AEPD (Spain) - EXP202304685
AEPD - EXP202304685 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR Article 32 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 24.04.2024 |
Decided: | |
Published: | 12.08.2024 |
Fine: | 270,000 EUR |
Parties: | Uniqlo Europe LTD |
National Case Number/Name: | EXP202304685 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined Uniqlo €270,000, finding that it infringed the principle of confidentiality and had insufficient security measures after an employee erroneously sent hundreds of employees' payroll data to an unauthorised person.
English Summary
Facts
An employee of Uniqlo Europe LTD (the controller) was emailing its human resources department requesting their payroll information for the month of July 2022. In response, on 8 August 2022, the data subject received an email with a PDF attached with numerous of the data subject’s personal data, including their name, identification number, social security number, banking number and payroll information for the month – as well as that of 446 other employees of the controller. On 24 April 2023, the data subject filed a complaint with the Spanish DPA (AEPD).
The controller admitted that the breach occurred and stated that that it resulted from a human error during an email exchange involving human resources. It also claimed that the employee who committed the error did not inform her superiors, who only learned of the breach when the complaint was notified to them. The controller informed data subjects of the incidents a few days after they became aware of the breach, on 4 May 2023.
The AEPD’s investigation indicated that the controller did not conduct any impact assessment or risk analysis for the processing related to the management of payroll.
Holding
The AEPD noted that the controller lacked organizational and technical measures to ensure the security of its employees’ payroll data and to prevent unauthorised third parties from accessing this data. It considered that the measures in place should be proportionate to the risks – which the controller had failed to assess – and should take into account pseudonymisation and encryption, capacity to ensure confidentiality and verification procedures.
Given the inadequate security measures and the resulting breach of confidentiality, the AEPD concluded that the controller infringed Articles 5(1)(f) and 32 GDPR and recommended a sanction of €450,000.
Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €270,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/26 File No.: EXP202304685 RESOLUTION TO TERMINATE THE PROCEDURE FOR VOLUNTARY Payment From the procedure initiated by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On July 5, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against UNIQLO EUROPE, LTD, BRANCH IN SPAIN (hereinafter, the respondent party), through the Agreement transcribed below: << File No.: EXP202304685 (PS/00238/2024) AGREEMENT TO START SANCTIONING PROCEDURE From the actions carried out by the Spanish Data Protection Agency and based on the following following FACTS FIRST: A.A.A. and B.B.B. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on March 31, 2023. The claimed facts reveal a possible infringement attributable to UNIQLO EUROPE, LTD, SUCURSAL EN ESPAÑA with NIF W8266168G (hereinafter, UNIQLO). The known facts are the following: The first claim filed by the complainant, who provided services in the respondent entity, states that on August 8, 2022, after requesting his payroll from the entity, he received an email with an attached PDF document that included his payroll and that of 446 other employees on the payroll. Together with the claim, the PDF document containing the payrolls of 447 employees of the entity being claimed, including name and surname, ID, SS membership number and bank account number, among other data, is provided. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/26 The second claim originates from receiving the informative communication of the breach, sent by UNIQLO to the affected employees by email. The complainant of this second claim, who claims to belong to the Working Committee, provides a screenshot of the email received on May 4, 2023. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), said claim was transferred to UNIQLO, so that it could proceed to analyze it and inform this Agency within one month of the actions carried out to comply with the requirements provided for in the data protection regulations. UNIQLO responds to the transfer of the claim dated May 18, 2023. However, it is observed that, from the response to the transfer of the claim, a possible violation of the data protection regulations is inferred. THIRD: On June 8, 2023, in accordance with article 65 of the LOPDGDD, the claim submitted by the complaining party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VIII of the LOPDGDD. As a result of the actions carried out, the following matters have been learned: 1.- Verification of the facts claimed. As a first aspect of these investigative actions, the information provided in the complaint and by the respondent party has been analyzed, both in the transfer and in subsequent requests in relation to the origin of the incident. The object causing the breach would be a PDF file containing the information of the entire UNIQLO workforce regarding the payrolls for the month of July. This file has been provided by the complainant party and the information contained in it has been checked, as well as the reason why it was improperly sent to an unauthorized person. The respondent party admits the claimed facts: Due to the termination of the complainant's employment contract, the complainant requested his/her July 2022 payroll from the human resources department. They state that, in the context of the exchange of information by email, their human resources department mistakenly sent the indicated file, with the information of the entire workforce. They attribute this fact to human error, both in the personal data breach notification document: “the breach was caused by an HR staff by mistake (human error) who did C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/26 not follow the internal process” and in numerous points of the allegations “the HR Employee sent a file that, by mistake, contained the July payrolls of all Uniqlo workers and the following personal data:..”. The respondent states that the file contained the information of 446 UNIQLO workers. After reviewing the list provided in the claim, it is noted that, although the file contains 471 pay slips, they correspond to 447 employees, since there are some cases in which the same person had different pay slips associated during the month for different work reasons (change of contract, sick leave, etc.). The claim indicates the figure of 470 workers, not including the claimant employee himself, but the correct figure would indeed be 446. The respondent states that said file contained the following personal data: name, surname, DNI/NIE number, Social Security number, bank account number and remuneration received. It is verified that the statements of the respondent are consistent with the information provided by the complainant and the leaked file provided. In addition, the respondent provides communications maintained at that time between the complainant and the person who intervened from human resources, via email. Through these messages, the date of the incident can be proven, with the file being sent on August 8, 2022. It is clear from the communications exchanged thereafter that the complainant would delete the file ("For your peace of mind, I inform you that I did not download it, I opened it online and as soon as I saw the first page I closed it, so do not worry, it is not in my files"), a fact that could have conditioned the actions of the respondent's staff. According to the respondent, the human resources employee who sent the file did not inform his superiors or bring it to the attention of the company, so the breach did not transcend nor was it proactively acted upon. The only time that this was known, as they state, was when they received notification of the transfer of the claim: “On April 18, 2023, Uniqlo received a notification from the AEPD in which it was notified of the claim filed and required certain information. It was at this precise moment that Uniqlo, as a business organization, was able to learn about the security incident of last August, until then, unknown.” 2.- Informative communication of the breach. 2.1. Notification to the control authority. Since the information of this breach to the Agency arrived through a claim, the respondent party was asked to explain why the breach was not notified. As indicated in the previous point, the argument presented by the respondent party is that they were directly unaware of the existence of the breach until they received the transfer of the claim. Internally, they blame this situation on the human resources person who was responsible for sending the information: “the HR C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/26 employee – in a flagrant breach of Uniqlo’s internal policies – did not at any time inform his hierarchical superior or Uniqlo management of the incident, which is why the company was unable to find out in a timely manner that it had occurred and, consequently, was unable to notify the AEPD in accordance with article 33 of General Data Protection Regulation 2016/769” They subsequently made the formal notification of the personal data breach, on April 24, 2023, and it was incorporated into the file. The following relevant points are included in this notification: - Responsible party: UNIQLO EUROPE LTD, branch in Spain. - Processor: There is no processor. - Affected parties: 471 employees. - Affected data: Basic contact data, identity number, financial data (without payment data) and contact data. - Cause of the breach: Accidental, of internal origin. The explanation previously mentioned in point 1 of the report regarding the human resources error is provided. - Consequences for those affected: Confidentiality affected. They could suffer severe inconveniences such as phishing or impersonation attempts, although it is considered unlikely that this will materialize. - Cross-border: No, only in Spain. - Minors: There are no minors among those affected. 2.2. Communication to interested parties: On the other hand, information regarding communication to interested parties was requested. The respondent party states that the communication informing them of the incident was made a few days after they became aware of it, on May 4, 2023. They provide the communication sent, which has a version in Spanish and English. The report reports on the incident, explaining the causes and its magnitude in clear and concise language ("within the framework of the response to a legitimate request, a file with your payroll for the month of July 2022 was mistakenly sent to a former employee by UNIQLO. The information contained in a payroll sheet includes the following personal data: name, address, DNI/NIE number, Social Security number, bank account number, salary and its breakdown"). It is reiterated that there was no knowledge at management level until it was communicated by the AEPD, thus justifying the gap of several months between the events and the communication. A contact email is provided for additional queries. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/26 They state that they have received 10 communications in this regard, which have been duly attended to. The communication states that there is no evidence of exfiltration of personal data and a reference is made to INCIBE (National Institute of Cybersecurity) so that those affected can consult additional cybersecurity resources. The possible consequences that this breach could have are not specified, although it states: “we recommend that you be aware of any potential risk that could arise from improper use of your personal data.” Finally, the measures that UNIQLO will take to try to ensure that no further incidents of this type occur are indicated: training for staff in cybersecurity and data privacy, together with the review of internal procedures and policies. In addition to the text of the communication, a table of 15 questions and answers is provided, sent to those affected, which summarize the description of the breach and the points discussed above. An email is also provided to the Company Committee, on the same date, informing them of this event and requesting their collaboration. They state that they sent the communication by email to all of the affected parties, consisting of 287 employees and 160 former employees in May 2023, as they no longer had an employment relationship with a significant group of those affected. Taking into account that the first claimant was also among the workers, the communication would have been sent to all of those affected. Proof that the communication was effectively sent to all affected personnel has been requested, but no confirmation has been received in this regard, although samples of the emails addressed to both active workers and former employees are provided. The content of the communication is provided in two parts, as the second claim also includes it. In this claim, which comes from a person who claims to be from the Company Committee, it is stated that "the company is sending an email (attached) to all employees in which it communicates and acknowledges that there has been a communication to third parties which contained personal data", so it can be confirmed that the communication has been effectively made to, at least, all active personnel at that time. 3.- Payroll management. Since the breach has been caused by the management of the company's payroll, its operation and organization has been further investigated. (…). (…). (…). (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/26 (…). (…). (…). However, in this particular case, the data controller, even though it was a payroll-related issue, had no involvement in the incident as it was internally limited to the controller. 4.- Security measures. 4.1. Measures prior to the incident. The respondent party has been asked for information on the measures prior to the incident regarding data protection, as well as the regulations in this regard that develop the action protocols. The respondent party states that they have the following technical and organizational measures: (…). Regarding the processing of data for payroll management, the respondent party states that a specific impact assessment has not been carried out, as they interpret that it is not considered a treatment that requires this assessment. Consequently, they state that a specific risk analysis has not been documented for this treatment: “As regards the processing of data related to payroll management, the company has not carried out an impact assessment since, in accordance with article 35.3 of the GDPR, payroll management is not considered a treatment that requires this assessment. Likewise, and in consequence of the above, the company has not documented a specific risk analysis of this treatment either.” In any case, they state a series of security measures that are applicable to this treatment. Among them: - (…). - (…). - (…). - (…). - (…). - (…). - (…). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/26 UNIQLO has a digital platform called the ISO portal. It is an online portal operated by the corporate group's information security office, where materials and documentation relating to information security are made available to employees. Among the documentation found on the portal, there is the aforementioned basic security regulation (“Fast Retailing Group - Information Security Basic Regulations”) and the information security manual (“Information Security Handbook”). Certification is provided that these protocols are accessible within the portal. As will be explained later, information is also provided regarding the dissemination of the use of this portal among employees. In addition to the above, there would be measures with the person in charge of the treatment, GM Integra RRHH S.L., although in this case the breach would be unrelated to them. In the regulatory framework, the following documentation is provided in this regard: - Procedure for managing incidents. This procedure includes the obligation to notify both the information security department and its direct manager of any type of incident, even if it is not malicious: “All Officers and Employees are required to report Information Security Incidents (hereinafter Incidents) to their direct manager and ISO immediately through the ISO Portal. Reporting must include actual, suspected events or anomalies with or without malicious intent” (in Spanish: “All Officers and Employees are required to report Information Security Incidents (hereinafter Incidents) to their direct manager and ISO immediately through the ISO Portal. Reporting must include actual or suspected events or anomalies with or without malicious intent.”). - Basic information security regulations (“Fast Retailing Group - Information Security Basic Regulations”). The report was in force since February 2017 and mentions the obligation of confidentiality that employees must maintain when disclosing information assets through digital means, as well as the need to report in the event of loss of information. - Information Security Handbook. - Record of Processing Activities, which records the payroll management activity and the personal data affected by this processing. - Data protection protocol for the human resources department. This protocol contains the need to notify the information security department (ISO) in the event of a breach. - Risk matrix - Store employee manual C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/26 In section 5 of this report, the effective dissemination of this regulation among UNIQLO employees will be discussed in more detail. In relation to contractual measures with human resources personnel, the Code of Conduct is provided and is made available to employees at the time of their hiring. Among the principles included is respect for personal and confidential information, as well as improper or inappropriate use. Data protection clauses for employees are also provided. These clauses are aimed at the data provided by the employee, not at the management of personal data of other employees. 4.2. Measures adopted subsequently. In relation to the previous point, the respondent party has been asked for information on the measures taken after the incident, aimed at preventing events of this type from occurring again. They state again that all actions have been carried out after the transfer of the complaint by the AEPD, not after the events occurred in August 2022. These include the following: - Internal opening of the incident and inclusion of the security breach in the organization's breach registry. This registry is provided, where the incident is recorded together with the associated risk matrix. - Notification to the AEPD, as previously discussed in point 2.1. - Notification to those affected and the Company Committee, as previously discussed in point 2.2. - Hiring of external legal services to advise on this case. - Implementation of the threat intelligence tool (...), which will be developed in point 6 regarding data exfiltration. - Review of the internal protocols of the human resources department and the payroll sending process. Among the changes made, they state: former employees will be able to download their payrolls (...). In addition, UNIQLO's human resources department will exchange payrolls with the agency in charge of this treatment on an individual basis, sending the specific payrolls of each worker and not jointly. At the level of the organization's personnel, they state that they have carried out the following actions: - Opening a disciplinary file against the human resources employee for serious breach of the duties of good faith and legitimate trust by not having followed the existing protocols. They state that this is considered a very serious fault that could even lead to dismissal. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/26 - Training for those affected in data protection, focused on protection against possible consequences. They provide an email of the call, dated May 2023. - Training for UNIQLO employees aimed at reinforcing data protection and the company's internal protocols and policies. A tentative schedule of training actions is provided. Additionally, they indicate that a vigilant attitude will be maintained regarding this incident and it will be periodically reviewed that the compromised data has not been published on the Internet. Finally, although the respondent party does not expressly state it as a measure adopted following the incident, the addendum signed with the management company GM Integra RRHH S.L., in charge of processing payroll management services, is highlighted. It was signed in May 2023 and, as stated, the purpose was to reinforce proactive responsibility. 5.- Transfer of protocols to employees. Because the incident was caused by human error, it is especially relevant to analyze the situation and training of employees in data protection and cybersecurity. The respondent party has been required to prove the dissemination and transfer of security policies to staff prior to the breach. They state in this regard that the company regularly sends circulars to all employees reminding them of relevant issues from the point of view of information security and data protection. The respondent states that the employee in question had the necessary training to perform his duties, based on numerous different types of evidence. The following sample circulars are provided: - First circular, sent on October 20, 2020. In this circular, the Director of Information Security informs employees of the applications that are allowed to send company information. - Second circular, dated August 6, 2021, also sent by the Director of Information Security. It reminds employees that the leak of personal information constitutes a violation and that files shared with third parties outside UNIQLO must be sent using the tool (...). The circular includes links to the application and the user manual. - Third circular, dated October 26, 2021, also sent by the same person in charge, informing employees about information security incidents, indicating the portal for their management (the aforementioned ISO portal) and including a link to the incident management procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/26 - Fourth circular dated March 1, 2022. This circular exemplifies some behaviors contrary to the correct management of confidential information, such as sending confidential information to unauthorized personnel. For all these cases, it is proven that the human resources employee involved was in a copy of the information circulars. Furthermore, the respondent party states that the human resources employee in question also received specific training in data protection related to personnel management. The materials for the training given on April 25, 2022, are provided. This training was aimed at the protection of personal data in personnel selection processes. Additionally, within the training activities, the respondent party states that an annual reminder of the aforementioned Code of Conduct is carried out. It is proven that the employee involved completed a training, as of January 28, 2022, although the information provided in the evidence is brief and the content of the same is not shown. Another of the activities that the respondent party states it carries out is the periodic distribution of educational videos in which the accepted and prohibited behaviors are shown in accordance with the Code of Conduct. These videos are provided, in which the corporate codes of conduct, good practices and handling of confidential information are discussed. The videos are in English, with subtitles in Spanish. The information provided cannot prove that it was actually disseminated, or which personnel viewed it. 6.- Exfiltration of the affected data. There is no evidence that the data affected by the breach was exfiltrated. The respondent states that it has no information in this regard or that it could have been used for other purposes. As indicated: “the information security department has used the threat intelligence tool (...) to monitor the impact of the incident. The result of the analysis carried out with this tool indicates that, as of the date of this document, no leaks of Uniqlo data have been detected, including data relating to the compromised file, on the Internet (even on the so-called “dark web”).” A statement from the Information Security Officer dated May 18, 2023 is provided, detailing the analysis carried out and its conclusions, confirming that no information leaks have been detected nor that the data had been published against the will of those affected. FIFTH: According to the diligence dated May 27, 2024 in the file, the total annual turnover of the UNIQLO Group, whose economic activity is the retail trade of clothing in specialized stores, in the financial year 2023 was approximately (...) million euros. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/26 LEGAL BASIS I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. II Procedure Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures”. In accordance with article 64 of the LOPDGDD, and taking into account the characteristics of the alleged infringements committed, a sanctioning procedure is initiated. The procedure will have a maximum duration of twelve months from the date of the start agreement. After this period, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD. If no objections are made to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). III Preliminary questions Article 4.2) of the GDPR defines “processing” as: “any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/26 any other form of making available, alignment or combination, restriction, erasure or destruction.” Article 4.7) of the GDPR defines the “data controller” or “controller” as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; If Union or Member State law determines the purposes and means of processing, the controller or the specific criteria for its appointment may be established by Union or Member State law”. In this case, in accordance with the provisions of article 4.1 and 4.2 of the GDPR, personal data processing is carried out, since UNIQLO EUROPE, LTD, BRANCH IN SPAIN collects, consults, communicates by transmission and stores, among others, the following personal data of the natural persons who work in this company: name, address, DNI/NIE number, Social Security number, bank account number, salary and its breakdown, among other treatments. UNIQLO EUROPE, LTD, SUCURSAL EN ESPAÑA carries out this activity in its capacity as data controller, since it is the one who determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR. Within the principles of processing provided for in article 5 of the GDPR, the integrity and confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its part, the security of personal data is regulated in article 32 of the GDPR, which regulates the security of processing. IV Obligation not fulfilled. Principles relating to processing Article 5.1(f) of the GDPR provides: "1. Personal data shall be: (…) (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organisational measures ('integrity and confidentiality')." In the present case, on 5 August 2022, the complainant requested by e-mail from UNIQLO's human resources department that the payroll for the month of July be sent to him (page 546 of the file). In response, on August 8, 2022, UNIQLO sent the complainant, also by email, a PDF document with the payrolls of 447 of its employees, which the complainant provided along with the claim. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/26 The documentation in the file provides clear indications that UNIQLO violated article 5.1.f) of the GDPR, “Principles relating to processing”, by not properly guaranteeing the confidentiality and integrity of the personal data of its employees, having been made known to an unauthorized third party. This duty of confidentiality and integrity must be understood to be intended to prevent data leaks not consented to by the data owners. Therefore, in accordance with the evidence available at this time in the agreement to initiate sanctioning proceedings, it is considered that the known facts could constitute an infringement, attributable to UNIQLO EUROPE, LTD, BRANCH IN SPAIN, for violation of the article transcribed above. V Classification and classification of the infringement for the purposes of the limitation period under Article 5.1.f) of the GDPR Article 83.5 of the GDPR classifies the infringement of the following article as an administrative infringement, which shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, of an amount equivalent to up to 4% of the total annual turnover of the preceding financial year, whichever is higher: "a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;" For its part, the LOPDGDD in its article 71, Infringements, states that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.” For the sole purposes of the limitation period, article 72.1 of the LOPDGDD establishes the following: "In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered very serious and will be subject to a three-year statute of limitations: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679." VI Proposal for a fine C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/26 In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, which state: “1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 are effective, proportionate and dissuasive in each individual case. 2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional or alternative measure to the measures provided for in article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of data subjects affected and the level of damage suffered by them; b) the intent or negligence of the infringement; c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects; d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures they have implemented pursuant to Articles 25 and 32; e) any previous infringements committed by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement; g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent; (i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures; (j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42, and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement.” For its part, Article 76 “Penalties and corrective measures” of the LOPDGDD provides: “1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continued nature of the infringement. b) The link between the offender's activity and the processing of personal data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/26 c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the affected party could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or person in charge to alternative dispute resolution mechanisms, in cases where there are disputes between them and any interested party." In this case, considering the seriousness of the infringement found, paying special attention to the consequences that its commission causes for the complaining party, a fine must be imposed, in addition to the adoption of measures, where appropriate. The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. In order to guarantee these principles, the status of a large company and the turnover of the respondent party (...)millions of euros in 2023 are considered as a preliminary matter. As a preliminary matter, it is estimated that the following circumstances are present: • The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages they have suffered (article 83.2, letter a), of the GDPR): Since the information has been sent by email, it poses a greater risk of data leakage, not only by the recipient of the email (the complaining party), but also, due to the vulnerabilities in terms of email security, since, as the data is not encrypted, any attacker could access the data in transit. Furthermore, the number of interested parties affected by the personal data breach is 447 • Intentionality/Negligence in the infringement (article 83.2, letter b), of the RGPD): Although it cannot be understood that UNIQLO acted with malice, a lack of diligence is observed in the fulfillment of the obligations imposed by the regulations on data protection, such as compliance and implementation of the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk in the treatments it carries out, specifically, in the management of the payrolls of its employees; in this respect, the SAN of 17/10/2007 can be cited, which although it was issued before the validity of the RGPD, its pronouncement is perfectly extrapolable to the case that we analyze. The ruling, after referring to the fact that entities in which the development of their activity involves continuous processing of data of clients and third parties must observe an adequate level of diligence, specified that "(...) the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and there is no doubt that, in the case now examined, when the activity of the appellant is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/26 constant and abundant handling of personal data, it is necessary to insist on the rigor and the exquisite care to comply with the legal provisions in this regard • The categories of personal data affected by the infringement (article 83.2, letter g), of the RGPD): In addition to personal identification data of the workers, financial data such as the bank account number and the income they receive monthly were leaked. In section 3.6 of the Guidelines 04/2022 on the calculation of administrative penalties under the GDPR, issued by the European Data Protection Board (hereinafter EDPB), in compliance with the objective of ensuring the consistent application of the General Data Protection Regulation, as attributed to it by its Article 70, the following is established (unofficial translation): “Categories of personal data affected 58. As regards the requirement to take into account the categories of personal data affected [Article 83, paragraph 2, letter g) of the GDPR], the GDPR clearly highlights the types of data that deserve special protection and, therefore, a stricter response with regard to fines. This refers, at a minimum, to the types of data referred to in Articles 9 and 10 of the GDPR and to data outside the scope of these articles whose dissemination causes immediate damage and harm to the data subject 26 (for example, location data, data on private communications, national identification numbers or financial data, such as transaction summaries or credit card numbers).” The following grading factors are also considered as aggravating factors: • The link between the offender's activity and the processing of personal data (Article 76.2, letter b), of the LOPDGDD): The development of business management activities by UNIQLO requires continuous processing of personal data of its employees. In addition, the following grading factors are considered as mitigating factors: Any other aggravating or mitigating factor applicable to the circumstances of the case (Article 83.2, letter k), of the GDPR): The email message had a single recipient, the complainant. The balance of the circumstances contemplated in Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 5.1.f) of the GDPR, allows for an initial administrative fine of €300,000 (three hundred thousand euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/26 VII Obligation breached. Security of processing Article 32 of the GDPR states: "1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include, where appropriate, inter alia: a) pseudonymisation and encryption of personal data; b) the ability to ensure the permanent confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of processing. 2. When assessing the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, in particular as a result of accidental or unlawful destruction, loss, alteration of, or unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed. 3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element of demonstrating compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor who has access to personal data processes such data only on instructions from the controller, unless he or she is required to do so by Union or Member State law." The GDPR defines personal data breaches as “any breach of security leading to the accidental or unlawful destruction, loss, alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data.” The documentation in the file shows the violation of Article 32.1 of the GDPR, due to the failure to adopt appropriate technical and organizational measures, which allowed an unauthorized third party to access the personal data of UNIQLO employees, which was caused by the sending by email of the payrolls of 447 employees. employees of the company UNIQLO. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/26 It should be noted that the GDPR in the aforementioned provision does not establish a list of the security measures that are applicable according to the data that are subject to processing, but rather establishes that the controller and the processor will apply technical and organizational measures that are appropriate to the risk that the processing entails, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, the risks of probability and severity for the rights and freedoms of the interested parties. Likewise, security measures must be appropriate and proportionate to the risk detected, noting that the determination of technical and organizational measures must be carried out taking into account: pseudonymization and encryption, the ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, verification process (not audit), evaluation and assessment of the effectiveness of the measures. In any case, when evaluating the adequacy of the security level to the risk, particular account will be taken into account of the risks presented by data processing, as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication or access to such data and which could cause physical, material or immaterial damages. In this regard, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent processing in violation of this Regulation, the controller or processor should assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the cost of their implementation, in relation to the risks and the nature of the personal data to be protected. When assessing the risk in relation to data security, account should be taken of the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data, which may in particular cause physical, material or immaterial damage.” In the present case, it is evident that the security measures implemented in relation to the data being processed were not adequate to guarantee the security and confidentiality of personal data at the time of the bankruptcy. As Recital 39 also states: “…Personal data must be treated in a way that guarantees adequate security and confidentiality of personal data, including to prevent unauthorized access to or use of such data and the equipment used in the processing.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/26 UNIQLO justifies a series of technical and organizational measures to preserve the security and privacy of its information systems. These measures were not adequate to prevent the events subject to the claim, so the infringement of article 32 of the GDPR occurs because there are no measures to prevent the violation that occurred. Similarly, a number of measures have been taken after the fact, such as allowing former employees access to their payslips for a period of 60 days after the termination of the contract or the review of the payslip sending process by the human resources department, as well as redesigning the internal protocols of said department. These measures cannot be taken into consideration for the purposes of assessing UNIQLO's liability in the facts. UNIQLO's liability is determined by the personal data breach revealed in the complaint, since it is responsible for making decisions intended to effectively implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk in order to ensure the confidentiality of the data, restoring its availability and preventing access to it in the event of a physical or technical incident. In this sense, the measures were not appropriate, regardless of the personal data breach that occurred. The negligent conduct of the employee in the management of personal data contained in the employees' payrolls does not exempt UNIQLO from liability. The company's liability in the area of sanctions for the negligent conduct of an employee that involves non-compliance with data protection regulations has been confirmed by the jurisprudence of the Supreme Court. In this regard, it is worth mentioning the Supreme Court Judgment No. 188/2022 (Contentious Chamber, Section 3), of February 15, 2022 (rec. 7359/2020), whose Legal Basis Fourth provides: “The fact that the conduct of an employee was negligent does not exempt her from her responsibility as the person in charge of the correct use of the security measures that should have guaranteed the proper use of the data recording system designed. As we already held in STS No. 196/2020, of February 15, 2021 (rec. 1916/2020), the data processor is also responsible for the actions of its employees and cannot excuse itself for its diligent actions, separately from the actions of its employees, but rather it is the "guilty" actions of these, as a consequence of the violation of existing security measures, which underlies the liability of the company in the area of sanctions for "own" acts of its employees or positions, not those of third parties." The judgment continues by arguing about the liability of legal persons in our legal system: “…It simply happens that, since our Administrative Law admits the direct liability of legal persons, who are therefore recognized as having the capacity to infringe, the subjective element of the infringement is expressed in these cases in a different way than it is in the case of natural persons, so that, as the constitutional doctrine that we have previously reviewed indicates -STC 246/1991, of December 19 (F.J. 2) and 129/2003, of June 30 (F.J. 8)- the direct blame derives from the legal asset protected by the rule that is infringed and the need for said protection to be truly effective and from the risk that, consequently, must be assumed by the legal person that is subject to compliance with said rule." C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/26 Therefore, in accordance with the evidence available at this time of the agreement to initiate sanctioning proceedings, it is considered that the known facts could constitute an infringement, attributable to UNIQLO EUROPE, LTD, BRANCH IN SPAIN, for violation of the article transcribed above. VIII Classification and qualification of the infringement for the purposes of the limitation period under Article 32 of the GDPR Article 83.4 of the GDPR classifies the infringement of the following article as an administrative infringement, and shall be subject, in accordance with paragraph 2, to administrative fines of not more than EUR 10,000,000 or, in the case of an undertaking, not more than 2% of the total annual turnover of the previous financial year, whichever is higher: "(a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43;" For its part, the LOPDGDD in its article 71, Infringements, states that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.” For the sole purposes of the limitation period, article 73 of the LOPDGDD establishes the following: "In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations: f) The failure to adopt those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679." IX Proposed sanction In accordance with the provisions of article 83.2 of the GDPR and article 76.2 of the LOPDGDD transcribed above, and without prejudice to what results from the instruction of the procedure, for the purposes of setting the amount of the sanction to be imposed in the present case for the infringement classified in article 32 of the GDPR, classified in article 83.4.a) of the GDPR for which UNIQLO is responsible, in an initial assessment, the following factors are considered to be present: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/26 As a preliminary matter, it is estimated that the following circumstances are present: • The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of the damages and losses that they have suffered (Article 83.2, letter a), of the GDPR): Since the information has been sent by email, there is a greater risk of data leakage, not only by the recipient of the email (the complaining party), but also due to the vulnerability of email security, since, as the data is not encrypted, any attacker could access the data in transit.In addition, the number of interested parties affected by the personal data breach is 447 • The categories of personal data affected by the breach (Article 83.2, letter g) of the GDPR): In addition to personal identifying data of the workers, financial data such as bank account numbers and monthly income were leaked. In section 3.6 of the Guidelines 04/2022 on the calculation of administrative penalties under the GDPR, issued by the European Data Protection Board (hereinafter EDPB), in compliance with the objective of ensuring the consistent application of the General Data Protection Regulation, as attributed to it by its Article 70, the following is established (unofficial translation): “Categories of personal data affected 58. As regards the requirement to take into account the categories of personal data affected [Article 83, paragraph 2, letter g) of the GDPR], the GDPR clearly highlights the types of data that deserve special protection and, therefore, a stricter response with regard to fines. This refers, at a minimum, to the types of data referred to in Articles 9 and 10 of the GDPR and to data outside the scope of these articles whose dissemination causes immediate damage and harm to the data subject 26 (for example, location data, data on private communications, national identification numbers or financial data, such as transaction summaries or credit card numbers).” The following grading factors are also considered as aggravating factors: • The link between the offender's activity and the processing of personal data (Article 76.2, letter b), of the LOPDGDD): The development of business management activities by UNIQLO requires continuous processing of personal data of its employees. The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of article 32 of the GDPR, allows for an initial administrative fine of €150,000 (one hundred and fifty thousand euros). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/26 X Adoption of measures If the infringement is confirmed, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the processing operations with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”, in the resolution adopted, UNIQLO may be required to accredit to this Agency within 3 months the adoption of the following measures, without prejudice to other measures that may arise from the instruction of the procedure: - Adopt the technical and organizational measures to guarantee the security of the personal data of its employees. The imposition of these measures is compatible with the sanction consisting of an administrative fine, as provided for in article 83.2 of the GDPR. It is noted that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Spanish Data Protection Agency, IT IS AGREED: FIRST: TO INITIATE SANCTIONING PROCEDURE against UNIQLO EUROPE, LTD, BRANCH IN SPAIN, with NIF W8266168G: - For the alleged infringement of Article 5.1.f) of the GDPR, classified in Article 83.5 of the GDPR. - For the alleged infringement of Article 32 of the GDPR, classified in Article 83.4 of the GDPR SECOND: TO APPOINT C.C.C. as instructor. and, as secretary, D.D.D., indicating that they may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). THIRD: INCORPORATE into the file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/26 FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that may apply, without prejudice to what results from the investigation, would be an administrative fine: - For the alleged infringement of article 5.1.f) of the GDPR, classified in article 83.5.a) of said regulation, administrative fine of 300,000.00 euros - For the alleged infringement of article 32 of the GDPR, classified in article 83.4.a) of said regulation, administrative fine of 150,000.00 euros FIFTH: NOTIFY this agreement to UNIQLO EUROPE, LTD, BRANCH IN SPAIN, with NIF W8266168G, granting it a hearing period of ten business days to make the allegations and present the evidence that it considers appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document. In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its responsibility within the period granted for the formulation of allegations to the present agreement of initiation; which will entail a reduction of 20% of the sanction that must be imposed in the present procedure. With the application of this reduction, the sanction would be established at 360,000.00 euros, the procedure being resolved with the imposition of this sanction. Likewise, it may, at any time prior to the resolution of the present procedure, carry out the voluntary payment of the proposed sanction, which will entail a reduction of 20% of its amount. With the application of this reduction, the penalty would be set at 360,000.00 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for the voluntary payment of the penalty is cumulative to that which corresponds to apply for the recognition of responsibility, provided that this recognition of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 270,000.00 euros. In any case, the effectiveness of either of the two reductions mentioned will be conditioned to the express withdrawal or waiver of any action or appeal in administrative proceedings against the penalty. For these purposes, if you choose to apply for any of them, you must send to the General Subdirectorate of Data Inspection an express communication of withdrawal or waiver of any action or appeal through administrative channels against the sanction indicating which of the two reductions you choose to apply for or whether it is both. If you choose to make a voluntary payment of any of the amounts indicated above (360,000.00 euros or 270,000.00 euros), you must do so C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/26 in cash by depositing it in the account number IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are entitled. Likewise, you must send proof of payment to the Subdirectorate General of Inspection together with the express communication of the withdrawal or waiver of any action or appeal through administrative channels against the sanction in order to continue with the procedure in accordance with the amount paid. In compliance with articles 14, 41 and 43 of the LPACAP, you are advised that, from hereinafter, the notifications sent to you will be made exclusively electronically, through the Unique Authorized Electronic Address (dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the file, considering the procedure carried out and the procedure followed. You are informed that you can identify before this Agency an email address to receive the notice of the availability of the notifications and that the lack of practice of this notice will not prevent the notification from being considered fully valid. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 1479-180624 Mar España Martí Director of the Spanish Data Protection Agency >> SECOND: On July 22, 2024, the respondent party has proceeded to pay the penalty in the amount of 270,000 euros using the two reductions provided for in the Initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations at the opening of the procedure, entails the waiver of any action or appeal in administrative course against the penalty and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement. FOURTH: The aforementioned initiation agreement indicated that, if the infringement is confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its performance to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period…”. Having recognized the responsibility for the infringement, the imposition of the measures included in the initiation agreement is appropriate. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/26 LEGAL BASIS I Competence In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inappropriateness of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is of a purely monetary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.” According to the above, the Director of the Spanish Data Protection Agency RESOLVES: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/26 FIRST: DECLARE the termination of procedure EXP202304685, in accordance with the provisions of article 85 of the LPACAP. SECOND: ORDER UNIQLO EUROPE, LTD, BRANCH IN SPAIN to in the period of 3 months from the date this resolution becomes final and enforceable, notify the Agency of the adoption of the measures described in the legal grounds of the initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to UNIQLO EUROPE, LTD, BRANCH IN SPAIN. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law. 1259-16012024 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es