AEPD (Spain) - PS/00261/2021: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
mNo edit summary
 
Line 61: Line 61:
}}
}}


The AEPD fines a company (in charge of Vodafone's processing) €15,000 for unlawful data processing. Specifically, the company used the data of a Vodafone customer to register several telephone lines without that person's consent.
The AEPD fines a company (Vodafone's processor) €15,000 for unlawful data processing. Specifically, the company used the data of a Vodafone customer to register several telephone lines without that person's consent.


== English Summary ==
== English Summary ==

Latest revision as of 19:04, 16 May 2022

AEPD - PS/00261/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 29.04.2022
Fine: 15,000 EUR
Parties: MEDEROS MOVITEN, S.L.
National Case Number/Name: PS/00261/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The AEPD fines a company (Vodafone's processor) €15,000 for unlawful data processing. Specifically, the company used the data of a Vodafone customer to register several telephone lines without that person's consent.

English Summary

Facts

The complainant contracted a fibre optic internet service from Vodafone through portability. Although the service was provided by Vodafone, the contract was taken out through Mederos Moviten, S.L., which acted as data processor. The company collected the customer's data and processed the portability. In addition, it used the data to activate several telephone services that had not been contracted by the customer. As a result, Vofadone charged the customer for these services. The AEPD found that the additional contracts did not have the customer's signature.

Holding

The AEPD found that the entity complained of processed the complainant's data unlawfully, since it processed several contracts in her name without due consent. On the other hand, the AEPD points out that this irregular action by the entity was not requested by Vodafone, which acted as the controller party. In this respect, the AEPD points out that the mere fact of using the technical means of the controller does not exempt the data processor from liability. Therefore, the AEPD considers that the entity complained acted outside its obligations as processor and, furthermore, in breach of the GDPR, for which reason it must be held liable for the infringement.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/12








     File No.: PS/00261/2021

                RESOLUTION OF PUNISHMENT PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                   BACKGROUND



FIRST: D.A.A.A. (hereinafter, the claimant party) dated February 9,
2021 filed a claim with the Spanish Data Protection Agency.

The claim is directed against Mederos Moviten, S.L. with NIF B38490983 (in

hereafter, the party claimed).

The reasons on which the claim is based are that on October 14, 2020, he contracted
through portability a package of fiber, landline and mobile, at the point of sale of
the claimed party.


On the other hand, they offered him a device called the Vodafone Kit V-Home,
telling him it was free.

Thus, in January 2021, the operator Vodafone charges the aforementioned Kit and
put in contact with the operator, they show him that there were several contracts of

financing of the aforementioned product, but they indicate that you must solve it at the point of
sale where I carry out the portability and they send you by email a copy of the
unsigned contracts.

Well, these contracts are dated October 17 and 29, November 4 and November 22,

December 2020, with the details of the claimant and account number
bank, in which different services are contracted that the complaining party has not
contracted or signed at any time. Also in one of the contracts
appear the data of a person who knows nothing.

The complaining party states that it has not made any financing, only the

first portability contract, dated October 14, 2020, not having
knowledge or having signed the aforementioned contracts, not
acknowledging the signature that appears on the contract shown by the clerk in the
point of sale and that you do not know have used your personal data to carry out
new telephone registrations or Vodafone services, as well as that you have not given your

consent to carry out these practices with your personal or banking data.

And, provide the following documentation:

- Complaint filed on February 1, 2021 at the Telde Police Station

(Las Palmas).
- Claim sheet dated January 28, 2021 stamped by the claimed entity and
addressed to the OMIC of your municipality.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/12








SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to

to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.

THIRD: On May 26, 2021, the Director of the Spanish Agency for
Data Protection agreed to admit for processing the claim presented by the party

claimant.

FOURTH: On July 30, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,

of the Common Administrative Procedure of the Public Administrations (in
hereinafter, LPACAP), for the alleged violation of Article 6.1 of the RGPD, typified in
Article 83.5 of the RGPD.

FIFTH: Notification of the aforementioned start-up agreement, D. B.B.B., on behalf of
of the trading company MEDEROS MOVITEN, S.L. requested an extension of the deadline

copy of the file, being granted.

On September 27, 2021, he filed a pleadings brief in which, in
In short, it stated that the only contracts signed between the claimant and
Vodafone Servicios S.L.U. (hereinafter Vodafone) with the intervention of the party

claimed as an authorized distributor of the products and services it sells
said telecommunications operator, are those granted on October 14,
2020 that they attach as documents numbers 3 and 4, so that those other
contracts dated after those referred to in the initiation agreement, if
actually exist, they will have been formalized through another distributor or through

another marketing channel.

On the other hand, the respondent proposes to practice, among others, the following
evidence: require Vodafone to identify the author of the date contracts
10/17/2020, 10/29/2020, 12/22/2020 and 11/4/2020, and witness evidence to Mrs. C.C.C.
and Mrs. D.D.D., employees of Mederos Moviten, S.L.


SIXTH: On September 28, 2021, the instructor of the procedure agreed
the opening of a period of practice of tests, considering incorporated the
previous investigative actions, E/02266/2021, as well as the documents
provided by the defendant.


SEVENTH: On September 28, 2021, the instructor of the procedure
PS/00261/2021, required Vodafone to provide a copy of the contracts signed by
D. AAA, dated 10/17/2020, 10/29/2020, 11/4/2020 and 12/22/2020 and in turn
required D. AAA, to provide the aforementioned contracts.


On October 5, 2021, the requested party was sent the contracts
provided by D. AAA, to this Agency, on the dates mentioned above.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/12








On October 18, 2021, Vodafone states that they are attached as
document number 2, 3, 4 and 5 the contracts requested by the Agency and signed between
the complaining party and Vodafone.


Vodafone provides the report of the Vodafone Systems Department, in it,
There is work order number 318089008 in relation to the contract 10/17/2020.
Work order No. 320771220 in relation to the contract 10/29/2020 that is carried out by the
distributor Mederos Moviten-Telde. Work Order No. 321768889 in relation to the
contract 04/11/2020. Work Order No. 332358071 in relation to the contract

12/22/2020, this order is generated through the Mederos distributor.

On the other hand, it states that as a consequence of this request, Vodafone
contacted the distributor Mederos Moviten S.L., with which Vodafone
has a signed contract (attach as document number 6 contract between the

parties) and the distributor informed Vodafone that both the contract dated 12/22/2020,
such as the contract dated 10/29/2020, they were managed at the dealer's store.

EIGHTH: On October 27, 2021 D. B.B.B., on behalf of and on behalf of the
mercantile company Mederos Moviten, S.L. filed an appeal against the
test refusal agreement of procedure PS/00261/2021.


NINTH: On November 24, 2021, the Director of the Spanish Agency
of Data Protection agreed to dismiss the appeal filed by Mr. B.B.B.,
on behalf of and on behalf of the trading company Mederos Moviten, S.L. against him
challenged act, dated September 28, 2021, issued in the present

penalty procedure.

TENTH: On January 10, 2022, the proposal for the
resolution, proposing that the Director of the Spanish Agency for the Protection of
Data is sanctioned to Mederos Moviten, S.L. with NIF B38490983, for an infringement of the

Article 6.1 of the RGPD, typified in Article 83.5.a) of the RGPD, a fine of
€15,000.00 (fifteen thousand euros).

ELEVEN: On January 11, 2022, the respondent requested the remission of the copy
of the actions referred to in the motion for a resolution, and on the 13th of the same
month and year the documentation was sent.


The party complained against presented arguments to the Resolution Proposal stating,
what it deems appropriate in defense of its interests, in short, that they contribute as
documents numbers 1 and 2 the testimonies of Doña C.C.C. and Mrs. D.D.D., employees
of Mederos Moviten, S.L.


On the other hand, it requests a review of the proven facts and states "that what
performed by the distributor on October 29 and December 22, 2020 were work
activation and adjustment in the price of the services contracted by the claimant on the day
previous October 14, but the documents issued with those dates that Vodafone

subsequently sent to the client were not generated by my client, who did not even have
knowledge of its existence, but it was done automatically by the system
computer of the operating entity.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/12








In the case at hand, the documents issued on October 17 and 29, 4
November and December 22, 2020 have been automatically generated by the
Vodafone's computer system as a result of the activation and completion

of various adjustments in the content of the products and services that were subject to
the two contracts signed between said operating entity and the claimant dated 14
October 2020, with the mediation of my represented as authorized distributor
of the products that it sells.

Therefore, it is evident that the processing of the personal data of the claimant

was necessary for the performance of those two contracts, first through the
dump and activation of the contracted services in the computer system of the
supplier, and later also to adjust the financing of the device of
surveillance "VHOME" to the commercial offer made, all of which fits squarely in the
assumption of lawful treatment contemplated by the supra-state precept of reference”.


Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:


                                PROVEN FACTS



1º- It is stated that the claimant on October 14, 2020 contracted through
portability a package of fiber, landline and mobile, at the point of sale of the part
claimed.


2º- It is verified that there are other four contracts in the name of the claimant of dates
October 17 and 29, 2020; November 4 and December 22, 2020, with their
data, in which the signature of the claimant does not appear.


3º- It is stated that, in January 2021, Vodafone charges the invoice to the claimant with
increase of X.XX€ and that in said invoice appears in the section other payments the
following description: “1 installment deferred payment. Earrings 23. Vodafone Kit V-Home,
pending payments YY,YY euros financed.”

4º- Vodafone informs you that on December 22, 2020 it had contracted the

Vodafone Kit V-Home device services.

5º- That from the customer service they send you a series of contracts of
dates 10/17/2020; contract dated 10/29/2020 with an installment sale for an amount
of RRR, RR euros to be paid in 24 months; contract day 11/4/2020 with two invoices for

an amount of SSS,SS euros each. Also in one of the contracts
appear the data of a third person who knows nothing and without signing, with
your data and bank account number, in which different services are contracted
that the claimant has not contracted or signed at any time.


6º- It is accredited in the contracts provided by Vodafone, entered into between the
claimant and the claimed, in which the signature of the claimant does not appear.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/12








7º- It is stated in the report of the Vodafone Systems Department, which consists
work order no. 318089008 in relation to the contract 10/17/2020. Order of
work no. 320771220 in relation to the contract 10/29/2020 that is carried out by the distributor

Mederos Moviten-Telde. Work Order No. 321768889 in relation to the contract
04/11/2020. Work Order No. 332358071 in relation to the contract 12/22/2020, this
order is generated through the distributor Mederos.


                            FOUNDATIONS OF LAW


                                            I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

control authority and as established in articles 47 and 48.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures

processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.”


                                           II

The defendant is accused of committing an infraction for violation of the
Article 6 of the RGPD, "Legality of the treatment", which indicates in its section 1 the
assumptions in which the processing of third party data is considered lawful:


       "one. The treatment will only be lawful if at least one of the following is met
terms:

      a) the interested party gave their consent for the processing of their data
      personal for one or more specific purposes;
      b) the treatment is necessary for the execution of a contract in which the

      interested party is a party or for the application at the request of the latter of measures
      pre-contractual;
      (…)”


 The infringement is typified in Article 83.5 of the RGPD, which considers as such:


"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for
the largest amount:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/12








      a) The basic principles for the treatment, including the conditions for the
      consent under articles 5,6,7 and 9.”


 The Organic Law 3/2018, on the Protection of Personal Data and Guarantee of the
Digital Rights (LOPDGDD) in its article 72, under the heading "Infringements
considered very serious” provides:


"one. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned in it and, in particular, the
following:


       (…)
       a) The processing of personal data without the concurrence of any of the
           conditions of legality of the treatment established in article 6 of the
           Regulation (EU) 2016/679.”


                                          III

Examining the documentation in the file, it is evident that the conduct
allegedly infringing for which the claimed party is held responsible consisted,
in which he processed the personal data of the complaining party without

legitimacy for it. The personal data of the complaining party were
incorporated into the company's information systems, without having accredited
who had legitimacy for the collection and subsequent processing of their data
personal.

In the case examined, the regulations set forth and the statements

carried out by the claimed party, it can be inferred that the latter acts as the person in charge of the
Vodafone treatment.

In article 4.8, the person in charge of the treatment is defined as the natural person or
legal entity, public authority, service or other body that processes personal data for

account of the data controller.

All processing of personal data carried out by a person in charge must be governed by a
contract or other legal act in accordance with the Law of the Union or of the States
members concluded between the person in charge and the person in charge, as stipulated in the

Article 28, paragraph 3, of the GDPR.

In this regard, Guidelines 07/2020 on the concepts of "responsible for the
treatment” and “processor” in the RGPD, adopted by the CEPD, on 7
July 2021, detail the following:


“Although the elements provided for in Article 28 of the Regulation constitute its
essential content, the contract must serve so that the person in charge and the person in charge
clarify, by means of detailed instructions, how these will be applied in practice.
fundamental elements. Therefore, the treatment contract should not be limited to
reproduce the provisions of the RGPD, but must include more information

specific and concrete on how the requirements will be met and the degree of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/12








security that will be required for the treatment of the personal data object of the
treatment contract. Far from being a merely formal exercise, the negotiation and
stipulation of the contract conditions serve to specify the details of the

treatment."

They add that “In general, the treatment contract establishes who is the party
determining (the data controller) and who, the party that follows the
instructions (the person in charge of the treatment). Now, “If one party decides in the
practice how and why personal data is processed, that party will be the

responsible for the treatment, even if the contract stipulates that it is the person in charge”.

To determine the responsibility of the claimed party, it is necessary to take into account
that if a data processor infringes the Regulation in determining the purposes and
means of treatment, will be considered responsible for the treatment with respect to

such treatment (article 28, paragraph 10, of the RGPD).

On the "Ends and means" the aforementioned guidelines include the following
considerations:
“(…)
Dictionaries define the word end as an "anticipated result that is pursued

or that guides the intended action" and the word means as the "way in which
achieves a result or achieves a goal"
(…)
Determining ends and means is equivalent to deciding, respectively, the
why and how of treatment: in a specific treatment operation, the

The data controller is the party that determines why the processing takes place.
treatment (i.e. “for what purpose” or “what for”) and how this objective will be achieved
(ie what means will be used to achieve it). A natural or legal person who
influences in this way in the treatment of personal data participates, therefore, in the
determination of the purposes and means of such treatment in accordance with the

definition provided for in article 4, point 7, of the RGPD.
The data controller must decide on both the purpose and the means
treatment, as described below. Consequently, you cannot
limit itself to determining the end: it must also make decisions about the means of the
treatment. In contrast, the party acting as processor can never determine
the end of treatment. In practice, if a data controller uses a

manager to carry out the treatment on behalf of the former, the manager
you will usually be able to make some of your own decisions about how to do it. The
CEPD recognizes that the person in charge of the treatment may enjoy a certain margin of
maneuver to make some treatment decisions. In this sense, it is
necessary to clarify what degree of influence on the "why" and "how" entails that

an entity is considered responsible for the treatment and to what extent can the
person in charge of the treatment make their own decisions.
(…)”
In this case, taking into account the above, it can be concluded that the
The mere fact of using technical means of the person in charge does not exempt from responsibility

to the person in charge of the treatment, for the purposes of the provisions of article 28, paragraph 10,
of the GDPR. In this case, the respondent party has not proven that it acted following
the detailed instructions of the person in charge, so it can be considered that he has
acted as controller of the treatment examined in this procedure,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 8/12








whenever you have decided for yourself to process the personal data of the party
claimant in order to be registered in the services provided by
that. It has also decided how to deal with them, determining the means

organizational related, at least, with the legitimacy of said treatment, by not
There must be proof that the contracting has been carried out following the instructions
of the person in charge.

Well, the respondent alleges that the claimant only formalized a contract of
portability, dated October 14, 2020. However, there are four others without

sign, dated October 17 and 29, 2020; November 4 and December 22
year 2020, with the details of the claimant and bank account number, in the
which different services are contracted that the complaining party has not contracted or
signed in no time. Likewise, in one of the contracts the data of
a person who knows nothing.


On the other hand, Vodafone in the response to this Agency dated October 18,
2021, states that he contacted the respondent and informed him that
both the contract dated December 22, 2020, and the contract dated December 29,
October 2020, they were managed in the store of the claimed party. sayings
contracts have been provided by both Vodafone and the claimant. Without

However, all the data of the claimant are recorded, but not their signature.

In this sense, it is confirmed in the report of the Information Systems Department
Vodafone,
that the work order No. 320771220 in relation to the contract October 29, 2020 the

performs the claimed part, and work order No. 332358071 in relation to the contract
of December 22, 2020, this order is also generated through the part
claimed.

There is evidence that the portability contract was made in the physical store of the

claimed party and that the other four contracts are unsigned.

Thus, the alleged statements of Doña C.C.C. and Mrs. D.D.D.,
employees of Mederos Moviten, S.L., can clarify nothing in relation to these
hiring and are not transcendent.


In relation to the review of the proven facts, the allegations must be
dismissed, meaning that the arguments presented do not distort the
essential content of the sanction declared to have been committed, nor do they imply cause for
sufficient justification or exoneration.


In accordance with the available evidence, it is estimated that the conduct
of the claimed party could violate article 6.1 of the RGPD and may be
constituting the infringement typified in article 83.5.a) of the aforementioned Regulation
2016/679.


In this sense, Recital 40 of the GDPR states:

      “(40) For the processing to be lawful, the personal data must be processed
with the consent of the interested party or on some other legitimate basis established

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 9/12








 in accordance with Law, either in these Regulations or by virtue of another Law
 of the Union or of the Member States referred to in this Regulation,
 including the need to comply with the legal obligation applicable to the person responsible for the

 treatment or the need to execute a contract in which the interested party is a party or
 in order to take measures at the request of the interested party prior to the
 conclusion of a contract.”
                                              IV

 The determination of the sanction to be imposed in this case requires

 observe the provisions of articles 83.1 and 2 of the RGPD, precepts that,
 respectively, provide the following:

     "one. Each control authority will guarantee that the imposition of fines
 administrative actions under this article for violations of this

 Regulation indicated in sections 4, 9 and 6 are in each individual case
 effective, proportionate and dissuasive.”

    "two. Administrative fines will be imposed, depending on the circumstances of
 each individual case, in addition to or as a substitute for the measures contemplated in the
 Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

 administration and its amount in each individual case will be duly taken into account:

 a) the nature, seriousness and duration of the offence, taking into account the
 nature, scope or purpose of the processing operation in question, as well
 such as the number of interested parties affected and the level of damages that
 have suffered;

 b) intentionality or negligence in the infringement;


 c) any measure taken by the controller or processor to
    alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment,
    taking into account the technical or organizational measures that they have applied in

    under articles 25 and 32;

 e) any previous infringement committed by the person in charge or the person in charge of the treatment;

 f) the degree of cooperation with the supervisory authority in order to remedy the
    infringement and mitigate the possible adverse effects of the infringement;


 g) the categories of personal data affected by the infringement;

 h) the way in which the supervisory authority became aware of the infringement, in
    particular if the person in charge or the person in charge notified the infringement and, in such case, in
    what measure;


 i) when the measures indicated in article 58, section 2, have been ordered
  previously against the person in charge or the person in charge in question in relation to the
  same matter, compliance with said measures;


 C/ Jorge Juan, 6 www.aepd.es
 28001 – Madrid sedeagpd.gob.es, 10/12








j) adherence to codes of conduct under article 40 or mechanisms of
  certification approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,

   such as financial benefits obtained or losses avoided, direct or indirect.
   directly, through the infraction.”

  Within this section, the LOPDGDD contemplates in its article 76, entitled
“Sanctions and corrective measures”:


  "one. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

  2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679

may also be taken into account:

  a) The continuing nature of the offence.

  b) The link between the activity of the offender and the performance of treatment of
personal information.


  c) The profits obtained as a result of committing the offence.

  d) The possibility that the conduct of the affected party could have induced the
commission of the offence.

  e) The existence of a merger by absorption process subsequent to the commission of the

infringement, which cannot be attributed to the absorbing entity.

  f) Affectation of the rights of minors.

  g) Have, when not mandatory, a data protection officer.


  h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are disputes between them and any interested party.

  3. It will be possible, complementary or alternatively, the adoption, when appropriate,
of the remaining corrective measures referred to in article 83.2 of the

Regulation (EU) 2016/679.”

In accordance with the precepts transcribed, in order to set the amount of the sanction of
fine to be imposed on the entity claimed as responsible for a typified infraction
in article 83.5.a) of the RGPD, the following are considered concurrent in this case:
following factors:


As aggravating factors:
- That the facts object of the claim are attributable to a lack of

diligence of the claimed party (article 83.2.b, RGPD). In the present case there are
four contracts in the name of the claimant dated October 17 and 29, 2020; 4 of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 11/12








November and December 22, 2020, with your data, in which the
claimant's signature.


The balance of the circumstances contemplated in article 83.2 of the RGPD, with
Regarding the infraction committed by violating what is established in article 6, it allows establishing
a fine of 15,000 euros (fifteen thousand euros), typified as "very serious", for
of prescription thereof, in article 72.1.b) of the LOPDGDD.
       
Therefore, in accordance with the applicable legislation and having assessed the criteria for

graduation of the sanctions whose existence has been proven, the Director of the
Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE MEDEROS MOVITEN, S.L., with NIF B38490983, for a
violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine

of 15,000 euros (fifteen thousand euros).

SECOND: NOTIFY this resolution to D. B.B.B., on behalf and
representation of the trading company MEDEROS MOVITEN, S.L.

THIRD: Warn the sanctioned party that he must make the imposed sanction effective once

Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,

of December 17, through its entry, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.


Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 12/12









day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through

Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-

administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.


Sea Spain Marti
Director of the Spanish Data Protection Agency









































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es