AEPD (Spain) - EXP202316737

From GDPRhub
AEPD - EXP202316737
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Ley 34/2002
Type: Complaint
Outcome: Upheld
Started: 24.10.2023
Decided: 09.09.2024
Published:
Fine: 20,000 EUR
Parties: The Nude Project
National Case Number/Name: EXP202316737
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Ao

The DPA fined a clothing retailer €20,000 for failing to demonstrate that the data subject had consented to commercial advertisements when providing their e-mail address in order to receive a digital receipt for a purchase.

Facts

On the 24 October 2023, the data subject filed a complaint with the Spanish DPA (AEPD) against the controller, a clothing retailer called “Nude project”. The data subject alleged that the controller had infringed Law 34/2002 which is the Spanish national implementation of the EU e-privacy Directive.

On the 23 September 2023, the data subject was in one of the controller’s shops and upon requesting the receipt for a purchased item, was told that they can only be provided digitally. They had the option of either providing an e-mail address or a telephone number and were then handed a tablet to enter their e-mail address. The data subject details that the tablet did not show any option to object to receiving advertising.

Before filing the complaint, the data subject had received three advertisement e-mails from the controller. The e-mails included a passage which offered the option of unsubscribing from the advertising e-mails.

The controller argued that cashiers inform customers that receipts are preferably delivered digitally but that it is possible to get a physical receipt. It further claimed that the tablet does display an option to object to receiving advertising and provided three screenshots as proof. The first screenshot was of the tablet screen showing a box agreeing to advertisement which could be unticked, the second screeshot showed the data subject's account which showed a ticked box to receive advertisements via e-mail and the third showed a confirmation of the data subject having unsubscribed from the e-mail advertisements.

Holding

The AEPD stated, that in order to show that consent was obtained according to the requirements of the GDPR, the controller must keep a record of the actions carried out to obtain consent of the data subject.

The AEPD highlights that the controller did not for example provide a log demonstrating that the data subject gave consent or a screenshot of the signature of the data subject together with the user ID. Therefore, the controller had submitted no evidence which showed that the data subject had given consent to commercial advertisements as per the requirements of Article 7 GDPR.

The AEPD further stated that the controller's intent constituted an aggravating factor. By leaving customer's with no other option but to receive advertising communications via e-mail or text message in order to be provided with a receipt, the controller intentionally breached the provisions of Law 34/2002.

The AEPD sanctioned the controller for a violation of Article 21 of Law 34/2002, classified as minor under Article 38(4)(d) of Law 34/2002, with a fine of €20,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/16

 Procedure No.: EXP202316737 (PS/00110/2024)

SANCTIONING PROCEDURE RESOLUTION

From the actions carried out by the Spanish Data Protection Agency and based on the
following:
BACKGROUND

FIRST: On 10/24/23, D. A.A.A. (the complaining party), filed a complaint
with the Spanish Data Protection Agency.

The complaint is directed against the entity NUDE PROJECT, S.L. with CIF.:
B01945328, (the respondent party), for the alleged violation of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).

The complainant states that on 23/09/23 he went to a store of the defendant entity to make a purchase and that, when he requested the corresponding purchase receipt, he was told that it was not possible to deliver it physically, and that he had to provide his email address or telephone number, being forced to provide said data to receive the corresponding purchase receipt. He also states that, when he provided said data on a Tablet in the establishment, at no time did any message or form appear where he could object to receiving advertising. Despite this, he has received up to three advertising emails from the defendant entity in his email, all without having authorized it. The following documentation is attached to the complaint:

- Dated 23/09/23, 28/09/23 and 01/10/23, a copy of the emails
sent from the NUDE PROJECT address <help@nude—project.com>
received by the complainant, containing advertising messages and photographs,
such as, for example:

o NUDE PROJECT© Thank you for your purchase! Visit Our store.
Order summary …
o NUDE PROJECT© NEW IN T-SHIRTS HOODIES BOTTOMS
o By Artists, For Artists…
o So, let's play who's who... you choose. Also, we have some last units of

new Playboy garments. Have a look. JACK HAB LOW… or PLAYBOY CARDIGAN PLAYMATE SHIRT PLAYBOY CHINO PANTS SHOP THE LOOK DRAKE… or CHESS KNITTED POLO POOL DENIM PANTS CHAMPAGNE PROBLEMS HAT NAVY SHOP THE LOOK RIHAN NA… or WOMEN RACING JACKET BIG HEART WHITE BABY BUNNY BOWLING BAG WHITE/NAVY SHOP THE LOOK LIL NAS sedeagpd.gob.es 2/16

In each of the emails received, there is the following message, in
English: Do you no longer want to receive these emails? Unsubscribe.

NUDE PROJECT CIPujadas. 81 Barcelona. Barcelona 08005)

SECOND: On 11/22/23, in accordance with the provisions of article 65.4
of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
Guarantee of Digital Rights, (LOPDGDD), this Agency transferred
said claim to the respondent party so that it could proceed to analyze it

and report, within a period of one month, on what was set forth in the claim letter.

The transfer was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations

(LPACAP), by electronic notification, with access to the content of the notification taking place on 12/01/23 as recorded in the file. No response has been received
to this transfer letter.

THIRD: On 01/24/24, in accordance with article 65 of the LOPDGDD,
the claim submitted by the claimant was admitted for processing.

FOURTH: On 03/12/24, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the entity NUDE PROJECT, S.L.,
in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged
infringement of article 21 of the LSSI, classified as "minor" in art. 38.4.d) of the

same regulation. In the opening agreement it was determined that the sanction that could
be imposed, taking into account the evidence existing at the time of the opening,
would amount to a total of 20,000 euros (twenty thousand euros).

FIFTH: Having been notified of the aforementioned initiation agreement in accordance with the rules established in

the LPACAP, the respondent party submitted a written statement of allegations on 03/27/24, in which
it states the following:

“First.- First of all, we must indicate that the statement of facts does not
reflect the reality of what happened. This party has received advice on
privacy, personal data protection and electronic commerce, so it is aware of the obligation provided for in the aforementioned article to obtain the
express consent, or that it had been requested by the recipient of the same, to allow the sending of advertising
communications by email or equivalent means.

The company that I represent has been able to verify that the
complainant effectively made a purchase at the company's store located in La Roca
Village on September 23, 2023 at 5:00 p.m. However, this
entity must indicate that the consent of its clients was obtained in order to
send them commercial communications, and furthermore, there are

a series of measures implemented by default to avoid sending communications to those
clients who have not requested it or whose consent has not been
expressly obtained.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/16

At the time of payment, the cashier informs
you that, in accordance with the commitment to eliminate paper, the ticket is
preferably delivered electronically by email.

However, it is not true that the option of delivering the physical ticket
was not given, nor that a message or form to oppose the receipt of advertising did
not appear on the establishment's Tablet.

Attached as DOCUMENT Nº 2 is a screenshot of the Tablet screen

in which you can see in the “customer options” section a first tab called
“accept advertising”, which as you can see is unchecked by default. At that moment all customers are
expressly asked if they wish to accept the sending of advertising
before opening said tab, which occurred in this case.

That is, the complainant expressly accepted the sending of advertising, since
he was interested in receiving information about other products of the brand
that would be subsequently marketed.

Attached as DOCUMENT Nº 3 is a screenshot of the final purchase in which

you can see the customer's subscription to said advertising by email to be sent to the address ***EMAIL.1

If you look at the screenshot of Document Nº 2 you can draw
different conclusions: Firstly, we can see how the box for

commercial communications by email has been checked
because the user accepted that option during the purchase. Likewise,
it can be observed that consent was not given to receive
communications via SMS, which can be classified as another means of
electronic communication equivalent to emails, according to

article 21 of the LSSI.

In this regard, and following the instructions of the client, all
commercial communications were sent via email, for which the client's consent was
obtained. Additionally, it can be observed that it was indicated that the notifications would be received in English.

Nude Project, S.L. never sends advertising to people who have not given their
express consent to such delivery by subscribing.

Once D. A.A.A. had subscribed, it is true that Nude
Project, S.L. sent the emails detailed in the agreement to

initiate the sanctioning procedure. However, we must point out that the
client was fully aware that he could cancel the subscription since
this is stated in each email that is sent. In fact, the
complainant canceled the subscription on December 20, 2023 at 8:57 a.m.,
simply by clicking on the link he received in the emails under the word "unsubscribe".

The proof of said deletion is provided as DOCUMENT NO. 4. It is therefore
surprising that if he did not wish to receive emails, he could have easily

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/16

cancelled the subscription upon receiving the first one on the same day of purchase, September 23,
or the second one a few days later (September 28).

We would like to emphasise that from the moment you unsubscribed,
Nude Project, S.L. has not sent any other commercial communications.
In short, we consider that Nude Project, S.L. has acted correctly, complying with the mandates of its client, both in sending commercial communications and in unsubscribing; and all of this
in strict compliance with the provisions of current legislation.

Second.- In any case and in a subsidiary manner, we understand that the
actions of Nude Project, S.L. will be covered by the second section of
article 21 of Law 34/2002 on Information Society Services and
Electronic Commerce. This law establishes that: 1. The

sending of advertising or promotional communications by email or other equivalent
means of electronic communication that have not previously been requested or expressly
authorised by the recipients of the same is prohibited.

2. The provisions of the previous section shall not apply when there is a

prior contractual relationship, provided that the provider has lawfully obtained the
recipient's contact details and used them to send commercial communications
regarding products or services of its own company that are similar to those that were
initially contracted.

In any case, the provider must offer the recipient the possibility of
opposing the processing of their data for promotional purposes through a
simple and free procedure, both at the time of data collection
and in each of the commercial communications sent to them. When the

communications have been sent by email, this means must necessarily consist of the inclusion of an
email address or other valid electronic address where this right can be
exercised, and the sending of communications that do not include
this address is prohibited. We have underlined the second section of said article
since it establishes that the first section is not applicable

(prohibition of sending advertising communications), when the following
requirements are met: - There is a prior contractual relationship. - The provider
had lawfully obtained the client's contact details. - The provider
used said data to send commercial communications regarding
products or services of its own company similar to those that were the subject
of the contract.

The action of Nude Project, S.L. is covered by the second section
of the aforementioned article because: 1) The complainant D. A.A.A. contracted
with Nude Project, S.L. the acquisition of a product (varsity sweatshirt) on

September 23, 2023. 2) Nude Project, S.L. lawfully obtained the client's
data as the client was the one who voluntarily provided it, ordering
the sending of the purchase ticket by email. 3) Nude Project, S.L.
sent commercial communications to its client, now the complainant, via

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/16

emails in which information was provided about products similar to the one
purchased by Mr. A.A.A.. 4) Nude Project, S.L. gave the client the opportunity to
unsubscribe in each email it sent, simply by clicking on a

link. 5) Nude Project, S.L. did not send a single email to the
complainant after he expressed his desire not to receive any more
commercial communications.

Third.- The sending of the purchase receipt by email is
protected by Royal Decree 1619/2012 of 30 November, which

approves the Regulations governing billing obligations. Specifically, article 8 specifies that invoices may be issued by any means, on paper or in electronic format, while article 9
supports invoices that are issued and received in electronic format.

Fourth.- In terms of sanctions, the Constitutional Court has established
as one of the basic pillars for the interpretation of administrative sanctioning law
that the basic principles and guarantees present in the field of criminal law are applicable, with certain nuances, in the exercise
of any sanctioning power of the Public Administration (for example, in the
Constitutional Court's rulings 76/1990, 120/1994,

154/1994, 23/1995, 97/1995, 147/1995, 45/1997 of April 26, among many
others).

Article 25.1 of the Constitution establishes that no one may be convicted or
sanctioned for actions or omissions that at the time of their occurrence
did not constitute a crime, misdemeanor or administrative infraction according to the legislation in force
at that time. The Constitutional Court has held that the principle of
typicality consists of the need for normative predetermination of the
offending conduct and the corresponding sanctions (SSTC 61/1990,
116/1993, 151/1997, 124/2000113/2002, 129/2003, 297/2005, 129/2006 etc.).

In the same sense, article 27 of Law 40/2015 on the Legal Regime of the
Public Sector defines the principle of typicality in the same terms in that
only violations of the legal system provided for as such violations by a Law may constitute administrative infractions.

In the present case, disciplinary proceedings are initiated and a sanction is proposed against Nude Project, S.L. for having allegedly infringed article 38.4.d) of Law 34/2002 on Information Society Services and Electronic Commerce, which classifies as a minor infraction “the
sending of commercial communications by email or other equivalent means of electronic
communication, when said sending does not comply with the requirements established in article 21 and does not constitute a serious infraction”

Given that, as we have seen, the actions of Nude Project, S.L. is protected by the second section of article 21, the imposition of a sanction would constitute a violation of the principle of typicality that governs all administrative sanctioning procedures. In the rulings of the National Court (5 February 2019 EDJ 2019/543106, 25 March 2016 EDJ 2016/66100,
4 FEBRUARY 2010 EDJ 2010/12007, 23 May 2007 EDJ 2007/76092) of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/16

which we are aware of and which have been handed down in similar cases,
sanctions are only upheld in cases where the affected parties received emails after expressly
stating their opposition to receiving them.

In the present case, the situation is completely different. The complainant not
only gave his express authorization to receive commercial communications, but
could have replied to the first communication received indicating
that he did not wish to receive any more. This could be done in several ways: - Clicking
in the indicated place in the email "unsubscribe". - Replying to the email received - Sending a message to customer service. In the

"about us" section of the website www.nude-project.com there is a direct form
to send any questions or considerations. There is also a direct email to send it, specifically, help@nude-project.com -
Indicating it personally in any of the company's physical stores.

We are therefore not in the cases regulated in the Sentences
in which the sanction imposed by the AEPD has been validated.

Fifth.- We also oppose the grading of the sanction that appears in the
agreement initiating the sanctioning procedure, which applies the aggravating circumstance
of the existence of intent, when in our opinion it is not applicable, and also without taking into consideration the rest of the circumstances
provided for in article 40 of Law 34/2002 on Information Society Services and Electronic Commerce.

The existence of intent is justified in that commercial communications were sent after obtaining the client's email address in order to

send the purchase receipt and there being no possibility of rejecting the sending of commercial communications when the email is provided. The application of
this circumstance is absolutely erroneous since as has been proven: 1) The client expressly allowed the sending of commercial communications,
modifying at that time the corresponding tab of the application; given that he was expressly interested in receiving

commercial communications. 2) Once the purchase receipt was received, the customer
was perfectly able to cancel his subscription, just as he was able to do when
he received the other two communications. 3) The complainant himself deleted his
subscription on December 20, 2023.

The National Court's ruling of June 21, 2023 (EDJ

2023/606757) considers the application of this aggravating circumstance of intentionality to be correct in the case where a commercial email is sent after the user expressly expressed his opposition, but
not in the case at hand.

But what is more, the truth is that none of the other circumstances of article 40 apply to the actions of Nude Project, S.L.,
specifically: o Period of time during which the infringement is supposedly committed, which according to the complaint itself is only 8 days. o
Recidivism: Non-existent in this case since Nude Project, S.L. has not been

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/16

sanctioned for an infringement of the same nature. o Nature and amount
of the damages caused. No damages have been caused in this case. o
Benefits obtained from the infringement: Nude Project, S.L. has not obtained
any benefits given that the customer did not purchase any items after his
purchase on September 23. o The turnover is non-existent.

That is to say, in this case, the sanction imposed should have taken into account
all of these circumstances, so a fine of 20,000 euros
when the range is between 1 and 30,000 euros seems
clearly excessive. This incorrect application represents the violation of another constitutional
right, such as the principle of proportionality, which has been established

as an instrument of control over discretionary administrative decisions.

It is included in articles 103.1 and 106 of the Spanish Constitution
and in article 29 of Law 40/2015 on the Legal Regime of the Public Sector. In this last article it is determined that the appropriateness and necessity of the sanction to be imposed and its adaptation to the seriousness
of the act constituting the infringement must be observed on the basis of four criteria: a)
Degree of guilt or intentionality b) Continuity or persistence of the
conduct c) Damages caused d) Recidivism. Given all the above,
we understand that the hypothetical sanction should be in any case within
the lower quarter of the amount proposed in the Standard.

Sixth.- As a continuation of the previous argument, we invoke the application of
article 39 ter of Law 24/2002 in the sense that we understand that there is
sufficient data so that, even in the case that the infringement could be understood
to have been committed, the archiving of the sanctioning procedure is agreed and
in its place a warning with the adoption of corrective measures
determined by the competent body.

In this regard, we indicate that this entity, having obtained the recommendations of
our advisors on personal data protection, has decided
to carry out the following actions, aimed at avoiding a repeat of an
incident such as the one that is the subject of notification:  The aforementioned

advisors are requested to provide information on the legal considerations regarding
consent in electronic communications.

The written statement of allegations is accompanied by the following documentation:

- DOCUMENT No. 1 – Screenshot showing the option to
receive advertising unchecked by default.
- DOCUMENT No. 2 – Screenshot of the claimant's account, where it is
indicated that electronic communications can be sent because
they have given their consent, their contact email, and the option to send communications
by SMS unchecked.

- DOCUMENT No. 3 – First communication with the option to unsubscribe.
- DOCUMENT No. 4 – Withdrawal of consent to receive commercial communications by the complainant.

- DOCUMENT No. 5.- Report with considerations on consent in commercial communications.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/16

- DOCUMENT No. 6.- Screenshot of registration in the system.

- DOCUMENT No. 7 – Screenshot with the system check carried out on 03/21/24.

SIXTH: On 07/30/24, a resolution proposal was made in the sense that
the Director of the AEPD would sanction the respondent party for violation of the provisions of article 21 of the LSSI, classified as "minor" in art. 38.4.d)
of the same regulation with a penalty of 20,000 euros (twenty thousand euros).

In FD II of the resolution proposal, the objections were answered

at the initiation of the file:

First: The complainant states in his complaint that on
09/23/23, when making a purchase in one of the establishments of the

entity being claimed, he was told that it was not possible to deliver the physical purchase ticket

and that he had to provide his email address or telephone number.
He also points out that, when providing said data on a Tablet of the establishment,
at no time did any message or form appear through which he could

object to receiving advertising, having received up to three advertising emails from the

entity in his email without having authorized it. To corroborate the above, a copy of the three advertising emails received on 23/09/23, 28/09/23 and 01/10/23 is attached.

For its part, the respondent party states in its written allegations to the
initiation of the file that it is true that the claimant made a purchase

in one of its stores on 23/09/23 but that at the time of making the
payment, the cashier informed him that in accordance with the commitment to
eliminate paper, the ticket is preferably delivered electronically
by email, there being also the option of delivering the physical ticket.

That the claimant agreed to receive the ticket by email and that when giving it, he was
expressly asked if he wished to accept the sending of advertising
before opening said tab, which occurred in this case and is attached to the
capture of the screen of the Tablet where the option to receive
advertising is shown unchecked by default; the screenshot of the claimant's account, where the list of purchases made appears, on the one hand,

the only one dated 09/23/23 and on the other hand, the email address: ***EMAIL.1; and a copy of the screen for withdrawing consent
to receive commercial communications where the following information appears: Email Unsubscribe: ***EMAIL.1 Unsubscribe Date Dec 20, 2023 at 8:57 pm.

Now, regarding the consent that the user gives to the person responsible for the processing of his/her data so that, for example, as in the present case, he/she can send him/her commercial communications, Directive 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/16 on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of such Data (RGPD) establishes, points 105 to 108, the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/16

105. Recital 42 establishes that: “When the processing is carried out with the consent of the interested party, the controller must be able to demonstrate that the latter has given his/her consent to the processing operation.”

106. Controllers are free to develop methods to comply with this provision that are tailored to their daily operations. At the same time, the obligation to demonstrate that a controller has obtained valid consent should not in itself lead to excessive additional data processing. This means that controllers should have sufficient data to show a link to the processing (to show that consent was obtained), but should not collect further information. 107. It is up to the controller to demonstrate that it has obtained valid consent from the data subject. The GDPR does not prescribe how this should be done exactly. However, the controller must be able to demonstrate that in a specific case a data subject has given consent. The obligation to demonstrate consent will exist for the duration of the data processing activity in question. After the end of that activity, proof of consent should not be kept longer than is strictly necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims, in accordance with Article 17(3)(b) and (e).

108. For example, the controller must keep a record of the

declarations of consent received, so that it can demonstrate
how and when consent was obtained, and
the information that was provided to the data subject at the time must also be demonstrated. The controller must also be able to demonstrate that the data subject was informed and that the controller's workflow met all relevant criteria for valid consent. The logic underlying this
obligation in the GDPR is that controllers must be accountable for obtaining valid consent from data subjects and for the consent mechanisms they have adopted. For example, in an online context, a controller could
retain information about the session in which consent was expressed,

together with documentation about the consent workflow when that session took place, and a copy of the information that was presented at that time to the data subject. It would not be sufficient to refer only to a correct
configuration of the website in question. The GDPR establishes that consent must be “free, specific,
informed and unequivocal”. In addition, the interested party must be given control over it and be given the possibility of accepting or rejecting the terms under which it is
given.

Article 7 of the GDPR establishes that, when the treatment is carried out
based on consent, this must be verifiable and the controller must be able to demonstrate that the interested party gave it in a
valid manner.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/16

The GDPR does not establish a specific mechanism on how the controller
must be able to prove that it has obtained valid consent, having
freedom to implement the form of obtaining and recording that best suits
the processes of the organization but, at least, must be able to prove who

gave the consent, when, how and for what, as well as the information that was provided at the time of obtaining it. This obligation remains in force as long as the processing of personal data continues to be carried out under the initial conditions in which the data was collected and must be verifiable in the event of an audit or inspection.

It is therefore of interest to implement tools that offer guarantees to the various parties involved in the consent process and allow them to manage the processing of personal data that is being carried out.

Therefore, to assess whether consent is granted in a valid manner, the data controller must keep a log of the actions carried out to obtain consent.

In the present case, the entity being complained about only presents a capture of the screen of a Tablet where the option to receive advertising is displayed unchecked by default; the screenshot of the claimant's account,
where on the one hand the list of purchases made appears and on the other hand,
the claimant's email address and the screenshot of a screen
of the Tablet where the withdrawal of consent to receive commercial communications appears
but does not provide, for example, a history of the "log"
that can demonstrate that the interested party gave consent to receive
commercial communications in a valid manner, or a screen where the signature of the interested party appears
together with the ID number, thus complying with what is established in the current regulations, regarding the obligation of those responsible for the treatment to demonstrate that they have obtained consent
in a valid manner.

In short, on the one hand, the claimant, in his complaint,
states that he has received commercial communications from the defendant without
prior authorization, thereby breaching the provisions of article 21 of the LSSI, and on the other, from the documentation presented by the defendant in its allegations at the initiation of the file, there is no evidence
that the interested party gave valid consent to receive
commercial communications, as established in article 7 of the GDPR.

Second: Regarding the grading of the sanction in which the aggravating circumstance of the existence of intentionality is applied, stating that it is not applicable, since, according to the defendant, the client expressly allowed the
sending of commercial communications, and once the purchase receipt was received,
the client could perfectly cancel his subscription, just as he could do
when he received the other two communications and did so on 09/20/23.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/16

State that, with regard to the fact that the complainant expressly allowed the sending of
commercial communications, as set out in the previous section, in relation to the point, in this case, there is no evidence that

the complainant clearly expressed consent to receive commercial communications as established in article 7 of the RGPD and in relation to the fact that the complainant was able to unsubscribe easily and
directly, both when receiving the purchase receipt and through the emails received, indicate that this file is not dealing with the possibility of
opposition to the processing of personal data for promotional purposes as established in section 2 of article 21 of the LSSI, but rather the fact that
before being able to exercise his right to oppose receiving advertising, the
complainant received advertising emails without him having requested them or expressly
permitted them, article 21.1 LSSI, so, in the case at hand, the application of the burden of intent is considered correct, in the sense that these events could and should have been avoided, observing and complying with a rule that imposed a duty of care.

The claimant continues by stating that “(…) the sanction imposed should have taken into account all of these circumstances, so a sanction of

20,000 euros when the range is between 1 and 30,000 euros seems excessive (…), thereby violating the principle of proportionality (…)”.

Regarding the latter, let us remember that the infringement charged is classified as “minor” in art. 38.4.d) of the LSSI and that article

39.1.c) establishes that said infringements may be sanctioned with a fine of
up to 30,000 euros and to graduate said sanction, article 40 LSSI,
establishes that said graduation will be taken into account in the following criteria: a) The existence of
intentionality. b) Period of time during which the infringement has been committed.
c) Recidivism by committing infringements of the same nature,
when this has been declared by a final resolution. d) The
nature and amount of the damages caused. e) The benefits obtained
by the infringement. f) Volume of turnover affected by the infringement committed.
g) Adherence to a code of conduct or a system of advertising self-regulation applicable to the infringement committed, which complies with the provisions of article 18 or the eighth final provision and which has been favourably reported by the competent body or bodies.

Furthermore, article 29.3 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (RJSP), establishes that,

(…) in the imposition of sanctions by Public Administrations, the appropriateness and necessity of the sanction to be imposed and its adequacy to the seriousness of the fact constituting the infringement must be observed (…)”.

In our case, it is considered that it is appropriate to graduate the sanction to be imposed according to the existence of intent (section a), as has been
set out above and therefore, it is considered that the amount of the sanction
complies with the proportionality criteria of article 29 of the LRJSP and 40 of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/16

the LSSI, without the initially proposed sanction reaching the maximum of the range established for this type of infraction.

The notification of the aforementioned resolution proposal was carried out in accordance with the rules
established in the LPACAP, by electronic notification, with access to the content of the notification taking place on 01/08/24 as recorded in the file.

No response has been received to this written resolution proposal.

In view of all the actions taken, the Spanish Data Protection Agency
in this procedure considers the following proven facts:

PROVEN FACTS

First: It has been established that on 23/09/23 the claimant made a purchase in
the store of the defendant located in La Roca Village.

Second: It is known that the claimant received, in the email ***EMAIL.1 on
the days 23/09/23, 28/09/23 and 01/10/23, three emails sent from the
address NUDE PROJECT <help@nude—project.com> containing advertising messages and
photographs in English, such as:

- NUDE PROJECT© Thank you for your purchase! ¡Visit Our store. Order summary … - NUDE PROJECT© NEW IN T-SHIRTS HOODIES BOTTOMS - By Artists, For Artists… - So, let's play who's who... you choose. Also, we have some last units of new Playboy garments. Have a look. JACK HAB LOW… - PLAYBOY CARDIGAN PLAYMATE SHIRT PLAYBOY CHINO PANTS SHOP THE LOOK DRAKE… - CHESS KNITTED POLO POOL DENIM PANTS CHAMPAGNE PROBLEMS HAT NAVY SHOP THE LOOK RIHAN NA… - WOMEN RACING JACKET BIG HEART WHITE BABY BUNNY BOWLING BAG WHITE/NAVY SHOP THE LOOK LIL NAS


- Screenshot of the Tablet showing the option to receive advertising unchecked by default.

- Screenshot of the claimant's account, where the list of purchases made appears, the only one dated 09/23/23, and on the other hand, the email address: ***EMAIL.1 with the annotation "notifications will be made in English". It can be seen that the option "subscribed email" is checked and the option to send communications by SMS is unchecked. There is no signature of the claimant's authorization.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/16

- Copy of the screen for withdrawing consent to receive commercial communications
where the following information appears, in English: Email

Unsubscribed: ***EMAIL.1Subscription details Status Unsubscribed or Method
Email Link Date Dec 20, 2023, at 8:57 pm UTC. (Unsubscribe Email: ***EMAIL.1
Subscription details Status: Unsubscribe Date Dec 20, 2023)

LEGAL BASIS

I
Competence.

In accordance with the provisions of article 43.1 of the LSSI and the provisions of
articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this

procedure. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, in this organic law, by the regulatory
provisions issued in its development and, insofar as they do not contradict them,
in a subsidiary manner, by the general rules on administrative procedures."

The fourth additional provision "Procedure in relation to the powers
conferred on the Spanish Data Protection Agency by other laws" establishes
that: "The provisions of Title VIII and its implementing regulations will apply to

the procedures that the Spanish Data Protection Agency must process in the exercise of the powers attributed to it by other laws."

II
Prohibition of unsolicited or expressly authorized commercial communications

The LSSI prohibits unsolicited or expressly authorized commercial communications, based on a concept of commercial communication that is classified
as an information society service and is defined in its Annex as: “f)
Commercial communication”: any form of communication aimed at promoting, directly
or indirectly, the image or the goods or services of a company, organization or

person who carries out a commercial, industrial, artisanal or professional activity.

Therefore, the concept of commercial communication, according to the
previous definition, includes all forms of communication intended to promote,
directly or indirectly, goods, services or the image of a company, organization or

person with a commercial, industrial, artisanal or professional activity.

On the other hand, the LSSI in its Annex a) defines “Information Society Service” as “any service normally provided for a fee, at a distance,
by electronic means and at the individual request of the recipient, which also includes services
not remunerated by their recipients, to the extent that they constitute an
economic activity for the service provider”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/16

According to section d) of the aforementioned Annex, the recipient is the “natural or legal person who
uses, whether or not for professional reasons, an information society service”

III
Classification of the infringement committed by sending commercial communications without
having been requested or expressly authorized.

The fact that the respondent sends advertising emails to the complainant

that had not previously been requested or expressly authorized constitutes
a violation of the provisions of article 21 of the LSSI, as it establishes the
following:

“1. The sending of advertising or promotional communications

by email or other equivalent means of electronic communication that have not previously been requested or expressly authorized by
the recipients of these is prohibited.

2. The provisions of the previous section will not apply when there is a
prior contractual relationship, provided that the provider has lawfully obtained the
recipient's contact details and used them to send commercial communications
regarding products or services of its own company that are similar to those that were initially the subject of the
contract with the client.

In any case, the provider must offer the recipient the possibility of
opposing the processing of their data for promotional purposes through a
simple and free procedure, both at the time of data collection
and in each of the commercial communications sent to them.

When the communications have been sent by email,
this means must necessarily consist of the inclusion of an email address or other valid electronic
address where this right can be exercised, and the sending of communications that
do not include this address is prohibited.”
IV

Sanction

The aforementioned infringement is classified as “minor” in art. 38.4.d) of said
regulation, which qualifies as such, “The sending of commercial communications by email
or other equivalent means of electronic communication when said

sendings do not comply with the requirements established in article 21 and do not
constitute a serious infringement.”

According to the provisions of article 39.1.c) of the LSSI, minor infringements may be
sanctioned with a fine of up to €30,000, while article 40 of the LSSI

establishes the criteria for grading the amount of the sanctions:

“The amount of the fines imposed will be graded according to the
following criteria: a) The existence of intent. b) Period of time

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/16

during which the infringement has been committed. c) Recidivism in the commission of infringements of the same nature, when this has been
declared by a final resolution. d) The nature and amount of the damages
caused. e) The profits obtained from the infringement. f) Volume of turnover affected by the infringement committed. g) Adherence to a code of conduct or a system of advertising self-regulation applicable to the infringement committed, which complies with the provisions of article 18 or the eighth final provision and which has been favourably reported by the competent body or bodies."

Based on the evidence obtained, it is considered that the sanction to be imposed should be graded

in accordance with the aggravating criteria established in art. 40 LSSI:

- The existence of intentionality (section a), since, if the customer wishes to receive
the purchase ticket, he must provide the email address or telephone number where it will be sent, but he will also receive

commercial communications by said means, even if he does not wish to, since there is no
possibility of rejecting the sending of commercial communications
when the email or telephone number is provided.

According to these criteria, it is considered appropriate to propose a fine of 20,000 euros (twenty thousand euros), for the violation of article 21.1 of the LSSI.

In accordance with the applicable legislation and having assessed the criteria for grading the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency
RESOLVES:

FIRST: TO IMPOSE on the entity NUDE PROJECT, S.L. with CIF: B01945328, for the
infringement of article 21 of the LSSI, classified as “minor” in art. 38.4.d), a
fine of 20,000 euros (twenty thousand euros).

SECOND: TO NOTIFY this resolution to the entity NUDE PROJECT, S.L.

THIRD: To warn the sanctioned party that the sanction imposed must be made effective
once this resolution is enforceable, in accordance with the provisions of
article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations, within the voluntary payment period indicated in
article 68 of the General Collection Regulations, approved by Royal Decree
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17,

by depositing it in the restricted account No. ES00 0000 0000 0000
0000, opened in the name of the Spanish Data Protection Agency at the banking
entity CAIXABANK, S.A. or otherwise, it will be collected in the
enforcement period.

Once the notification has been received and has become enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th of the following month or the next business day thereafter, and if it is between the 16th and the last day of each month, both inclusive, the payment deadline will be until the 5th of the second following month or the next business day thereafter.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/16

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure (article 48.6 of the LOPDGDD), and in accordance with the provisions of articles 112 and 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, interested parties may optionally file an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, on the Common Administrative Procedure of Public Administrations, the final resolution in administrative proceedings may be provisionally suspended if
the interested party expresses his intention to file an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of

a written document addressed to the Spanish Data Protection Agency, presenting it through
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/],
or through one of the other registries provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1.

The documentation proving the effective filing of the administrative appeal must also be transferred to the Agency. If the Agency is not aware
of the filing of the administrative appeal within two months
from the day following notification of this resolution, it will consider the
precautionary suspension to be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es