AEPD (Spain) - PS/00320/2020
AEPD - PS/00320/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(11) GDPR, Article 6(1) GDPR, Article 58(2)(i) GDPR, Article 83(2)(f) GDPR, Article 83(2)(g) GDPR, Article 83(5) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | 6000 EUR |
Parties: | n/a |
National Case Number/Name: | PS/00320/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined an accommodation services company €6000 for signing a contract on behalf of the claimant without their consent.
English Summary
Facts
An action for breach of contract was filed against the claimant. The claimant stated that they only became aware of the contract when the lawsuit was filed, because the respondent (the accommodation company) had signed the contract on the claimant’s behalf without the claimant knowing.
Dispute
Were the actions of the respondent a violation of the GDPR?
Holding
The AEPD held that the actions of the company violated Article 6 GDPR. According to the decision, by acting as the claimant’s personal representative and signing a contract on their behalf without their consent, the company had processed the claimant’s personal data without a lawful ground for doing so.
The AEPD fined the company €6000. They considered the respondent’s lack of cooperation with the AEPD during the investigation of the complaint, and the respondent’s use of the claimant’s basic personal identifiers (name, address and ID number) during the processing, to be aggravating factors in determining the amount of the fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00320/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:
BACKGROUND
FIRST: D. A.A.A., in the name and on behalf of D. B.B.B. (hereinafter, the claimant), filed a claim with the Spanish Agency for Data Protection on April 16, 2020. The claim is directed against Servicio de Alojamientos Responsables, S.L. with NIF B19517911 (hereinafter, the claimed one). The claimant states that, in March 2019, he became aware of the existence of a lawsuit filed against him for breach of a deposit contract supposedly concluded on July 10, 2018, in which the entity denounced claimed the status of his legal representative and signed the contract in his name, without authorization or representation for it. The treatment of the claimant's personal data without legal basis. He provides the deposit contract dated July 10, 2018.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD), which has provided a mechanism, prior to the admission for processing of the claims made before the Spanish Agency for Data Protection, consisting of transferring them to the Data Protection Delegates designated by those responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to them when they have not been designated, the claim presented by the claimant was transferred to the defendant, to proceed with its analysis and respond to this Agency within a month.
Within the framework of file E/03725/2020, by means of a document signed on June 5, 2020, the claim was transferred to the defendant, requesting that, within a month, it send the following information:
1. The decision adopted regarding this claim.
2. In the event of exercise of the rights regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the claimant.
Thus, the defendant was notified electronically on June 9, 2020, as evidenced by the certificate issued by the FNMT that is on file in the proceedings. After the period granted to the claimed one elapsed without a response to the request for information, in accordance with the provisions of article 65.2 of the LOPDGDD, the agreement to admit this claim for processing was signed on September 16 of this year.
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
THIRD: On October 8, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed one for the alleged violation of Article 6.1 of the RGPD, typified in Article 83.5.a) of the RGPD. Said agreement was notified electronically to the claimed one on October 20, 2020.
FOURTH: Formally notified of the initiation agreement, the claimed one has not, at the time of this resolution, submitted a brief of allegations, so the provisions of article 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations apply, which in its section f) establishes that, in case of not making allegations within the established period on the content of the initiation agreement, it may be considered a proposal for resolution when it contains a precise pronouncement about the responsibility imputed, for which a Resolution is issued.
In view of all the actions taken by the Spanish Agency for Data Protection in this proceeding, the following are considered proven facts:
FACTS
FIRST: That the defendant claimed the status of legal representative of the claimant and signed a deposit contract on July 10, 2018 in his name, recording the personal data of the claimant, without authorization or representation for it.
SECOND: It is stated in the deposit contract signed on July 10, 2018, that the claimed one acts as the legal representative of the claimant, acting in the name and on behalf of the claimant, signing on his behalf and providing the claimant's personal data.
THIRD: On October 8, 2020, this sanctioning procedure was initiated for the alleged violation of article 6.1 of the RGPD, and was notified on October 20, 2020. The claimed one has not made any allegations to the initiation agreement.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.
II
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, in its article 4.11 defines the consent of the interested party as “any manifestation of free will, specific, informed and unequivocal, by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns him”.
Article 6.1 of the RGPD establishes the following: 1.
The treatment will only be lawful if at least one of the following conditions is met:
a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;
b) the treatment is necessary for the performance of a contract to which the interested party is a party or for the application, at the latter's request, of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment;
d) the treatment is necessary to protect vital interests of the interested party or of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment;
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that said interests are not overridden by the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions.
In this sense, Article 6.1 of the RGPD establishes that “in accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected party is understood as any manifestation of free will, specific, informed and unequivocal, by which he accepts, either through a statement or a clear affirmative action, the treatment of personal data that concerns him”.
III
According to the available evidence, it is considered that the facts denounced, that is, that the defendant acted as the legal representative of the claimant, intervened in the name and on behalf of the claimant, signing in his name and recording the personal data of the claimant, without any legitimation on the part of the claimed party, constitute an infringement of the principle of legitimation in data processing.
This action means that he processed the personal data of the claimant (name, surnames and D.N.I.) without having legitimacy for the treatment of the claimant's data, thereby violating art. 6 of the RGPD.
Well, with regard to the facts that are the subject of this claim, we must emphasize that the defendant, despite the repeated requests he received from the AEPD to explain the facts to which it relates, never answered or provided any evidence that would allow it to be concluded that the treatment of the claimant's data had been legitimate.
We refer on the matter to the request for information that the AEPD addressed to the defendant within the framework of E/03725/2020, a request whose receipt by him is proven (certificate issued by the FNMT) to have taken place on June 9, 2020. However, no response was received and on September 16 of this year the claim was admitted for processing.
This reminder, limited to the violation of article 6.1 of the RGPD, is intended to make clear that the respondent has had ample opportunities to provide evidence or documents certifying that, contrary to the statements and documentary evidence provided by the claimant, the data processing that is the subject of the assessment in this case complied with the Law.
Likewise, the Agreement to initiate this procedure was notified electronically on October 20, 2020, without the claimed one submitting allegations.
The lack of diligence displayed by the entity in complying with the obligations imposed by the regulations for the protection of personal data is thus obvious. Diligent compliance with the principle of legality in the treatment of third-party data requires that the person responsible for the treatment be in a position to prove it (principle of proactive responsibility).
In short, there is evidence in the file that the defendant treated the personal data of the claimant without legitimacy for it.
The behavior described violates article 6.1 of the RGPD and is subsumable in the sanctioning type of article 83.5.a) of the RGPD.
IV
Article 72.1.b) of the LOPDGDD states that “in accordance with what is established in Article 83.5 of Regulation (EU) 2016/679, infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:
c) The processing of personal data without any of the conditions of legality of the treatment in article 6 of Regulation (EU) 2016/679.”
V
Article 58.2 of the RGPD provides the following: “Each control authority will have all of the following corrective powers listed below:
b) sanction any person responsible or in charge of the treatment with a warning when the processing operations have violated the provisions of this Regulation;
d) order the person in charge of the treatment to bring the treatment operations into conformity with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;
i) impose an administrative fine in accordance with article 83, in addition to or in place of the measures mentioned in this section, depending on the circumstances of each particular case;”
VI
This offense can be sanctioned with a fine of up to €20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the higher amount, in accordance with article 83.5 of the RGPD.
Likewise, it is considered that the sanction to be imposed should be graduated according to the following criteria established in article 83.2 of the RGPD:
As aggravating factors the following:
- The lack of any cooperation with the AEPD in order to remedy the infraction and mitigate its effects (article 83.2.f of the RGPD).
- Basic personal identifiers (name, surname, address, D.N.I.) (article 83.2.g).
Therefore, in accordance with the applicable legislation and the criteria for graduating the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE on SERVICIO DE ALOJAMIENTOS RESPONSABLES, S.L., with NIF B19517911, for a violation of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 6,000 euros (six thousand euros).
SECOND: NOTIFY this resolution to SERVICIO DE ALOJAMIENTOS RESPONSABLES, S.L.
THIRD: Warn the sanctioned person that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection at the bank CAIXABANK, S.A. Otherwise, it will be collected in the executive period.
Once the notification has been received and the resolution is enforceable, if the enforceability date falls between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment will be the 20th day of the following month or the immediately subsequent business day, and if it falls between the 16th and the last day of each month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately subsequent business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day after notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.
Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution in administrative channels may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. He must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection