AEPD (Spain) - EXP202100639: Difference between revisions
No edit summary |
No edit summary |
||
Line 56: | Line 56: | ||
=== Facts === | === Facts === | ||
Spanish police notified the Spanish DPA (AEPD) that a private individual had placed security cameras facing public and private | The Spanish police notified the Spanish DPA (AEPD) that a private individual had placed security cameras facing public and private spaces in the surroundings of their property. The police report stated that they had warned the individual that the cameras should not be pointed in the direction of areas beyond their property, and that there was no sign posted with adequate information related to the functioning of these video cameras. | ||
Despite the police’s warnings, the individual refused to redirect the cameras, or to place the appropriate sign with information required under GDPR. The AEPD therefore initiated proceedings in order to investigate the issue, and bring the individual into compliance with their obligations related to the use of security cameras under GDPR. The individual did not submit any allegations or proof to contradict the police report, and also ignored the AEPD’s request for information related to their compliance with GDPR on this matter. | Despite the police’s warnings, the individual refused to redirect the cameras, or to place the appropriate sign with information required under GDPR. The AEPD therefore initiated proceedings in order to investigate the issue, and bring the individual into compliance with their obligations related to the use of security cameras under GDPR. The individual did not submit any allegations or proof to contradict the police report, and also ignored the AEPD’s request for information related to their compliance with GDPR on this matter. |
Revision as of 13:16, 13 April 2022
AEPD (Spain) - PS/00484/2021 - EXP202100639 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 13 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 15.07.2021 |
Decided: | |
Published: | 08.04.2022 |
Fine: | 1500 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00484/2021 - EXP202100639 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Cesar Manso-Sayao |
The Spanish DPA issued a €1500 fine against an individual for installing security cameras pointed towards the street and adjacent private areas without an adequate information sign, in violation of Articles 5(1)(c) and 13 GDPR.
English Summary
Facts
The Spanish police notified the Spanish DPA (AEPD) that a private individual had placed security cameras facing public and private spaces in the surroundings of their property. The police report stated that they had warned the individual that the cameras should not be pointed in the direction of areas beyond their property, and that there was no sign posted with adequate information related to the functioning of these video cameras.
Despite the police’s warnings, the individual refused to redirect the cameras, or to place the appropriate sign with information required under GDPR. The AEPD therefore initiated proceedings in order to investigate the issue, and bring the individual into compliance with their obligations related to the use of security cameras under GDPR. The individual did not submit any allegations or proof to contradict the police report, and also ignored the AEPD’s request for information related to their compliance with GDPR on this matter.
Holding
The AEPD held that according to Article 22 of the Spanish Data Protection Act (Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales – LOPDGDD), security cameras can be installed in order to preserve the safety of persons and property, as well as the security of premises, but that recording of public streets is only permitted to the extent that it is essential for these purposes. Additionally, the AEPD held that any recording of private premises cannot take place without consent.
Morever, the AEPD held that when installing video cameras, the information requirements under Articles 12 and 13 GDPR must be fulfilled by placing a sign in a sufficiently visible place which announces that the video processing of personal data is taking place, the identity of the data controller, and the possibility for data subjects to exercise the rights provided for in Articles 15 to 22 GDPR.
Since the individual did not submit any defense in order to justify why the cameras were pointed towards the street and adjacent private areas, the AEPD issued a fine of €1500 against the individual (€1000 for a violation of the data minimisation principle under Article 5(1)(c) GDPR, and €500 for a violation of the information requirements under Article 13 GDPR). Additionally, the AEPD ordered the individual to either take down the cameras, or to redirect them facing his property and place a sign containing the aforementioned information requirements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 File No.: EXP202100639 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: The CIVIL GUARD - POST OF ***LOCALITY.1 (hereinafter, the claimant party), dated 07/15/2021, sent the Notification Act of an alleged infringement of data protection regulations to the Spanish Protection Agency of data. The following is indicated in the letter of remission of the Minutes, in relation to the matter of Data Protection: “While the patrol was with the agents with the number of types ***NUMBER.1 and ***NUMBER.2, carrying out citizen security tasks in the locality of ***LOCATION.1, they observe the step located ***ADDRESS.1, of said locality, as in the facade of the building there are two cameras that are oriented towards the road traffic in both directions, focusing on road users and other private addresses, which should be asked to the owner of the house, this being A.A.A. (***NIF.1), the reason for which the cameras are placed, it states that it is because security. […] The agents report that there is also no visible sign informing the use of the video surveillance cameras. […] That the agents inform him that it is not the first time that he has been told to remove the cameras, ignoring them and stating that they are not going to be removed. […] SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the claimant was notified on 07/20/2021, so that he could inform to this Agency within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations. The notification is delivered on 08/02/20212, as stated in the Notice issued by Correos, but on the day As of today, this Agency has not received any reply. THIRD: On 09/29/2021, the Director of the Spanish Protection Agency Data agreed to admit the claim filed by the claimant for processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/11 FOURTH: On 12/09/2021, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of article 5.1.c) of the RGPD and article 13 of the RGPD, typified in Article 83.5 a) and b) of the GDPR. FIFTH: On 12/17/2021 the claimant is notified of the start agreement of this sanctioning procedure and a hearing period of TEN DAYS is granted SKILLFUL to formulate the allegations and present the evidence that it considers convenient, in accordance with the provisions of articles 73 and 76 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). SIXTH: After the term granted for the formulation of allegations to the agreement of the beginning of the procedure, it has been verified that no allegation has been received by the claimed party. Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP) -provision of which the party claimed was informed in the agreement to open the proceeding- establishes that if allegations are not made within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, may be considered a resolution proposal. In the present case, the agreement to initiate the disciplinary proceedings determined the facts in which the imputation was specified, the infraction of the RGPD attributed to the claimed and the sanction that could be imposed. Therefore, taking into account that the party complained against has made no objections to the agreement to initiate the file and In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement of beginning is considered in the present case resolution proposal. SEVENTH: The agreement to initiate the procedure agreed in the third point of the operative part “INCORPORATE to the disciplinary file, for the purposes of evidence, the claims submitted by claimants and the information and documentation obtained by the Subdirectorate General for Data Inspection in the phase of information prior to the agreement for admission to processing of the claim”. In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: ACTS FIRST: Installation of two video surveillance cameras on the facade of the building of your home located at ***ADDRESS.1, ***LOCATION.1, which could be capturing images of public roads in both directions and private areas. Nor does it have the proper information sign for the video-monitored area. SECOND: The person in charge of the devices is A.A.A., with NIF ***NIF.1. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/11 THIRD: The Spanish Data Protection Agency has notified the claimant of the agreement to open this sanctioning procedure, but has not presented allegations or evidence that contradicts the reported facts. FOUNDATIONS OF LAW I In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II The physical image of a person under article 4.1 of the RGPD is personal data and its protection, therefore, is the subject of said Regulation. Article 4.2 of the GDPR defines the concept of “treatment” of personal data. Article 22 of the LOPDGDD includes the specific rules for the treatment of data for video surveillance purposes and states the following: "one. Natural or legal persons, public or private, may carry out the treatment ment of images through camera systems or video cameras with the purpose to preserve the safety of people and property, as well as its facilities. 2. Images of public roads may only be captured to the extent that it is im- dispensable for the purpose mentioned in the previous section. However, it will be possible to capture public roads to a greater extent when necessary to guarantee the security of assets or strategic installations. services or infrastructures linked to transport, without in any case being able to put the capturing of images of the interior of a private home. 3. The data will be deleted within a maximum period of one month from its collection, except when they had to be kept to prove the commission of acts that attend to have against the integrity of people, goods or facilities. In this case, the images must be made available to the competent authority within a maximum period of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/11 seventy-two hours since the existence of the recording became known. tion. The blocking obligation provided for in art. article 32 of this organic law. 4. The duty of information provided for in article 12 of Regulation (EU) 2016/679 is understood to be fulfilled by placing an informative device in a sufficient place ciently visible identifying, at least, the existence of the treatment, the identity of the person in charge and the possibility of exercising the rights provided for in articles 15 to 22 of Regulation (EU) 2016/679. It may also be included in the device information I attach a connection code or internet address to this information. In any case, the person in charge of the treatment must keep available to the affected the information referred to in the aforementioned regulation. 5. Under article 2.2.c) of Regulation (EU) 2016/679, it is considered excluded of its scope of application the treatment by a natural person of images that are regretfully capture the interior of your own home. This exclusion does not cover processing carried out by a private security entity. given that she had been hired to guard a home and had access to the images. 6. The processing of personal data from the images and sounds obtained nests through the use of cameras and video cameras by the Forces and Corps Security and by the competent bodies for surveillance and control in the centers prisons and for the control, regulation, surveillance and discipline of traffic, will be governed by the legislation transposing Directive (EU) 2016/680, when the treatment for purposes of prevention, investigation, detection or prosecution of violations criminal offenses or the execution of criminal sanctions, including protection and prevention against threats to public safety. Apart from these assumptions, said treatment will be governed by its specific legislation and additionally by the Regulations to (EU) 2016/679 and this organic law. 7. What is regulated in this article is understood without prejudice to the provisions of the Law 5/2014, of April 4, on Private Security and its development provisions. 8. The treatment by the employer of data obtained through camera systems cameras or video cameras is subject to the provisions of article 89 of this organic law. III In accordance with the foregoing, the processing of images through a system of video surveillance, to be in accordance with current regulations, must comply with the following requirements: - Respect the principle of proportionality. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/11 - When the system is connected to an alarm center, you can only be installed by a private security company that meets the requirements contemplated in article 5 of Law 5/2014 on Private Security, of 4 april. - The video cameras will not be able to capture images of the people who are outside the private space where the security system is installed. video surveillance, since the processing of images in public places only can be carried out, unless there is government authorization, by the Security Forces and Bodies. They cannot be captured or recorded spaces owned by third parties without the consent of their owners, or, in their case, of the people who are in them. This rule admits some exceptions since, on some occasions, for the protection of private spaces, where cameras have been installed in facades or inside, it may be necessary to guarantee the purpose of security recording a portion of the public highway. That is, the cameras and video cameras installed for security purposes will not be able to obtain images of public roads unless it is essential for that purpose, or it is impossible to avoid due to their location and extraordinarily The minimum space for said purpose will also be collected. Therefore, the cameras could exceptionally capture the minimally necessary portion for its intended security purpose. - The duty to inform those affected provided for in articles 12 and 13 of the RGPD and 22.4 of the LOPDGDD. - The person in charge must keep a record of treatment activities carried out under their responsibility, including the information to which refers to article 30.1 of the RGPD. - The installed cameras cannot obtain images of private spaces. third party and/or public space without duly accredited justified cause, or may affect the privacy of passers-by who move freely through the zone. It is not allowed, therefore, the placement of cameras towards the private property of neighbors with the purpose of intimidating them or affecting their private sphere without just cause. - In no case will the use of surveillance practices be admitted beyond the environment object of the installations and in particular, not being able to affect the surrounding public spaces, adjoining buildings and vehicles other than those access the guarded space. In relation to the foregoing, to facilitate the consultation of interested parties, the Agency Spanish Data Protection offers through its website [https://www.aepd.es] access to data protection legislation including the RGPD and the LOPDGDD (section “Reports and resolutions” / “regulations”), to the Guide on the use of video cameras for security and other purposes and the Guide for compliance with the duty to inform (both available in the “Guides and tools” section). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/11 It is also of interest in the event that low-level data processing is carried out. risk, the free tool Facilita (in the “Guides and tools” section) that, through specific questions, it allows to assess the situation of the person in charge regarding the processing of personal data that it carries out and, where appropriate, generate various documents, informative and contractual clauses, as well as an annex with indicative security measures considered minimal. IV In the present case, the respondent has not presented arguments or evidence that contradict the facts denounced within the period given for it. In accordance with the evidence available and which has not been distorted during the sanctioning procedure, the defendant has installed two video surveillance cameras on the facade of the building where your home is located, located in ***ADDRESS.1, ***LOCATION.1, capturing images of both transit areas public and private. In addition, it lacks an information sign for a video-monitored area. Based on the foregoing, the facts entail a violation of the provisions of articles 5.1 c) and 13 of the RGPD, which supposes a commission of both infractions typified in article 83.5 of the RGPD, which provides the following: “The infractions of the following dispositions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to 4% of the turnover global annual total of the previous financial year, choosing the highest amount: a) The basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; b) The rights of the interested parties according to articles 12 to 22; (…) For the mere purposes of prescription, article 72.1 of the LOPDGDD qualifies as very serious: a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679; b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679; (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/11 h) The omission of the duty to inform the affected party about the processing of their data personal in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this Organic Law; v The corrective powers available to the Spanish Agency for the Protection of Data, as a control authority, is established in article 58.2 of the RGPD. Between they find the power to direct a warning (art. 58.2 b)), the power to impose an administrative fine in accordance with article 83 of the RGPD (art. 58.2 i)), or the power to order the person in charge or in charge of the treatment that the treatment operations comply with the provisions of the RGPD, where appropriate, in a certain way and within a specified period (art. 58.2 d)). According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. In this case, based on the facts set forth, it is considered that the sanction that should be imposed is an administrative fine for each of the offenses committed. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with article 83.1 of the RGPD. finally determining the administrative fine to be imposed, the provisions of the article 83.2 of the RGPD, which indicates: "two. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/11 g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement. For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, "Sanctions and corrective measures", provides: "one. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have included the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity f) Affectation of the rights of minors g) Have, when not mandatory, a data protection delegate. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/11 In accordance with the precepts transcribed, in order to set the amount of the sanction of fine to be imposed in the present case for the infractions typified in article 83.5 a) and b) of the RGPD, it is appropriate to grade them according to the following aggravating factors: - The nature of the offence. The claimed by having a system of video surveillance that is oriented to public roads and private areas without cause justified, as well as the absence of an informative poster, produces damages and damages to all affected stakeholders who do not know who is the responsible for the treatment and to whom they must be addressed in order to exercise the rights recognized in the RGPD (art. 83.2 a) RGPD). - The intention or negligence in the infringement. With the system video surveillance carries out excessive control of the area without any justified cause, highlighting the poor orientation of the device (art. 83.2 b) RGPD). - The degree of cooperation with this Agency in order to remedy the infringement. After having made a transfer to the claimed party for the purpose of being able to answer and, where appropriate, take measures to avoid the infringement, the AEPD has not received any response. No response has been received either. Once the opening agreement has been notified (art. 83.2 f) RGPD). - The way in which the control authority became aware of the infraction. The The way in which this Agency has become aware has been through the remission of the notification Act of the CIVIL GUARD - POSITION OF *** LOCATION.1 (art. 83.2 h) RGPD). - The continuing nature of the offence. The respondent had already received with Prior to the claim notices by the claimant so that adopt the necessary measures in order to comply with the regulations of personal data protection. However, the respondent continues without putting the informative poster and capturing images which supposes a treatment of data of identifiable natural persons (art. 76.2 a) LOPDGDD). The balance of the circumstances contemplated, with respect to the infractions committed by violating the provisions of articles 5.1 c) and 13 of the RGPD, allows setting a fine of 1,000 euros (one thousand euros) and 500 euros (five hundred euros), respectively. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE A.A.A., with NIF ***NIF.1, for an infraction of article 5.1.c) of the RGPD, typified in article 83.5 a) of the RGPD, a fine of €1,000 (one thousand euros). SECOND: IMPOSE A.A.A., with NIF ***NIF.1, for an infraction of article 13 of the RGPD, typified in article 83.5 b) of the RGPD, a fine of €500 (five hundred euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/11 THIRD: ORDER A.A.A., with NIF ***NIF.1 that, by virtue of article 58.2 d) of the RGPD, within ten business days, take the following measures: - Prove that you proceeded to remove the cameras from the current location, or to the reorientation of these towards their particular area. - Prove that you have proceeded to place the informative poster in the areas video-monitored (at least the existence of a treatment must be identified, the identity of the controller and the possibility of exercising the rights provided in said precepts), locating this device in a sufficiently visible. - Prove that you keep the information to which it refers available to those affected. refers to the aforementioned RGPD. FOURTH: NOTIFY this resolution to A.A.A., with NIF ***NIF.1. FIFTH: Warn the sanctioned party that he must enforce the sanctions imposed Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/11 Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. 938-190122 Sea Spain Marti Director of the Spanish Data Protection Agency 28001 – Madrid 6 sedeagpd.gob.es