AEPD (Spain) - PS-00563-2022: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00563-2022 |ECLI= |Original_Source_Name_1=AEDP |Original_Source_Link_1=https://www.aepd.es/en |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code_2= |Type=Investigation...")
 
No edit summary
Line 11: Line 11:


|Original_Source_Name_1=AEDP
|Original_Source_Name_1=AEDP
|Original_Source_Link_1=https://www.aepd.es/en
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00563-2022.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Language__Code_1=ES

Revision as of 15:03, 9 January 2024

AEPD - PS-00563-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(2) GDPR
Article 13 GDPR
Article 58(2)(d) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Article 83(5)(b) GDPR
Recital 60 Regulation 2016/679
Type: Investigation
Outcome: Violation Found
Started: 30.06.2020
Decided: 28.06.2023
Published:
Fine: 2,000 EUR
Parties: GAVANOVA DE IMMOBLES, S.L.
A.A.A.
National Case Number/Name: PS-00563-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEDP (in ES)
Initial Contributor: Konrad Kontriner

After a complaint sent by A.A.A. (data subject), the Spanish DPA found that the real estate agency / company Gavanova de immobles, S.L. (controller) infringed and thereby violated Article 13 GDPR.

English Summary

Facts

The data subject (A.A.A.) is a former customer (tenant) of the controller (Gavanova de immobles, S.L.).

On 29 July 2020 the data subject signed the reservation document for the property, then on 4 September 2020 the lease agreement / contract was signed. After approximately two years the lease was terminated on 31 January 2022.

On 30 June 2022 the Spanish Data Protection Agency (AEPD) received a complaint from the data subject stating, that they didn’t feel that their data was protected enough. In addition, the complaint concerned their data being part of a deal between the controller and a cleaning company. It is important to mention, that the data subject did not know anything about this deal. Lastly when the data subject went on the real estate´s website, the Privacy Policy page was blank. The data subject also found out that the contract and lease resolution made between the two parties, contained data protection law which was not up to date with the current law.

Following the complaint lodged by the data subject, the Spanish DPA accessed the website of the controller on 27 July 2022 and confirmed that the Privacy Policy section was in fact blank. As a result, the complaint was transferred to the controller. The reason for that step was, that the controller could proceed with the analysis and inform the DPA within one month of actions carried out to adapt to the requirements set out in the data protection regulations. This was carried out in accordance with Spanish Public Administration Law (Common Administrative Procedure for Public Administrations) by electronic means. However, the controller did not take up the required steps and it was understood to have been rejected by them. Nevertheless, a copy was sent via post which was notified on 31 August 2022. In this notification, the controller was reminded to interact electronically and that from now on they would be notified exclusively by electronic means. The controller did not reply.

On 20 September 2022 the complaint was admitted for processing

Shortly after, the Spanish DPA accessed the website again to check if any changes have been made. The DPA proved that the Private Policy page was last updated on 29 September 2022.

As a result, the director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the controller for the infringement of Article 13 GDPR as defined in Article 83 (5) (b) of the GDPR. This initiation agreement was notified and delivered to the controller on 16 December 2022.

The controller responded with a written statement in due time and form on the 21 December 2022. - The controller mentioned that the data subject had authorized them to process their data including the possible transfer to other companies (in this case the cleaning company). - The data subjects agreed with the landlady a cleaning of the flat which would be deducted from their deposit. - The controller requested the proceedings to be filed.

The controller made allegations against the decision to initiate the sanctioning procedure. - The controller mentioned that the complainant authorized them and that there is no significant proof of any exchange of data between the controller and the cleaning company. - In addition, the controller information given to the complainant was only out of date and since then has been updated the Privacy Policy and Legal Notice have been modified. - The controller even invoked the mitigating factor that they complied with the DPA and with the procedure. They contacted a consultancy firm to advise them on compliance with the rules. - No benefits have been claimed from the commission of the offence and no rights of minors have been harmed.

On the 31 January 2023 the DPA agreed to open a period of evidence. The complaint by the data subject and the controller´s allegations to the initiation agreement and the accompanying documentation were already incorporated. The controller was required to provide a copy of the new contract they make with tenants, landlords and third-party companies. Subsequently on 13 February 2023 the controller replied by sending the requested documents called “Lease contract” and “Termination of contract” with an annex “Information on Personal Data Protection”.

Holding

As a response to the allegations made by the controller, the DPA pointed out that the cooperation has been considered, when setting the fine imposed according to Article 83 (2) GDPR. However, the DPA also stressed, the principle of proactive accountability according to Article 5 (2) GDPR.

Relating to the measures adopted the DPA said that the website lacked the following mandatory sections: purpose, legitimisation, or period of conservation of personal data.

In addition, the DPA wanted to point out that the adoption of the measures by the controller did not remedy the infringement of Article 13 GDPR. After all, the controller did not comply with their obligation to correctly inform the data subject, prior to the initiation of the sanctioning procedure.

The claims of the controller were dismissed by the DPA. In addition, the processing of data had to be according to Article 5 GDPR and Recital 60.

Regarding the Privacy Policy however, it was clear that it didn’t inform users of all the points listed in Article 13 GDPR.

Due to the known facts the DPA attributed the infringement to the controller for violation of Article 13 GDPR.

After balancing the circumstances, the DPA has concluded that a fine of €2,000 be set for the infringement of Article 13 GDPR as defined in Article 83 (5) GDPR. Pursuant to Article 58 (2) (d) GDPR the Spanish DPA ordered the controller to accredit that it has completed the information contained in the section Privacy Policy on their website within ten working days of being notified.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

The campaign, launched by the Spanish Data Protection Authority and the Spanish Association of Pediatrics, promotes the digital health of minors through the awareness of their parents, reducing the risks posed at a physical, mental and social level by intensive and uncontrolled use of digital screens.