AEPD (Spain) - PS/00006/2022: Difference between revisions
(mainly some fine tuning to make the facts and holding a bit more clear and simple structure and language wise but overall a well-written summary of a rather long decision! well done :)) |
(→Facts) |
||
Line 68: | Line 68: | ||
=== Facts === | === Facts === | ||
In the process of registering for an account through the controller's website, a motorcycle sharing company, the data subject was asked for further personal information besides that already provided (driver's license and credit card details), and thus decided to delete their account. Since neither the controller's website nor the app provided for an account cancellation option, the data subject requested the deletion of all their data and payment details at a generic email address of the company. The data subject used the customer service chat, which confirmed that the deletion of their data had been carried out. To formally register their request, the data subject was asked to email another generic mailbox, which did not accept incoming mail. The data subject then addressed the request to the controller's email address provided in the privacy policy for the exercise of data subject rights, but received no reply either. Despite all this, the data subject subsequently received various commercial messages from the controller. | In the process of registering for an account through the controller's website, a motorcycle sharing company, the data subject was asked for further personal information besides that already provided (driver's license and credit card details), and thus decided to delete their account. Since neither the controller's website nor the app provided for an account cancellation option, the data subject requested the deletion of all their data and payment details at a generic email address of the company. | ||
The data subject used the customer service chat, which confirmed that the deletion of their data had been carried out. To formally register their request, the data subject was asked to email another generic mailbox, which did not accept incoming mail. The data subject then addressed the request to the controller's email address provided in the privacy policy for the exercise of data subject rights, but received no reply either. Despite all this, the data subject subsequently received various commercial messages from the controller. | |||
On 19 February 2019, the data subject filed a complaint before the Italian DPA against the controller. On 19 October 2020, the data subject's complaint was forwarded and registered at the Spanish DPA because the controller's registered office and main establishment was located in Spain. The Spanish DPA was, therefore, the lead supervisory authority and the Italian DPA was a concerned authority for the purposes of [[Article 60 GDPR]]. | On 19 February 2019, the data subject filed a complaint before the Italian DPA against the controller. On 19 October 2020, the data subject's complaint was forwarded and registered at the Spanish DPA because the controller's registered office and main establishment was located in Spain. The Spanish DPA was, therefore, the lead supervisory authority and the Italian DPA was a concerned authority for the purposes of [[Article 60 GDPR]]. |
Revision as of 17:47, 10 January 2023
AEPD - AEPD PS-00006-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 12 GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 19.02.2019 |
Decided: | |
Published: | 02.01.2023 |
Fine: | n/a |
Parties: | COOLTRA MOTOSHARING, S.L.U. |
National Case Number/Name: | AEPD PS-00006-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Teresa López |
In an Article 60 GDPR procedure, the Spanish DPA reprimanded a controller for the failure to meet a data deletion request under Article 17 GDPR in a timely manner despite six different attempts by the data subject.
English Summary
Facts
In the process of registering for an account through the controller's website, a motorcycle sharing company, the data subject was asked for further personal information besides that already provided (driver's license and credit card details), and thus decided to delete their account. Since neither the controller's website nor the app provided for an account cancellation option, the data subject requested the deletion of all their data and payment details at a generic email address of the company.
The data subject used the customer service chat, which confirmed that the deletion of their data had been carried out. To formally register their request, the data subject was asked to email another generic mailbox, which did not accept incoming mail. The data subject then addressed the request to the controller's email address provided in the privacy policy for the exercise of data subject rights, but received no reply either. Despite all this, the data subject subsequently received various commercial messages from the controller.
On 19 February 2019, the data subject filed a complaint before the Italian DPA against the controller. On 19 October 2020, the data subject's complaint was forwarded and registered at the Spanish DPA because the controller's registered office and main establishment was located in Spain. The Spanish DPA was, therefore, the lead supervisory authority and the Italian DPA was a concerned authority for the purposes of Article 60 GDPR.
Holding
The Spanish DPA noted that it was a cross-border matter as the controller provided services in multiple EU Member States. Since the controller's main establishment was located in Spain, the Spanish DPA was the lead supervisory authority under the one stop-shop mechanism in Article 56(1) GDPR, competent to handle the complaint.
The DPA held that the controller failed to delete the data subject's account in due time, in breach of Article 17 GDPR. Moreover, the controller failed to notify the data subject once their account was deleted, in violation of Article 12 GDPR.
The DPA considered that the infringement was minor under Article 83(2) GDPR given several circumstances. Namely, the controller had no previous history of non-compliance, there were temporary lay-offs due to Covid-19 pandemic, the data subject sent some requests to a wrong e-mail address, the erasure had been dealt with in March 2019 even though the data subject had not been duly notified and, as soon as the controller became aware of the complaint, it informed the data subject of the deletion and modified its protocols to avoid a repetition of an incident of this nature.
Therefore, the DPA issued a reprimand (Article 58(2)(b) GDPR) against the controller instead of a fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18 File No.: PS/00006/2022 IMI Reference: A56ID 157580- Case Register 354215 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated February 19, 2019 filed a claim with the Italian data protection authority. The The claim is directed against COOLTRA MOTOSHARING S.L.U., with NIF B65874877 (hereinafter, COOLTRA). The reasons on which the claim is based are the following: In the account registration process in the ECOOLTRA services available to Through its web portal, the company requested information from the complaining party after you have provided your driver's license and credit card details credit. At that time, the complaining party decided to cancel his account. since no way was offered to delete the profile either on the web or in the app, the part claimant contacted COOLTRA through the email address info@ecooltra.com and requested the deletion of all your data and payment details, stored in their systems. However, the company did not agree to respond to his request, and again requested the same additional information multiple times. The complaining party resorted to the "chat" with the Customer Service, and there they confirmed that the deletion of their data had been realized. To formally register your request, They urged us to send it to a mailbox, ciao@ecooltra.com, which turned out to not accept input emails. The complaining party addressed the address rgpd@ecooltra.com, indicated in the privacy policy for the exercise of rights of protection of data, but received no reply either. Instead, later they have arrived commercial messages from ECOOLTRA to your account. The temporary description of what happened provided by the complaining party indicates what Next: On October 18, 2018, COOLTRA registered the claimant's account, but requested additional information about his address and driver's license. That same day the complaining party requested by email - no offer no profile deletion function either on the website or through the app - to info@ecooltra.com to delete your profile along with all your data and details of payment stored on your website, without providing the additional information that they had requested. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/18 On October 20, 2018, COOLTRA requested, once again, the information before mentioned to finalize the record. On October 21, 2018, COOLTRA requested, once again, the information before mentioned to finalize the record. On October 22, 2018, the complaining party requested by email - there was no no profiling feature available either on the website or through the application - to info@ecooltra.com that your request be granted according to your email dated 18 October 2018. On October 28, 2018 COOLTRA requested, once again, the information before mentioned to finalize the record. On October 30, 2018, the complaining party requested by email - there was no no profiling feature available on the website or through the application - to info@ecooltra.com that your request be granted according to your emails emails of October 18 and 22, 2018. On October 30, 2018, the claimant contacted COOLTRA at through the chat available on their website, in which they assured him that all his data they had been erased. However, you were informed that your request for deletion it should also be sent to ciao@ecooltra.com to be safe. It seems that the emails sent to ciao@ecooltra.com are not delivered since that account is not enabled to receive emails. The part claimant wrote a message, once again, to info@ecooltra.com. On November 22, 2018, the claimant received notices sent by mail email from the COOLTRA website. On November 23, 2018, the claimant sent an email to rgpd@ecooltra.com - there is no delete profile feature available on the site web or through the application - requesting according to the 'Privacy Policy' on the site website that your profile is deleted along with all your data and payment details stored on the website. He also attached his identification. On December 24 and 31, 2018 and February 11 and 19, 2019, the claimant received more announcements sent by email from the COOLTRA website. Along with the claim, provide: - Copy of your ID - Copy of the COOLTRA privacy policy - Screenshot with the aforementioned exchange of emails between the party claimant and COOLTRA. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/18 SECOND: Through the "Internal Market Information System" (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the cross-border administrative cooperation, mutual assistance between States members and the exchange of information, as of October 19, 2020, transmitted the aforementioned claim and was given a date of entry registration at the Agency Spanish Data Protection Agency (AEPD) on October 22, 2020. The transfer of This claim to the AEPD is made in accordance with the provisions of article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Physical Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (in the hereinafter, GDPR), taking into account its cross-border nature and that this Agency is competent to act as main control authority, since COOLTRA has its registered office and unique establishment in Spain. The data processing that is carried out affects interested parties in various Member states. According to the information incorporated into the IMI System, of in accordance with the provisions of article 60 of the GDPR, acts as “control authority concerned” only the Italian data protection authority data. THIRD: On January 26, 2021, in accordance with article 64.3 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPDGDD), the claim was admitted for processing submitted by the complaining party. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in matter, by virtue of the functions assigned to the control authorities in the article 57.1 and of the powers granted in article 58.1 of the GDPR, and of in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: 1. Decision adopted regarding this claim Upon receiving this claim, the COOLTRA DPD has reviewed all the attached documentation, has contrasted it with the affected departments within the organization (specifically, Legal, Marketing, Costumer Service and HR), has checked the enclosed communications and has verified the operation of the response system to the exercise of rights of those affected. After collecting the information, a change in the protocol has been established. current and is that the email rgpd@ecooltra.com will be managed directly by the DPD, being until then initially managed by the Department of Customer Service. 2. Proof of the response provided to the request of the complaining party, regarding to the exercise of the rights regulated in articles 15 to 22 of the GDPR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/18 COOLTRA representatives have verified that no express response was given to the complaining party, beyond the indications of the Costumer department Service via chat dated October 30, 2018 that he should go to the mail ciao@ecooltra.com. As stated in the entity: The complaining party sent the first claims to the address info@ecooltra.com, not being the address indicated in the Privacy Policy (this was rgpd@ecooltra.com). Although unsubscriptions are also managed in this email, the The volume of communications is so high that it can happen that some of them are passed, for it is important that the exercise of rights be done through the established channels in the Privacy Policy that is accessible on the COOLTRA home page. Subsequently, via chat, he was told that he could request the cancellation without problems in the address ciao@ecooltra.com. However, the complaining party erred in enter the email, as it put ciao@ecooltra.it. Therefore, it was never received. The complainant's profile remained active, although it was pending verification. However, having accepted the sending of communications related to the service cio kept receiving them. In the communications an almost automatic link was provided to unsubscribe, but it was not used. Finally, the complaining party correctly sent the email to find out unsubscribed to rgpd@ecooltra.com on November 28, 2018, but was not attended in due to a specific error and because the company was in full implementation of new protocols. Subsequently, it was detected that this email had not been answered and the Department Marketing simply removed him from the system, without proceeding to give him a response. put. The withdrawal was made on March 1, 2019. On February 17, 2021, an email has been sent to the claiming party. keep informing of the cancellation of your data. 3. Report on the causes that have motivated the incidence that has originated the claim The claim filed by the claimant took place in the month of October of year 2018, year of implementation of the GDPR, and when the law was not yet in force Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights. The company was in a moment of full implementation of new processes, there were still many practical doubts about how the new regulations would operate and, although there was adequate external advice, COOLTRA still did not he had named no DPD, something he did the following year. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/18 As the first relevant fact, it should be noted that the emails dated 18, October 20 and 30, 2018 were all sent to info@ecooltra.com, and not by email that was already indicated at that time in the privacy policy, which is that of rgpd@ecooltra.com. (Previously there was also a policy stating the mail ciao@ecooltra.com). COOLTRA is a company that has more than 1,200,000 users, and despite the fact that From the email info@ecooltra.com, a response is always given to users who want to unsubscribe, it is not the channel indicated in the privacy policy to exercise the rights of interested persons, which specifically indicates the email rgpd@ecooltra.com since the exercises of user rights are channeled to through a priority channel, in order to guarantee that full compliance is given in time and form of each and every one of the requests and is answered, by protocol, in less than 24 hours, as well as forwarded, if necessary, to the Legal Department or DPD. When the complaining party contacted Costumer Care and after explaining the situation, he was instructed to send an email to ciao@ecooltra.com. This happened in full process of implementation of data protection measures, and that the workers had not yet received all the new organizational protocols and security, for this reason he was provided with the old email enabled to carry out the cancellations (ciao@ecooltra.com), which also worked, coexisting with the recently implemented rgpd@ecooltra.com until 2020. However, the claiming party made a mistake in the addressee and sent the email email to ciao@ecooltra.it (.it and not .com), and therefore the address came out as invalid. If you had sent the email to the correct address, the cancellation would have been done right the first time. In relation to the communications you received after requesting the withdrawal, the Representatives of the entity state the following: The claimant registered with a very particular service, the one that provided the Possibility of using company mopeds parked in your catchment area just by reserving them through the App for that purpose. By regulation, offering this service obliges to request specific personal information, which allows not not only verify the identity, but that the user has the corresponding permission to driving. That is why it is common for there to be users who have started to register, have accepted the terms and conditions, but are in a provisional situation because they have not sent all the documentation. The user, when requesting the service, can accept the remission of information from interest related to the service. In no case is indiscriminate "advertising" sent, if not important communications for the correct execution of the service or communications that contains objectively interesting information for the user (free kilometers, contamination levels, etc.). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/18 Especially at the beginning, when you have not yet submitted all the necessary information, Communications are sent to remind you that the system has not allowed you to validate your identity and suitability and that you are not yet an active user. In parallel, it send communications directly related to the service (not for the sale of alternative services of the company) or simply information of interest with the objective of informing and retaining the user. As the cancellation was not processed correctly and the service was subscribed to, he received some communications (those that appear in the file, all related to the service for which he registered), taking into account that he had accepted the same previously and in the emails I had the clear option in the footer of “unsubscribe”. COOLTRA acknowledges that a mistake was made, because Ms. A.A.A. states that, finally, he sent email correctly to rgpd@ecooltra.com and this was not answered within the 30-day period required by law. However, the cancellation was finally processed, specifically on March 1, 2019, the day the claimant was given deregistration as stated in the COOLTRA user management platform. This fact is that it was a specific error as has been verified by the company that you have reviewed all the communications received and how they have been managed. And the There are thousands of communications and all of them are recorded as having been managed correctly. During the first months of mandatory GDPR, two directions coexisted, the ciao@ and the rgpd@. The change was not immediate, and the first months the employees, accustomed, kept indicating the first. But this was not a problem, because it worked correctly. But in this case the complaining party made a mistake in the address of the ciao@ and the address rgpd@, in tests, it was not attended in time due to not being very clear about the receiver at that moment what should be done (almost everything was still received by ciao@). The reality is that, with the entry into force of Organic Law 3/2018, of 5 December, and in application of the organizational and technical measures that A clear action protocol was implemented, facilitated and improved in the event that Any user would like to exercise their rights of access, rectification, opposition, limitation and, where appropriate, portability or cancellation. This protocol was implemented throughout the Department of Costumer Service, and indicated that it was mandatory for any related application, regardless of the channel, outside in the rgpd@, in the info@, by phone or by chat. On the other hand, COOLTRA, to manage communications to its users, gave up registration in an external management platform, from which the user cancellation circuit became controlled by the marketing department, being the department of the Costumer Service, which is in charge of forwarding the unsubscription requests of the users to the marketing department. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/18 The entity considers that this system works perfectly since its implementation given that the volume of cancellations and requests that are managed is enormous, and in both years and two months of application has only failed in the case of the complaining party. 4. Report on the measures taken to prevent incidents from occurring similar, dates of implementation and controls carried out to verify their effectiveness COOLTRA has 1,200,000 users registered on its platform and the claim of the claiming party is the only claim that COOLTRA has had since it It started its activity in 2016. With such a high number of users, the volume of unsubscribe requests is very high: in 2018, 58,638 cancellations were processed, in 2019 66,313 cancellations and in the year 2020 43,781 user cancellations. All this without counting the automatic cancellations derived from the unsubscribe of the emails with information about the service. During the month of January 2021, only in the email enabled for such effect rgpd@cooltra.com 22 cancellations have been requested that have proceeded to be carried out in a maximum period of 24 hours. The Costumer Service team answers all the people who want to register unsubscribe from the system, whether they request it from the email rgpd@cooltra.com, as from the emails info@cooltra.com, hello@cooltra.com and ciao@cooltra.com (specifically for Italy) and inform the department of marketing so that the user unsubscribes from commercial communications. The user can also unsubscribe from communications through the link of the footer of their email. When requested through that channel, the process It's automatic. The entity considers that the protocols followed in COOLTRA and the measures organizational and technical procedures established as a result of the entry into force of the LOPDGDD are reliable since of 168,732 applications received since 2018, only one person has filed a claim with the Data Protection Agency and Said claim coincides with the months in which the company was implementing all the security mechanisms so that compliance with the GDPR and LOPDGDD were optimal. As a result of this problem, it has been decided that it is the DPD who directly receives the email rgpd@ecooltra.com, in order to filter those emails to which you should Pay special attention and avoid doubts to Costumer Service and Marketing or delays unnecessary in its management. 5. In relation to the transfer of the claim dated October 26, 2020 The representatives of the entity indicate that there are several circumstances that have matched: 1.- First of all, we must bear in mind that COOLTRA is a company that dedicated to renting motorcycles by the minute whose users are, in a proportion C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/18 quite important, coming from tourism, for this reason it is found in the main European capitals. Since the start of the SARS COVID 19 pandemic, COOLTRA has been seen seriously affected in its sales, and has had to make a plan of restructuring to adapt its workforce to the new world reality, resorting to ERTES for a very important part of its workforce. This has made many months of 2020 (and the ones we have been in 2021) the active personnel was seen, on occasions, assuming tasks that were not his own and assuming some responsibilities that They were not the usual ones, which undoubtedly entails malfunctions. Even so, the Costumer Service Dept. has always remained active and the staff has registration status almost completely, guaranteeing as always that the rights of the affected were safe. 2.- In addition, it was decided by business on the same date (October 2020) to unify all business lines under the same trade name "Cooltra", which includes both the services offered by COOLTRA and by other brands and business lines that the company has Therefore, the months from October to December 2020 were months of structural changes, and this added to the fact that part of the employees were in a situation of ERTE, partially collapsed certain Departments, especially the Legal Dept. 3.- Between October 23 and 24, the DPD for companies in the Group that had not yet registered it (previously, it was only registered in the company Parent, which is the manager of the others, considering that the rest had no obligation till the date). Precisely with dates October 26-27, 2020, the same date that was issued by the Agency the requirement not met, the DPO registrations of the rest of the group, state and European companies. The DPD warned the COOLTRA Legal Dept. that during the following days (between 26 and 29 October) would receive quite a few notifications from the AEPD, but they were DPD discharge confirmations and the DPD himself was also notified, so they would receive them and check that everything was correct. Who is in charge of receiving official notifications in the case of COOLTRA is ***COMPANY.1, consultancy that handles COOLTRA's tax issues, since the Most of the notifications received in this mailbox are from the AEAT. On October 26, 2020, COOLTRA's external advisory office downloaded and forwarded to the legal department 6 notifications in zip format from the AEPD, including found 5 DPD discharges of those carried out the previous days and the requirement that was not attended to and is now being answered. The legal department when opening a pair and seeing that it was the confirmations of discharge register that we had warned her about, she did not open any more, convinced that all they were the same since a total of 12 were expected, and therefore he did not realize that between C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/18 the same was the claim and request for information E / 08509/2020. for that reason the requirement went unnoticed and was not met. Upon receipt of an email sent dated February 2, 2021 by Don B.B.B., Data Inspector of the General Subdirectorate of Data Inspection of the Spanish Data Protection Agency, to the email address info@cooltra.com, Customer service proceeded to forward to the appropriate departments in less than an hour from receipt. This email was given the normal course, receiving the warning by the DPD for telephone by Mr. B.B.B. and proceeding to respond to the request in time and form. FIFTH: On January 10, 2022, the Director of the AEPD adopted a Proposal for a draft decision to initiate disciplinary proceedings. Following the process established in article 60 of the GDPR, on January 12, 2022 transmitted through the IMI system this proposal for a draft decision as informal consultation and concerned authorities were made aware that they had two weeks from that time for comment. SIXTH: On January 24, 2022, the Director of the AEPD adopted a project decision to initiate disciplinary proceedings. Following the established process in article 60 of the GDPR, that same day this draft decision and the authorities concerned were informed that they had four weeks from that time to raise pertinent objections and motivated. Within the term for this purpose, the control authorities concerned shall not presented pertinent and reasoned objections in this regard, for which reason it is considered that all authorities agree with said draft decision and are linked by it, in accordance with the provisions of section 6 of article 60 of the GDPR. This draft decision was notified to COOLTRA in accordance with the established rules in the LPACAP on February 4, 2022, as stated in the acknowledgment that work on file. SEVENTH: On July 20, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against COOLTRA in order to issue a warning, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of Article 12 of the GDPR, typified in Article 83.5 of the GDPR, in which it is indicated that you have a period of ten days to present allegations. This start-up agreement, which was notified to COOLTRA in accordance with the rules established in Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (LPACAP), was collected on July 21 of 2022, as stated in the acknowledgment of receipt that is in the file. EIGHTH: Notification of the aforementioned initiation agreement in accordance with the established regulations in the LPACAP and after the period granted for the formulation of allegations, the has verified that no claim has been received from COOLTRA. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/18 Article 64.2.f) of the LPACAP -provision of which COOLTRA was informed in the agreement to open the procedure - establishes that if no allegations are made within the period provided for the content of the initiation agreement, when it contains a precise pronouncement about the imputed responsibility, it may be considered a motion for a resolution. In the present case, the agreement to initiate the disciplinary file determined the facts in which the imputation, the infringement of the GDPR attributed to COOLTRA and the sanction that could impose. Therefore, taking into consideration that COOLTRA has not formulated allegations to the agreement to start the file and in attention to what is established in the Article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case proposed resolution. In view of all the proceedings, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts PROVEN FACTS FIRST: On February 18, 2018 at 6:27 p.m. an email was sent from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject (in Italian the original) "Confirm your email" with the following text (in Italian the original): “Welcome to eCooltra Press the button to confirm CONFIRM" SECOND: On October 18, 2018 at 6:27 p.m. an email was sent from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in Italian the original) “Deletion of the profile” in which you can read the following text (in Italian the original): “I request the deletion of my profile, of all the data and of the method payment registered on your site. Thank you, A.A.A. (…) THIRD: On October 18, 2018 at 6:37 p.m. an email was sent from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject (in Italian the original) "You are about to achieve freedom" and the message (in Italian the original): “Now it's our turn! We are validating your data so that you can access our website. eCooltra and make the planet more eco-sustainable. Can't wait and want to use the eCooltra today? Then get in Contact us and we will check your details together at this time. GET IN CONTACT WITH US" FOURTH: On October 18, 2018 at 7:06 p.m. an email was sent from the address registration@ecooltra.com to ***USER.1@gmail.com, with the subject “[Ticket#(…)] eCooltra” and the message (in Italian the original): Thank you for signing up! To activate your account, we need the following information: Complete address: street, no., city, postal code Front and back photo of the current license (from which the date is shown until it will be valid) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/18 Since the photos uploaded to the app get confused and can't be distinguished correctly the data according to the state, you can attach your driver's license. Tea We ask that you register on the page attached below and provide the certificate of your document, when you have the certificate we ask you to send it to email so you can activate your account. ***URL.1 For any clarification, please do not hesitate to contact us! Regards C.C.C.” FIFTH: On October 19, 2018 at 01:02 an email was sent from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in Italian the original) “Deletion of the profile” in which you can read the following text (in Italian the original): “I request the deletion of my profile, of all the data and of the method payment registered on your site. Thank you, A.A.A. (…)”. SIXTH: On October 21, 2018 at 00:07 an email was sent from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject (in Italian the original) "Complete your registration to start driving with us" in which can be read the following text (in Italian the original): "Hello! Before you start driving, you must complete your registration. we need some minutes of your time, so you can use eCooltra for the first time Please check the following steps: 1. You have confirmed your email 2. You have entered the photo of your license and tax code (health card). 3. You have entered your payment details COMPLETE REGISTRATION (…)” SEVENTH: On October 22, 2018 at 00:07 an email was sent from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject (in Italian the original) "A.A.A., there is little left" in which the following can be read text (in Italian the original): "Hello! You are not far from being part of eCooltra! Remember that we need some data so you can move around the city with our scooters. Please check the following steps: 1. You have confirmed your email 2. You have entered the photo of your license and tax code (health card). 3. You have entered your payment details COMPLETE REGISTRATION (…)” EIGHTH: On October 22, 2018 at 11:52 p.m. an email was sent from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in Italian the original) “Fwd: Deletion of the profile” in which you can read the following text (in Italian the original): “By continuing to receive emails, I request the what I asked for." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/18 NINTH: On October 29, 2018 at 00:08 an email was sent from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject (in Italian the original) “A.A.A., you are one step away from feeling the wind on your face” in which the following text can be read (in Italian the original): "Hello! More than 3,000 electric scooters await you to move around the city. Please check the following steps: 1. You have confirmed your email 2. You have entered the photo of your license and tax code (health card). 3. You have entered your payment details COMPLETE REGISTRATION (…)” TENTH: On October 30, 2018 at 3:23 p.m., the claiming party contacted contact with http://www.ecooltra.com/ through its chat, in which it indicates that asked several days ago about the cancellation of his profile by email, but to date it had not happened. And again ask for its cancellation. they tell him that he is requested but please send an email to ciao@ecooltra.com for there is evidence that you no longer want to use the account. ELEVENTH: On October 30, 2018 at 4:26 p.m. an email was sent email from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in Italian the original) “Fwd: Delete the profile” in which you can read the following text (in Italian the original): “I request again the deletion of my profile and all personal data, otherwise, since the site does not allow it, I will have to report it to the guarantor for privacy”. TWELFTH: On November 3, 2018 at 02:24 an email was sent email from mailer-daemon@googlemail.com to ***USER.1@gmail.com, with the subject (in English the original) "Notification of delivery status (Failure)”, with the following text (in Italian and English the original): “There was a problem during message delivery at ciao@ecooltra.it. See technical details below or try submitting new in a few minutes. MORE INFORMATION Response: The receiving server did not accept our connection requests. get more information at https://support.google.com/mail/answer/7720 [ecooltra.it 37.152.88.55:generic:failed_precondition:connect error (0): error]” THIRTEENTH: On November 5, 2018 at 09:36 an email was sent email from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in Italian the original) "Re: Deletion of the profile" in which you can read the following text (in Italian the original): “You asked me to write to ciao@ecooltra.it, but the mailbox does not accept emails. On Tuesday, Oct 30, 2018 at 4:26 p.m. A.A.A. wrote: [Cited text hidden]”. FOURTEENTH: On November 23, 2018 at 04:02 an email was sent email from the address ecooltra@email.ecooltra.com to ***USUARIO.1@gmail.com, with the subject (in Italian the original) “A.A.A., the Black Friday and we bring you a lot of discounts!”, with advertising by COOLTRA. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/18 FIFTEENTH: On November 23, 2018 at 6:05 p.m. an email was sent email from the address ***USUARIO.1@gmail.com to rgpd@ecooltra.com, with the subject (in Italian the original) “Fwd: Delete the profile” in which you can read the following text (in Italian the original): “I see that my demands have not yet been attended. I request the immediate deletion of all my data (including the credit card and driver's license information). I'm waiting confirmation. Otherwise, I will feel obliged to resort to the guarantor of the privacy. Best regards". SIXTEENTH: On November 23, 2018 at 6:09 p.m. an email was sent email from the address ***USUARIO.1@gmail.com to rgpd@ecooltra.com, with the subject (in Italian the original) "Re: Deletion of the profile" in which you can read the following text (in Italian the original): “I also attach my identity document, as indicated in its privacy policy. In which is attached a document with the name “<4- Carta di identita.pdf>”. SEVENTEENTH: On December 24, 2018 at 10:01 p.m. an email was sent email from the address ecooltra@email.ecooltra.com to ***USUARIO.1@gmail.com, with the subject (in Italian the original) “Happy green Christmas”, congratulating Christmas. EIGHTEENTH: On December 31, 2018 at 8:01 p.m. an email was sent email from the address ecooltra@email.ecooltra.com to ***USUARIO.1@gmail.com, with the subject (in Italian the original) “Good news to start 2019”, with advertising by COOLTRA. NINETEENTH: On February 12, 2019 at 02:00 an email was sent email from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject (in Italian the original) “AAA, win 1,000 free minutes”, with COOLTRA advertising. TWELFTH: On February 19, 2019 at 9:04 p.m. an email was sent from the address ***USER.1@gmail.com to rgpd@ecooltra.com, with the subject (in Italian the original) “Last hour: 45 min. at 9.99 EUR, buy the MiniPack here”, with COOLTRA advertising. FUNDAMENTALS OF LAW Yo Competition and applicable legislation In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/18 Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II previous questions In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is the processing of personal data, since COOLTRA performs the collection and conservation of, among others, the following personal data of natural persons: name and surname and email, among other treatments. COOLTRA carries out this activity in its capacity as data controller, given who is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR. In addition, it is a cross-border treatment, since COOLTRA is established in Spain, although it provides services to other countries of the European Union The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in its article 4.23), in relation to the competence of the authority of main control, that, without prejudice to the provisions of article 55, the authority of control of the main establishment or of the only establishment of the person in charge or of the The person in charge of the treatment will be competent to act as control authority for the cross-border processing carried out by said controller or commissioned in accordance with the procedure established in article 60. In the case examined, as has been exposed, COOLTRA has its unique establishment in Spain, so the Spanish Agency for Data Protection is competent to act as the main supervisory authority. For its part, the right to delete personal data is regulated in article 17 of the RGPD and the modalities of exercise of the rights of the interested parties are detailed in article 12 of the GDPR. II Right of erasure Article 17 “Right to erasure (“the right to be forgotten”)” of the GDPR establishes: "one. The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of personal data that concerns you, which will be obliged to delete without undue delay the personal data when any of the following circumstances: a) the personal data is no longer necessary in relation to the purposes for which those that were collected or otherwise treated; b) the interested party withdraws the consent on which the treatment of in accordance with Article 6(1)(a) or Article 9(2), letter a), and this is not based on another legal basis; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/18 c) the data subject opposes the processing in accordance with article 21, paragraph 1, and no other legitimate reasons for the treatment prevail, or the interested party object to the processing pursuant to Article 21(2); d) the personal data have been unlawfully processed; e) the personal data must be deleted for the fulfillment of a legal obligation established in the Law of the Union or of the States members that applies to the data controller; f) the personal data have been obtained in connection with the offer of services of the information society mentioned in article 8, paragraph 1. (…) 3. Sections 1 and 2 will not apply when the treatment is necessary: a) to exercise the right to freedom of expression and information; b) for compliance with a legal obligation that requires data processing imposed by the law of the Union or of the Member States that applies to the responsible for the treatment, or for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the person responsible; c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make it impossible or hinder seriously impair the achievement of the objectives of such treatment, or e) for the formulation, exercise or defense of claims.” In the present case, it is clear that the complaining party had requested COOLTRA the deletion of your personal data on numerous occasions. IV. Exercise of the rights of the interested party Article 12 "Transparency of information, communication and modalities of exercise of the rights of the interested party" of the GDPR establishes: "one. The person in charge of the treatment will take the appropriate measures to facilitate the interested all information indicated in articles 13 and 14, as well as any communication pursuant to articles 15 to 22 and 34 relating to processing, in the form concise, transparent, intelligible and easily accessible, with clear and simple language, in particular any information directed specifically to a child. Information shall be provided in writing or by other means, including, if applicable, by electronics. When requested by the interested party, the information may be provided verbally as long as the identity of the interested party is proven by other means. 2. The person responsible for the treatment will facilitate the exercise of their rights by the interested party. under articles 15 to 22. In the cases referred to in article 11, paragraph 2, the person in charge will not refuse to act at the request of the interested party in order to exercise your rights under articles 15 to 22, unless you can show that you do not is in a position to identify the interested party. 3. The person responsible for the treatment will provide the interested party with information regarding their proceedings on the basis of a request under articles 15 to 22, without undue delay and, in any case, within one month of receipt of the request. This period may be extended by another two months if necessary, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/18 taking into account the complexity and number of requests. The responsible will inform the interested party of any of said extensions within a period of one month from from receipt of the request, indicating the reasons for the delay. when the interested party submits the application by electronic means, the information will be provided by electronic means when possible, unless the interested party requests that it be facilitate otherwise. 4. If the person responsible for the treatment does not process the request of the interested party, he will will inform without delay, and no later than one month after receipt of the application, the reasons for not acting and the possibility of presenting a claim before a control authority and take legal action. (…)” In the present case, it is clear that the complaining party requested the deletion of his account and your personal data up to 6 times. The last one on the 23rd of November 2018. And just on February 17, 2021 COOLTRA has sent a email to the complaining party informing him of the cancellation of his data, after receiving a request for information from this Agency, together with the corresponding claim. However, it was not until March 1, 2019 that COOLTRA removed the personal data of the claimant from its systems. Therefore, according to the evidence available at this time resolution of the disciplinary procedure, it is considered that the known facts are constitutive of an infraction, attributable to COOLTRA, for violation of the Article 12 of the GDPR, in conjunction with Article 17 of the GDPR. V Classification of the infringement of article 12 of the GDPR The aforementioned infringement of article 12 of the GDPR supposes the commission of the infringements typified in article 83.5 of the GDPR that under the heading "General conditions for the imposition of administrative fines” provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: (…) b) the rights of the interested parties in accordance with articles 12 to 22; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that: "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. For the purposes of the limitation period, article 72 "Infractions considered very serious” of the LOPDGDD indicates: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/18 "one. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that a substantial violation of the articles mentioned therein and, in particular, the following: (…) k) The impediment or the obstruction or the repeated non-attention of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679. (…)”. SAW Penalty for violation of article 12 of the GDPR Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation provides in section 2.b) of article 58 "Powers" the following: "Each control authority will have all the following corrective powers indicated below: (…) b) send a warning to any person in charge or person in charge of the treatment when the processing operations have infringed the provisions of the this Regulation; (…)” For its part, recital 148 of the GDPR indicates: “In the event of a minor infraction, or if the fine likely to be imposed constitutes a disproportionate burden on a natural person, rather than sanction by means of a fine, a warning may be imposed. should however special attention should be paid to the nature, seriousness and duration of the infringement, to its intentional nature, to the measures taken to alleviate the damages suffered, to the degree of responsibility or any relevant prior infringement, to the manner in which that the supervisory authority has become aware of the infringement, to compliance of measures ordered against the person in charge or in charge, to adherence to codes of conduct and any other aggravating or mitigating circumstances.” According to the evidence available at the present time of disciplinary procedure resolution, it is considered that the offense in question is slight for the purposes of article 83.2 of the GDPR given that in the present case, taking into account that there is no record in this Agency of COOLTRA for not having duly attended to a right of deletion, to the circumstances so exceptional circumstances that were the cause of such request not having been duly attended, to the fact that the complaining party sent some of its requests to an address email that was not indicated in the privacy policy corresponding, to the fact that the deletion had been addressed in March 2019 although it did not had been duly communicated to the complaining party and that, as soon as it had knowledge of the claim, COOLTRA notified the claimant of the withdrawal and modified its protocols to prevent an incident of these characteristics from being repeat, it can be considered a reduction of guilt in the facts, so it is considers it in accordance with the law not to impose a sanction consisting of an administrative fine and replace it by directing a warning to COOLTRA. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/18 Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: ADDRESS COOLTRA MOTOSHARING S.L.U., with NIF B65874877, for an infringement of Article 12 of the GDPR, typified in Article 83.5 of the GDPR, a warning. SECOND: NOTIFY this resolution to COOLTRA MOTOSHARING S.L.U. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. In accordance with the provisions of article 60.7 of the GDPR, this information will be resolution, once it is final, to the control authorities concerned and to the Committee European Data Protection. Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month from count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. 938-181022 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es