AEPD (Spain) - EXP202100764

From GDPRhub
AEPD - PS/00428/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 83(4) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 26.07.2021
Decided: 25.08.2023
Published: 25.08.2023
Fine: 1,500 EUR
Parties: n/a
National Case Number/Name: PS/00428/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined a Community €1,500 for unduly exposure of personal data to third parties that appeared in a judgement that was placed on a public bulletin board, in violation of Article 5(1)(f) and Article 32 GDPR.

English Summary

Facts

The data subject claims that the Community/condominium, to which he belongs, has posted on a bulletin board, located in a common area (at the entrance of the doorway next to the elevator), a judgement in which his personal data (name, address and information about the judicial process) appears.

Exposure of the document allegedly took place since May 17, 2021 without, at the date of the complaint (July 26, 2021) having being deleted or anonymized despite the clear warning on the document itself for non-dissemination to non-interested parties without prior dissociation of personal data: "it will be contrary to the Law to disseminate non-anonymized Judicial documents that have not been anonymized".

Additionally, on November 24, 2017 the data subject had already filed a complaint against the Community before the AEPD for facts of identical nature. This was processed under procedure A/00001/2018 with a warning result (R/00601/2018) for infringement and a requirement to remove the information improperly exposed.

The Community alleged that on October 13, 2021 it proceeded with the withdrawal of the document exhibited on the notice board.

Holding

The Spanish DPA considered that even though the Community is authorized to display personal data in some cases for the management of the community, the notice board must not be placed in a public area of transit easily accessible by any person.

The AEPD highlighted that the data subject had a previous complaint against the Community under proceeding A/00001/2018, concluded with a warning to the Community and an order to remove the (other) document displayed.

AEPD concluded that, based on the evidence, it occurred a personal data security breach, categorized as a breach of confidentiality as the data subject’s personal data was improperly exposed by the Community to third parties, as they appeared in an Decree of Execution of Judicial Titles. Specifically, the information was displayed on a bulletin board in plain view of any person who accesses the building and not only the neighbors.

For this reason, the Community was fined €1,500 for unduly exposure of personal data to third parties on a public bulletin board, in violation of Article 5(1)(f) and Article 32 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/11










     File No.: EXP202100764



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following



                                   BACKGROUND

FIRST: Dated July 26, 2021 A.A.A. (hereinafter, the complaining party)

On July 26, 2021, he filed a claim with the Spanish Agency for
Data Protection. The claim is directed against COMMUNITY OWNERS
B.B.B. with NIF ***NIF.1 (hereinafter, the Community). The reasons on which the
claim are the following:

Claims that the Community, to which the claimant belongs, displays on the bulletin board

Locked advertisements, located in a common area, at the entrance to the portal next to
of the elevator, a Decree of Execution of Judicial Titles in which the data
personal details of the claimant (name and surname).

It also informs that the Community was subject to a procedure of

warning for the same reason in 2018.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the Community, so that

proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Administrations

Public (hereinafter, LPACAP) through electronic notification, was not collected by
the person responsible, within the period of making available, being understood as rejected
in accordance with the provisions of art. 43.2 of the LPACAP on August 10, 2021,
as stated in the certificate in the file.


Although the notification was validly carried out by electronic means, it was deemed
the procedure has been carried out in accordance with the provisions of article 41.5 of the LPACAP, as
Informational copy was sent by post. In said notification, he was reminded
your obligation to relate electronically with the Administration, and you will be
They reported the means of access to said notifications, reiterating that, as far as

Subsequently, you would be notified exclusively by electronic means. Said notification
postcard was returned for not being picked up at the Post Office on September 13,
2021, after two attempts to notify the home on different days and times.
Reiterating the transfer by the same means, it is notified on October 11, 2021.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/11









No response has been received to this transfer letter.


THIRD: On December 2, 2021, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the

article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:


Facts according to statements by the complaining party:

The claimed community, to which the claimant belongs, has posted on the board
of advertisements located in a common area (at the entrance of the portal next to the elevator)
a Decree of Execution of Judicial Titles in which the name and the
surnames of the claimant. The exhibition would have occurred “at least” from the

on May 17, 2021 without, according to the claimant, on the date of the claim (26
July 2021) has been deleted or anonymized “despite the clear warning
which appears in the document itself: “the dissemination of
“Non-anonymized judicial documents.”


It states that on November 24, 2017, it already submitted a claim
against the Community before the AEPD for acts of the same nature. This was
processed under procedure A/00001/2018 with the result of a warning
(R/00601/2018) for infringement (article 44.3.d of organic law 15/1999) and
requirement for removal of improperly exposed information.


The claimant adds that the Community's actions cause her harm because,
on the one hand, it informs non-interested third parties about your place of residence, and on the other hand
links him to a judicial procedure whose publicity is unjustified, putting into
risk your personal data. Likewise, it indicates that it is not clear what the purpose is
of such publication of your personal data.


Relevant documentation provided by the complaining party:

    - Copy of the decree of execution of judicial titles of May 12, 2021 in
       which includes the claimant (name and surname) and the Community as

       interveners. The side of the decree contains a text warning of non-dissemination to
       non-interested parties without prior dissociation of personal data. Besides,
       The operative part includes the text: “Approve in XX.XXX.XX euros the cost of the
       do what this execution refers to.”


    - Photographs of the portal in which the decree outlined in the paragraph is displayed
       previous hanging on the bulletin board located between the staircase and the
       elevator.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/11








    - Copy of resolution R/00601/2018 of procedure A/00001/2018.

Date on which the claimed events took place: May 17, 2021

The background information contained in the information systems is as follows:


    - A prior claim appears in the AEPD information system.
       filed by the claimant against the Community (registration number
       370647/2017) managed within the framework of procedure A/00001/2018. This
       procedure concluded with the warning of the Community together with the
       request to remove the document displayed on the notice board

       object of controversy (R/00601/2018, incorporated herein
       performances).

In addition, information is collected from the following sources:


    - Writing from the Community registered upon entry into the AEPD on the day
       February 22, 2022 with number O00007128e2200008332 (hereinafter
       Writing #1).

    - Guide “Data Protection and Property Administration” of the AEPD downloaded
       from your website.


The Community states in Document #1 that on October 13, 2021 it proceeded to
removal of the document displayed on the notice board that is the subject of the claim. In
attention to the withdrawal requests the archiving of the proceedings or, alternatively, a
warning sanction. Attach a photograph of a bulletin board to the letter.
empty.


The “Data Protection and Property Administration” guide of the AEPD includes in the
eighth section the following text:

“Can personal data be published on the notice board of the
Community of owners?


The cases in which the exposure of personal data is authorized
related to matters derived from community management are specified in the
article 9.h) of the LPH.

The notice board should not be placed in an easily accessible transit location.

by anyone.”

FIFTH: On October 21, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,
for the alleged violation of Article 5.1.f) of the RGPD and Article 32 of the RGPD,

typified in Article 83.4 of the RGPD and Article 83.5 of the RGPD.

The initiation agreement was notified electronically to the Community. This is what the
article 14.2 of Law 39/2015 on Common Administrative Procedure of the
Public Administrations (LPACAP) according to which “In any case they will be

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/11








obliged to interact through electronic means with the Administrations
Public for carrying out any procedure of an administrative procedure, to the
at least, the following subjects: a) Legal entities.”


Work in the file Certificate issued by the Electronic Notification Service
and the Enabled Electronic Address of the FNMT-RCM, which records the sending
of the initiation agreement, notification from the AEPD addressed to the Community, through that
medium being the date of making available in the electronic headquarters of the organization the
October 21, 2022 and the automatic rejection date on November 11, 2022.


Article 43.2. of the LPACAP establishes that when notification by means
electronic devices is mandatory - as is the case in the present case - “it is
will be deemed rejected when ten calendar days have elapsed since the date of publication.
provision of the notification without accessing its content.” (The emphasis is from the

AEPD).

Add that articles 41.5 and 41.1, third paragraph, of the LPACAP establish,
respectively, that:

       When the interested party or his representative rejects the notification of a

administrative action, it will be recorded in the file specifying the
circumstances of the attempted notification and the means, considering the procedure completed and
following the procedure. (The emphasis is from the AEPD)

       Regardless of the medium used, notifications will be valid

provided that they allow us to have evidence of its shipment or making available, of the
receipt or access by the interested party or his representative, of its dates and times, of the
complete content, and the reliable identity of the sender and recipient of the
same. The accreditation of the notification made will be incorporated into the file.


Likewise, and in addition to the electronic notification, a copy was sent
by postal mail. Said postal notification was returned because it was not picked up at the office.
of the Post Office on November 8, 2022, after two attempts to notify the address
on different days and times, as stated in the Certificate issued by Correos and
that is in the file.


SIXTH: Article 73.1 of the LPCAP determines that the deadline to formulate
allegations to the Startup Agreement is ten days computed from the day following the
of the notification.

Article 64.2.f) LPACAP - provision of which the claimed party was informed in the

agreement to open the procedure - establishes that in case of not carrying out
allegations within the stipulated period regarding the content of this initiation agreement
may be considered a proposal for a resolution when it contains a statement
precise about the imputed responsibility. (The emphasis is from the AEPD). In it
In this case, the agreement to initiate the sanctioning file determined the

facts in which the imputation materialized, the violation of the RGPD attributed to the
claimed and the sanction that could be imposed. Therefore, taking into consideration that
the claimed party has not made allegations to the agreement to initiate the file and


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/11








In accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned agreement
initiation is considered in the present case as a proposed resolution.


In view of everything that has been done, by the Spanish Data Protection Agency
In this procedure, the following are considered proven facts:


                                PROVEN FACTS

FIRST: The Community has displayed on the bulletin board located in an area

common and transit easily accessible by anyone (at the entrance of the portal
next to the elevator) a Decree of Execution of Judicial Titles in which the
personal data of the claimant (name and surname and information about a process
judicial) and the Community as interveners. At least it has been published since the 17th
from May 2021 until October 13, 2021, date on which the Community

He claims to have removed it.

On the side of the Decree appears a text warning of non-dissemination to non-parties.
interested parties without prior dissociation of personal data. Furthermore, the part
The device includes the text: “Approve in XX.XXX.XX euros the cost of making the
refers to the present execution.”



SECOND: A prior claim is recorded in the AEPD information system
by the claimant against the Community managed within the framework of the procedure
A/00001/2018. This procedure concluded with a resolution warning the

Community together with the requirement to withdraw the document displayed on the bulletin board
advertisements subject to controversy (R/00601/2018).


                           FOUNDATIONS OF LAW


                                            Yo
                                     Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures."

                                           II
                                  Previous issues
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/11









In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is
the processing of personal data, since the Community

carries out, among other treatments, the collection, registration, organization, conservation,
modification, consultation, use, deletion of the following personal data of
natural persons, such as: name, surname, address, identification number,
telephone number etc.

The Community carries out this activity in its capacity as data controller,

given that he is the one who determines the ends and means of such activity, by virtue of article
4.7 of the GDPR.

Article 4 section 12 of the GDPR broadly defines “violations of
security of personal data” (hereinafter security breach) as “all

those security violations that cause the destruction, loss or alteration
accidental or unlawful personal data transmitted, preserved or otherwise processed
form, or unauthorized communication or access to said data.”

In the present case, there is a personal data security breach in the
circumstances indicated above, categorized as a breach of confidentiality when

personal data of the claimant having been displayed on a bulletin board in a
common area, specifically in the access portal of the property of the Community of
Owners, between the stairs and the elevator, therefore in sight of any
person who accesses it and not only the neighbors.


It should be noted that the identification of a security breach does not imply the
imposition of a sanction directly by this Agency, since it is necessary
analyze the diligence of those responsible and in charge and the security measures
applied.


Within the treatment principles provided for in article 5 of the RGPD, the
integrity and confidentiality of personal data is guaranteed in section 1.f)
of article 5 of the GDPR. For its part, the security of personal data comes
regulated in articles 32, 33 and 34 of the RGPD, which regulate the security of the
processing, notification of a breach of personal data security to
the control authority, as well as the communication to the interested party, respectively.


                                           III
                                Article 5.1.f) of the GDPR

Article 5.1.f) “Principles relating to processing” of the GDPR establishes:


"1. The personal data will be:
(…)

       f) treated in such a way as to ensure adequate safety of the

       personal data, including protection against unauthorized processing or
       unlawful and against its loss, destruction or accidental damage, through the application
       of appropriate technical or organizational measures ("integrity and
       confidentiality»).”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/11









In the present case, it is clear that the personal data of the claimant (name,
surnames and information about a judicial process), were improperly exposed

by the Community to third parties, since they appeared in a Decree of Execution of
Judicial Titles that was placed by said Community on a bulletin board,
locked, located at the entrance to the property (between the stairs and the
elevator), a place where any person can pass, whether or not they are the owner of the
property being, therefore, an area of public access, which constitutes an access
not authorized to said data. This document was exposed from the 17th of

May 2021 until October 13, 2021.

Article 9.h) of the Horizontal Property Law indicates as the owner's obligation the
of “Communicate to whoever exercises the functions of Secretary of the community, for
any means that allows proof of receipt, address in Spain

for the purposes of summonses and notifications of all kinds related to the community.
In the absence of this communication, the address will be considered for summonses and
notifications to the apartment or premises belonging to the community, taking full effect
legal those delivered to the occupant thereof.

       If a summons or notification to the owner is attempted, it is impossible to carry it out

in the place provided for in the previous paragraph, it will be understood to be carried out by means of the
placement of the corresponding communication on the bulletin board of the
community, or in a visible place of general use enabled for this purpose, with diligence
expressive of the date and reasons why this form of notification is carried out,
signed by whoever exercises the functions of Secretary of the community, with the approval

good of the President. The notification carried out in this way will produce full
legal effects within a period of three calendar days.”

In the present case, the presentation of the claimant's data on the board of the
community does not comply with the assumptions set forth in the Horizontal Property Law.


In accordance with the evidence available, it is considered that the
known facts constitute an infringement, attributable to the Community, for
violation of article 5.1.f) of the RGPD.

                                          IV

                Classification of the violation of article 5.1.f) of the RGPD

The violation of article 5.1.f) of the RGPD implies the commission of the violations
typified in article 83.5 of the RGPD that under the heading “General conditions
for the imposition of administrative fines” provides:


“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for

the largest amount:

       a) the basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9; (…)”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/11









In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,

5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”

For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:


       a) The processing of personal data violating the principles and guarantees
       established in article 5 of Regulation (EU) 2016/679. (…)”

                                           V
                 Penalty for violation of article 5.1.f) of the RGPD


The balance of the circumstances contemplated in article 83.2 of the RGPD and the
article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the
established in article 5.1.f) of the RGPD, allows setting a penalty of €1,000 (one thousand
euros).


                                           SAW
                                 Article 32 of the GDPR

Article 32 “Security of processing” of the GDPR establishes:


"1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:

       a) pseudonymization and encryption of personal data;
       b) the ability to guarantee the confidentiality, integrity, availability and
       permanent resilience of treatment systems and services;
       c) the ability to restore availability and access to data
       personnel quickly in the event of a physical or technical incident;

       d) a process of regular verification, evaluation and assessment of effectiveness
       of the technical and organizational measures to guarantee the security of the
       treatment.

2. When evaluating the adequacy of the security level, particular consideration will be given to

takes into account the risks presented by data processing, in particular as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/11









3. Adherence to a code of conduct approved pursuant to Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element

to demonstrate compliance with the requirements established in section 1 of the
present article.

4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and
has access to personal data can only process said data following

instructions of the person responsible, unless it is obliged to do so by virtue of the Law of
the Union or the Member States.

In the present case, at the time of the breach, it cannot be said that the
claimed had the appropriate measures to avoid the incident, since

posted the complainant's personal details on a notice board in an area
easily accessible by anyone (at the access portal, between the stairs
and the elevator) of the Community property, having also been warned by
this Agency in a previous procedure for similar facts, which puts into question
evidence that it has not adopted adequate technical and organizational measures to avoid
again security incidents like the one that happened.


In accordance with the evidence available, it is considered that the
known facts constitute an infringement, attributable to the Community, for
violation of article 32 of the RGPD.


                                           VII
                 Classification of the violation of article 32 of the RGPD

The aforementioned violation of article 32 of the RGPD implies the commission of the violations
typified in article 83.4 of the RGPD that under the heading “General conditions

for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for

the largest amount:

       a) the obligations of the controller and the processor pursuant to Articles 8,
       11, 25 to 39, 42 and 43; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”


For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/11








“Based on what is established in article 83.4 of Regulation (EU) 2016/679,
are considered serious and will prescribe after two years the infractions that involve a
substantial violation of the articles mentioned therein and, in particular, the

following:
(…)
       f) The lack of adoption of those technical and organizational measures that
       are appropriate to guarantee a level of security appropriate to the risk
       of the treatment, in the terms required by article 32.1 of the Regulation
       (EU) 2016/679.


                                          VIII
                  Penalty for violation of article 32 of the GDPR

The balance of the circumstances contemplated in article 83.2 of the RGPD and the

article 76.2 of the LOPDGDD, with respect to the infraction committed by violating the
established in article 32 of the RGPD, allows a fine of €500 (five hundred
euros).

Therefore, in accordance with the applicable legislation and evaluated the criteria of
graduation of the sanctions whose existence has been proven, the Director of the

Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE COMMUNITY OWNERS B.B.B., with NIF ***NIF.1, for
a violation of Article 5.1.f) of the GDPR, typified in Article 83.5 of the GDPR,
a fine of ONE THOUSAND EUROS (1,000 euros).


SECOND: IMPOSE COMMUNITY OWNERS B.B.B., with NIF ***NIF.1, for
a violation of Article 32 of the GDPR, typified in Article 83.4 of the GDPR, a
fine of FIVE HUNDRED EUROS (500 euros)


THIRD: NOTIFY this resolution to the COMMUNITY OWNERS
B.B.B.

FOURTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account

restricted IBAN number: ES00-0000-0000-0000-0000-0000 open in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A. in case
Otherwise, it will be collected during the executive period.

Once the notification is received and once enforceable, if the enforceable date is

between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/11









In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal

administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


                                                                                938-010623

Sea Spain Martí
Director of the Spanish Data Protection Agency






















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es