsuccesful. The notifications were repeatedly rejected and returned.
Holding
The DPA noted that when a controller obtains personal data, it must provide the data subject with all information regarding their processing activities pursuant to Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR by neither informing the data subject nor including any clause about the processing of personal data in the contract.
The DPA found that since the main activity of the controller was direcltly linked to the processing of personal data, the controller was required to have a higher level of rigorousness, professionalism and, consequently, responsibility regarding the processing.
Because of this aggravating circumstance, the DPA imposed a fine of €5.000. The DPA further ordered the controller to bring its operations into compliance with Article 13 GDPR and thus making sure to inform its clients about the processing of their data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/7
Procedure No.: PS/00618/2021(EXP202103039)
RESOLUTION OF PUNISHMENT PROCEDURE
Of the actions carried out ex officio by the Spanish Agency for the Protection of
Data before the entity, RODALI GESTIÓN INMOBILIARIA, S.L. with CIF: B45811353,
(hereinafter "the claimed party"), for the alleged violation of the regulations of
data protection: Regulation (EU) 2016/679, of the European Parliament and of the
Council, of 04/27/16, regarding the Protection of Natural Persons in what
regarding the Processing of Personal Data and the Free Circulation of these Data
(RGPD) and Organic Law 3/2018, of December 5, on Data Protection
Personal and Guarantee of Digital Rights (LOPDGDD), and attending to the
following:
BACKGROUND
FIRST: On 09/27/21, he entered this Agency, a brief presented by
Mrs. A.A.A., (hereinafter, "the complaining party"), in which it indicated, among others, that,
At the time of making the reservation for the purchase of a flat with this Agency, he did not fill in
no clause nor was she informed of the processing of her personal data.
Along with the written claim, a copy of the contract is provided: “Documentation of
Property Offer” dated 11/13/19, where the personal data of the
claimant, as well as, the data of the Real Estate and where the management is agreed, for
part of the Real Estate of the purchase of a property.
SECOND: On 10/18/21 and 10/29/21, this Agency transferred the
claim to the party complained against so that it could respond to it,
in accordance with the provisions of article 65.4 of the LOPDGDD Law. attempts to
notification resulted in the following:
- According to a certificate from the Electronic Notifications Service and Address
Electronic, the shipment made to the claimed entity, on 10/18/21, through
of the electronic notification service "NOTIFIC@", was rejected in
destination on 10/29/21.
Although the notification was validly made by electronic means, assuming
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, by way of
informative, a copy was sent by mail that was reliably notified in
date 11/10/21, being the recipient of this, Ms. BBB ***NIF.1 In said notification,
he was reminded of his obligation to interact electronically with the Administration,
and they were informed of the means of access to said notifications, reiterating that, in
thereafter, you will be notified exclusively by electronic means.
THIRD: On 12/23/21, by the Director of the Spanish Agency for
Data Protection agreement is issued for the admission of processing of the claim
submitted by the claimant, in accordance with article 65 of the LPDGDD Law, to the
not receive any response to requests made from this Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7
FOURTH: On 02/18/22, by the Director of the Spanish Agency for
Data Protection, the initiation of the sanctioning procedure against the party
claimed, for the alleged infringement of article 13 of the RGPD, as there are indications of the
lack of information offered to customers about the processing of their data
personal, when these are obtained directly from them, imposing a
initial penalty of 5,000 euros (five thousand euros), based on the provisions of art. 64.2 b)
of Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (LPACAP). However, attempts to notify the
agreement to initiate the sanctioning file obtained as a result:
- According to a certificate from the Electronic Notifications Service and Address
Electronic, the shipment made to the claimed entity, on 02/22/22, through
of the electronic notification service "NOTIFIC@", was rejected in
destination on 03/05/22.
- According to a certificate from the State Post and Telegraph Society, the shipment
made to the claimed entity, on 05/30/22 through the service of
Postal notification from Correos, was returned to destination with the legend of
“unknown” on 06/08/22.
FIFTH: After the period granted for the formulation of allegations to the
agreement to initiate the procedure, it has been verified that no allegation has been received
any by the claimed party.
Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP) -provision of which
the respondent was informed in the agreement to open the proceeding,
establishes that, if allegations are not made within the stipulated period on the content
of the initiation agreement, when it contains a precise statement about
imputed responsibility, may be considered a resolution proposal. In the
present case, the agreement to initiate the disciplinary proceedings determined the
facts in which the imputation was specified, the infraction of the RGPD attributed to the
claimed and the sanction that could be imposed. Therefore, taking into account that
the party complained against has made no objections to the agreement to initiate the file and
In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement of
beginning is considered in the present case resolution proposal
PROVEN FACTS
Of the actions carried out in this procedure and of the information and
documentation presented by the claimant, it has been proven that:
First: At the time of signing the contracts by which the Real Estate becomes
charge of the management of the purchase of a property, does not inform in any document
about the management of your personal data. The document that is provided together with the
claim, "Property Offer Document" dated 11/13/19, appear the
personal data of the claimant, as well as the data of the Real Estate, but not
there is no clause where the management of personal data is reported
obtained by the real estate.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/7
FOUNDATIONS OF LAW
I-Competition
It is competent to initiate and resolve this Sanctioning Procedure the Director of
the Spanish Agency for Data Protection, by virtue of the powers established in
Article 58.2 of the RGPD and in the LOPDGDD Law.
II- Summary of the facts:
In the present case, the claimant indicates that, at the time of signing the contract for
in which the Real Estate Agency was in charge of managing the purchase of a property, not
signed or was informed at any time about the management of their personal data.
III- About the infraction committed due to the lack of information about the treatment
of personal data:
Recital 61) of the RGPD establishes that:
“Interested parties must be provided with information on the treatment of their
personal data at the time it is obtained from them or, if obtained
from another source, within a reasonable time, depending on the circumstances of the
case. If the personal data can be legitimately communicated to another
addressee, the interested party must be informed at the time the
communicated to the recipient for the first time. The data controller that
plans to process the data for a purpose other than that for which they were collected
must provide the data subject, prior to such further processing,
information about that other purpose and other necessary information (...)”.
In this sense, article 12.1 of the RGPD establishes, on the requirements that must be
comply with the information that the data controller must make available to
interested parties, the following:
"1. The person responsible for the treatment will take the appropriate measures to facilitate
to the interested party all the information indicated in articles 13 and 14, as well as
any communication under articles 15 to 22 and 34 relating to the
treatment, in a concise, transparent, intelligible and easily accessible form, with a
clear and plain language, in particular any information directed
specifically a child. The information will be provided in writing or by other
means, including, if applicable, by electronic means. When requested by
interested party, the information may be provided verbally provided that it is
prove the identity of the interested party by other means (...)”.
And for its part, article 13 of the RGPD, details the information that must be provided to the
interested when the data is collected directly from him, establishing the
Next:
“1. When personal data relating to him is obtained from an interested party, the
responsible for the treatment, at the moment in which these are obtained,
will facilitate:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/7
a) the identity and contact details of the person in charge and, where appropriate, of their
representative; b) the contact details of the data protection officer,
in your case; c) the purposes of the treatment to which the personal data is destined
and the legal basis of the treatment; d) when the treatment is based on the
article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a
third; e) the recipients or categories of recipients of the data
personal, if any; f) if applicable, the intention of the controller to transfer
personal data to a third country or international organization and the existence or
absence of an adequacy decision by the Commission, or, in the case of
transfers indicated in articles 46 or 47 or article 49, paragraph 1,
second paragraph, reference to the adequate or appropriate guarantees and the
means to obtain a copy of them or to the fact that they have been loaned.
2. In addition to the information mentioned in section 1, the person in charge of the
treatment will facilitate the interested party, at the moment in which the
personal data, the following information necessary to guarantee a
fair and transparent data processing: a) the period during which the
will keep the personal data or, when it is not possible, the criteria
used to determine this term; b) the existence of the right to request the
data controller access to personal data relating to the
interested, and its rectification or deletion, or the limitation of its treatment, or to
oppose the treatment, as well as the right to data portability; c)
when the treatment is based on article 6, paragraph 1, letter a), or the
Article 9, paragraph 2, letter a), the existence of the right to withdraw the
consent at any time, without affecting the legality of the
treatment based on consent prior to its withdrawal; d) the right to
file a claim with a control authority; e) if the communication
of personal data is a legal or contractual requirement, or a requirement
necessary to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of
not provide such data; f) the existence of automated decisions, including the
profiling, referred to in article 22, sections 1 and 4, and, when
least in such cases, meaningful information about the applied logic, as well
as the significance and anticipated consequences of such processing for the
interested".
Therefore, in the case at hand, the lack of information on the treatment of
personal data when obtaining the personal data of the clients supposes, for
part of the person in charge of the treatment, the violation of article 13 of the RGPD.
In this sense, article 72.1.h) of the LOPDGDD, considers it very serious, for
of prescription, “the omission of the duty to inform the affected party about the treatment
of your personal data in accordance with the provisions of articles 13 and 14 of the RGPD”
This infraction may be sanctioned according to the provisions of article 83.5.b) of the
RGPD, where it is established that: “Infringements of the following provisions are
shall be sanctioned, in accordance with section 2, with administrative fines of 20,000,000
EUR maximum or, in the case of a company, an amount equivalent to 4%
as a maximum of the overall annual total turnover of the financial year
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/7
above, opting for the highest amount: a) the rights of the interested parties to
tenor of articles 12 to 22”.
The balance of the circumstances contemplated, with respect to the infractions
committed, by violating the provisions of its article 13 of the RGPD, allows to set a
fine of 5,000 euros (five thousand euros).
In accordance with the precepts indicated, in order to set the amount of the penalty to
impose, it is considered appropriate to graduate the sanction in accordance with the following
aggravating criteria established in article 76 of the LOPDGDD:
- The link between the activity of the offender and the performance of treatment of
personal data, (section b), considering the level of implementation of the
entity and the activity it develops, in which data is involved
of thousands of interested parties, having as its main activity, the
purchase and sale of furniture and real estate, promotion of buildings, works and
reforms. financial broker. consultancy, administration, services to
companies, appraisal and appraisal, all these services related to property
real estate. This circumstance determines a higher degree of demand and
professionalism and, consequently, the responsibility of the entity in
relation to the processing of personal data.
IV.- Regarding the corrective measures to be implemented:
Article 58.2. of the RGPD, establishes, on the corrective powers that each
control authority may require the offender, among whom is, in his
section d): "(...) order the person responsible or in charge of processing that the
processing operations comply with the provisions of this Regulation,
when appropriate, in a certain way and within a specified period”.
Therefore, it is appropriate to impose, in accordance with the provisions of the cited article, the
following corrective action:
- Implement a mechanism in the management of the services performed by the
Real estate where customers are informed of the treatment that will be carried out
your personal data, in accordance with the provisions of article 13 of the
GDPR.
In view of the foregoing, the following is issued:
RESOLVES:
FIRST: IMPOSE RODALI GESTIÓN INMOBILIARIA, S.L. with CIF:
B45811353, a fine of 5,000 euros (five thousand euros), for violation of article
13 of the RGPD, by not conveniently informing customers of the purposes for which
allocate the personal data obtained from them.
SECOND: ORDER the entity RODALI GESTIÓN INMOBILIARIA, S.L. with CIF:
B45811353, which, within a month from the notification of this
resolution, take the necessary measures to implement a mechanism in the
management of the services performed where clients are informed of the treatment that
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/7
will be made of your personal data, in accordance with the provisions of article 13
of the GDPR.
THIRD: NOTIFY this resolution to the entity RODALI GESTIÓN INMO-
BILIARIA, S.L. and inform the complaining party of the result.
Warn the sanctioned party that the sanction imposed must be made effective once it is
enforce this resolution, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, of the Common Administrative Procedure of the Ad-
Public Administrations (LPACAP), within the voluntary payment period indicated in article
68 of the General Collection Regulations, approved by Royal Decree 939/2005,
of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-
upon deposit in the restricted account Nº ES00 0000 0000 0000 0000 0000, opened
on behalf of the Spanish Agency for Data Protection at CAIXABANK Bank,
S.A. or otherwise, it will be collected in the executive period.
Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
will be until the 20th day of the following month or immediately after, and if
is between the 16th and last day of each month, both inclusive, the term of the payment
It will be valid until the 5th of the second following month or immediately after.
In accordance with the provisions of article 82 of Law 62/2003, of December 30,
bre, of fiscal, administrative and social order measures, this Resolution is
will make public, once it has been notified to the interested parties. The publication is made
will be in accordance with the provisions of Instruction 1/2004, of December 22, of the Agency
Spanish Data Protection on the publication of its Resolutions.
Against this resolution, which puts an end to the administrative procedure, and in accordance with the
established in articles 112 and 123 of the LPACAP, the interested parties may interpose
have, optionally, an appeal for reconsideration before the Director of the Spanish Agency
of Data Protection within a period of one month from the day following the notification
fication of this resolution, or, directly contentious-administrative appeal before the
Contentious-administrative Chamber of the National High Court, in accordance with the provisions
placed in article 25 and in section 5 of the fourth additional provision of the Law
29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, in the
two months from the day following the notification of this act, according to
the provisions of article 46.1 of the aforementioned legal text.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the interested party
do states its intention to file a contentious-administrative appeal. If it is-
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or to
through any of the other registers provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer to the Agency the documentation
that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/7
tive within two months from the day following the notification of this
resolution, would end the precautionary suspension.
Sea Spain Marti
Director of the Spanish Agency for Data Protection.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
