AEPD (Spain) - EXP202308002
Latest revision as of 14:03, 21 February 2024
AEPD - EXP202308002 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | n/a |
Parties: | n/a |
National Case Number/Name: | EXP202308002 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | EXP202308002 (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined a controller €500 for obstructing the DPA's investigation by not providing the required information.
English Summary
Facts
A complaint was submitted to the Spanish DPA about an alleged infringement of the GDPR. This case was filed under the case name EXP202209784.
In relation to the case, the Spanish DPA submitted two requests for information to the controller, each with a ten-day deadline for compliance.
The first one was sent on 21.03.2023 and received no reply. The second one was sent on 12.05.2023 and the controller acknowledged receipt.
Nonetheless, the controller never sent the Spanish DPA the requested information, and for this reason the DPA began separate sanctioning proceedings against the controller for the infringement of Article 58(1) GDPR (EXP202308002).
Holding
The DPA fined the controller €500 for the infringement of Article 58(1) GDPR.
First, since the controller never cooperated with the DPA, the Spanish DPA considered the lack of information it received to breach Article 58(1) GDPR. It can be inferred that the controller breached Article 58(1)(a) GDPR specifically, as it did not provide the information the DPA required to allow it to perform its tasks as a regulator.
Second, under Article 83(1) GDPR the fine imposed must be individual, effective, proportionate and dissuasive. When calculating the fine for this controller, the DPA took into account that there was no publicly available information about the company's financial revenue and came to the conclusion that €500 would suffice.
Third, the DPA used its powers under Article 58(1)(a) GDPR to order the controller to provide the relevant information it requires within 10 working days (from the date of the decision).
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202308002
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based to the following
BACKGROUND
FIRST: As a consequence of a claim presented to the Spanish Agency of Data Protection, showing signs of a possible breach of the provided in Regulation (EU) 2016/679 (General Regulation for the Protection of Data, hereinafter RGPD), actions were initiated with file number EXP202209784. The claim was admitted for processing on October 28, 2022.
SECOND: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the investigative powers granted to the authorities of control in article 57.1 of the RGPD, and in accordance with the provisions of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of digital rights (LOPDGDD in what successive). Within the framework of the investigation actions, they were sent to UPMOBILE SOLUTIONS, S.L., with NIF B02682276, two information requirements, related to the claim outlined in the first section, so that within a period of ten days competent, submit to this Agency the information and documentation contained therein. he pointed out. The first of them was registered as leaving on March 21, 2023, while the second was registered on May 12, 2023.
THIRD: The information requirements were notified in accordance with the regulations established in Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP). The first of them was sent by electronic notification and was not collected within the release period provision, therefore understood to be rejected on April 1, 2023, while that the second was collected by UPMOBILE SOLUTIONS, S.L. dated May 15 of 2023, as stated in the acknowledgments of receipt in the file.
FOURTH: Regarding the required information, UPMOBILE SOLUTIONS, S.L. has not sent any response to this Spanish Data Protection Agency.
FIFTH: On June 22, 2023, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against UPMOBILE SOLUTIONS, S.L., for the alleged violation of Article 58.1 of the RGPD, typified in Article 83.5 of the GDPR. The initiation agreement was notified to UPMOBILE SOLUTIONS, S.L., in accordance with the standards established in the LPACAP, through an announcement published in the Bulletin State Official dated July 5, 2023, after having been returned to origin by postal notification of said initiation agreement is unknown, despite having been sent to the tax address of UPMOBILE SOLUTIONS, S.L. provided by the State Agency of Tax administration.
SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been verified that no allegation has been received by UPMOBILE SOLUTIONS, S.L.. Article 64.2.f) of the LPACAP - provision of which UPMOBILE was informed SOLUTIONS, S.L. in the agreement to open the procedure - establishes that if make allegations within the stipulated period regarding the content of the initiation agreement, when it contains a precise statement about the responsibility imputed, may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning file determined the facts in which specified the imputation, the violation of the RGPD attributed to UPMOBILE SOLUTIONS, S.L. and the sanction that could be imposed. Therefore, taking into consideration that UPMOBILE SOLUTIONS, S.L. has not made allegations to the agreement to start the file and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in this case as a proposed resolution.
SEVENTH: According to the report collected from the AXESOR tool, the entity UPMOBILE SOLUTIONS, S.L. is an SME (Microenterprise), established in the year 2020, for which there is no financial information available.
In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts:
PROVEN FACTS
FIRST: The information requirements indicated in the background information second and third, they were notified in accordance with the provisions of the LPACAP.
SECOND: UPMOBILE SOLUTIONS, S.L. has not responded to the requirements of information carried out by this Agency within the framework of the actions of investigation of file EXP202209784 within the deadlines granted for this purpose.
THIRD: The agreement to initiate this sanctioning procedure was notified to UPMOBILE SOLUTIONS, S.L., in accordance with the provisions of article 44 of the LPACAP, through an announcement published in the Official State Gazette dated July 5, 2023.
FOURTH: UPMOBILE SOLUTIONS, S.L. has not presented allegations to the agreement initiation of this sanctioning procedure.
FOUNDATIONS OF LAW
I Competence
In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, The Director of the Agency is competent to initiate and resolve this procedure. Spanish Data Protection.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures."
II Unfulfilled obligation
In accordance with the evidence available, it is considered that UPMOBILE SOLUTIONS, S.L. has not requested the Spanish Protection Agency of Data the information you requested. With the indicated conduct of UPMOBILE SOLUTIONS, S.L., the power to investigation that article 58.1 of the RGPD confers on the supervisory authorities, in In this case, the AEPD has been hindered.
Therefore, the facts described in the “Proven Facts” section are considered constituting an infringement, attributable to UPMOBILE SOLUTIONS, S.L., for violation of article 58.1 of the RGPD, which provides that each supervisory authority will have, among its investigative powers: “a) order the person responsible and the person in charge of the treatment and, where appropriate, the representative of the person responsible or the person in charge, who provide any information that is required for the performance of its functions; b) carry out research in form of data protection audits; c) carry out a review of the certifications issued under Article 42, paragraph 7; d) notify the responsible or to the person in charge of the treatment of the alleged violations of this Regulation; e) obtain from the person responsible and the person in charge of the treatment access to all personal data and all information necessary for the exercise of its functions; f) obtain access to all the premises of the person responsible and the person in charge of the processing, including any equipment and means of data processing, of in accordance with the procedural law of the Union or of the Member States.”
III Classification and classification of the offense
In accordance with the evidence available, the facts presented are They consider them to constitute an infringement, attributable to UPMOBILE SOLUTIONS, S.L..
This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “no provide access in breach of Article 58(1).”
The same article establishes that this violation can be punished with a fine. of twenty million euros (€20,000,000) maximum or, in the case of a company, of an amount equivalent to four percent (4%) maximum of the global total annual business volume of the previous financial year, opting for the of greater amount.
For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as The following behavior is very serious: “ñ) Do not facilitate access by data protection authority personnel competent to personal data, information, premises, equipment and means of processing that is required by the data protection authority for the exercise of its investigative powers. o) Resistance or obstruction of the exercise of the inspection function by the authority of competent data protection.”
IV Imputed sanction
The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In Consequently, the sanction to be imposed must be graduated according to the criteria established in article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. It can be seen that no mitigating or aggravating circumstance applies. In light of the facts presented, it is considered that it is appropriate to impute a sanction to UPMOBILE SOLUTIONS, S.L. for the violation of article 58.1 of the RGPD typified in article 83.5 e) of the GDPR.
The penalty to be imposed is a fine administrative for an amount of 500.00 euros.
Therefore, in accordance with applicable legislation, the Director of the Agency Spanish Data Protection RESOLVES:
FIRST: IMPOSE UPMOBILE SOLUTIONS, S.L., with NIF B02682276, for a violation of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 500.00 euros (FIVE HUNDRED euros).
SECOND: ORDER UPMOBILE SOLUTIONS, S.L.. that, in accordance with the investigative power provided for in article 58.1.a) of the RGPD, is provided, in the within ten business days, the information required in the requirements made within the framework of the actions with file number EXP202209784 and to whom Reference has been made in the background to this resolution.
Please note that failure to comply with the requirements of this organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its article 83.6, and such conduct may be motivated by opening of a subsequent administrative sanctioning procedure.
THIRD: NOTIFY this resolution to UPMOBILE SOLUTIONS, S.L..
FOURTH: This resolution will be enforceable once the deadline to file the optional resource for replacement (one month counting from the day following the notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once This resolution is executive, in accordance with the provisions of art. 98.1.b) of the LPACAP, within the voluntary payment period established in art. 68 of the Regulations General Collection, approved by Royal Decree 939/2005, of July 29, in relationship with art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected during the executive period.
Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension.
938-250923
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es