AEPD (Spain) - EXP202304685

From GDPRhub
AEPD - EXP202304685
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 24.04.2024
Decided:
Published: 12.08.2024
Fine: 270,000 EUR
Parties: Uniqlo Europe LTD
National Case Number/Name: EXP202304685
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined Uniqlo €270,000, finding that it infringed the principle of confidentiality and had insufficient security measures after an employee erroneously sent hundreds of employees' payroll data to an unauthorised person.

English Summary

Facts

An employee of Uniqlo Europe LTD (the controller) was emailing its human resources department requesting their payroll information for the month of July 2022. In response, on 8 August 2022, the data subject received an email with a PDF attached with numerous of the data subject’s personal data, including their name, identification number, social security number, banking number and payroll information for the month – as well as that of 446 other employees of the controller. On 24 April 2023, the data subject filed a complaint with the Spanish DPA (AEPD).

The controller admitted that the breach occurred and stated that that it resulted from a human error during an email exchange involving human resources. It also claimed that the employee who committed the error did not inform her superiors, who only learned of the breach when the complaint was notified to them. The controller informed data subjects of the incidents a few days after they became aware of the breach, on 4 May 2023.

The AEPD’s investigation indicated that the controller did not conduct any impact assessment or risk analysis for the processing related to the management of payroll.

Holding

The AEPD noted that the controller lacked organizational and technical measures to ensure the security of its employees’ payroll data and to prevent unauthorised third parties from accessing this data. It considered that the measures in place should be proportionate to the risks – which the controller had failed to assess – and should take into account pseudonymisation and encryption, capacity to ensure confidentiality and verification procedures.

Given the inadequate security measures and the resulting breach of confidentiality, the AEPD concluded that the controller infringed Articles 5(1)(f) and 32 GDPR and recommended a sanction of €450,000.

Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €270,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/26

 File No.: EXP202304685

RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY

Payment

From the procedure initiated by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On July 5, 2024, the Director of the Spanish Data Protection Agency
agreed to initiate sanctioning proceedings against UNIQLO EUROPE,
LTD, BRANCH IN SPAIN (hereinafter, the respondent party), through the
Agreement transcribed below:

<<

File No.: EXP202304685 (PS/00238/2024)

AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based
on the following following

FACTS

FIRST: A.A.A. and B.B.B. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on March 31, 2023. The

claimed facts reveal a possible infringement attributable to UNIQLO
EUROPE, LTD, SUCURSAL EN ESPAÑA with NIF W8266168G (hereinafter,
UNIQLO).

The known facts are the following:

The first claim filed by the complainant, who provided services in
the respondent entity, states that on August 8, 2022, after requesting his
payroll from the entity, he received an email with an attached PDF document that
included his payroll and that of 446 other employees on the payroll.

Together with the claim, the PDF document containing the payrolls of 447 employees of the entity being claimed, including name and surname, ID, SS membership number and bank account number, among other data, is provided.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/26

The second claim originates from receiving the informative communication of the breach, sent by UNIQLO to the affected employees by email.
The complainant of this second claim, who claims to belong to the

Working Committee, provides a screenshot of the email received on May 4,
2023.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was transferred to UNIQLO, so that
it could proceed to analyze it and inform this Agency within one month of the
actions carried out to comply with the requirements provided for in the data protection
regulations.

UNIQLO responds to the transfer of the claim dated May 18, 2023. However, it is observed that, from the response to the transfer of the claim, a
possible violation of the data protection regulations is inferred.

THIRD: On June 8, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VIII of the LOPDGDD.

As a result of the actions carried out, the following matters have been learned:

1.- Verification of the facts claimed. As a first aspect of these investigative actions, the information provided in the complaint and by the respondent party has been analyzed, both in the
transfer and in subsequent requests in relation to the origin of the incident.

The object causing the breach would be a PDF file containing the information of
the entire UNIQLO workforce regarding the payrolls for the month of July. This file has
been provided by the complainant party and the information contained in it has been
checked, as well as the reason why it was improperly sent to an

unauthorized person.

The respondent party admits the claimed facts: Due to the termination of the
complainant's employment contract, the complainant requested his/her July 2022 payroll from the
human resources department. They state that, in the context of the exchange

of information by email, their human resources department mistakenly sent the indicated file, with the information of the entire workforce. They attribute this fact to human error, both in the personal data breach notification document: “the breach was caused by an HR staff by mistake (human error) who did

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/26

not follow the internal process” and in numerous
points of the allegations “the HR Employee sent a file that, by mistake,

contained the July payrolls of all Uniqlo workers and the following personal
data:..”.

The respondent states that the file contained the information of 446 UNIQLO workers. After reviewing the list provided in the claim, it is noted
that, although the file contains 471 pay slips, they correspond to 447 employees, since

there are some cases in which the same person had different pay slips associated
during the month for different work reasons (change of contract, sick leave, etc.). The
claim indicates the figure of 470 workers, not including the claimant employee
himself, but the correct figure would indeed be 446.

The respondent states that said file contained the following personal
data: name, surname, DNI/NIE number, Social Security number,
bank account number and remuneration received. It is verified that the
statements of the respondent are consistent with the information provided by
the complainant and the leaked file provided.

In addition, the respondent provides communications maintained at that
time between the complainant and the person who intervened from human resources,
via email. Through these messages, the date of the
incident can be proven, with the file being sent on August 8, 2022. It is clear from the
communications exchanged thereafter that the complainant would delete the

file ("For your peace of mind, I inform you that I did not download it, I opened it online
and as soon as I saw the first page I closed it, so do not worry, it is not in my
files"), a fact that could have conditioned the actions of the respondent's staff.

According to the respondent, the human resources employee who sent the
file did not inform his superiors or bring it to the attention of the
company, so the breach did not transcend nor was it proactively acted upon. The only time that this was known, as they state, was when they received notification
of the transfer of the claim: “On April 18, 2023, Uniqlo received a
notification from the AEPD in which it was notified of the claim filed and

required certain information. It was at this precise moment that Uniqlo, as a
business organization, was able to learn about the security incident of last August,
until then, unknown.”

2.- Informative communication of the breach.

2.1. Notification to the control authority.
Since the information of this breach to the Agency arrived through a claim,
the respondent party was asked to explain why the breach was not notified.

As indicated in the previous point, the argument presented by the respondent party is that they were directly unaware of the existence of the breach until
they received the transfer of the claim. Internally, they blame this situation on the
human resources person who was responsible for sending the information: “the HR

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/26

employee – in a flagrant breach of Uniqlo’s internal policies – did not
at any time inform his hierarchical superior or Uniqlo management of the
incident, which is why the company was unable to find out in a timely manner that it

had occurred and, consequently, was unable to notify the AEPD in accordance
with article 33 of General Data Protection Regulation 2016/769”

They subsequently made the formal notification of the personal data breach, on
April 24, 2023, and it was incorporated into the file. The following relevant points are included in this notification:

- Responsible party: UNIQLO EUROPE LTD, branch in Spain.

- Processor: There is no processor.

- Affected parties: 471 employees.

- Affected data: Basic contact data, identity number, financial data (without payment data) and contact data.

- Cause of the breach: Accidental, of internal origin. The explanation previously mentioned in point 1 of the report regarding the human resources error is provided.

- Consequences for those affected: Confidentiality affected. They could suffer
severe inconveniences such as phishing or impersonation attempts, although it is
considered unlikely that this will materialize.

- Cross-border: No, only in Spain.

- Minors: There are no minors among those affected.

2.2. Communication to interested parties:

On the other hand, information regarding communication to interested parties was requested.
The respondent party states that the communication informing them of the
incident was made a few days after they became aware of it, on May 4,
2023.

They provide the communication sent, which has a version in Spanish and English.
The report reports on the incident, explaining the causes and its magnitude in clear and concise language ("within the framework of the response to a legitimate request, a file with your
payroll for the month of July 2022 was mistakenly sent to a former employee by UNIQLO. The information contained in a payroll sheet

includes the following personal data: name, address, DNI/NIE number, Social Security number, bank account number, salary and its

breakdown"). It is reiterated that there was no knowledge at management level until it was
communicated by the AEPD, thus justifying the gap of several months between the events and
the communication. A contact email is provided for additional queries.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/26

They state that they have received 10 communications in this regard, which have
been duly attended to.

The communication states that there is no evidence of
exfiltration of personal data and a reference is made to INCIBE (National
Institute of Cybersecurity) so that those affected can consult additional
cybersecurity resources. The possible consequences that this breach could have are not specified,
although it states: “we recommend that you be aware of any
potential risk that could arise from improper use of your personal data.”

Finally, the measures that UNIQLO will take to try to ensure that
no further incidents of this type occur are indicated: training for staff in
cybersecurity and data privacy, together with the review of internal procedures and
policies.

In addition to the text of the communication, a table of 15 questions and
answers is provided, sent to those affected, which summarize the description of the breach and the
points discussed above. An email is also provided to the Company Committee, on the same date, informing them of this event and requesting their collaboration.

They state that they sent the communication by email to all of the affected parties, consisting of 287 employees and 160 former employees in May 2023, as they no longer had an employment relationship with a significant group of those affected. Taking into account that the first claimant was also among the workers, the communication would have been sent to all of those affected. Proof that the communication was effectively sent to all affected personnel has been requested, but no confirmation has been received in this regard, although samples of the emails addressed to both active workers and former employees are provided.

The content of the communication is provided in two parts, as the second claim also includes it. In this claim, which comes from a person
who claims to be from the Company Committee, it is stated that "the company is sending an
email (attached) to all employees in which it communicates
and acknowledges that there has been a communication to third parties which contained
personal data", so it can be confirmed that the communication has been
effectively made to, at least, all active personnel at that time.

3.- Payroll management.
Since the breach has been caused by the management of the company's
payroll, its operation and organization has been further investigated.

(…).

(…).

(…).

(…).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/26

(…).

(…).

(…).

However, in this particular case, the data controller, even though it was a
payroll-related issue, had no involvement in the incident as it was
internally limited to the controller.

4.- Security measures.

4.1. Measures prior to the incident.

The respondent party has been asked for information on the measures prior to the
incident regarding data protection, as well as the regulations in this regard that
develop the action protocols.

The respondent party states that they have the following technical and
organizational measures: (…).

Regarding the processing of data for payroll management, the respondent party
states that a specific impact assessment has not been carried out, as they
interpret that it is not considered a treatment that requires this assessment. Consequently, they state that a specific risk analysis has not been documented for this treatment:

“As regards the processing of data related to payroll management, the company has not carried out an impact assessment since, in accordance with article 35.3 of the GDPR, payroll management is not considered a treatment that requires this assessment. Likewise,
and in consequence of the above, the company has not documented a specific risk analysis of this treatment either.”

In any case, they state a series of security measures that are applicable to this treatment. Among them:

- (…).

- (…).

- (…).

- (…).

- (…).

- (…).

- (…).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/26

UNIQLO has a digital platform called the ISO portal. It is an online portal operated by the corporate group's information security office, where
materials and documentation relating to information security are made available to employees. Among the documentation found on the portal,
there is the aforementioned basic security regulation (“Fast Retailing Group -
Information Security Basic Regulations”) and the information security manual
(“Information Security Handbook”). Certification is provided that these protocols
are accessible within the portal. As will be explained later, information is also provided regarding the dissemination of the use of this portal among employees.

In addition to the above, there would be measures with the person in charge of
the treatment, GM Integra RRHH S.L., although in this case the breach would be unrelated to
them.

In the regulatory framework, the following documentation is provided in this regard:
- Procedure for managing incidents. This procedure includes the obligation to
notify both the information security department and its direct manager of any type of incident, even if it is not
malicious: “All Officers and Employees are required to report Information
Security Incidents (hereinafter Incidents) to their direct manager and ISO

immediately through the ISO Portal. Reporting must include actual, suspected
events or anomalies with or without malicious intent” (in Spanish: “All Officers and Employees are required to
report Information Security Incidents (hereinafter Incidents) to their direct
manager and ISO immediately through the ISO Portal. Reporting must include actual or suspected
events or anomalies with or without malicious intent.”).

- Basic information security regulations (“Fast Retailing Group -
Information Security Basic Regulations”). The report was in force since
February 2017 and mentions the obligation of confidentiality that employees

must maintain when disclosing information assets through digital means, as well as the need to
report in the event of loss of information.

- Information Security Handbook.

- Record of Processing Activities, which records the payroll
management activity and the personal data affected by this processing.

- Data protection protocol for the human resources
department. This protocol contains the need to notify the information
security department (ISO) in the event of a breach.

- Risk matrix

- Store employee manual

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/26

In section 5 of this report, the effective dissemination of this regulation
among UNIQLO employees will be discussed in more detail.

In relation to contractual measures with human resources personnel, the Code of Conduct is provided and is made available to employees at the time of their

hiring. Among the principles included is respect for personal and confidential information, as well as improper or inappropriate use.

Data protection clauses for employees are also provided. These
clauses are aimed at the data provided by the employee, not at the management of personal data of other employees.

4.2. Measures adopted subsequently.
In relation to the previous point, the respondent party has been asked for information
on the measures taken after the incident, aimed at preventing
events of this type from occurring again.

They state again that all actions have been carried out after the transfer of the
complaint by the AEPD, not after the events occurred in August
2022. These include the following:

- Internal opening of the incident and inclusion of the security breach in the

organization's breach registry. This registry is provided, where the incident is recorded
together with the associated risk matrix.

- Notification to the AEPD, as previously discussed in point 2.1.

- Notification to those affected and the Company Committee, as previously
discussed in point 2.2.

- Hiring of external legal services to advise on this case.

- Implementation of the threat intelligence tool (...), which will

be developed in point 6 regarding data exfiltration.

- Review of the internal protocols of the human resources department and
the payroll sending process. Among the changes made, they state:

former employees will be able to download their payrolls (...).
In addition, UNIQLO's human resources department
will exchange payrolls with the agency in charge of this treatment on an

individual basis, sending the specific payrolls of each worker and
not jointly.

At the level of the organization's personnel, they state that they have carried out the

following actions:

- Opening a disciplinary file against the human resources employee for
serious breach of the duties of good faith and legitimate trust by not
having followed the existing protocols. They state that this is considered a

very serious fault that could even lead to dismissal. C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/26

- Training for those affected in data protection, focused on protection against possible consequences. They provide an email of the call, dated May 2023.

- Training for UNIQLO employees aimed at reinforcing data protection and the company's internal protocols and policies.

A tentative schedule of training actions is provided.

Additionally, they indicate that a vigilant attitude will be maintained regarding this incident and it will be periodically reviewed that the compromised data has not been published on the Internet.

Finally, although the respondent party does not expressly state it as a
measure adopted following the incident, the addendum signed with the management company
GM Integra RRHH S.L., in charge of processing payroll management services, is
highlighted. It was signed in May 2023 and, as stated, the purpose was

to reinforce proactive responsibility.

5.- Transfer of protocols to employees.

Because the incident was caused by human error, it is especially

relevant to analyze the situation and training of employees in data protection

and cybersecurity.

The respondent party has been required to prove the dissemination and transfer of security

policies to staff prior to the breach. They state in this regard that the

company regularly sends circulars to all employees reminding them of relevant issues

from the point of view of information security and data protection. The respondent states that the employee in question had the necessary training to perform his duties, based on numerous different types of evidence.

The following sample circulars are provided:

- First circular, sent on October 20, 2020. In this circular, the Director of Information Security informs employees of the applications that are allowed to send company information.

- Second circular, dated August 6, 2021, also sent by the Director of Information Security. It reminds employees that the leak of personal information constitutes a violation and that files shared with third parties outside UNIQLO must be sent using the tool (...). The circular includes links to the application and the user manual.

- Third circular, dated October 26, 2021, also sent by the same person in charge, informing employees about information security incidents, indicating the portal for their management (the aforementioned ISO portal) and including a link to the incident management procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/26

- Fourth circular dated March 1, 2022. This circular exemplifies some behaviors contrary to the correct management of confidential information, such as sending confidential information to unauthorized personnel.

For all these cases, it is proven that the human resources employee involved was in a copy of the information circulars.

Furthermore, the respondent party states that the human resources employee in question also received specific training in data protection related to personnel management. The materials for the training given

on April 25, 2022, are provided. This training was aimed at the protection of

personal data in personnel selection processes.

Additionally, within the training activities, the respondent party states

that an annual reminder of the aforementioned Code of Conduct is carried out. It is

proven that the employee involved completed a training, as of January 28, 2022,

although the information provided in the evidence is brief and the content of the same is not

shown.

Another of the activities that the respondent party states it carries out is the
periodic distribution of educational videos in which the accepted and prohibited behaviors are

shown in accordance with the Code of Conduct. These videos are provided, in
which the corporate codes of conduct, good practices and handling of
confidential information are discussed. The videos are in English, with subtitles in
Spanish. The information provided cannot prove that it was actually disseminated,
or which personnel viewed it.

6.- Exfiltration of the affected data.
There is no evidence that the data affected by the breach was exfiltrated. The
respondent states that it has no information in this regard or that it could have been
used for other purposes. As indicated: “the information security department has
used the threat intelligence tool (...) to
monitor the impact of the incident. The result of the analysis carried out with this
tool indicates that, as of the date of this document, no leaks of Uniqlo data have been detected,
including data relating to the compromised file, on the Internet (even on the so-called “dark web”).”

A statement from the Information Security Officer dated May 18, 2023 is provided, detailing the analysis carried out and its conclusions, confirming that no information leaks have been detected nor that the data had been published against the will of those affected.

FIFTH: According to the diligence dated May 27, 2024 in the file, the total annual turnover of the UNIQLO Group, whose economic activity is the retail trade of clothing in specialized stores, in the financial year 2023 was approximately (...) million euros.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/26

LEGAL BASIS

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

II
Procedure

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures”.

In accordance with article 64 of the LOPDGDD, and taking into account the
characteristics of the alleged infringements committed, a sanctioning
procedure is initiated.

The procedure will have a maximum duration of twelve months from the date
of the start agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of
article 64 of the LOPDGDD.

If no objections are made to this initiation agreement within the stipulated period, it
may be considered a resolution proposal, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

III
Preliminary questions

Article 4.2) of the GDPR defines “processing” as:

“any operation or set of operations performed on personal data or on
sets of personal data, whether or not by automated means, such as
collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/26

any other form of making available, alignment or combination, restriction,
erasure or destruction.”

Article 4.7) of the GDPR defines the “data controller” or
“controller” as:

“the natural or legal person, public authority, agency or other body which, alone or
jointly with others, determines the purposes and means of the processing; If Union or Member State law determines the purposes and means of processing, the

controller or the specific criteria for its appointment may be established by Union or Member State law”.

In this case, in accordance with the provisions of article 4.1 and 4.2 of the GDPR,

personal data processing is carried out, since UNIQLO
EUROPE, LTD, BRANCH IN SPAIN collects, consults, communicates
by transmission and stores, among others, the following personal data of the
natural persons who work in this company: name, address, DNI/NIE number, Social Security number, bank account number, salary and its
breakdown, among other treatments.

UNIQLO EUROPE, LTD, SUCURSAL EN ESPAÑA carries out this activity in its capacity as data controller, since it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR.

Within the principles of processing provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f)
of article 5 of the GDPR. For its part, the security of personal data is regulated in article 32 of the GDPR, which regulates the security of processing.

IV
Obligation not fulfilled. Principles relating to processing

Article 5.1(f) of the GDPR provides:

"1. Personal data shall be:
(…)
(f) processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage, by using appropriate technical or
organisational measures ('integrity and confidentiality')."

In the present case, on 5 August 2022, the complainant requested by
e-mail from UNIQLO's human resources department that the payroll for the month of July be sent to him
(page 546 of the file). In response, on August 8, 2022, UNIQLO sent the complainant, also by email, a PDF document with the payrolls of 447 of its employees, which the complainant provided along with the claim.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/26

The documentation in the file provides clear indications that UNIQLO violated article 5.1.f) of the GDPR, “Principles relating to processing”, by not properly guaranteeing the confidentiality and integrity of the personal data of its employees, having been made known to an unauthorized third party. This duty of confidentiality and integrity must be understood to be intended to prevent data leaks not consented to by the data owners.

Therefore, in accordance with the evidence available at this time

in the agreement to initiate sanctioning proceedings, it is considered that the known facts
could constitute an infringement, attributable to UNIQLO EUROPE,
LTD, BRANCH IN SPAIN, for violation of the article transcribed above.

V
Classification and classification of the infringement for the purposes of the limitation period under Article 5.1.f) of the GDPR

Article 83.5 of the GDPR classifies the infringement of the following

article as an administrative infringement, which shall be punishable, in accordance with paragraph 2, by administrative fines of
up to EUR 20,000,000 or, in the case of an undertaking, of an amount equivalent to
up to 4% of the total annual turnover of the preceding financial year, whichever is higher:

"a) the basic principles for processing, including the conditions for
consent pursuant to Articles 5, 6, 7 and 9;"

For its part, the LOPDGDD in its article 71, Infringements, states that:

“The acts and conduct referred to in sections 4,

5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the sole purposes of the limitation period, article 72.1 of the LOPDGDD
establishes the following:

"In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a
substantial violation of the articles mentioned therein and, in particular, the
following are considered very serious and will be subject to a three-year statute of limitations:

a) The processing of personal data in violation of the principles and guarantees
established in article 5 of Regulation (EU) 2016/679."

VI

Proposal for a fine

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/26

In order to determine the administrative fine to be imposed, the provisions of
articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative
fines pursuant to this Article for infringements of this Regulation referred to in
paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case.

2. Administrative fines shall be imposed, depending on the circumstances of each individual

case, as an additional or alternative measure to the measures provided for in
article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question as well

as the number of data subjects affected and the level of damage suffered by them;

b) the intent or negligence of the infringement;

c) any measures taken by the controller or processor to
mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor,

taking into account any technical or organisational measures they have implemented pursuant
to Articles 25 and 32;

e) any previous infringements committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and
mitigate any adverse effects of the infringement;

g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, to what
extent;
(i) where the measures referred to in Article 58(2) have been previously

ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as the financial benefits obtained or losses avoided, directly or

indirectly, through the infringement.”

For its part, Article 76 “Penalties and corrective measures” of the LOPDGDD
provides:

“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,

the following may also be taken into account:
a) The continued nature of the infringement.
b) The link between the offender's activity and the processing of personal
data.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/26

c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the affected party could have induced the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) The voluntary submission by the controller or person in charge to
alternative dispute resolution mechanisms, in cases where

there are disputes between them and any interested party."

In this case, considering the seriousness of the infringement found, paying special attention
to the consequences that its commission causes for the complaining party,
a fine must be imposed, in addition to the adoption of measures, where appropriate.

The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. In order to guarantee
these principles, the status of a large company and the turnover of the respondent party (...)millions of euros in 2023 are considered as a preliminary matter.

As a preliminary matter, it is estimated that the following circumstances are present:

• The nature, seriousness and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have
suffered (article 83.2, letter a), of the GDPR): Since the information has been sent by
email, it poses a greater risk of data leakage, not only by the recipient of the email (the complaining party), but also, due to
the vulnerabilities in terms of email security, since, as the data is not
encrypted, any attacker could access the data in

transit. Furthermore, the number of interested parties affected by the personal data breach is 447

• Intentionality/Negligence in the infringement (article 83.2, letter b), of the
RGPD): Although it cannot be understood that UNIQLO acted with malice, a lack of diligence is observed in the fulfillment of the obligations imposed by the regulations on data protection, such as compliance and

implementation of the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk in the treatments it carries out, specifically, in the management of the payrolls of its employees; in this
respect, the SAN of 17/10/2007 can be cited, which although it was issued before the validity of the RGPD, its pronouncement is perfectly extrapolable to the

case that we analyze. The ruling, after referring to the fact that entities
in which the development of their activity involves continuous processing of data
of clients and third parties must observe an adequate level of diligence, specified
that "(...) the Supreme Court has understood that there is imprudence whenever
a legal duty of care is disregarded, that is, when the offender does

not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be
especially considered, and there is no doubt that, in the case now examined, when the activity of the appellant is

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/26

constant and abundant handling of personal data, it is necessary to insist on
the rigor and the exquisite care to comply with the legal provisions in this regard

• The categories of personal data affected by the infringement

(article 83.2, letter g), of the RGPD): In addition to personal identification data of
the workers, financial data such as the bank account number and the income they receive monthly were leaked. In section 3.6

of the Guidelines 04/2022 on the calculation of administrative penalties
under the GDPR, issued by the European Data Protection Board (hereinafter EDPB), in compliance with the objective of ensuring the
consistent application of the General Data Protection Regulation, as attributed to it by its
Article 70, the following is established (unofficial translation):

“Categories of personal data affected
58. As regards the requirement to take into account the categories of personal data
affected [Article 83, paragraph 2, letter g) of the GDPR], the GDPR
clearly highlights the types of data that deserve special protection and,
therefore, a stricter response with regard to fines. This

refers, at a minimum, to the types of data referred to in Articles 9 and 10
of the GDPR and to data outside the scope of these articles whose
dissemination causes immediate damage and harm to the data subject 26 (for example,
location data, data on private communications, national identification
numbers or financial data, such as transaction summaries or

credit card numbers).”

The following grading factors are also considered as
aggravating factors:

• The link between the offender's activity and the
processing of personal data (Article 76.2, letter b), of the LOPDGDD): The
development of business management activities by UNIQLO requires
continuous processing of personal data of its employees.

In addition, the following grading factors are considered as
mitigating factors:

Any other aggravating or mitigating factor applicable to the circumstances of the case
(Article 83.2, letter k), of the GDPR): The email message had a single recipient, the
complainant.

The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of
the LOPDGDD, with respect to the infringement committed by violating the provisions of
Article 5.1.f) of the GDPR, allows for an initial administrative fine of

€300,000 (three hundred thousand euros).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/26

VII
Obligation breached. Security of processing

Article 32 of the GDPR states:

"1. Taking into account the state of the art, the costs of implementation, and the
nature, scope, context and purposes of processing as well as the risks of
varying likelihood and severity for the rights and freedoms of natural persons, the
controller and processor shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk, which
may include, where appropriate, inter alia:
a) pseudonymisation and encryption of personal data;
b) the ability to ensure the permanent confidentiality, integrity, availability and
resilience of processing systems and services;
c) the ability to restore the availability of and access to personal data
quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the
effectiveness of the technical and organisational measures to ensure the security of processing.

2. When assessing the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, in particular as a result of accidental or unlawful destruction, loss, alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed.

3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element of demonstrating compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and the processor shall take steps to ensure that

any person acting under the authority of the controller or the processor who
has access to personal data processes such data only on instructions from the controller, unless he or she is required to do so by Union or Member State law."

The GDPR defines personal data breaches as “any
breach of security leading to the accidental or unlawful destruction, loss,
alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.”

The documentation in the file shows the violation of Article 32.1
of the GDPR, due to the failure to adopt appropriate technical and
organizational measures, which allowed an unauthorized third party to access the
personal data of UNIQLO employees, which was caused by the sending
by email of the payrolls of 447 employees. employees of the company

UNIQLO.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/26

It should be noted that the GDPR in the aforementioned provision does not establish a list of the
security measures that are applicable according to the data that are subject to
processing, but rather establishes that the controller and the processor
will apply technical and organizational measures that are appropriate to the risk that the
processing entails, taking into account the state of the art, the costs of application, the

nature, scope, context and purposes of the processing, the risks of probability
and severity for the rights and freedoms of the interested parties.

Likewise, security measures must be appropriate and proportionate to the risk detected, noting that the determination of technical and organizational measures must be carried out taking into account: pseudonymization and encryption, the

ability to guarantee confidentiality, integrity, availability and resilience, the
ability to restore availability and access to data after an incident, verification process
(not audit), evaluation and assessment of the effectiveness of the measures.

In any case, when evaluating the adequacy of the security level to the risk, particular account will be taken
into account of the risks presented by data processing, as a consequence of the accidental or unlawful destruction, loss or alteration of personal data
transmitted, stored or otherwise processed, or unauthorized communication or
access to such data and which could cause physical, material or immaterial damages.

In this regard, recital 83 of the GDPR states that:

“(83) In order to maintain security and prevent processing in violation of this Regulation, the controller or processor should assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the cost of their implementation, in relation to the risks and the nature of the personal data to be protected. When assessing the risk in relation to data security, account should be taken of the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data, which may in particular cause physical, material or immaterial damage.”

In the present case, it is evident that the security measures implemented in relation to the data being processed were not adequate to

guarantee the security and confidentiality of personal data at the time of
the bankruptcy.

As Recital 39 also states:

“…Personal data must be treated in a way that guarantees adequate security and
confidentiality of personal data, including to prevent unauthorized access to or use of such data and the equipment used in the processing.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/26

UNIQLO justifies a series of technical and organizational measures to
preserve the security and privacy of its information systems. These measures
were not adequate to prevent the events subject to the claim, so the

infringement of article 32 of the GDPR occurs because there are no measures to prevent the
violation that occurred. Similarly, a number of measures have been taken
after the fact, such as allowing former employees access to their payslips for a period of 60 days after the termination of the contract or the
review of the payslip sending process by the human resources department, as well as redesigning the internal protocols of said department. These

measures cannot be taken into consideration for the purposes of assessing UNIQLO's
liability in the facts.

UNIQLO's liability is determined by the personal data breach
revealed in the complaint, since it is responsible for making decisions

intended to effectively implement the appropriate technical and organizational
measures to ensure a level of security appropriate to the risk in order to ensure the
confidentiality of the data, restoring its availability and preventing access to it in the event of a physical or technical incident. In this sense, the measures were
not appropriate, regardless of the personal data breach that occurred.

The negligent conduct of the employee in the management of personal data contained in the
employees' payrolls does not exempt UNIQLO from liability. The
company's liability in the area of sanctions for the negligent conduct of an employee
that involves non-compliance with data protection regulations has been confirmed by the jurisprudence of the Supreme Court. In this regard,

it is worth mentioning the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3), of February 15, 2022 (rec. 7359/2020), whose
Legal Basis Fourth provides: “The fact that the conduct of an employee was negligent
does not exempt her from her responsibility as the person in charge
of the correct use of the security measures that should have guaranteed

the proper use of the data recording system designed. As we
already held in STS No. 196/2020, of February 15, 2021 (rec. 1916/2020), the
data processor is also responsible for the actions of its employees and
cannot excuse itself for its diligent actions, separately from the actions of its
employees, but rather it is the "guilty" actions of these, as a consequence of the
violation of existing security measures, which underlies the liability of the

company in the area of sanctions for "own" acts of its employees or positions, not
those of third parties."
The judgment continues by arguing about the liability of legal persons in our legal system: “…It simply happens that, since our Administrative Law admits the direct liability of legal persons, who are therefore recognized as having the capacity to infringe, the subjective element of the infringement is expressed in these cases in a different way than it is in the case of natural persons, so that, as the constitutional doctrine that we have previously reviewed indicates -STC 246/1991, of December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8)- the direct blame derives from the legal asset protected by

the rule that is infringed and the need for said protection to be truly effective
and from the risk that, consequently, must be assumed by the legal person that is subject
to compliance with said rule."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/26

Therefore, in accordance with the evidence available at this time
of the agreement to initiate sanctioning proceedings, it is considered that the

known facts could constitute an infringement, attributable to UNIQLO EUROPE,
LTD, BRANCH IN SPAIN, for violation of the article transcribed above.

VIII

Classification and qualification of the infringement for the purposes of the limitation period under Article 32 of the GDPR

Article 83.4 of the GDPR classifies the infringement of the following article as an administrative infringement, and shall be subject, in accordance with paragraph 2, to administrative fines of not more than EUR 10,000,000 or, in the case of an undertaking, not more than 2% of the total annual turnover of the previous financial year, whichever is higher:

"(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25
to 39, 42 and 43;"

For its part, the LOPDGDD in its article 71, Infringements, states that:

“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”

For the sole purposes of the limitation period, article 73 of the LOPDGDD establishes
the following:

"In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a

substantial violation of the articles mentioned therein and, in particular, the
following are considered serious and will be subject to a two-year statute of limitations:

f) The failure to adopt those technical and organizational measures that are
appropriate to guarantee a level of security appropriate to the risk of the treatment,
in the terms required by article 32.1 of Regulation (EU) 2016/679."

IX
Proposed sanction

In accordance with the provisions of article 83.2 of the GDPR and article 76.2 of the

LOPDGDD transcribed above, and without prejudice to what results from the instruction
of the procedure, for the purposes of setting the amount of the sanction to be imposed in the present
case for the infringement classified in article 32 of the GDPR, classified in article
83.4.a) of the GDPR for which UNIQLO is responsible, in an initial assessment, the following factors are
considered to be present:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/26

As a preliminary matter, it is estimated that the following circumstances are present:

• The nature, seriousness and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of the damages and losses that they have suffered (Article 83.2, letter a), of the GDPR): Since the information has been sent by email, there is a greater risk of data leakage, not only by the recipient of the email (the complaining party), but also due to the vulnerability of email security, since, as the data is not encrypted, any attacker could access the data in transit.In addition, the number of interested parties affected by the personal data breach is 447

• The categories of personal data affected by the breach (Article 83.2, letter g) of the GDPR): In addition to personal identifying data of the workers, financial data such as bank account numbers and monthly income were leaked. In section 3.6

of the Guidelines 04/2022 on the calculation of administrative penalties
under the GDPR, issued by the European Data Protection Board (hereinafter EDPB), in compliance with the objective of ensuring the
consistent application of the General Data Protection Regulation, as attributed to it by its
Article 70, the following is established (unofficial translation):

“Categories of personal data affected
58. As regards the requirement to take into account the categories of personal data
affected [Article 83, paragraph 2, letter g) of the GDPR], the GDPR
clearly highlights the types of data that deserve special protection and,
therefore, a stricter response with regard to fines. This
refers, at a minimum, to the types of data referred to in Articles 9 and 10

of the GDPR and to data outside the scope of these articles whose
dissemination causes immediate damage and harm to the data subject 26 (for example,
location data, data on private communications, national identification
numbers or financial data, such as transaction summaries or credit card
numbers).”

The following grading factors are also considered as
aggravating factors:

• The link between the offender's activity and the
processing of personal data (Article 76.2, letter b), of the LOPDGDD): The
development of business management activities by UNIQLO requires
continuous processing of personal data of its employees.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of

the LOPDGDD, with respect to the infringement committed by violating the provisions of
article 32 of the GDPR, allows for an initial administrative fine of
€150,000 (one hundred and fifty thousand euros). C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/26

X

Adoption of measures

If the infringement is confirmed, in accordance with the provisions of the aforementioned article 58.2 d)
of the GDPR, according to which each supervisory authority may “order the controller or
processor to comply with the processing operations with the
provisions of this Regulation, where appropriate, in a certain manner

and within a specified period…”, in the resolution adopted, UNIQLO may be required to
accredit to this Agency within 3 months the adoption of the following
measures, without prejudice to other measures that may arise from the
instruction of the procedure:

- Adopt the technical and organizational measures to guarantee the security of the
personal data of its employees.

The imposition of these measures is compatible with the sanction consisting of an administrative fine, as provided for in article 83.2 of the GDPR.

It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency,

IT IS AGREED:

FIRST: TO INITIATE SANCTIONING PROCEDURE against UNIQLO EUROPE, LTD,
BRANCH IN SPAIN, with NIF W8266168G:

- For the alleged infringement of Article 5.1.f) of the GDPR, classified in Article 83.5

of the GDPR.

- For the alleged infringement of Article 32 of the GDPR, classified in Article 83.4 of the
GDPR

SECOND: TO APPOINT C.C.C. as instructor. and, as secretary, D.D.D.,
indicating that they may be challenged, if applicable, in accordance with the provisions of
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP).

THIRD: INCORPORATE into the file, for evidentiary purposes, the claim
filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection
in the actions prior to the start of this sanctioning procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/26

FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the

sanction that may apply, without prejudice to what results from the investigation,
would be an administrative fine:

- For the alleged infringement of article 5.1.f) of the GDPR, classified in article 83.5.a)
of said regulation, administrative fine of 300,000.00 euros
- For the alleged infringement of article 32 of the GDPR, classified in article 83.4.a)

of said regulation, administrative fine of 150,000.00 euros

FIFTH: NOTIFY this agreement to UNIQLO EUROPE, LTD, BRANCH IN
SPAIN, with NIF W8266168G, granting it a hearing period of ten business days to make the allegations and present the evidence that it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.

In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its
responsibility within the period granted for the formulation of allegations to the present agreement of initiation; which will entail a reduction of 20% of the

sanction that must be imposed in the present procedure. With the application of this
reduction, the sanction would be established at 360,000.00 euros, the procedure being resolved with the imposition of this sanction.

Likewise, it may, at any time prior to the resolution of the present

procedure, carry out the voluntary payment of the proposed sanction, which
will entail a reduction of 20% of its amount. With the application of this reduction,
the penalty would be set at 360,000.00 euros and its payment will imply the
termination of the procedure, without prejudice to the imposition of the corresponding
measures.

The reduction for the voluntary payment of the penalty is cumulative to that which corresponds
to apply for the recognition of responsibility, provided that this recognition
of responsibility is made manifest within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the amount referred to
in the previous paragraph may be made at any time prior to the resolution. In

this case, if it were appropriate to apply both reductions, the amount of the penalty would be
set at 270,000.00 euros.

In any case, the effectiveness of either of the two reductions mentioned will be
conditioned to the express withdrawal or waiver of any action or appeal in

administrative proceedings against the penalty.

For these purposes, if you choose to apply for any of them, you must send to the
General Subdirectorate of Data Inspection an express communication of withdrawal
or waiver of any action or appeal through administrative channels against the sanction

indicating which of the two reductions you choose to apply for or whether it is both.

If you choose to make a voluntary payment of any of the amounts indicated above (360,000.00 euros or 270,000.00 euros), you must do so

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/26

in cash by depositing it in the account number IBAN: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency

at the bank CAIXABANK, S.A., indicating in the
concept the reference number of the procedure that appears in the heading
of this document and the reason for the reduction of the amount to which you are entitled.

Likewise, you must send proof of payment to the Subdirectorate General of

Inspection together with the express communication of the withdrawal or waiver of any
action or appeal through administrative channels against the sanction in order to
continue with the procedure in accordance with the amount paid.

In compliance with articles 14, 41 and 43 of the LPACAP, you are advised that, from

hereinafter, the notifications sent to you will be made exclusively electronically, through the
Unique Authorized Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering
the procedure carried out and the procedure followed. You are informed that you can
identify before this Agency an email address to receive the notice

of the availability of the notifications and that the lack of practice of this notice will not
prevent the notification from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,
there is no administrative appeal against this act.

1479-180624
Mar España Martí
Director of the Spanish Data Protection Agency
>>

SECOND: On July 22, 2024, the respondent party has proceeded to pay
the penalty in the amount of 270,000 euros using the two reductions
provided for in the Initiation Agreement transcribed above, which implies the
recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations at
the opening of the procedure, entails the waiver of any action or appeal in administrative
course against the penalty and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.

FOURTH: The aforementioned initiation agreement indicated that, if the infringement is confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”.

Having recognized the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/26

LEGAL BASIS

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II
Termination of the procedure

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP), under the heading

"Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is of a purely monetary nature or when it is possible to impose a
monetary sanction and another of a non-monetary nature but the
inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is of a purely monetary nature, the
body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of the initiation

of the procedure and their effectiveness will be conditional on the withdrawal or waiver of
any action or appeal in administrative proceedings against the sanction.

The percentage of reduction provided for in this section may be increased
by regulation.”

According to the above,
the Director of the Spanish Data Protection Agency RESOLVES:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/26

FIRST: DECLARE the termination of procedure EXP202304685, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: ORDER UNIQLO EUROPE, LTD, BRANCH IN SPAIN to
in the period of 3 months from the date this resolution becomes final and enforceable,
notify the Agency of the adoption of the measures described in the
legal grounds of the initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to UNIQLO EUROPE, LTD,
BRANCH IN SPAIN.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative process as prescribed by

art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.

1259-16012024
Mar España Martí
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es