AEPD (Spain) - PS/00459/2020
AEPD (Spain) - PS/00459/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5 GDPR Article 6 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 05.07.2021 |
Published: | 09.07.2021 |
Fine: | 4000 EUR |
Parties: | MALAGATROM, S.L.U. |
National Case Number/Name: | PS/00459/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined a small vendor €4000 for publishing personal data from different clients in their public Amazon page.
English Summary
Facts
A data subject bought a product from Megalatrom, a vendor in Amazon. The product was defective, so the subject made a claim and also posted a negative review in Megalatrom's page.
The controller, Megalatrom, threatened the data subject to publish their personal data if they didn't take away the negative review on their page. Since the data subject didn't do as asked, the controller published their name, surnames, address, phone number, their husband's name and their phone company's name.
As the Spanish DPA (AEPD) noted, the controller had done the same several times.
Holding
The AEPD determined that the controller had processed personal data without consent, therefore violating Article 6(1) GDPR.
While the initial processing of the personal data was justified for the performance of a contract, and therefore based on Article 6(1)(b), the subsequent processing for making public the personal data of the data subject had no legal basis, as it was no necessary for the fulfillment of the initial contract.
The AEPD also found a breach of the confidentiality principle, since the data provided by the data subject were only meant to be processed within the commercial agreement both had, and not to be made publicly available.
However, the DPA considered that since both violations came from the same facts, in accordance with the criminal law principles that are applicable to sanctioning procedures, they could only sanction the controller for the original and most serious violation, which is the infringement of Article 6 GDPR.
For this, the AEPD fined the controller €4000. In order to determine the amount, the DPA took into account the intentionality of the behaviour, the nature of the infringement, the nature of the harm made to the data subject, the means for the infringement, which implies public access, and the categories of data disclosed. As a mitigating factor the DPA took into account the small size of the controller.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14 Procedure No.: PS / 00459/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) on 06/10/2020 filed claim before the Spanish Agency for Data Protection. The claim is directs against MALAGATROM, S.L.U. with NIF B93178614 (hereinafter, MALAGATROM or the claimed one), which operates under the trademark “Mercatron”. The reasons on which the claim is based are: the respondent has treated and disclosed in "Amazon" your personal data relating to name and surname, address, number of mobile phone, your spouse's name and his or her mobile phone number. Warns that the reported data processing is carried out without your consent and without a legitimate purpose. This claim shows that, through the “Amazon” platform, the claimant acquired from the defendant a product marketed by this company, resulting in defective shipping and giving rise to various claims, some with the intermediation of “Amazon”. The complainant adds that she chose to insert a comment with a negative store rating of the claimed one along with a review of the product, receiving a response in which the claimed threatens to publish their data, which later complied with the incorporation of a comment that details the personal data indicated above. Attach the following scanned images of the “Amazon” user account: 1. Message from “Amazon” dated 05/15/2020 regarding an order. 2. Message of 06/02/2020 sent by <devolucion@amazon.es> to the claimant about return. 3. Message of 06/02/2020 from “Amazon” to “Mercatron” about the request for return of the order by the claimant. 4. Message of 06/03/2020 sent by “Mercatron” to the claimant about the return, with the following text: "Mr. Client, I advise you to return the equipment, so that our business relationship is annulled, a negative vote for a case like yours, just shows ... Also, I don't think you would like all sellers to see all their data in the reply to the comment, but if you do not care, we will not return to write to him. You are the one who plays it… ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/14 5. Message from 06/03/2020 sent by “Amazon” Customer Service to the claimant. 6. Comments posted on the “Mercatron” showcase page, among which figure one inserted by the claimed entity itself, dated 06/03/2020, with the text following: “Be very careful with this account… (name and surname, address and number of claimant's mobile phone). The husband's name is ... (name of the spouse of the claimant) and is the one who keeps the account ... (mobile phone number of the spouse of the claimant) ”. The claimant refers to the possible incorporation of her personal data and the from your spouse to advertisements published on the “Milanuncios” and “Tripadvisor” portals, and adds that on the same date of 06/03/2020 they began to receive calls from interested persons, some of whom knew the claimant's domicile. Not However, the claim does not include any proof in this regard. SECOND: The claim was admitted for processing on 06/22/2020. THIRD: In view of the facts denounced in the claim and the documents provided by the claimant, the Subdirectorate General for Inspection of Data proceeded to carry out preliminary investigation actions for the clarification of the facts in question, by virtue of the powers of investigation granted to the control authorities in article 57.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and of in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, the report prepared by the acting inspector reveals the following: “[…] It is verified that the claimed facts are true, finding not only the personal data of the claimant and her husband published in the response provided by the claimed to the valuation made by the claimant, but rather three other cases of disclosure of personal data have been found in responses to evaluations in the last six months in the profile of the claimed on the website of sale online https://www.amazon.es. […] A search was made on the websites https://milanuncios.es and https://www.tripadvisor.es in which the claimant states that they have been published also your personal data for which you have received phone calls, not We found no reference to the claimant's phone number or that of her husband. […] It has been found that there are other cases in which, upon receiving an assessment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/14 negative, the respondent makes public the personal data of the clients not satisfied with the purchase and / or the service. The most recent case of those found has been in a response to a customer comment dated August 17, 2020 ”. Through Inspection Diligence dated 12/03/2020, it is incorporated into the actions screen print with some responses from the claimed to comments inserted in the shopping website of "Amazon" by its customers, in which they are reveal their personal data. The pages that contain these comments, including those relating to the claimant, were obtained from the profile of the claimant in said website. Three comments are incorporated, all of them with a content similar to the one that has motivated the claim, according to the detail that is outlined in the Proven Fact Fifth. FOURTH: On 05/25/2021, by the General Sub-Directorate of Data Inspection Access to the information available on the entity claimed in "Axesor". On said website states that said entity was constituted in 2012, with a share capital of 3,000 euros. (…). (…). FIFTH: On 06/01/2021, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against The MAGALATROM entity, by the alleged infringement of article 6 of the RGPD, typified in article 83.5.a) of the same Regulation; noting in said agreement that the sanction that may correspond amounts to 4,000 euros (four thousand euros), without prejudice to what results from the instruction. SIXTH: The aforementioned initiation agreement has been notified, the period granted to the claimed to formulating allegations passes without this Agency having received a written any. SEVENTH: On 06/28/2021 a resolution proposal was formulated in the sense of that the Director of the Spanish Data Protection Agency sanctions the entity claimed with a fine of 4,000 euros (four thousand euros), for a infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD. Likewise, it was proposed that by the Director of the Spanish Agency for the Protection of Data is required from the claimed so that, within the period to be determined, adopt the necessary measures to adapt their actions to the data protection regulations personal, with the scope expressed in the Basis of Rights of the aforementioned motion for resolution. EIGHTH: The requested entity was notified of the resolution proposal, dated 06/30/2021 this Agency received a written statement of allegations, in which it states that there is no disclosure of data, as it is an internal chat of the web to which no no one else can have access. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/14 He alleges defenselessness, given the impossibility of proving his innocence, and adds that the low returns that you obtain do not allow you to bear penalties for events unrelated to his will, for which he will be forced not to continue with the business activity. With its writing, the claimed does not provide any documentation. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS FIRST: the claimed entity is registered as a "seller" in the Portal "Amazon". Through this website, the claimant acquired one of the products marketed by the claimed. SECOND: The shipment of the product that the claimant acquired from the defendant was defective, giving rise to the formulation of various claims by the client. The claimant also inserted a comment on the showcase page of the claimed on “Amazon” with a negative store rating and a review of the product. THIRD: In response to the claimant's comment, outlined in the Fact Second, the complainant, dated 06/03/2020, inserted a comment about of the return, with the following text: "Mr. Client, I advise you to return the equipment, so that our business relationship is annulled, a negative vote for a case like yours, just shows ... Also, I don't think you would like all sellers to see all their data in the reply to the comment, but if you do not care, we will not return to write to him. You are the one who plays it… ”. FOURTH: On 06/03/2020, the respondent inserted a comment on the platform shopping "Amazon", on its own showcase page, in which it discloses the data Claimant's personal names and surnames, address, number of mobile phone, your spouse's name and his or her mobile phone number. The text of this comment is as follows: “Be very careful with this account… (name and surname, address and number of claimant's mobile phone). The husband's name is ... (name of the spouse of the claimant) and is the one who keeps the account ... (mobile phone number of the spouse of the claimant) ”. FIFTH: The Agency's Inspection Services found that there are other cases in which, upon receiving a negative assessment, the complained entity makes make public the personal data of customers who do not comply with the purchase and / or the service. The pages that contain these comments, including those relating to the claimant, were obtained from the profile of the claimed in “Amazon”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/14 The text of these comments is as follows: . Comment inserted on 05/29/2020: “Be very careful with this buyer… (name and last name of the client, address and mobile phone number) ”. . Comment inserted on 06/03/2020: “Beware of this client… (client's name, city or postal code). He is a manipulator ”. . Comment inserted on 08/19/2020: “Be careful with this client… (name and surname customer, address and mobile phone number). He is dedicated to buying things and for the being prime it is believed that you do not have to pay. Be careful with this guy for calling him something". FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of the RGPD, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in the alternative, by the norms general information on administrative procedures ”. II Article 6.1 of the RGPD establishes the assumptions that allow the processing of personal data: "1. The treatment will only be lawful if at least one of the following is met terms: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or another Physical person; e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that on said interests do not override the interests or fundamental rights and freedoms of the interested party who require the protection of personal data, in particular when the interested is a child. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/14 The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions. 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to the treatment in compliance with section 1, letters c) and e), setting moreover specifies specific treatment requirements and other measures that ensure a lawful and equitable treatment, including other specific situations of treatment according to chapter IX. 3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the controller. The purpose of the treatment must be determined in said legal basis or, as relating to the treatment referred to in paragraph 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of powers public conferred to the person in charge of the treatment. Said legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the person in charge; the types of data being processed; the interested affected; the entities to which personal data may be communicated and the purposes of such communication; the limitation of the purpose; the terms of conservation of the data, as well as operations and treatment procedures, including measures to guarantee a lawful and equitable treatment, such as those related to other specific treatment situations in accordance with Chapter IX. Union law or Member States will meet a public interest objective and will be proportional to the legitimate end pursued. 4. When the treatment for a purpose other than that for which the data were collected personal data is not based on the consent of the interested party or on the Law of the Union or of the Member States that constitutes a necessary measure and proportional in a democratic society to safeguard the stated objectives in article 23, paragraph 1, the data controller, in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected initially personal data, will take into account, among other things: a) any relationship between the purposes for which the data was collected personal and the purposes of the planned further processing; b) the context in which the personal data was collected, in particular for what Regarding the relationship between the interested parties and the person responsible for the treatment; c) the nature of the personal data, specifically when categories are processed special personal data, in accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymisation ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/14 What is expressed in recitals 40 to 45 and 47 of the RGPD is taken into account. In the present case, the claimed entity is registered as a "seller" in the Portal "Amazon". Through this website, the claimant acquired one of the products marketed by the claimed. By virtue of said purchase, the respondent collected the personal data of the claimant and was entitled to submit them to treatment in order to give compliance with the aforementioned commercial relationship. However, the respondent processed such data that was not necessary for the fulfillment or execution of said relationship, consisting of inserting a comment on his own showcase page on “Amazon” detailing the personal data of the claimant regarding name and surname, address, number of mobile phone, your spouse's name and his or her mobile phone number. The text of the comment in question is the following: “Be very careful with this account… (name and surname, address and number of claimant's mobile phone). The husband's name is ... (name of the spouse of the claimant) and is the one who keeps the account ... (mobile phone number of the spouse of the claimant) ”. On the other hand, the investigation actions carried out by the Services of Inspection of this Agency have verified the existence of similar comments Relating to other clients, whose personal data have been used in the same way. These proceedings incorporate three comments of this type, in addition to the corresponding to the claimant, in which personal data of clients of the claimed one. It does not appear, in the case of the claimed one or in relation to the other aforementioned clients, that the respective processing of personal data by the complained party is carried out under a legal basis that legitimizes them, they were not necessary for the fulfillment of the commercial relationship, as has been said, and the purpose for the that are carried out is not a purpose compatible with those that determined the collection of such personal data by the claimed party. Consequently, the aforementioned events violate the provisions of article 6 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation granted to the Spanish Agency for Data Protection. Regarding this use of the personal data of the clients, the claimed entity does not has made any statement in its brief of allegations to the proposal. III Article 5 of the RGPD establishes the principles that must govern the treatment of personal data and mentions among them that of "integrity and confidentiality". East Article, in section 1.f), states the following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/14 "1. The personal data will be: (…) f) treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ('integrity and confidentiality') ”. Article 5 of the new Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is refers to the "Duty of confidentiality" in the following terms: "1. Those responsible and in charge of data processing as well as all people who intervene in any phase of this will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679. 2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations. 3. The obligations established in the previous sections will be maintained even when the relationship between the obligated party and the person in charge of the treatment". The comments made by the complainant about the complainant and other clients, in which details personal data relating to them, which were inserted in the sales portal "Amazon", on the showcase page of the claimed itself, which is registered as a selling entity in said portal, it implies the dissemination to third parties of those personal data without any type of restriction, considering that said website is freely accessible to any internet user. Thus, the respondent carried out a dissemination of personal data, which constitutes an offense for breach of the provisions of article 5 "Principles relating to the treatment" of the RGPD, section 1.f), in relation to the article 5 "Duty of confidentiality" of the LOPDGDD. This duty of confidentiality, previously the duty of secrecy, is intended to avoid such dissemination of data not consented to by the owners of the same. I know It is an obligation that is incumbent on the person in charge and in charge of the treatment, as well as to anyone who intervenes in any phase of the treatment; and what is complementary to the duty of professional secrecy. In its allegations to the proposed resolution, the claimed entity denies this disclosure of personal data, noting that the comments in question are carried out in an internal chat on the web that cannot be accessed by any other person. However, the actions carried out by the Inspection Services of the Agency have confirmed that the comments are public, since the site can be accessed without any restriction, without even being registered in the sales platform. In the same letter he has alleged defenselessness, but without expressing any cause or circumstance that determines it. IV C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/14 The verified facts, consisting of using the personal data of the interested to make some comments that were inserted in a website of free access, constitute the factual basis to substantiate the imputation to the claimed of the infractions of articles 6 and 5.1 of the LOPDGDD. We are faced with a case of medial contest, in which the same event could lead to two offenses, given the circumstance that the commission of a implies, necessarily, the commission of the other. That is, data processing personal information on a freely accessible website results, in turn, in a violation of the duty of confidentiality. The two possible infractions are considered very serious for the purposes of prescription in article 72 of the LOPDGDD and both are typified in article 83.5 of the GDPR. In this regard, article 29.5 of Law 40/2015, of October 1, on the Regime Public Sector Legal, establishes the following: "When the commission of an offense necessarily results in the commission of another or others, only the sanction corresponding to the most infringement must be imposed. serious committed ”. Therefore, it is appropriate to subsume both offenses in one, proceeding to impose only the sanction provided for the violation of article 6 of the RGPD, which is of the original infringement that has implied the commission of the other. V In the event of an infringement of the RGPD precepts, among the corrective powers available to the Spanish Data Protection Agency, As a supervisory authority, Article 58.2 of said Regulation contemplates the following: “2 Each supervisory authority shall have all the following corrective powers listed below: (…) b) direct a warning to any person in charge or in charge of the treatment when the treatment operations have infringed the provisions of this Regulation; (...) d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame; (…) i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;". According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/14 above is compatible with the sanction consisting of an administrative fine. SAW Failure to comply with the provisions of article 6 of the RGPD implies the commission of an offense typified in section 5.a) of article 83 of the RGPD, which under the heading "General conditions for the imposition of administrative fines" provides the next: "5. Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9 ". In this regard, the LOPDGDD, in its article 71 establishes that “They constitute offenses the acts and conducts referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law ”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: “Article 72. Violations considered very serious. 1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679 ”. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, provisions that state: "1. Each supervisory authority will guarantee that the imposition of fines administrative regulations pursuant to this article for the infractions of this Regulations indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/14 have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in in particular if the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same issue, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the offense. " For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD has: "1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatment of personal information. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have induced the commission of the offense. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party ”. In accordance with the indicated precepts, in order to set the amount of the sanction to impose in the present case, it is considered that the criteria following graduation: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/14 - The intentionality appreciated in the commission of the offense. In this case, what results from the incorporation of a comment related to the claimant, inserted on a publicly accessible website, there is a prior comment in which the herself claimed threatened with such disclosure of personal data. - The nature of the offense, taking into account the scope or purpose of the treatment operations in question, regarding the privacy of the claimant. - The nature of the damages caused to the interested persons. - The means through which the personal data object of the performances (free access website for any internet user). - The categories of personal data affected by the infringement, considering that the comment in question details the identifying data and contact of its clients and third parties. It is also considered that the circumstances concur as extenuating following: - The small business status of the responsible entity. Considering the exposed factors, the imposition of a fine in the amount of 4,000 euros (four thousand euros), for the violation of article 6 of the GDPR. The respondent has made allegations to the proposed resolution indicating that the low returns he obtains do not allow him to bear the penalty, so he is will be forced not to continue with the business activity. However, it has not provided any documentation that supports these statements, or that could imply that the amount indicated is disproportionate. In fact, it has not made any statement about the graduation criteria taken into account. VII In accordance with the provisions of article 58.2.d) of the RGPD, the commission of a infringement may lead to the imposition on the person responsible of the obligation to adopt adequate measures to adjust its performance to the data protection regulations personal. According to this article, each supervisory authority may “order the responsible or in charge of the treatment that the treatment operations are comply with the provisions of this Regulation, where appropriate, of a determined way and within a specified period… ”. Therefore, in this case, it is appropriate to require the claimed so that, within the period that is determine, delete all comments from your page on the “Amazon” platform inserted by the claimed itself in which the personal data of its clients or third parties; and take the appropriate measures to prevent similar events may be repeated in the future, warning everyone in your organization about the illegality of this conduct. It is noted that not meeting the requirements of this body may be considered as a serious administrative offense by “not cooperating with the Authority C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/14 of control ”before the requirements made, being able to assess such conduct to the time of the opening of an administrative procedure punishable by a fine pecuniary. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the entity MALAGATROM, S.L.U., with NIF B93178614, by an infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 4,000 euros (four thousand euros). SECOND: REQUEST the entity MALAGATROM, S.L.U. that, within a month, adopt the necessary measures to adapt its actions to the regulations of protection of personal data, with the scope expressed in the Basis of Right VII of this resolution. THIRD: NOTIFY this resolution to MALAGATROM, S.L.U. FOURTH: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term it will be until the 5th of the second following or immediately subsequent business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/14 day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es