AEPD (Spain) - EXP202405119
| AEPD - EXP202405119 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 58(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 23.11.2023 |
| Decided: | |
| Published: | 22.05.2024 |
| Fine: | 96,000 EUR |
| Parties: | Watium S.L. |
| National Case Number/Name: | EXP202405119 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA fined a controller €160,000 for failing to respond to the DPA's requests for information. The controller acknowledged its fault and paid a reduced fine of €96,000 in accordance with national law.
English Summary
Facts
On 22 April 2024, the Spanish DPA (AEPD) initiated sanctioning procedures against Watium S.L. (the controller). As part of its investigation, the AEPD twice requested the controller to provide information related to the complaint filed against it. The requests were collected by the controller on 23 November 2023 and 9 February 2024 respectively.
On 21 February 2024, the controller requested that the period for providing the documents and information be extended to 29 February 2024. Despite this request, the controller did not respond to the AEPD with the requested information.
Holding
Article 58(1)(e) GDPR empowers DPAs to order controllers to provide the information DPAs need to conduct their investigations. The failure to comply with such requests for information constitutes a violation of Article 83(5)(e) GDPR.
Given these likely violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €160,000. In calculating the sanction, the AEPD noted that this was a grave infraction warranting a high sanction. It also took account of the large size of the controller, aiming for the fine to be dissuasive and proportionate.
Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €96,000.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202405119
RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT
From the procedure conducted by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On April 22, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against WATIUM S.L. (hereinafter, the claimed party), through the Agreement transcribed below:
<< File No.: EXP202405119
AGREEMENT TO START SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency, and based on the following
FACTS
FIRST: As a consequence of a claim presented to the Spanish Data Protection Agency against WATIUM S.L. with NIF B86459260 (hereinafter, the claimed party), showing signs of a possible non-compliance with the rules within the scope of the powers of the Spanish Data Protection Agency, proceedings were initiated with file number EXP202309276.
In accordance with the provisions of article 65 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim was transferred to the controller or to the Data Protection Officer that may have been designated, requesting that they send to this Agency the information and documentation that was indicated.
The transfer, which was notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) through electronic means, was collected by the claimed party on July 27, 2023, as stated in the acknowledgment of receipt in the file.
On August 24, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
SECOND: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD.
Within the framework of the investigative proceedings, a request for information related to the claim indicated in the first section was sent twice to the claimed party so that, within a period of ten business days, it would submit to this Agency the information and documentation indicated.
THIRD: The aforementioned request for information, which was notified on both occasions in accordance with the rules established in the LPACAP through electronic means, was collected by the claimed party on November 23, 2023 and February 9, 2024, as stated in the acknowledgments of receipt in the proceedings.
FOURTH: On February 21, 2024, with entry registration number REGAGE24e00013639767, the claimed party submitted a document requesting an extension, until February 29, 2024, of the deadline granted to provide the required information and documentation.
FIFTH: Regarding the requested information, the claimed party has not sent any response to this Spanish Data Protection Agency.
SIXTH: According to the report obtained from the AXESOR tool, the entity WATIUM S.L. is a company established in 2012, with a business volume of ***AMOUNT.1 euros in 2022.
FOUNDATIONS OF LAW
I Competence
In accordance with the powers that article 58.2 of the RGPD grants to each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Unfulfilled obligation
In accordance with the evidence available at the present time of the agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the claimed party has not provided the Spanish Data Protection Agency with the information it requested.
With the indicated conduct of the claimed party, the investigative power that Article 58.1 of the RGPD confers on the control authorities, in this case the AEPD, has been hindered.
Therefore, the events described in the “Facts” section are considered to constitute an infraction, attributable to the claimed party, due to violation of article 58.1 of the RGPD, which provides that each supervisory authority will have, among its powers of investigation:
“a) order the controller and the processor and, where applicable, the representative of the controller or the processor, to provide any information it requires for the performance of its functions.”
III Classification of the offense
In accordance with the evidence available at the present time of the agreement to initiate the sanctioning procedure, and without prejudice to what results from the investigation, it is considered that the facts presented could constitute an infringement, attributable to the claimed party.
This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “failure to provide access in breach of Article 58(1).”
The same article establishes that this violation can be punished with a fine of twenty million euros (€20,000,000) maximum or, in the case of a company, of an amount equivalent to four percent (4%) maximum of the total global annual business volume of the previous financial year, whichever amount is greater.
For the purposes of the limitation period for infringements, the alleged infringement prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which classifies the following conduct as very serious:
“ñ) Not facilitating access by personnel of the competent data protection authority to personal data, information, premises, equipment and means of processing that are required by the data protection authority for the exercise of its investigative powers.”
IV Sanction proposal
The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. Consequently, the sanction to be imposed must be graduated according to the criteria established in article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD. Also, to ensure consistent application of the GDPR, consideration must be given to Guidelines 04/2022 issued by the European Data Protection Board on the calculation of fines under the GDPR.
In light of the facts presented, without prejudice to what results from the investigation of the procedure, it is considered appropriate to impute a sanction to the claimed party for violation of article 58.1 of the RGPD, typified in article 83.5 e) of the GDPR. The sanction that would be imposed is an administrative fine in the amount of 160,000.00 euros.
The following have been considered as circumstances for graduation of the sanction:
- The classification of the infraction carried out by the legislator itself in art. 83 of the RGPD, placing it within the set of most serious infractions of sections 5 and 6 of this article, which have a higher sanctioning range.
- The nature of the infringement in accordance with art. 83.2.a), for the interests protected and its place in the framework of personal data protection. By not providing a response to the information request made, the powers of investigation that the RGPD provides to the control authorities are impeded, hindering the control function entrusted to them by the RGPD, and thus making it difficult to supervise the effective application of the regulations and compliance with the objectives they pursue.
- The turnover of the responsible company, so that the fine is effective, dissuasive and proportionate, in accordance with art. 83.1 of the GDPR.
Therefore, in light of the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED:
FIRST: START SANCTIONING PROCEDURE against WATIUM S.L., with NIF B86459260, for the violation of article 58.1 of the RGPD, typified in art. 83.5 e) of the cited GDPR.
SECOND: ORDER WATIUM S.L., under the power of investigation provided in article 58.1.a) of the RGPD, to provide, within a period of ten business days, the information required in the requests made within the framework of the actions with file number EXP202309276 and which have been referred to in the description of the facts of this initiation agreement.
THIRD: APPOINT R.R.R. as instructor and S.S.S. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
FOURTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the requests for information issued by the General Subdirectorate of Data Inspection within the framework of the actions with file number EXP202309276 and the accreditation of their having been notified.
FIFTH: THAT for the purposes provided for in art. 64.2 b) of the LPACAP, the sanction that could correspond would be, for the alleged violation of article 58.1 of the RGPD, typified in article 83.5 of said rule, an administrative fine in the amount of 160,000.00 euros, without prejudice to what results from the investigation.
SIXTH: NOTIFY this agreement to WATIUM S.L., with NIF B86459260, granting it a hearing period of ten business days to formulate the allegations and present the evidence it considers appropriate. In your written allegations you must provide your NIF and the file number that appears in the heading of this document.
If within the stipulated period you do not make allegations to this initiation agreement, the same may be considered a proposal for a resolution, as established in article 64.2.f) of the LPACAP.
The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After this period, its expiration will occur and, consequently, the archiving of the actions, in accordance with the provisions of article 64 of the LOPDGDD.
In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 128,000.00 euros, resolving the procedure with the imposition of this sanction.
Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, the penalty would be established at 128,000.00 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for the voluntary payment of the penalty is cumulative with that which applies for recognition of responsibility, provided that this recognition of responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be established at 96,000.00 euros.
In any case, the effectiveness of either of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any administrative action or appeal against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (128,000.00 euros or 96,000.00 euros), you must make the payment by depositing it into the account with IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure appearing in the heading of this document and the reason for the reduction in the amount to which it applies.
Likewise, you must send proof of the deposit to the General Subdirectorate of Inspection to continue the procedure in accordance with the amount deposited.
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.
972-110923
Mar España Martí
Director of the Spanish Data Protection Agency >>
SECOND: On May 16, 2024, the claimed party proceeded to pay the penalty in the amount of 96,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility.
THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement.
FOUNDATIONS OF LAW
I Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures”, provides the following:
"1.
Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and a non-pecuniary one may be imposed but the inadmissibility of the second has been justified, the voluntary payment by the alleged responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction.
The reduction percentage provided for in this section may be increased by regulation."
According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DECLARE the termination of procedure EXP202405119, in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to WATIUM S.L.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by art.
114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law.
936-040822
Mar España Martí
Director of the Spanish Data Protection Agency