AEPD (Spain) - PS/00499/2022
AEPD - PS/00499/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR; Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 27.10.2021 |
Decided: | |
Published: | |
Fine: | 75,000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00499/2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Bernardo Armentano |
The Spanish DPA imposed a total fine of €75,000 on an accommodation company for requiring excessive data for guests' check-in and for not providing them with complete information about the processing of their data.
English Summary
Facts
The data subject booked an apartment from Marketing Accommodation Solutions, the controller, for a period of vacation in Catalonia. To check in, the data subject had to fill in an online form and provide personal data of all guests, including emails, telephone numbers and addresses, as well as photos of both sides of the identity cards of each of them.
The data subject filed a complaint with the Spanish DPA claiming that the data requested was excessive. In response, the controller argued that it was obliged by law to register its guests and to transfer their data to the Catalan police. Not satisfied with the response, the data subject filed a complaint with the Spanish DPA, which proceeded to investigate the facts.
Holding
The Spanish DPA highlighted that the controller must limit data processing to what is strictly necessary for the specific purpose it intends to achieve.
In the present case, it noted that not all data processed were necessary to provide the service of renting holiday apartments or to comply with the obligation to register guests provided for by Article 2 of Regulation IRP/418/2010. This Regulation deals with the obligation to register and notify the General Directorate of Police of persons staying in accommodation establishments located in Catalonia and only requires that the following data be collected: identity document number, type of document, date of issue thereof (if indicated), surnames, first name, gender, nationality, date of entry, address, telephone and expected days of stay. For this reason, the DPA found that the controller violated Article 5(1)(c) GDPR, notably for having requested the image of both sides of the identity documents of its guests.
In addition, the DPA recalled that Article 13 GDPR requires the controller to provide the data subject with a series of information at the time of the collection of their personal data. In the case at stake, it verified that the information provided to the guests was not complete. In particular, the following information was missing: the identity and contact details of the controller, the contact of the DPO, the legal basis for the processing of personal data, the recipients or the categories of recipients and the retention period. Similarly, the controller's privacy policy did not comply with the provisions of Article 13.
In view of the above, the DPA imposed a fine of €25,000 for the violation of Article 5(1)(c) GDPR and a fine of €50,000 for the violation of Article 13 GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00499/2022

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the claiming party) dated October 27, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against MARKETING ACCOMMODATION SOLUTIONS FZ, L.L.C. with fiscal identifier 45000501 (hereinafter, the claimed party). The motives on which the claim is based are the following:

Through the Airbnb online platform, the claimant contacted the entity owner of an apartment in Barcelona, MARKETING ACCOMMODATION SOLUTIONS FZ, L.L.C. (***URL.1), with the purpose of staying there for a few days with his companions. Said entity had enabled a web page / app to make the online check-in, a mandatory procedure to formalize the delivery of the keys to the apartment.

To carry out the online check-in, the seven people who were going to stay in the apartment had to fill out a form with their emails, telephone numbers and addresses, as well as send photos of both sides of their D.N.I. and selfies of each of them.

After the stay, specifically on October 23, 2021, the claimant contacted the person responsible for the treatment to indicate that the data that are requested to make the reservation are excessive, protest because there is no option to deny consent for the sending of offers and products, and ask what data of yours they have, which have been obtained following the authorization and which have assigned and to whom.

The answer they gave it, on October 25, 2021, was that the only data that they have of the claimant are those that they provided to Airbnb: name, surname, number of phone and email.
Likewise, it is indicated that the purpose of the check-in that did is to comply with the regional regulation that obliges to communicate such data to the Register of Travelers maintained by the Catalan police (the Mossos d'Esquadra), since once the data is uploaded to the platform, it is dumped into the website of the Mossos d'Esquadra, in such a way that when they are transferred to them, they disappear from your platform. They also indicate that "we have not transferred your data because we have never had them nor do we want them, nor do we need them. can rest assured, we do not send any type of advertising to clients nor do we bells."

The claimant considers the response very generic.

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

Attach the complaining party:

a) Email that was sent to you from ***EMAIL.1 to check-in online, which contains the following information on data processing:

“Your information has just been entered into the database. We inform you that the data provided will only be used to fulfill reservations, as well as to keep you updated with our news, promotions and offers.

Also, we would like to inform you that the company stores the personal information that you provided with your last reservation, in order to manage your future reservations with the best comfort for you and your family. All the data you have given us provided are kept secure and will not be transferred to third parties, except in the cases in which we make a reservation or have to fulfill an obligation legal.
In any case, if you do not wish to receive our news, offers and promotions, do not feel free to contact us by email: ***EMAIL.1

Finally, we inform you that according to the new regulation, you can exercise your rights of access, rectification, opposition, cancellation or elimination and limitation of data; as well as request not to be subject to individualized decisions or the delivery of your data through the right of portability, following the steps below:

- In person at the company's offices.
- Via email with a scanned copy of your passport or ID sent to email: ***EMAIL.1”

b) Exchange of emails between the complaining party and the claimed party between October 23, 2021 and October 25, 2021.

SECOND: The Agency's General Subdirectorate for Data Inspection sent to the party complained of writing dated December 1, 2021 in which:

- It is requested that within a month, report the name or the entity that has appointed as his representative and his domicile in the Union or, indicate the reasons why such designation is not necessary, since the claimed party is not established in the Union and the Agency does not know who is its representative in the Union in accordance with Article 27 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR).
- The claim is transferred to proceed with its analysis and report to this Agency, within a month, of the actions carried out to adapt to the requirements set forth in the data protection regulations, in accordance with the Article 65.4 of Organic Law 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD).
- It is required so that within a period of one month it sends the following information to the Agency:

1.
Justification of the legal basis supposedly chosen to collect and process the "selfie" images of the users, as well as a copy of their identification documents, taking into account that the order establishing the obligation (the Order IRP/418/2010, of August 5, on the obligation of registration and communication to the General Directorate of the Police for people staying in lodging establishments located in Catalonia) does not include said information among the data to provide to the Catalan police.
2. Confirmation that the information collected is not being processed after its supposed communication to the Catalan police.
3. Confirmation that customers' personal data is not being used for advertising or other purposes.
4. Report on the measures adopted to adapt its "Privacy Policy" to the article 13 of the GDPR, so that it reflects the previous points. Indicate dates of implementation and controls carried out to verify its effectiveness.
5. The decision adopted regarding this claim.
6. The postal address of the representative of the controller in the European Union.
7. Any other that you consider relevant.

The aforementioned letter, whose notification was made in accordance with the rules established in Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter, LPACAP) by international postal mail, was returned due to missing delivery.

THIRD: On January 27, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out previous investigative actions to clarify the facts in matter, by virtue of the functions assigned to the control authorities in the article 57.1 and of the powers granted in article 58.1 of the GDPR, and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes:

On July 29, 2022, it is verified in whois records that the domain ***URL.1 is registered by the registrar 10DENCEHISPAHARD S.L.

Dated July 29, 2022, it is verified in the privacy policy of ***URL.1 the identification data of the person responsible for the page, corresponding to MARKETING ACCOMMODATION SOLUTIONS FZ-LLC and consists of:

“MARKETING ACCOMMODATION SOLUTIONS FZ-LLC, with fiscal identifier 45000501 and address at: Business Park, PO Box 10055, Ras Al Khaimah UAE[…]”

On July 29, 2022, a request for information is sent to 10DENCEHISPAHARD S.L., regarding identification and contact data, including name, surnames or company name, DNI/CIF and postal address, of the holder of the following domain, as well as whoever has contracted your accommodation: ***URL.1.

On August 2, 2022, 10DENCEHISPAHARD S.L. send this Agency the data identification and contact details of the owner of the website ***URL.1, these being the following:

Company: MARKETING ACCOMMODATION SOLUTIONS FZ-LLC
NIF: 784119887490316
Name: B.B.B.
Position: Manager
Address: Business Park, PO 10055
ZIP Code: I
Location: Ras Al Khaimah
Country: United Arab Emirates
Email: ***EMAIL.2
Phone: +***PHONE.1

On July 29, 2022, a request for information is sent to MARKETING ACCOMMODATION SOLUTIONS FZ-LLC relating to:

1.
Justification of the legal basis supposedly chosen to collect and process the "selfie" images of the users, as well as a copy of their identification documents, taking into account that the order establishing the obligation (the Order IRP/418/2010, of August 5, on the obligation of registration and communication to the General Directorate of the Police for people staying in lodging establishments located in Catalonia, which is attached to this request) does not include said information among the data to be provided to the Catalan police.
2. Screenshots of the app that your entity uses with the complete process that follow their clients to provide data such as the copy of documents of identification and a "selfie" as a prerequisite for entering the apartment.
3. Screenshots of your systems showing all the data that they have about 100 users including the claimant.
4. Documentation that proves the geographical location where the data of your clients is processed.
5. Screenshots of your systems showing all transmissions or data communications made from 100 users, including the claimant, with the details of which recipients have been sent.
6. Screenshots of their systems where it is stated that the data of the claimant have been deleted after being sent to the Catalan police and where the date of elimination is also stated.
7. Detailed description of the system used to send the data of your clients to the Catalan police indicating the types of data sent, instant precise in that they are sent since they are received from their clients and if the data at some point they pass through systems under their responsibility or not.
If the data does not pass at any time through systems under your responsibility indicate the identification and contact details, including postal address, of whoever is the responsible for those systems and provide a copy of the contracts signed between your entity and said person in charge, and that include the field of data protection.
8. Report on the measures adopted to adapt its "Privacy Policy" to the article 13 of the GDPR. Indicate implementation dates and controls carried out to check its effectiveness.
9. The postal address of the representative of the controller in the European Union.
10. Any other that you consider relevant.

The aforementioned letter, whose notification was made in accordance with the rules established in Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter, LPACAP) by international postal mail, was returned due to missing delivery.

On September 13, 2022, it is verified that in Order IRP/418/2010, of August 5, on the obligation of registration and communication to the General Directorate of the Police of people who stay in lodging establishments located in Catalonia, consists of:

“[…]

Article 2 documentary record

Any person who stays in the establishments included in the scope application of this Order, you must register. For this purpose it must fill in, as a minimum, the information specified as mandatory in the model of annex 1 of this Order.

[…]

Article 3 Communication of data by telematic means to the General Directorate of the Police.

The establishments included in the scope of application of this Order must notify the General Directorate of Police of the department competent in matters of public security the information contained in the Annex 2 of this Order.
[…]

Article 4 Communication of data by other means

When for special reasons duly motivated, the establishments cannot carry out communication through telematic means mentioned, the information in annex 2 must be sent to the police premises of the Mossos d'Esquadra through any of the following systems:

[…]

APPENDIX 2

Data of the information that must be communicated to the General Directorate of the Police

Establishment data
- CIF/NIF
- Property name
- Address
- Municipality
- Province

Data of the hosted person
- Document number
- Document type
- Expedition date
- Name
- Surnames
- Sex (F=female / M=male)
- Date of birth (date format: YYYYMMDD)
- Nationality (country name)
- Date of entry into the establishment (date format: YYYYMMDD)

[…]”

On September 13, 2022, it is verified that in Order IRP/418/2010, of August 5, on the obligation of registration and communication to the General Directorate of the Police of people who stay in lodging establishments located in Catalonia, there is a form in its Annex 1 with the data of “Num. identity document”, “Type of document”, “Date of issue (if stated)”, name and surname, sex, date of birth, nationality, date of entry, address, telephone number, expected days of stay and signature, all of them related to the people staying.

FIFTH: On September 27, 2022, the Director of the Spanish Agency of Data Protection agreed to initiate disciplinary proceedings against the claimed party, for the alleged infringement of article 5.1.c) of the GDPR, typified in article 83.5 of the GDPR, and for the alleged infringement of article 13, typified in article 83.5.b) of the GDPR.

SIXTH: The aforementioned initiation agreement, the notification of which was carried out in accordance with the norms established in Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations (hereinafter, LPACAP) by international postal mail, it was returned due to non-delivery.
Hence the notification was made, in accordance with article 44 of the LPACAP, by means of announcement published in the Official State Gazette dated December 27 2022.

It has been verified that no allegation has been received from the party claimed.

Article 64.2.f) of the LPACAP (provision of which the claimed party was informed in the agreement to open the procedure) establishes that if no arguments are made within the established term on the content of the initiation agreement, when it contains a precise pronouncement about the imputed responsibility, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning file determined the facts in which the accusation was specified, the infringement of the GDPR attributed to the party claimed and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to start the file and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned start-up agreement is considered in the present case as a proposal for resolution.

In view of all the proceedings, by the Spanish Agency for Data Protection in this proceeding, the following are considered proven facts:

PROVEN FACTS

FIRST: Dated October 6, 2021, from the email ***EMAIL.1, an email was sent to the complaining party with the following content:

“With Apartments2be Online Check-in you will enjoy before your stay! fill the necessary data to stay and avoid waiting. It is a simple process that it will take few minutes.

MAKE YOUR CHECK-IN

We remind you that you must check-in online before your arrival. For this, we recommend that you have at hand the data and identity documents of all accommodation occupants. It is mandatory to formalize the delivery of keys of your accommodation.
(…)

Apartments2be (…) SBAM0460 Service Block Al Jazirah Al Hamra , Al Hamra Industrial Zone- FZ, United Arab Emirates

Your information has just been entered into the database. We inform you that the data provided will only be used to fulfill reservations, as well as to keep you updated with our news, promotions and offers.

Also, we would like to inform you that the company stores the personal information that you provided with your last reservation, in order to manage your future reservations with the best comfort for you and your family. All the data you have given us provided are kept secure and will not be transferred to third parties, except in the cases in which we make a reservation or have to fulfill an obligation legal.

In any case, if you do not wish to receive our news, offers and promotions, do not feel free to contact us by email: ***EMAIL.1

Finally, we inform you that according to the new regulation, you can exercise your rights of access, rectification, opposition, cancellation or elimination and limitation of data; as well as request not to be subject to individualized decisions or the delivery of your data through the right of portability, following the steps below:

- In person at the company's offices.
- Via email with a scanned copy of your passport or ID sent to email: ***EMAIL.1”

SECOND: On October 23, 2021, the complaining party sent an email to ***EMAIL.1 containing:

"Recently I have been asked for authorization to process and transfer my data personal as well as that of the 6 people who accompanied me in relation to a reservation I made of an apartment in Barcelona.

In addition to being excessive (we had to send copies of our IDs, fill out a long form and take selfies), not They gave me the option to deny consent for them to send me their offers and other products.
In accordance with the provisions of said authorization and with the regulations for the protection of data I would like to know what data they have about me, what they have obtained by following this authorization and which ones have been ceded and to whom.[…]”

On October 25, 2021, the booking department of apartments2be, from the address ***EMAIL.1, sent an email to the complaining party in which responded to the aforementioned email, indicating:

“Thank you for your email, the only data we have about you is what you provided Airbnb with: your first and last name, a phone number, and the email you received Airbnb did when you created your account and that the messages arrive in your inbox airbnb messages

The register of travelers they made is mandatory in Catalonia, it cannot be accessed to accommodation in Catalonia of any type without first carrying out a registration of travelers, there are individuals who do it by hand by filling out a piece of paper and making a photo of the client's ID that they then print and send in pdf format to the mossos, but in this way, in our opinion, it does make customer data be in our hands and suffer traceability, which is why we use the telematic mode, you uploaded your data to a platform that makes a dump on the website of the Mossos de Esquadra, practically you send them directly, we just validate an image that we see (we cannot print, download, or copy) to verify that it is correct, because it is our responsibility to collect all this data, once the data is transferred to you directly, it disappears and only they have them.

The police are not required to tell you the purpose for which they collect data from Travellers.

We have not given your data because we have never had it or we want, nor do we need them.
you can rest assured, we do not send any type of advertise to clients or campaigns”

THIRD: On October 27, 2021, the claimant filed a claim before the Spanish Data Protection Agency for understanding that the data required in the online check-in are excessive and considering that the response that has been given on October 25, 2021 is very generic.

FOURTH: It is accredited that the person in charge of the web page ***URL.1 is the claimed part.

FIFTH: The Spanish Agency for Data Protection has legally notified the party claimed the agreement to open this disciplinary proceeding, but it has not presented allegations or evidence that contradict the facts denounced.

FUNDAMENTALS OF LAW

I

By virtue of the powers that article 58.2 of the GDPR recognizes to each authority of control and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures.”

Article 3.2 of the GDPR states that "This Regulation applies to the treatment of personal data of data subjects who are in the Union by a controller or processor not established in the Union, when the activities of treatment are related to:

a) the offer of goods or services to said interested parties in the Union, regardless of whether they are required to pay,

b) the control of their behavior, to the extent that this takes place in the Union”

In the present case, the claimed party, although not established in the Union, offers a vacation rental service within the same, so
that the Agency is competent to process this file.

II

Every data controller must respect the principles contained in article 5 of the GDPR. We will highlight article 5.1.c) of the GDPR which establishes that:

"1. Personal data will be

c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");"

It must be clarified that this article does not limit the excess of data, but the need. In other words, the personal data will be "adequate, pertinent and limited to the need" for which they were collected, in such a way that if the objective pursued can be achieved without excessive data processing, this should be done in any case.

Similarly, recital 39 of the GDPR indicates that: "Personal data only should be processed if the purpose of the processing cannot reasonably be achieved by other means."

Therefore, only the data that is "adequate, relevant and not excessive in relation to the purpose for which they are obtained or processed”.

The categories of data selected for processing must be the strictly necessary to achieve the stated objective and the person responsible for the treatment must strictly limit the collection of data to that information that is directly related to the specific purpose that is intended to be achieved.

In this case, the claimed party processes various personal data such as name, surname, telephone number, email address, postal address, image of the D.N.I. on both sides. And not all of them are necessary to provide the vacation apartment rental service or to comply with the obligation to register people who stay in accommodation establishments in Catalonia required by article 2 of Order IRP/418/2010, of August 5, on the obligation of registration and communication to the General Directorate of Police of the people staying in the lodging establishments located in Catalonia.
It is in Annex I of the aforementioned Order where the data necessary for such registration is set out: identity document number, type of document, date of issuance of the same (if stated), surnames, first name, sex, nationality, date of entry, address, telephone number and expected days of stay.

From the documentation in the file there is evidence that the party claimed has violated article 5.1.c) of the GDPR, having demanded the image of the ID on both sides, in order to be able to obtain the keys to the accommodation that they have reserved, since such data is not necessary for the treatment carried out by the claimed part.

On the other hand, it should be noted that, although the complaining party indicated that the party claimed also demanded a selfie of the people who were going to stay in the apartment, this point has not been properly proven.

II

In the present case, the defendant party has not presented allegations or evidence that contradict the facts denounced within the period given for it.

In accordance with the evidence that is available and that has not been distorted during the disciplinary procedure, it is considered that the party claimed has processed data that was excessive as it was not necessary for the purpose for which they were treated.
In view of the foregoing, the facts imply a violation of what is established in Article 5.1.c) of the GDPR, which implies the commission of an offense classified in Article 83.5, section a) of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides that:

“Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:

a) the basic principles for the treatment, including the conditions for the consent in accordance with articles 5, 6, 7 and 9;”

In this regard, the LOPDGDD, in its article 71 establishes that "They constitute offenses the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”.

For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

Article 72. Offenses considered very serious.

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that entail a substantial violation of the articles mentioned therein and, in particular, the following:

a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.”

IV.

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, precepts that state:

"1.
Each control authority will guarantee that the imposition of administrative fines under this article for violations of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or in lieu of the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case shall be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the person in charge or in charge of the treatment to settle the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of the articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the potential adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, in what extent;

i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same matter, compliance with
said measures;

j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Regarding section k) of article 83.2 of the GDPR, the LOPDGDD, article 76, "Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of personal data processing.

c) The benefits obtained as a consequence of the commission of the infraction.

d) The possibility that the conduct of the affected party could have led to the commission of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the violation, which cannot be attributed to the absorbing entity.

f) The affectation of the rights of minors.

g) Having, when it is not mandatory, a data protection delegate.

h) Submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between those and any interested party.”

Taking into account the precepts transcribed, for the purpose of setting the amount of the fine to be imposed in the present case for the infraction typified in article 83.5.a) of the GDPR, it is appropriate to graduate it in accordance with the following circumstances:

As aggravating factors:

- In the activity of the claimed party, it is essential to process personal data of the people who stay in their holiday apartments (article 76.2.b) of the LOPDGDD in relation to article 83.2.k) of the GDPR).
- The intent or negligence in the infringement, since the claimed party was fully aware of the procedure implemented (article 83.2.b) of the GDPR).

Connected with the degree of diligence that the data controller is obliged to deploy in compliance with the obligations imposed by the regulations of data protection, the Judgment of the National Court of 17 of 10 of 2007 (rec. 63/2006), which, after alluding to the fact that the entities in which the development of its activity involves continuous processing of customer data and third parties must observe an adequate level of diligence, specified that "(...) the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the due diligence. And in assessing the degree of diligence, special consideration must be given to the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is of constant and abundant handling of personal data, rigor and exquisite care for complying with the legal provisions in this regard must be insisted upon” (article 83.2.b) of the GDPR).

The agreement to initiate this disciplinary procedure indicated that "The amount of the corresponding fine, without prejudice to what results from the instruction of the procedure, is €50,000 (fifty thousand euros).”

However, in view of the fact that it has not been proven that the claimed party requires a selfie of the people who are going to stay in their apartments at the time of check-in online, as well as by the balance of the circumstances contemplated, with respect to the offense committed by violating the provisions of article 5.1.c) of the GDPR, a fine of €25,000 (twenty-five thousand euros).

V

Article 13 of the GDPR regulates the information that must be provided to the interested party when the data is collected directly from it, establishing the following:

"1.
When personal data relating to him or her is obtained from an interested party, the person responsible for the treatment, at the time they are obtained, will provide you with all the information listed below:

a) the identity and contact details of the person in charge and, where appropriate, their representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data is intended and the legal basis of the treatment;

d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;

e) the recipients or categories of recipients of personal data, in their case;

f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of the transfers indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate guarantees and the means to obtain a copy of these or to the fact that they have been lent.

2.
In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing:

a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this term;

b) the existence of the right to request the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to portability of the data;

c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;

d) the right to file a claim with a control authority;

e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;

f) the existence of automated decisions, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the applied logic, as well as the importance and envisaged consequences of said treatment for the interested party.”

The information sent by the claimed party to the persons who have carried out the reservation of one of its holiday apartments is as follows:

“Your information has just been entered into the database. We inform you that the data provided will only be used to fulfill reservations, as well as to keep you updated with our news, promotions and offers.
Also, we would like to inform you that the company stores the personal information that you provided with your last reservation, in order to manage your future reservations with the best comfort for you and your family. All the data you have provided us are kept secure and will not be transferred to third parties, except in the cases in which we make a reservation or have to fulfill a legal obligation. In any case, if you do not wish to receive our news, offers and promotions, do not feel free to contact us by email: hello@***URL.1

Finally, we inform you that according to the new regulation, you can exercise your rights of access, rectification, opposition, cancellation or elimination and limitation of data; as well as request not to be subject to individualized decisions or the delivery of your data through the right of portability, following the steps below:

- In person at the company's offices.
- Via email with a scanned copy of your passport or ID sent to email: ***EMAIL.1”

Therefore, the claimed party does not send the interested parties all the information required by Article 13 of the GDPR; specifically, it would be necessary to send them:

- The identity and contact details of the person in charge and, where appropriate, their representative.
- The contact details of the data protection officer, if applicable.
- The legal basis of data processing.
- The recipients or categories of recipients of personal data, in their case.
- The period during which the personal data will be kept or, when it is not possible, the criteria used to determine this term.
- The right to file a claim with a control authority.
- If the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data.
Furthermore, the "Privacy Policy" of the claimed party states the following:

“MARKETING ACCOMMODATION SOLUTIONS FZ-LLC, with fiscal identifier 45000501 and address at: Business Park, PO Box 10055, Ras Al Khaimah UAE, cannot assume any responsibility derived from the incorrect, inappropriate or illicit information appearing on the web pages of: ***URL.1

That MARKETING ACCOMMODATION SOLUTIONS FZ-LLC is registered in the UAE Business Registry

With the limits established by law, MARKETING ACCOMMODATION SOLUTIONS FZ-LLC does not assume any responsibility derived from the lack of veracity, integrity, updating and accuracy of the data or information contained in your websites.

The contents and information do not bind MARKETING ACCOMMODATION SOLUTIONS FZ-LLC nor do they constitute opinions, advice or legal advice of any kind because it is merely a service offered for informational purposes and informative.

The Internet pages of MARKETING ACCOMMODATION SOLUTIONS FZ-LLC may contain links (links) to other pages of third parties that MARKETING ACCOMMODATION SOLUTIONS FZ-LLC. can't control. Therefore, MARKETING ACCOMMODATION SOLUTIONS FZ-LLC cannot assume responsibilities for the content that may appear on third party pages.

The texts, images, sounds, animations, software and other content included in this website are the exclusive property of MARKETING ACCOMMODATION SOLUTIONS FZ-LLC or its licensors. Any act of transmission, distribution, assignment, reproduction, storage or communication total or partial public, must have the express consent of MARKETING ACCOMMODATION SOLUTIONS FZ-LLC

Likewise, to access some of the services that MARKETING ACCOMMODATION SOLUTIONS FZ-LLC offers through the website, you must provide some personal data.
In compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of persons with regard to the processing of personal data and the free movement of these data we inform you that, by completing these forms, your personal data will be incorporated and will be processed in the MARKETING ACCOMMODATION SOLUTIONS FZ-LLC files in order to be able to provide and offer our services as well as to inform you of improvements from the website.

We also inform you that you will have the possibility at all times to exercise the rights of access, rectification, cancellation, opposition, limitation and portability of your personal data, free of charge by email to: ***EMAIL.3”

That is, the privacy policy of the claimed party is not adapted to what is established in article 13 of the GDPR, since the following information would need to be included:

- The identity and contact details of the person in charge and, where appropriate, their representative.
- The contact details of the data protection officer, if applicable.
- The legal basis of data processing.
- The recipients or categories of recipients of personal data, in their case.
- The period during which the personal data will be kept or, when it is not possible, the criteria used to determine this term.
- The right to file a claim with a control authority.
- If the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data.
From the documentation in the file there is evidence that the party claimed has violated article 13 of the GDPR, by not having sent to the people who have made the reservation of one of their holiday apartments all the information required by the aforementioned precept, nor has it adapted its privacy policy to what is established in the aforementioned article.

VI

In the present case, the defendant party has not presented allegations or evidence that contradict the facts denounced within the period given for it.

In accordance with the evidence that is available and that has not been distorted during the disciplinary procedure, it is considered that the party claimed has not complied with the obligation to send the interested party all the information which article 13 of the GDPR includes.

In view of the foregoing, the facts imply a violation of what is established in Article 13 of the GDPR, which implies the commission of an offense classified in Article 83.5, section b) of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides that:

“Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:

b) the rights of the interested parties in accordance with articles 12 to 22;”

In this regard, the LOPDGDD, in its article 71, establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law, constitute offenses”.

For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

Article 72. Offenses considered very serious.

"1.
Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following:

(…)

h) The omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.”

VII

For the purposes of setting the amount of the fine to be imposed in this case for the infringement typified in article 83.5.b) of the GDPR, it is necessary to graduate it in accordance with the following circumstances:

As aggravating factors:

- In the activity of the claimed party, it is essential to process personal data of the people who stay in their holiday apartments (article 76.2.b) of the LOPDGDD in relation to article 83.2.k) of the GDPR).
- The intent or negligence in the infringement, since the claimed party is fully aware of its privacy policy.

Connected with the degree of diligence that the person responsible for the treatment is obliged to deploy in the compliance with the obligations imposed by the data protection regulations, the Judgment of the National Court of 10/17/2007 (rec. 63/2006), which, after alluding to the fact that the entities in which the development of their activity involves continuous processing of customer data and third parties must observe an adequate level of diligence, specified that "(...) the Supreme Court has understood that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence.
And in assessing the degree of diligence, special consideration must be given to the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data, the rigor and exquisite care to adjust to the legal precautions in this regard must be insisted upon” (article 83.2.b) of the GDPR).

The balance of the circumstances contemplated, with respect to the infraction committed by violating the provisions of article 13 of the GDPR, allows setting a fine of €50,000 (fifty thousand euros).

VIII

The text of the resolution establishes which have been the infractions committed and the facts that have given rise to the violation of the regulations for the protection of data, from which it is clearly inferred what are the measures to adopt, without prejudice that the type of procedures, mechanisms or concrete instruments to implement them corresponds to the sanctioned party, since it is the person responsible for the treatment who fully knows its organization and has to decide, based on the proactive responsibility and risk approach, how to comply with the GDPR and the LOPDGDD.

Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE MARKETING ACCOMMODATION SOLUTIONS FZ, L.L.C., with fiscal identifier 45000501, for the infraction:

- From article 5.1.c) of the GDPR, typified in article 83.5.a) of the GDPR, a fine of TWENTY-FIVE THOUSAND EUROS (€25,000).
- From article 13 of the GDPR, typified in article 83.5.b) of the GDPR, a fine of FIFTY THOUSAND EUROS (€50,000).

SECOND: NOTIFY this resolution to MARKETING ACCOMMODATION SOLUTIONS FZ, L.L.C.
THIRD: Warn the penalized person that they must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its income, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the restricted account IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: XXXXXXXXXXXX), opened on behalf of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its collection in executive period.

Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th day of the following or immediately following business month, and if between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month counting from the day following the notification of this resolution or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3.a) of the LPACAP, the firm resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.

938-181022
Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es