AEPD (Spain) - PS/00405/2019
From GDPRhub
AEPD - PS/00268/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Decided: | 06.11.2019 |
Published: | n/a |
Fine: | 900 EUR |
Parties: | Todotecnicos24h S.L |
National Case Number: | PS/00268/2019 |
European Case Law Identifier | n/a |
Appeal: | n/a |
Original Language: | Spanish |
Original Source: | AEPD (in ES) |
The AEPD imposed a fine of € 900 to Todotecnicos24h S.L for violation of Article 13 GDPR.
English Summary
Facts
The Consumer Institute of Madrid brought a complaint before the AEPD because Todotecnicos24h S.L's privacy policy was not specific enough and did not comply with Article 13 GDPR.
Dispute
Does the lack of precision enough to infrige Article 13 GDPR?
Holding
The AEPD found that the information related to data collection in the privacy policy were insufficiently precise and that is violated Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the Spanish original for more details.
936-150719 Product No.: PS/00268/2019 RESOLUTION R/00578/2019 ON THE TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT In the sanctioning procedure PS/00268/2019, instructed by the Spanish Agency of Data Protection to TODOTECNICOS24H S.L., having regard to the complaint presented by INSTITUTO MUNICIPAL DE CONSUMO DE MADRID, and based on the following BACKGROUND FIRST: On 23 October 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against TODOTECNICOS24H S.L. (hereinafter, the claimed), by means of the Agreement which is transcribed: << Product No.: PS/00268/2019 AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Data Protection Agency and based on the following FACTS FIRST: MADRID MUNICIPAL CONSUMPTION INSTITUTE (hereinafter referred to as On January 22, 2019, he filed a complaint with the Spanish Data Protection Agency against TODOTECNICOS24H S.L. with NIF B86558533 (hereinafter, the claimed). The reasons on which the claim is based are the collection of personal data by the claimed party, without providing the precise information to the interested parties in accordance with the current regulations on personal data protection. SECOND: It is verified that in the "Privacy Policy" of the mentioned website, it is indicated: - That the claimed party "operates the website hosted under the domain name www.todotecnicos24h.com/". - That this policy states that "TODOTECNICOS24H S.L. as responsible for this website and in accordance with the provisions of current legislation on the Protection of Personal Data, the new European Regulation 679/2016 and the Law on Information Society and Electronic Commerce (LSSI-CE 34/2002 of June 11) has implemented policies, means and procedures to ensure and protect the privacy of personal data of its users. You can exercise your rights of access, rectification, suppression and portability of your data, of limitation and opposition to their treatment, as well as not to be subject to decisions based solely on the automated processing of your data, when appropriate, before the company TODOTECNICOS24H S.L. C/Embajadores 190 local, 28045 - Madrid or at the e-mail address todotecnicos24h@gmail.com". SECOND: In view of the facts denounced in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been claimed. Likewise, the following points are noted: This complaint was brought to the attention of the complainant on 27 May 2019, requesting that he send this Agency, within a period of one month, information on the response given to the complainant regarding the facts complained of, as well as the reasons for the incident and the measures adopted to adapt his "Privacy Policy" to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RGPD). After the given deadline, no response has been obtained from the respondent. LEGAL GROUNDS I By virtue of the powers conferred on each supervisory authority by Article 58(2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), and as set out in Articles 47, 642 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure. Article 63(2) of the LOPDGDD states that: 'The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this Organic Law, by the regulatory provisions issued in its implementation and, insofar as they do not contradict them, in the alternative, by the general rules on administrative procedures'. II Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter referred to as GDPR), under the heading "Definitions", provides that "For the purposes of this Regulation personal data' means any information relating to an identified or identifiable natural person ('the data subject'); an identifiable natural person is one who whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; processing' means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction Therefore, in accordance with these definitions, the collection of personal data through forms included on a website constitutes data processing, for which the data controller must comply with the provisions of Article 13 of the RGPD, a provision that has been moved from 25 May 2018 to Article 5 of Organic Law 15/1999 of 13 December on the Protection of Personal Data. In relation to this matter, it is noted that the Spanish Data Protection Agency has at the disposal of citizens the Guide for the fulfilment of the duty to inform (https://www.aepd.es/media/guias/guia-modelo- clausula-informativa.pdf) and, in the case of low risk data processing, the free tool Facilita (https://www.aepd.es/herramientas/facilita.html). III Article 13 of the RGPD, which determines the information to be provided to the data subject at the time of collection of the data, provides that "1. Where personal data are obtained from a data subject, the data controller shall, at the time of collection, provide the data subject with all the following information (a) the identity and contact details of the controller and, where appropriate, of his representative (b) the contact details of the Data Protection Officer, if any; (c) the purposes of the processing for which the personal data are intended and the legal basis of the processing; (d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party; (e) the recipients or categories of recipient of the personal data, if any; (f) where appropriate, the controller's intention to transfer personal data to a third country or international organisation and the existence or otherwise of a decision to adequacy of the Commission, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means of obtaining a copy thereof or the fact that they have been provided. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data (a) the period for which the personal data are held or, where this is not possible, the criteria used to determine this period; (b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them corrected, erased or restricted and the right to object to the processing, as well as the right to the portability of the data; (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent prior to withdrawal; (d) the right to lodge a complaint with a supervisory authority; (e) whether the communication of personal data is a legal or contractual requirement, or a requirement for entering into a contract, and whether the data subject is under an obligation to supply the personal data and is informed of the possible consequences of not supplying such data; (f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved and the significance and the expected impact of the processing on the data subject. 3. Where the controller plans to further process personal data for a purpose other than that for which they were collected, he shall provide the data subject, prior to such further processing, with information on that other purpose and with any relevant additional information within the meaning of paragraph 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply where and insofar as the information is already available to the data subject. Article 11 of the LOPDGDD provides as follows "Where personal data are obtained from the data subject, the controller may fulfil the duty of information laid down in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and by indicating an electronic address or other means that allows the remaining information to be accessed easily and immediately. 2. The basic information referred to in the previous paragraph shall contain at least (a) the identity of the controller and of his representative, in his case. b) The purpose of the processing. (c) The possibility of exercising the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679. If the data obtained from the data subject are to be processed for profiling purposes, the basic information will also include this circumstance. In this case, the data subject must be informed of his right to oppose the adoption of automated individual decisions which produce legal effects concerning him or significantly affect him in a similar way, where this right exists in accordance with Article 22 of Regulation (EU) 2016/679. IV By virtue of the provisions of Article 58.2 of the RGPD, the Spanish Data Protection Agency, as the supervisory authority, has a set of corrective powers in the event of a breach of the precepts of the RGPD. Article 58.2 of the RGPD provides the following: "2 Each supervisory authority shall have all the following corrective powers as set out below: (…) (b) sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation (...) "(d) to instruct the controller or processor to ensure that processing operations are carried out in accordance with this Regulation, where appropriate, in a particular manner and within a specified time limit;". "(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case;". Article 83(5)(b) of the GPRS states that "'Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, of not more than 4 % of the total annual turnover in the preceding business year, whichever is the greater (b) the rights of the persons concerned within the meaning of Articles 12 to 22 In turn, Article 74.a) of the LOPDGDD, under the heading "Offences considered minor" provides: "The remaining infringements of a purely formal nature of the articles mentioned in Article 83(4) and (5) of Regulation (EU) 2016/679, and in particular the following, are considered minor and shall be subject to the statute of limitations for one year: (a) Failure to comply with the principle of transparency of information or the right to information of the person concerned by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679. In this case, it is taken into account that the claimant collects personal data from users who fill in the form included on the website https://www.todotecnicos24h.com/ without providing them, prior to collection, all the information on data protection provided for in Article 13 of the aforementioned RGPD. In accordance with the evidence available at the present time in agreement to the initiation of the sanctioning procedure, and without prejudice to what may result from the investigation, the facts set out could constitute, on the part of the defendant, an infringement of the provisions of Article 13 of the RGPD. Likewise, if the existence of an infringement is confirmed, in accordance with the provisions of the aforementioned Article 58.2.d) of the RGPD, the resolution may order the respondent, as the person responsible for the processing, to adapt the information offered to the users whose personal data is collected from them to the requirements set forth in Article 13 of the RGPD, as well as to provide means of proof of compliance with the requirements. V In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which are the provisions that they indicate: "Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive". "Administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j), depending on the circumstances of each individual case. In deciding whether to impose an administrative fine and the amount of the fine in each individual case, due account shall be taken of the circumstances of the case: (a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage they have suffered; (b) whether the infringement was intentional or negligent; (c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32; (e) any previous breach committed by the controller or processor; (f) the degree of cooperation with the supervisory authority with a view to remedying the breach and mitigating the possible adverse effects of the breach; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement; (i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided, directly or indirectly, through the infringement. With regard to article 83.2 (k) of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "In accordance with the provisions of Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account (a) The continuing nature of the infringement. (b) The link between the activity of the offender and the processing of personal data (c) The benefits obtained as a result of the commission of the infringement. (d) the possibility that the conduct of the data subject may have led to the commission of the infringement (e) the existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity (f) The effect on the rights of minors. g) The availability, when it is not compulsory, of a data protection representative. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested party. In accordance with the provisions transcribed above, and without prejudice to the outcome of the proceedings, for the purposes of setting the amount of the fine to be imposed in the present case on the entity claimed to be responsible for an infringement classified in Article 83.5.b) of the RGPD, in an initial assessment, the following mitigating factors are deemed to be present: - The claimed entity has no previous infractions (83.2 e) RGPD). - She has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD). - The Respondent is not considered a large company. The sanction to be imposed on the respondent should be graduated and set at the amount of 1,500 for the infringement of Article 58.2 of the RGPD. Therefore, in view of the above, By the Director of the Spanish Data Protection Agency, AGREED: FIRST: TO START PENALTY PROCEEDINGS against TODOTECNICOS24H S.L. with NIF B86558533, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infringement of article 13 of the RGPD, typified in article 83.5.b) of the RGPD SECOND: To appoint R.R.R. as Instructor and S.S.S. as Secretary, indicating that either of them may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal System of the Public Sector (LRJSP). THIRD: TO INCORPORATE into the sanctioning file, for evidential purposes, the claim filed by the claimant and the documents obtained and generated by the Subdirectorate General of Data Inspection in relation to said claim; all of them are part of the file. FOURTH: THAT for the purposes set forth in article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the sanction that may correspond would be 1,500 Euros (one thousand five hundred Euros), without prejudice to the results of the investigation. FIFTH: TO NOTIFY the present agreement to TODOTECNICOS24H S.L. with NIF B86558533, granting it a period of ten working days to make the allegations and present the evidence it considers appropriate. In your pleading you must provide your NIF and the procedure number in the heading of this document. If within the stipulated period you do not make any allegations to this agreement to initiate, it may be considered a proposal for resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of Article 85 of the LPACAP, if the penalty to be imposed is a fine, it may acknowledge its responsibility within the period granted for the formulation of arguments to the present agreement of initiation; this will be accompanied by a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the penalty would be set at EUR 1 200, and the proceedings would be resolved with the imposition of this penalty. Similarly, at any time prior to the resolution of the present procedure, it may carry out the voluntary payment of the proposed penalty, which will entail a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at EUR 1200 and its payment would imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with that for the recognition of liability, provided that this recognition of liability is evidenced within the time allowed for making representations at the opening of the proceedings. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the decision. In this case, if both reductions are to be applied, the amount of the penalty shall be set at EUR 900. In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above, 1200 or 900 euros, you must make it effective by paying it into account number ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S.A. Bank, indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of the reduction of the amount that you are using. Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid. The procedure shall have a maximum duration of nine months as of the date of the starting agreement or, where appropriate, of the draft starting agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On November 6, 2019, the claimant has proceeded to pay the penalty in the amount of 900 euros making use of the two reductions provided in the Agreement of initiation transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted for making allegations on the opening of the proceedings, implies the waiver of any action or appeal in administrative proceedings against the penalty and the acknowledgement of liability in relation to the facts referred to in the Agreement of Initiation. LEGAL GROUNDS I By virtue of the powers that Article 58.2 of the RGPD grants to each control authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against those Regulations; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84.3 of the GLT, and the infringements defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002 of 11 July on information society services and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article 43.1 of the said Act. II Article 85 of Law 39/2015 of 1 October 1995 on the Common Administrative Procedure for Public Administrations (LPACAP), under the heading 'Termination in penalty proceedings', provides as follows "1. If a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the appropriate sanction. 2. When the penalty is only pecuniary in nature or when it is possible to impose a pecuniary penalty and a non-pecuniary penalty but the latter has been justified, voluntary payment by the alleged offender, at any time prior to the decision, shall entail the termination of the proceedings, except as regards the reinstatement of the altered situation or the determination of compensation for damages caused by the commission of the offence. 3. In both cases, where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20 % to the amount of the penalty proposed, which may be cumulative. Such reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00268/2019, in accordance with the provisions of Article 85 of the LPACAP SECOND: TO NOTIFY the present resolution to TODOTECNICOS24H S.L. In accordance with the provisions of Article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative proceedings as provided by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Act. Mar Spain Martí Director of the Spanish Data Protection Agency