AEPD (Spain) - EXP202313983

AEPD - EXP202313983
Authority:	AEPD (Spain)
Jurisdiction:	Spain
Relevant Law:	Article 5(1)(c) GDPR Law 39/2015 RD 933/2021
Type:	Complaint
Outcome:	Upheld
Started:	05.02.2025
Decided:	11.03.2025
Published:	13.03.2025
Fine:	1200 EUR
Parties:	n/a
National Case Number/Name:	EXP202313983
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Spanish
Original Source:	AEPD (in ES)
Initial Contributor:	cwa

An accommodation provider was fined €1200 for infringing Article 5(1)(c) GDPR in requiring guests, including children, to send photos of their IDs via WhatsApp.

English Summary

Facts

The data subject rented an accommodation unit for their family from Residential Quality Enjoy (controller). The controller requested that the data subject send copies of their family’s ID, including that of a child, via WhatsApp. The ID card contained the data subject’s name, sex, date of birth and address.

The data subject was not provided with any information on how or why the data was going to be processed.

The data subject filed a complaint with the AEP (Spanish DPA) on the 21st August 2023.

During the investigation, the accommodation provider argued that they were required under Spanish law RD 933/2021 to verify the identity of guests staying in their accommodation.

Holding

The DPA found that while RD 933/2021 did require the verification of the identity of guests, it did not require the retention of copies of IDs.

The DPA, referencing the range of personal data contained within the ID cards, accordingly found that the controller had infringed the data minimisation principle in Article 5(1)(c) GDPR.

The DPA initially imposed a fine of €2000 on the controller but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €1,200.

The DPA also ordered the controller to modify their registration system so that guests do not have to provide a copy of their ID, and, also, to prove that existing copies of previous customer’s IDs have been deleted from their system.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/16

 File No.: EXP202313983

RESOLUTION TERMINATING THE PROCEDURE FOR RECOGNITION OF LIABILITY AND VOLUNTARY PAYMENT

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On February 5, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against RESIDENTIAL
QUALITY ENJOY, S.L. (hereinafter, RESIDENTIAL QUALITY ENJOY), through the following agreement:

<<
File No.: EXP202313983 (PS/00138/2024)

AGREEMENT TO INITIATE SANCTIONING PROCEDURE

Regarding the actions taken by the Spanish Data Protection Agency and based on the following

FACTS

FIRST: On August 21, 2023, a complaint was filed with the Spanish Data Protection Agency for a possible infringement attributable to
RESIDENTIAL QUALITY ENJOY, S.L. (hereinafter, RESIDENTIAL QUALITY ENJOY) with Tax Identification Number (NIF) B72865363.

The facts brought to the attention of this authority:

The complainant states that they contracted accommodation in a tourist apartment with the respondent entity without formalizing a contract, and they were requested to send, via WhatsApp, images of the guests' IDs, including that of a minor, without providing any information regarding data processing.

They state that they have not signed any consent regarding data processing and that, at the apartment, upon handing over the keys, they made them sign a document of which they were not provided a copy.

Along with the complaint, they provide an email address in which a representative of the respondent

requested the IDs of the guests in the contracted apartment.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/16

SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), this complaint was forwarded to RESIDENTIAL QUALITY ENJOY, so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.

The respondent responded to the transfer and request for information on November 7, 2023, although the information provided suggests a possible violation of data protection regulations.

In its response, RESIDENTIAL QUALITY ENJOY describes circumstances related to problems with the payment of the reservation, unrelated to the subject of the claim raised by the complainant. It also provides a WhatsApp conversation with the complainant, in which they are asked to send "a photo of the IDs of the people who will be staying in the apartment." RESIDENTIAL QUALITY ENJOY states that "via email in response to the automatic messages from the app, they sent us the IDs." Finally, they communicate the following measures: an informative poster on data protection will be placed at the property; information regarding data protection will be sent to guests upon first contact with them; and a copy of the rental agreement will be provided, either directly on paper at the property itself or later by email. THIRD: On November 21, 2023, in accordance with Article 65 of the LOPDGDD (General Data Protection Act), the claim was admitted for processing.

LEGAL BASIS

I
Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

II
Procedure

Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulations issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

In accordance with Article 64 of the LOPDGDD, and taking into account the characteristics of the alleged violation, a sanctioning procedure shall be initiated.

The procedure will last a maximum of twelve months from the date of the initiation agreement. After this period, the data will expire and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD (General Data Protection Act).

If no objections are made to this initial resolution within the stipulated period, it may be considered a proposed resolution, as established in Article

64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).

III

Preliminary Questions

Article 4.1) of the GDPR defines "personal data" as:

"any information relating to an identified or identifiable natural person ("the data subject"); An identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Article 4(2) of the GDPR defines "processing" as:

"any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as

collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
other form of making available, alignment or combination, restriction, erasure or destruction."

For its part, Article 4.7 of the GDPR defines the "controller" or "controller" as:

"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law."

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/16

In this case, in accordance with the provisions of Articles 4.1 and 4.2 of the GDPR,
personal data processing is established, since RESIDENTIAL QUALITY ENJOY carries out, among other processing operations, the collection and

communication of personal data of natural persons: identity document number, type of document (DNI in this case), date of issue of the document,
first surname, middle surname, first name, gender, date of birth, and address, among others, data included in the DNI image.

RESIDENTIAL QUALITY ENJOY carries out this activity in its capacity as

data controller, given that it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR.

Within the processing principles set forth in Article 5 of the GDPR, section 1.c) guarantees the principle of data minimization.

IV
Legal Regime for Guest Record Books and Communication of Guest Data to the
Law Enforcement Agencies and State Security Forces

The regulations governing guest record books and guest entry forms in hospitality establishments, as well as the obligation to communicate the information contained in the record sheets to the State Security Forces, are basically constituted by Organic Law 4/2015, of March 30, on the protection of citizen security (hereinafter, Organic Law 4/2015), and Royal Decree 933/2021, of October 26, which establishes the obligations for document recording and information for natural or legal persons engaged in lodging and motor vehicle rental activities (hereinafter, Royal Decree 933/2021).

Article 24 of Organic Law 4/2015 provides in its first section as follows:

"Natural or legal persons who carry out activities relevant to public safety, such as accommodation (...) shall be subject to the obligations of document registration and reporting under the terms established by the applicable provisions."

These obligations are currently implemented by the aforementioned Royal Decree 933/2021, whose
Article 2 establishes the following:

Article 2. Definitions.

For the purposes of this Royal Decree, the following are considered:

1. Hospitality activities: those carried out, professionally or non-professional, for the purpose of providing, in exchange for a price, consideration, or compensation,

a room or space for overnight stays to individuals, with or without other complementary services. In any case, the following activities are included in this definition:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/16

a) Those carried out by commercial establishments open to the public integrated
in this sector in accordance with the regulations issued by the competent administration. This concept includes hotels, hostels, guesthouses, guest houses, rural tourism establishments, or similar.

b) […]

3. Obligated entities: natural or legal persons who carry out or mediate in the activities described. (emphasis added).

For its part, Article 4.3 of Royal Decree 933/2021 provides that: "The reports and sheets will be provided by the accommodation or vehicle rental establishment, which will be responsible for the accuracy of the data recorded therein, so that they match the documents or systems that prove the identity of the persons, which must be shown or provided by the users of these services."

Section 3 of Annex I.A of Royal Decree 933/2021 specifies the guest information that must be entered into the "Registration Sheet" that the entity responsible for the accommodation establishment must forward to the State Security Forces. These are:

a) Name.

b) First surname.

c) Second surname.

d) Sex.

e) Identity document number.

f) Document support number.

g) Document type (DNI, passport, TIE).

h) Nationality.

i) Date of birth.

j) Place of habitual residence. – Full address. – City. – Country.

k) Landline telephone number.

l) Mobile telephone number.

m) Email address.

n) Number of guests.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/16

o) Relationship between guests (if any are minors).”

The apartment rental activity for tourism purposes carried out by RESIDENTIAL QUALITY ENJOY is included within the scope of RD 933/2021, according to Article 2, which is directed at natural or legal persons who carry out accommodation activities.

The obligation to verify the accuracy of guests' personal data, provided for in Article 4.3 of RD 933/2021, must be fulfilled without the need to request a copy or image of the ID document or a scan of it, as there are other equally valid alternatives that allow this verification to be carried out reliably.

The collection of the image or photocopy of your ID (both sides), passport, or other identity documents involves the processing of personal data that exceeds that required in Section 3 of Annex I.A of Royal Decree 933/2021, such as: the image of the traveler's face, the expedition team number, or the names of the traveler's parents, for which there is no legal obligation to collect, record, and communicate. All of these would constitute personal data whose collection would entail excessive processing, which is contrary to the principle of data minimization provided for in Article 5.1.c) of the GDPR.

V
Breached obligation. Data Minimization

Article 5.1(c) of the GDPR provides:

"1. Personal data shall be:
(…)
c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");"

In the present case, RESIDENTIAL QUALITY ENJOY, on August 7, 2023, sent a WhatsApp message to the complainant requesting "a photo of the IDs of the people who will be staying in the apartment." The complainant sent an email, on August 7, 2023, to the complainant, an image of all the IDs of the people who would be staying in the RESIDENTIAL QUALITY ENJOY apartment.

In accordance with the provisions of the regulations set forth in Legal Basis IV,
it is verified that it is not mandatory to collect, record, or communicate to the competent authorities the image, photocopy, or full image of each traveler's identity document, but only some of the data contained therein, such as:
first and last name, identification number, support number, type of document (DNI; passport, etc.), nationality, and date of birth.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/16

According to our constitutional jurisprudence, if the right to privacy acts as a barrier against interference or intrusion by others (STC 142/1993, of April 22), the right to data protection "consists of a power of disposition and control over personal data" (SSTC 290 and 292/2000, of November 30); if the right to privacy prohibits third parties from knowing certain aspects of a person (intimate aspects or aspects related to their private and family life), the right to data protection provides guarantees of disposition and control over personal data that may or may not fall within the scope of privacy and that may be subject to knowledge and handling by others; If the right to privacy is the right to

refrain from others from accessing our personal sphere, the right to data protection implies, above all, self-determination over our data.

It is worth highlighting the considerations regarding the data minimization principle made by the European Data Protection Board (EDPB). In compliance with the objective of ensuring the consistent application of the General Data Protection Regulation (as assigned by Article 70 of the GDPR), on October 20, 2020, it adopted Guidelines 4/2019 on Article 25: Data Protection by Design and by Default (https://edpb.europa.eu/system/files/2021-04/edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_es.pdf).
Section 76 of these guidelines establishes that

“Essential elements by design and by default with respect to data minimization may include the following:
• Data avoidance: All processing of personal data shall be avoided where possible to fulfill the relevant purpose.

• Limitation: The amount of personal data collected shall be limited to that strictly necessary for the intended purpose.
(…)
• Relevance: Personal data must be relevant to the processing in question, and the controller must be able to demonstrate such relevance.

• Necessity: Each category of personal data shall be necessary for the specified purposes and should only be processed if the purpose cannot be fulfilled by other means.”

From the application of these characteristics of the data minimization principle, it follows that the collection of data, such as the image of the ID of its guests, by RESIDENTIAL QUALITY ENJOY cannot be justified. This personal data is not mandatory nor relevant to the processing in question, and must be limited to what is necessary to comply with the provisions of the regulations contained in Legal Basis IV.

Therefore, based on the evidence available at this time regarding the agreement to initiate sanctioning proceedings, it is considered that the known facts could constitute an infringement, attributable to RESIDENTIAL QUALITY ENJOY, for violating the aforementioned article.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/16

VI
Classification of the violation of Article 5.1.c) of the GDPR and classification for the purposes of

statute of limitations

Article 83.5 of the GDPR classifies the violation of the following article as an administrative offense, which shall be punishable, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, of

an amount equivalent to a maximum of 4% of the total annual global turnover of the preceding financial year, whichever is higher:

"a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9;"

For its part, the LOPDGDD (Organic Law on Personal Data Protection) in its Article 71, "Infractions," states that:

"The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements."

For the sole purpose of the statute of limitations, Article 72.1 of the LOPDGDD establishes the following:

"In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein, and in particular, the following, are considered very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."

VII
Proposed Sanction

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for violations of this Regulation indicated in paragraphs 4, 9, and 6 are, in each individual case, effective, proportionate, and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, severity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/16

b) the intentionality or negligence involved in the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous breaches committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority to remedy the breach and mitigate any adverse effects of the breach;

(g) the categories of personal data affected by the breach;
(h) how the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42, and
k) any other aggravating or mitigating factors applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD (Organic Law on the Protection of Personal Data)
provides:

"1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation
(EU) 2016/679 shall be applied taking into account the grading criteria
established in paragraph 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679,

the following may also be taken into account:
a) The continuous nature of the infringement.

b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
f) The impact on the rights of minors.
g) Having a data protection officer, when not mandatory, in place.

h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where there are disputes between them and any interested party.

In the present case, considering the seriousness of the potential infringement, especially considering the consequences that its commission has on those affected, a fine would be appropriate, in addition to the adoption of measures, if appropriate.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/16

The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR.

For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the decision to initiate sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered that the balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 5.1.c) of the GDPR, allows for the initial imposition of an administrative fine of €2,000.00.

VIII

Corrective Measures

If the violation is confirmed, the resolution issued may establish the corrective measures that the offending entity must adopt to end the non-compliance with personal data protection legislation, in this case Article 5.1.c) of the GDPR, in accordance with the provisions of the aforementioned Article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period..."

Thus, the responsible entity may be required to bring its actions into compliance with personal data protection regulations, within the scope expressed in the previous Legal Basis.

This document establishes the alleged violation committed and the facts that could lead to this potential breach of data protection regulations. From this, it is clear what measures to be adopted, without prejudice to the specific procedures, mechanisms, or instruments to implement them being the responsibility of the sanctioned party, as the data controller is fully familiar with their organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD. However, in this case, regardless of the foregoing, in accordance with the evidence currently available regarding the agreement to initiate sanctioning proceedings, the resolution adopted may require RESIDENTIAL QUALITY ENJOY to adopt the following measures within two months from the date of the final resolution of this procedure:

- Modify its registration system so that it no longer requires the provision of a copy or image of guests' identification documents as a requirement for accommodation.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/16

- Prove that any photographs of its guests' identification documents currently stored in its system have been deleted.

The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in Art. 83.2 of the GDPR.

Please note that failure to comply with the possible order to adopt measures imposed by

this body in the resolution of this sanctioning procedure may be
considered an administrative infraction pursuant to the provisions of the GDPR,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may lead to the
opening of a subsequent administrative sanctioning procedure.

Please also remember that neither the acknowledgment of the infraction committed nor, where applicable, the voluntary payment of the proposed amounts, exempts you from the obligation to
adopt the relevant measures to cease the conduct or correct the effects of the infraction committed, nor from the obligation to prove compliance with this obligation to this AEPD.

Therefore, in light of the above, the President of the Spanish Data Protection Agency,
HAS RESOLVED:

FIRST: TO INITIATE SANCTIONING PROCEEDINGS against RESIDENTIAL QUALITY ENJOY, S.L., with Tax Identification Number (NIF) B72865363, for the alleged violation of Article 5.1.c) of the GDPR, as defined in Article 83.5 of the GDPR.

SECOND: TO APPOINT A.A.A. as investigating judge and B.B.B. as secretary, indicating that they may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the proceedings prior to the initiation of this sanctioning procedure.

FOURTH: THAT for the purposes set forth in Article 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the applicable sanction would be an administrative fine of €2,000.00, without prejudice to the outcome of the investigation.

FIFTH: NOTIFY this agreement to RESIDENTIAL QUALITY ENJOY, S.L.,

with Tax ID No. B72865363, granting it a hearing period of ten business days to formulate its allegations and present any evidence it deems appropriate. In its written allegations, it must provide its Tax ID No. and the procedure number shown in the heading of this document.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/16

In accordance with the provisions of Article 85 of the LPACAP, it may acknowledge its liability within the period granted for the formulation of allegations to this initiation agreement; this will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be set at €1,600.00, and the procedure would be resolved with the imposition of this penalty.

Similarly, at any time prior to the resolution of this procedure, the applicant may voluntarily pay the proposed penalty, which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at €1,600.00, and its payment would terminate the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the penalty is cumulative with the reduction applicable for acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for submitting allegations at the opening of the procedure. Voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the penalty would be set at €1,200.00.

In any case, the effectiveness of either of the two aforementioned reductions will be conditioned on the express withdrawal or waiver of any administrative action or appeal against the sanction.

To this end, if you opt for either of them, you must send to the

General Subdirectorate of Data Inspection an express notification of the withdrawal or waiver of any administrative action or appeal against the sanction, indicating which of the two reductions you are opting for, or if you are opting for both.

If you choose to voluntarily pay any of the amounts indicated above (€1,600.00 or €1,200.00), you must do so by depositing it into account IBAN: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the entry the reference number of the procedure shown in the heading of this document and the reason for the reduction in the amount you are claiming.

You must also send proof of payment to the Subdirectorate General of Inspection along with express notification of your withdrawal or waiver of any administrative action or appeal against the penalty in order to continue with the procedure in accordance with the amount paid.

Finally, it is noted that, pursuant to Article 112.1 of the LPACAP,
there is no administrative appeal against this act.

1479-111124

Olga Pérez Sanjuán

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/16

The Deputy Director General of Data Inspection, in accordance with Art. 48.2
LOPDGDD, due to vacancy in the position of President and Deputy President
>

SECOND: On February 18, 2025, RESIDENTIAL QUALITY ENJOY paid the fine in the amount of €1,200.00, making use of the two reductions provided for in the initiation agreement transcribed above, which implies acknowledgment of liability in relation to the events referred to in the initiation agreement and its legal classification.

THIRD: RESIDENTIAL QUALITY ENJOY expressly waived any administrative action or appeal against the fine.

FOURTH: The initiation agreement transcribed above indicated that, if the infringement was confirmed, it could be agreed that the controller would be required to adopt appropriate measures to bring its actions into compliance with the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period...".

Having recognized responsibility for the infringement, the measures included in the initiation agreement may be imposed.

LEGAL BASIS

I
Jurisdiction

In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, this Organic Law, the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."

II

Termination of the procedure

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/16

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely monetary in nature, or when a monetary sanction and a non-monetary sanction may be imposed, but the inadmissibility of the latter has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will terminate the procedure, except with regard to restoring the altered situation or determining compensation for damages caused by the commission of the violation.

3. In both cases, when the sanction is solely monetary in nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be combined. The aforementioned reductions must be specified in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the penalty.

The percentage reduction provided for in this section may be increased by regulation.

III

Voluntary payment and acknowledgment of liability

In accordance with the provisions of the aforementioned Article 85 of the LPACAP, the notified initiation agreement provided information on the possibility of acknowledging liability and voluntarily paying the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the penalty would be set at €1,200.00, and its payment would imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

Following notification of the aforementioned initiation agreement, RESIDENTIAL QUALITY ENJOY has

acknowledged liability and voluntarily paid the fine,
availing itself of the two reductions provided for and expressly waiving any
administrative action or appeal.

It should be noted that, in accordance with the provisions of the LPACAP, as well as

the Supreme Court's jurisprudence on this matter, the exercise of voluntary payment by the alleged liable party does not exempt the administration from its obligation to resolve and notify all proceedings, regardless of their form of initiation. Similarly, Article 88 of the aforementioned regulation establishes that the resolution
ending the proceedings will decide all issues raised by the interested parties and any other issues arising from them.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/16

Therefore, in accordance with applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the commission of the violations and CONFIRM the sanctions
determined in the operative section of the initiation agreement transcribed in this resolution.

The sum of the aforementioned amounts results in a total of 2,000.00 euros.

After RESIDENTIAL QUALITY ENJOY, S.L. has made prompt payment and acknowledged liability, pursuant to Article 85 of the LPACAP,
the aforementioned total is reduced by 40%, resulting in a final amount of

1,200.00 euros.

SECOND: DECLARE the termination of procedure EXP202313983, in accordance with the provisions of Article 85 of the LPACAP.

THIRD: ORDER RESIDENTIAL QUALITY ENJOY, S.L. to notify the Agency within two months of this resolution becoming final and enforceable of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution.

FOURTH: NOTIFY RESIDENTIAL QUALITY ENJOY, S.L. of this resolution.

FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment and acknowledgment of liability on the withdrawal or waiver of any action or appeal through administrative channels, this authority accepts the waiver expressly stated by RESIDENTIAL QUALITY ENJOY, S.L., and consequently, no optional appeal for reconsideration may be filed against this resolution, all without prejudice to the possibility of resorting to contentious-administrative proceedings.

Consequently, taking into account the provisions of Article 90 of the LPACAP, given that no appeal may be made through administrative channels since this resolution has been expressly waived, this resolution will be final and fully enforceable upon notification.

However, in accordance with the provisions of Article 90.3.a) of the LPACAP (Spanish Data Protection Act), a final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also submit to the Agency the documentation proving the effective filing of the administrative appeal. If the
Agency does not become aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.

In accordance with Article 50 of the LOPDGDD (Spanish Data Protection Act), this resolution will be made public once it has been notified to the interested parties.

1259-180225
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es