AEPD (Spain) - PS/00177/2021

From GDPRhub
Revision as of 12:28, 7 July 2021 by SR (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD (Spain) - PS/00177/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 10.06.2021
Published: 14.06.2021
Fine: 2000 EUR
Parties: INMOPISO ZARAGOZA, S.L.
National Case Number/Name: PS/00177/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined a real estate company €2000, reduced to €1200, for failing to provide the information required by Article 13 GDPR when entering into a contract with a data subject.

English Summary

Facts

A data subject filed a complaint before the Spanish DPA (AEPD) against a real state company, that had allegedly not provided the information required by Article 13 GDPR when they formalized the first payment for an apartment, for which the data subject had provided personal data.

Holding

The AEPD determined that the collection of data for entering a real state contract entails processing of personal data. Therefore, the controller had the obligation to provide the information required by Article 13 GDPR. However, the controller had not provided the data subject such information. The controller only mentioned the former Data Protection Act from 1999, and did not inform about the rights that the data subject is entitled to under the GDPR.

Hence, the AEPD fined the controller €2000, reduced to €1200 because of an early payment and recognition of responsibility, for a violation of Article 13 GDPR. In order to determine the amount of the fine, the DPA took into account, the absence of previous sanctions on the controller, the lack of benefit obtained by the controller and the small size of the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/12








     Procedure No.: PS / 00177/2021


RESOLUTION R / 00450/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                   VOLUNTARY

In the sanctioning procedure PS / 00177/2021, instructed by the Spanish Agency for

Data Protection to INMOPISO ZARAGOZA, S.L., considering the complaint presented by
A.A.A., and based on the following,

                                 BACKGROUND


FIRST: On May 27, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning procedure to INMOPISO
ZARAGOZA, S.L. (hereinafter, the claimed), through the Agreement that is transcribed:


<<





Procedure No.: PS / 00177/2021



           AGREEMENT TO START THE SANCTIONING PROCEDURE




Of the actions carried out by the Spanish Agency for Data Protection and in
based on the following




                                     FACTS




FIRST: A.A.A. (hereinafter, the claimant) dated December 16, 2020
filed a claim with the Spanish Data Protection Agency.




The claim is directed against INMOPISO ZARAGOZA, S.L. with NIF B99514218 (in
forward, the claimed one).




The grounds on which the claim is based are that the claimant has provided a
signal for the acquisition of a home and they have not provided any information in



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12








data protection matter on the processing of personal data
provided.




SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 06637/2020, a transfer of
said claim to the defendant on February 14, 2021, to proceed with its

analysis and inform this Agency within a month, of the actions taken
carried out to adapt to the requirements provided in the data protection regulations.




This Agency receives the allegations of the defendant on March 18, 2021, but in
they are found to refer to the old organic law on data protection
15/1999, currently repealed, and the information requirement is not met

established in article 13 of the RGPD.






                            FOUNDATIONS OF LAW



                                             I


By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the

European Parliament and of the Council of April 27, 2016, regarding the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data (General Data Protection Regulation, hereinafter

RGPD) recognizes each control authority, and as established in the articles
47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Data Protection

Personal and digital rights guarantee (hereinafter LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to initiate
this procedure.



Article 63.2 of the LOPDGDD determines that: “The procedures processed by the
Spanish Data Protection Agency shall be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in their development and, as long as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "


                                             II

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3








Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of April 27, 2016, regarding the protection of natural persons in what

Regarding the processing of personal data and the free circulation of these data
(General Data Protection Regulation, hereinafter RGPD), under the rubric
"Definitions", provides that:

"For the purposes of these Regulations, the following shall be understood as:

1) "personal data": any information about an identified natural person or

identifiable ("the interested party"); an identifiable natural person shall be considered any person
whose identity can be determined, directly or indirectly, in particular by means of
an identifier, such as a name, an identification number, data from

location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;

2) "treatment": any operation or set of operations carried out on
personal data or personal data sets, whether by procedures

automated or not, such as collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of authorization of

access, collation or interconnection, limitation, deletion or destruction; "

Therefore, in accordance with these definitions, the collection of character data
personal on the occasion of the formalization of a contract, constitutes a treatment of
data, with respect to which the person responsible for the treatment must comply with the

provided for in article 13 of the RGPD, providing the information that in said precept
indicated.

In relation to this matter, it is observed that the Spanish Agency for the Protection of
Data is available to citizens, the Guide for the fulfillment of duty

to inform (https://www.aepd.es/media/guias/guia-modelo-clausula-informativa.pdf) and,
in case of low-risk data processing, the free tool
Facilitates (https://www.aepd.es/herramdamientos/facilita.html).

                                             III

Article 13 of the RGPD, precept in which the information that must

provided to the interested party at the time of data collection, provides:

  "1.When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, of their

representative;

b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined and the legal basis

of the treatment;

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12








d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person in charge or of a third party;

e) the recipients or categories of recipients of personal data, in their

case;

f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the

Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.

2. In addition to the information mentioned in section 1, the person responsible for the

treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:

a) the period during which the personal data will be kept or, when it is not

possible, the criteria used to determine this deadline;

b) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability

of the data;

c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the

consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a

necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not

provide such data;
f) the existence of automated decisions, including profiling, to be

referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences

provided for said treatment for the interested party.
3.When the data controller plans the further processing of data

personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information on that other purpose

and any additional relevant information pursuant to section 2.
4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the

to the extent that the interested party already has the information ”.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12








For its part, article 11 of the LOPDGDD, provides the following:

"1. When personal data is obtained from the affected party, the person responsible for the
treatment may comply with the duty of information established in article

13 of Regulation (EU) 2016/679, providing the affected party with basic information to the
referred to in the following section and indicating an email address or other
means that allows easy and immediate access to the rest of the information.

2. The basic information referred to in the previous section must contain, at the

less:

a) The identity of the person responsible for the treatment and their representative, if applicable.
b) The purpose of the treatment.

c) The possibility of exercising the rights established in articles 15 to 22 of the

Regulation (EU) 2016/679.

If the data obtained from the affected party were to be processed for the preparation of
profiles, the basic information will also include this circumstance. In this
In this case, the affected party must be informed of their right to oppose the adoption of

automated individual decisions that produce legal effects on him or her
significantly affect in a similar way, when this right to agree
with the provisions of article 22 of Regulation (EU) 2016/679. "

                                            IV

By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for

Data Protection, as a control authority, has a set of
corrective powers in the event of an infringement of the precepts of the
GDPR.

Article 58.2 of the RGPD provides the following:

“2 Each supervisory authority shall have all the following corrective powers

listed below:

(…)
b) direct a warning to any person in charge or in charge of the treatment when the

treatment operations have infringed the provisions of this Regulation; "

(...)

“D) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period; "

“I) impose an administrative fine in accordance with article 83, in addition to or instead of

the measures mentioned in this section, according to the circumstances of each
particular case;"

Article 83.5.b) of the RGPD establishes that:

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12








 "Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for

the highest amount:

 b) the rights of the interested parties in accordance with articles 12 to 22; "

In turn, article 74.a) of the LOPDGDD, under the heading "Violations considered
mild provides:


 "They are considered minor and will prescribe a year the remaining offenses of character

merely formal of the articles mentioned in sections 4 and 5 of article 83
of Regulation (EU) 2016/679 and, in particular, the following:

a) Failure to comply with the principle of transparency of information or the right
of the data subject for not providing all the information required by the articles

13 and 14 of Regulation (EU) 2016/679. "

                                            V


In this case, it is stated that the information provided to the claimant by
of the claimed, in relation to the processing of personal data on the occasion of the
formalization of the contract object of this procedure, is obsolete, since it indicates that

is governed by organic law 15/1999 on data protection, currently regulation
repealed and does not include, among other aspects, the rights recognized in article 13
of the RGPD, indicated in the basis of law III.





This being the case, in accordance with the evidence available at present
moment of agreement of initiation of the sanctioning procedure, and without prejudice to what
result of the investigation, the facts presented could constitute, on the part of the

claimed, an infringement of the provisions of article 13 of the RGPD.




                                            SAW


In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:




"Each control authority will guarantee that the imposition of administrative fines
in accordance with this article for infringements of this Regulation
indicated in sections 4, 9 and 6 are effective in each individual case,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12








proportionate and dissuasive. "



"Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the

Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that
have suffered;


b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to
mitigate the damages and losses suffered by the interested parties;

d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;


 f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what
measure;

i) when the measures indicated in article 58, paragraph 2, have been ordered

previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or

indirectly, through the offense. "


Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
"Sanctions and corrective measures", provides:

"two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:


a) The continuing nature of the offense.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8








b) The linking of the activity of the offender with the performance of treatment of
personal information.


c) The benefits obtained as a result of the commission of the offense.

d) The possibility that the affected person's conduct could have induced the commission
of the offense.


e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.

f) Affecting the rights of minors.

g) Have, when not mandatory, a data protection officer.


h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "


In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, for the purpose of setting the amount of the fine
impose in the present case the claimed entity as responsible for a
infraction typified in article 83.5.b) of the RGPD, in an initial assessment,
the following mitigating factors are considered concurrent:


- The claimed has no prior infractions (83.2 e) RGPD).

- Has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD).

- The claimed entity is not considered a large company.


The penalty to be imposed on the claimed person should be graduated and set at the amount of € 1,500
for the violation of article 58.2 of the RGPD.



Therefore, based on the foregoing,



By the Director of the Spanish Data Protection Agency,










HE REMEMBERS:



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12








FIRST: INITIATE SANCTIONING PROCEDURE to INMOPISO ZARAGOZA,
S.L. with NIF B99514218, in accordance with the provisions of article 58.2.b) of the

RGPD, for the alleged infraction 13 of the RGPD, typified in article 83.5.b) of the
GDPR
SECOND: APPOINT R.R.R. as Instructor and as Secretary to S.S.S.,

indicating that any of them may be challenged, if applicable, in accordance with the
established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Public Sector Legal (LRJSP).

THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and the documents obtained and generated
by the Subdirectorate General for Data Inspection in relation to said
claim; all of them are part of the file.



FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the

The corresponding penalty would be 2,000 euros (two thousand euros), without prejudice
of what results from the instruction.




FIFTH: NOTIFY this agreement to INMOPISO ZARAGOZA, S.L. with NIF
B99514218, granting him a hearing period of ten business days to formulate

the allegations and present the evidence that it deems appropriate. In his writing of
allegations, you must provide your NIF and the procedure number that appears in the
heading of this document.




If within the stipulated period it does not make allegations to this initiation agreement, the same
may be considered a resolution proposal, as established in article

64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, in the event that the
penalty to be imposed would be a fine, you may recognize your responsibility within the

term granted for the formulation of allegations to the present initiation agreement; it
which will entail a reduction of 20% of the penalty to be imposed in
the present procedure. With the application of this reduction, the sanction would be

established at 1600 euros, resolving the procedure with the imposition of this
sanction.






C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12








In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a reduction of 20% of its amount. With the application of this reduction,
the penalty would be established at 1600 euros and its payment will imply the termination of the

process.



The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount

in the preceding paragraph, it may be done at any time prior to the resolution. On
In this case, if both reductions should be applied, the amount of the penalty would be

set at 1200 euros.



In any case, the effectiveness of either of the two mentioned reductions will be

conditioned to the withdrawal or resignation of any action or remedy in
administrative against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts
indicated above 1,600 or 1,200 euros, you must make it effective through your
deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the

Spanish Agency for Data Protection in Banco CAIXABANK, S.A., indicating
in the concept the reference number of the procedure that appears in the
heading of this document and the cause of reduction of the amount to which

welcomes.




Likewise, you must send the proof of admission to the Subdirectorate General of
Inspection to continue the procedure according to the quantity
entered.




The procedure will have a maximum duration of nine months from the date of
date of the initiation agreement or, where appropriate, the draft initiation agreement.

After this period, its expiration will occur and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.





C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12








Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.






Mar Spain Martí


Director of the Spanish Agency for Data Protection






>>

SECOND: On June 9, 2021, the defendant has proceeded to pay the
sanction in the amount of 1200 euros making use of the two planned reductions

in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal in the process

administrative against the sanction and the recognition of responsibility in relation to
the facts to which the Initiation Agreement refers.

                            FOUNDATIONS OF LAW


                                             I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in

hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and

38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.

                                             II


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,

the procedure may be resolved with the imposition of the appropriate sanction.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12








2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the

inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.


3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of

any action or appeal in administrative proceedings against the sanction.

The percentage of reduction foreseen in this section may be increased
regulations.


In accordance with the above, the Director of the Spanish Agency for the Protection of
Data RESOLVES:

FIRST: DECLARE the termination of procedure PS / 00177/2021, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to INMOPISO ZARAGOZA, S.L ..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the

National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.



                                                                                 936-031219
Mar Spain Martí
Director of the Spanish Agency for Data Protection











C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es