AEPD (Spain) - EXP202102088

From GDPRhub
AEPD - PS-00609-2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 83(5)(b) GDPR
Article 11 LOPDGDD
Type: Investigation
Outcome: Violation Found
Started: 22.07.2021
Decided: 06.07.2022
Published: 06.07.2022
Fine: 3000 EUR
Parties: Private Party (A.A.A)
ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA
National Case Number/Name: PS-00609-2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: Spanish DPA (in ES)
Initial Contributor: Carmen Jurado Taboada

The Spanish DPA fined an amateur football association €3,000 because its website lacked a privacy policy despite the fact that it collected various personal data.

English Summary

Facts

The data subject filed a complaint with the Spanish DPA regarding the website of a football club. The DPA's investigation confirmed that the controller's website required users to fill in forms with personal data but did not have a privacy policy.

Holding

The DPA reiterated that when personal data are collected, there must be accompanying disclosures per Article 13 GDPR, including identifying the means and purposes of processing, the identity and contact details of the controller, and the existence of data subjects' rights under the GDPR.

The DPA considered as mitigating factors that the controller (a) was a small company, (b) had not profited from its violations, and (c) had no prior violations; it therefore assessed a fine of €3,000 and ordered that an appropriate privacy policy be added to the controller's website.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202102088


                RESOLUTION OF SANCTIONING PROCEDURE

In the procedure conducted by the Spanish Agency for Data Protection, and based on the following


                                   BACKGROUND

FIRST: On July 22, 2021, A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency.

The claim is directed against the ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA, with NIF G42688721 (hereinafter, the claimed party).


The reason on which the claim is based is that the website https://unidadherculana.es/ lacks a privacy policy in accordance with the provisions of article 13 of the RGPD, despite the fact that personal data is collected through various forms.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on October 5, 2021, said claim was transferred to the claimed party, so that it could analyze it and inform this Agency, within a period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

No response to this letter has been received.

THIRD: On December 17, 2021, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim presented by the complaining party.


FOURTH: On February 3, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
for the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the
GDPR.


FIFTH: After the period granted for submitting allegations to the agreement to initiate the procedure had elapsed, it has been verified that no allegation has been received from the claimed party.

Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), a provision of which the claimed party was informed in the agreement to open the proceeding, establishes that if allegations are not made within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning proceedings determined the facts in which the imputation was specified, the infraction of the RGPD attributed to the claimed party and the sanction that could be imposed. Therefore, taking into account that the claimed party has made no allegations regarding the agreement to initiate the file, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case a resolution proposal.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es


In view of all the actions taken, the Spanish Data Protection Agency considers the following facts proven in this proceeding:

                                PROVEN FACTS

FIRST: A claim was filed denouncing the lack of a privacy policy appropriate to the personal data protection regulations on the website https://unidadherculana.es/; the AEPD verified that the website that is the object of the claim lacks a privacy policy.

SECOND: On February 3, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party, for the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD.

THIRD: On February 15, 2022, the claimed party was notified of the agreement to initiate this procedure, said agreement becoming a resolution proposal in accordance with articles 64.2.f) and 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), as the claimed party did not make allegations within the indicated period.

                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of individuals with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD) grants to each control authority, and according to what is established in articles 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure.


Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.”

                                             II


Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD), under the heading “Definitions”, provides that:


“For the purposes of this Regulation, the following shall be understood as:

1) "personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be deemed to be any person whose identity can be determined, directly or indirectly, in particular by an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychic, economic, cultural or social identity of said person;

2) “processing”: any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation or interconnection, limitation, suppression or destruction;”


                                             III


Article 13 of the RGPD, a precept that determines the information that must be provided to the interested party at the time of collecting their data, provides:

"1. When personal data relating to an interested party is obtained from that party, the person responsible for the treatment, at the time the data is obtained, will provide all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, of their representative;

b) the contact details of the data protection delegate, if applicable;

c) the purposes of the treatment for which the personal data is intended and the legal basis of the treatment;

d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;

e) the recipients or the categories of recipients of the personal data, where applicable;

f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate safeguards and the means to obtain a copy of these or to the fact that they have been made available.


2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the moment in which the personal data is obtained, with the following information necessary to guarantee fair and transparent data processing:

a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;

b) the existence of the right to request from the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data;

c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;

e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and whether the interested party is obliged to provide the personal data and is informed of the possible consequences of not providing such data;

f) the existence of automated decisions, including profiling, referred to in article 22, sections 1 and 4, and, at least in such cases, information about the logic applied, as well as the importance and the expected consequences of said treatment for the interested party.


3. When the controller plans the further processing of personal data for a purpose other than that for which they were collected, it will provide the interested party, prior to such further processing, with information on that other purpose and any additional information relevant under paragraph 2.


4. The provisions of sections 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information."


For its part, article 11 of the LOPDGDD provides the following:

"1. When the personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679 by providing the affected party with the basic information referred to in the following section and indicating an electronic address or other medium that allows easy and immediate access to the rest of the information.

2. The basic information referred to in the previous section must contain, at least:

a) The identity of the data controller and his representative, if any.

b) The purpose of the treatment.

c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.

If the data obtained from the affected party were to be processed for the preparation of profiles, the basic information will also include this circumstance. In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on him or her or significantly affect him or her in a similar way, when this right applies in accordance with the provisions of article 22 of Regulation (EU) 2016/679.”


                                            IV


By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for Data Protection, as a control authority, has a set of corrective powers in the event of an infraction of the precepts of the GDPR.


Article 58.2 of the RGPD provides the following:


“2 Each supervisory authority shall have all of the following corrective powers
listed below:


(…)


b) send a warning to any person responsible or in charge of the treatment when the
treatment operations have violated the provisions of this Regulation;”


(...)


“d) order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;”

“i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"


Article 83.5.b) of the RGPD establishes that:


“The infractions of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the global total annual turnover of the previous financial year, opting for the largest amount:

a) the rights of the interested parties pursuant to articles 12 to 22;”

In turn, article 72.1 h) of the LOPDGDD, under the heading "Infringements considered very serious", provides:

“1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following:

h) The omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.”


                                            V

In this case, this Agency has confirmed that the respondent requires its customers to provide their personal data, without indicating any of the aspects required in article 13 of the RGPD, set out in legal basis III, according to which the claimed party must inform the owner of the personal data it collects about the aspects indicated in said precept, such as the identity and contact details of the person responsible for the treatment, the purposes of the treatment for which the data is intended and the legal basis of the treatment.

Therefore, since the respondent does not provide the information required in the aforementioned article 13 of the RGPD, it could incur an infringement of the RGPD.


                                            VI

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that indicate:

“Each control authority will guarantee that the imposition of administrative fines under this Article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.”

“Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:

a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages that they have suffered;

b) intentionality or negligence in the infringement;

c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties;

d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that they have applied under articles 25 and 32;

e) any previous infringement committed by the person in charge or the person in charge of the treatment;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in particular whether the person in charge or the person in charge notified the infringement and, if so, to what extent;

i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under article 40 or certification mechanisms approved in accordance with article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the offence.

b) The link between the activity of the offender and the performance of treatment of personal information.

c) The profits obtained as a result of committing the offence.

d) The possibility that the conduct of the affected party could have induced the commission of the offence.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) Affectation of the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.”

In accordance with the precepts transcribed, in order to set the amount of the fine to be imposed in this case on the claimed entity as responsible for an infringement typified in article 83.5.b) of the RGPD, the following mitigating factors are taken into account:

- The claimed party does not have previous infringements (83.2 e) RGPD).

- It has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD).

- The claimed entity is not considered a large company.

It is appropriate to graduate the sanction to be imposed on the claimed party and set it at the amount of €3,000 in accordance with article 58.2 of the RGPD.

Likewise, upon confirming the existence of an infraction, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, the resolution orders the claimed party, as responsible for the treatment, to prepare an adequate privacy policy, so that the information required in the aforementioned article 13 of the GDPR is available.






Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on the ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA, with NIF G42688721, for an infraction of article 13 of the RGPD, typified in article 83.5 b) of the RGPD, a fine of €3,000 (three thousand euros).

SECOND: ORDER the respondent, as data controller, to prepare an adequate privacy policy, so that the information required in the aforementioned article 13 of the RGPD is available.

THIRD: NOTIFY this resolution to the ASOCIACIÓN DE AFICIONADOS Y PEQUEÑOS ACCIONISTAS UNIDAD HERCULANA.


FOURTH: Warn the sanctioned party that it must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the executive period.


Once the notification has been received and the resolution has become enforceable, if the date on which it becomes enforceable is between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th day of the following month or immediately after, and if it is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second following month or immediately after.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.


Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution in administrative proceedings may be provisionally suspended if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it will end the precautionary suspension.



Mar España Martí
Director of the Spanish Data Protection Agency