AEPD (Spain) - EXP202313226

From GDPRhub
AEPD - EXP202313226
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 21.08.2023
Decided: 20.11.2024
Published: 24.11.2024
Fine: 5,000 EUR
Parties: n/a
National Case Number/Name: EXP202313226
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ao

The DPA fined a controller €5,000 for merely assuming the data subject had consented to the publication of their image and personal data on the company website.

English Summary

Facts

The data subject worked for Roca & Asociados lawyers and economists, the controller, from 13 March to 21 July 2023. The controller published the names and photographs of its employees without their consent on the company website.

On 21 August 2023, the data subject filed a complaint with the AEPD against the controller.

The controller contested the allegation, stating that the data subject had consented to the publication of her picture by posing for the photo and by providing details from her CV for use in the firm's team section. The controller's IT specialist had emailed employees in preparation for the pictures being taken; the email read: "Tomorrow we will take pictures of the newcomers who want to take them" and included a link showing the usual style of the photographs.

The data subject had also been informed that she could review the photographs. The controller added that the data subject had posted the same details on her own LinkedIn profile.

Holding

The AEPD confirmed that the controller had based the processing of personal data on the data subject’s consent.

With regard to the definition of consent under Article 4(11) GDPR, read together with Recitals 32 and 42 GDPR, the AEPD highlighted that the data subject must be adequately informed of the processing and must clearly agree to it. During its investigation the AEPD found no evidence of a clear declaration by the data subject that she had agreed to the processing of her personal data, namely its publication on the website.

The AEPD held that the controller had merely assumed the data subject’s consent which does not meet the requirement of a clear affirmative action. It therefore found a violation of Article 6(1) GDPR and issued a fine of €5,000 to the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


 File No.: EXP202313226 (PS/00526/2023)

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on August 21, 2023. The claim is directed against ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P. with NIF B66945197 (hereinafter, ROCA & ASOCIADOS). The reasons on which the claim is based are the following:

The claimant worked at the defendant company between March 13 and July 21, 2023 and points out that the company (a law firm) publishes the names, surnames and photographs of its employees without consent, including the claimant's own.

The claimant states that in the next few days he will urge the defendant company to delete his data.

A link to the publication is provided with the claim: https://roca.legal/team.html.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), this claim was transferred to ROCA & ASOCIADOS, so that it could proceed with its analysis and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on September 29, 2023, as stated in the acknowledgment of receipt in the file.

No response has been received to this transfer letter.

THIRD: On November 21, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complainant was admitted for processing.

FOURTH: According to the report collected from the AXESOR tool, the entity ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P. is a micro-enterprise established in 2017, with a turnover of ***AMOUNT.1 euros in 2022.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/15

FIFTH: On January 31, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against ROCA & ASOCIADOS, in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged infringement of article 6.1 of the GDPR, classified in article 83.5 of the GDPR, indicating that it had a period of ten days to submit allegations.

This initiation agreement, which was notified to ROCA & ASOCIADOS in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on February 13, 2024, as stated in the acknowledgment of receipt in the file.

SIXTH: On February 27, 2024, this Agency received, in a timely manner, a letter from ROCA & ASOCIADOS presenting allegations regarding the initiation agreement in which, in summary, it stated that:

The complainant gave his consent to the publication of his photo on the ROCA & ASOCIADOS website, having posed for the photo to be taken and having provided his CV data for inclusion in the office profile, after a communication from the company's IT technician by email which stated "Tomorrow we will take photos of the new ones who want it". Two messages sent to the complainant's email were attached, in which he was notified of the possibility of reviewing the photographs. In addition, the complainant had previously published on his LinkedIn profile the same data that appeared on the ROCA & ASOCIADOS website.

SEVENTH: On March 5, 2024, the body in charge of the procedure agreed to open a period for the collection of evidence, taking into account the documents obtained and generated in the transfer of the claim, which form part of the file, as well as the allegations to the initiation agreement presented by ROCA & ASOCIADOS and the accompanying documentation.

That same day, the body in charge of the procedure requested ROCA & ASOCIADOS to present the following:

- The information provided to the claimant regarding the publication of his photo on the website.
- The information referred to in article 13 of the GDPR provided to the employees whose photo was to be published.
- The record of the processing activities of ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P., and, in particular, those relating to the processing of the image of its employees.

The notification of the agreement, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), on March 16, 2023, as stated in the certificate in the file, is considered to have been carried out in accordance with the provisions of article 41.5 of the LPACAP. The notification was reiterated by the same means on May 31, 2024, and the agreement was collected on June 3, 2024, as stated in the acknowledgment of receipt in the file.

Currently, the AEPD has no record that ROCA & ASOCIADOS submitted a written response to the agreement on the taking of evidence adopted by this Agency.

EIGHTH: On July 31, 2024, the body in charge of the procedure formulated a resolution proposal, in which it proposes that the Director of the AEPD sanction ROCA & ASOCIADOS, with NIF B6694519, for an infringement of article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, with a fine of €5,000 (five thousand euros).

This resolution proposal, which was notified by electronic means in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was not collected by ROCA & ASOCIADOS within the period during which it was made available, and was deemed rejected on August 11, 2024 in accordance with the provisions of art. 43.2 of the LPACAP, as stated in the certificate in the file.

NINTH: Once the aforementioned resolution proposal had been notified in accordance with the rules established in the LPACAP and the period granted for the formulation of allegations had elapsed, it was verified that no allegation had been received from ROCA & ASOCIADOS.

From the actions carried out in the present procedure and from the documentation in the file, the following have been proven:

PROVEN FACTS

FIRST: On March 28, 2023, a message was sent from the email ***EMAIL.1 to the corporate email of the claimant with the following content:

"Tomorrow we will take photos of the new ones who want it

Take a look at https://roca.legal/team.html to see the style we use and choose the one that best suits you

Regards
See you tomorrow!"

SECOND: On April 27 and 28, 2023, messages were sent from the email ***EMAIL.1 to the corporate email of the complaining party, with the subject "Photos on the website updated", informing them that they could review the photographs on the ROCA & ASOCIADOS website, in Spanish, Catalan and English.

THIRD: In the screenshot of the ROCA & ASOCIADOS website, dated September 11, 2023, provided by the complaining party along with the complaint, the publication of a photograph with the image of the complaining party can be observed, in the caption of which their name and first surname appear.

FOURTH: On March 5, 2024, the body in charge of the procedure agreed to open a period of evidence, in which this Agency required ROCA & ASOCIADOS to submit the following:

- The information provided to the complainant regarding the publication of his/her photo on the website.
- The information referred to in article 13 of the GDPR provided to the employees whose photo was to be published.
- The record of the processing activities of ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P., and, specifically, the information related to the processing of the image of its employees.

The aforementioned agreement was not collected by ROCA & ASOCIADOS within the period during which it was made available, and was deemed rejected on March 16, 2023 in accordance with the provisions of art. 43.2 of the LPACAP, as stated in the certificate in the file, so the notification was validly carried out by electronic means and the procedure is considered to have been carried out in accordance with the provisions of article 41.5 of the LPACAP.

The notification was repeated by the same means on May 31, 2024, and was collected on June 3, 2024, as stated in the acknowledgment of receipt in the file. At present, the AEPD has no record that ROCA & ASOCIADOS has submitted a written response to the agreement on the taking of evidence.

LEGAL BASIS

I

Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."

II
Preliminary questions

Article 4 "Definitions" of the GDPR defines the following terms for the purposes of the Regulation:

"1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

7) 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;"

In the present case, in accordance with Article 4.1 and 4.2 of the GDPR, processing of personal data is carried out every time ROCA & ASOCIADOS publishes on its website "https://roca.legal/team.html" the following personal data of natural persons: image, name, first surname and profession of its employees, among other processing operations.

The physical image of a person is personal data, therefore, its inclusion in
publications that identify or make a person identifiable, implies a treatment of
personal data.

ROCA & ASOCIADOS carries out this activity in its capacity as data controller, since it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR.

III
Reply to the allegations made against the initiation agreement

The allegations made by ROCA & ASOCIADOS against the initiation agreement can be summarised as follows: the complainant gave his consent to the publication of his photo on the ROCA & ASOCIADOS website, having posed for the photo to be taken and having provided his CV details for inclusion in the firm's profile, after receiving a communication from the company's IT specialist by email stating "Tomorrow we will take photos of the new ones who wish to do so", and without having expressed his opposition to the publication after being informed in two emails that the photos were available for review.

Furthermore, the complainant previously published on his LinkedIn profile the same data that were on the ROCA & ASOCIADOS website.

In light of these arguments, it should be noted that the GDPR regulates the different legitimate bases for the processing of personal data in its article 6.1, and on this issue of the lawfulness of the processing, Recital 40 of the aforementioned GDPR also has an impact, when it states that “For the processing to be lawful, personal data must be processed with the consent of the data subject or on some other legitimate basis established in accordance with law, whether in this Regulation or by virtue of another law of the Union or of the Member States to which this Regulation refers, including the need to comply with the legal obligation applicable to the controller or the need to execute a contract with which the data subject is a party or in order to take measures at the request of the data subject prior to the conclusion of a contract.”

According to the statement made by ROCA & ASOCIADOS, the processing of data subject to the procedure has been based on the consent of the complaining party and in this respect, it is necessary that the consent be linked to the specific purposes of the processing of their data. Regarding the definition of consent, article 4.11 of the GDPR represents a paradigm shift with respect to the scheme in force prior to the aforementioned regulation, since it makes the so-called "presumed consent" disappear from legal reality. Thus, this definition indicates that the consent of the interested party is considered to be that "manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns them."

Regarding the form of consent, according to Recital 32: "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided."

And, further elaborating on this need for a clear and unequivocal statement, Recital 42 states that: "Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC [of 5 April 1993 on unfair terms in consumer contracts], a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms.

For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

Likewise, article 7 of the GDPR lists the conditions that must be met for consent to be granted and, in our legal system, the LOPDGDD states the following in its article 6, entitled "Processing based on the consent of the affected party":

"1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected party is understood to be any manifestation of free, specific, informed and unequivocal will by which the affected party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns him/her.

2. When the processing of data is intended to be based on the consent of the data subject for a plurality of purposes, it must be stated in a specific and unequivocal manner that said consent is given for all of them.

3. The execution of the contract may not be made subject to the consent of the data subject to the processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship."

Therefore, in accordance with the provisions of article 6.1 of the GDPR, read together with Recitals 32 and 42, when the processing is based on the consent of the citizen, for said consent to be considered valid it must be informed, refer specifically to specific purposes, be freely given and be unequivocal. On this issue, Guidelines 5/2020, adopted by the European Data Protection Board, offer mechanisms to help interpret these criteria and ensure compliance by data controllers.

With regard to the need for informed consent, reference must be made to Article 13 of the GDPR, which determines the information that must be provided when data is obtained from the data subject. To this end, Article 11 of the LOPDGDD articulates the way in which the information in Article 13 of the GDPR is provided, establishing what basic information must, at least, be provided directly, without prejudice to the proper indication of the means or place where the complete information that must be provided under the aforementioned Article 13 of the GDPR can be accessed. The elements that make up the information to be provided when consent is established as the legitimate basis for processing must include: the identity of the controller, the purpose or purposes of the processing, what type of data is collected, the existence of the right to withdraw consent, information on whether the data will be subject to automated decisions, and the possible risks in the event that an international transfer of data is planned in the absence of an adequacy decision and the corresponding safeguards.

Freely given consent means that the interested party must have a real choice not to grant it. Consequently, consent cannot be considered to have been freely given when the subject cannot refuse to grant it without suffering some type of negative consequence, which must be proven by the controller. Finally, regarding unambiguity, this requirement is manifested in that the interested party unquestionably accepts the processing of his/her data through a deliberately affirmative action, prior to the beginning of the processing of the data.

The GDPR does not prescribe a specific way of recording the consent given and, therefore, it will be up to the controller to determine that, in line with the principle of proactive responsibility established by article 4.2 of the GDPR, in such a way that it can prove that the interested party has validly given the aforementioned consent, that is, that it is informed, free, specific and given unequivocally.

In relation to the above and in accordance with the proven facts set out in the present procedure, ROCA & ASOCIADOS carries out data processing consisting of taking a photograph of the complainant for its subsequent dissemination through the company's website, based on consent, which is not in accordance with data protection regulations for the following reasons.

Thus, in those cases in which the photographs taken affect identifiable persons who have not freely, specifically, informedly and unequivocally expressed their will at the time when these photographs are being taken, the consent obtained cannot be considered valid since:

1. It is not possible to prove that the complainant was duly informed. Despite the documentation requested from ROCA & ASOCIADOS during the evidence period, no document has been provided regarding the information given to the complainant on the use of his/her image once the photograph was taken, for each and every purpose (in this case, the capture of the image and its subsequent dissemination through the ROCA & ASOCIADOS website).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/15

2. It cannot be considered that the complainant has undoubtedly consented to the taking of a photograph of his/her physical image in response to an email in which the only notice is that "we will take photos of the new ones who wish to do so." As indicated previously, presumed consent is no longer valid within the framework of the data protection regulations arising from the approval of the GDPR, and consent must be express. Similarly, the fact that the complainant had published this photograph with his image on his LinkedIn profile does not imply express consent for it to be published by the company. It should also be noted that this circumstance has not been proven by the respondent.

3. It is important to note that, in these cases, all the requirements mentioned above as necessary for the provision of valid consent must be met, which implies that the consent must also be informed and express, that it must be free, and that the controller must be in a position to prove that these aspects have been met in all cases.

Taking into account the above, the allegations of ROCA & ASOCIADOS cannot be accepted, since they are based on the presumed consent of the complainant in response to the email announcing the taking of the photographs ("for those who wish to do so"). The framework that the GDPR configures for the processing of personal data whose legitimising basis is the consent of the interested parties requires a clear affirmative action in the provision of said consent, which must comply with each and every one of the conditions referred to above, thus eliminating so-called tacit or presumed consent. Therefore, in order to comply with data protection regulations, when the legitimising basis of the processing is the consent of the interested party, the provision of information relating to the processing is a necessary condition for the valid provision of consent.

For all the reasons stated above, the allegations made to the initiation agreement are rejected.

IV

Lawfulness of processing

Article 6.1 of the GDPR establishes the conditions under which the processing of personal data is considered lawful:

"1. Processing shall be lawful only if and to the extent that at least one of the following applies:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

2…"

Also, Recital 40 of the aforementioned GDPR provides that "In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."

Furthermore, Article 4 of the GDPR, Definitions, in its section 11, states that:

"1) (…)

11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

In relation to the facts claimed, the file (pages 14 to 17) contains a printout dated September 1, 2023 of the website "https://roca.legal/team.html" belonging to ROCA & ASOCIADOS, on which the personal data of the complaining party are published, specifically a photograph with his image, name, first surname and profession, without there being evidence that the prior consent of the interested party was obtained or that any of the other conditions that determine the lawfulness of the processing are met. For all these reasons, it is considered that there is evidence that the processing of data by ROCA & ASOCIADOS constitutes a violation of article 6.1 of the GDPR.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/15

V
Classification and qualification of the infringement

In accordance with the evidence available at the time of resolution of the sanctioning procedure, it is considered that ROCA & ASOCIADOS has committed a violation of article 6.1 of the GDPR, as none of the conditions established in said article that would legitimise the publication on its website of the personal data of the complaining party are met.

The known facts constitute an infringement, attributable to ROCA & ASOCIADOS, as defined in Article 83.5 of the GDPR, which stipulates the following:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9; (...)."

For the purposes of the limitation period for infringements, the imputed infringement is subject to a three-year statute of limitations, in accordance with article 72 of the LOPDGDD, which classifies the following conduct as very serious:

"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein are considered very serious and shall be subject to a three-year statute of limitations, and in particular the following:

(…)
b) The processing of personal data without any of the conditions for the lawfulness of the processing established in article 6 of Regulation (EU) 2016/679 being met.
(…)"

VI
Penalty for infringement of article 6.1 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the resolution of the sanctioning procedure, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR, which states:

“2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/15

a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentionality or negligence of the infringement;

c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

d) the degree of responsibility of the controller or processor,
taking into account any technical or organisational measures they have implemented pursuant
to Articles 25 and 32;

e) any previous infringement committed by the controller or processor;

(f) the degree of cooperation with the supervisory authority in order to remedy the
breach and mitigate any adverse effects of the breach;

(g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the breach, in
particular whether and, if so, to what extent the controller or processor notified the
breach;

(i) where measures referred to in Article 58(2) have been previously ordered
against the controller or processor concerned in relation to the same matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification
mechanisms approved pursuant to Article 42;

(k) any other aggravating or mitigating factors applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the breach.”

In relation to letter k) of article 83.2 of the GDPR, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides:

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the grading criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continued nature of the infringement.


b) The link between the offender's activity and the processing of personal
data.

c) The benefits obtained as a consequence of the commission of the infringement.

d) The possibility that the conduct of the affected party could have induced the commission of the infringement.

e) The existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party.”

As a circumstance of article 76.2 of the LOPDGDD, understood in this case as an
aggravating factor:

- The link between the offender's activity and the processing of personal data (section b): ROCA & ASOCIADOS, in the course of its professional activity, needs to regularly process personal data, both of clients and of employees, which means that it has sufficient experience and should have adequate knowledge for the processing of said data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 6.1 of the GDPR, allows for the imposition of a fine of €5,000 (five thousand euros).

VII
Imposition of measures

In accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”, it is agreed to impose on ROCA & ASOCIADOS the adoption of the following measure, which must be accredited to this Agency within 3 months:

- Prevent the publication of personal data on the ROCA & ASOCIADOS website without complying with the provisions of article 6.1 of the GDPR.


The imposition of this measure is compatible with the sanction consisting of an administrative
fine, as provided for in art. 83.2 of the GDPR.

Please note that failure to comply with the possible order to adopt measures imposed by
this body in the sanctioning resolution may be considered as an
administrative infringement in accordance with the provisions of the GDPR, classified as an
infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a
subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduating sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE ON ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P., with NIF B66945197, for an infringement of Article 6.1 of the GDPR, classified in Article 83.5 of the GDPR, a fine of €5,000 (five thousand euros).

SECOND: TO ORDER ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P., with NIF B66945197, pursuant to article 58.2.d) of the GDPR, to prove, within a period of 3 months from the date this resolution becomes final and enforceable, that it has complied with the measures to prevent personal data from being published on the ROCA & ASOCIADOS website without complying with the provisions of article 6.1 of the GDPR.

THIRD: TO NOTIFY this resolution to ROCA & ASOCIADOS ABOGADOS Y ECONOMISTAS, S.L.P.

FOURTH: This resolution will be enforceable once the deadline for filing the optional appeal for reconsideration ends (one month from the day following the notification of this resolution) without the interested party having made use of this option.

The sanctioned party is warned that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability falls between the 1st and 15th of the month, both inclusive, the deadline for making the voluntary payment will be the 20th of the following month or the next business day thereafter, and if it falls between the 16th and the last day of the month, both inclusive, the deadline for payment will be the 5th of the second following month or the next business day thereafter.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may, at their discretion, lodge an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution or directly lodge an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended by administrative means if the interested party expresses its intention to lodge an administrative appeal.

If this is the case, the interested party must formally communicate this fact by means of a written letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also send to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the provisional suspension.

938-16012024
Mar España Martí
Director of the Spanish Data Protection Agency
