AEPD (Spain) - EXP202102088
AEPD - PS-00609-2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 83(5)(b) GDPR Article 11 LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 22.07.2021 |
Decided: | 06.07.2022 |
Published: | 06.07.2022 |
Fine: | 3000 EUR |
Parties: | Private Party (A.A.A) ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA |
National Case Number/Name: | PS-00609-2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | Spanish DPA (in ES) |
Initial Contributor: | Carmen Jurado Taboada |
The Spanish DPA fined an amateur football association €3,000 because its website lacked a privacy policy despite the fact that it collected various personal data.
English Summary
Facts
The data subject filed a complaint with the Spanish DPA regarding the website of a football club. The website required users to fill in forms with personal data but did not have a privacy policy.
Holding
The DPA reiterated that when personal data are collected, there must be accompanying disclosures per Article 13 GDPR, including identifying the means and purposes of processing, the identity and contact details of the controller, and the existence of data subjects' rights under the GDPR.
Noting the small size of the association and the absence of a history of violations, the DPA assessed a fine of €3,000 and ordered an appropriate privacy policy be added to the website.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: EXP202102088 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the complaining party) dated July 22, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against the ASSOCIATION OF AMATEURS AND SMALL SHAREHOLDERS UNIT HERCULANA with NIF G42688721 (hereinafter, the claimed). The reason on which the claim is based is that the person responsible for the website https://unidadherculana.es/ lacks a privacy policy in accordance with the provisions in article 13 of the RGPD, despite the fact that personal data is collected through various forms. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on October 5, 2021, said claim was transferred to the party claimed, so that it proceeded to its analysis and inform this Agency in the period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations. No response to this letter has been received. THIRD: On December 17, 2021, the Director of the Spanish Agency of Data Protection agreed to admit for processing the claim presented by the party claimant. FOURTH: On February 3, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the GDPR. FIFTH: After the period granted for the formulation of allegations to the agreement to initiate the procedure, it has been verified that no allegation has been received any by the claimed party. Article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP) -provision of which the party claimed was informed in the agreement to open the proceeding- establishes that if allegations are not made within the stipulated period on the content of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/10 initiation agreement, when it contains a precise statement about the imputed responsibility, may be considered a resolution proposal. In the present case, the agreement to initiate the disciplinary proceedings determined the facts in which the imputation was specified, the infraction of the RGPD attributed to the claimed and the sanction that could be imposed. Therefore, taking into account that the party complained against has made no objections to the agreement to initiate the file and In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement of beginning is considered in the present case resolution proposal. In view of everything that has been done, by the Spanish Data Protection Agency In this proceeding, the following are considered proven facts: PROVEN FACTS FIRST: A claim is filed denouncing the lack of policy of privacy appropriate to the personal data protection regulations on the web https://unidadherculana.es/; verifying by the AEPD that the website object of claim lacks privacy policy. SECOND: On February 3, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimant, for the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD. THIRD: On February 15, 2022, the claimant is notified of the settlement agreement beginning of this procedure, turning said agreement into a resolution proposal in accordance with articles 64.2.f) and 85 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), to the not make the claimed allegations within the indicated period. FOUNDATIONS OF LAW Yo By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD) recognizes each control authority, and according to what is established in the articles 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/10 II Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons in what regarding the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD), under the rubric “Definitions”, provides that: “For the purposes of this Regulation, the following shall be understood as: 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; 2) “processing”: any operation or set of operations carried out on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling of access, collation or interconnection, limitation, suppression or destruction;” III Article 13 of the RGPD, a precept that determines the information that must be provided to the interested party at the time of collecting their data, it has: "1. When personal data relating to him is obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection delegate, if applicable; c) the purposes of the treatment to which the personal data is destined and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate of the person in charge or of a third party; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/10 e) the recipients or the categories of recipients of the personal data, in their case; f) where appropriate, the intention of the controller to transfer personal data to a third party country or international organization and the existence or absence of a decision to adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the moment in which the data is obtained personal, the following information necessary to guarantee data processing fair and transparent a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this period; b) the existence of the right to request from the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to which referred to in article 22, sections 1 and 4, and, at least in such cases, information about applied logic, as well as the importance and consequences provisions of said treatment for the interested party. 3. When the controller plans the further processing of data personal data for a purpose other than that for which they were collected, you will provide the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/10 interested party, prior to such further processing, information on that other purpose and any additional information relevant under paragraph 2. 4. The provisions of sections 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information. For its part, article 11 of the LOPDGDD, provides the following: "1. When the personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679, providing the affected party with the basic information to referred to in the following section and indicating an electronic address or other medium that allows easy and immediate access to the rest of the information. 2. The basic information referred to in the previous section must contain, at less: a) The identity of the data controller and his representative, if any. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679. If the data obtained from the affected party were to be processed for the preparation of profiles, the basic information will also include this circumstance. In this In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on him or her significantly affect in a similar way, when this right concurs in accordance with the provisions of article 22 of Regulation (EU) 2016/679.” IV By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for Data Protection, as a control authority, has a set of corrective powers in the event of an infraction of the precepts of the GDPR. Article 58.2 of the RGPD provides the following: “2 Each supervisory authority shall have all of the following corrective powers listed below: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/10 (…) b) send a warning to any person responsible or in charge of the treatment when the treatment operations have violated the provisions of this Regulation;” (...) “d) order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;” “i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;" Article 83.5.b) of the RGPD establishes that: “The infractions of the following dispositions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount: a) the rights of the interested parties pursuant to articles 12 to 22;” In turn, article 72. 1 h) of the LOPDGDD, under the heading "Infringements considered very serious provides: “1 Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: h) The omission of the duty to inform the affected party about the processing of their data personal in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law.” v In this case, this Agency has confirmed that the respondent requires his customers who provide their personal data, without indicating any of the aspects required in article 13 of the RGPD, indicated in the legal basis III, according to which, the claimed party must inform the owner of the personal data that he takes about the aspects indicated in said precept such as the identity and contact details of the responsible for the treatment, the purposes of the treatment to which the data is destined data and the legal basis of the treatment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/10 Therefore, since the respondent does not comply with the information required in the aforementioned article 13 of the RGPD, it could incur in an infringement of the RGPD. SAW In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: “Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.” “Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms of certification approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/10 Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatment of personal information. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection officer. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.” In accordance with the precepts transcribed, in order to set the amount of the sanction of fine to be imposed in this case on the entity claimed as responsible for a infringement typified in article 83.5.b) of the RGPD, the following mitigating factors: - The claimed one does not have previous infringements (83.2 e) RGPD). - It has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD). - The claimed entity is not considered a large company. It is appropriate to graduate the sanction to be imposed on the claimed party and set it at the amount of €3,000 in accordance with article 58.2 of the RGPD. Likewise, upon confirming the existence of an infraction, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, in the resolution the claimed party is ordered, as responsible for the treatment, which prepares an adequate privacy policy, so that the information required in the aforementioned article 13 of the GDPR. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/10 Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE THE ASSOCIATION OF AMATEURS AND SMALL SHAREHOLDERS UNIT HERCULANA, with NIF G42688721, for an infraction of the aarticle 13 of the RGPD, typified in article 83.5 b) of the RGPD, a fine of €3,000 (three thousand euros). SECOND: ORDER the respondent, as data controller, to prepare an adequate privacy policy, so that the information is available required in the aforementioned article 13 of the RGPD THIRD: NOTIFY this resolution to the FANS ASSOCIATION AND SMALL SHAREHOLDERS UNIT HERCULANA. FOURTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/10 Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es