AEPD (Spain) - EXP202309054
| AEPD - EXP202309054 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(a) GDPR, Article 13 GDPR, Article 32 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 20.08.2023 |
| Decided: | 13.11.2024 |
| Published: | 13.02.2025 |
| Fine: | 100,000 EUR |
| Parties: | Atrium Lex SFC |
| National Case Number/Name: | EXP202309054 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | cwa |
A controller was fined €100,000 for failing both to adequately inform the data subject and to implement appropriate security measures when requesting a copy of the data subject’s ID by email.
English Summary
Facts
The data subject was an investor with the controller, Atrium Lex SFC, a company which specialises in real estate investment projects. On 28/06/2022, the data subject requested information about his portfolio from the controller. In its response, the controller requested a scanned copy of the data subject’s DNI (national identity card), to be sent by email, without providing any information as to how this data would be processed. Following an email exchange with the data subject, the controller continued to request the DNI via email, again offering no information as to the nature of the processing.
On 20/05/2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller. The data subject complained that he had not been informed about the processing, that the controller had provided no privacy policy, and that email is an insecure and inappropriate medium for sending a scanned identity document.
The controller initially failed to respond to the AEPD’s request for a response. When it did, it claimed that, as sole administrator of the companies in which the data subject had invested, requiring the data subject’s DNI was a necessary measure to ensure that access to investment-related information was limited to investors. It denied having breached data protection law and stated that it would implement the AEPD’s guidelines and improve its internal processes.
The AEPD opened a formal investigation on 20/08/2023.
Holding
The AEPD found that the controller had committed two violations of the GDPR.
Firstly, it found that the controller had failed to adequately inform the data subject about the processing in question, in violation of Articles 5(1)(a) and 13 GDPR, because the controller had provided the data subject with no information about the processing when requesting his DNI. The controller also did not have a privacy policy in place and did not clarify to the data subject, at the time of data collection, the legal basis for the processing, the envisaged retention period, whether the data would be shared with third parties, or the existence of the data subject’s rights under the GDPR.
Secondly, the AEPD found that the controller had failed to implement appropriate technical and organisational measures to ensure the security of processing, in violation of Article 32 GDPR. The AEPD noted that email is an insecure medium for such a transmission, and that a copy of the data subject’s DNI is highly sensitive personal data.
The AEPD issued an administrative fine of €100,000 against the controller: €50,000 for the infringement of Article 13 and a further €50,000 for the infringement of Article 32(1).
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202309054
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: D. A.A.A. (hereinafter the complaining party) on 05/20/2023 filed a claim with the Spanish Data Protection Agency. The claim is directed against ATRIUM LEX SFC, S.L. with NIF B87634564 (hereinafter the respondent party). The reasons on which the claim is based are the following: the complainant states that the respondent manages various real estate projects in which different investors participate, the complainant having the status of investor in several of the projects managed by the respondent, indicating that, when requesting information on said projects, a copy of the applicant's ID is requested, without information on the data processing to be carried out. The complainant provides a copy of the emails exchanged with the respondent entity, in which the complainant requests information on various projects managed by the respondent party and the latter requests that the complainant provide a copy of his ID to verify his identity as an investor in said projects.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), on 06/29/2023 said claim was transferred to the respondent party, so that it could proceed with its analysis and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP) by electronic notification, was not collected by the person responsible within the period of availability, and was understood to be rejected in accordance with the provisions of art. 43.2 of the LPACAP on 10/07/2023, as stated in the certificate in the file. Although the notification was validly carried out by electronic means, considering the procedure carried out in accordance with the provisions of article 41.5 of the LPACAP, for information purposes a copy was sent by post, which was duly notified on 11/07/2023. In said notification, the respondent was reminded of its obligation to interact electronically with the Administration, and was informed of the means of access to said notifications, reiterating that, from then on, it would be notified exclusively by electronic means.

On 02/08/2023, the respondent responded stating, in summary, the following: that the claimant is a partner in three companies of which the respondent holds the status of sole administrator and therefore, in his capacity as administrator of the company, in accordance with current legislation, he is responsible for the Entity's Register of Partners. That the company, as administrator and responsible for the Register of Partners, has not breached any precept that affects the privacy of the partners and that it will reinforce its procedures and proceed to include the use of the free tools provided by the Spanish Data Protection Agency.

THIRD: On 08/20/2023, in accordance with article 65 of the LOPDGDD, the claim filed by the complaining party was admitted for processing.

FOURTH: On 12/27/2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party for the alleged violation of articles 13 and 32.1 of the GDPR, classified in articles 83.5.a) and 83.4.a) of the GDPR, with fines of €50,000 (fifty thousand euros) each.
FIFTH: After notification of the start agreement, dated 01/19/2024, the respondent party submitted a written statement of allegations, stating in summary the following: that the claim made by the claimant has its origin in his status as a partner in three companies of which the respondent holds the status of sole director; that the claimant addressed the respondent in his capacity as investor, although he acknowledged that he had been mistaken when saying in which projects he was an investor, a reason that further deepened the need to confirm his identity; that the facts declared in his claim by the claimant are false and constitute a possible crime of false reporting; and it requests testimonial evidence.

SIXTH: On 03/10/2024, a period of evidence practice began, the following being agreed:
- To reproduce for evidentiary purposes the claim filed by the claimant and its documentation, and the documents obtained and generated by the Inspection Services that are part of the file.
- To reproduce for evidentiary purposes the allegations to the initiation agreement presented by the respondent party and the documentation that accompanies them.
- To request from the respondent: the Privacy Policy or Legal Notice of the company, the measures implemented to adapt it to article 13, the implementation dates and the controls carried out to verify their effectiveness; the Record of Processing Activities; and the Risk Analysis and Impact Assessment in the processing of data.
- On the other hand, in relation to the requested testimony, the respondent was informed, as regards the claimant's statement about the motivation of the claim, that it is not the AEPD's competence to investigate or find out the psychological stimuli or reasons that lead to filing a claim or complaint with it; its competence is limited to determining whether or not the conduct may be subject to reproach for not being in accordance with the regulations on the protection of personal data. And in relation to the statement of the administrator of the Companies that are the subject of the file, as well as the confrontation between said party and the claimant, they were considered irrelevant and not appropriate for the purposes of the resolution of the present sanctioning procedure.
- The complainant was asked to provide documentation proving his status as an investor and the projects in which he participates, and whether he was registered as a user on the Housers Global Properties PFP, S.L. Crowdfunding Platform.

On 10/03/2024, the complainant responded to the evidence requested, the content of which is included in the file.

SEVENTH: On 11/13/2024, a Resolution Proposal was issued to the effect that the Director of the Spanish Data Protection Agency would sanction the respondent for violation of articles 13 and 32.1 of the GDPR, with a fine of €50,000 (fifty thousand euros) each. On 10/12/2024, the respondent party submitted a written statement of allegations against the Resolution Proposal, alleging in summary: the position of the respondent party in relation to the processing of personal data and the alleged violation of article 13 of the GDPR; on the alleged violation of article 32.1 of the GDPR; the violation of the principle of proportionality; and that a resolution be issued agreeing to file this procedure.

EIGHTH: From the actions carried out in this procedure, the following have been proven:

PROVEN FACTS

FIRST. On 05/20/2023, the AEPD received a complaint letter from the complaining party in which it states that the respondent party manages real estate projects in which different investors participate, the complaining party having the status of investor in some of the projects, indicating that, when requesting information about them, he was asked to provide a copy of his ID, without being informed about the data processing to be carried out.

SECOND. Emails exchanged between the parties are provided:
- 06/28/2022 The complaining party: “(…) I would like to know the status of accounts and whether or not the projects ***PROJECT.1 and ***PROJECT.2 are rented and for sale. (...). (…)”
- 07/04/2022 The respondent party: “(…) In order to confirm that you appear in the membership database of said project, we would need you to send us your scanned ID so that we can compare it and provide you with the information. (…)”
- 07/04/2022 The complainant party: “(…) I was wrong, I do not have a stake in ***PROJECT.2, I would like to receive information on ***PROJECT.1 and ***PROJECT.3, thank you. (…)”
- 07/12/2022 The complainant: “(…) I would also like to know the status of the project ***PROJECT.4 and propose a meeting to set a market price so that I do not pay for the apartment to the tenants who will live very well paying for it for several years. (…)”
- 09/13/2022 The complainant: “(…) I am a partner in the companies that I have been requesting documents from since June, I understand that it has been misplaced and you send it immediately. Thank you. (…)”

THIRD. The respondent party in a letter dated 02/08/2023 has stated that “The claim made by the claimant has its origin in his status as a partner of three companies of which the respondent holds the status of sole administrator and therefore, in his status as administrator of the company, in accordance with current legislation, we are responsible for the Entity's Register of Partners. In response to the request of the claimant, it is the administrator's obligation to verify the identity of the persons who request data in their capacity as partners, for which reason he is requested to justify his identity and this has been explained to him in the email that the claimant himself attached, where the processing of the data requested for comparison is explained” (the underline corresponds to the AEPD).

FOURTH. The claimant party in a letter dated 04/01/2024 has provided information as an investor in certain projects.

FIFTH. The respondent party has not responded to the evidence requests in which it was asked to provide the Privacy Policy or Legal Notice and the measures implemented to adapt it to article 13 of the GDPR, the controls carried out to check its effectiveness, and the RAT (Record of Processing Activities) and the Risk Analysis and Impact Assessment carried out in the processing of data.

LEGAL BASIS

I Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II Powers of the supervisory authority

Article 58 of the GDPR, Powers, states: “2. Each supervisory authority shall have all of the following corrective powers: (…) d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (…) (i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of each particular case; (…)”

III Arguments to the Proposed Resolution
1. The respondent has submitted allegations regarding the alleged violation of Article 13 of the GDPR.

The respondent states in its written allegations that the complainant is an investor in certain investment projects developed by the entity Housers Global Properties PFP, S.L., the respondent being the administrator of the aforementioned projects, and that it therefore has the status of data processor in relation to the cited entity.

However, such arguments cannot be accepted. It should be noted that the responding party has not provided any evidence to support its argument. The aforementioned allegation is not supported by any evidence; it merely points out that the duty to inform in accordance with article 13 of the GDPR lies with the data controller, an issue that, in its view, therefore does not concern it as processor.

Article 4 of the GDPR, Definitions, in its section 8 defines the “processor”: "the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

Article 28 of the GDPR, Processor, establishes that:

“1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor: (a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (b) ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (c) takes all measures required pursuant to Article 32; (d) respects the conditions referred to in paragraphs 2 and 4 for engaging another processor; (e) taking into account the nature of the processing, assists the controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III; (f) assists the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the processor; (g) at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data; (h) makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller. With regard to point (h) of the first subparagraph, the processor shall immediately inform the controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Where a processor engages another processor for carrying out specific processing activities on behalf of the controller, the same data protection obligations as set out in the contract or other legal act between the controller and the processor as referred to in paragraph 3 shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation. Where that other processor fails to fulfil its data protection obligations, the initial processor shall remain fully liable to the controller for the performance of that other processor's obligations.

5. Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

6. Without prejudice to an individual contract between the controller and the processor, the contract or the other legal act referred to in paragraphs 3 and 4 of this Article may be based, in whole or in part, on standard contractual clauses referred to in paragraphs 7 and 8 of this Article, including when they are part of a certification granted to the controller or processor pursuant to Articles 42 and 43.

7. The Commission may lay down standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the examination procedure referred to in Article 93(2).

8. A supervisory authority may adopt standard contractual clauses for the matters referred to in paragraphs 3 and 4 of this Article and in accordance with the consistency mechanism referred to in Article 63.

9. The contract or the other legal act referred to in paragraphs 3 and 4 shall be in writing, including in electronic form.

10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing.”

And the LOPDGDD in its article 33, Data processor, establishes that: “(…) 2. The data controller, and not the data processor, shall be considered to be the person who, on his or her own behalf and without it being clear that he or she is acting on behalf of another, establishes relations with the data subjects, even when there is a contract or legal act with the content set out in article 28.3 of Regulation (EU) 2016/679. This provision will not be applicable to processing orders carried out within the framework of public sector contracting legislation. Anyone who appears as the data processor and uses the data for his or her own purposes will also be considered the data controller.”
As previously indicated, there is no document or evidence confirming that the respondent party acted as the data processor for Housers; moreover, neither in the request for information made by the acting inspector nor in the allegations subsequent to the start agreement has it made any statement or allegation in this regard. Furthermore, both in the preliminary action phase and in the evidentiary phase it was required to provide its “Privacy Policy”, the date(s) of its implementation, the measures implemented to adapt it to article 13 of the GDPR and the controls carried out to verify its effectiveness, without providing documentation or giving any response to the aforementioned requests.

This lack of cooperation does not seem to be very compatible with Article 5.2 of the GDPR, which states: “2. The controller shall be responsible for compliance with the provisions of paragraph 1 and able to demonstrate it ('proactive responsibility').” The respondent party is obliged to carry out appropriate activities to comply with the data protection principles and to be able to demonstrate its compliance.

2. The respondent has submitted allegations regarding the alleged violation of Article 32.1 of the GDPR.

The respondent considers that the Resolution Proposal is based on a false premise, since the complainant was not required to send a copy of the scanned ID card by email and, therefore, it cannot be charged with infringing Article 32.1 of the GDPR, since at no time did the respondent make any reference or mention in the aforementioned email to the channel through which the documentation proving identity should be sent; it merely limited itself to requesting a copy of the ID card.
However, such an argument cannot be accepted. The respondent party, in its reply email to the complainant requesting information on the projects in which he participated as an investor, states: “(…) In order to confirm that you appear in the partner database of said project, we would need you to send us your scanned ID so that we can compare it and provide you with the information. (…)”

It is true that the cited text does not state that the copy of the scanned ID is to be sent via email, although such a condition is understood, since the communications between the two were being carried out through said channel. And it is also true that, if at no time did the respondent party mention the channel through which the complainant should send the aforementioned documentation (scanned copy of the DNI), this must be understood as meaning that the channel in use, email, was considered valid and appropriate, because otherwise it would have offered the complainant another means or alternative channel to do so; in this case, in view of the response offered, if it did not offer the opportunity to send it by another means, it was because it was assuming that email was the appropriate and pertinent channel for this.

Finally, the respondent party appears to contradict itself because, having alleged the above, it states that the security of its communications is duly guaranteed by having contracted the Office 365 service for the provision of email services, whose email application, as described by the CCN (Centro Criptológico Nacional), has implemented guarantees aimed at ensuring the security of email, in order to prevent its integrity from being affected.
However, this is not true either, because communications via email are carried out in "clear text", which means that if the communication is intercepted, the data sent can be accessed; what Office 365 truly guarantees is that the deposit or storage of emails in its systems is safe, because it has implemented adequate security measures, but not that the transmission of said emails is safe.

3. The respondent party has alleged the violation of the principle of proportionality.

The respondent alleges that, in the event that it is considered that there has been a breach of the data protection regulations, the principle of proportionality must be particularly taken into account when determining the sanction that could be imposed.

It should be noted that article 83.1 of the GDPR provides that “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive”. The fines, therefore, according to the provision invoked, must be effective, proportionate and dissuasive in order to achieve the purpose intended by the GDPR. It is true that, for this system to work with all its guarantees, several elements need to be deployed in a complete and comprehensive manner.
The application of rules outside the GDPR regarding the determination of fines, with each Member State applying its national law, whether due to aggravating or mitigating circumstances not provided for in the GDPR (or in the LOPDGDD in the Spanish case, as the GDPR itself allows), would reduce the effectiveness of the system, which would lose its meaning, its teleological purpose and the will of the legislator, with the result that the fines imposed for different infringements would cease to be effective, proportionate and dissuasive. In this way, the interested parties would also be deprived of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. The mechanisms for protecting the rights and freedoms of citizens would be reduced, and this would be contrary to the spirit of the GDPR. The GDPR is endowed with its own principle of proportionality, which must be applied in its strict terms.

Regarding the principle of proportionality of sanctions, the National Court has pointed out in numerous judgments that the principle of proportionality cannot be exempt from judicial control, since the margin of appreciation granted to the Administration in the imposition of sanctions within the limits legally provided must be exercised by weighing in all cases the concurrent circumstances, in order to achieve the necessary and due proportion between the alleged facts and the liability required, given that any sanction must be determined in accordance with the seriousness of the infringement committed and according to a criterion of proportionality in relation to the circumstances of the fact. Thus, proportionality constitutes a normative principle that is imposed on the Administration and that limits the scope of its sanctioning powers.
Well, in accordance with the circumstances of the present case, which have been meticulously evaluated, this resolution does not violate the principle of proportionality in determining the sanctions imposed; it results in a decision that is balanced and proportionate to the seriousness of the infringements committed, the importance of the facts and the circumstances taken into account to grade the sanction, without any reasons being appreciated that would justify a further reduction, especially taking into account the amounts to which said sanctions may rise in accordance with article 83.5 of the GDPR, which provides, for the infringement of article 13 of the GDPR, “administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, or in the case of Article 32.1 of the GDPR, in accordance with Article 83.4 of the GDPR, “4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher”.

- In its statement of allegations, the respondent party has stated that it requested and processed the data of the interested party in compliance with the procedures of Housers, in its name and on its behalf. However, the respondent party has not provided any evidence to prove what is alleged, quite apart from the fact that it is not credible that anyone would request a copy of the DNI from third parties in the name and on behalf of another.
Furthermore, the respondent party, who holds the status of sole administrator of the company, in the response to the start agreement dated 01/19/2024, stated that: "Having said this, we must emphasize that at the request of the claimant, or any investor, it is the administrator's obligation to verify the identity of the persons requesting data in their capacity as partners or investors, for which reason they are requested to justify their identity and this has been explained to them in the email that the claimant himself attached, where the treatment of the data requested for comparison is explained to him. 2. That the complainant contacted this entity in his capacity as an investor in the projects he refers to in his emails, although he admits that he was “mistaken” when he said which projects he was an investor in, a reason that further deepens the need to confirm his identity, …"

That is to say, the request for a copy of the ID was related to the accreditation of the identity of the complainant, in his capacity as an investor in different projects, before the sole administrator of the company. And it was already indicated to the respondent in the Resolution Proposal that, in principle, the request for a copy of the ID could have a legitimate purpose, since what was involved was to verify the status of the complainant as an investor; however, it does not appear that he was informed in accordance with the provisions of article 13 of the GDPR, that is to say, that he was provided with any information in relation to the processing of his personal data. The same idea is reiterated in the Recitals of the GDPR.
Thus, Recital 61 indicates that “Data subjects must be provided with information about the processing of their personal data at the time when it is obtained from them or, if obtained from another source, within a reasonable period, depending on the circumstances of the case (...)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/26 And Recital 62 “However, it is not necessary to impose the obligation to provide information when the data subject already has the information, (...).” - The respondent party has stated that the reasoning of the AEPD in relation to the assessment of negligence in the conduct is inadequate, given that one thing is to assess fault as a requirement for a certain conduct to constitute an infringement and another is to assess that this element must always be considered as an aggravating factor. Taking into account that the conduct of the respondent party contains the element of guilt, which is essential to be able to demand punitive liability, in this case it also reflects a very serious lack of diligence, violating the obligation to inform the affected party about the processing of their personal data. This is because there is no element that allows us to conclude that any minimum diligence was observed to guarantee the aforementioned principle, as proven and thus stated in the legal grounds of the Resolution Proposal, which are in no way contradicted. Facts that are aggravated by the lack of collaboration with this management center, since the respondent party was required, both in the preliminary action phase (on two occasions), and in the evidentiary phase, to report on the measures adopted to adapt its "Privacy Policy" to article 13 of the RGPD, the date/s of implementation, controls carried out to verify its effectiveness, without providing documentation or giving any response to the aforementioned requests. 
In addition, the lack of diligence demonstrated in the infringing conduct for which it is held responsible must be classified as very serious; under article 5.2 of the GDPR the respondent party is obliged to carry out the activity appropriate to comply with the data protection principles, in this case the principle of informing, and to be in a position to demonstrate its compliance.

- Finally, the respondent considers that the AEPD's statement that "we are faced with the absence of technical and organizational measures as a consequence of the lack of diligence in the action carried out" is unfounded, since such a conclusion cannot be reached merely from the fact that a copy of the DNI was requested by email. It was already indicated to the respondent that the numerical identifier of the DNI together with the verification character corresponding to the tax identification number identifies a natural person beyond doubt. This quality makes it a particularly sensitive piece of data, and this nature is aggravated in the case of a scanned copy of the DNI, since a third party who gains access to it can easily impersonate its holder and carry out conduct that poses a high risk to the privacy, honour and assets of the person impersonated. The respondent has not provided any evidence that it had implemented appropriate measures aimed at eliminating the risks of processing the scanned ID, nor did it provide a secure means for the complainant to send that documentation. There is no evidence that it carried out an analysis of the risks involved in requesting the scanned ID via email, focused on the protection of the rights and freedoms of the interested parties, or of the technical and organisational measures it had implemented to address those risks.

Furthermore, when the respondent was asked during the evidentiary period to provide the Register of Processing Activities, the Risk Analysis and the Impact Assessment on the processing of the data, no response was given to the request. Therefore, the allegations made by the respondent party against the Resolution Proposal cannot be accepted and must be dismissed.

IV First breached obligation: infringement of article 13 of the GDPR

The facts reported consist in that the complainant, an investor in some of the projects managed by the respondent party, when requesting information about them, was asked to provide a scanned copy of his ID without being informed about the data processing to be carried out in accordance with article 13 of the GDPR, which could violate the regulations on the protection of personal data. Article 13 of the GDPR, Information to be provided when personal data is obtained from the data subject, establishes the following: “1.
Where personal data relating to a data subject are obtained from him or her, the controller shall, at the time of obtaining such data, provide him or her with all of the following information: (a) the identity and contact details of the controller and, where applicable, of his or her representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes for which the personal data are processed and the legal basis for the processing; (d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party; (e) the recipients or categories of recipients of the personal data, where applicable; (f) where applicable, the intention of the controller to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means to obtain a copy of these or the fact that they have been provided.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following information necessary to ensure fair and transparent data processing: (a) the period for which the personal data will be stored or, where this is not possible, the criteria used to determine that period; (b) the existence of the right to request from the controller access to the personal data relating to the data subject, and to rectify or erase them, or to restrict their processing, or to object to their processing, as well as the right to data portability; (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; (d) the right to lodge a complaint with a supervisory authority; (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, and whether the data subject is obliged to provide the personal data and is informed of the possible consequences of not providing such data; (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller plans to process personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, prior to such further processing, with information about that other purpose and any additional information relevant to the purposes of paragraph 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply where and to the extent that the data subject already has the information.”

This provision, in addition to determining in paragraphs 2 and 3 the information that the controller must provide, determines that this information must be provided at the time of data collection. However, Article 13, paragraphs 1 and 2, must be read in relation to Article 13.4, which dispenses with the obligation referred to in both provisions “where and to the extent that the data subject already has the information.” The recitals of the GDPR reiterate the same idea. Thus, recital 61 indicates that “Data subjects must be provided with information about the processing of their personal data at the time of obtaining it or, if obtained from another source, within a reasonable period, depending on the circumstances of the case (...)”, and recital 62 states that “However, it is not necessary to impose an obligation to provide information where the data subject already possesses the information, (...).” In any case, it must be taken into account that, according to recital 60, the controller is obliged to “provide the data subject with any additional information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed”. Furthermore, the principles set out in Article 5.1.a) of the GDPR, concerning lawful, fair and transparent processing of personal data, require that the interested party be informed of the existence of the processing and its purposes and of the additional information needed to ensure fair and transparent processing. The controller must provide the interested party with all the information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed.
Recital 39 of the GDPR states that: “The principle of transparency requires that all information and communication relating to the processing of such data be easily accessible and easy to understand, and that simple and clear language be used. This principle relates in particular to the information of data subjects about the identity of the controller and the purposes of processing and to additional information to ensure fair and transparent processing with regard to the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them that are being processed. Natural persons must be aware of the risks, rules, safeguards and rights relating to the processing of personal data, as well as how to assert their rights in relation to the processing. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. […]”. Therefore, information about the processing of their personal data must be provided to data subjects at the time of collection of the data or, if obtained from another source, within a reasonable period, depending on the circumstances of the case. When personal data relating to the interested party are obtained, the data controller must, at the time they are obtained, provide him with all the information regarding the processing of his data indicated in article 13 of the GDPR.
In the present case, as shown in the exchanged emails, the complainant, an investor in certain projects managed by the respondent party, requested information about them, and the respondent party in turn asked him to provide a scanned copy of his ID. Although at first sight this appears to be a request with a legitimate purpose, namely verifying the status of the requester as an investor, it does not appear that he was informed in accordance with article 13 of the GDPR, that is, that he was provided with any information regarding the processing of his ID data. Furthermore, the respondent party was required, during the proceedings phase (on two occasions), to report on the measures adopted to adapt its “Privacy Policy” to article 13 of the GDPR, the implementation dates and the controls carried out to verify its effectiveness, without providing any documentation. During the evidentiary phase it was again required to provide the company's Privacy Policy or Legal Notice and the measures taken for its adaptation to article 13, without any response being given. Such conduct is considered to violate article 13 of the GDPR, classified in article 83.5.b) of the GDPR.

V Classification of the infringement of article 13 of the GDPR

The infringement of article 13 of the GDPR is classified in article 83.5.b) of the GDPR, which states: “Infringements of the following provisions shall be punished, in accordance with section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to 4% of the total annual global turnover of the previous financial year, whichever is the highest: (...) b) the rights of the interested parties pursuant to articles 12 to 22; (...)”

For the purposes of prescription, the LOPDGDD classifies this conduct in article 72.1.h) as a very serious infringement and sets a prescription period of three years for it. The provision states: “1. According to the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: (...) h) The failure to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law. (...)”

VI Second unfulfilled obligation: infringement of article 32.1 of the GDPR

Secondly, article 32 of the GDPR, “Security of processing”, establishes that: “1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include, where appropriate, among others: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the permanent confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of the processing. 2.
When assessing the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of personal data, in particular arising from accidental or unlawful destruction, loss or alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed. 3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element of demonstration of compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and the processor shall take measures to ensure that any person acting under the authority of the controller or the processor and having access to personal data may process such data only on instructions from the controller, unless he or she is required to do so by Union or Member State law.”

1. The GDPR defines a personal data security breach as “any breach of security that leads to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to such data”. The documentation in the file provides clear indications that the respondent has violated article 32 of the GDPR, owing to its lack of diligence in not adopting appropriate technical and organizational measures to guarantee a level of security appropriate to the risk of the processing, given that it requested a scanned copy of the ID by email to prove the identity of the partner, a method that is not very secure for requesting this type of documentation.

It should be noted that the GDPR, in the aforementioned provision, does not establish a list of the security measures applicable according to the data being processed, but rather establishes that the controller and the processor shall apply technical and organizational measures appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the interested parties. Likewise, security measures must be appropriate and proportionate to the risk detected, and the technical and organizational measures must be determined taking into account: pseudonymisation and encryption; the ability to guarantee confidentiality, integrity, availability and resilience; the ability to restore availability and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures. In any case, when assessing the adequacy of the level of security, particular account will be taken of the risks presented by the processing of data, such as the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized communication of or access to such data, which could cause physical, material or immaterial damage or harm. In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent processing in violation of the provisions of this Regulation, the controller or processor must assess the risks inherent in the processing and implement measures to mitigate them, such as encryption.
These measures must ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the cost of its implementation, in relation to the risks and the nature of the personal data to be protected. When assessing the risk in relation to data security, the risks arising from the processing of personal data must be taken into account, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data, which may in particular cause physical, material or immaterial damage and harm.”

2. In the case analysed, as is evident from the facts, the AEPD forwarded the complaint to the respondent for analysis, requesting information related to the incident complained of. The respondent, in its letter of 02/08/2023, stated that "In response to the request of the claimant, it is the administrator's obligation to verify the identity of the persons who request data in their capacity as partners, so he is requested to justify his identity and this has been explained to him in the email that the claimant himself attached, where the treatment of the data requested for comparison is explained." As indicated in the initiation agreement, the Registry Book is a list containing the names of those who are partners of a public limited company or limited company at any given time; it is the responsibility of the company's administrators to keep it, which allows them to know whom they must regard as a partner at any given time for the purposes, for example, of allowing them to participate in shareholders' meetings, paying them a dividend, etc. That is why the registry book is said to have a legitimizing function.

However, requesting a scanned copy of the DNI by email does not seem to be a very safe method of verifying the identity of the member requesting the information, in view of the risks it may entail. In this regard, it is worth recalling that recitals 51 and 75 of the GDPR distinguish a group of personal data that by their nature are particularly “sensitive” due to the significant risk that their processing may entail for fundamental rights and freedoms. Their common denominator is the risk they entail for fundamental rights and freedoms, since their processing may cause physical, material or immaterial damage and harm. This group or category includes the specially protected data regulated by Article 9 of the GDPR (recital 51 of the GDPR) and many others not mentioned in that provision. Recital 75 lists in detail the personal data whose processing may entail a risk of varying severity and probability for the rights and freedoms of natural persons, as a result of which they may cause physical, material or immaterial damage and harm. Among them, it refers to those whose processing "may give rise to problems of discrimination, identity theft or fraud, financial losses, damage to reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of pseudonymization or any other significant economic or social harm". The numerical identifier of the DNI together with the verification character corresponding to the tax identification number identifies a natural person beyond doubt. This quality makes it a particularly sensitive piece of data, and this character is aggravated in the case of a scanned copy of the DNI, since a third party who gains access to it can impersonate its owner with complete ease and carry out conduct that poses a high risk to the privacy, honour and assets of the person impersonated.
The respondent party should have adopted the appropriate technical and organisational measures aimed at mitigating the risks of processing the scanned DNI, after analysing those risks, and offered the claimant a secure means of sending the documentation. However, it has not proven that it carried out an analysis of the risks involved in requesting a scanned ID card via email, focused on the protection of the rights and freedoms of the interested parties, nor of the technical and organizational measures it had implemented to address those risks. The respondent's liability is determined by the absence of adequate measures brought to light, since it is responsible for making the decisions needed to effectively implement the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, restoring the availability of the data and preventing access to them in the event of a physical or technical incident. It is therefore questioned whether email constitutes a secure way to send documentation such as, in this case, the scanned copy of the ID card, when security must be guaranteed. Sending the requested information by simple email is not considered an appropriate measure in view of the risk to the rights and freedoms of natural persons arising from the careless use that could be made of email, so the respondent party should have adopted security measures appropriate to the risk in order to protect the rights and freedoms of the complainant in relation to the processing of the data subject to this procedure.

In accordance with the above, the respondent is considered responsible for the infringement of the GDPR consisting in the violation of article 32, an infringement classified in its article 83.4.a).

VII Classification of the infringement of article 32.1 of the GDPR

The infringement of article 32 of the GDPR is classified in article 83.4.a) of the GDPR in the following terms: “4. Infringements of the following provisions shall be punished, in accordance with section 2, with administrative fines of up to EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the previous financial year, whichever is higher: a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43. (…)”

For its part, the LOPDGDD, in its article 73, for the purposes of prescription, classifies as “Infringements considered serious”: “In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations: (…) g) The breach, as a result of the lack of due diligence, of the technical and organisational measures that have been implemented in accordance with the requirements of Article 32.1 of Regulation (EU) 2016/679. (…)”

VIII Penalty for the infringement committed

In order to establish the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j).
When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of data subjects affected and the level of damage suffered; b) the intentionality or negligence of the infringement; c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the extent of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

In relation to letter k) of Article 83.2 of the GDPR, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, establishes that: “2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the affected party's conduct could have led to the commission of the infringement. e) The existence of a merger process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The submission by the responsible party or person in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

- In accordance with the transcribed provisions, for the purposes of setting the amount of the fine to be imposed in the present case for the infringement of article 13 of the GDPR, classified in article 83.5.a) of the GDPR, for which the respondent is held responsible, the following factors are considered to concur:

The nature and seriousness of the infringement, since it must not be forgotten that this case concerns the omission of the duty to inform the affected party about the processing of their personal data, which the GDPR reproaches with the greatest seriousness; the respondent has not provided evidence that it adopted measures to adapt the processing to Article 13, the date of their implementation, controls to verify their effectiveness on the processing of the complainant's data, etc. (Article 83.2.a) of the GDPR).
The degree of cooperation with the supervisory authority in order to remedy and mitigate the possible adverse effects of the infringement; requested in the investigation phase (on two occasions) and in the evidentiary phase to provide information on the Privacy Policy or Legal Notice, the respondent did not respond at any time to the requests made (Article 83.2.a) of the GDPR).

The intentionality or negligence in the infringement; a serious lack of diligence is observed in the actions of the entity in its processing of the complainant's data. Also in connection with the degree of diligence that the data controller is obliged to display in complying with the obligations imposed by data protection regulations, the SAN of 17/10/2007 can be cited, which, after noting that entities whose activity involves continuous processing of client and third-party data must observe an adequate level of diligence, specified that “(...) The Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in the assessment of the degree of diligence, the professionalism or lack thereof of the subject must be specially considered, and there is no doubt that, in the case now examined, when the activity of the appellant is one of constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care to comply with the legal provisions in this regard” (article 83.2.b) of the GDPR).

The activity of the infringing entity is linked to the processing of data of both clients and third parties. Given the nature of its activity, the respondent necessarily processes personal data of clients and third parties, so the significance of its conduct, the subject of the present procedure, is undeniable (article 76.2.b) of the LOPDGDD in relation to article 83.2.k) of the GDPR).

In accordance with the aforementioned circumstances, it is considered appropriate to establish a sanction of 50,000 euros.

- In accordance with the transcribed provisions, for the purposes of setting the amount of the fine to be imposed in the present case for the infringement of article 32.1 of the GDPR, classified in article 83.4.a) of the GDPR, for which the respondent is held responsible, the following factors are considered to concur:

The nature and seriousness of the infringement, since the respondent party shows an absence of technical and organizational measures, reflecting a lack of diligence in its conduct, which the GDPR reproaches with the category of serious, considering that entities that process personal data in the course of their activity must adapt to the requirements of the regulation and exercise due diligence in applying measures appropriate to the risk of the processing for the rights and freedoms of the interested parties. The respondent has not provided any evidence that it had implemented security measures appropriate to the risk involved in the processing of the complainant's data, having requested a scanned copy of the ID by email without proving any measures (article 83.2.a) of the GDPR).

The degree of cooperation with the supervisory authority in order to remedy and mitigate the possible adverse effects of the infringement; when requested in the evidentiary phase to provide the RAT, the Risk Analysis and the Impact Assessment carried out on the processing of the data, the respondent party did not respond at any time to that request (article 83.2.a) of the GDPR).

The intentionality or negligence in the infringement; a serious lack of diligence is observed in the actions of the entity, derived from the absence of measures in relation to the method used to verify identity.
Also relevant to the degree of diligence that the data controller is obliged to display in complying with the obligations imposed by data protection regulations is the SAN (National Court judgment) of 17/10/2007, which, after noting that entities whose activity involves the continuous processing of client and third-party data must observe an adequate level of diligence, specified that "(...) the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or lack thereof of the subject must be especially considered, and there is no doubt that, in the case now examined, where the activity of the appellant is one of constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care needed to comply with the legal provisions in this regard" (Article 83.2.b) of the GDPR). The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties. Given the nature of its activity, the respondent finds it essential to process the personal data of clients and third parties, so the significance of the conduct that is the subject of this procedure is undeniable (Article 76.2.b) of the LOPDGDD in relation to Article 83.2.k) of the GDPR).

In accordance with the aforementioned circumstances, it is considered appropriate to establish a sanction of 50,000 euros.

IX. Adoption of measures

The corrective powers that the GDPR attributes to the AEPD as a supervisory authority are listed in its Article 58.2, sections a) to j).
In this case, it is appropriate to order the controller to adopt the measures needed to bring its actions into line with the regulations cited in this act, in accordance with the aforementioned Article 58.2.d) of the GDPR, under which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period". The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in Article 83.2 of the GDPR.

Therefore, it is considered appropriate to order the respondent to adapt the processing that is the subject of this procedure to the applicable regulations within six months of the sanctioning resolution, if any, becoming final. The text of this resolution establishes the facts that led to the violation of the data protection regulations, from which the measures to be adopted can be clearly inferred, without prejudice to the specific procedures, mechanisms or instruments used to implement them, which is a matter for the respondent, since it is the one that fully knows its organization and must decide, on the basis of proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD, including measures that guarantee compliance with Articles 13 and 32.1 of the GDPR and that prevent a new violation.

Please note that failure to comply with the order imposed by this body may be considered an administrative infringement under the GDPR, classified as such in its Articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on ATRIUM LEX SFC, S.L., with NIF B87634564:
- For an infringement of Article 13 of the GDPR, classified in Article 83.5.a) of the GDPR, a fine of €50,000 (fifty thousand euros).
- For an infringement of Article 32.1 of the GDPR, classified in Article 83.4.a) of the GDPR, a fine of €50,000 (fifty thousand euros).

SECOND: TO ORDER ATRIUM LEX SFC, S.L., with NIF B87634564, pursuant to Article 58.2.d) of the GDPR, to prove, within six months of this resolution becoming final and enforceable, that it has complied with the measures that guarantee compliance with Articles 13 and 32.1 of the GDPR.

THIRD: TO NOTIFY this resolution to ATRIUM LEX SFC, S.L., with NIF B87634564.

FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration (one month from the day after notification of this resolution) has ended without the interested party having made use of this option. The sanctioned party is warned that it must pay the imposed sanction once this resolution is enforceable, in accordance with Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account no. IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A.
Otherwise, it will be collected in the enforcement period. Once the resolution has been notified and has become enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the deadline for voluntary payment will be the 20th of the following month or the next business day thereafter; if it falls between the 16th and the last day of the month, both inclusive, the deadline for payment will be the 5th of the second following month or the next business day thereafter.

In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process in accordance with Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly lodge a contentious-administrative appeal before the Contentious-Administrative Division of the National Court, in accordance with Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of that Law.

Finally, it is noted that, in accordance with Article 90.3.a) of the LPACAP, the final resolution in administrative proceedings may be provisionally suspended if the interested party expresses its intention to lodge a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, submitted through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also provide the Agency with the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, it will lift the provisional suspension.

Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6, 28001 Madrid – www.aepd.es – sedeagpd.gob.es