AEPD (Spain) - EXP202202164
AEPD - PS-00289-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1) GDPR Article 13 GDPR Article 39 GDPR Article 58(2)(d) GDPR Article 58(2) GDPR Article 60 GDPR Article 83(2) GDPR Article 83(5) GDPR Article 112(1) LPACAP Article 14 LPACAP Article 23 LRJSP Article 24 LRJSP Article 41 LPACAP Article 43 LPACAP Article 47 LOPDGDD Article 48(1) LOPDGDD Article 50 LOPDGDD Article 63(2) LOPDGDD Article 64(2) LOPDGDD Article 64(2)(f) LPACAP Article 65(4) LOPDGDD Article 68(1) LOPDGDD Article 71 LOPDGDD Article 76(2) LOPDGDD Article 85 LPACAP |
Type: | Complaint |
Outcome: | Upheld |
Started: | 16.01.2022 |
Decided: | 26.08.2022 |
Published: | 08.11.2022 |
Fine: | 1,200 EUR |
Parties: | ORI, S.L. A.A.A |
National Case Number/Name: | PS-00289-2022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Inés López Abad |
A 1,200€ fine is imposed for non-GDPR compliant websites without privacy policy. Further, the adoption of appropriate measures to bring the actions of the data controller into compliance should be imposed. This means, the Agency has to be notified within one month.
English Summary
Facts
Data subject filed a complaint with the DPA for the lack of privacy policy in the websites of ORI, S.I. The website collects personal data through multiple forms. At least 5 of the forms contained in the web pages where personal data are requested, do not provide information on the company’s privacy policy.
Holding
The DPA held that there is an infringement of Article 13 GDPR as defined in article 83.5 GDPR. Therefore the sanctioning procedure is initiated. The sanction imposed graduated in accordance with the criteria established in Article 83.2 GDPR. Data controller has 1 month to adapt to requirements set out in data protection regulations.
Comment
In all sections of the website information boxes obliged to communicate to users a box with the acceptance. The original fine is of 2,000€. However, he may acknowledge his responsibility within period granted which entails a reduction of 20% of sanction. Leaving the amount to a total of 1,600€. Reduction for voluntary payment of penalty may be accumulated, leaving the amount to be 1,200€. Both reductions are conditional upon the withdrawal or waiver of any administrative action or appeal against the sanction.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: EXP202202164 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On August 26, 2022, the Director of the Spanish Agency for Data Protection agreed to start a sanctioning procedure against ORI, S.l. (onwards, the claimed party), through the Transcribed Agreement: << File No.: EXP202202164 AGREEMENT TO START THE SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the claiming party) dated January 16, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The motives on which the claim is based are the following: Manifests the lack of privacy policy of the website where data is collected through multiple forms, only one informs about the treatment of data, violating data protection regulations. Along with the notification is provided: -Screenshot of a Google search for the domain ***URL.1, which offers various results on Facebook, Instagram, tik tok… -Screenshot of the detail of the BORME of ORI SL, in which they appear as sole partner and sole administrator B.B.B. -Screenshot of the page "***URL.1/register/" in which a registration form appears. contact in which personal data is requested, and the privacy policy is not indicated. privacy. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 -Screenshot of the page "***URL.1/become-soci" in which a registration form appears. contact in which personal data is requested, and the privacy policy is not indicated. privacy. -Screenshot of the page "***URL.1/request-your-catalogue/" in which a contact form in which personal data is requested, and the policy is not indicated of privacy, although the following text is added at the end of the questionnaire: "I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time” -Screenshot of the page "***URL.1/kit-de-inicio/" in which a form appears contact in which personal data is requested, and the privacy policy is not indicated. privacy, although the following text is added at the end of the questionnaire: "I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time” -Screenshot of the page "***URL.1/register/" in which a registration form appears. contact in which personal data is requested, appearing at the end of it a link to the privacy policy. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in forward LOPDGDD), said claim was transferred to ORI, so that proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the acknowledgment of receipt in the file. No response has been received to this letter of transfer. THIRD: On April 16, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the claimant party was admitted for processing. FOURTH: On 06/09/2022, a letter was received from the ORI administrator in which states that in all sections of the web page ***URL.1 there are all the informative boxes where they are forced to communicate to the users a box with the following concept: "I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting with me. I am aware that I can revoke my consent at any moment" FUNDAMENTALS OF LAW Yo C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Pursuant to article 5.1 of the GDPR, the processing of personal data must be governed by by the following principles: "1. Personal data will be: a) Treated in a lawful, loyal and transparent manner with the interested party (...) 2. The controller will be responsible for compliance with the provisions in paragraph 1 and able to prove it” One of the manifestations of the principle of transparency is the right that the GDPR grants the owners of the data to receive information and the correlative obligation that requires the data controller to provide the data subject with the information detail articles 12, 13 and 14 of the GDPR. These last two provisions contemplate two different assumptions: That the data is obtained directly from the interested party (article 13), as happens in the forms of collection of data that ORI has included in the web page of which it is the owner, or that the data is not obtained from the interested party (article 14). Article 13 of the GDPR establishes: "1. When personal data relating to him or her is obtained from an interested party, the responsible for the treatment, at the time they are obtained, will provide you with all the information listed below: a) the identity and contact details of the person in charge and, where appropriate, their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing for which the personal data is intended and the legal basis of the treatment; d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of the transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 adequate or appropriate guarantees and the means to obtain a copy of these or to the fact that they have been lent. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the data is obtained personal data, the following information necessary to guarantee data processing fair and transparent a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this term; b) the existence of the right to request the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to portability of the data c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a control authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to which referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, information significant about the applied logic, as well as the importance and consequences provisions of said treatment for the interested party. 3. When the person responsible for the treatment plans the subsequent processing of data personal information for a purpose other than that for which it was collected, will provide the data subject, prior to said further processing, information about that other purpose and any additional information pertinent under section 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information.” Recitals 39 and 60 of the GDPR help to specify the scope of the right of information that is given to the interested parties. Recital 39 establishes: "All processing of personal data must be lawful and loyal. It must be completely clear to natural persons that they are being collected, using, consulting or otherwise processing personal data that concerned, as well as the extent to which said data is or will be processed. The beginning of transparency requires that all information and communication related to the treatment of said data is easily accessible and easy to understand, and that language is used simple and clear. This principle refers in particular to the information of the interested parties on the identity of the person responsible for the treatment and the purposes of the treatment and to the information added to guarantee a fair and transparent treatment with regarding the natural persons affected and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. Natural persons must be aware of the risks, rules, safeguards and rights relating to the processing of personal data, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 as well as how to assert your rights in relation to the treatment. In In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. [...].” Recital 60 clarifies that "The principles of fair and transparent treatment require that the data subject be informed of the existence of the processing operation and their ends. The data controller must provide the interested party with all additional information is necessary to guarantee fair treatment and transparent, taking into account the specific circumstances and context in which process personal data. The interested party must also be informed of the existence profiling and the consequences of profiling. if the data data are obtained from data subjects, they must also be informed whether they are obliged to provide them and of the consequences in case they did not do so.” In the present case, having examined the forms contained in the web pages of ORI in which personal data is requested, it is observed that at least five of They are not informed of the company's privacy policy. Therefore, according to the evidence available at this time agreement to initiate disciplinary proceedings, and without prejudice to what results from the instruction, it is considered that the known facts could constitute a infringement, attributable to ORI, due to violation of article 13 of the GDPR II If confirmed, the aforementioned infringement of article 13 of the GDPR could lead to the commission of the offenses typified in article 83.5 of the GDPR that under the The heading "General conditions for the imposition of administrative fines" provides: Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: (…) b) the rights of the interested parties in accordance with articles 12 to 22; (…)” In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that "The acts and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe after three years the infractions that a substantial violation of the articles mentioned therein and, in particular, the following: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 h) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law.” IV. For the purposes of deciding on the imposition of an administrative fine and its amount, In accordance with the evidence available at the present time of agreement to start disciplinary proceedings, and without prejudice to what results from the instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with the criteria established in article 83.2 of the GDPR. Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the criteria established in section 2 of article 76 "Sanctions and corrective measures" of the LOPDGDD. If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the term that is specified in the sanctioning resolution, proceed to complete the privacy policy privacy on all pages that collect personal data, without prejudice to others that could be derived from the instruction of the procedure, in accordance with the provisions in the aforementioned article 58.2 d) of the GDPR, according to which each control authority may “order the person in charge or person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period…”. the imposition of This measure is compatible with the sanction consisting of an administrative fine, according to The provisions of the art. 83.2 of the GDPR. It is noted that not meeting the requirements of this body may be considered as an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the foregoing, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: INITIATE SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1, for the alleged violation of Article 13 of the GDPR, typified in Article 83.5 of the GDPR. SECOND: APPOINT as instructor R.R.R. and, as secretary, to S.S.S. indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Legal Department of the Public Sector (LRJSP). THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the Sub-directorate General of Inspection of Data in the actions prior to the start of this sanctioning procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be, for the alleged violation of article 13 of the GDPR, typified in article 83.5 of said regulation, administrative fine of amount €2,000.00 FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it a hearing period of ten business days to formulate the allegations and Submit any evidence you deem appropriate. In his statement of pleadings You must provide your NIF and the procedure number that appears in the heading of this document. If, within the stipulated period, he does not make allegations to this initial agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement; which will entail a reduction of 20% of the sanction that should be imposed in this proceeding. With the application of this reduction, the sanction would be established at 1,600.00 euros, resolving the procedure with the imposition of this sanction. In the same way, it may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be established at 1,600.00 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at 1,200.00 euros. In any case, the effectiveness of any of the two aforementioned reductions will be conditioned to the withdrawal or resignation of any action or appeal via administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened to name of the Spanish Data Protection Agency in the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it receives. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as regards successively, the notifications that are sent to you will be made exclusively in a electronically, through the Unique Authorized Electronic Address (dehu.redsara.es) and the Electronic Notification Service (notifications.060.es), and that, if you do not access their rejection will be recorded in the file, considering the process completed and following the procedure. You are informed that you can identify before this Agency an email address to receive the notice of making available to the notifications and that failure to practice this notice will not prevent the notification be considered fully valid. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 935-110422 Mar Spain Marti Director of the Spanish Data Protection Agency >> SECOND: On September 26, 2022, the claimed party has proceeded to the payment of the penalty in the amount of 1200 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal via against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Commencement Agreement. FOURTH: In the previously transcribed initiation agreement, it was indicated that, if Once the infringement is confirmed, it could be agreed to impose on the controller the adoption of adequate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to the which each control authority may "order the person responsible or in charge of the processing that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a certain specified term…”. Having recognized the responsibility for the infringement, the imposition of the measures included in the Initiation Agreement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures." II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common for Public Administrations (hereinafter, LPACAP), under the heading "Termination in disciplinary proceedings" provides the following: "1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the presumed perpetrator, in any moment prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the The competent body to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative among themselves. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or resource against the sanction. The percentage reduction provided for in this section may be increased according to regulations." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202202164, in in accordance with the provisions of article 85 of the LPACAP. SECOND: REQUIRE ORI, S.l. so that within one month notify the Agency adopting the measures described in the fundamentals of law of the Initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to ORI, S.l.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative process as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1259-070622 Mar Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es