AEPD (Spain) - PS/00239/2022
Revision as of 11:07, 21 March 2023
AEPD - ps-00239-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 15 GDPR Article 17 GDPR Article 56(1) GDPR Article 60 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 31.03.2020 |
Decided: | 28.02.2023 |
Published: | |
Fine: | 15,000 EUR |
Parties: | Norconsulting |
National Case Number/Name: | ps-00239-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mapez |
The Spanish DPA imposed fines of €10,000 and €5,000 on a controller for only partially responding to, and several times ignoring, a data subject’s requests, in violation of Article 15 and Article 17 GDPR.
English Summary
Facts
On 15 January 2020, Norconsulting (the controller), a human resources company established in Spain with contractual relations with various ad platforms such as LinkedIn, Infojobs or Xing, sent an email to A.A.A., a data subject established in Germany (the data subject). The purpose of this email was to advertise targeted job offers to the data subject.
On the same day, the data subject wrote back to the controller and requested: (i) access to the information under Article 15(1); (ii) deletion of the data (Article 17); (iii) communication to the recipients of these data (Article 19); and (iv) deletion of these data from the sites where they have been published (Article 17(2)).
On 4 February 2020, the controller responded to the data subject, explaining that it had obtained the data subject’s contact through ad platforms to which the data subject was, or had been, registered. The controller stated that it would delete the data subject’s email from its files.
The data subject contacted the controller by email on 4 February, 15 March and 31 March 2020, stating that the response was unlawful under GDPR rules. On 31 March 2020, the data subject filed a complaint with the German DPA of Berlin on the matter.
In accordance with Article 56(1) GDPR and in application of the procedural rules applicable to cross-border cases, the German DPA of Berlin transferred the case to the Spanish DPA for it to act as lead supervisory authority.
In the course of the proceedings, the controller claimed that it had obtained the data subject’s email address from contractual partners with which the data subject had agreed to share their data. The controller stated that it deleted the data subject’s email address after their request. Furthermore, the controller claimed it had not received any other email from the data subject following its response on 4 February 2020.
Holding
The Spanish DPA underlined that the focus of the legal proceedings was the exercise of the right of access and the right of erasure of the data subject, rather than the lawfulness of the processing carried out by the controller.
Right of access
The Spanish DPA found that the controller processed at least the data subject’s name, surname, e-mail address, professional profile and preferences in terms of job offers. The Spanish DPA held that the controller responded to the data subject’s first email in a generic manner, stating where the data came from, and did not answer any of the further emails of the data subject. Thus, the Spanish DPA found that the controller did not respond adequately to the data subject’s request, in violation of Article 15 GDPR.
The Spanish DPA considered the negligence of the controller to be an aggravating factor, as it did not respond to at least two further requests by the data subject. Furthermore, the Spanish DPA took into account the fact that the controller’s main activity was to process personal data. The Spanish DPA considered as a mitigating factor the fact that the controller responded to the data subject, although not in an adequate manner. Thus, the Spanish DPA imposed a fine of €10,000 and an order to comply within 30 days.
Right of erasure
The Spanish DPA held that the controller had deleted the data subject’s email, but did not mention anything regarding the remaining personal data. Thus, the Spanish DPA concluded that the controller did not respond adequately to the data subject’s request, in violation of Article 17 GDPR.
The Spanish DPA considered the absence of response to the data subject’s request as an aggravating factor. Furthermore, the Spanish DPA took into account the fact that the controller’s main activity was to process personal data. The Spanish DPA considered as a mitigating factor the fact that the controller deleted the data subject’s email address. Thus, it imposed a fine of €5,000 and an order to comply within 30 days.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00239/2022 IMI Reference: A61VMN 183387- A60DD 404884 - Case Register 180472 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on the following: BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) filed a claim, dated 31 March 2020, before the German data protection authority in Berlin. The claim is directed against GRUPO NORCONSULTING, S.L. with NIF B15987100 (hereinafter, NORCONSULTING). The reasons on which the claim is based are the following: The complaining party states that they have requested the exercise of the right of access to their personal data to NORCONSULTING, as well as the subsequent elimination of these. NORCONSULTING replied that their data was obtained from employment social networks and told him that his email was going to be deleted so that he would not receive more emails. To this, the complaining party responded indicating that they had not yet responded to their request of the right of access. SECOND: Through the "Internal Market Information System" (hereinafter IMI System), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote the cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, the aforementioned claim was transmitted on 11/27/2022 and gave the date of registration of entry into the Spanish Agency for Data Protection (AEPD) on day 12/1/2022.
The transfer of this claim to the AEPD is carried out in accordance with the established in article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Physical Persons with regard to to the Processing of Personal Data and the Free Circulation of these Data (hereinafter, GDPR), taking into account its cross-border nature and that this Agency is competent to act as the main control authority, since NORCONSULTING is based company and unique establishment in Spain. The data processing that is carried out affects interested parties in several States members. According to the information incorporated into the IMI System, in accordance with the established in article 60 of the GDPR, acts as a "control authority interested party", in addition to the data protection authority of Berlin (Germany), the authorities from Norway, Poland, Estonia, Sweden, France, Italy, Lower Saxony (Germany), Bavaria- Private Sector (Germany), Finland and Denmark. All of them under article 4.22.b) of the GDPR, given that the interested parties residing in the territory of these authorities of control are substantially affected or are likely to be substantially affected affected by the treatment object of this procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 2/20 THIRD: On March 2, 2021, the Berlin authority shared via IMI the original claim and its translation together with the following documentation provided by the complaining party: Copy of email sent to mail@***USUARIO.1 (hereinafter, the email of the complaining party) by ***USER.2@norconsulting.de dated January 15, 2020. The content of this email are job offers. Copy of email sent from the email of the complaining party to ***USER.2@norconsulting.de and to dpo@gnorcom.com dated January 15, 2020. 
In In this email, the claimant requests access to the information in article 15.1 of the General Data Protection Regulation (hereinafter, GDPR), and also requests the deletion of your data according to article 17 of the GDPR, and the communication to the recipients of this data (according to article 19 of the GDPR) and the deletion of this data on the sites where that have been published (according to article 17.2 of the GDPR). Copy of email sent by ***USER.3@gnorconsulting.com to email from the complaining party dated February 4, 2020. This email indicates to the complaining party that the data is obtained from employment social networks (Infojobs, LinkedIn, Xing…) and that they are going to eliminate the email of the complaining party so that they do not receive more offers. Copy of email response to the previous email sent from the email from the complaining party to ***USER.3@gnorconsulting.com dated February 4, 2020 indicating that this is not a valid response to respond to your access request according to the GDPR. Copy of email sent from the email of the complaining party to ***USER.3@gnorconsulting.com, ***USER.4@norconsulting.de and dpo@gnorcom.com dated March 15, 2020. In this email, the complaining party returns to demand a response to your request. Copy of email sent by the complaining party to the email ***USER.5@datenschutz-berlin.de dated March 31, 2020 requesting that a case is opened because you have not yet received a response to your exercise of the right of access, in addition to reporting that cookies are installed on the Norconsulting website without ask the user. FOURTH: On June 9, 2021, in accordance with article 64.3 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of the digital rights (hereinafter, LOPDGDD), the claim filed was admitted for processing by the complaining party. 
FIFTH: The General Sub-directorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, in by virtue of the functions assigned to the control authorities in article 57.1 and of the powers granted in article 58.1 of the GDPR, and in accordance with the provisions of the Title VII, Chapter I, Second Section, of the LOPDGDD, being aware of the following extremes: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 3/20 In response to a request from this Agency, on September 14, 2021, NORCONSULTING presents, among other things, the following information: 1. Indication that they are not aware of having received any response from the complaining party to the email sent by NORCONSULTING on February 4, 2020 in which it was given response to your request for access and deletion. 2. Copy of email sent by ***USER.3@gnorconsulting.com to the email of the complaining party dated February 4, 2020, with the following content: “Good Morning A.A.A.: We are a human resources company and work with various ad platforms (Linkedin, Infojobs, Experteer, Xing, etc.). Your contact has been obtained through these means, in which you have surely registered and / or are registered. But, as you have no interest in receiving job offers from us, we will proceed to delete your email from our automated files for which this company is responsible. If at any other time you wish to receive offers again, do not hesitate to contact us.” SIGNIFICANT EVIDENCE FOR THE GRADUATION OF THE SANCTION Linking the activity of NORCONSULTING with the performance of treatment of personal data: The development of the business activity carried out by the entity requires continuous processing of personal data. Total annual global business volume: According to the query made in the Monitoriza de Axesor (https://monitoriza.axesor.es/) on May 6, 2022, the sales of the GROUP NORCONSULTING SL were 5,201,368 euros and had 17 employees. 
Recidivism for commission of infractions of the same nature as the facts in issue: There is no evidence that proceedings have been resolved for violations of NORCONSULTING in the last year. SIXTH: On 06/1/2022, the Director of the AEPD adopted a draft decision of initiation of disciplinary proceedings. Following the process established in article 60 of the GDPR, on 06/09/2022 this draft decision was transmitted through the IMI system and they were informed the concerned authorities that they had four weeks from that moment to formulate pertinent and reasoned objections. Within the term for this purpose, the control authorities concerned did not present pertinent and reasoned objections to the in this regard, so it is considered that all the authorities agree with said draft decision and are bound by it, in accordance with the provisions of the paragraph 6 of article 60 of the GDPR. This draft decision was notified to NORCONSULTING in accordance with the rules established in the LPACAP on day 06/1/2022, as stated in the acknowledgment of receipt that is in the file. SEVENTH: On 06/30/2022, NORCONSULTING submitted a written statement of allegations to the draft decision. EIGHTH: On 07/15/2022, the Director of the Spanish Agency for the Protection of Datos agreed to initiate disciplinary proceedings against NORCONSULTING in order to impose a fine of 10,000 and 5,000 euros, in accordance with the provisions of articles 63 and 64 of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 4/20 LPACAP, for the alleged violation of Article 15 of the GDPR, typified in Article 83.5 of the GDPR, as well as for the alleged infringement of Article 17 of the GDPR, typified in the Article 83.5 of the GDPR, respectively, in which it was indicated that it had a period of ten days to present allegations. 
This startup agreement, which was notified to NORCONSULTING in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), was collected on 07/21/2022, as stated in the acknowledgment of receipt in the file. NINTH: Notified the aforementioned start agreement in accordance with the rules established in the LPACAP and after the period granted for the formulation of allegations, it has been verified that no claim has been received from NORCONSULTING. In the resolution proposal, the allegations presented to the draft resolution were taken into account. decision in which NORCONSULTING, in summary, stated that: “FIRST.- First of all, we must make it clear regarding the facts that are included in the Draft Decision to Initiate Sanctioning Procedure, which effectively on January 15, 2020, Mr. A.A.A. contacted the Company, regarding a job offer sent by GRUPO NORCONSULTING S.L. to cover job vacancies in different German cities, in which GRUPO NORCONSULTING S.L. has clients who require their services to provide candidates for job offers. In the case of Mr. A.A.A., the contact details are obtained by GRUPO NORCONSULTING S.L., of the companies with which it maintains a contractual relationship, Linkedin, Xing, Infojobs, Experteer and on the basis of which you allow access to the data, which logically they should have been transferred by Mr. A.A.A. to the indicated platforms. After the communication sent by Mr. A.A.A., from GRUPO NORCONSULTING S.L. HE has sent you an email dated February 4, 2020, which indicates: “Good Morning A.A.A.: We are a human resources company and work with various ad platforms (Linkedin, Infojobs, Experteer, Xing, etc.). Your contact has been obtained through these means, in which you have surely registered and/or are registered. 
But, as you have no interest in receiving job offers from us, we will proceed to delete your email from our automated files for which this company is responsible. If at any other time you wish to receive offers again, do not hesitate to contact us. Best regards" That is, Mr. A.A.A. is informed that the data was obtained through the mentioned platforms, and that, if you are not interested in receiving job offers from our entity, your data would be deleted. In the account of facts it is mentioned that the claimant responded to the email dated 4 February 2020, however, GRUPO NORCONSULTING S.L. the answer to which the resolution refers. We understand that at this point, GURPO NORCONSULTING S.L. has fulfilled his obligations regarding the data protection regulations, since it obtains the contact C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 5/20 of the complaining party by contract with respect to a platform or company that has ceded the data of Mr. A.A.A. for questions of job offers. SECOND.- Likewise, the account of the facts states that Mr. A.A.A. contact the German control office because no response has been given to your exercise of the right of access and denouncing that the web of my represented cookies are installed without asking. In relation to the use of cookies, there is record processed number 05473/2021, and that it was resolved by agreeing to file the file (we attach a copy of the Resolution by from the agency). Finally, note that the complaining party has not communicated in any other occasion, with our represented." 
TENTH: On 08/29/2022, the investigating body of the procedure agreed to open of a period of practice of tests, taking as incorporated the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection Services, the Report of previous Inspection actions that are part of the file, as well as the allegations to the draft decision presented by NORCONSULTING and the documentation that accompanies them. That same day, this Agency sent the test practice agreement to NORCONSULTING, granting a period of 10 business days to: - Make documentary evidence regarding the deletion of personal data, by the that GRUPO NORCONSULTING, S.L. certify the complete deletion of the personal data of the complaining party and the date on which it was made, according to the request made by the complaining party by email on 01/15/2020. On 09/13/2022, NORCONSULTING submitted a response letter to this Agency, in which he stated that: “FIRST.- First of all, we must point out that on the date of the events that are the object of the file processed by the Data Protection Agency, GRUPO NORCONSULTING S.L. worked with software provided by the Company ***COMPANY.1, which in the COVID pandemic period, it was replaced by software (...), so our represented cannot access the information of said period. In any case, we must show that our client never had the data of the complaining party, but simply that contact was made through the platform or social network for professionals LINKTEAM, in which Mr. A.A.A., voluntarily for possible job offers, a point that we already exposed in our brief of previous allegations, indicating that GRUPO NORCONSULTING S.L., to through the companies with which it maintains a contractual relationship, Linkedin, Xing, Infojobs, Experteer, to which Mr. A.A.A. had to give up his data, he obtained the contact to submit a job offer. The date on which Mr. 
A.A.A.'s data was deleted, appears in the email from February 4, 2020, already referenced previously, in which it is indicated, that since it is not interested in receiving job offers, we proceed to delete your email from our databases. “Good Morning A.A.A.: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 6/20 We are a human resources company and work with various ad platforms (Linkedin, Infojobs, Experteer, Xing, etc.). Your contact has been obtained through these means, in which you have surely registered and/or are registered. But, as you have no interest in receiving job offers from us, we will proceed to delete your email from our automated files for which this company is responsible. If at any other time you wish to receive offers again, do not hesitate to contact us. Best regards". ELEVENTH: On 09/27/2022, the investigating body of the disciplinary procedure formulated a resolution proposal, in which it proposes that the Director of the AEPD penalize GRUPO NORCONSULTING, S.L., with NIF B15987100, for a violation of the article 15 of the GDPR, typified in article 83.5 of the GDPR, with a fine of €10,000 (ten thousand euros), and for a violation of article 17 of the GDPR, typified in article 83.5 of the GDPR, with a fine of €5,000 (five thousand euros). This proposed resolution, which was notified to NORCONSULTING in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), was collected on 10/3/2022, as stated in the acknowledgment of receipt in the file. TWELFTH: On 10/18/2022, this Agency receives, in due time and form, written of NORCONSULTING in which it alleges allegations to the motion for a resolution in which, In summary, he stated that: “FIRST.- First of all, we want to consider the allegations made by this part throughout the entire procedure processed by this Administration. 
SECOND.- Secondly, we want to point out that in the Proposed Resolution it is indicates that GRUPO NORCONSULTING S.L. only proceeded to delete the email claimant's email, however, we must state that my represented once sent the email of February 2020, proceeded to delete any data related to the claimant, since no interest has for my represented the Saving of data of a person who requests its deletion. In any case, and as claimed, the contact details are obtained from GRUPO NORCONSULTING S.L., in a legitimate way, through dedicated platforms to the contact of professionals. On the other hand, we must point out that subsequent emails, and those that there is no record of this part, they were sent coinciding with the period in which the Government of Spain decreed the State of Alarm by COVID and in which the Company undertook ERTES in which the workforce was temporarily unemployed, which must be taken into account with respect to the special business situation. SECOND.- Likewise, we cannot fail to mention that in the actions of GRUPO NORCONSULTING S.L. there is no intentionality that deserves a reproach sanctioning, since once it has had proof of the claim, it has proceeded with the deletion of data, as it did with the claim for the use of cookies. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 7/20 There is no information on the claimant in the Company's files, except for those generated by this file.” Of the actions carried out in this procedure and of the documentation in hand In the file, the following have been accredited: PROVEN FACTS FIRST: On January 15, 2020, an email was sent to mail@***USER.1 (hereinafter, the email of the complaining party) by ***USER.2@norconsulting.de. The content of this email were offers from job. SECOND: On January 15, 2020, from the email of the complaining party, a email to ***USER.2@norconsulting.de and to dpo@gnorcom.com. 
In this mail, the complaining party requests access to the information of article 15.1 GDPR, and also requests the deletion of your data according to article 17 of the GDPR, and the communication to the recipients of these data (according to article 19 of the GDPR) and the deletion of these data on the sites where they have been published (according to article 17.2 of the GDPR). THIRD: On February 4, 2020, an email is sent by ***USUARIO.3@gnorconsulting.com to the email of the complaining party, with the following Content: “Good Morning A.A.A.: We are a human resources company and work with various ad platforms (Linkedin, Infojobs, Experteer, Xing, etc.). Your contact has been obtained through these means, in which you have surely registered and / or are registered. But, as you have no interest in receiving job offers from us, we will proceed to delete your email from our automated files for which this company is responsible. If at any other time you wish to receive offers again, do not hesitate to contact us.” FOURTH: In response to the email referred to in the previous section, dated April 4, February 2020 an email is sent from the email of the complaining party to ***USUARIO.3@gnorconsulting.com having a copy to the following emails: ***USER.4@norconsulting.de and dpo@gnorcom.com, indicating that this is not a valid response to respond to your access request, according to the GDPR. FIFTH: On March 15, 2020, an email from the complaining party is sent a email to ***USER.3@gnorconsulting.com, ***USER.4@norconsulting.de and dpo@gnorcom.com. In this email, the complaining party returns to demand a response to your request. SIXTH: On March 31, 2020, an email was sent by the party claimant to the email ***USER.5@datenschutz-berlin.de in which he requests that a case because you have not yet received a response to your exercise of right of access, in addition to report that cookies are installed on the Norconsulting website without asking the user. 
FUNDAMENTALS OF LAW I Competition and applicable regulations In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and free movement of these data (GDPR), and as established in articles 47, 48.1, 64.2 and 68.1 and 68.2 of the LOPDGDD is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures.” II Previous questions In the present case, in accordance with the provisions of article 4.1 of the GDPR, the processing of personal data, since NORCONSULTING performs the collection and storage of, among others, the following personal data of persons physical: email, name and surname, among other treatments. NORCONSULTING carries out this activity in its capacity as data controller, given that it is who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR. In addition, it is a cross-border treatment, since NORCONSULTING is established in Spain, although it provides service to the entire European Union.
The GDPR provides, in its article 56.1, for cases of cross-border processing, provided for in article 4.23), in relation to the competence of the supervisory authority principal, that, without prejudice to the provisions of article 55, the supervisory authority of the main establishment or the only establishment of the person in charge or of the person in charge of the treatment will be competent to act as main control authority for the cross-border processing carried out by said controller or processor pursuant to to the procedure established in article 60. In the case examined, as has been stated, NORCONSULTING has its main establishment in Spain, so the Agency Española de Protección de Datos is competent to act as control authority major. For its part, article 15 of the GDPR regulates the information that can be requested through the exercise of the right of access of article 15 and, on the other, article 17 of the GDPR regulates the right to obtain without undue delay from the data controller the deletion of personal data concerning the interested party. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 9/20 II Allegations adduced In relation to the allegations made, we proceed to respond to them according to the order exposed by NORCONSULTING: 1.- The contact details are obtained by GRUPO NORCONSULTING, S.L., from the companies with which it maintains a contractual relationship. The legitimacy of the treatment carried out by NORCONSULTING, but the alleged infractions committed by the inadequate attention of the exercise of rights requested by the claimant, specifically, the exercise of the right of access and the exercise of the right to delete your data. 2.- To the NORCONSULTING GROUP, S.L. You do not know the email of February 4, 2020, whereby the complaining party indicated that the response sent by NORCONSULTING was not a valid response to meet your request for access according to the GDPR. 
As stated in the Fourth and Fifth Proven Facts, they appear in the file the messages sent by the complaining party dated 02/04/2020 and 03/15/2020. The mail dated 02/04/2020 is sent from the email of the complaining party to ***USUARIO.3@gnorconsulting.com having a copy to the following emails: ***USER.4@norconsulting.de and dpo@gnorcom.com. The mail of March 15, 2020 It is sent from the email of the claimant to the following emails: ***USER.3@gnorconsulting.com, ***USER.4@norconsulting.de and dpo@gnorcom.com. 3.- In relation to the use of cookies, there is file processed number 05473/2021, and which was resolved by agreeing to file the file. File E/05473/2021 had as its starting point the same claim as the this proceeding, however, refers to different facts included in said claim, such as failure to obtain informed consent for the installation of Cookies not strictly necessary and from third parties, which meant a breach of the provided in article 22.2 of Law 34/2002, of July 11, on services of the society of information and electronic commerce. As already stated in response to claim 1, the purpose of this proceeding is constitutes inadequate attention to requests for the exercise of rights, specifically, the exercise of the right of access and the exercise of the right to delete the data of the complaining party, evidenced in the claim and in the documentation that accompanies. Consequently, it cannot be said that there is a coincidence in the facts of the file. E/05473/2021 and of this file. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 10/20 Formulated resolution proposal by the instructor of this procedure, in the hearing procedure for the interested party, allegations are presented by NORCONSULTING to which we proceed to respond below: 1.- NORCONSULTING proceeded to delete any data related to the part claimant once sent the email of February 2020. NORCONSULTING has not maintained a clear position in this regard. 
Here we are told that it proceeded to delete the data of the complaining party when it sent the email of February 2020. In the allegations submitted to the initiation agreement dated 09/13/2022, it was said that NORCONSULTING had never had the data of the complaining party: "... In any case, we must make it clear that our client never had the data of the complaining party…”. Finally, in the allegations presented to the resolution proposal, it is stated that the data were deleted upon receipt of the claim: "...since, once it had proof of the claim, it proceeded with the deletion of data…”. NORCONSULTING has not certified having deleted the personal data (name, surname, professional profile...) that it held on the complaining party. In addition, because the request to exercise the right of access has not been attended to, not even as a result of this procedure, it has not been possible to determine all the personal data subject to treatment. As an example, in the email dated 01/15/2022 NORCONSULTING proposes to the complaining party to have a telephone conversation about their professional preferences, asking for the most recent documentation of their experience, but it does not ask for their phone number, which it apparently already has.

2.- The data is obtained by NORCONSULTING in a legitimate way. This question was already answered in the resolution proposal, specifically in the second point of the response to the allegations made to the initiation agreement. The object of this procedure is not the legitimacy of the treatment carried out by NORCONSULTING, but the alleged infractions committed through the inadequate attention to the exercise of rights requested by the claimant, specifically, the exercise of the right of access and the exercise of the right to delete their data.
Furthermore, the fact that the treatment was legitimate in principle is not an obstacle to the complaining party exercising their rights before the data controller and having them attended to correctly.

3.- The subsequent emails, of which NORCONSULTING supposedly has no record, were sent during the period in which the Government of Spain decreed the State of Alarm due to COVID. In this regard, this Agency wishes to point out that the complaining party reiterated its request for the exercise of the right of access on 02/04/2020; from that date until the beginning of the state of alarm more than a month elapsed, and therefore the maximum period established by Article 12.3 of the GDPR to attend to this type of request had been exceeded. If we take into account the first request, dated 01/15/2020, which was not duly attended to, it was made almost two months before the start of the state of alarm, so there was enough time to meet said request.

For all the above, the allegations presented are dismissed.

IV Evaluation of the evidence taken

On 08/29/2022, the instructor of the procedure agreed to take documentary evidence regarding the security of the processing of the personal data that is the object of this procedure. On 09/13/2022, NORCONSULTING presented documentation, regarding which the following assessments can be made:

1.- On the date of the events in the file, NORCONSULTING worked with software provided by the company ***COMPANY.1, which, in the pandemic period due to COVID, was replaced by the software (...), for which reason NORCONSULTING alleges that it cannot access the information for that period.
In this regard, this Agency points out that NORCONSULTING cannot use a change of management software as grounds to neglect, on the one hand, the obligations that the GDPR assigns to it as data controller in terms of guaranteeing interested parties due attention to their requests to exercise their rights and, on the other, the consequences derived from non-compliance with these requests. In Recital 15, the GDPR goes even further, determining that its precepts are binding regardless of the technology used, by establishing that: "In order to avoid a serious risk of circumvention, the protection of natural persons must be technologically neutral and must not depend on the techniques used."

2.- NORCONSULTING indicates that it never had the data of the complaining party, but that it simply made contact through the platform or social network for professionals LINKTEAM, communicating to the claimant, in the email sent on 02/04/2020, the deletion of their email. However, the message sent by NORCONSULTING dated 02/04/2020 says: "But, as you have no interest in receiving job offers from us, we will proceed to delete your email from our automated files for which this company is responsible”, which we can translate as: "But, since you are not interested in receiving job offers from us, we will proceed to remove your email from our automated files for which this company is responsible". In addition, in the first email sent by NORCONSULTING to the complaining party dated 01/15/2020, there is also other personal data such as the name and surname of the recipient. Therefore, in accordance with the evidence taken, this Agency considers that NORCONSULTING has not provided any means of proof that would allow it to be concluded that the email and other personal data of the complaining party (name, surname, professional profile, preferences regarding job offers...) have been removed from its automated files.
In addition, we do not know all the personal data of the complaining party that were subject to treatment and were included in said automated file for which NORCONSULTING is responsible, as the exercise of the right of access requested by the complaining party in the email dated 01/15/2020 has not been attended to.

V Right of access of the interested party

Article 15 "Right of access of the interested party" of the GDPR establishes: "1. The interested party shall have the right to obtain from the data controller confirmation of whether or not personal data concerning them is being processed and, in such a case, the right to access the personal data and the following information: a) the purposes of the treatment; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom the personal data were communicated or will be communicated, in particular recipients in third countries or international organizations; d) if possible, the expected period of conservation of personal data or, if not possible, the criteria used to determine this term; e) the existence of the right to request from the controller the rectification or deletion of personal data or the limitation of the processing of personal data relating to the interested party, or to oppose such treatment; f) the right to file a claim with a control authority; g) when the personal data has not been obtained from the interested party, any information available on its origin; h) the existence of automated decisions, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the logic applied, as well as the significance and intended consequences of that treatment for the interested party.
2.
When personal data is transferred to a third country or to an international organization, the interested party shall have the right to be informed of the adequate guarantees under article 46 relating to the transfer. 3. The data controller shall provide a copy of the personal data undergoing treatment. The controller may charge, for any other copy requested by the interested party, a reasonable fee based on administrative costs. When the interested party submits the application by electronic means, and unless the latter requests that it be provided otherwise, the information will be provided in a commonly used electronic format. 4. The right to obtain a copy mentioned in section 3 will not negatively affect the rights and freedoms of others.”

In the present case, the complaining party, by email, requests from NORCONSULTING, in the exercise of the right of access of article 15 of the GDPR, the following information about the processing of their data: “a) What personal data has been stored or processed. b) Purpose of processing my data. c) The categories of personal data. d) The recipients or categories of recipients who already receive or will receive your data; e) The expected duration of data storage or, if this is not possible, the criteria to determine this duration; f) the existence of the rights of rectification, deletion or limitation of the treatment of my data, as well as the right to oppose said treatment in accordance with article 21 of the GDPR and to file a claim with the competent control authority. g) Information on the origin of the data; and h) If there is automated decision-making, including profiling, in accordance with article 22 of the GDPR. i) If my personal data has been transferred to a third country or to an international organization".
The complaining party requested from NORCONSULTING access to their personal data and the information referred to in the previous paragraph on 02/15/2020. NORCONSULTING responded to said request in a generic way, with brief information in which it only refers to the fact that the data of the interested party were obtained from one of the job portals (Infojobs, Experteer...) with which it works, to one of which the claimant would be subscribed. Because NORCONSULTING did not adequately respond to the requested information, the complaining party again requested said information in emails of 02/04/2020 and 03/15/2020, provided together with the claim, without getting any response. The personal data of the complaining party processed by NORCONSULTING are, at least, name, surname, email address, professional profile and preferences regarding job offers. In accordance with the evidence available at this time of resolution of the sanctioning procedure, it is considered that the known facts constitute an infringement, attributable to NORCONSULTING, for violation of article 15 of the GDPR.
VI Classification of the infringement of article 15 of the GDPR

The aforementioned infringement of article 15 of the GDPR constitutes the commission of the infringements typified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines” provides: “Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, for an amount equal to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the one with the highest amount: (…) b) the rights of the interested parties in accordance with articles 12 to 22; (...).”

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infractions”.

For the purposes of the limitation period, article 72 "Infractions considered very serious" of the LOPDGDD indicates: “1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that constitute a substantial violation of the articles mentioned therein and, in particular, the following, are considered very serious and will prescribe after three years: (…) k) The impediment or the obstruction or the repeated non-attention of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679.
(…)”

VII Penalty for violation of article 15 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the present time of resolution of the disciplinary procedure, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR.

As aggravating circumstances:
- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered (section a): Due to the failure to attend to at least three requests for access to their personal data, the first dated 01/15/2020, which to date have not been duly addressed.
- Negligence in the infringement (section b): The complaining party reiterated up to twice the request for information through emails sent on 02/04/2020 and 03/15/2020, without obtaining a response from NORCONSULTING, which shows the lack of a minimum diligence in compliance with its obligations as data controller.

As a mitigation:
- Any measure taken by the controller or processor to alleviate the damages suffered by the interested parties (section c): At first, it answered the complaining party, although it did not provide the requested information.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As an aggravating circumstance:
- The linking of the activity of the offender with the performance of treatment of personal data (section b): NORCONSULTING is a company whose economic activity is the management of human resources, which entails a high volume of personal data processing.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the offense committed by violating the provisions of article 15 of the GDPR, allows a penalty of €10,000 (ten thousand euros) to be imposed.

VIII Imposition of measures

Among the corrective powers provided in article 58 "Powers" of the GDPR, section 2.d) establishes that each control authority may "order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period…". Upon confirmation of the infringement, the Spanish Agency for Data Protection orders NORCONSULTING to certify before this Agency, within 30 days, that it has complied with the exercise of the right of access by the complaining party, answering all the information requested regarding the processing of their personal data. It is noted that failure to meet the requirements of this body may be considered an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent sanctioning administrative procedure.

IX Right to erasure ("the right to be forgotten")

Article 17 "Right of deletion" of the GDPR establishes: "1.
The interested party shall have the right to obtain without undue delay from the data controller the deletion of personal data that concerns them, and the controller will be obliged to delete personal data without undue delay when any of the following circumstances applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the interested party withdraws the consent on which the treatment is based in accordance with Article 6(1)(a) or Article 9(2)(a) and this is not based on another legal basis; c) the interested party opposes the processing in accordance with article 21, paragraph 1, and no other legitimate reasons for the treatment prevail, or the interested party opposes the treatment according to article 21, paragraph 2; d) the personal data have been unlawfully processed; e) personal data must be deleted to comply with a legal obligation established in the law of the Union or of the Member States that applies to the data controller; f) the personal data have been obtained in relation to the offer of information society services referred to in article 8, paragraph 1. 2. When the data controller has made the personal data public and is obliged, by virtue of the provisions of section 1, to delete said data, it will, taking into account the available technology and the cost of its application, take reasonable measures, including technical measures, with a view to informing the controllers who are processing the personal data of the request of the interested party to delete any link to those personal data, or any copy or replica thereof.
3.
Sections 1 and 2 will not apply when the treatment is necessary: a) to exercise the right to freedom of expression and information; b) for compliance with a legal obligation that requires data processing imposed by the law of the Union or of the Member States that applies to the data controller, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller; c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3; d) for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89(1), insofar as the right indicated in paragraph 1 could make impossible or seriously impede the achievement of the purposes of such processing, or e) for the formulation, exercise or defense of claims.”

In the present case, in response to the request for deletion of the data of the complaining party, the data controller replies that it has deleted their email; nothing is said about the other personal data of the interested party to which NORCONSULTING has had access, regardless of whether they were obtained legitimately. In accordance with the evidence available at this time of resolution of the sanctioning procedure, it is considered that the known facts constitute an infringement, attributable to NORCONSULTING, for violation of article 17 of the GDPR.
X Classification of the infringement of article 17 of the GDPR

The aforementioned infringement of article 17 of the GDPR constitutes the commission of the infringements typified in article 83.5 of the GDPR, which under the heading "General conditions for the imposition of administrative fines” provides: “Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, for an amount equal to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the one with the highest amount: (…) b) the rights of the interested parties in accordance with articles 12 to 22; (…).”

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infractions”.

For the purposes of the limitation period, article 74 "Infringements considered minor" of the LOPDGDD indicates: "The remaining infractions of a merely of the articles mentioned in sections 4 and 5 of article 83 of the Regulation (EU) 2016/679 and, in particular, the following: (…) c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law are applicable (…).”

XI Penalty for violation of article 17 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the present time of resolution of the disciplinary procedure, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR.
As aggravating factors:
- The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered (section a): Due to the failure to attend to the request for deletion of their personal data, dated 01/15/2020, which to date has not been duly addressed.

As mitigations:
- Any measure taken by the controller or processor to alleviate the damages suffered by the interested parties (section c): It deleted only the email of the complaining party.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD:

As aggravating factors:
- The linking of the activity of the offender with the performance of personal data processing (section b): NORCONSULTING is a company whose economic activity is the management of human resources, which entails a high volume of personal data processing.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the offense committed by violating the provisions of article 17 of the GDPR, allows a penalty of €5,000 (five thousand euros) to be imposed.

XII Imposition of measures

Among the corrective powers provided in article 58 "Powers" of the GDPR, section 2.d) establishes that each control authority may "order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where appropriate, in a certain way and within a specified period…".
Upon confirmation of the infringement, the Spanish Agency for Data Protection orders NORCONSULTING to certify before this Agency, within 30 days, that it has complied with the request for deletion of the personal data of the complaining party. It is noted that failure to meet the requirements of this body may be considered an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent sanctioning administrative procedure.

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on GRUPO NORCONSULTING, S.L., with NIF B15987100: For a violation of article 15 of the GDPR, typified in article 83.5 of the GDPR, a fine of €10,000 (ten thousand euros). For a violation of article 17 of the GDPR, typified in article 83.5 of the GDPR, a fine of €5,000 (five thousand euros).

SECOND: ORDER GRUPO NORCONSULTING, S.L., with NIF B15987100, to prove to this Agency, within 30 days, that it has complied with the exercise of the right of access by the complaining party, answering all the information requested regarding the treatment of their personal data, and to certify before this Agency that it has complied with the request for deletion of the personal data of the complaining party.

THIRD: NOTIFY this resolution to GRUPO NORCONSULTING, S.L.

FOURTH: Warn the sanctioned party that it must pay the imposed sanction once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art.
68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by paying it in, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account nº ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection at the bank CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.

Once the notification has been received and once the resolution is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th day of the following month or the immediately following business day, and if it is between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following month or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

In accordance with the provisions of article 60.7 of the GDPR, this resolution will be communicated, once it is final, to the control authorities concerned and to the European Data Protection Board.

Against this resolution, which puts an end to the administrative process in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses their intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

938-120722
Mar España Martí
Director of the Spanish Data Protection Agency