AEPD (Spain) - PS-00371-2021

From GDPRhub
Revision as of 18:47, 30 December 2023 by Marie04
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 58(2)(d) GDPR
Article 60 GDPR
Article 83(2) GDPR
Article 83(4)(a) GDPR
Article 83(5)(a) GDPR
Article 63(2) LOPDGDD
Article 71 LOPDGDD
Article 72(1)(a) LOPDGDD
Article 73(f) LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 29.07.2019
Decided: 27.04.2022
Published:
Fine: n/a
Parties: HERTZ DE ESPAÑA, S.L.
National Case Number/Name: PS-00371-2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Marie04

The AEPD held that sending someone notifications regarding monetary fines directed at another person constitutes a violation of Article 5(1)(f) GDPR. As the respective data was not rectified in time after receiving a complaint, it also resulted in a breach of Article 32 GDPR.

English Summary

Facts

On 5 July 2019, the data subject received an e-mail from Hertz España, a rental vehicle provider (the controller), containing information about monetary fines. These fines were directed at a third party but were sent to the data subject's e-mail address. The data subject complained to the controller about this on the same day. In turn, the controller assured them on 9 July 2019 that the data had been rectified. However, the data subject received another e-mail directed at the third party on 29 July 2019. On the same day, the data subject submitted a complaint to the German data protection authority, which relayed it to the AEPD, the Spanish data protection authority. The complete deletion of the data subject's data from the third party's file was only achieved on 30 July 2019. The AEPD started an investigation and later initiated penalty proceedings. In its defence, the controller argued that the third party had themselves given the data subject's e-mail address as their own, and that the error was most likely not made by an employee of the controller. Furthermore, the controller highlighted the uniqueness of the case and stated that it was a minor error with no lasting damage that was rectified as soon as possible. The controller also added that the data subject themselves only entered the respective e-mail address into the controller's database on 7 February 2020, meaning the controller could not have confused the e-mail addresses of the data subject and the third party in 2019.

Holding

The AEPD held that the controller violated Article 5(1)(f) GDPR by giving the data subject access to personal data of the third party, which is subject to sanctions under Article 83(5)(a) GDPR. Furthermore, the AEPD held that the controller also breached Article 32 GDPR, as the technical and organisational measures taken by the controller were considered insufficient. The AEPD assumed that, with appropriate measures, a timely rectification of the data should have been possible during the three weeks between the data subject's complaint to the controller and the sending of the second e-mail. This violation is subject to sanctions under Article 83(4)(a) GDPR. However, the AEPD imposed no fine for either of the two violations. Instead, under Article 58(2)(d) GDPR, the AEPD reprimanded the controller and ordered it to take measures within 30 days to ensure that a situation similar to the one in question does not happen again.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS/00371/2021

RESOLUTION OF SANCTIONING PROCEDURE

In the procedure instructed by the Spanish Data Protection Agency, and based on the following

BACKGROUND

FIRST: Through the “Internal Market Information System” (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012 of the European Parliament and of the Council of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between Member States and the exchange of information, this Spanish Data Protection Agency (AEPD) received a claim dated July 29, 2019, made by a data subject to the data protection authority of Berlin (Germany). The transfer of this claim to the AEPD was carried out in accordance with the provisions of article 56 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 04/27/2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data (hereinafter, RGPD), taking into account its cross-border nature and that this Agency is competent to act as the lead supervisory authority.


The aforementioned claim is made against HERTZ DE ESPAÑA, S.L. (hereinafter HERTZ), with registered office and sole establishment in Spain, in relation to the rental of Firefly Car Rental cars, of which the claimant was a customer in Malaga, and which repeatedly sent erroneous notifications about traffic fines, speed limit violations, etc., caused by third parties, to the claimant's email address ***USER.1.


The claimant had informed customer service through fireflycustomercarespain@fireflycarrental.com about the erroneous email and the violation of data protection, and was promised a fix in early July.

The claimant provides an email sent to their address in the name of A.A.A., ***ADDRESS.1.


The data processing carried out affects data subjects in several Member States. According to the information incorporated into the IMI System, in accordance with the provisions of article 60 of the RGPD, in addition to the supervisory authority of Berlin (Germany), the supervisory authorities of Denmark, Norway, Rhineland-Palatinate (Germany), Lower Saxony (Germany), Sweden, Portugal, France and Italy have declared themselves concerned in the present procedure.

SECOND: In view of the facts presented, the Subdirectorate General of Data Inspection proceeded to carry out actions to clarify them, under the investigative powers granted to supervisory authorities in article 58.1 of the RGPD, becoming aware of the following points:

Background

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15

B.B.B., with address ***ADDRESS.2, filed a claim against Hertz España, S.L., with NIF B28121549 and address at C/ JACINTO BENAVENTE, nº 2 - EDF B - 3ª PLANTA - 28232 MADRID (MADRID).

Reason why the sanctions were sent to the email account ***USER.1

HERTZ representatives state that they found an error in the contract database, where Ms. A.A.A. had been assigned, as a contact in her rental contract number (...), the email ***USER.1.

This email belongs to the complaining party, D. B.B.B., and not to Ms. A.A.A.

Consequently, there was an error in the database, where the holder of the rental contract had an email address assigned, ***USER.1, which belonged to a third party, the complaining party, D. B.B.B.

This error occurred at the time of data collection at the rental point, located at Barcelona – El Prat Airport.

Therefore, when the entity received the traffic sanctions on file, it sent the informative emails to the email address assigned to the rental contract, which turned out to be wrong.

Reason why the right to rectification requested by the complaining party was not correctly attended to

D. B.B.B. contacted the customer service of the Hertz España, S.L. brand Firefly Car Rental on July 5, 2019, once the first group of informative emails with a traffic fine had been received, and received a response to his rectification request on July 9, 2019, at 1:09 p.m.

In the response sent from the email fireflycustomercarespain@fireflycarrentl.com, they apologized to D. B.B.B. and he was informed that the email address had been deleted from Ms. A.A.A.'s file.


The deletion of the email from the sanctions file and the Car+ contract management program did not occur until July 30, which meant that, on July 29, a second email was sent to the address ***USER.1, with a second sanction linked to Ms. A.A.A.'s contract.


According to the representatives of the entity, in the spirit of not incurring undue delays, Customer Service informed D. B.B.B. that the data corresponding to the email had been rectified, as was the case in the file managed directly by this Service, although, in parallel, the Customer Service department, following the established procedure, had requested the rectification of the data from the appropriate departments (sanctions file and Car+ contract management program), which did not implement the change until July 30, 2019. So, on this occasion, the rush to avoid incurring delays led to the rectification of the required data being communicated to D. B.B.B. days before the effective deletion of the data in all of its systems occurred.

Since there was no time to delete the email data in the sanctions file and contract management program, when the second sanction was received, on July 29, the informative communication was sent to D. B.B.B., with the final rectification of the data, in all systems, taking place on July 30.

Detail of the measures adopted to address the right of rectification and to avoid new traffic sanctions being sent to other clients

The measures adopted by the entity for the complete deletion of the data subject to the rectification requested by D. B.B.B., that is, the deletion of his email ***USER.1, were the following:

i. July 9, 2019, deletion of the email from the file assigned by Customer Service to contract (...), whose holder is Ms. A.A.A., in which the email of the complaining party, D. B.B.B., appeared.

That same day, July 9, a request was made by the Customer Service for the deletion of the email in the fine management file and in the Car+ rental contract management program.

ii. On July 30, 2019, the email data was deleted in the Car+ contract management file.

iii. On July 30, 2019, the email data was deleted in the management file of the fines linked to contract (...), at the time signed by Ms. A.A.A.

THIRD: On August 21, 2020, the Director of the AEPD adopted a draft decision to archive the proceedings. Following the process established in article 60 of the GDPR, on 08/31/2020 this draft decision was shared and the authorities concerned were made aware that they had four weeks from that moment to formulate relevant and reasoned objections. Within the period granted for this purpose, the Berlin supervisory authority presented its relevant and reasoned objections for the purposes of the provisions of article 60 of the RGPD, in the sense that it considered that the proceedings should not be archived, but rather that the case should be analyzed and a warning issued, given that a violation of the GDPR had occurred.

FOURTH: On July 19, 2021, the Director of the AEPD adopted a revised draft agreement to initiate sanctioning proceedings. Following the process established in article 60 of the RGPD, that same day this document was shared on the IMI system and the supervisory authorities concerned were made aware that they had two weeks from that moment to formulate relevant and reasoned objections. Once the period for this purpose had elapsed, the supervisory authorities concerned had not presented relevant and reasoned objections in this regard, so it was considered that all the supervisory authorities agreed with the revised draft decision and were bound by it, in accordance with the provisions of section 6 of article 60 of the GDPR.


FIFTH: On August 16, 2021, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against HERTZ DE ESPAÑA, S.L., in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 32 of the RGPD and article 5.1.f) of the RGPD, typified, respectively, in article 83.4 and 83.5 of the RGPD.

SIXTH: On January 14, 2022, the Director of the Spanish Data Protection Agency issued a resolution to rectify errors in the aforementioned agreement to initiate sanctioning proceedings and granted HERTZ DE ESPAÑA, S.L. a new deadline to formulate the allegations and propose the evidence it considered appropriate, in accordance with the provisions of section f) of article 64.2 of the LPACAP.

SEVENTH: Once the aforementioned resolution to rectify errors in the initiation agreement had been notified, HERTZ presented a written statement of allegations in which, in summary, it stated that:


FIRST.- ABOUT THE SUPPOSED ERROR IN THE CONTRACT DATABASE

After an exhaustive internal investigation to delve into what happened, HERTZ doubts the existence of the error because of the following:

- Contract number (...) with Ms. A.A.A., whose postal address, as indicated by her, is ***ADDRESS.1, is dated May 21, 2019, this person having provided the email address ***USER.1 motu proprio.

- Subsequently, the email address ***USER.1 appears in the HERTZ contract database at a much later date, February 7, 2020, but this time associated with D. C.C.C. in contract (...), whose postal address, as indicated by him, is ***ADDRESS.2, having been provided by D. B.B.B., who appeared as an additional driver (screen print of the contract record in the database attached as Document 2).

- The fact of the uniqueness of this email address, which combines letters and numbers, the letters corresponding to the initials of the complaining party, leads us to conclude that it is very unlikely that the error was made at the time of entering them into the database by HERTZ personnel, but rather that it was provided by the person who signed contract number (...), dated May 21, 2019.

- How is it feasible to issue traffic fines for violations that occurred in 2019 to an email address provided in 2020? It is impossible from every point of view.

Based on the above, it should be noted that any communication that had to be carried out, as is the case of the notifications of traffic fines for the corresponding infractions committed by Ms. A.A.A., was sent to the email address provided at the time of contracting the car rental (year 2019), without an error being possible given the uniqueness of the email address mentioned.

This implies that the error in assigning the email address ***USER.1 to contract (...) with Ms. A.A.A. can be ruled out.

SECOND.- ABOUT THE SINGULARITY OF THE CASE. NON-EXISTENCE OF REPEATED CONDUCT BY HERTZ ESPAÑA. ISOLATED FACT, REMEDIED AND COMMUNICATED TO THE CUSTOMER.


As the Agency points out in the Initiation Agreement (p. 10, paragraph): “it was a specific case (of which there is no similar history in this Agency)”, which would be explained by the fact that Ms. A.A.A. provided the unique email address already mentioned.


Furthermore, as the Agency knows, HERTZ proceeded to act immediately with the purpose of trying to provide a solution as soon as possible to the claim made by the complaining party. Specifically, the chronology of actions carried out by HERTZ was the following:

- On July 5, 2019, the complaining party sent an email to customer service indicating that the email address ***USER.1 is incorrect since it does not belong to A.A.A.

- On July 9, 2019, (i) his email was responded to, indicating that the email address had been deleted and apologizing, and (ii) the deletion of the email in the fines management file and in the Car+ rental contract management program was requested.

Even though the complaining party has received two emails, we believe that it is also relevant that this situation has not occurred in any other case, nor has the complaining party raised any other claim against HERTZ in relation to this matter.

Therefore, no harm has occurred to the complaining party, whose email address appeared linked to Ms. A.A.A., who would have provided it in 2019, before the complaining party provided that same address in another vehicle rental contract that is in no way related to the first one.

It is difficult to maintain, with this new data, that it was a mistake in entering the email address in contract (...), but rather that the email address was provided to HERTZ, which would explain the uniqueness of the case.

Even admitting that it was (which is not done), we agree with the Agency that this is a very minor case, which has not caused any damage and which was solved practically immediately.

THIRD.- ABOUT WHAT IS REQUESTED BY THE BERLIN SUPERVISORY AUTHORITY IN ITS OBJECTIONS.

We understand that there is a disparity between what the Berlin Authority requests and what the Agency agrees to.

The Agency itself states in its Resolution that what the Berlin supervisory authority requested in its relevant and reasoned objections is that: (sic) “the case will be analyzed and a warning was issued” (Third Fact, page 5), not that a sanctioning procedure be initiated against HERTZ.

The Berlin authority has filed an objection in a case that, as the Agency itself knows, would not be serious, and it is also necessary to remember that initially the Agency had proposed archiving the proceedings.

If the Berlin supervisory authority did not request the opening of sanctioning proceedings, it could be considered that, with the investigative powers attributed to the Agency, and having previously obtained from HERTZ “all the necessary information for the exercise of its functions” (article 58.2.1) of the RGPD), it could direct a warning to HERTZ in accordance with the corrective power attributed to it by article 58.2.b) of the RGPD. However, we fully understand that the Agency has to act through the mechanisms available in our legal system, and we also appreciate the fact that it considers issuing a warning in the terms indicated in the Initiation Agreement.

EIGHTH: On February 16, 2022, the instructor of the procedure formulated a proposed resolution, in which he proposed that the Director of the AEPD address a warning to HERTZ DE ESPAÑA, S.L., with NIF B28121549, for an infringement of article 32 of the RGPD and article 5.1.f) of the RGPD, typified, respectively, in article 83.4 and 83.5 of the GDPR, and that HERTZ DE ESPAÑA, S.L., with NIF B28121549, be ordered to adopt, within a period of thirty days, the measures aimed at guaranteeing that situations such as the one that is the subject of this claim do not occur again. Likewise, HERTZ was granted a period of TEN DAYS for allegations, so that it could allege whatever it considered appropriate in its defense and present the documents and information it considered relevant.

Once the aforementioned proposed resolution had been notified and the deadline for this purpose had elapsed, it was verified that no allegation had been received from HERTZ.



In view of everything that has been done by the Spanish Data Protection Agency in this procedure, the following are considered proven facts:

PROVEN FACTS


FIRST: On July 5, 2019 at 11:36 a.m., an email was received from the address noreply@gesthispania.com at the address ***USER.1, with the subject “Notification of traffic fine”, addressed to A.A.A., address ***ADDRESS.1, and with the following text (in English):

“Madrid 07-05-2019

Dear Customer,

We are writing to you regarding your rental with Firefly in Spain (Registration ***NUMBER.1) from 05/21/2019 to 05/25/2019.

We have received a notification from a local authority ((REMESA) SERVEI CATALA DE TRANSIT TARRAGONA) about a traffic violation during your rental period. Please find attached a copy of the sanction (It is informational only and you will receive the official notification at your home).

Therefore, we inform you that in compliance with Article 11 of Royal Legislative Decree 6/2015, of October 30, which approves the consolidated text of the Law on Traffic, Motor Vehicle Circulation and Road Safety, we have identified you as the driver of the vehicle.

Therefore, we will proceed to charge your credit card the sum of XX.XX euros (plus VAT, total: XX euros) corresponding to Hertz charges for the aforementioned identification, as indicated in the Terms and Conditions of the Rental Agreement.

If it is not possible to charge this amount to your credit card, we will proceed formally to demand the amount of money mentioned above in the bank account of Hertz de España, S.L., account number: 0000-0000-00-0000000000 (IBAN CODE: ES00 0000-0000-00-0000000000, SWIFT CODE: (…)XXX).

It is now at the discretion of the authorities whether to issue a notification for payment of the fine itself. We inform you that we are not in a position to review or litigate any aspect of these cases. Any possible dispute must be raised directly with the competent authority, in case it contacts you directly. Thank you for choosing Firefly. Kind regards”.

SECOND: On July 5, 2019 at 12:45 p.m., a reply email was sent from the email address of the complaining party to fireflycustomercarespain@fireflycarrental.com with the following text (in English): “Sorry, you always use the wrong email address, please correct your information, this email address is not A.A.A.'s ***ADDRESS.1”.


THIRD: On May 21, 2019, Ms. A.A.A. rented a car with Firefly Car Rental (HERTZ DE ESPAÑA, S.L.), from 05/21/2019 to 07/25/2019, rental contract number (...).

This contract had been assigned in the HERTZ database, as contact email, the email ***USER.1, which belongs to the complaining party.

FOURTH: On July 9, 2019 at 1:09 p.m., an email was sent from the address fireflycustomercarespain@fireflycarrentl.com to the address ***USER.1 with the following text (in English):

“Good morning, Mr. B.B.B.;

Thank you for contacting Firefly Spain.

We have removed your email address from Mrs. A.A.A.'s profile.

We don't know why it was added to it.

We apologize for any inconvenience.

Kind regards”


FIFTH: On July 9, 2019, the email was deleted from the file assigned by the Customer Service to contract (...), whose holder is Ms. A.A.A., in which D. B.B.B.'s email was erroneously linked. That same day, July 9, a request was made by the Customer Service for the deletion of the email in the fine management file and in the Car+ rental contract management program.

The deletion of the email from the sanctions file and the Car+ contract management program did not occur until July 30, 2019, which meant that on July 29, 2019, a second email was sent to the address ***USER.1, with a second sanction linked to Ms. A.A.A.'s contract. Also on July 30, 2019, the email data was deleted from the management file of the fines linked to contract (...), at the time signed by Ms. A.A.A.

SIXTH: The email address ***USER.1 appears in the HERTZ contract database on February 7, 2020, associated with D. C.C.C. in contract (...), whose postal address, as indicated, is ***ADDRESS.2, having been provided by D. B.B.B., who appeared as an additional driver.




FOUNDATIONS OF LAW

I
Competence and applicable regulations

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and in accordance with the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”


II
Previous issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is processing of personal data, since HERTZ carries out, among other processing operations, the collection, storage, consultation and deletion of personal data of its clients, such as: name and surname, address and email address.

HERTZ carries out this activity in its capacity as data controller, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.

Among the principles of processing provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR, while the security of the processing of this data is regulated in article 32 of the GDPR.

III
Allegations made

In relation to the allegations made against the agreement to initiate this sanctioning procedure, we proceed to respond to them in the order stated by HERTZ.

FIRST.- ABOUT THE SUPPOSED ERROR IN THE CONTRACT DATABASE

HERTZ claims that it doubts that there was an error on its part when recording the email address of the complaining party in Ms. A.A.A.'s contract, given that this contract is dated May 21, 2019 and that the complaining party appears as an additional driver in contract (...), dated February 7, 2020, and that, therefore, Ms. A.A.A. would have provided the email of the complaining party motu proprio.

In this regard, this Agency would like to point out that the reason why the complaining party's email was associated with Ms. A.A.A.'s contract has not been verified in this procedure. And it has been proven that the email in question belongs to the complaining party.

In any case, it appears that two emails were sent with personal data related to a traffic violation to an email address owned by the complaining party. And one of these emails was sent after the complaining party had notified HERTZ of this situation.

SECOND.- ABOUT THE SINGULARITY OF THE CASE. NON-EXISTENCE OF REPEATED CONDUCT BY HERTZ ESPAÑA. ISOLATED FACT, REMEDIED AND COMMUNICATED TO THE CUSTOMER


HERTZ alleges that this was a specific case and that it would be explained by the fact that Ms. A.A.A. provided the email address already mentioned. However, this Agency wishes to highlight that this point has not been proven and that it is irrelevant for the purposes of determining the existence or not of the infringements in question.

Furthermore, HERTZ alleges that it proceeded to act immediately in order to try to provide a solution as soon as possible to the claim made by the complaining party. And that it is relevant that this situation has not occurred in any other case, nor has the complaining party raised any other claim against HERTZ in relation to this matter.

It states that no harm has been caused to the complaining party. And that it is difficult to maintain that it was an error in entering the email address in contract (...), but rather that the email address was provided to HERTZ, which would explain the uniqueness of the case.

In this regard, this Agency wishes to point out again that the reasons why the email address of the complaining party was associated with contract (...) have not been proven and that they are irrelevant for the purposes of determining the existence of the infringements in question.

HERTZ also alleges that, even admitting that it was (which is not done), it agrees with this Agency that it is a very minor case, which has not caused any damage and which was resolved practically immediately.

In this regard, this Agency has nothing more to add.


THIRD.- ABOUT WHAT IS REQUESTED BY THE BERLIN SUPERVISORY AUTHORITY IN ITS OBJECTIONS

HERTZ understands that there is a disparity between what the Berlin Authority requests and what this Agency agrees to, given that the Berlin supervisory authority, in its relevant and reasoned objections, requests that: (sic) “the case be analyzed and a warning issued” (Third Fact, page 5), not that a sanctioning procedure be initiated against HERTZ.

And it alleges that, if the Berlin supervisory authority did not request the opening of sanctioning proceedings, it could be considered that, with the investigative powers attributed to it, this Agency could send a warning to HERTZ in accordance with the corrective power attributed to it by article 58.2.b) of the RGPD. However, it also adds that it perfectly understands that the Agency has to act through the mechanisms available in our legal system and also appreciates the fact that it considers issuing a warning under the terms indicated in the Initiation Agreement.

In this regard, this Agency wishes to point out that, indeed, it must act through the mechanisms available in our legal system (specifically, the LOPDGDD), which is why this sanctioning procedure is being processed, there being no other different procedure.


IV
Integrity and confidentiality of personal data

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:

“1. Personal data shall be:
(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the personal data of one of the clients (Ms. A.A.A.), recorded in the HERTZ database, were unduly exposed to a third party (the complaining party), violating the principles of integrity and confidentiality, on two occasions.

The known facts are considered to constitute an infringement, attributable to HERTZ, for violation of article 5.1.f) of the RGPD.


                                            V
                 Classification of the violation of article 5.1.f) of the RGPD

The aforementioned violation of article 5.1.f) of the RGPD implies the commission of the infringements typified in article 83.5 of the RGPD, which under the heading “General conditions for imposing administrative fines” provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that:

“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 constitute infringements, as well as those that are contrary to this organic law.”

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

“1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following:

a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”


                                            VI
                                  Security measures

Article 32 “Security of processing” of the RGPD establishes:

“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:

    a) the pseudonymisation and encryption of personal data;

    b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

    c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

    d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the decisive factor for a failure to comply with security obligations to occur is the lack of guarantees regarding the security of the data processed. This will always be presumed if technical and organisational security measures have not been implemented, or if the measures adopted are not considered sufficient. In the present case, the complaining party received a second email, again including personal data of another client (with information on sanctions), on July 29, 2019, almost three weeks after HERTZ had confirmed that their data had been rectified. According to HERTZ, this was due to a misunderstanding between the Customer Service department and the sanctions and contract management department. If sufficient technical and organisational measures had been adopted, it could be assumed, first, that the email would have been assigned to the corresponding customer in the database and, in addition, that the rectification of this email address in the customer database and in all relevant systems of the organisation could have been implemented in less time, so that the complaining party would not have received a second email with additional information.

Therefore, the known facts are considered to constitute an infringement, attributable to HERTZ, for violation of article 32 of the RGPD.


                                            VII
                  Classification of the violation of article 32 of the RGPD

The aforementioned violation of article 32 of the RGPD implies the commission of the infringements typified in article 83.4 of the RGPD, which under the heading “General conditions for imposing administrative fines” provides:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 10 000 000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39, 42 and 43; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 constitute infringements, as well as those that are contrary to this organic law.”


For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:

“Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, and in particular the following:

       (…)
       f) The failure to adopt those technical and organisational measures that are
       appropriate to guarantee a level of security appropriate to the risk of the
       processing, in the terms required by article 32.1 of Regulation (EU)
       2016/679.” (…)


                                           VIII
           Penalty for violation of article 5.1.f) and article 32 of the RGPD

Without prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulation provides, in section 2.b) of article 58 “Powers”, the following:

“Each supervisory authority shall have all of the following corrective powers:

       (…)
       b) to issue a warning to a controller or a processor where processing
       operations have infringed the provisions of this Regulation; (…)”

For its part, recital 148 of the RGPD indicates:

“In a case of a minor infringement, or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a warning may be issued instead of a fine. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, the degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.”

In accordance with the evidence available at the present time of resolution of the sanctioning procedure, it is considered that the violation in question is minor for the purposes of article 83.2 of the RGPD, given that in the present case, considering that it was an isolated case, the consequence of a specific error (of which similar precedents exist in this Agency), and one that was corrected shortly afterwards, there are grounds to consider a reduced culpability in the facts, which is why it is considered in accordance with the law not to impose a sanction consisting of an administrative fine and to replace it with a warning to HERTZ.


                                           IX
                                 Imposition of measures

Among the corrective powers provided in article 58 “Powers” of the RGPD, section 2.d) establishes that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…”.

In this sense, it is considered appropriate to issue a warning together with the corrective measure of article 58.2.d) of the RGPD, so that within 30 days HERTZ proceeds to adopt measures aimed at guaranteeing that situations such as the one that is the subject of this claim do not occur again.

The text of the resolution establishes what infringements have been committed and the events that have given rise to the violation of the data protection regulations, from which it is clearly inferred what measures to adopt, without prejudice to the fact that the choice of the specific procedures, mechanisms or instruments to implement them corresponds to the sanctioned party, since it is the controller who knows its organisation fully and must decide, on the basis of proactive responsibility and a risk-based approach, how to comply with the RGPD and the LOPDGDD.

Therefore, in accordance with the applicable legislation and having evaluated the criteria for the graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: TO ADDRESS to HERTZ DE ESPAÑA, S.L., with NIF B28121549, a warning for an infringement of article 32 of the RGPD and article 5.1.f) of the RGPD, typified, respectively, in articles 83.4 and 83.5 of the RGPD.

TO ORDER HERTZ DE ESPAÑA, S.L., with NIF B28121549, to adopt, within thirty days, the measures necessary to ensure that situations such as the one that is the subject of this claim do not occur again.

SECOND: NOTIFY this resolution to HERTZ DE ESPAÑA, S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months counting from the day following notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the remaining registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within a period of two months from the day following notification of this resolution, the precautionary suspension would end.


                                                                                  938-100322
Mar España Martí
Director of the Spanish Data Protection Agency