AEPD (Spain) - EXP202206542
AEPD - PS-00357-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1) GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 18.01.2023 |
Published: | |
Fine: | 2000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00357-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | 1917 |
The Spanish DPA fined a private detective €2,000 for violating Article 13 GDPR. The data subject was not informed of how her personal data would be processed, even though the controller collected personal data through a contact form on its website. The website had no privacy notice, and the contract between the data subject and the investigator also lacked any information about privacy or the protection of personal data.
English Summary
Facts
The data subject had hired a private detective (controller) to investigate a personal matter. According to the data subject, the investigation contract did not include any wording about privacy and data protection. Moreover, a request to obtain a privacy notice under Article 13 GDPR had been ignored by the controller. On 19 May 2022, the data subject lodged a complaint with the Spanish DPA (DPA), claiming a general lack of information about the controller's data processing activities. The DPA started an investigation and found that the contract between the data subject and the controller contained the URL of a website. In turn, this website contained a contact form which enabled the controller to collect personal data. However, the website itself did not provide any privacy notice. The DPA also notified the controller during the investigation, but the controller ignored these requests.
Holding
In the present case, the DPA held that the controller was collecting personal data on its website through the contact form. However, the data subject was not given any information about the way in which their personal data was going to be processed. Furthermore, the website did not have a privacy notice. This lack of information was in violation of Article 13 GDPR. For this violation, the DPA fined the controller €2,000 pursuant to Article 83(5) GDPR. The DPA also ordered the controller, pursuant to Article 83(5)(b) GDPR, to add the privacy notice to future contracts with its clients and to its website.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202206542
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the claiming party) filed a claim with the Spanish Data Protection Agency on May 19, 2022. The claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the claimed party). The reasons on which the claim is based are the following:
On 04/24/2021, the claimant contracted the claimed party to carry out an investigation. According to him, the claimed party has processed his data without providing him with the information established in article 13 of the GDPR. The claiming party made a request to the claimed party to send this information, and they have not responded.
Along with the claim, the claimant provides the signed contract (not including any data protection clause) and an email sent by the claiming party to the email address ***EMAIL.1, to which the file named requirement.pdf was attached.
The web address ***URL.1 is superimposed on the signed contract. On this website a contact form appears in which personal data is requested, and the applicable privacy policy is not specified.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party so that it could proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the data protection regulations.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) by electronic notification, was not collected by the person in charge within the period of availability, and was understood as rejected in accordance with the provisions of art.
43.2 of the LPACAP dated 06/21/2022, as stated in the certificate in the file.
The transfer was reiterated on 06/21/2022 by certified postal mail and was again returned as "unknown".
No response has been received to this letter of transfer.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
THIRD: On July 1, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing.
FOURTH: On September 6, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate disciplinary proceedings against the claimed party, for the alleged violation of Article 13 of the GDPR, typified in Article 83.5 of the GDPR.
Notification was attempted through the Electronic Notification Service and Enabled Electronic Address on 09/07/2022; on 09/18/2022 it was rejected, as the recipient had not accessed it.
On 10/04/2022, the notification was attempted again at the postal address existing in the file, with the result "returned to origin due to unknown" on 10/06/2022.
In accordance with article 44 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the announcement of the agreement to open disciplinary proceedings was published in the Official Gazette of the State on 10/14/2022.
FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) and after the period granted for the formulation of allegations, it has been verified that no allegation has been received from the claimed party.
Article 64.2.f) of the LPACAP, a provision of which the claimed party was informed in the agreement to open the procedure, establishes that if no arguments are made within the established term on the content of the initiation agreement, when it contains a precise pronouncement about the imputed responsibility, it may be considered a resolution proposal. In the present case, the agreement to begin the disciplinary file determined the facts on which the imputation was based, the infringement of the GDPR attributed to the defendant and the sanction that could be imposed. Therefore, taking into consideration that the claimed party has not made allegations to the agreement to start the file and in attention to what is established in article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case a resolution proposal.
In view of all the proceedings, the Spanish Agency for Data Protection considers the following to be proven facts in this proceeding:
PROVEN FACTS
FIRST: It is proven that the claiming party and the claimed party signed a contract according to which the claiming party contracted the services of a private detective, who is the claimed party, in order to carry out a family investigation.
SECOND: It is proven that the address ***URL.1 appears superimposed on the signed contract, a web page on which a contact form appears in which personal data is requested, and the applicable privacy policy is not specified.
FUNDAMENTALS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II
Pursuant to article 5.1 of the GDPR, the processing of personal data must be governed by the following principles:
"1. Personal data will be:
a) Treated in a lawful, loyal and transparent manner with the interested party (...)
2. The controller will be responsible for compliance with the provisions in paragraph 1 and able to prove it”
One of the manifestations of the principle of transparency is the right that the GDPR grants the owners of the data to receive information and the correlative obligation that requires the data controller to provide the data subject with the information detailed in articles 12, 13 and 14 of the GDPR. These last two provisions contemplate two different assumptions: that the data is obtained directly from the interested party (article 13), as in the present case, since the data is obtained either when signing the contract or when filling out the questionnaire on the web page to request information, or that the data is not obtained from the interested party (article 14).
Article 13 of the GDPR establishes:
"1.
When personal data relating to him or her is obtained from an interested party, the person responsible for the treatment, at the time they are obtained, will provide him or her with all the information listed below:
a) the identity and contact details of the person in charge and, where appropriate, their representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the processing for which the personal data is intended and the legal basis of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;
e) the recipients or categories of recipients of personal data, where applicable;
f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate guarantees and the means to obtain a copy of these or to the fact that they have been lent.
2.
In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing:
a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this term;
b) the existence of the right to request from the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;
d) the right to file a claim with a control authority;
e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and whether the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information about the applied logic, as well as the importance and expected consequences of said treatment for the interested party.
3. When the person responsible for the treatment plans the subsequent processing of personal data for a purpose other than that for which it was collected, he or she will provide the data subject, prior to said further processing, with information about that other purpose and any additional pertinent information under section 2.
4.
The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information.”
Recitals 39 and 60 of the GDPR help to specify the scope of the right of information that is given to the interested parties.
Recital 39 establishes: "All processing of personal data must be lawful and loyal. It must be completely clear to natural persons that personal data concerning them is being collected, used, consulted or otherwise processed, as well as the extent to which said data is or will be processed. The principle of transparency requires that all information and communication related to the treatment of said data is easily accessible and easy to understand, and that simple and clear language is used. This principle refers in particular to the information of the interested parties on the identity of the person responsible for the treatment and the purposes of the treatment and to the additional information to guarantee a fair and transparent treatment with regard to the natural persons affected and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. Natural persons must be aware of the risks, rules, safeguards and rights relating to the processing of personal data, as well as how to assert their rights in relation to the treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. [...].”
Recital 60 clarifies that "The principles of fair and transparent treatment require that the data subject be informed of the existence of the processing operation and its purposes.
The data controller must provide the interested party with all the additional information necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal data is processed. The interested party must also be informed of the existence of profiling and the consequences of profiling. If the personal data is obtained from data subjects, they must also be informed whether they are obliged to provide it and of the consequences if they do not do so.”
In the present case, from the claim presented by the claiming party, it is inferred that the claiming party was not informed of the way in which their personal data would be processed.
Likewise, it is verified that on the web page ***URL.1 there is at least one form for the collection of personal data that does not contain any information related to the applicable privacy policy.
II
Article 83.5 of the GDPR, under the heading "General conditions for the imposition of administrative fines”, provides:
"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:
(…)
b) the rights of the interested parties in accordance with articles 12 to 22; (…)”
In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”.
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
"1.
Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:
(…)
h) The omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.”
IV
For the purposes of deciding on the imposition of an administrative fine and its amount, it is considered appropriate to graduate the sanction to be imposed according to the criteria established in article 83.2 of the GDPR.
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD.
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the offense committed by violating what is established in article 13 of the GDPR, allows a penalty of €2,000 (two thousand euro) to be set.
V
In accordance with the provisions of article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time limit…"
It is indicated that, within 30 days from the receipt of this resolution, the claimed party must proceed to complete the privacy policy in the contracts that are subscribed with clients, as well as on the web pages on which personal information is collected.
The imposition of this measure is compatible with the sanction consisting of an administrative fine, according to the provisions of art. 83.2 of the GDPR.
It is noted that not meeting the requirements of this body may be considered an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its articles 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
VI
Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE on B.B.B., with NIF ***NIF.1, for a violation of Article 13 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 2000 euros (TWO THOUSAND euro).
SECOND: TO ORDER B.B.B., with NIF ***NIF.1, in accordance with article 58.2.d) of the GDPR, for a violation of article 13 of the GDPR typified in article 83.5.b) of the aforementioned Regulation, to proceed, within a period of 30 days computed from the date this resolution is enforceable, to complete the privacy policy in the contracts that are subscribed with clients, as well as on the web pages on which personal data is collected, and to notify the AEPD of its compliance.
THIRD: NOTIFY this resolution to B.B.B.
FOURTH: Warn the sanctioned party that he must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art.
62 of Law 58/2003, of December 17, by means of its deposit, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account IBAN number: ES00 0000 0000 0000 0000 0000, open in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, it will be collected in the executive period.
Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th day of the following month or the immediately following business day, and if it is between the 16th and the last day of each month, both inclusive, the payment term will be until the 5th of the second following month or the immediately following business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reversal before the Director of the Spanish Agency for Data Protection within a period of one month counting from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
Finally, it is noted that in accordance with the provisions of art.
90.3 a) of the LPACAP, the firm resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will terminate the precautionary suspension.
938-181022
Mar España Martí
Director of the Spanish Data Protection Agency