AEPD (Spain) - EXP202300692

From GDPRhub
Revision as of 15:18, 24 June 2024 by Lm (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202300692 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00435-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202300692
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Complaint
Outcome: Upheld
Started: 12.12.2022
Decided:
Published: 20.06.2024
Fine: 42,000 EUR
Parties: CUI ZSQ FOOD, S.L.
National Case Number/Name: EXP202300692
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

A controller violated the GDPR’s confidentiality principle when one of its supervisors sent video surveillance footage of a data subject leaving their post for a longer bathroom break to a workplace group chat. The controller acknowledged its fault and paid a reduced fine of €120,000 in accordance with national law.

English Summary

Facts

On 12 December 2022, a data subject filed a complaint with the Spanish DPA (AEPD) against CUI ZSQ FOOD, S.L. (the controller) concerning the controller’s video surveillance system. The data subject alleged that the controller used the video surveillance to observe an employee’s absence from his post to use the toilet for 18 minutes and sent the footage to employees in a WECHAT group chat. The video was sent with a caption stating that it observed the employee using the toilet for 18 minutes. It asked the employees if they all thought that it was fair to do so, and if not, that the employee should have the money subtracted from his pay.

The controller argued that the message in the WECHAT group was the result of an angry outburst by the controller’s production overseer due to the employee’s prolonged absence. It did not admonish any employee because it considered that the only purpose of the message was to remind the workers that they should respect the company’s obligations for employees. The controller argued that no employee was identified in the message by name, and that it was not possible to identify the employee from the footage due to its quality.

The AEPD noted that the controller’s facility had several signs indicating a video surveillance zone prior to entering the recorded space. Its alleged purpose for the surveillance was monitoring the security of the workplace and employees, the quality of the products and the work of the employees. The controller claimed that all employees were given a privacy policy which mentioned the video surveillance system and these purposes. The retention period for video surveillance data was 30 days.

Holding

The AEPD found that the controller violated Article 5(1)(f) GDPR when one of its employees sent a video of the data subject to a WECHAT group. The distribution of the video surveillance footage lacked a legal basis and violated the confidentiality of the data subject’s personal data, along with the other employees visible in the video.

The AEPD recommended a sanction of €70,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €42,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12











     File No.: EXP202300692

       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                    VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                  BACKGROUND


FIRST: On May 28, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against CUI ZSQ FOOD, S.L.
(hereinafter, the claimed party), through the Agreement transcribed:


<<


File No.: EXP202300692



            AGREEMENT TO START SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in

based on the following

                                      FACTS

FIRST: On December 12, 2022, a claim was filed with the

Spanish Data Protection Agency directed against CUI ZSQ FOOD, S.L. with
NIF B16277311 (hereinafter, the claimed part). The reasons on which the
claim are the following:

The complaining party states that he works in the claimed party and that in his

facilities have a video surveillance system that has been used by the
company, in the event of a person's absence for a period of 18 minutes from their
job, to threaten employees at work through a group
of the mobile phone application WE CHAT, showing two videos alluding to the period

absence of said person.

Along with the claim, a copy of the videos published in the chat and images are provided.
of the chat, in Chinese language, and translation into Spanish carried out by a translator-interpreter
Chinese jury.


The chat is called “Grupo cui zsq food noodle factory (35)”.

On May 19 11:57 A.A.A. sent a video. He also sent a voice message with the
following content: “Hello to the entire group, in this video you can see one of you

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








going to the bathroom at 9:00 at night, this is when it starts to go, it's not clear
who is it. It goes at 9:00 and comes back at 9:18, this period of time, how is that. Yeah
You all agree with that, well, if you don't, let him get the money."


Next, that person sends another voice message, with the following content:
“I'm sending you another video, this is from when he comes back.” And send a video.

Then send a new voice message, with the following content: “This is the video
Afterwards, when he comes back, it's 9:18 and a few seconds, look, he's from the group of

B.B.B.”

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to

to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations

Public (hereinafter, LPACAP), was collected on 01/20/2023 as stated in the
acknowledgment of receipt that appears in the file.

On 02/15/2023, this Agency received a written response indicating that the
The number of cameras in the surveillance system is a total of (…).


As document no. 1 annex, photographs of all the devices are provided.
(…). The first photograph shows the monitor, where the field of vision of
all devices. The first field of view image that appears on the
monitor corresponds to camera 1, the second image corresponds to camera 2, and so on

successively.

As document no. 2 annex, photographs of all devices and
of the monitor of (…).

The monitor is located in (…).


The measures taken to ensure that only authorized personnel access the
images and recordings are:
- (…).
- (…).


It is provided as document no. 3, the photographs of the signs that warn of the
existence of a video-surveillance area. These signs are installed in the part
exterior of all access doors to warehouses where there are cameras
(regardless of whether the cameras are located inside or outside the ships),

and one at the entrance to each enclosure.




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12








There is no contract in written form for the maintenance of the security system.
video surveillance. If there is any breakdown, the services of the
installer.


The recording time of the surveillance system images depends on the
capacity of the device, but the maximum is 30 days.

Regarding the requirement for information on the dissemination of two videos via application
WECHAT messaging service, it is reported that recently reviewed the

conversations held in the WECHAT group, it has not been possible to locate the
videos that are mentioned. Furthermore, in this group of workers of the
company only communicate in the Chinese language, which is unknown to
who answers the transfer of the claim, so to date there had not been any
able to carry out further investigations.


THIRD: On 02/20/2023, additional information was requested from the claimed party.

This request, which was carried out in accordance with the rules established in the LPACAP, was
collected on 02/20/2023 as stated in the acknowledgment of receipt that is in the
proceedings.


On 02/24/2023, this Agency received a written response indicating that the
The purpose of the installed video surveillance system is the security of the
facilities and the workers themselves, monitoring the quality control of the
products, as well as verify compliance with the obligations and duties of the

workers.

Indicates that all workers are given a policy document
of privacy of labor relations, in which, among other things, they are informed of the
existence of a video surveillance system and its purpose, that is, the

compliance with the obligations and duties of workers.

All the privacy policy documents of
labor relations signed by current workers.

Clear images of the captures made by each one are provided as Annex II.

of the chambers of (…); and as Annex III, same images from (…).

Regarding the dissemination of two videos in the group of workers in the application
WECHAT, after reviewing the images provided by the AEPD, conclude that
These videos and conversations are the result of a hot reaction on the part of the

person in charge of monitoring production, in case of absence for a period of time
of someone in their workplace, a fact that results in a
noticeable damage to the company and other workers.

It is explained that no worker was sanctioned or reprimanded for this

event, since the objective was none other than to remind all workers of the
importance of respecting the rules established for the proper functioning
of the company. As can be seen in the WECHAT conversations provided
By the AEPD, no worker is identified by name or surname.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12









It is also not possible to identify any worker through the images
provided, given their quality, being that the only thing that is seen in the

same, is a worker returning to his job after hours, but without
identification may be possible, since the resolution of the cameras does not allow it, since
These are only intended to control the number of employees working on the line
of production at all times.

FOURTH: On 03/08/2023, additional information was requested again from the party

claimed.

This new request, which was carried out in accordance with the rules established in the
LPACAP, was collected on 03/08/2023 as stated in the acknowledgment of receipt that
work in the file.


On 03/10/2023, this Agency received a written response indicating that
He was notified of a requirement to again provide images of the field of vision of
the cameras, corrected in such a way that they do not focus on other people's properties.

That in order to evacuate said requirement, annexes are provided with the images of

the fields of view after having reoriented the cameras.

It is emphasized that some of the rustic lands that appear in the fields of
vision of some cameras (those identified in the annexes with a red arrow),
are also owned by the claimed part or are even part of the property itself.

ship enclosure.

FIFTH: On March 12, 2023, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.


SIXTH: On March 15, 2023, the Director of the Spanish Agency for
Data Protection resolved to archive the proceedings considering that they were not
appreciated reasonable indications of the existence of an infringement in the area
competence of this Agency.

SEVENTH: On April 14, 2023, the claimant filed an appeal

power of reconsideration against the aforementioned resolution, in which he alleges that
unjustifiably disclosed a security video without the consent of the
workers as a way to intimidate at work. Furthermore, in these images
can see and identify the person, so it should be considered a violation
of the Data Protection Law and, furthermore, in the employment contract

there is no communication regarding data protection and even less than the possibility
recording images and disseminating them among employees. Regarding the posters of
information, its implementation must have been after its removal, since before
They didn't exist. In short, it is alleged that said installation does not comply with the guide on
the use of video surveillance by this Agency. The

sworn translation of the WECHAT group including the videos among others
documentation.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12








EIGHTH: On September 7, 2023, by virtue of article 118 of the
LPACAP, a hearing procedure was granted to the claimed party so that within the period
maximum of ten business days to formulate the allegations and present the documents and

supporting documents that you deem appropriate.

This procedure, which was carried out in accordance with the standards established in the LPACAP, was
collected on 09/08/2023 as stated in the acknowledgment of receipt that is in the
proceedings.


On September 15, 2023, this Agency receives, in a timely manner,
writing from the claimed party in which it alleged allegations to the aforementioned appeal. In these
allegations, in summary, stated that:

    - The documents provided by the complaining party with its appeal document

       They are copies of the conversations already included in the original file and the
       The claimed party has already clarified everything that was considered necessary in this regard,
       having finally agreed to archive the proceedings due to the lack
       of rational indications of the existence of an infringement in the area
       jurisdiction of the AEPD, since no evidence was provided by the party
       complainant that no worker in the alleged video was identified

       concrete.

    - The allegations made by the complaining party in its appeal are
       are limited to being a mere reproduction of those formulated in the initial claim,
       but without alleging error in the assessment of the evidence by the Administration or

       challenge any of the grounds of its resolution.


    - In accordance with art. 118.1 of the Common Administrative Procedure Law, it is not
       may take into account in the resolution of the appeal, facts, documents or
       allegations of the appellant, when having been able to contribute them in the process of

       allegations he has not done so.

NINTH: On September 19, 2023, the Director of the Spanish Agency
of Data Protection decided to uphold the aforementioned optional appeal for reconsideration,
based on the fact that the dissemination in a messaging application of a video in which

identifies a female person in their work environment who is absent from work
temporary form of his position and rejoining minutes later, without there being a
legal basis that supports said treatment, is contrary to the regulations of
Data Protection.


This resolution, which was notified to the claimed party in accordance with the regulations
established in the LPACAP, was collected on September 28, 2023, as
It appears in the acknowledgment of receipt that is in the file.

TENTH: According to the report collected from the AXESOR tool on December 13
May 2024, the entity CUI ZSQ FOOD, S.L. It is a type company (…)

established in 2009, and had XX employees and a turnover of
***QUANTITY.1 euros in 2022.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12








                            FOUNDATIONS OF LAW

                                            Yo

                                      Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                            II

                                   Previous issues

In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD,
involves processing personal data, since the party
claimed collects and preserves images of its workers, including

other treatments.

The claimed party carries out this activity in its capacity as responsible for the
treatment, given that it is the one who determines the purposes and means of such activity, by virtue
of article 4.7 of the GDPR.


                                           III
                  Unfulfilled obligation. Integrity and confidentiality

Article 5 “Principles relating to processing” of the GDPR establishes:


"1. The personal data will be: (…)
   f) processed in such a way as to ensure adequate data security
   personal data, including protection against unauthorized or unlawful processing and
   against its loss, destruction or accidental damage, through the application of measures
   appropriate technical or organizational measures (“integrity and confidentiality”).”


In the present case, as can be seen from the facts, A.A.A. shipped on May 19
2022 to a WECHAT group with all its employees a video in which you can
see a person leaving their job and another video in which that person
person returns. As recognized by the claimed party in its allegations, said
person was in charge of monitoring production, whose conduct qualifies

as a hot reaction (...) to the absence for a prolonged time of
someone in their workplace, a fact that results in significant harm to
the company and the other workers.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12









However, such dissemination lacked any legal basis and violated the
confidentiality of the personal data of the aforementioned worker as well as the rest of the

employees visible in the recording.

Therefore, in accordance with the evidence available herein
moment of agreement to start the sanctioning procedure, and without prejudice to what
results from the instruction, it is considered that the known facts could be
constituting an infraction, attributable to the claimed party, for violation of the

article 5.1.f) of the RGPD.

                                            IV
          Classification and classification of the violation of article 5.1.f) of the RGPD


The known facts could constitute an infringement, attributable to the party
claimed, typified in 83.5 RGPD, which under the heading “General conditions
for the imposition of administrative fines” provides:
"5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the

global total annual business volume of the previous financial year, opting for
the largest amount:
       a) the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9; (…)”


For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72 of the LOPDGDD, which qualifies as very
serious the following behavior:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,

considered very serious and will prescribe violations that involve three years
a substantial violation of the articles mentioned therein and, in particular, the
following:

       a) The processing of personal data violating the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679. (…)”


                                            V
                                 Sanction proposal

For the purposes of deciding on the imposition of an administrative fine and its amount,

in accordance with the evidence currently available
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with
the following criteria established by article 83.2 of the RGPD:


       - The nature, severity and duration of the infraction, taking into account the
       nature, scope or purpose of the processing operation in question
       as well as the number of interested parties affected and the level of damage and
       damages they have suffered (section a): due to the improper dissemination of two

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12








       videos in which you can see a worker who was absent and returned to her
       job, as well as other workers on the production line, in
       a chat with all employees (at least 51 employees in 2022) of the

       company, with the presumed intention of warning - upon being classified as fact
       as a notable detriment to the company and other workers -, in order to
       to avoid possible similar behavior from other workers.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
following criteria established in section 2 of article 76 “Sanctions and measures

“corrective measures” of the LOPDGDD:

       - The linking of the offender's activity with the performance of treatments
       of personal data (section b): this is a company used to
       capturing images of its, at least, 51 workers in 2022, when counting

       with 37 cameras in its facilities.

The balance of the circumstances contemplated in article 83.2 of the RGPD, with
regarding the infraction committed by violating the provisions of article 5.1.f) of the
RGPD, allows initially setting an administrative fine of €70,000
(SEVENTY THOUSAND EUROS).


                                          V
                                Adoption of measures

If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of

appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a

specified period…” The imposition of this measure is compatible with the sanction
consisting of an administrative fine, as provided in art. 83.2 of the GDPR.

It is warned that failure to comply with the possible order to adopt measures imposed by
This body in the sanctioning resolution may be considered as a
administrative offense in accordance with the provisions of the RGPD, classified as

infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,

HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against CUI ZSQ FOOD, S.L., with
NIF B16277311, for the alleged violation of article 5.1.f) of the RGPD, typified in the
article 83.5 of the GDPR.


SECOND: APPOINT C.C.C. as instructor. and, as secretary, to D.D.D.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12








articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Inspection of
Data in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1

October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be an administrative fine of €70,000
(SEVENTY THOUSAND EUROS), without prejudice to what results from the instruction.

FIFTH: NOTIFY this agreement to CUI ZSQ FOOD, S.L., with NIF

B16277311, granting him a hearing period of ten business days to formulate
the allegations and present the evidence that you consider appropriate. In his writing of
allegations must provide your NIF and the file number that appears in the
heading of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same

may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your

responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 56,000.00 euros, resolving the
procedure with the imposition of this sanction.


Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at 56,000.00 euros and its payment will imply termination
of the procedure, without prejudice to the imposition of the corresponding measures.


The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 42,000.00 euros.

In any case, the effectiveness of any of the two mentioned reductions will be

conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12








In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (56,000.00 euros or 42,000.00 euros), you must make it effective

by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of
Data Protection in the banking entity CAIXABANK, S.A., indicating in the
concept the reference number of the procedure appearing in the heading
of this document and the reason for the reduction of the amount to which it applies.


Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.


The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After this period, its expiration will occur and, in
consequently, the archive of actions; in accordance with the provisions of the
article 64 of the LOPDGDD.


Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.


                                                                             935-18032024
Sea Spain Martí
Director of the Spanish Data Protection Agency


 >>

SECOND: On June 13, 2024, the claimed party has proceeded to pay
the penalty in the amount of 42,000 euros making use of the two reductions

provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
The opening of the procedure entails the renunciation of any action or appeal pending.

administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.



                           FOUNDATIONS OF LAW


                                           Yo
                                    Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12








of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                           II

                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction has only a pecuniary nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the

compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.

The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
“regularly.”


According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202300692, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to CUI ZSQ FOOD, S.L..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12










National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the

day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                                       936-040822
Sea Spain Martí
Director of the Spanish Data Protection Agency
























































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es