AEPD (Spain) - EXP202310910

From GDPRhub
Revision as of 13:53, 21 May 2024 by Lm (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202310910 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00568-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - EXP202310910
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 13 GDPR
Ley 3/2017 de los Espectáculos Públicos y Actividades Recreativas de Cantabria
Type: Complaint
Outcome: Upheld
Started: 23.06.2023
Decided:
Published: 07.05.2024
Fine: 20,000 EUR
Parties: Mouro Producciones, S.R.L.
National Case Number/Name: EXP202310910
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a controller €20,000 for violating data minimisation obligations by requiring copies of IDs to verify ages upon entry to events. The controller acknowledged its fault and paid a reduced fine of €12,000 in accordance with national law.

English Summary

Facts

On 23 June 2023, a data subject filed a complaint with the Spanish DPA (AEPD) requesting sanctioning proceedings against Mouro Producciones, S.R.L. (the controller). The controller, which hosted concerts and other events, required that parents or guardians provide a copy for their national identity cards (IDs) as well as of the minors’ IDs in order to gain entry.

The AEPD noted that the controller’s policy discussing its processing of minors’ data was out of date, making reference to a national law that had since been replaced. The policy did not specify why copies of IDs were necessary or how the copies would be processed beyond admission to the venue. It also did not state how long the data would be retained by the controller.

In its reply brief, the controller argued that it was necessary to verify the minors’ and their companions’ IDs in order to confirm their ages and to ensure compliance with Law 3/2017 the Espectáculos Públicos y Actividaded Recreativas de Cantabria. The national/regional? law limits minors’ ability to enter certain types of venues, including party rooms, discos, and dance rooms, and requires that establishments deny entry to anyone who does not verify their age with documentation. The law makes exceptions where the establishment authorises special sessions for minors or where minors under the age of 16 are accompanied by adults and the activity of the establishment is compatible with protecting minors’ moral and physical integrity.

Holding

The AEPD found that the controller likely violated Articles 5(1)(c) and 13 GDPR and recommended a €20,000 fine.

First, the AEPD considered that the controller failed to meet data minimisation standards pursuant to Article 5(1)(c) GDPR. The AEPD took into consideration Recital 39 GDPR’s instruction that personal data should only be processed if the purpose could not be reasonably achieved by other means. While Law 3/2017 required age verification of minors and their guardians, the controller went a step further by requiring a copy of the IDs. This collection of a complete and unredacted photocopy of IDs resulted in more processing than necessary and thus likely violated Article 5(1)(c) GDPR.

Second, the AEPD found that the controller likely violated Article 13 GPPR. The lack of information concerning the processing or storage period provided in the disclosure policy, as well as its being out of date, indicated that the controller failed to meet its information obligations. The AEPD noted that this resulted in other shortcomings for data subjects’ ability to exercise their rights, as the policy’s lack of sufficient information prevented data subjects from exercising their rights pursuant to Article 17 GDPR.

Given these likely violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €20,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €12,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/15










     File No.: EXP202310910



       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                   VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                 BACKGROUND


FIRST: On April 18, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against MOURO
PRODUCTIONS, S.R.L. (hereinafter, the claimed party), through the Agreement that
is transcribed:


<<


File No.: EXP202310910



           AGREEMENT TO START SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Data Protection Agency and in
based on the following


                                     FACTS

FIRST: A.A.A. (hereinafter, the complaining party) dated June 23, 2023
filed a claim with the Spanish Data Protection Agency. The
claim is directed against MOURO PRODUCCIONES, S.R.L. with NIF B39529847.

The reasons on which the claim is based are the following:

The complaining party states that, to attend concerts accompanied by minors
managed by the claimed entities, it is requested that they be completed
authorizations from mothers, fathers or guardians of minors who attend

said events, for which the contribution of a copy of the DNI of the authorizer is required,
as well as personal information of both the authorizer and the minors who
They attend the event. It also points out that the authorization documents by which
collect the aforementioned data do not provide adequate information regarding data protection.
data, without, on the other hand, stating that they have a Data Protection Delegate.
Data.

Provides authorizations for participation in concerts in which data is collected.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15








hereinafter LOPDGDD), said claim was transferred to MOURO
PRODUCTIONS, S.R.L. to proceed with its analysis and inform this
Agency within one month, of the actions carried out to adapt to the
requirements provided for in data protection regulations.


The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 08/03/2023 as stated in the
acknowledgment of receipt that appears in the file.

On 09/01/2023, this Agency received a response letter in which

states the following:

 - The events organized by Mouro Producciones have their
corresponding Privacy Policy and treats personal data in accordance with the
requirements provided for in the regulations on data protection, although it is

It is true that there has been an error on your part when loading the informative clauses in
the Web Pages of the corresponding events, which has implied the publication
on said Web Pages of the clauses that were outdated, with
references to the repealed regulations.
- In relation to the reason why it is requested that the companion of the
minors provide a copy of the DNI, it should be noted that it is necessary to make, before

authorize access to the premises, correct identification of the person. This results
necessary to the extent that their age must be verified in order to ensure that
You can accompany minors in your care.

- The DNI of minors is requested to the extent that it is necessary
verify the age of those attending the event according to current regulations regarding

Public Shows and Recreational Activities in Cantabria, since minors
age have certain prohibitions and certain requirements for attendance at said
events.

- Mouro Producciones is not faced with one of the mandatory assumptions of
appointment of a DPO in accordance with the requirements of the GDPR.


THIRD: On September 23, 2023, in accordance with article 65 of
the LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: According to the report collected from the AXESOR tool, the entity
MOURO PRODUCTIONS, S.R.L. It is a small company established in the year

2002, and with a business volume of 4,992,744 euros in 2022.


                           FOUNDATIONS OF LAW


                                           Yo
                                    Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/15








control authority and as established in articles 47, 48.1, 64.2 and 68.1
LOPDGDD, is competent to initiate and resolve this procedure the Director of the
Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."



                                           II
                                  Previous issues

In the present case, the processing of personal data by
part of MOURO PRODUCCIONES, S.R.L. in its business activity, as

established in article 4.2 of the RGPD:

"processing": any operation or set of operations performed on data
personal data or sets of personal data, whether through procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,

communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction;

MOURO PRODUCTIONS, S.R.L. carries out this activity in its capacity as
responsible for the treatment, given that it is the one who determines the purposes and means of such

activity, under article 4.7 of the GDPR:

"responsible for the treatment" or "responsible": the natural or legal person, authority
public, service or other body that, alone or together with others, determines the purposes and
means of treatment; whether Union or Member State law
determines the purposes and means of the treatment, the person responsible for the treatment or the

Specific criteria for their appointment may be established by Union Law.
or of the Member States.


                                           III
                                 Unfulfilled obligation

The known facts could constitute an infringement, attributable to Mouro
Productions, regulated in article 5.1.c) of the RGPD and other violation of article 13
of the GDPR.


                                           III
                               Article 5.1 c) of the GDPR

 Article 5 of the GDPR “Principles relating to processing” refers to the principle of

data minimization in letter c) of section 1 in the following terms:

“The personal data will be:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/15









 c) adequate, relevant and limited to what is necessary in relation to the purposes for which
that are processed (“data minimization”)”.


This article states that personal data will be “adequate,
relevant and limited to the need” for which they were collected, in such a way
that, if the objective pursued can be achieved without excessive treatment of
data, this is how it should be done.


In turn, recital 39 of the GDPR indicates that: “Personal data must only be
processed if the purpose of the processing could not reasonably be achieved by others
media." Therefore, only data that is “adequate,
relevant and not excessive in relation to the purpose for which they are obtained or processed.”


The categories of data selected for processing must be the
strictly necessary to achieve the stated objective and the person responsible for the
processing must strictly limit data collection to that information that
is directly related to the specific goal that is intended to be achieved.

In this case, the company requests that the “access to access document” be completed.

minors under 16 years of age” by fathers, mothers or legal guardians in order to
allow the entry of minors to concerts managed by it. In addition to
This completed authorization requires the presentation of a photocopy of the ID of the
authorizing parent or guardian who will remain in the possession of the company.


In the written response to the transfer of the claim, the company states that
the reason why the minor's companion is requested to provide a copy of the
DNI, it is because it is necessary to carry out, before authorizing access to the premises, a
correct identification of the person to comply with current regulations.


Article 40 “Protection of childhood and adolescence” of Law 3/2017, of 5
April, of Public Entertainment and Recreational Activities of Cantabria establishes, in
its section 2.:

2. The following limitations on access and permanence are established in the
public establishments and portable or removable facilities, where

celebrate public shows and recreational activities, with respect to minors
eighteen years:

a) It is prohibited, in general, to enter and remain in rooms of
party, discos, macro discos, dance halls, pubs, whiskey bars and venues

assimilated, with the following exceptions whose content will be developed
regulations:

1. That these establishments have authorization for sessions for minors
of age, in which the entry and stay of those over fourteen will be allowed

years and under eighteen, in accordance with article 24 of the Law of Cantabria
5/1997, of October 6, on Prevention, Assistance and Social Incorporation in matters
of drug dependence.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/15








2. That the activity that is going to take place in the party rooms, dance halls,
pubs, whiskey shops and similar venues is compatible with moral and physical integrity
of minors, while it lasts and as long as they are accompanied by a

responsible adult when they are under sixteen years of age.

And, in section 6:

6. The owners of public establishments or portable facilities or
detachable, as well as people who organize public shows or

recreational activities, may require, directly or through personnel at their disposal,
service, the exhibition of the national identity document or equivalent document
as a means of accreditation of the age of the attending public. They must prevent access
and, where appropriate, evict, directly or through personnel at your service, those who
do not document their age or do not comply with the age requirement at which

effects of the provisions of this law.

In accordance with the evidence available at the present time
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it can be understood that collecting the photocopy of the registration document
identity of the client with all the information contained in that document is a

processing of personal data contrary to the principle of “data minimization”,
regulated in article 5.1.c) of the RGPD.


                                           IV

                        Classification and classification of the offense


If confirmed, the aforementioned violation of article 5.1.c) of the RGPD could mean the
commission of the infractions classified in article 83.5 of the RGPD that under the

The section “General conditions for the imposition of administrative fines” provides:

“Infractions of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for

the largest amount:

   a) the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9;


In this regard, the LOPDGDD, in its article 71 establishes that “They constitute
infractions the acts and conduct referred to in sections 4, 5 and 6 of the
article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law.”


For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

Article 72. Infractions considered very serious.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/15








"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe violations that involve three years
a substantial violation of the articles mentioned therein and, in particular, the

following:

    a) The processing of personal data violating the principles and guarantees
        established in article 5 of Regulation (EU) 2016/679”.



                                            V
                                  Article 13 of the GDPR

Article 13 of the GDPR stipulates the following:


"1. When personal data relating to him or her are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide you
all information indicated below:
a) the identity and contact details of the person responsible and, where applicable, their
representative;
b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data are intended and the legal basis
of the treatment;
d) where the processing is based on Article 6, paragraph 1, letter f), the interest
legitimate of the person responsible or a third party;
e) the recipients or categories of recipients of the personal data, in their

case;
f) where applicable, the intention of the controller to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of the transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the

adequate or appropriate safeguards and the means to obtain a copy of these or
to the place where they have been made available.

2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained
personal, the following information necessary to guarantee data processing

loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this period;
b) the existence of the right to request from the data controller access to the data
personal data relating to the interested party, and its rectification or deletion, or the limitation

of your treatment, or to oppose the treatment, as well as the right to portability
of the data;
c) when the processing is based on Article 6(1)(a) or Article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the

consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/15








personal data and is informed of the possible consequences of not providing
such data;
f) the existence of automated decisions, including profiling, to which

referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant about the logic applied, as well as the importance and consequences
foreseen of said treatment for the interested party.

3. When the data controller plans the subsequent processing of data
personal data for a purpose other than that for which they were collected, will provide the

interested party, prior to said further processing, information about that other purpose
and any additional information relevant under paragraph 2.

The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
in which the interested party already has the information."



In this case, in the “access document for minors under 16 years of age”, regarding
to basic information on data protection, is outdated and makes
reference to Organic Law 15/1999 of December 13, on Data Protection
Personal character.


This document does not refer to the treatment that will be carried out on the
data obtained through the copy of the DNI and neither the conservation period of
the same.


There is not enough information provided about the company to be able to exercise the
rights of data subjects established in the GDPR, specifically, the right
established in article 17 “right of deletion”.

For all this, in accordance with the evidence available herein

moment of agreement to start the sanctioning procedure, and without prejudice to what
results from the instruction, it is considered that Mouro Producciones has been able to carry out a
processing of the personal data of the complaining party without complying with the
stipulations of article 13 of the RGPD, previously transcribed.



                                           SAW
           Classification and classification of the violation of article 13 of the RGPD

If confirmed, the aforementioned violation of article 13 of the RGPD could mean the
commission of the infractions classified in article 83.5 of the RGPD that under the

The section “General conditions for the imposition of administrative fines” provides:

 “Infractions of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the

global total annual business volume of the previous financial year, opting for
the largest amount: a) (…)

   a) the rights of the interested parties under articles 12 to 22;” (…)”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/15










In this regard, the LOPDGDD, in its article 71 establishes that “They constitute

infractions the acts and conduct referred to in sections 4, 5 and 6 of the
article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law.”

For the purposes of the limitation period, article 72 of the LOPDGDD indicates:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:


h) The omission of the duty to inform the affected party about the processing of their data
personal in accordance with the provisions of articles 13 and 14 of the Regulation (EU)
2016/679 and 12 of this organic law.


                                           VII

                                 Sanction proposal

In order to determine the administrative fine to impose, the following must be observed:
provisions of articles 83.1 and 83.2 of the RGPD, provisions that indicate:


"1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.


2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

 a) the nature, severity and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to

alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment,
taking into account the technical or organizational measures that have been implemented under
of articles 25 and 32;
e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/15








 h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;

 i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,

such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”

Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,
“Sanctions and corrective measures” provides:


"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679

may also be taken into account:

a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of medical treatment.
personal information.

c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
"There are disputes between those and any interested party."


In this case, given the possible violation of articles 5.1 c) and 13 of the RGPD,
the imposition of a fine would be appropriate, in addition to the adoption of measures, in its
case.

The fine imposed must be, in each individual case, effective, proportionate

and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. Thus
considers, in advance, the condition of the claimed part of small
company, and with a business volume of 4,992,744 euros in 2022.

In accordance with the indicated precepts, in accordance with the evidence that

currently has an agreement to initiate the sanctioning procedure and
without prejudice to what results from the instruction of the procedure, for the purposes of setting the
amount of the sanctions to be imposed in the present case, it is considered that it is appropriate


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/15








graduate the sanctions according to the following criteria established by the
transcribed precepts:

In an initial assessment, the criteria for
following graduation:


 - Art. 5.1.c)

       Article 83.2.g) of the RGPD: Categories of personal data
       affected by the infringement. And this is because the content included in the
       identity document is especially sensitive data, the processing of which

       may give rise to issues of identity theft or fraud, and contains
       data that is not necessary for the purpose for which it was processed, and may
       mere on-site verification of age may be sufficient.

 - Art. 13 GDPR:


       Article 83.2.a) of the RGPD: Nature, severity and duration of the infringement:
       In fulfilling its legal obligations, the claimed party must
       act with the diligence that the circumstances of the case demand, not being able
       It can be understood that this occurs when there is no proper information about the
       rights that assist those affected by the data processing that is going to

       carried out. In this sense, it is necessary to refer to the Judgment
       of the Court of Justice of the European Union, of December 5, 2023,
       relapse in case C-807/21 (Deutsche Wohnen), which indicates:

       “76 In this regard, it must also be specified, as regards the question of
       whether an infringement has been committed intentionally or negligently and, therefore,

       may be punished with an administrative fine in accordance with article 83 of the
       GDPR, that a data controller can be sanctioned by a
       behavior falling within the scope of application of the GDPR when it does not
       could ignore the offending nature of his conduct, whether or not he was aware of it.
       infringe the provisions of the GDPR (see, by analogy, the rulings of
       18 June 2013, Schenker & Co. and others, C 681/11, EU:C:2013:404,

       paragraph 37 and cited case law; of March 25, 2021,
       Lundbeck v Commission, C 591/16 P, EU:C:2021:243, paragraph 156, and of 25
       March 2021, Arrow Group and Arrow Generics v Commission, C 601/16 P,
       EU:C:2021:244, paragraph 97).” (emphasis is ours).



Considering the factors exposed, the initial valuation that reaches the fine for the
violation of article 5.1.c) of the RGPD is €13,000 (thirteen thousand euros) and for the
violation of article 13 of the RGPD of €7,000 (seven thousand euros), without prejudice to what
results from the instruction of the procedure.



                                          VIII
                                Adoption of measures



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/15








If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the

which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a
specified period…” The imposition of this measure is compatible with the sanction
consisting of an administrative fine, as provided in art. 83.2 of the GDPR.


In such case, in the resolution that is adopted, this authority may require the
responsible so that within one month:

 - Include information in the “access document for minors under 16 years of age”.
regarding data protection duly updated, eliminating the reference to the

Organic Law 15/1999 of December 13, on the Protection of Personal Data
Staff.

- Adapt your information clause to the provisions of the privacy protection regulations.
data.


- Eliminate from the documents of access to minors: “This document lacks
validity without a photocopy of the DNI of the parent/guardian who signs it.”

It is warned that failure to comply with the possible order to adopt measures imposed by
This body in the sanctioning resolution may be considered as a

administrative offense in accordance with the provisions of the RGPD, classified as
infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Agency

Spanish Data Protection,
HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against MOURO
PRODUCCIONES, S.R.L., with NIF B39529847, for the alleged violation of the
articles 5.1 c) and 13 of the RGPD, both classified in article 83.5 of the RGPD.


SECOND: APPOINT B.B.B. as instructor. and, as secretary, to C.C.C.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Inspection of
Data in the actions prior to the start of this sanctioning procedure.


FOURTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that
could correspond would be: without prejudice to what results from the instruction.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/15








- For the alleged violation of article 5.1.c) of the RGPD, typified in article 83.5
of said rule, administrative fine of €13,000.00 (THIRTEEN THOUSAND EUROS);


- For the alleged violation of article 13 of the RGPD, typified in article 83.5 of
said rule, administrative fine of €7,000.00 (SEVEN THOUSAND EUROS).

The above adds up to a total amount of €20,000 (TWENTY THOUSAND EUROS).

FIFTH: NOTIFY this agreement to MOURO PRODUCCIONES, S.R.L., with

NIF B39529847, granting a hearing period of ten business days so that
formulate the allegations and present the evidence you consider appropriate. In its
written allegations must provide your NIF and the file number that appears in
the heading of this document.


If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of the LPACAP.

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the

present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 16,000.00 euros, resolving the
procedure with the imposition of this sanction.


Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at 16,000.00 euros and its payment will imply termination
of the procedure, without prejudice to the imposition of the corresponding measures.


The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In

In this case, if both reductions were to be applied, the amount of the penalty would remain
established at 12,000.00 euros.

In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.

administrative against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (16,000.00 euros or 12,000.00 euros), you must make it effective
by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000

(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of
Data Protection in the banking entity CAIXABANK, S.A., indicating in the
concept the reference number of the procedure appearing in the heading
of this document and the reason for the reduction in the amount to which it applies.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/15









Likewise, you must send proof of income to the General Subdirectorate of

Inspection to continue the procedure in accordance with the quantity
entered.

The procedure will have a maximum duration of twelve months from the date
of the initiation agreement. After that period has elapsed without it having been issued and notified

resolution will expire and, consequently, the proceedings will be archived;
in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as far as
Subsequently, the notifications sent to you will be made exclusively

electronically, through the Unique Enabled Electronic Address (dehu.redsara.es), and
that, if you do not access them, your rejection will be recorded in the file, considering
the procedure has been carried out and the procedure is followed. You are informed that you can
identify to this Agency an email address to receive the notice
of making notifications available and that the lack of practice of this notice does not

will prevent the notification from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
There is no administrative appeal against this act.


                                                                              935-30102023

Sea Spain Martí
Director of the Spanish Data Protection Agency
>>

SECOND: On April 27, 2024, the claimed party has proceeded to pay

the penalty in the amount of 12,000 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to

The opening of the procedure entails the waiver of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.

FOURTH: In the initiation agreement transcribed previously, it was stated that,

If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the

this Regulation, where appropriate, in a certain manner and within a
specified period…”

Having recognized the responsibility for the infraction, the imposition of
the measures included in the Initiation Agreement.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/15








                           FOUNDATIONS OF LAW

                                            Yo

                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and

guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                           II

                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:


"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature or a penalty can be imposed

pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of

any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
“regularly.”


According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/15








FIRST: DECLARE the termination of procedure EXP202310910, of

in accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER from MOURO PRODUCCIONES, S.R.L. so that within the period of
1 month from when this resolution is final and enforceable, notify the Agency of the

adoption of the measures described in the legal foundations of the
Initiation agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to MOURO PRODUCCIONES, S.R.L..


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by

the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                               1259-16012024
Sea Spain Martí
Director of the Spanish Data Protection Agency






























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es