AEPD (Spain) - EXP202401110
AEPD - EXP202401110 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(1) GDPR |
Type: | Complaint |
Outcome: | Other Outcome |
Started: | 31.10.2023 |
Decided: | 26.11.2024 |
Published: | 2.12.2024 |
Fine: | 4,000 EUR |
Parties: | n/a |
National Case Number/Name: | EXP202401110 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Ao |
The DPA fined a controller €4,000 for repeatedly ignoring the DPA’s requests to provide information required to carry out an investigation.
English Summary
Facts
On the 31 October 2023, the Spanish DPA (AEPD) accepted a complaint for processing and began to investigate the situation under Article 58(1) GDPR.
In November 2023, the AEPD sent two requests for information to the controller, but the 10-day deadline passed without any response from the controller.
On 7 February 2024, the AEPD initiated disciplinary proceedings against the controller for an infringement of Article 58(1) GDPR. The controller also did not respond to the notice regarding the initiation of this proceedings.
Holding
The AEPD issued a decision in the disciplinary proceeding and held that the controller is to be sanctioned with a fine of €4,000 for a breach of Article 58(1) GDPR.
The AEPD again ordered the controller to respond within 10 working days and stated that failure to do so would prove a violation of Article 83(6) GDPR and would warrant another fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 File No.: EXP202401110 SANCTIONING PROCEDURE RESOLUTION From the procedure initiated by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: As a result of a claim filed with the Spanish Data Protection Agency against GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA with NIF B04859575 (hereinafter, the respondent), with indications of a possible breach of the rules in the scope of the powers of the Spanish Data Protection Agency, actions were initiated with file number EXP202313081. In accordance with the provisions of article 65 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD hereinafter), the claim was forwarded to the controller or to the Data Protection Officer that he/she had designated, requesting that he/she send to this Agency the information and documentation indicated. The transfer, which was notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) by electronic notification, was not collected by the controller within the period of availability, as stated in the acknowledgment of receipt that is in the file, the procedure being understood to have been carried out in accordance with the provisions of arts. 43.2 and 41.5 of the LPACAP on October 8, 2023. Although the notification was validly carried out by electronic means, for informational purposes two copies were sent by post, resulting in the transfer being delivered on November 1, 2023, as stated in the receipts in the file. On October 31, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complainant was admitted for processing. SECOND: The General Subdirectorate for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the aforementioned LOPDGDD. Within the framework of the investigative actions, the respondent party was sent a request for information twice, regarding the claim indicated in the first C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/6 section, so that, within ten working days, it would submit to this Agency the information and documentation indicated. THIRD: The aforementioned request for information was notified on both occasions in accordance with the rules established in the LPACAP. On November 30, the request was delivered to the respondent party by mail, as stated in the acknowledgment of receipt in the file. After the period granted had elapsed without this Agency having received any response from the respondent party, the request was sent again through electronic means, not being collected by the person responsible within the period of availability, as stated in the acknowledgment of receipt in the file, and therefore the notification was understood to have been made in accordance with the provisions of art. 43.2 and 41.5 of the LPACAP on December 30, 2023. FOURTH: Regarding the requested information, the respondent party has not sent any response to this Spanish Data Protection Agency. FIFTH: On February 7, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party, for the alleged violation of Article 58.1 of the GDPR, classified in Article 83.5 of the GDPR. SIXTH: The agreement to initiate this sanctioning procedure was notified, in accordance with the rules established in the LPACAP, by means of an announcement published in the Official State Gazette dated February 22, 2024, after being returned to origin by Correos as unknown, despite having been sent to the tax address of the respondent party provided by the State Tax Administration Agency, as accredited in the file. In accordance with art. 42.1 of the LPACAP, the notification of the initiation agreement was also made available to the interested party by electronic means through the single enabled electronic address. SEVENTH: Once the aforementioned initiation agreement has been notified in accordance with the rules established in the LPACAP and the period granted for the formulation of allegations has elapsed, it has been noted that no allegations have been received from the respondent party. Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed in the agreement to open the procedure - establishes that if no allegations are made within the period provided for regarding the content of the initiation agreement, when it contains a precise statement regarding the imputed liability, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning procedure determined the facts in which the imputation was specified, the infringement of the RGPD attributed to the respondent and the sanction that could be imposed. Therefore, taking into account that the respondent party has not made any objections to the agreement to initiate the proceedings and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the proceedings is considered in this case a resolution proposal. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/6 EIGHTH: According to the report collected from the AXESOR tool, the entity GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA is a company established in 2017 for which there is no financial information. In view of all the actions taken by the Spanish Data Protection Agency in the present procedure, the following facts are considered proven: PROVEN FACTS FIRST: The requests for information indicated in the second and third background information were notified in accordance with the provisions of the LPACAP. SECOND: The respondent party has not responded to the requests for information made by this Agency in the framework of the investigation actions of file EXP202313081 within the time limits granted for this purpose. LEGAL BASIS I Competence In accordance with the powers that article 58.2 of the GDPR grants to each supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Unfulfilled obligation In light of the facts set out, it is considered that the respondent party has not provided the Spanish Data Protection Agency with the information that it requested. With the aforementioned conduct of the respondent party, the power of investigation that article 58.1 of the GDPR confers on the control authorities, in this case, the AEPD, has been hindered. Therefore, the facts described in the section “Proven facts” are considered to constitute an infringement, attributable to the respondent party, for violation of Article 58.1 of the GDPR, which provides that each supervisory authority shall have, among its investigative powers: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/6 “a) order the controller and the processor and, where appropriate, the representative of the controller or the processor, to provide any information required for the performance of their duties.” III Classification and qualification of the infringement The facts set out are considered to constitute an infringement, attributable to the respondent party. This infringement is classified in Article 83.5.e) of the GDPR, which considers as such: “failing to provide access in breach of Article 58, paragraph 1.” The same article establishes that this infringement may be sanctioned with a fine of twenty million euros (€20,000,000) as maximum or, in the case of a company, an amount equivalent to four percent (4%) as maximum of the total global annual turnover of the previous financial year, choosing the higher amount. For the purposes of the limitation period for infringements, the imputed infringement is subject to a three-year statute of limitations, in accordance with article 72.1 of the LOPDGDD, which classifies the following conduct as very serious: “ñ) Not facilitating access by the personnel of the competent data protection authority to personal data, information, premises, equipment and means of processing that are required by the data protection authority for the exercise of its investigative powers.” IV Imputed sanction The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. Consequently, the sanction to be imposed must be graduated in accordance with the criteria established in article 83.2 of the RGPD, and with the provisions of article 76 of the LOPDGDD, with respect to section k) of the aforementioned article 83.2 RGPD. Furthermore, in order to ensure a consistent application of the GDPR, the Guidelines 04/2022 formulated by the European Data Protection Committee on the calculation of fines under the GDPR must be taken into consideration. Based on the facts set out, it is considered that a sanction should be imposed on the respondent party for the violation of article 58.1 of the GDPR as defined in article 83.5 e) of the GDPR. The sanction to be imposed is an administrative fine of 4,000.00 euros. Therefore, in accordance with applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/6 FIRST: TO IMPOSE on GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA, with NIF B04859575, for an infringement of Article 58.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of 4,000.00 euros (FOUR THOUSAND euros). SECOND: ORDER GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA, with NIF B04859575, in accordance with the power of investigation provided for in article 58.1.a) of the GDPR, to provide, within ten business days from the date this resolution becomes final and enforceable, the information required in the requests made within the framework of the actions with file number EXP202313081 and to which reference has been made in the background of this resolution. It is noted that failure to comply with the requests of this body may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure. THIRD: NOTIFY this resolution to GESTIÓN DE PATRIMONIOS ANFIPOLIS SOCIEDAD DE RESPONSABILIDAD LIMITADA. FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this faculty. The sanctioned party is warned that he must make effective the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period. Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in article 46.1. of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure in administrative proceedings if the interested party expresses his intention to lodge an administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension. 938-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es