AEPD (Spain) - EXP202401110
AEPD - EXP202401110 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | 31.10.2023 |
Decided: | |
Published: | |
Fine: | 4,000 EUR |
Parties: | n/a |
National Case Number/Name: | EXP202401110 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Ao |
The DPA fined a controller €4,000 for repeatedly ignoring requests for information that the DPA had sent in order to conduct its investigation.
English Summary
Facts
On 31 October 2023, the Spanish DPA (AEPD) accepted a complaint for processing and began to investigate the situation under Article 58(1) GDPR.
In November 2023, the AEPD sent two requests for information to the controller, but the 10-day deadline passed without any response from the controller.
On 7 February 2024, the AEPD initiated disciplinary proceedings against the controller for an infringement of Article 58(1) GDPR. The controller also did not respond to the initiation of proceedings notice.
Holding
The AEPD held that the controller is to be sanctioned with a fine of €4,000 for a breach of Article 58(1) GDPR.
The AEPD again ordered the controller to respond within 10 working days and stated that failure to do so would prove a violation of Article 83(6) GDPR and would warrant another fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202401110
SANCTIONING PROCEDURE RESOLUTION
From the procedure initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: As a result of a claim filed with the Spanish Data Protection Agency against GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA with NIF B04859575 (hereinafter, the respondent), with indications of a possible breach of the rules in the scope of the powers of the Spanish Data Protection Agency, actions were initiated with file number EXP202313081.
In accordance with the provisions of article 65 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD hereinafter), the claim was forwarded to the controller or to the Data Protection Officer that he/she had designated, requesting that he/she send to this Agency the information and documentation indicated.
The transfer, which was notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) by electronic notification, was not collected by the controller within the period of availability, as stated in the acknowledgment of receipt that is in the file, the procedure being understood to have been carried out in accordance with the provisions of arts. 43.2 and 41.5 of the LPACAP on October 8, 2023.
Although the notification was validly carried out by electronic means, for informational purposes two copies were sent by post, resulting in the transfer being delivered on November 1, 2023, as stated in the receipts in the file.
On October 31, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complainant was admitted for processing.
SECOND: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the aforementioned LOPDGDD.
Within the framework of the investigative actions, the respondent party was sent a request for information twice, regarding the claim indicated in the first section, so that, within ten working days, it would submit to this Agency the information and documentation indicated.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
THIRD: The aforementioned request for information was notified on both occasions in accordance with the rules established in the LPACAP. On November 30, the request was delivered to the respondent party by mail, as stated in the acknowledgment of receipt in the file. After the period granted had elapsed without this Agency having received any response from the respondent party, the request was sent again through electronic means, not being collected by the person responsible within the period of availability, as stated in the acknowledgment of receipt in the file, and therefore the notification was understood to have been made in accordance with the provisions of art. 43.2 and 41.5 of the LPACAP on December 30, 2023.
FOURTH: Regarding the requested information, the respondent party has not sent any response to this Spanish Data Protection Agency.
FIFTH: On February 7, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party, for the alleged violation of Article 58.1 of the GDPR, classified in Article 83.5 of the GDPR.
SIXTH: The agreement to initiate this sanctioning procedure was notified, in accordance with the rules established in the LPACAP, by means of an announcement published in the Official State Gazette dated February 22, 2024, after being returned to origin by Correos as unknown, despite having been sent to the tax address of the respondent party provided by the State Tax Administration Agency, as accredited in the file. In accordance with art. 42.1 of the LPACAP, the notification of the initiation agreement was also made available to the interested party by electronic means through the single enabled electronic address.
SEVENTH: Once the aforementioned initiation agreement has been notified in accordance with the rules established in the LPACAP and the period granted for the formulation of allegations has elapsed, it has been noted that no allegations have been received from the respondent party.
Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed in the agreement to open the procedure - establishes that if no allegations are made within the period provided for regarding the content of the initiation agreement, when it contains a precise statement regarding the imputed liability, it may be considered a resolution proposal.
In the present case, the agreement to initiate the sanctioning procedure determined the facts in which the imputation was specified, the infringement of the RGPD attributed to the respondent and the sanction that could be imposed.
Therefore, taking into account that the respondent party has not made any objections to the agreement to initiate the proceedings and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the proceedings is considered in this case a resolution proposal.
EIGHTH: According to the report collected from the AXESOR tool, the entity GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA is a company established in 2017 for which there is no financial information.
In view of all the actions taken by the Spanish Data Protection Agency in the present procedure, the following facts are considered proven:
PROVEN FACTS
FIRST: The requests for information indicated in the second and third background information were notified in accordance with the provisions of the LPACAP.
SECOND: The respondent party has not responded to the requests for information made by this Agency in the framework of the investigation actions of file EXP202313081 within the time limits granted for this purpose.
LEGAL BASIS
I Competence
In accordance with the powers that article 58.2 of the GDPR grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Unfulfilled obligation
In light of the facts set out, it is considered that the respondent party has not provided the Spanish Data Protection Agency with the information that it requested.
With the aforementioned conduct of the respondent party, the power of investigation that article 58.1 of the GDPR confers on the control authorities, in this case, the AEPD, has been hindered.
Therefore, the facts described in the section “Proven facts” are considered to constitute an infringement, attributable to the respondent party, for violation of Article 58.1 of the GDPR, which provides that each supervisory authority shall have, among its investigative powers:
“a) order the controller and the processor and, where appropriate, the representative of the controller or the processor, to provide any information required for the performance of their duties.”
III Classification and qualification of the infringement
The facts set out are considered to constitute an infringement, attributable to the respondent party. This infringement is classified in Article 83.5.e) of the GDPR, which considers as such: “failing to provide access in breach of Article 58, paragraph 1.”
The same article establishes that this infringement may be sanctioned with a fine of twenty million euros (€20,000,000) as maximum or, in the case of a company, an amount equivalent to four percent (4%) as maximum of the total global annual turnover of the previous financial year, choosing the higher amount.
For the purposes of the limitation period for infringements, the imputed infringement is subject to a three-year statute of limitations, in accordance with article 72.1 of the LOPDGDD, which classifies the following conduct as very serious:
“ñ) Not facilitating access by the personnel of the competent data protection authority to personal data, information, premises, equipment and means of processing that are required by the data protection authority for the exercise of its investigative powers.”
IV Imputed sanction
The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD.
Consequently, the sanction to be imposed must be graduated in accordance with the criteria established in article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, with respect to section k) of the aforementioned article 83.2 RGPD.
Furthermore, in order to ensure a consistent application of the GDPR, the Guidelines 04/2022 formulated by the European Data Protection Committee on the calculation of fines under the GDPR must be taken into consideration.
Based on the facts set out, it is considered that a sanction should be imposed on the respondent party for the violation of article 58.1 of the GDPR as defined in article 83.5 e) of the GDPR.
The sanction to be imposed is an administrative fine of 4,000.00 euros.
Therefore, in accordance with applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA, with NIF B04859575, for an infringement of Article 58.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of 4,000.00 euros (FOUR THOUSAND euros).
SECOND: ORDER GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA, with NIF B04859575, in accordance with the power of investigation provided for in article 58.1.a) of the GDPR, to provide, within ten business days from the date this resolution becomes final and enforceable, the information required in the requests made within the framework of the actions with file number EXP202313081 and to which reference has been made in the background of this resolution.
It is noted that failure to comply with the requests of this body may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
THIRD: NOTIFY this resolution to GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA.
FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty.
The sanctioned party is warned that he must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1. of the referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure in administrative proceedings if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.
938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency