AEPD (Spain) - EXP202310875

From GDPRhub
AEPD - EXP202310875
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.06.2023
Decided: 08.07.2024
Published:
Fine: 4,000 EUR
Parties: Asociación Escuela Nacional de Equitación
National Case Number/Name: EXP202310875
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: fb

The DPA fined a controller €4,000 after it shared the data subject’s name on its Google profile. In addition, it did not provide the data subject with the information set by Article 14 GDPR.

English Summary

Facts

The controller, a horse riding school, has a profile on Google where customers can write reviews. Following some negative comments written by customers, the controller replied to them.

Since the controller believed that these reviews were defaming its reputation, it referred to the possibility of suing the authors of the reviews in court, like it had already successfully done with the data subject. In doing so, the controller explicitly mentioned the name of the data subject.

The data subject, having noticed that their name appeared in these replies, filed a complaint with the DPA. They argued that the judgement at hand was the result of a court proceeding initiated by another entity and that they had never sent the controller this judgement.

Holding

First, the DPA held that the controller had shared the name of the data subject on its Google profile without the proper legal basis. Therefore, it found a violation of Article 6 GDPR.

Secondly, the DPA noted that it is obvious that the controller has personal data of the data subject. Moreover, the controller has not proved that it had collected that data directly from the data subject. Therefore, the controller should have given the data subject the information set by Article 14 GDPR. Since it did not do so, the DPA found a violation of this provision.

On these grounds, the DPA issued a fine of €4,000 and ordered the controller to delete the data subject’s data.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202310875

SANCTIONING PROCEDURE RESOLUTION

From the procedure instructed by the Spanish Data Protection Agency and based
on the following

BACKGROUND

FIRST: On June 25, 2023, A.A.A. (hereinafter, the complaining party)
filed a claim with the Spanish Data Protection Agency.

The claim is directed against ASOCIACIÓN ESCUELA NACIONAL DE
EQUITACIÓN with NIF G88409586 (hereinafter, the respondent party).

The reasons on which the claim is based are the following:

After pointing out that he has not provided any personal data to the aforementioned Association,
the complainant states that the respondent party exposes, without prior
consent, his identifying data, such as name and surname, in
responses made by said entity to reviews that other people left on the
GOOGLE profile of the same.

He states that in said review there is a reference to a sentence of a procedure
initiated between the EDUKA PROJECT ASSOCIATION against the complainant,
so he understands that data has been communicated between said associations, without his
consent. However, the complainant does not provide evidence of this
communication of data between associations, which proves that said sentence was
provided by that Association to the respondent party, nor that this is the sentence
referred to in the reviews in question.

The complainant provides three screenshots of the Google profile of the National Riding School – ENE – where the negative comments regarding the respondent entity that other people left on said profile are answered. The text of the respondent party's responses to these comments is reproduced in the Second Proven Fact.

The complainant understands that the facts stated constitute a treatment
without a legitimate basis and that the duty to inform about the treatment of the data has been omitted.

SECOND: On 01/08/2023, the Subdirectorate General of Data Inspection of the AEPD accessed the company profile of the respondent party, verifying
that the reviews and the responses to them that are the subject of the complaint are still visible. Regarding the date of these reviews, “One month ago”, “4 months
ago” and “6 months ago” are indicated.

It is also noted that there is another review with a similar response, with the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/14

same text transcribed in the First Background. It includes the indication “7 months ago”.

THIRD: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded to the respondent party on August 2, 2023, so that it could proceed with its analysis and inform this Agency within one month of the actions taken to comply with the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) by electronic notification, was not collected by the responsible party, within the period of availability, and was deemed to have been rejected
in accordance with the provisions of art. 43.2 of the LPACAP on August 13, 2023,
as stated in the certificate in the file.

Although the notification was validly made by electronic means, the procedure being considered as carried out in accordance with the provisions of article 41.5 of the LPACAP, for information purposes a copy was sent by post in accordance with the rules established
in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP) by certified mail,
on August 14, 2023, and this was returned as "Absent (not collected at the
office)".

No response has been received to this transfer letter.

FOURTH: On September 25, 2023, in accordance with article 65
of the LOPDGDD, the claim submitted by the claimant was admitted for processing.

FIFTH: To find out the corporate purpose of the entity being claimed, follow the link:

“Who we are - Escuela Nacional de Equitación (escuelanacionalequitacion.es)”.

By following this link you can access its website where, among others, the following aspects are publicly indicated:

“The NATIONAL EQUITATION SCHOOL (ENE) is an initiative promoted by
the Eduka Studies Chair, and specifically by its group of researchers from the
Equestrian Campus, created at the Rey Juan Carlos University.

(…) its purpose is the professionalization of the leisure sector, free time,
active tourism, adventure, sports practice and specific professional training.”

(…)
(…) In addition to the already highly structured training offer, international studies were added

from the Anglo-Saxon level system, for Basic Equitation levels I and II (3rd and 4th year of
Compulsory Secondary Education), which provide the possibility of taking an International Baccalaureate in Horse Riding
(first and second year of level III), with academic validity (equivalent to 1st and 2nd year of
Baccalaureate), allowing the student access to any university in the world; or


continue with the university degree in Horse Sciences and Horse Riding (levels IV,
V and VI).

(…)

(…) the ENE, with its headquarters at the Finca Equilibrium High Performance Centre
in Torrelaguna in Madrid, has an important network of affiliated centres, where
different equestrian specialties and trades are worked on; (…).

(…) the teaching vocation that marks the main line of work of the ENE, since
without education the progress of the sector is impossible, has allowed it to enjoy the
authorization as an approved teaching center for special regime sports teaching in Equestrian, recognized by Resolution of November 25, 2020 (published in the Official Gazette of the Junta de Castilla y León, on Wednesday, December 9, 2020), by the Ministry of Education of the Junta de Castilla y León
(center code 05009911), and by Order 1560/2021 of June 1 and Order
4068/2023 of October 23, of the Ministry of Education of the Community of
Madrid (center codes 28080700 and 28082058 respectively); as well as
and as the first University Chair in the field, to be able to impart the
official and valid teachings for all of Europe, in the field of Horse Riding, that the

Universities participating in the project are putting into circulation, in order to
achieve this intended professionalization of Horse Riding in Spain.”

SIXTH: On 03/11/2024, the General Subdirectorate of Data Inspection
of the AEPD confirmed that the reviews mentioned in the First and
Second Backgrounds and the responses to them made by the respondent party remain
visible in the Google company profile of this entity.

SEVENTH: On April 4, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent party,
for the alleged violation of Article 6 of the GDPR and Article 14 of the GDPR, classified in
Article 83.5 of the GDPR.

EIGHTH: Having notified the aforementioned initiation agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of Public
Administrations (hereinafter, LPACAP) and having elapsed the period granted
for the formulation of allegations, it has been noted that no allegation has been received
by the respondent party.

Article 64.2.f) of the LPACAP - a provision of which the respondent party was informed
in the agreement to open the procedure - establishes that if no
allegations are made within the stipulated period regarding the content of the agreement to initiate the procedure, when
it contains a precise statement about the imputed liability,
it may be considered a resolution proposal. In the present case, the agreement to
initiate the sanctioning procedure determined the facts in which the imputation was specified, the infringement of the RGPD attributed to the respondent and the sanction that could
be imposed. Therefore, taking into account that the respondent party has not
made allegations to the agreement to initiate the procedure and in accordance with the provisions of
article 64.2.f) of the LPACAP, the aforementioned agreement to initiate the procedure is
considered in the present case a resolution proposal.


In view of all the actions taken by the Spanish Data Protection Agency
in this procedure, the following facts are considered proven:

PROVEN FACTS

FIRST: The respondent party has stated to this Agency that it has not provided
any personal data to the ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN and
that the duty to inform about the processing of its personal data by the same has been omitted.

SECOND: The entity ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN published
on its Google profile, without any access restrictions, three reviews with the following
text:

“Hello… (name and surname of the person to whom this reply is made), we are taking
legal action against those people who defame the name of the company.
When someone, lying and of course without written arguments, slanders the good name of an institution, the latter is forced to take legal action
to protect its image, as we have been doing in cases where there is already
a final conviction against A.A.A. (...), for example, and other people
indicted for this same matter. If you want to know about it on a personal level, we are
transparent and we will send you a copy of the judgment, and as much documentation
as you need to prove our good conduct. We demand an immediate
rectification, before filing the corresponding criminal complaint for slander. Greetings.” (answer used on two occasions).

“Hello… (name of the person to whom the response is being made). We are sorry that you say that…
However, we would like to inform you that we are taking legal action against those people
who defame the name of the company. When someone, lying and of course without written arguments, slanders the good name of an institution, the latter is
forced to take legal action to protect its image, as we have been
doing in cases where there is already a final conviction against A.A.A. (...), for
example, and other people indicted by this same person…”.

With these reviews or comments, the NATIONAL RIDING SCHOOL ASSOCIATION responds to the negative comments regarding the entity in question
that other people left on the aforementioned profile.

A copy of these reviews was provided to the proceedings by the complainant with his
complaint dated June 25, 2023.

THIRD: On August 1, 2023, the Subdirectorate General of
Data Inspection of the AEPD accessed the company profile of the NATIONAL RIDING SCHOOL ASSOCIATION, verifying that, as of that date,
the comments indicated in the Second Proven Fact were still visible.
Regarding the date of these reviews, it indicates “One month ago”, “4 months ago” and
“6 months ago”.


It was also found that there is another review published with a similar response, with the same text transcribed in the Second Proven Fact. It includes the
indication “7 months ago”.

FOURTH: On March 11, 2024, the General Subdirectorate of Data Inspection of the AEPD
verified that the reviews mentioned in the Second and Third Proven Facts and the responses to them made by the respondent party
continued to be visible on the Google company profile of the NATIONAL RIDING SCHOOL ASSOCIATION.

BASIS OF LAW

I
Competence

In accordance with the powers granted to each supervisory authority by article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
on a subsidiary basis, by the general rules on administrative procedures."

II

Preliminary issues

In the present case, it is claimed that, without prior consent, the
identifying data of the complaining party, such as name and surname, have been
disseminated in responses made by said entity to reviews that other people
left on the GOOGLE profile of the same.

III
Article 6 of the RGPD

Article 6.1 of the RGPD establishes the assumptions that allow the
processing of personal data to be considered lawful, indicating the following:

“1. The processing will only be lawful if at least one of the following conditions is met:

a) the interested party has given his or her consent to the processing of his or her personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party
is a party or in order to take steps at the request of the interested party prior to entering into a contract;


c) the processing is necessary for compliance with a legal obligation applicable to the
data controller;

d) the processing is necessary to protect the vital interests of the interested party or another
natural person;

e) the processing is necessary for the performance of a task
carried out in the public interest or in the exercise of official authority vested in the
data controller;

(f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.

The facts set out above, namely the dissemination of personal data of the complaining party, such as name and surname, on the GOOGLE profile of the respondent entity, without prior consent or any other legal basis, are considered to imply processing of personal data by the respondent party despite lacking the necessary legitimacy to do so.

IV
Classification of Article 6 of the GDPR

The aforementioned infringement of Article 6 of the GDPR could entail the commission of the infringement classified in Article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall be punishable, in accordance with
paragraph 2, by administrative fines of not more than EUR 20,000,000 or, in the case of an undertaking, not more than 4% of the total annual turnover of the preceding financial year, whichever is higher:

a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9; (…)”

In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.

For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:

“1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:


b) The processing of data without any of the conditions for the lawfulness of the processing established in Article 6 of Regulation (EU) 2016/679. (…)”

V
Article 14 of the GDPR

Article 14 of the GDPR, in relation to the information that must be provided when
the personal data has not been obtained from the data subject, establishes the following:

“1. Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

a) the identity and contact details of the controller and, where applicable, of his or her representative;

b) the contact details of the data protection officer, where applicable;

c) the purposes for which the personal data are processed and the legal basis for the processing;

d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, where applicable;

(f) where applicable, the intention of the controller to transfer personal data to a recipient in a third country or international organisation and the existence or absence
of an adequacy decision by the Commission, or, in the case of transfers
referred to in Articles 46 or 47 or the second subparagraph of Article 49(1),
a reference to adequate or appropriate safeguards and the means of obtaining a copy of them or the fact that they have been provided.

2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure
fair and transparent processing of data in relation to the data subject:

(a) the period for which the personal data will be stored, or, where that is not possible, the criteria used to determine that period;

(b) where processing is based on Article 6(1)(f) the legitimate interests of the controller or a third party;

(c) the existence of the right to request from the controller access to, rectification or erasure of, or restriction of processing of, personal data concerning the data subject and to object to processing, as well as the right to data portability;

(d) where processing is based on Article 6(1)(a) or Article 9(2)(a) the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

(e) the right to lodge a complaint with a supervisory authority;

(f) the source
from which the personal data originate and, where applicable, whether they originate from publicly
accessible sources;

(g) the existence of automated decision-making, including profiling, referred to in
Article 22, paragraphs 1 and 4, and, at least in such cases, meaningful
information about the logic involved, as well as the significance and the envisaged
consequences of such processing for the data subject.

3. The controller shall provide the information referred to in paragraphs 1 and 2:

a) within a reasonable period after obtaining the personal data and at the latest within one month, taking into account the specific circumstances in which the personal data are processed;

b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the data subject, or

c) if the personal data are intended to be communicated to another recipient, at the latest at the time when the personal data are first communicated.

4. Where the controller intends to process personal data further for a purpose other than that for which they were obtained, he shall, before such further processing, provide the data subject with information about that other purpose and with any other relevant information referred to in paragraph 2.

5. Paragraphs 1 to 4 shall not apply where and to the extent that:

a) the data subject already has the information;

b) the provision of that information would be impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article would make it impossible or seriously impede the achievement of the objectives of such processing. In
such cases, the controller shall take appropriate measures to protect the rights,
freedoms and legitimate interests of the data subject, including by making the
information public;

c) the collection or disclosure is expressly provided for by Union or Member State law to which the controller is
applicable and which provides for appropriate measures to protect the legitimate interests of the data subject, or


d) where the personal data must remain confidential on the basis of an obligation of professional secrecy governed by Union or Member State law,
including a statutory obligation of secrecy.”

In the present case, it is clear that the respondent party has the data of the complainant, at least the first name and surname, without the latter having provided any evidence of the collection of such data directly from the complainant, who, moreover, has denied having had any contact with the respondent.

Therefore, the respondent party should have informed the complainant once it obtained
their personal data from a third party, in the sense expressed in the aforementioned article 14
of the GDPR.

Therefore, it is considered that the facts subject to the complaint violate
article 14 of the GDPR, by not providing the information required in accordance with said
precept, when the personal data used have not been obtained from the interested party,
as in this case.

VI
Classification of Article 14 of the GDPR

The aforementioned infringement of Article 14 of the GDPR could entail the commission of the infringement classified in Article 83.5 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions shall be punishable, in accordance with
section 2, by administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is higher:

b) the rights of interested parties pursuant to Articles 12 to 22”.

For the purposes of the limitation period, Article 72 “Infringements considered very
serious” of the LOPDGDD indicates:

“1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered to be very serious and will be subject to a three-year statute of limitations:

h) Failure to inform the data subject about the processing of his or her personal data in accordance with the provisions of Articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this Organic Law

VII

Graduation of sanctions

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:


“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as an alternative to the measures referred to in
Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:

(a) the nature, gravity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them;

(b) the intentionality or negligence of the infringement;

(c) any measures taken by the controller or processor to
mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor,
taking into account any technical or organisational measures implemented by them pursuant
to Articles 25 and 32;

(e) any previous infringement committed by the controller or processor;

(f) the extent of cooperation with the supervisory authority in order to remedy the
breach and mitigate any adverse effects of the infringement;

(g) the categories of personal data affected by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in
particular whether and, if so, to what extent the controller or processor notified the infringement;

(i) where measures referred to in Article 58(2) have been previously ordered
against the controller or processor concerned in relation to the same matter, compliance with those measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42,

(k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”

For its part, Article 76 “Penalties and corrective measures” of the LOPDGDD
provides:


“1. The penalties provided for in paragraphs 4, 5 and 6 of Article 83 of Regulation
(EU) 2016/679 shall be applied taking into account the grading criteria
established in paragraph 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:

a) The continued nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.

c) The benefits obtained as a result of committing the infringement.

d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the controller or processor, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are disputes between them and any interested party.”

Penalty for infringement of Article 6 of the GDPR.

In accordance with the provisions transcribed, in order to set the amount of each penalty
for each infringement, each fine is graded taking into account:

Article 83.2.a) of the GDPR: “a) the nature, seriousness and duration of the infringement,
taking into account the nature, scope or purpose of the processing operation
in question as well as the number of data subjects affected and the level of damage and
loss they have suffered”.

The nature and seriousness of the infringement, taking into account the context in which the
personal data of the complaining party are disseminated and that such dissemination is carried out
through the Internet without any restriction.

The duration of the infringement, considering the period during which the personal data of the complaining party have
remained visible in the Google profile of the respondent party. The Third and Fourth Proven Facts state that, as of August 1, 2023, the four reviews subject to the proceedings had been published for 1, 4, 6 and 7 months, respectively, and that they remained visible as of March 11, 2024.

Article 83.2.b) GDPR: “b) negligence in the processing of data”


The dissemination of the personal data of the complainant on four occasions through the publication of a review with a practically identical text
is the result of intentional conduct by the respondent.

Considering the factors set out, the amount of the fine is €2000 for the
infringement of article 6 of the aforementioned GDPR, for processing personal data without
legitimacy, which would imply that we are dealing with unlawful processing.

Penalty for the infringement of article 14 of the GDPR.

In accordance with the transcribed provisions, in order to set the amount of each sanction
for each infringement, each fine is graded taking into account:

Article 83.2.a) of the GDPR: “a) the nature, seriousness and duration of the infringement,
taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damages and
losses they have suffered”.

The nature and seriousness of the infringement, insofar as the failure to comply with the
obligation to provide information in a case in which the personal data of the
complainant party had been obtained from a third party affects the capacity of the data owner to exercise true control over them.

Considering the factors set out, the fine for the infringement of article 14 of the
RGPD is 2,000 euros (two thousand euros).

VIII
Measures

It is agreed to impose on the controller the adoption of appropriate measures to adjust
its actions to the regulations mentioned in this act, in accordance with the provisions of
the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may
“order the controller or processor to comply with the provisions of this Regulation,
where appropriate, in a certain manner and within a specified period…”. The imposition of
this measure is compatible with the sanction consisting of an administrative fine, according to
the provisions of art. 83.2 of the GDPR.

This act establishes the infringement committed and the facts that give rise to the violation of the data protection regulations, from which it is clearly inferred what measures are to be adopted, without prejudice to the fact that the type of procedures, mechanisms or specific instruments to implement them corresponds to the sanctioned party, since it is the controller who fully knows its organization and must decide, based on proactive responsibility and a risk approach, how to comply with the GDPR and the LOPDGDD.

In this specific case, this Agency requires the responsible entity to, within a period of
one month, starting from the day following the notification of this resolution,
prove that it has proceeded to the complete deletion of the personal data of the complaining party.

Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduating the sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN, with NIF G88409586, for an infringement of Article 6 of the GDPR and Article 14 of the GDPR, classified in Article 83.5 of the GDPR, a fine of 4,000 euros (four thousand euros), an amount obtained from the sum of two sanctions of €2000 for infringements of articles 6 and 14 of the GDPR, classified in Article 83.5 of the GDPR and, for the purposes of prescription, in Articles 72.1 b) and 72.1 h) of the LOPDGDD respectively.

SECOND: TO ORDER ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, to prove, within a period of one month from the day following notification of this resolution, that it has proceeded to the complete deletion of the personal data of the complainant.

THIRD: TO NOTIFY the present resolution to ASOCIACIÓN ESCUELA NACIONAL DE EQUITACIÓN.

FOURTH: This resolution will be enforceable once the period for filing the
optional appeal for reconsideration ends (one month from the day following the
notification of this resolution) without the interested party having made use of this faculty.

The sanctioned party is warned that it must pay the sanction imposed once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, in the restricted account nº IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.

Once the notification has been received and is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency, in the period of one month from the day following the notification of this resolution, or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the
referenced Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final decision may be
suspended as a precautionary measure in administrative proceedings if the
interested party states his intention to lodge an administrative appeal.

If this is the case, the interested party must formally communicate this fact by means of a letter addressed to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. He must also transfer to the Agency the documentation that proves the effective filing of the administrative appeal. If the Agency is not aware of the filing of the administrative appeal within two months from the day following the notification of this resolution, it will terminate the precautionary suspension.

938-16012024
Mar España Martí

Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es