AEPD (Spain) - EXP202308002: Difference between revisions
From GDPRhub
No edit summary |
No edit summary |
||
| Line 59: | Line 59: | ||
}} | }} | ||
The Spanish DPA fined a controller €500 for | The Spanish DPA fined a controller €500 for obstructing the DPA's investigation by not providing the required information. | ||
== English Summary == | == English Summary == | ||
Latest revision as of 14:03, 21 February 2024
| AEPD - EXP202308002 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 58(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | EXP202308002 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | EXP202308002 (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined a controller €500 for obstructing the DPA's investigation by not providing the required information.
English Summary
Factsc
A complaint was submitted to the Spanish DPA about an alleged infringement of the GDPR. This case was filed under the case name EXP202209784.
In relation to the case, the Spanish DPA submitted two requests for information to the controller with a ten day deadline for compliance attached to each request.
The first one was sent on 21.03.2023 and received no reply. The second one was sent on 12.05.2023 and the controller acknowledged receipt.
Nonethless, the controller never sent the Spanish DPA the relevant requested information and for this reason the DPA began seperate sanctioning proceedings against the controller for the infringement of Article 58(1) GDPR (EXP202308002).
Holding
The DPA fined the controller €500 for the infringement of Article 58(1) GDPR.
First, since the controller never cooperated with the DPA, the Spanish DPA considered the lack of information it received to breach Article 58(1) GDPR. It can be inferred that the controller breached Article 58(1)(a) GDPR specifically as it did not provide the information the DPA required to allow it perform its tasks as a regulator.
Second, under Article 83(1) GDPR the fine imposed must be individual, effective, proportionate and disuasive. When calculting the fine for this controller, the DPA took into account that there was no publicly available information about the company's financial revenue when deciding the appropriate amount of the fine and came to conclusion that €500 would suffice.
Third, the DPA used its powers under Article 58(1)(a) GDPR to order the controller to give to it within 10 working days (from the date of the decision) the relevant information it requires.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6
File No.: EXP202308002
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based
to the following
BACKGROUND
FIRST: As a consequence of a claim presented to the Spanish Agency
of Data Protection, showing signs of a possible breach of the
provided in Regulation (EU) 2016/679 (General Regulation for the Protection of
Data, hereinafter RGPD), actions were initiated with file number
EXP202209784. The claim was admitted for processing on October 28, 2022.
SECOND: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the investigative powers granted to the authorities of
control in article 57.1 of the RGPD, and in accordance with the provisions of Title
VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (LOPDGDD in what
successive).
Within the framework of the investigation actions, they were sent to UPMOBILE
SOLUTIONS, S.L., with NIF B02682276, two information requirements, related to
the claim outlined in the first section, so that within a period of ten days
competent, submit to this Agency the information and documentation contained therein.
he pointed out. The first of them was registered as leaving on March 21, 2023,
while the second was registered on May 12, 2023.
THIRD: The information requirements were notified in accordance with the regulations
established in Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP). The first of them
was sent by electronic notification and was not collected within the release period
provision, therefore understood to be rejected on April 1, 2023, while
that the second was collected by UPMOBILE SOLUTIONS, S.L. dated May 15
of 2023, as stated in the acknowledgments of receipt in the file.
FOURTH: Regarding the required information, UPMOBILE SOLUTIONS, S.L. has not
sent any response to this Spanish Data Protection Agency.
FIFTH: On June 22, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against UPMOBILE
SOLUTIONS, S.L., for the alleged violation of Article 58.1 of the RGPD, typified in
Article 83.5 of the GDPR.
The initiation agreement was notified to UPMOBILE SOLUTIONS, S.L., in accordance with the
standards established in the LPACAP, through an announcement published in the Bulletin
State Official dated July 5, 2023, after having been returned to origin by
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/6
postal notification of said initiation agreement is unknown, despite having been sent
to the tax address of UPMOBILE SOLUTIONS, S.L. provided by the State Agency of
Tax administration.
SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in
the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been
verified that no allegation has been received by UPMOBILE SOLUTIONS, S.L..
Article 64.2.f) of the LPACAP - provision of which UPMOBILE was informed
SOLUTIONS, S.L. in the agreement to open the procedure - establishes that if
make allegations within the stipulated period regarding the content of the initiation agreement,
when it contains a precise statement about the responsibility
imputed, may be considered a resolution proposal. In the present case, the
agreement to initiate the sanctioning file determined the facts in which
specified the imputation, the violation of the RGPD attributed to UPMOBILE SOLUTIONS,
S.L. and the sanction that could be imposed. Therefore, taking into consideration that
UPMOBILE SOLUTIONS, S.L. has not made allegations to the agreement to start the
file and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned
initiation agreement is considered in this case as a proposed resolution.
SEVENTH: According to the report collected from the AXESOR tool, the entity
UPMOBILE SOLUTIONS, S.L. is an SME (Microenterprise), established in the year
2020, for which there is no financial information available.
In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:
PROVEN FACTS
FIRST: The information requirements indicated in the background information second
and third, they were notified in accordance with the provisions of the LPACAP.
SECOND: UPMOBILE SOLUTIONS, S.L. has not responded to the requirements of
information carried out by this Agency within the framework of the actions of
investigation of file EXP202209784 within the deadlines granted for this purpose.
THIRD: The agreement to initiate this sanctioning procedure was notified
to UPMOBILE SOLUTIONS, S.L., in accordance with the provisions of article 44 of the
LPACAP, through an announcement published in the Official State Gazette dated
July 5, 2023.
FOURTH: UPMOBILE SOLUTIONS, S.L. has not presented allegations to the agreement
initiation of this sanctioning procedure.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/6
FOUNDATIONS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Unfulfilled obligation
In accordance with the evidence available, it is considered that
UPMOBILE SOLUTIONS, S.L. has not requested the Spanish Protection Agency
of Data the information you requested.
With the indicated conduct of UPMOBILE SOLUTIONS, S.L., the power to
investigation that article 58.1 of the RGPD confers on the supervisory authorities, in
In this case, the AEPD has been hindered.
Therefore, the facts described in the “Proven Facts” section are considered
constituting an infringement, attributable to UPMOBILE SOLUTIONS, S.L., for
violation of article 58.1 of the RGPD, which provides that each supervisory authority
will have, among its investigative powers:
“a) order the person responsible and the person in charge of the treatment and, where appropriate, the
representative of the person responsible or the person in charge, who provide any information
that is required for the performance of its functions; b) carry out research in
form of data protection audits; c) carry out a review of the
certifications issued under Article 42, paragraph 7; d) notify the
responsible or to the person in charge of the treatment of the alleged violations of this
Regulation; e) obtain from the person responsible and the person in charge of the treatment access to
all personal data and all information necessary for the exercise of its
functions; f) obtain access to all the premises of the person responsible and the person in charge of the
processing, including any equipment and means of data processing, of
in accordance with the procedural law of the Union or of the Member States.”
III
Classification and classification of the offense
In accordance with the evidence available, the facts presented are
They consider them to constitute an infringement, attributable to UPMOBILE SOLUTIONS, S.L..
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/6
This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “no
provide access in breach of Article 58(1).”
The same article establishes that this violation can be punished with a fine.
of twenty million euros (€20,000,000) maximum or, in the case of a
company, of an amount equivalent to four percent (4%) maximum of the
global total annual business volume of the previous financial year, opting for the
of greater amount.
For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as
The following behavior is very serious:
“ñ) Do not facilitate access by data protection authority personnel
competent to personal data, information, premises, equipment and means of
processing that is required by the data protection authority for the
exercise of its investigative powers.
o) Resistance or obstruction of the exercise of the inspection function by the authority
of competent data protection.”
IV
Imputed sanction
The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In
Consequently, the sanction to be imposed must be graduated according to the criteria
established in article 83.2 of the RGPD, and with the provisions of article 76 of the
LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD.
It can be seen that no mitigating or aggravating circumstance applies.
In light of the facts presented, it is considered that it is appropriate to impute a sanction to
UPMOBILE SOLUTIONS, S.L. for the violation of article 58.1 of the RGPD typified
in article 83.5 e) of the GDPR. The penalty to be imposed is a fine
administrative for an amount of 500.00 euros.
Therefore, in accordance with applicable legislation, the Director of the Agency
Spanish Data Protection RESOLVES:
FIRST: IMPOSE UPMOBILE SOLUTIONS, S.L., with NIF B02682276, for a
violation of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a
fine of 500.00 euros (FIVE HUNDRED euros).
SECOND: ORDER UPMOBILE SOLUTIONS, S.L.. that, in accordance with the
investigative power provided for in article 58.1.a) of the RGPD, is provided, in the
within ten business days, the information required in the requirements made
within the framework of the actions with file number EXP202209784 and to whom
Reference has been made in the background to this resolution.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/6
Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its article 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.
THIRD: NOTIFY this resolution to UPMOBILE SOLUTIONS, S.L..
FOURTH: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the
notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of the LPACAP, within the voluntary payment period established in art. 68 of the Regulations
General Collection, approved by Royal Decree 939/2005, of July 29, in
relationship with art. 62 of Law 58/2003, of December 17, through its entry,
indicating the NIF of the sanctioned person and the procedure number that appears in the
heading of this document, in the restricted account IBAN number: ES00-0000-
0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A..
Otherwise, it will be collected during the executive period.
Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/6
documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-250923
Sea Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
