AEPD (Spain) - EXP202202164

From GDPRhub
AEPD - PS-00289-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1) GDPR
Article 13 GDPR
Article 39 GDPR
Article 58(2)(d) GDPR
Article 58(2) GDPR
Article 60 GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Article 112(1) LPACAP
Article 14 LPACAP
Article 23 LRJSP
Article 24 LRJSP
Article 41 LPACAP
Article 43 LPACAP
Article 47 LOPDGDD
Article 48(1) LOPDGDD
Article 50 LOPDGDD
Article 63(2) LOPDGDD
Article 64(2) LOPDGDD
Article 64(2)(f) LPACAP
Article 65(4) LOPDGDD
Article 68(1) LOPDGDD
Article 71 LOPDGDD
Article 76(2) LOPDGDD
Article 85 LPACAP
Type: Complaint
Outcome: Upheld
Started: 16.01.2022
Decided: 26.08.2022
Published: 08.11.2022
Fine: 1,200 EUR
Parties: ORI, S.L.
A.A.A
National Case Number/Name: PS-00289-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Inés López Abad

A 1,200€ fine is imposed for non-GDPR compliant websites without privacy policy. Further, the adoption of appropriate measures to bring the actions of the data controller into compliance should be imposed. This means, the Agency has to be notified within one month.

English Summary

Facts

Data subject filed a complaint with the DPA for the lack of privacy policy in the websites of ORI, S.I. The website collects personal data through multiple forms. At least 5 of the forms contained in the web pages where personal data are requested, do not provide information on the company’s privacy policy.

Holding

The DPA held that there is an infringement of Article 13 GDPR as defined in article 83.5 GDPR. Therefore the sanctioning procedure is initiated. The sanction imposed graduated in accordance with the criteria established in Article 83.2 GDPR. Data controller has 1 month to adapt to requirements set out in data protection regulations.

Comment

In all sections of the website information boxes obliged to communicate to users a box with the acceptance. The original fine is of 2,000€. However, he may acknowledge his responsibility within period granted which entails a reduction of 20% of sanction. Leaving the amount to a total of 1,600€. Reduction for voluntary payment of penalty may be accumulated, leaving the amount to be 1,200€. Both reductions are conditional upon the withdrawal or waiver of any administrative action or appeal against the sanction.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/10








     File No.: EXP202202164



       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
                                     VOLUNTEER

Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following


                                   BACKGROUND


FIRST: On August 26, 2022, the Director of the Spanish Agency for
Data Protection agreed to start a sanctioning procedure against ORI, S.l. (onwards,
the claimed party), through the Transcribed Agreement:

<<



File No.: EXP202202164



            AGREEMENT TO START THE SANCTION PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in
based on the following


                                       FACTS

FIRST: A.A.A. (hereinafter, the claiming party) dated January 16, 2022
filed a claim with the Spanish Data Protection Agency. The
claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The motives

on which the claim is based are the following:

Manifests the lack of privacy policy of the website where data is collected
through multiple forms, only one informs about the treatment of
data, violating data protection regulations.


Along with the notification is provided:

-Screenshot of a Google search for the domain ***URL.1, which offers
various results on Facebook, Instagram, tik tok…


-Screenshot of the detail of the BORME of ORI SL, in which they appear as sole partner and
sole administrator B.B.B.

-Screenshot of the page "***URL.1/register/" in which a registration form appears.

contact in which personal data is requested, and the privacy policy is not indicated.
privacy.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/10








-Screenshot of the page "***URL.1/become-soci" in which a registration form appears.
contact in which personal data is requested, and the privacy policy is not indicated.
privacy.


-Screenshot of the page "***URL.1/request-your-catalogue/" in which a
contact form in which personal data is requested, and the policy is not indicated
of privacy, although the following text is added at the end of the questionnaire: "I accept that
my data provided in the contact form are processed electronically and
are used for the purpose of contacting me. I am aware that I can

revoke my consent at any time”

-Screenshot of the page "***URL.1/kit-de-inicio/" in which a form appears
contact in which personal data is requested, and the privacy policy is not indicated.
privacy, although the following text is added at the end of the questionnaire: "I accept that my

data provided in the contact form are processed electronically and are
used for the purpose of contacting me. I am aware that I can
revoke my consent at any time”

-Screenshot of the page "***URL.1/register/" in which a registration form appears.
contact in which personal data is requested, appearing at the end of it a link

to the privacy policy.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to ORI, so that

proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of

October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the
acknowledgment of receipt in the file.

No response has been received to this letter of transfer.


THIRD: On April 16, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: On 06/09/2022, a letter was received from the ORI administrator in
which states that in all sections of the web page ***URL.1 there are all

the informative boxes where they are forced to communicate to the users a box with
the following concept: "I accept that my data provided in the contact form
are processed electronically and are used for the purpose of contacting
with me. I am aware that I can revoke my consent at any
moment"


                           FUNDAMENTALS OF LAW

                                           Yo

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/10








In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."


                                            II
Pursuant to article 5.1 of the GDPR, the processing of personal data must be governed by
by the following principles:

"1. Personal data will be:
    a) Treated in a lawful, loyal and transparent manner with the interested party (...)

2. The controller will be responsible for compliance with the provisions
in paragraph 1 and able to prove it”

One of the manifestations of the principle of transparency is the right that the GDPR
grants the owners of the data to receive information and the correlative obligation that

requires the data controller to provide the data subject with the information
detail articles 12, 13 and 14 of the GDPR.

These last two provisions contemplate two different assumptions: That the data is
obtained directly from the interested party (article 13), as happens in the forms of

collection of data that ORI has included in the web page of which it is the owner, or that
the data is not obtained from the interested party (article 14).

Article 13 of the GDPR establishes:

"1. When personal data relating to him or her is obtained from an interested party, the

responsible for the treatment, at the time they are obtained, will provide you with
all the information listed below:
a) the identity and contact details of the person in charge and, where appropriate, their
representative;
b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data is intended and the legal basis
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate of the person in charge or of a third party;
e) the recipients or categories of recipients of personal data, in their

case; f) where appropriate, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of the transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/10








adequate or appropriate guarantees and the means to obtain a copy of these or
to the fact that they have been lent.


2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained
personal data, the following information necessary to guarantee data processing
fair and transparent
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this term;

b) the existence of the right to request the data controller access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of their treatment, or to oppose the treatment, as well as the right to portability
of the data
c) when the treatment is based on article 6, paragraph 1, letter a), or article

9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a control authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide

personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to which
referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, information
significant about the applied logic, as well as the importance and consequences

provisions of said treatment for the interested party.

3. When the person responsible for the treatment plans the subsequent processing of data
personal information for a purpose other than that for which it was collected, will provide the
data subject, prior to said further processing, information about that other purpose

and any additional information pertinent under section 2. 4. The
provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
that the interested party already has the information.”

Recitals 39 and 60 of the GDPR help to specify the scope of the right
of information that is given to the interested parties.


Recital 39 establishes: "All processing of personal data must be lawful and
loyal. It must be completely clear to natural persons that they are being collected,
using, consulting or otherwise processing personal data that
concerned, as well as the extent to which said data is or will be processed. The beginning

of transparency requires that all information and communication related to the treatment of
said data is easily accessible and easy to understand, and that language is used
simple and clear. This principle refers in particular to the information of the
interested parties on the identity of the person responsible for the treatment and the purposes of the treatment and
to the information added to guarantee a fair and transparent treatment with

regarding the natural persons affected and their right to obtain confirmation and
communication of personal data concerning them that are subject to
treatment. Natural persons must be aware of the risks,
rules, safeguards and rights relating to the processing of personal data,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/10








as well as how to assert your rights in relation to the treatment. In
In particular, the specific purposes of the processing of personal data must be
explicit and legitimate, and must be determined at the time of collection. [...].”


Recital 60 clarifies that "The principles of fair and transparent treatment
require that the data subject be informed of the existence of the processing operation and
their ends. The data controller must provide the interested party with all
additional information is necessary to guarantee fair treatment and
transparent, taking into account the specific circumstances and context in which

process personal data. The interested party must also be informed of the existence
profiling and the consequences of profiling. if the data
data are obtained from data subjects, they must also be informed whether they are
obliged to provide them and of the consequences in case they did not do so.”


In the present case, having examined the forms contained in the web pages of
ORI in which personal data is requested, it is observed that at least five of
They are not informed of the company's privacy policy.

Therefore, according to the evidence available at this time
agreement to initiate disciplinary proceedings, and without prejudice to what results from

the instruction, it is considered that the known facts could constitute a
infringement, attributable to ORI, due to violation of article 13 of the GDPR

                                            II
If confirmed, the aforementioned infringement of article 13 of the GDPR could lead to the

commission of the offenses typified in article 83.5 of the GDPR that under the
The heading "General conditions for the imposition of administrative fines" provides:

Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,

in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
       (…)
       b) the rights of the interested parties in accordance with articles 12 to 22;
       (…)”


In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.


For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that

a substantial violation of the articles mentioned therein and, in particular, the
following:
       (…)


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/10








       h) The omission of the duty to inform the affected party about the treatment of their
       personal data in accordance with the provisions of articles 13 and 14 of the
       Regulation (EU) 2016/679 and 12 of this organic law.”


                                          IV.
For the purposes of deciding on the imposition of an administrative fine and its amount,
In accordance with the evidence available at the present time of
agreement to start disciplinary proceedings, and without prejudice to what results from the
instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with

the criteria established in article 83.2 of the GDPR.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 "Sanctions and corrective measures"
of the LOPDGDD.


If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the term
that is specified in the sanctioning resolution, proceed to complete the privacy policy
privacy on all pages that collect personal data, without prejudice to others that
could be derived from the instruction of the procedure, in accordance with the provisions
in the aforementioned article 58.2 d) of the GDPR, according to which each control authority may

“order the person in charge or person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period…”. the imposition of
This measure is compatible with the sanction consisting of an administrative fine, according to
The provisions of the art. 83.2 of the GDPR.


It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the foregoing, by the Director of the Agency
Spanish Data Protection,
HE REMEMBERS:

FIRST: INITIATE SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1,

for the alleged violation of Article 13 of the GDPR, typified in Article 83.5 of the
GDPR.

SECOND: APPOINT as instructor R.R.R. and, as secretary, to S.S.S.
indicating that any of them may be challenged, if applicable, in accordance with the

established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime
Legal Department of the Public Sector (LRJSP).

THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the

documents obtained and generated by the Sub-directorate General of Inspection of
Data in the actions prior to the start of this sanctioning procedure.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/10








FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be, for the alleged violation of article 13 of the

GDPR, typified in article 83.5 of said regulation, administrative fine of amount
€2,000.00

FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it
a hearing period of ten business days to formulate the allegations and
Submit any evidence you deem appropriate. In his statement of pleadings

You must provide your NIF and the procedure number that appears in the heading
of this document.

If, within the stipulated period, he does not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a reduction of 20% of the

sanction that should be imposed in this proceeding. With the application of this
reduction, the sanction would be established at 1,600.00 euros, resolving the
procedure with the imposition of this sanction.

In the same way, it may, at any time prior to the resolution of this

procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
the sanction would be established at 1,600.00 euros and its payment will imply the termination
of the procedure.

The reduction for the voluntary payment of the penalty is cumulative to the corresponding

apply for acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
allegations at the opening of the procedure. Voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain

established at 1,200.00 euros.

In any case, the effectiveness of any of the two aforementioned reductions will be
conditioned to the withdrawal or resignation of any action or appeal via
administrative against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective
by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened to
name of the Spanish Data Protection Agency in the bank
CAIXABANK, S.A., indicating in the concept the reference number of the

procedure that appears in the heading of this document and the cause of
reduction of the amount to which it receives.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/10








Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue with the procedure in accordance with the quantity

entered.

The procedure will have a maximum duration of nine months from the
date of the initiation agreement or, where appropriate, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as regards
successively, the notifications that are sent to you will be made exclusively in a
electronically, through the Unique Authorized Electronic Address (dehu.redsara.es) and the

Electronic Notification Service (notifications.060.es), and that, if you do not access
their rejection will be recorded in the file, considering the process completed and
following the procedure. You are informed that you can identify before this Agency
an email address to receive the notice of making available to the
notifications and that failure to practice this notice will not prevent the notification

be considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                               935-110422

Mar Spain Marti
Director of the Spanish Data Protection Agency


>>


SECOND: On September 26, 2022, the claimed party has proceeded to the
payment of the penalty in the amount of 1200 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal via
against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Commencement Agreement.


FOURTH: In the previously transcribed initiation agreement, it was indicated that, if
Once the infringement is confirmed, it could be agreed to impose on the controller the adoption of
adequate measures to adjust its performance to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to the

which each control authority may "order the person responsible or in charge of the
processing that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain way and within a certain
specified term…”.


Having recognized the responsibility for the infringement, the imposition of
the measures included in the Initiation Agreement.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/10
















                           FUNDAMENTALS OF LAW


                                            Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the

Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."


                                            II

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations (hereinafter, LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:


"1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction has only a pecuniary nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature but the

inadmissibility of the second, the voluntary payment by the presumed perpetrator, in
any moment prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.


3. In both cases, when the sanction is solely pecuniary in nature, the
The competent body to resolve the procedure will apply reductions of at least
20% of the amount of the proposed penalty, these being cumulative among themselves.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of

any administrative action or resource against the sanction.

The percentage reduction provided for in this section may be increased
according to regulations."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/10










According to what has been stated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202202164, in

in accordance with the provisions of article 85 of the LPACAP.

SECOND: REQUIRE ORI, S.l. so that within one month notify the
Agency adopting the measures described in the fundamentals of law

of the Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to ORI, S.l..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


                                                                                 1259-070622
Mar Spain Marti

Director of the Spanish Data Protection Agency


























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es