AEPD (Spain) - EXP202316537
AEPD - EXP202316537 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR; Article 6(1)(c) GDPR; Article 58(2)(d) GDPR; Article 83(5)(a) GDPR; Article 24 LO 4/2015; Article 4(3) RD 933/2021; Article 85 LPACAP |
Type: | Complaint |
Outcome: | Upheld |
Started: | 20.05.2024 |
Decided: | 30.09.2024 |
Published: | 05.02.2025 |
Fine: | 1200 EUR |
Parties: | Posada El Azufral |
National Case Number/Name: | EXP202316537 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | r_e_ |
The DPA fined a hotel €1,200 for breaching Article 5(1)(c) GDPR by retaining copies of travellers' IDs. The hotel was ordered to implement appropriate technical and organisational measures, i.e. to remove the requirement to provide an ID and to delete IDs already on file.
English Summary
Facts
The data subject was asked by the controller to provide photo ID to complete hotel check-in, as part of the controller's legal obligations to maintain records of staying guests. The data subject refused to do so (both online and at the hotel on the day of check-in) on grounds of excessiveness when it became apparent the ID would be kept on file by the controller, and was refused accommodation.
The controller alleged photo ID was necessary to verify the accuracy of travellers' data provided in entry and exit forms and the registration sheets required from hotel establishments (per Article 4(3) RD 933/2021 establishing the obligations of documentary registration and information of natural or legal persons who carry out activities of hosting and rental of motor vehicles). While the check-in software used by the controller had options to allow travellers to check in online or in person without providing ID, the controller maintained the need for a copy of travellers' IDs. Further, while the software would only keep the ID image for 5 days per its privacy policy, the controller confirmed it would keep images for 3 years in order to fulfil its tax obligations.
Holding
The DPA found that the controller did not have a legal basis for requesting a copy of travellers' identity documents as a condition of their registration (check-in), which was determined to be excessive and unnecessary processing of personal data contrary to the data minimisation principle (Article 5(1)(c) GDPR). The DPA determined that requiring a traveller to provide a copy of their identity documents constituted excessive processing of personal data, since the documents contained personal data that was inadequate, not pertinent and not necessary for the specific purpose of the processing in question (compliance with the legal obligations in force regarding registration of entry and exit of travellers (Article 4(3) RD 933/2021)). The DPA noted that the law (both RD 933/2021 and Article 24 Organic Law 4/2015 on the protection of citizen security) did not require that a copy/photograph of the identity document be provided, nor that all the data contained in said document be reported. Therefore Article 6(1)(c) GDPR was not a legal basis for processing the data contained in the data subject's ID.
The controller was also incorrect in storing ID images for 3 years, as RD 933/2021 only required certain data to be retained for this period rather than the image itself.
The DPA fined the controller €1,500 for infringing Article 5(1)(c) GDPR, taking into consideration the factors outlined in Article 83(2) GDPR. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 20%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €1,200.
The controller was also ordered by the DPA to take a number of steps to comply with the GDPR (as per Article 58(2)(d) GDPR), such as establishing necessary technical and organizational measures by introducing changes in its reservation management process that removed the need for travellers to provide a photograph or copy of an identity document, and by erasing those documents already on file.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202316537
RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY PAYMENT
From the procedure initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On May 20, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against A.A.A. (hereinafter the respondent). After being notified of the initiation agreement and after analyzing the allegations presented, on September 30, 2024, the resolution proposal was issued, which is transcribed below:
<<
File No.: EXP202316537
Sanctioning Procedure No. PS/00036/2024
PROPOSAL FOR A SANCTIONING PROCEDURE RESOLUTION
From the procedure initiated by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: B.B.B. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on October 22, 2023. The claim is directed against the hotel establishment called “POSADA EL AZUFRAL” whose owner is A.A.A. with NIF ***NIF.1 (hereinafter, the respondent).
The reasons on which the claim is based are the following:
- The complainant states that on 26-7-2023 he made a reservation for a room through the website booking.com at the hotel establishment POSADA EL AZUFRAL, S.C, for the dates 25-08-23 to 26-08-23.
- He states that on the same date of 26-7-23 he was sent an email from the establishment to carry out the early guest registration ("pre-registration" or "online pre-check in"), an email that included a link that directed to the website of an application called "Partee", which asked him to fill in certain data, and attach a photograph of both sides of his ID. The complainant provided his data to carry out the registration through said web application, but not an image of his ID, considering this request to be excessive, communicating this circumstance to the establishment through the messaging of booking.com.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
- He states that when he went to stay at the inn where he made his prior reservation on the day scheduled for entry 25-8-23, the respondent party demanded, as a condition for providing him with the reserved room, the delivery of his ID in order to take a photograph in order to complete the online check-in or a photocopy to do the manual check-in. The complainant refused because he considered that this requirement is contrary to the data protection regulations, and was denied accommodation.
- That the complainant requested a complaint form from the establishment, and filed the relevant complaint with the competent Department of Tourism of the Government of Cantabria.
The following documentation is provided with the claim, which is completed by means of a letter dated November 13, 2023:
- Accommodation reservation made through booking.com on July 26, 2023.
- Message sent on July 26, 2023 to the claimant by Posada El Azufral through ebooking.com, stating: “Please, to speed up your registration at POSADA EL AZUFRAL, 08-25-2023, click on the following LINK and fill out the form with your ID, Passport or NIE details”. This link directs to the “app.partee check in online”.
- New message received on August 25, 2023 from “Partee check-in online” warning that you can complete the online registration until the same day, August 25, 2023, being necessary to complete the information in the link to comply with the regulations on entry parts and registration book of accommodations.
- Screenshot of the data form to be completed in the app part for online check-in.
- Complaints Form filed with Posada el Azufral on August 25, 2023, when the reservation was canceled, and filing of such claim with the Department of Tourism of the Government of Cantabria.
- Royal Decree 933/2021, of October 26, which establishes the obligations of documentary registration and information of natural or legal persons who carry out lodging and motor vehicle rental activities.
- Resolution of the sanctioning procedure nº 78/2021 published by this Spanish Data Protection Agency.
- Extract from the privacy policy section of the PARTEE application (www.app.partee.es), where there is a link to the agreement for the processing of data.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to A.A.A., which appears as the data controller in the privacy policy section of the TARIFAS Y POLITICAS | EL AZUFRAL website, so that it could proceed to its analysis and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations.
The transfer, which was carried out by mail in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 11/12/2023 as stated in the acknowledgment of receipt in the file.
THIRD: On 29/12/2023, this Agency received a written response from A.A.A., in which it acknowledged being responsible for the treatment, with POSADA EL AZUFRAL S.C being the commercial name of the hotel establishment.
In its letter, the respondent party provides a report on the treatment of personal data of the establishment, and a report on the event that occurred.
In summary, it should be noted that the respondent acknowledges being responsible for the processing of personal data of POSADA EL AZUFRAL, S.C, and admits that the events occurred as reported by the complainant, although it denies that there is a violation of personal data protection regulations, considering that it is necessary to require the client to provide a photograph or copy of the traveler's identity document in order to verify the accuracy of the data that must be completed in the entry and exit forms of the traveler and the registration sheets established in the regulations of the Ministry of the Interior, for hotel establishments.
FOURTH: On January 9, 2024, in accordance with article 65 of the LOPDGDD, the claim submitted by the complainant was admitted for processing.
FIFTH: On May 20, 2024, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the respondent party, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 5.1.c) of the GDPR, classified in Article 83.5.a) of the GDPR.
SIXTH: Having notified the aforementioned start agreement with an electronic acknowledgement of receipt date of May 29, 2024, in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the respondent party submitted a written statement of allegations dated June 10, 2024 in which, after indicating that the aforementioned agreement has been received in the first point and confirming that the respondent is the responsible party for the processing of the personal data of the clients of POSADA EL AZUFRAL in the second point, it literally states the following (points 3 to 8 of the written statement of allegations):
THIRD.- The procedure for carrying out the check-in or "pre-registration" is fully automated, with the guest having to go through a process through one of the 4 options made available to them:
A) Online check-in without providing an ID or passport.
B) Online check-in by providing an ID or passport.
C) In-person check-in without providing an ID or passport.
D) In-person check-in by providing an ID or passport.
In all cases, both in the online format (the client fills out the form directly) and in the in-person format (the data is entered on-site by the reception staff at the accommodation), the computer application called Partee is used, supplied through the corresponding service contract of the provider (and in charge of the treatment) YNEEDS, YOUR INTELLIGENT IMAGING COMPANY S.L.U.
FOURTH.- The principle of minimizing personal data seeks to limit the processing of the same. However, it does not prohibit the automated dumping of personal data if an intelligent process of transferring information from a photograph or other medium is used, always with the same intention of covering the information necessary for the corresponding legal obligations (police record).
FIFTH.- We must clarify that between the data controller and the data processor, there is a data processing contract and a service provision contract, in accordance with the provisions of article 28 of the GDPR.
SIXTH.- Through the Partee application, the data controller obtains the personal data required and necessary for the completion of the entry and traveler reports.
SEVENTH.- When guests make a reservation, they receive an online communication (email) days before their arrival, for the online check-in. Said check-in is done from the Client's device. The application allows the voluntary and intelligent scanning of the DNI, obtaining the necessary data directly, and this process can be dispensed with if the guest fills in the data manually. In the event that the Client opts for the method of providing his/her DNI for the intelligent scanning of the information, the copy of the national identity document is not stored on the application servers, but is only used occasionally to extract the necessary information. This fact was reported to the B.B.B., as stated in the REPORT ON THE AUGUST 25TH EVENT submitted by Ms. A.A.A., at the request of the AEPD. In other words, the Guest was aware at all times that no copy of his/her DNI was kept.
EIGHTH.- In the event that the guest manually provides the data, it will be necessary to subsequently verify the veracity of the data, given that the person at the establishment who receives the Guest is responsible for verifying the accuracy of the data provided and, to do so, requests identification from the Client. At all times, and during the making of the reservation, the guest is informed of who is responsible for the processing, the purpose of the data collected, the recipients of the information, retention periods and the legitimacy of the processing, with which the guest can decide whether to do so or not.
Likewise, the data provided by the Client will be kept for the purposes of providing the service and after the departure of the Guest, kept for tax and billing purposes for the established legal period, after which said data will be deleted.
In defense of these allegations, the respondent provides as Annex I, a screenshot showing the part of the form (point 3) of Check-in of the PARTEE application, used for the management of the reservation and registration process of guests, where the photo of the Client's ID is requested, although in the information note it refers to "i) Your accommodation requires these screenshots to verify the data of the online Check-in."
SEVENTH: On September 30, 2024, the instructor issues a Diligence to join the procedure with the content of the privacy policy of the PARTEE application, contracted by the respondent.
From the actions carried out in the present procedure and from the documentation in the file, the following have been proven:
PROVEN FACTS
FIRST: On 26-7-2023 the claimant made a reservation for a room through the website booking.com at the POSADA EL AZUFRAL, S.C. hotel establishment, for the dates 25-08-23 to 26-08-23, as stated in the reservation provided with the claim. This can be deduced from the reservation provided by the claimant, the terms and content of which are recognized by the respondent.
SECOND: On the same date of 26-7-23, the complainant was automatically sent an email to voluntarily register as an early guest ("pre-registration" or "online pre-check in"), an email that included a link that led to the website of an application called "Partee", which is proven by the provision of the aforementioned email in the complaint, the sending of which is acknowledged by the respondent.
THIRD: That the procedure to check in at the establishment can be done online or in person at the establishment through the PARTEE application, which has been contracted for this purpose by the establishment. As the respondent points out in point 3 of its written allegations to the start agreement of June 10, 2024, and can be verified in the link to the application contained in the email sent to the complainant to proceed with the pre-check in: “In all cases, both in the online format (the client directly fills out the form), as in the in-person format (the data is entered on-site by the reception staff of the accommodation), the computer application called Partee is used, provided through the corresponding service contract of the provider (and person in charge of the treatment) YNEEDS, YOUR INTELLIGENT IMAGING COMPANY S.L.U”
FOURTH: According to what is filled out on July 26, 2023, according to the privacy policy of the application contracted by the respondent, PARTEE, the personal data to be collected in the check-in processes in person are those indicated in sections e) and f), which give the traveler the possibility of completing the registration process without having to provide a copy or scan the photograph of their identity document, provided that the data of said document are entered into the PARTEE application by the establishment's staff manually, after showing the document.
“PARTEE APPLICATION PRIVACY POLICY. What personal data do we obtain from our clients' guests (…)
e. Photographs of ID cards or Passports during in-person check-in. Partee's in-person check-in is the procedure for capturing data and signing the guests in their presence.
With the fourfold objective of a) ensuring the accuracy of the traveler reports (obligation set out in section 3 of article 4 of RD 933/2021, and which is the basis of legitimacy for this treatment), b) to improve productivity in compliance with the regulations, c) to advance in digital transformation and d) to save the guest time and provide a better service, our clients have the option of using the camera on their mobile device, or a desktop scanner or multifunction equipment, to obtain an image of the guest's identification document and automatically fill out the report, as opposed to a slow manual entry of data. Partee will not store or distribute the images of these documents, it will simply use them to extract the guests' personal data and comply with the registration obligations established in the regulations. Once this task has been fulfilled, which takes just a few seconds, Partee will automatically delete these images. In order for the Partee client to use this automatic data capture function from an image of the ID or Passport, the guest must accept this privacy policy in the Partee application by selecting the corresponding box. In the event that the guest refuses to have an image of his or her identification document taken, the Partee client must fill out the data form using the keyboard, based on the identification document shown by the guest.
f. Photographs of IDs or Passports during online check-in. Partee's online check-in is a pre-registration or pre-check-in mode, which aims to offer better service to guests and speed up the registration process, by capturing in advance the personal data of the guests required by the regulations on guest registration. During online check-in, guests access a Partee web form in which they can enter their personal data and sign comfortably and in a few seconds. In the Partee web form, guests are shown a direct link to this privacy policy, as well as a checkbox for the guest to accept it.
If they do not accept it, Partee will not store or communicate any of the data entered by the guest, they will simply be discarded. In order to comply with the obligation set out in section 3 of article 4 of RD 933/2021, which is the basis of legitimacy for this treatment, and which establishes that the establishment will be "responsible for the accuracy of the data that is recorded therein (refers to traveler reports), so that they match the documents or systems that prove the identity of the persons, which must be displayed or provided by the users of these services", Partee customers can configure Partee's online check-in links so that Partee asks the guest to attach photographs of their identification document during online check-in. In these cases, if guests do not wish to provide photographs of their identification documents, they must request from the establishment either an online check-in link that does not require such photographs to be attached, or indicate to the establishment that they prefer to have their check-in done in person upon arrival at the establishment. In the event that the guest provides such images of their documents, Partee will send the photographs to the email address of the Partee client who manages the accommodation, so that they can verify the identity of the guests and the accuracy of the data provided, and, in case the Partee client does not receive or mistakenly deletes such images received by email, Partee stores them on its servers for a maximum of 5 calendar days, so that they can be consulted by the establishment, and will ALWAYS delete them after this maximum period has elapsed. If before 5 days the client deletes this data, or if the guest expresses his desire to delete it, Partee will delete it without waiting for the 5 calendar days period. 
FIFTH: Regarding the storage of photographs or photocopies of the identity document, in addition to the privacy policy indicated in the previous paragraph that the PARTEE application archives them for 5 calendar days, the responding entity acknowledges that the photographs obtained by the PARTEE application in the online check-in process are sent by email to the establishment for verification of the data, and that they are kept for the purposes provided for by tax legislation for a period of 3 years. This is indicated in the Report on the “data processing process” provided on December 29, 2023 to this Agency, the following:
“In the case of taking photographs of the document, they are sent by partee at the time the guest checks in online. Once the data verification is carried out, the photographs are deleted and no record of said photographs is kept by A.A.A. (…) The period for deleting the data necessary for administration and accounting is that provided for in tax legislation regarding the limitation of liabilities. In the case of data used to produce traveller reports, the legislation establishes a period of 3 years for maintaining them.”
SIXTH: Regarding the specific case raised in the claim, regarding the requirement to provide a photograph/copy of the identity document to the claimant to formalize his reservation, the following is proven in the file:
- At the time of online pre-check in, the claimant informed the respondent that he did not wish to scan the photograph of his ID, and that he would use the option stated in the email received to show his ID in the in-person check-in process, which coincides with what is stated in the privacy policy of the PARTEE application in its section e). This fact is not denied by the respondent and is proven by the provision of the message from e.booking.com that was sent by the complainant, and has been provided along with the claim.
- On the start date of the reservation, August 25, 2023, the claimant appeared at the establishment to check in in person, and offered to show his ID so that the employee could write down in the PARTEE application the data that were required to complete the traveler entry and exit reports required in the Regulatory Order of the Ministry of the Interior that establishes this obligation. However, the establishment required him to hand over his ID in order to scan it and fill in the data in the PARTEE application, indicating that it was a necessary requirement to formalize the registration. Given the claimant's refusal to hand over said copy or photograph, requesting to fill out a paper form, the establishment indicated that it did not have the possibility of completing it on paper. As an alternative, the complainant proposes that his/her data be recorded and verified by showing his/her ID to the staff so that they can complete the check-in, which was also denied by the accommodation, which ultimately proceeded to cancel the reservation.
This has been acknowledged by the respondent in the “Report on the incident” provided on December 29, 2012, which states the following:
“On August 25, the client arrives at the inn. Upon entering, after being welcomed, he/she is told that he/she must check in. That the process is carried out through the application, as he/she had been notified by the messaging service. The client says that he/she will not use the application and that we will do it for him/her. We tell him/her that we will proceed to scan his/her ID, in front of him/her and in plain sight, to capture the data, which he/she refuses to do. After explaining the procedure again and that we will not keep any copy of his ID at any time, he warns that it is not necessary and that he knows what he is talking about, showing a badge so that no verification is possible.
He is asked if he is a police officer and if he is identifying himself. The client does not identify himself as a police officer, does not show his badge in a reliable manner, nor does he identify himself with his officer number. In view of this suspicious behaviour, we decide not to give in and we tell him that his identification and verification of the data provided will be necessary. The client says that we should take note on a piece of paper that he shows us his ID and that he will sign the paper. We again tell him that the communication is done by electronic means and that we do not have a paper passenger list. Given the client's persistent refusal, we tell him that if he does not verify the data we will proceed to cancel his reservation and we inform him that as a sign of good faith, we will refund the amount of his reservation, without any obligation on our part.
LEGAL BASIS
I Competence and procedure
In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Reply to the allegations against the initiation agreement
The present procedure having been initiated due to the alleged commission of a breach of article 5.1.c) of the GDPR, which regulates the Principle of minimisation of personal data, allegedly committed by the respondent by imposing on the complainant the requirement to provide a full image or photograph of his or her identity document in order to carry out the registration or check-in at its hospitality establishment (Posada el Azufral), which has a face-to-face reception and the possibility of online check-in of travellers, the respondent has presented allegations against the initiation agreement which have been reproduced in full in the initiation agreement.
Once the allegations presented have been analyzed, they must be rejected for the following reasons:
1. The processing of personal data for the registration of the entry and exit of travelers is automated, it is carried out through the PARTEE application contracted with the entity YNEEDS, YOUR INTELLIGENT IMAGING COMPANY S.L.U, the guest having to go through a process through one of the 4 options that are made available to him:
A) Online check-in without providing the Identity Document or passport.
B) Online check-in providing the Identity Document or passport.
C) In-person check-in without providing the Identity Document or passport.
D) In-person check-in providing the Identity Document or passport.
Well, referring to PARTEE's privacy policy, which appears in the link attached in the email sent to the claimant to carry out the online check-in, the content of which has been completed by this instructor on July 26, 2024, and is attached to this file, it is verified that it is true that the PARTEE application allows the traveler's registration process to be formalized without the need to deliver/scan the photograph of the traveler's identity document (guest in whose name the check-in is carried out), offering these 4 options to each client (the service contractor, which is usually the establishment or its owner, which in this case is A.A.A.). But it also appears in the privacy policy that the client can request that the application be configured to require said photograph or copy, which is what happened in the present case. Thus, the privacy policy states in its section:
“What personal data do we obtain from our clients’ guests (…)
e. Photographs of ID cards or passports during in-person check-in. (…) In the event that the guest refuses to have an image of his or her identification document obtained, the Partee client must fill out the data form using the keyboard, from the identification document shown by the guest.
f. Photographs of ID cards or passports during online check-in. (…) In order to comply with the obligation set forth in section 3 of article 4 of RD 933/2021, which is the basis of legitimacy for this treatment, and which establishes that the establishment will be “responsible for the accuracy of the data recorded therein (referring to traveler reports), so that they match the documents or systems that prove the identity of the persons, which must be displayed or provided by the users of these services”, Partee customers can configure Partee’s online check-in links so that Partee requests the guest to attach photographs of their identification document during online check-in.
In these cases, if guests do not wish to provide photographs of their identification documents, they must request from the establishment either an online check-in link that does not require such photographs to be attached, or indicate to the establishment that they prefer to have their check-in done in person upon arrival at the establishment (…)”
From what is stated in the privacy policy it follows that:
(i) The PARTEE online check-in process does not require the photograph to be provided by default, but allows each client (hotel establishment) to configure the online check-in links so that PARTEE requests the guest to attach these photographs, as occurred in the present case, in which the respondent provides as Annex I a screenshot showing the part of the Check-in form (point 3) of the PARTEE application, used for the management of the reservation process and guest registration, where the Client's ID photo is requested, although in the information note it refers to "i) Your accommodation requires these screenshots to verify the data of the Online check-in.” This fact is also acknowledged in the reports submitted during the transfer phase of the file.
(ii) In the face-to-face check-in process, where it is the staff of the establishment who fill in the data, the PARTEE application allows the document to be displayed and it is not necessary to scan the photograph in the application, but it is the establishment of the respondent that decides to request it, in general from all its travelers, as stated in its allegations, because it understands that the contribution is necessary to comply with its legal obligations. This interpretation is erroneous for the reasons already indicated in the start agreement, to which we will refer later.
In any case, this argument must be rejected because even though the PARTEE application would have allowed the completion of the traveller registration forms without requesting the photographs and complying with the Principle of minimisation of personal data, it is the complainant, as a client, who asks that the application be configured to require the photograph, and who voluntarily decides to request the copy of the document, and not to accept the possibility offered by PARTEE and the traveller that the latter show his document at the time of the in-person check-in so that the staff can directly check and record the necessary data in this application. It is important to note that in this case, although the possibility of doing a voluntary online pre-check in is offered for the traveler, there is a face-to-face reception of the traveler at the establishment on the day scheduled for the reservation, in which the staff of the inn receives the traveler and requests a copy/photograph of the identification document as a requirement to be able to stay at the establishment. Therefore, even if the traveler decides not to do the online check in or not to provide the photograph of his/her identification document during the check in, this does not imply that he/she has the freedom not to provide it, since the establishment will ultimately require it at the face-to-face reception as a condition of accommodation, not accepting that the traveler shows the document so that the staff can complete and verify the accuracy of the data, as stated in this file. 1. 
The respondent insists that it is necessary to request the delivery of a copy of the identity document to formalize the traveler's reservation, since it is needed to comply with its obligation to verify the authenticity of the personal data contained therein, in accordance with the provisions of Royal Decree 933/2021, of October 26, which establishes the obligations of documentary registration and information of natural or legal persons who carry out motor vehicle rental and lodging activities (hereinafter, RD 933/2021). In this regard, it is worth reproducing the arguments contained in the initial agreement, which are fully shared, in which it is explained in detail why the regulations governing the registration books and entry forms of travelers in hospitality establishments, as well as the obligation to communicate the information contained in the registration sheets to the State Security Forces and Corps, do not at any time require that a copy/photograph of the identity document be provided, nor that all the data contained in said document be reported. This regulation is basically constituted by Organic Law 4/2015, of March 30, on the protection of citizen security (hereinafter, LO 4/2015), and Royal Decree 933/2021, of October 26, which establishes the obligations of documentary registration and information of natural or legal persons who carry out activities of lodging and rental of motor vehicles (hereinafter, RD 933/2021). Article 24 of LO 4/2015 provides in its first section the following: “Natural or legal persons who carry out activities relevant to citizen security, such as lodging (…) will be subject to the obligations of documentary registration and information in the terms established by the applicable provisions.” These are currently set by the aforementioned RD 933/2021, to which the respondent refers, with Annex I. 
a), in its section 3, establishing the data of travellers whose collection is required to be included in the so-called “Registration Sheet” that the entity responsible for the hotel must transfer to the State Security Forces and Corps, when it comes to professional hospitality establishments. Specifically, the following traveller data are legally required: “a) Name. b) First surname. c) Second surname. d) Sex. e) Identity document number. f) Document support number. g) Type of document (DNI, passport, TIE). h) Nationality. i) Date of birth. j) Place of habitual residence.– Full address.– Town.– Country. k) Landline telephone. l) Mobile telephone. m) Email. n) Number of travellers. o) Relationship between travellers (in the event that any of them is a minor).” Consequently, in accordance with the provisions of this regulation, it is deduced that it is not obligatory to collect, register or communicate to the competent authorities the image, photocopy or complete photograph of the identity document of each traveller, but only some data contained therein such as: name and surname, identification number, support number, type of document (DNI; passport…etc.), nationality, and date of birth. It must be taken into account that the photograph or photocopy of the traveller's ID (on both sides), passport or other identity documents contains personal data that exceeds those required by this regulation, such as: the image or face of the traveller, the team number, or the names of the traveller's parents, for which there is no legal obligation to collect, registration, and communication, in accordance with the aforementioned regulation. 
All of them would be personal data whose processing cannot be covered by the legal basis of article 6.1.c) of the RGPD, assuming excessive processing that is contrary to the principle of data minimisation provided for in article 5.1.c) of the RGPD. 2. It is argued that the PARTEE application does not archive the photograph of the document, but rather automatically dumps data from the scanning of the document, and that the traveler is informed that his personal data is not saved nor will it be used for other purposes. The respondent points out in this regard: “When guests make a reservation, they receive an online communication (email) days before their arrival, for online check-in. Said check-in is done from the Client's device. The application allows the voluntary and intelligent scanning of the DNI, obtaining directly the necessary data, being able to dispense with this process if the guest fills in the data manually. In the event that the Client chooses the method of providing his/her ID for the intelligent scanning of the information, the copy of the national identity document is not stored on the application servers, but is only used punctually for the extraction of necessary information. This argument cannot be accepted either for several reasons: - From PARTEE's privacy policy it can be deduced that, indeed, the application incorporates an intelligent data dump scan, usually carried out using an optical character recognition (OCR) computer program that automatically identifies the characters of a certain alphabet and stores them in the form of data, that is, it converts the image into text, and enables the completion of the "customer form" or "traveler entry part", which does not necessarily require the digital image to be saved. 
However, the use of these smart scans is not incompatible with the fact that, in addition to taking the data and automatically filling it in the form, the scanned images are saved in the application for a certain period of time, since it is possible to make various types of configuration that allow this archiving. - In the present case, there is no doubt that when the traveler provides the photograph during the online check-in process, PARTEE does save the images for 5 days, and that, in addition, these are sent by email to the respondent, since this is expressly configured by the respondent, which says it will not delete "the data used to make the travelers' report for a period of 3 years" among which is this photograph, in order to comply with the deadlines set by tax legislation. This can be deduced from the following evidence that has been verified in the fifth proven fact of this proposal: Firstly, the respondent herself acknowledges that the photographs obtained by the PARTEE application - in the event that the traveller chooses to provide the photograph during the online check-in process - are automatically sent by the PARTEE application to the establishment for verification of the data. This is stated in the Report on the “data processing process” provided on December 29, 2023 to this Agency, the following: “In the case of taking photographs of the document, they are sent by partee at the time the guest checks in online. Once the data check is carried out, the photographs are deleted and no record of said photographs is kept by A.A.A. This fact was reported to the B.B.B., as stated in the REPORT ON THE EVENT OF AUGUST 25 submitted by A.A.A., at the request of the AEPD. That is, the Guest was aware at all times that no copy of his ID was kept. 
This coincides with what is stated in the PARTEE privacy policy that has been completed, from which it is clearly deduced that the photograph is saved in the application for 5 days, being sent to the client by email in the case of online check-in. Thus, the following is stated: “f. Photographs of ID cards or passports during online check-in. (…) In the event that the guest provides such images of their documents, Partee will send the photographs to the Partee client's email address that manages the accommodation, so that they can verify the identity of the guests and the accuracy of the data provided, and, in case the Partee client does not receive or deletes by mistake such images received by email, Partee stores them on its servers for a maximum of 5 calendar days, so that they can be consulted by the establishment, and will ALWAYS delete them after this maximum period. If before 5 days the client deletes this data, or if the guest expresses their desire to delete it, Partee will delete it without waiting for the 5 calendar day period”. - Regarding the archiving of photographs when check-in is in person, the privacy policy of the PARTEE application indicates that the scanned photograph is not stored, according to section "e. Photos of IDs or Passports during in-person check-in: our guests have the option to use their mobile device camera, or a desktop or multifunction scanner, to obtain an image of the guest's identification document and automatically fill out the form, as opposed to a slow manual entry of data. Partee will not store or distribute the images of these documents, it will simply use them to extract the guests' personal data and comply with the registration obligations established in the regulations. 
Once this task has been completed, which takes just a few seconds, Partee will automatically delete these images(…)” However, this does not mean that the images are not saved, since according to PARTEE, it is the establishment that can use the camera on its mobile device or a desktop scanner to obtain the image of the document that the traveler gives it, so although it may be true that the PARTEE application itself does not store the image, it cannot be ruled out that the devices on the server of the defendant do so. Which, furthermore, would be the most logical in view of the line of argument maintained by the respondent in the "report on the data processing" provided to the procedure, since it insists that it must request this copy/scan of the photograph because it is a mandatory piece of information for the registration of the traveller's reports and that it is obliged to keep them for a period of 3 years to fulfil its tax obligations. Furthermore, if this were the case, it must be said that it would make no sense to store the photographs obtained during the online check-in process and not do so when the check-in is in person. As the data controller, the respondent should be aware that when the traveller carries out the online check-in process that requires the provision of a photograph, the PARTEE application is archiving the photograph and sending it to the establishment by email, which implies that they go from being on the client's device to being on the respondent's server, which goes on to carry out processing operations on the photograph in the document (archiving and storage for a period of 3 years as stated in its allegations). And on the other hand, when the establishment's staff scans the photo in the application using their devices, they are in turn using said image or photograph, so they are carrying out excessive data processing operations when scanning it and when storing it. 
And what Royal Decree 933/2021 enables it to keep and retain for 3 years is not the photograph or image of the complete document but the specific data specified in its Annex I. a), in its section 3. As can be seen from the above, the conclusions obtained on the facts analyzed go beyond the specific action of the respondent with respect to the claimant, and have to do with the design of the personal data management process implemented by this entity in general, a design that supposes a personal data processing operation according to the broad concept of processing operations maintained by the Court of Justice of the European Union, and that, therefore, must be carried out taking into account that a legal basis is necessary to process all the personal data that it requests from its travelers through the PARTEE application, which the respondent was able to configure without the need to require the delivery of the photograph of the identity document at check-in online, requesting the display of the document to fill in the data directly at the time of the in-person check-in, but chose to ask its provider expressly to request said copy. Therefore, the respondent has voluntarily decided to configure the application to require excessive information, when it had the “technical” possibility of not doing so, and that it has decided to request the photograph of the document at the in-person reception, when the applicable regulations did not require it to obtain the image of said document, which contains data about which there is no obligation to inform, according to RD 933/2021. This implies that in its usual practice it is acting contrary to the Principle of Minimization of personal data every time travelers agree to provide the photograph. 1. Finally, regarding the lack of information on the need to provide a copy of the identification document prior to making the reservation on the platform. 
The respondent states that she has verified that she configured booking.com to show travelers that this copy/photograph is necessary to be able to make the reservation before making it, accompanying the screenshots and indicating that as additional measures she has requested booking.com to inform her of this. However, it should be noted that the purpose of this procedure is to determine whether there has been excessive processing of personal data contrary to article 5.1.c) of the RGPD by requesting and keeping a copy of said documents, so the prior information provided to the traveller at the time of making the reservation is irrelevant in this procedure, as the infringement of article 13 of the RGPD regarding information on the processing of personal data has not been imputed, and it is not the responsibility of this authority to monitor compliance with the information conditions related to the contracting of accommodation services.
III Obligation not fulfilled. Excessive data processing
The processing of personal data of persons who reserve accommodation in hotel establishments (called "travellers") must be governed by the principles listed in article 5 of the RGPD. It is worth highlighting, due to their relation to the present case, the so-called “Principle of legality and transparency” and “Principle of data minimization” provided for in the first section of the same, letters a) and c), respectively, which provide: “Article 5 Principles relating to processing 1. Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the interested party (“lawfulness, fairness and transparency”). (…) c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)”. In addition, article 5.2 of the GDPR indicates that: “The data controller shall be responsible for compliance with the provisions of paragraph 1 and able to demonstrate it”. 
Article 6 of the GDPR, regarding the “Lawfulness of processing”, determines in its section 1 the cases in which the regulations allow the processing of personal data of a third party, which are called the “lawfulness bases”. If none of these cases or conditions are met, the processing will not be legitimate, or considered lawful by the GDPR: “1. The processing will only be lawful if it meets at least one of the following conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application at the request of the latter of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; (d) processing is necessary to protect the vital interests of the data subject or of another natural person. (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. 
Point (f) of the first paragraph shall not apply to processing carried out by public authorities acting in the exercise of their tasks.” In the present case, after examining the allegations and documentation provided by the respondent in the phases of transfer of the claim and allegations against the initiation agreement in the previous Legal Basis, it can be concluded that the respondent party does not have a legal basis to request the delivery of a copy or photograph of the identity document of the travelers as a condition of their registration (check in), which represents excessive and unnecessary processing of personal data contrary to the Data Minimization Principle of article 5.1.c) of the RGPD. Given the circumstances, in which the establishment has a prior voluntary online check-in process, but has a face-to-face reception in which the traveller is required to provide a photograph or image of his or her identification document as a condition for being able to stay there, it is understood that requiring the traveller to provide the image or photograph of these documents constitutes excessive processing of personal data, since they contain personal data that are inadequate, not pertinent and not necessary for the specific purpose of the processing in question (compliance with the legal obligations in force regarding registration of entry and exit of travellers). Since, as stated above, the photograph or photocopy of the traveller's ID (on both sides), passport or other identity documents contains personal data that exceeds those required by these regulations, such as: the image or face of the traveller, the team number, or the names of the traveller's parents, which are not subject to a legal obligation to collect, record and communicate, in accordance with the aforementioned regulations. 
All of these would be personal data whose processing cannot be covered by the legal basis of article 6.1.c) of the GDPR, assuming excessive processing that is contrary to the principle of data minimisation provided for in article 5.1.c) of the GDPR. Consequently, in accordance with the evidence available at the time when the procedure is opened, and without prejudice to the outcome of the investigation, the aforementioned facts could constitute a violation by the respondent party of the provisions of article 5.1.c) of the GDPR, referring to the Principle of Minimization of personal data.
IV Classification and qualification of the infringement
The known facts could constitute an infringement, attributable to the respondent party, of Article 5.1.c) of the GDPR, with the scope expressed in the previous Legal Grounds, which, if confirmed, could entail the commission of the infringement classified in Article 83.5, paragraph a) of the GDPR, which under the heading "General conditions for the imposition of administrative fines" provides that: "Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9”. In this regard, the LOPDGDD, in its article 71 establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: “Article 72. Infringements considered very serious. “1. 
According to the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679”.
V Proposed sanction
The infringement of article 5.1.c) of the GDPR, provided for in article 83.5 of the GDPR, may be sanctioned with a fine of up to 20 million euros, as a maximum, if the person responsible is a natural person. Fine which must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. In order to determine the administrative fine to be imposed, the provisions of article 83.2 of the GDPR must be observed, which states: “2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an addition to or substitute for the measures provided for in article 58, paragraph 2, letters a) to h) and j). 
When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of: a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage they have suffered; b) the intentionality or negligence of the infringement; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous infringement committed by the controller or processor; (f) the extent of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” On the other hand, in relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides: “1. 
The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the grading criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the affected party could have included the commission of the infringement. e) The existence of a merger process by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection delegate. h) The submission by the responsible party or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party. Taking into account the aforementioned grading criteria, and in light of the facts tried, it is considered that the amount of the fine that could be imposed, without prejudice to what results from the instruction of the procedure, would be €1,500 (ONE THOUSAND FIVE HUNDRED EUROS).
VI Corrective measures
If the infringement is confirmed, it may be agreed to impose on the person responsible the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”. 
Thus, the responsible entity may be required to adapt its performance to the personal data protection regulations, with the scope expressed in the previous Legal Grounds. This act establishes the alleged infringement committed and the facts that could lead to this possible violation of the data protection regulations, from which it is clearly inferred what the measures to be adopted are, without prejudice to the type of procedures, mechanisms or specific instruments to implement them corresponding to the sanctioned party, since it is the person responsible for the treatment who fully knows its organization and must decide, based on proactive responsibility and a risk approach, how to comply with the RGPD and the LOPDGDD. However, in this case, regardless of the above, in accordance with the evidence available at this time of the agreement to initiate sanctioning proceedings, in the resolution that is adopted, A.A.A. may be required so that, within a period of 2 months, counting from the date of enforcement of the resolution finalizing this procedure, it proves that it has adopted the following measures:
- Prove that it has established the necessary technical and organizational measures by introducing the changes in its reservation management process, which are necessary to avoid the need to provide a photograph or copy of the traveler's identification document in the PARTEE application or any other system used to formalize the online and in-person check-in process.
- Prove that it has given the necessary instructions to its staff so that they do not require the provision/scanning of copies or photographs of the identification documents.
- Prove that it has proceeded to erase and eliminate the photographs of identification documents that it says it will keep for 3 years for their contribution to the authorities. 
It is noted that the effective application of the appropriate technical and organizational measures must be proven, not only to comply with the regulations, but also to demonstrate compliance before the control authorities and interested parties. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR. It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure. In view of the above, the following
PROPOSED RESOLUTION
FIRST: That the Director of the Spanish Data Protection Agency sanction A.A.A., with NIF ***NIF.1, for an infringement of Article 5.1.c) of the GDPR, classified in Article 83.5.a) of the GDPR, with a fine of €1,500 (ONE THOUSAND FIVE HUNDRED EUROS).
SECOND: That the Director of the Spanish Data Protection Agency order A.A.A., with NIF ***NIF.1, that in accordance with article 58.2.d) of the GDPR, within a period of 2 months, counting from the date of enforceability of the resolution finalizing this procedure, prove that it has adopted the following measures:
- Prove that it has established the necessary technical and organizational measures by introducing the changes in its reservation management process that are necessary to avoid the need to provide a photograph or copy of the traveler's identity document in the PARTEE application or any other system used to formalize the online and in-person check-in process.
- Prove that you have given the necessary instructions to your staff so that they do not require the provision/scanning of copies or photographs of the identity documents. 
- Prove that you have proceeded to erase and eliminate the photographs of the identity documents that you say you will keep for 3 years to provide to the authorities.
THIRD: Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of the present procedure, make the voluntary payment of the proposed fine, which will entail a reduction of 20% of the amount of the fine. With the application of this reduction, the fine would be set at 1,200 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The effectiveness of this reduction will be conditioned to the withdrawal or waiver of any action or appeal in administrative proceedings against the fine. If you choose to make voluntary payment of the amount specified above, in accordance with the provisions of article 85.2 cited above, you must make the payment into the restricted account number IBAN: ES00-0000-0000-0000-0000- 0000-0000 (BIC/SWIFT code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason, due to voluntary payment, for the reduction of the amount of the penalty. You must also send proof of payment to the General Subdirectorate of Inspection to proceed with closing the file.
FOURTH: By virtue of this, you are hereby notified of the above, and the procedure is made clear to you so that within TEN DAYS you may allege whatever you consider in your defense and present the documents and information you consider relevant, in accordance with article 89.2 of the LPACAP.
926-070623
(...) INSTRUCTOR
ANNEX
Index of file EXP202316537
10/22/2023 Claim by B.B.B.
11/13/2023 Extension of claim by B.B.B. 
11/22/2023 Complaint forwarded to POSADA EL AZUFRAL
12/29/2023 Response to request for information from A.A.A. as the data controller of POSADA EL AZUFRAL.
01/09/2024 Communication of admission to process to B.B.B.
05/21/2024 Agreement to initiate sanctioning proceedings against A.A.A. and its notification.
05/31/2024 Communication of initiation of procedure to B.B.B.
06/10/2024 Objections to the Commencement Agreement presented by A.A.A.
>>
SECOND: On October 29, 2024, the respondent party paid the penalty in the amount of 1,200.00 euros, making use of the reduction provided for in the resolution proposal transcribed above.
THIRD: The respondent party has expressly waived any action or appeal through administrative channels against the penalty.
FOURTH: In the draft resolution transcribed above, the facts constituting an infringement were established, and it was proposed that the Director should require the controller to adopt appropriate measures to adjust its actions to the regulations, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”.
BASIS OF LAW
I Competence
In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures."
II Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning procedures" provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is of a purely monetary nature or it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, the voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damages and losses caused by the commission of the infringement.
3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this section may be increased by regulation.”
III Voluntary payment
In accordance with the provisions of the aforementioned article 85 of the LPACAP, the notified resolution proposal allowed the voluntary payment of the proposed sanction, which would entail a 20% reduction of its amount. With the application of this reduction, the sanction would be set at 1,200.00 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
Following the aforementioned resolution proposal, and before the resolution was issued by this authority, the respondent party, on October 29, 2024, made the voluntary payment, accepting the 20% reduction and waiving any action or appeal through administrative channels.
It should be noted that, in accordance with the provisions of the LPACAP, as well as the jurisprudence of the high court in this matter, the exercise of voluntary payment by the alleged responsible party does not exempt the administration from the obligation to resolve and notify all procedures, regardless of their form of initiation. Likewise, article 88 of the aforementioned regulation establishes that the resolution that ends the procedure will decide all the questions raised by the interested parties and any other questions derived from it.
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the commission of the infringements and CONFIRM the sanctions determined in the operative part of the resolution proposal transcribed in this resolution. The sum of the aforementioned amounts gives a total amount of 1,500.00 euros.
Since the respondent party has made prompt payment, although without acknowledging liability, a 20% reduction is applied to the total amount mentioned, in accordance with article 85 of the LPACAP, which gives a final amount of 1,200.00 euros.
SECOND: DECLARE the termination of procedure EXP202316537, in accordance with the provisions of article 85 of the LPACAP.
THIRD: ORDER A.A.A. to notify the Agency, within 2 months from the date this resolution becomes final and enforceable, of the adoption of the measures described in the legal grounds of the proposed resolution transcribed in this resolution.
FOURTH: NOTIFY this resolution to A.A.A.
FIFTH: In accordance with the provisions of article 85 of the LPACAP, which makes the reduction for voluntary payment conditional on the withdrawal or waiver of any action or appeal in administrative proceedings, the present authority accepts the waiver expressly stated by the respondent party, and consequently there is no possibility of filing an optional appeal for reconsideration against this resolution, all without prejudice to the possibility of resorting to the contentious-administrative jurisdiction.
Consequently, taking into account the provisions of article 90 of the LPACAP, since no appeal is possible in administrative proceedings after it has been expressly waived, this resolution will be fully enforceable from the moment of its notification.
However, in accordance with the provisions of article 90.3 a) of the LPACAP, the final decision may be provisionally suspended by administrative means if the interested party states his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by means of a written document addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also send the Agency the documentation that proves the effective lodging of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
1331-15012025
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with art. 48.2 LOPDGDD, due to vacancy in the position of President and Deputy