AEPD (Spain) - EXP202411409
AEPD - EXP202411409 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 03.11.2024 |
Decided: | 25.02.2025 |
Published: | 03.04.2025 |
Fine: | 120,000 EUR |
Parties: | Servicios Especiales S.A. |
National Case Number/Name: | EXP202411409 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | cwa |
An employer was fined €120,000 for failing to protect the identity of the complainants and the accused in a workplace harassment complaint in violation of Article 5(1)(f) GDPR.
English Summary
Facts
In April 2024, the data subjects, along with four coworkers, made claims of workplace harassment against ten of their colleagues.
The Spanish Works Committee requested that their employer, Servicios Especiales S.A. (data controller), initiate a labour harassment protocol with the complainants and the accused.
In July 2024, the controller informed the Works Committee of the resolutions to each of the complaints, attaching the resolution in each case. The controller also forwarded these resolutions to each of the complainants and the accused, without redacting or anonymising the attachments.
This resulted in each of the complainants and the accused receiving details of each complaint made, including their name and surname, their job, as well as the position they had reported.
One of the accused then posted a message in a work WhatsApp group that read “Thank you for the complaint” with a kissing emoji. As a result, one of the complainants suffered an anxiety attack and had to take medical leave.
In another WhatsApp group, a copy of the email was shared, revealing the names of both the complainants and the accused in the workplace harassment claim.
In August 2024, two of the complainants to the harassment claim filed a complaint with the AEPD.
During the course of the investigation, the controller argued that all parties were aware of the identities of those who complained and those who were accused.
Holding
The AEPD (Spanish DPA) launched their investigation in November 2024.
The DPA found that the controller had infringed Article 5(1)(f) GDPR in failing to ensure appropriate security of the personal data undergoing processing.
In considering the appropriate sanction, the DPA noted the seriousness of the personal data in question, as well as the sensitivity of the context. The DPA found a high degree of negligence on the part of the controller.
The DPA initially set the fine at €200,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may acknowledge its responsibility for the alleged violations and/or make a voluntary payment of the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €120,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/15 File No.: EXP202411409 RESOLUTION TERMINATING THE PROCEDURE FOR RECOGNITION OF LIABILITY AND VOLUNTARY PAYMENT From the procedure initiated by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On February 25, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against SERVICIOS ESPECIALES, S.A. (hereinafter, SERVICIOS ESPECIALES), by means of the agreement transcribed below: << File No.: EXP202411409 AGREEMENT TO INITIATE SANCTIONING PROCEDURE Regarding the actions taken by the Spanish Data Protection Agency and based on the following FACTS FIRST: On August 3, 2024 and August 6, 2024, Ms. A.A.A., with National Identity Document No. ***NIF.1 (complainant 1) and Mr. B.B.B., with National Identity Document No. ***NIF.2 (complainant 2), filed separate complaints with the Spanish Data Protection Agency. The complaints are directed against SERVICIOS ESPECIALES, S.A., with National Identity Document No. A11001450 (hereinafter, the respondent). The grounds for the claim are as follows: Complainant 1 indicates that the respondent company has published that she is a complainant in a workplace harassment case, disclosing her first and last name along with the word "complainant." On April 15, 2024, the Works Council requested that the company open a workplace harassment protocol for a series of events. The complainant detailed the facts concerning her via email from her personal address to the Investigative Committee, with whom she conducted several interviews. The complainant reports that the company opened a harassment protocol on May 6, 2024, with 5 complainants and 10 defendants. On July 31, 2024, the company sent an email to the Works Council informing them that it had concluded the investigation. It attached the resolution to each of the complainants, a total of five. 
This resolution revealed the identity of each of the complainants, including their full names and positions, as well as the positions of the accused, including that of the complainant. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/15 The complainant stated that the Works Council was forwarding the email with its resolution. At the same time, the company sent the same resolutions (identifying the complainants and the accused) to the entire list of people, making them clearly identifiable (15 people in total). The complainant states that the entire workplace knows that she is one of the complainants and knows the accused, which led one of the accused to post a kiss emoji and the phrase "Thank you for the complaint" in a work WhatsApp group on the same day the resolution was announced. The complainant indicates that she suffered an anxiety attack that same day, resulting in sick leave. The complainant states that, in another WhatsApp group, a third party reports that an email has been sent out detailing the names of the complainants and accused, violating the supposed confidentiality of the complainant's information. The complainant argues that she did not authorize the disclosure of her identity. She provides: a) complaint letter to the AEPD, dated 08/03/2024; b) Email from an employee of the complainant company to the works council reporting the closure of the investigation into the harassment complaint filed by them, notifying the closure of the five complainant files, dated July 31, 2024; c) Email from the works council to a union, notifying the closure of the five complainant files, dated August 2, 2024; d) Letter from the Investigative Committee on behalf of the complainant, identifying the five complainants and the 10 defendants, dated July 31, 2024; e) Two screenshots of conversations from two work WhatsApp groups, with an unspecified date. 
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), on August 12, 2024, the respondent was notified of this complaint so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations. The notification, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), was received on August 13, 2024, as recorded in the acknowledgment of receipt included in the file. In response to the aforementioned notification dated September 13, 2024, the respondent party has stated the following in summary: first, it presents a chronological account of the events and, after analyzing the matter from a data protection perspective, concludes that it is not possible to establish a violation of the legislation in this matter, for the reason that all interested parties were perfectly aware of all the identities of those affected from the outset. However, the respondent party acknowledges in its protocols that it protects the confidentiality invoked by any person with the right to file a complaint with the company. Furthermore, it is the first party interested in using all means at its disposal to pacify and resolve a conflict in which it is not a party, seeking in all cases to restore full labor peace as soon as possible, which is its only interest at stake; To this end, all measures deemed appropriate have been adopted to prevent, or at least hinder, the recurrence of this situation in the future. The respondent also pointed out that a significant fact was that the complaint that initiated the internal procedure was filed by the works council without invoking the complainants' right to anonymity, nor did they request it. 
The respondent has decided to adopt preventive and remedial measures: among the former, an information program and a specific seminar for the members who are to serve on the various committees on the scope of the rights of interested parties, including the protection of personal data. The latter, an apology has been approved and sent to those affected, explaining what happened and ratifying the internal policy of maximum confidentiality. THIRD: On 11/03/2024, in accordance with Article 65 of the LOPDGDD (Spanish Data Protection Act), the claim filed by the complainant was admitted for processing. FOURTH: According to the report collected from the AXESOR tool, the entity SERVICIOS ESPECIALES, S.A. is a company established in 1951, with a turnover of ***AMOUNT.1 in 2023. LEGAL BASIS I Jurisdiction In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of the LOPDGDD (Spanish Data Protection Act), the President of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. II Procedure Likewise, Article 63.2 of the LOPDGDD establishes that: "Procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures." In accordance with Article 64 of the LOPDGDD, and taking into account the characteristics of the alleged violation, a sanctioning procedure shall be initiated. The procedure shall last a maximum of twelve months from the date of the initiation agreement. After this period, the proceedings will expire and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD. 
If no objections are made to this initial resolution within the stipulated period, it may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). III Preliminary Questions Article 4(1) of the GDPR defines "personal data" as: "any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." Article 4(2) of the GDPR defines “processing” as: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Article 4(7) of the GDPR defines “controller” or “controller” as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.” In turn, Article 4.8 of the GDPR defines the "processor" or "processor" as the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the data controller. 
In the present case, in accordance with the provisions of Articles 4.1 and 4.2 of the GDPR, it is established that personal data are being processed, since the respondent carries out, among other processing operations, the collection and storage of personal data of natural persons: name, surname, job title, among others. The respondent carries out this activity in its capacity as data controller, given that it is the party that determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR. IV Breached Obligation: Violation of Article 5.1.f) of the GDPR The facts revealed in the complaint are that, during a workplace harassment procedure in which the complainant is the complainant, the respondent sent the resolutions closing the procedure in such a way that both the complainants and the accused had access to each other's identities, which could violate personal data protection regulations. Article 5 of the GDPR, "Principles relating to processing," establishes in its section 1, letter f) that: "1. Personal data shall be: (…) f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical or organizational measures ("integrity and confidentiality")." (…)” The documentation in the file provides clear evidence that the respondent violated Article 5 of the GDPR, principles relating to processing, by allowing access to personal data in violation of their confidentiality. This meant that the parties to the proceedings, both complainants and defendants, had access to each other's identities. 
In the present case, the facts in question led to the transfer of the harassment complaint letter to the members of the Harassment Investigation Committee on May 3, 2024, in order to proceed with the actions deemed appropriate, resulting from the "Protocol for the prevention and action against psychological harassment and discriminatory harassment in the company." The complaint identified those responsible for alleged conduct that could be considered susceptible to harassment under the terms established in the aforementioned protocol, which is why the Investigative Committee has carried out the corresponding inquiries to clarify the complaint. After the procedure was initiated and following the investigations carried out, the Investigative Committee issued a report concluding that the complaint could not be classified as workplace harassment. The aforementioned report contains the identifying details of the complainants and the accused.
The complainant, in its letter dated August 3, 2024, stated that "On Wednesday, July 31, 2024, the company sent an email to the Works Council (attached as Document No. 1), concluding the investigation, attaching the resolution to each of the complainants, a total of 5, thus revealing the identity of each of the complainants, stating their full names, positions, and the positions they held and those accused of, including mine. It was the Works Council's own email that forwarded the email to me with my resolution. At the same time, the company sent the same resolutions (identifying the complainants and the accused) to the entire list of people, making them clearly identifiable. A total of 15 people." 
The respondent, in its response dated September 13, 2024, acknowledged that, in relation to the incident, "While it is true that Servisa includes in its internal guidelines the protection of confidentiality in the processing of these types of cases, the reality surrounding this procedure is that there was not, in fact, even the mere possibility of a lack of identity for the reasons already indicated, which are otherwise obvious." Therefore, it is clear that, after the processing of the workplace harassment procedure in the company, the respondent party submitted the resolution of the procedure in such a way that all the complainants and those accused had access to each other's identities, thus compromising their identity and the confidentiality of their data. Based on the available evidence, it is considered that the facts complained of could constitute an infringement attributable to the respondent party, for violation of Article 5.1.f) of the GDPR. V Classification of the violation of Article 5.1.f) of the GDPR and classification for the purposes of statute of limitations Based on the evidence available and without prejudice to the outcome of the investigation, it is considered that the respondent did not adequately guarantee the confidentiality of personal data. The infringement attributed to the entity is defined in Article 83.5 a) of the GDPR, which considers that the infringement of "the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9" is punishable, in accordance with Section 5 of the aforementioned Article 83 of the aforementioned Regulation, "with administrative fines of a maximum of €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher." 
The LOPDGDD (Organic Law on the Protection of Personal Data) in its Article 71, Infractions, states that: "The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infractions." And in its Article 72, it considers the following for the purposes of the statute of limitations: “Infractions considered very serious: 1. In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, the following are considered very serious and will be subject to a three-year statute of limitations: (…) a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (…)”
VI Proposed sanction for violation of Article 5.1.f) of the GDPR
In order to establish the administrative fine to be imposed, the provisions contained in Articles 83.1 and 83.2 of the GDPR must be observed, which state: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each individual case, effective, proportionate, and dissuasive. 2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or alternative measure to the measures provided for in Article 58(2)(a) to (h) and (j). 
When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
(a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage and/or harm suffered by them;
(b) the intentionality or negligence involved in the infringement;
(c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous breaches committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority to remedy the breach and mitigate the potential adverse effects of the breach;
(g) the categories of personal data affected by the breach;
(h) the manner in which the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;
(i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.
In relation to letter k) of Article 83.2 of the GDPR, the LOPDGDD, in its Article 76, "Sanctions and corrective measures," establishes that: "2. 
In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuous nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a result of the infringement. d) The possibility that the affected party's conduct could have led to the infringement. e) The existence of a merger by absorption subsequent to the infringement, which cannot be attributed to the acquiring entity. f) The impact on the rights of minors. g) The availability of a data protection officer, when not mandatory. h) The submission of the data controller or commissioned, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party." In the present case, considering the seriousness of the potential violation, paying special attention to the consequences that its commission has on those affected, a fine would be appropriate, in addition to the adoption of measures, if appropriate. The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, the respondent's turnover, which in fiscal year 2023 amounted to ***AMOUNT.1, is considered as a preliminary consideration. 
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available in the decision to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered appropriate to grade the sanction to be imposed according to the following circumstances, contemplated in the aforementioned provisions:
The nature and severity of the violation, as it must be taken into account that the processing carried out allowed access to the personal data of the complainants and defendants in a workplace harassment case, and, therefore, the severity of the conduct revealed in this type of procedure (Article 83.2.a) of the GDPR).
The intentionality or negligence in the violation. A lack of diligence is observed in compliance with the obligations imposed by data protection regulations, by allowing access to personal data, violating its confidentiality; in this regard, we can cite the SAN of 10/17/2007, which, although issued before the GDPR came into force, its ruling is perfectly applicable to the case we are analyzing. The ruling, after alluding to the fact that entities whose activities involve continuous processing of client and third-party data must observe an adequate level of due diligence, specified that "(...) the Supreme Court has held that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required due diligence. In assessing the degree of due diligence, the professionalism of the individual must be especially considered, and there is no doubt that, in the case under consideration, when the appellant's activity involves constant and extensive handling of personal data, rigor and exquisite care must be emphasized to comply with the legal provisions in this regard" (Article 83.2, b) of the GDPR). 
The degree of negligence in this case is considered high, given the nature of the personal data revealed (being the complainant or accused in a workplace harassment case) and the special confidentiality requirements that must be respected in workplace harassment proceedings. For the purposes of deciding on the fine and its amount, in accordance with the available evidence, taking into account the criteria of Article 83.2 of the GDPR regarding the violation committed, a violation of Article 5.1.f) of the GDPR, a fine of €200,000 is considered appropriate.
VII Corrective Measures
If the violation is confirmed, the resolution issued may establish the corrective measures that the offending entity must adopt to put an end to the breach of personal data protection legislation, in this case Article 5.1.f) of the GDPR, in accordance with the provisions of the aforementioned Article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period..." Thus, the responsible entity may be required to bring its actions into compliance with personal data protection regulations, within the scope expressed in the previous Legal Basis. This document establishes the alleged violation committed and the facts that could give rise to this potential violation of data protection regulations. From this, it is clear what measures to be adopted, without prejudice to the specific type of procedures, mechanisms, or instruments to implement them being the responsibility of the sanctioned party, since the data controller is fully familiar with their organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD. 
However, in this case, regardless of the foregoing, in accordance with the evidence currently available regarding the agreement to initiate sanctioning proceedings, the resolution adopted may require the respondent party to adopt appropriate measures within 3 months from the date of enforcement of the resolution finalizing this procedure to ensure the confidentiality of personal data, in accordance with the provisions of Article 5.1.f) of the GDPR and within the scope expressed in the previous Legal Basis. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in Article 83.2 of the GDPR. Please be advised that failure to comply with the possible order to adopt measures imposed by this body in the resolution of this sanctioning procedure may be considered an administrative infraction pursuant to the provisions of the GDPR, classified as an infraction in Articles 83.5 and 83.6, and such conduct may lead to the opening of a subsequent administrative sanctioning procedure. Please also note that neither the acknowledgment of the infraction committed nor, where applicable, the voluntary payment of the proposed amounts exempts you from the obligation to adopt the relevant measures to cease the conduct or correct the effects of the infraction committed, nor from the obligation to prove compliance with this obligation to this Spanish Data Protection Agency. Therefore, in light of the foregoing, By the President of the Spanish Data Protection Agency, IT IS HEREBY AGREED: FIRST: TO INITIATE SANCTIONING PROCEDURE against SERVICIOS ESPECIALES, S.A. with NIF A11001450, for the alleged violation of Article 5.1.f) of the GDPR, as defined in Article 83.5.a) of the GDPR. SECOND: APPOINT R.R.R. as Instructor and S.S.S. 
as Secretary, indicating that either of them may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/15 obtained and generated during the admission phase; all of these documents are part of the file. FOURTH: THAT for the purposes provided for in Article 64.2 b) of Law 39/2015, of October 1, and Article 58.2.b) of the GDPR, the sanction that may be imposed for the violation of Article 5.1.f) of the GDPR would be €200,000 (two hundred thousand euros), without prejudice to the outcome of the investigation. FIFTH: NOTIFY this Agreement to SERVICIOS ESPECIALES, S.A. with Tax Identification Number (NIF) A11001450, expressly informing it of its right to a hearing in the proceedings and granting it a period of TEN BUSINESS DAYS to submit any allegations and propose any evidence it deems appropriate. In its written allegations, it must provide its Tax Identification Number (NIF) and the procedure number shown in the heading of this document. In accordance with the provisions of Article 85 of the LPACAP (Spanish Civil Code), it may acknowledge liability within the period granted for submitting allegations to this initiation agreement; this will result in a 20% reduction in the sanction to be imposed in this proceeding. With the application of this reduction, the sanction would be set at €160,000 (one hundred and sixty thousand euros), and the procedure would be resolved with the imposition of this sanction. Likewise, the applicant may, at any time prior to the resolution of this procedure, voluntarily pay the proposed penalty, which will result in a 20% reduction in its amount. 
With the application of this reduction, the penalty would be set at €160,000 (one hundred and sixty thousand euros), and its payment will result in the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for voluntary payment of the penalty is cumulative with the reduction that must be applied for acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for submitting allegations upon opening the procedure. Voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the penalty would be set at €120,000 (one hundred and twenty thousand euros). In any case, the effectiveness of either of the two aforementioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. For these purposes, if you choose either of them, you must send the Subdirectorate General for Data Inspection express notification of your withdrawal or waiver of any administrative action or appeal against the sanction. If you choose to voluntarily pay any of the amounts indicated above (€160,000 or €120,000), you must do so by depositing it into account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/15 item the reference number of the procedure that appears in the heading of this document and the reason for the reduction in the amount you are applying for. Likewise, you must send proof of payment to the Subdirectorate General of Inspection, along with the notification of withdrawal or waiver of any administrative action or appeal against the penalty in order to continue with the procedure in accordance with the amount paid. 
In compliance with Articles 14, 41, and 43 of the LPACAP, you are advised that, from now on, notifications sent to you will be sent exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es). If you do not accept them, your rejection will be recorded in the file, the step will be considered complete, and the procedure will continue. You are informed that you can provide this Agency with an email address to receive a notice when notifications are made available. Failure to do so will not prevent the notification from being considered fully valid.
Finally, it is noted that, pursuant to Article 112.1 of the LPACAP, no administrative appeal may be filed against this act.
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with Article 48.2 of the LOPDGDD (Spanish Data Protection Act), due to a vacancy in the position of President and Deputy President >>
SECOND: On March 4, 2025, SERVICIOS ESPECIALES proceeded to pay the fine in the amount of €120,000.00, making use of the two reductions provided for in the initiation agreement transcribed above, which implies acknowledgment of liability in relation to the events referred to in the initiation agreement and their legal classification.
THIRD: The initiation agreement transcribed above indicated that, if the infringement was confirmed, it could be agreed that the controller would be required to adopt appropriate measures to bring its actions into compliance with the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period...".
Responsibility for the infringement having been acknowledged, the measures included in the initiation agreement may be imposed.
LEGAL BASIS
I Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."
II Termination of the Procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of Sanctioning Procedures" provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be terminated with the imposition of the appropriate sanction.
2. When the sanction is solely monetary in nature, or when a monetary sanction and a non-monetary sanction may be imposed, but the inadmissibility of the latter has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will entail the termination of the procedure, except with regard to restoring the altered situation or determining compensation for damages caused by the commission of the offense.
3. In both cases, when the sanction is solely monetary in nature, the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be combined. These reductions must be specified in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction. The percentage reduction provided for in this section may be increased by regulation."
III Voluntary Payment and Acknowledgment of Liability
In accordance with the provisions of the aforementioned Article 85 of the LPACAP, the notified initiation agreement set out the possibility of acknowledging liability and voluntarily paying the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the penalty would be set at €120,000.00, and its payment would imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
Following notification of the aforementioned initiation agreement, SERVICIOS ESPECIALES has proceeded to acknowledge liability and voluntarily pay the penalty, taking advantage of the two planned reductions.
Pursuant to section 3 of Article 85 of the LPACAP, the effectiveness of the aforementioned reductions will be conditional on the withdrawal or waiver of any administrative action or appeal against the penalty.
It should be noted that, in accordance with the provisions of the LPACAP, as well as the Supreme Court's jurisprudence on this matter, the exercise of voluntary payment by the alleged liable party does not exempt the administration from the obligation to resolve and notify all proceedings, regardless of their form of initiation.
Similarly, Article 88 of the aforementioned law establishes that the resolution that concludes the procedure will decide all issues raised by the interested parties and any other issues arising from it.
Therefore, in accordance with applicable legislation and having assessed the criteria for the grading of sanctions, the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the commission of the violations and CONFIRM the sanctions determined in the operative section of the initiation agreement transcribed in this resolution. The sum of the aforementioned amounts results in a total of €200,000.00. After SERVICIOS ESPECIALES, S.A. has made prompt payment and acknowledged liability, pursuant to Article 85 of the LPACAP, the aforementioned total is reduced by 40%, resulting in the final amount of €120,000.00. The effectiveness of the aforementioned reductions is conditioned, in all cases, on the withdrawal or waiver of any action or appeal through administrative channels.
SECOND: DECLARE the termination of procedure EXP202411409, in accordance with the provisions of Article 85 of the LPACAP.
THIRD: ORDER SERVICIOS ESPECIALES, S.A. to notify the Agency within 3 months of this resolution becoming final and enforceable of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution.
FOURTH: NOTIFY this resolution to SERVICIOS ESPECIALES, S.A.
FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment and acknowledgment of liability on the withdrawal or waiver of any action or appeal in administrative proceedings, this resolution will become final in administrative proceedings and fully enforceable upon notification.
In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.
Against this resolution, which terminates the administrative process as provided for in Art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
However, in accordance with the provisions of Article 90.3.a) of the LPACAP, a final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also forward to the Agency the documentation proving the effective filing of the administrative appeal. If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.
1259-260325
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es