AEPD (Spain) - PS/00261/2021: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
mNo edit summary |
||
Line 61: | Line 61: | ||
}} | }} | ||
The AEPD fines a company ( | The AEPD fines a company (Vodafone's processor) €15,000 for unlawful data processing. Specifically, the company used the data of a Vodafone customer to register several telephone lines without that person's consent. | ||
== English Summary == | == English Summary == |
Latest revision as of 19:04, 16 May 2022
AEPD - PS/00261/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 29.04.2022 |
Fine: | 15,000 EUR |
Parties: | MEDEROS MOVITEN, S.L. |
National Case Number/Name: | PS/00261/2021 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | CSO |
The AEPD fines a company (Vodafone's processor) €15,000 for unlawful data processing. Specifically, the company used the data of a Vodafone customer to register several telephone lines without that person's consent.
English Summary
Facts
The complainant contracted a fibre optic internet service from Vodafone through portability. Although the service was provided by Vodafone, the contract was taken out through Mederos Moviten, S.L., which acted as data processor. The company collected the customer's data and processed the portability. In addition, it used the data to activate several telephone services that had not been contracted by the customer. As a result, Vofadone charged the customer for these services. The AEPD found that the additional contracts did not have the customer's signature.
Holding
The AEPD found that the entity complained of processed the complainant's data unlawfully, since it processed several contracts in her name without due consent. On the other hand, the AEPD points out that this irregular action by the entity was not requested by Vodafone, which acted as the controller party. In this respect, the AEPD points out that the mere fact of using the technical means of the controller does not exempt the data processor from liability. Therefore, the AEPD considers that the entity complained acted outside its obligations as processor and, furthermore, in breach of the GDPR, for which reason it must be held liable for the infringement.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 File No.: PS/00261/2021 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: D.A.A.A. (hereinafter, the claimant party) dated February 9, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against Mederos Moviten, S.L. with NIF B38490983 (in hereafter, the party claimed). The reasons on which the claim is based are that on October 14, 2020, he contracted through portability a package of fiber, landline and mobile, at the point of sale of the claimed party. On the other hand, they offered him a device called the Vodafone Kit V-Home, telling him it was free. Thus, in January 2021, the operator Vodafone charges the aforementioned Kit and put in contact with the operator, they show him that there were several contracts of financing of the aforementioned product, but they indicate that you must solve it at the point of sale where I carry out the portability and they send you by email a copy of the unsigned contracts. Well, these contracts are dated October 17 and 29, November 4 and November 22, December 2020, with the details of the claimant and account number bank, in which different services are contracted that the complaining party has not contracted or signed at any time. Also in one of the contracts appear the data of a person who knows nothing. The complaining party states that it has not made any financing, only the first portability contract, dated October 14, 2020, not having knowledge or having signed the aforementioned contracts, not acknowledging the signature that appears on the contract shown by the clerk in the point of sale and that you do not know have used your personal data to carry out new telephone registrations or Vodafone services, as well as that you have not given your consent to carry out these practices with your personal or banking data. And, provide the following documentation: - Complaint filed on February 1, 2021 at the Telde Police Station (Las Palmas). - Claim sheet dated January 28, 2021 stamped by the claimed entity and addressed to the OMIC of your municipality. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/12 SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. THIRD: On May 26, 2021, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim presented by the party claimant. FOURTH: On July 30, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (in hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD. FIFTH: Notification of the aforementioned start-up agreement, D. B.B.B., on behalf of of the trading company MEDEROS MOVITEN, S.L. requested an extension of the deadline copy of the file, being granted. On September 27, 2021, he filed a pleadings brief in which, in In short, it stated that the only contracts signed between the claimant and Vodafone Servicios S.L.U. (hereinafter Vodafone) with the intervention of the party claimed as an authorized distributor of the products and services it sells said telecommunications operator, are those granted on October 14, 2020 that they attach as documents numbers 3 and 4, so that those other contracts dated after those referred to in the initiation agreement, if actually exist, they will have been formalized through another distributor or through another marketing channel. On the other hand, the respondent proposes to practice, among others, the following evidence: require Vodafone to identify the author of the date contracts 10/17/2020, 10/29/2020, 12/22/2020 and 11/4/2020, and witness evidence to Mrs. C.C.C. and Mrs. D.D.D., employees of Mederos Moviten, S.L. SIXTH: On September 28, 2021, the instructor of the procedure agreed the opening of a period of practice of tests, considering incorporated the previous investigative actions, E/02266/2021, as well as the documents provided by the defendant. SEVENTH: On September 28, 2021, the instructor of the procedure PS/00261/2021, required Vodafone to provide a copy of the contracts signed by D. AAA, dated 10/17/2020, 10/29/2020, 11/4/2020 and 12/22/2020 and in turn required D. AAA, to provide the aforementioned contracts. On October 5, 2021, the requested party was sent the contracts provided by D. AAA, to this Agency, on the dates mentioned above. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/12 On October 18, 2021, Vodafone states that they are attached as document number 2, 3, 4 and 5 the contracts requested by the Agency and signed between the complaining party and Vodafone. Vodafone provides the report of the Vodafone Systems Department, in it, There is work order number 318089008 in relation to the contract 10/17/2020. Work order No. 320771220 in relation to the contract 10/29/2020 that is carried out by the distributor Mederos Moviten-Telde. Work Order No. 321768889 in relation to the contract 04/11/2020. Work Order No. 332358071 in relation to the contract 12/22/2020, this order is generated through the Mederos distributor. On the other hand, it states that as a consequence of this request, Vodafone contacted the distributor Mederos Moviten S.L., with which Vodafone has a signed contract (attach as document number 6 contract between the parties) and the distributor informed Vodafone that both the contract dated 12/22/2020, such as the contract dated 10/29/2020, they were managed at the dealer's store. EIGHTH: On October 27, 2021 D. B.B.B., on behalf of and on behalf of the mercantile company Mederos Moviten, S.L. filed an appeal against the test refusal agreement of procedure PS/00261/2021. NINTH: On November 24, 2021, the Director of the Spanish Agency of Data Protection agreed to dismiss the appeal filed by Mr. B.B.B., on behalf of and on behalf of the trading company Mederos Moviten, S.L. against him challenged act, dated September 28, 2021, issued in the present penalty procedure. TENTH: On January 10, 2022, the proposal for the resolution, proposing that the Director of the Spanish Agency for the Protection of Data is sanctioned to Mederos Moviten, S.L. with NIF B38490983, for an infringement of the Article 6.1 of the RGPD, typified in Article 83.5.a) of the RGPD, a fine of €15,000.00 (fifteen thousand euros). ELEVEN: On January 11, 2022, the respondent requested the remission of the copy of the actions referred to in the motion for a resolution, and on the 13th of the same month and year the documentation was sent. The party complained against presented arguments to the Resolution Proposal stating, what it deems appropriate in defense of its interests, in short, that they contribute as documents numbers 1 and 2 the testimonies of Doña C.C.C. and Mrs. D.D.D., employees of Mederos Moviten, S.L. On the other hand, it requests a review of the proven facts and states "that what performed by the distributor on October 29 and December 22, 2020 were work activation and adjustment in the price of the services contracted by the claimant on the day previous October 14, but the documents issued with those dates that Vodafone subsequently sent to the client were not generated by my client, who did not even have knowledge of its existence, but it was done automatically by the system computer of the operating entity. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/12 In the case at hand, the documents issued on October 17 and 29, 4 November and December 22, 2020 have been automatically generated by the Vodafone's computer system as a result of the activation and completion of various adjustments in the content of the products and services that were subject to the two contracts signed between said operating entity and the claimant dated 14 October 2020, with the mediation of my represented as authorized distributor of the products that it sells. Therefore, it is evident that the processing of the personal data of the claimant was necessary for the performance of those two contracts, first through the dump and activation of the contracted services in the computer system of the supplier, and later also to adjust the financing of the device of surveillance "VHOME" to the commercial offer made, all of which fits squarely in the assumption of lawful treatment contemplated by the supra-state precept of reference”. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS 1º- It is stated that the claimant on October 14, 2020 contracted through portability a package of fiber, landline and mobile, at the point of sale of the part claimed. 2º- It is verified that there are other four contracts in the name of the claimant of dates October 17 and 29, 2020; November 4 and December 22, 2020, with their data, in which the signature of the claimant does not appear. 3º- It is stated that, in January 2021, Vodafone charges the invoice to the claimant with increase of X.XX€ and that in said invoice appears in the section other payments the following description: “1 installment deferred payment. Earrings 23. Vodafone Kit V-Home, pending payments YY,YY euros financed.” 4º- Vodafone informs you that on December 22, 2020 it had contracted the Vodafone Kit V-Home device services. 5º- That from the customer service they send you a series of contracts of dates 10/17/2020; contract dated 10/29/2020 with an installment sale for an amount of RRR, RR euros to be paid in 24 months; contract day 11/4/2020 with two invoices for an amount of SSS,SS euros each. Also in one of the contracts appear the data of a third person who knows nothing and without signing, with your data and bank account number, in which different services are contracted that the claimant has not contracted or signed at any time. 6º- It is accredited in the contracts provided by Vodafone, entered into between the claimant and the claimed, in which the signature of the claimant does not appear. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/12 7º- It is stated in the report of the Vodafone Systems Department, which consists work order no. 318089008 in relation to the contract 10/17/2020. Order of work no. 320771220 in relation to the contract 10/29/2020 that is carried out by the distributor Mederos Moviten-Telde. Work Order No. 321768889 in relation to the contract 04/11/2020. Work Order No. 332358071 in relation to the contract 12/22/2020, this order is generated through the distributor Mederos. FOUNDATIONS OF LAW I In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47 and 48.1 of the Law Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” II The defendant is accused of committing an infraction for violation of the Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the assumptions in which the processing of third party data is considered lawful: "one. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of measures pre-contractual; (…)” The infringement is typified in Article 83.5 of the RGPD, which considers as such: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/12 a) The basic principles for the treatment, including the conditions for the consent under articles 5,6,7 and 9.” The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of the Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements considered very serious” provides: "one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned in it and, in particular, the following: (…) a) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679.” III Examining the documentation in the file, it is evident that the conduct allegedly infringing for which the claimed party is held responsible consisted, in which he processed the personal data of the complaining party without legitimacy for it. The personal data of the complaining party were incorporated into the company's information systems, without having accredited who had legitimacy for the collection and subsequent processing of their data personal. In the case examined, the regulations set forth and the statements carried out by the claimed party, it can be inferred that the latter acts as the person in charge of the Vodafone treatment. In article 4.8, the person in charge of the treatment is defined as the natural person or legal entity, public authority, service or other body that processes personal data for account of the data controller. All processing of personal data carried out by a person in charge must be governed by a contract or other legal act in accordance with the Law of the Union or of the States members concluded between the person in charge and the person in charge, as stipulated in the Article 28, paragraph 3, of the GDPR. In this regard, Guidelines 07/2020 on the concepts of "responsible for the treatment” and “processor” in the RGPD, adopted by the CEPD, on 7 July 2021, detail the following: “Although the elements provided for in Article 28 of the Regulation constitute its essential content, the contract must serve so that the person in charge and the person in charge clarify, by means of detailed instructions, how these will be applied in practice. fundamental elements. Therefore, the treatment contract should not be limited to reproduce the provisions of the RGPD, but must include more information specific and concrete on how the requirements will be met and the degree of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/12 security that will be required for the treatment of the personal data object of the treatment contract. Far from being a merely formal exercise, the negotiation and stipulation of the contract conditions serve to specify the details of the treatment." They add that “In general, the treatment contract establishes who is the party determining (the data controller) and who, the party that follows the instructions (the person in charge of the treatment). Now, “If one party decides in the practice how and why personal data is processed, that party will be the responsible for the treatment, even if the contract stipulates that it is the person in charge”. To determine the responsibility of the claimed party, it is necessary to take into account that if a data processor infringes the Regulation in determining the purposes and means of treatment, will be considered responsible for the treatment with respect to such treatment (article 28, paragraph 10, of the RGPD). On the "Ends and means" the aforementioned guidelines include the following considerations: “(…) Dictionaries define the word end as an "anticipated result that is pursued or that guides the intended action" and the word means as the "way in which achieves a result or achieves a goal" (…) Determining ends and means is equivalent to deciding, respectively, the why and how of treatment: in a specific treatment operation, the The data controller is the party that determines why the processing takes place. treatment (i.e. “for what purpose” or “what for”) and how this objective will be achieved (ie what means will be used to achieve it). A natural or legal person who influences in this way in the treatment of personal data participates, therefore, in the determination of the purposes and means of such treatment in accordance with the definition provided for in article 4, point 7, of the RGPD. The data controller must decide on both the purpose and the means treatment, as described below. Consequently, you cannot limit itself to determining the end: it must also make decisions about the means of the treatment. In contrast, the party acting as processor can never determine the end of treatment. In practice, if a data controller uses a manager to carry out the treatment on behalf of the former, the manager you will usually be able to make some of your own decisions about how to do it. The CEPD recognizes that the person in charge of the treatment may enjoy a certain margin of maneuver to make some treatment decisions. In this sense, it is necessary to clarify what degree of influence on the "why" and "how" entails that an entity is considered responsible for the treatment and to what extent can the person in charge of the treatment make their own decisions. (…)” In this case, taking into account the above, it can be concluded that the The mere fact of using technical means of the person in charge does not exempt from responsibility to the person in charge of the treatment, for the purposes of the provisions of article 28, paragraph 10, of the GDPR. In this case, the respondent party has not proven that it acted following the detailed instructions of the person in charge, so it can be considered that he has acted as controller of the treatment examined in this procedure, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/12 whenever you have decided for yourself to process the personal data of the party claimant in order to be registered in the services provided by that. It has also decided how to deal with them, determining the means organizational related, at least, with the legitimacy of said treatment, by not There must be proof that the contracting has been carried out following the instructions of the person in charge. Well, the respondent alleges that the claimant only formalized a contract of portability, dated October 14, 2020. However, there are four others without sign, dated October 17 and 29, 2020; November 4 and December 22 year 2020, with the details of the claimant and bank account number, in the which different services are contracted that the complaining party has not contracted or signed in no time. Likewise, in one of the contracts the data of a person who knows nothing. On the other hand, Vodafone in the response to this Agency dated October 18, 2021, states that he contacted the respondent and informed him that both the contract dated December 22, 2020, and the contract dated December 29, October 2020, they were managed in the store of the claimed party. sayings contracts have been provided by both Vodafone and the claimant. Without However, all the data of the claimant are recorded, but not their signature. In this sense, it is confirmed in the report of the Information Systems Department Vodafone, that the work order No. 320771220 in relation to the contract October 29, 2020 the performs the claimed part, and work order No. 332358071 in relation to the contract of December 22, 2020, this order is also generated through the part claimed. There is evidence that the portability contract was made in the physical store of the claimed party and that the other four contracts are unsigned. Thus, the alleged statements of Doña C.C.C. and Mrs. D.D.D., employees of Mederos Moviten, S.L., can clarify nothing in relation to these hiring and are not transcendent. In relation to the review of the proven facts, the allegations must be dismissed, meaning that the arguments presented do not distort the essential content of the sanction declared to have been committed, nor do they imply cause for sufficient justification or exoneration. In accordance with the available evidence, it is estimated that the conduct of the claimed party could violate article 6.1 of the RGPD and may be constituting the infringement typified in article 83.5.a) of the aforementioned Regulation 2016/679. In this sense, Recital 40 of the GDPR states: “(40) For the processing to be lawful, the personal data must be processed with the consent of the interested party or on some other legitimate basis established C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/12 in accordance with Law, either in these Regulations or by virtue of another Law of the Union or of the Member States referred to in this Regulation, including the need to comply with the legal obligation applicable to the person responsible for the treatment or the need to execute a contract in which the interested party is a party or in order to take measures at the request of the interested party prior to the conclusion of a contract.” IV The determination of the sanction to be imposed in this case requires observe the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, provide the following: "one. Each control authority will guarantee that the imposition of fines administrative actions under this article for violations of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” "two. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied in under articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/12 j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirect. directly, through the infraction.” Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions and corrective measures”: "one. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection officer. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679.” In accordance with the precepts transcribed, in order to set the amount of the sanction of fine to be imposed on the entity claimed as responsible for a typified infraction in article 83.5.a) of the RGPD, the following are considered concurrent in this case: following factors: As aggravating factors: - That the facts object of the claim are attributable to a lack of diligence of the claimed party (article 83.2.b, RGPD). In the present case there are four contracts in the name of the claimant dated October 17 and 29, 2020; 4 of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/12 November and December 22, 2020, with your data, in which the claimant's signature. The balance of the circumstances contemplated in article 83.2 of the RGPD, with Regarding the infraction committed by violating what is established in article 6, it allows establishing a fine of 15,000 euros (fifteen thousand euros), typified as "very serious", for of prescription thereof, in article 72.1.b) of the LOPDGDD. Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE MEDEROS MOVITEN, S.L., with NIF B38490983, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 15,000 euros (fifteen thousand euros). SECOND: NOTIFY this resolution to D. B.B.B., on behalf and representation of the trading company MEDEROS MOVITEN, S.L. THIRD: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/12 day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es