AEPD (Spain) - EXP202414976
From GDPRhub
| AEPD - EXP202414976 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR Law 39/2015 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 19.12.2024 |
| Decided: | 17.03.2025 |
| Published: | 17.03.2025 |
| Fine: | 1000 EUR |
| Parties: | Club Rapido de Bouzas |
| National Case Number/Name: | EXP202414976 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | cwa |
A football club was fined €600 after disposing of a large number of documents in a bin on a public road. The documents contained the personal data of minors playing for the club.
English Summary
Facts
On the 11th of October 2024, an individual found a box in a bin outside of the playing field of Club Rapido de Bouzas (the controller) on a public road. The box contained hundreds of documents detailing the ID numbers, names and surnames, addresses and photographs of their players (who were minors). In total, 1,444 cards identifying data subjects by name and photograph were found in the box.
The club had a “cleaning day” and claimed that this box was disposed of in the field in error.
The individual (a father of one of the players) reported the matter to the police, and subsequently filed a complaint with the AEPD (Spanish DPA).
On December 19th 2024, the DPA initiated their investigation.
Holding
The DPA were critical of the controller for firstly allowing the box containing the documents to be erroneously identified as something which could be disposed of in such a manner, and secondly, that no procedure existed whereby the person who disposed of them could be identified.
The DPA also noted that the fact that the negligent action was committed by an employee or third party did not absolve the club of responsibility for the incident. Accordingly, the DPA found that the club had violated Article 5(1)(f) GDPR, requiring the controller to implement appropriate technical and organizational security measures to ensure the security of processing.
The DPA initially set the fine at €1,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may acknowledge its responsibility for the alleged violations and/or make a voluntary payment of the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €600.
The controller was also ordered to communicate to the DPA the adoption of technical and organizational measures to ensure the confidentiality of personal data undergoing processing, as well as a retention period and disposal method for such personal data.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/14
File No.: EXP202414976
RESOLUTION TERMINATING THE PROCEDURE FOR RECOGNITION OF LIABILITY AND VOLUNTARY PAYMENT
Regarding the procedure initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On December 19, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against CLUB RÁPIDO DE BOUZAS (hereinafter, CLUB BOUZAS), through the following agreement:
<<
File No.: EXP202414976
AGREEMENT TO INITIATE SANCTIONING PROCEDURE
Regarding the actions taken by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: The The Spanish Data Protection Agency has learned of certain facts that could constitute a potential infringement attributable to CLUB
RÁPIDO DE BOUZAS, with NIF G36711513 (hereinafter, CLUB BOUZAS).
The facts brought to the attention of this authority are:
The Local Police of ***LOCALITY.1 provides a Service Report dated 10/11/2024, following a call from (...) the father of a minor who plays at (...) based at the A.A.A. field, noting that outside the field, "he observed a cardboard box full of documentation belonging to players belonging to the aforementioned club, from many seasons, most of whom were minors, located inside a garbage container, located on the public road on the sidewalk and near the main entrance to the field." Two Local Police Officers from
***LOCALITY.1 responded to the call and, accompanied by the requesting party, went to the container where they stated they saw: "inside a green container, located at the top of the container, with the flaps open and visible to passersby, they observed a cardboard box full of documentation, containing hundreds of ID cards and membership cards containing personal information such as: ID, first and last name, address, photograph..." The Officers took the box and took it to Police Headquarters, where they inspected it and detailed its contents in the Service Report.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/14
Subsequently, they located the manager of the (...) who turned out to be B.B.B. with DNI:
***NIF.1, to whom they showed all the documentation found, stating that
"they were cleaning these days and that someone must have gotten confused and thrown away that box, but
he doesn't know who."
Initially, the following documentation is available:
- Local Police Report from ***LOCALITY.1, mentioned above (...).
- Photographic report of the documentation found, prepared by the Local Police
of ***LOCALITY.1, showing:
o Cards issued by the Galician Football Federation showing:
photograph, name, surname, and DNI of the players.
o Player cards showing photograph, name and surname, DNI, address, telephone number, copy of DNI, and parents' information.
o Photographs of players with names and surnames on the back.
SECOND: According to the report collected from the AXESOR tool on November 20, 2024, CLUB BOUZAS is an association established in 2017 with operating results for 2023 of (…) €.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II
Procedure
Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, this Organic Law, the regulatory provisions issued in its development, and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."
In accordance with Article 64 of the LOPDGDD, and taking into account the characteristics of the alleged violations committed, a sanctioning procedure is initiated.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/14
The procedure will last a maximum of twelve months from the date of the initiation agreement. After this period, the proceedings will expire and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD.
If no objections are made to this initial resolution within the stipulated period, it may be considered a proposed resolution, as established in Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
III
Preliminary Questions
It is important to take into consideration the detailed report from the Local Police of
***LOCALITY.1:
“At 8:30 p.m. on 10/08/2024, we appeared outside the Baltasar Pújales soccer field, located at Paz Andrade Street No. 2 in Bouzas,
***LOCALITY.1, where we were summoned by: ***NIF.1, with DNI ***NIF.2. This person states that he is the father of a minor who plays for the club "(…)", based at the A.A.A. field, and that outside the field, he observed a cardboard box full of documentation belonging to players belonging to the aforementioned club for many seasons, most of whom were minors, located inside a garbage container located on a public street, on the sidewalk and near the main entrance to the field. The requesting party accompanies the officers to the container.
Inside a green container, located at the top of the container, with the flaps open and visible to passersby, they observe the cardboard box full of documentation, containing hundreds of federation cards and membership cards, each containing personal information such as: ID, first and last name, address, photograph, etc. The officers take the box and place it in a police vehicle, taking it to Police Headquarters, where the box is inspected and it is observed that inside it there are:
- A total of 1,444 cards issued by the Galician Football Federation, containing: photograph, first and last name, and ID of the players.
- Hundreds of player cards showing their photograph, first and last name, ID, address, mobile phone number, and details of one of the parents: First and last name, ID, email, address, and mobile phone number, as well as a photocopy of their ID or family record book. Many of them include an account number for direct debit payments.
- Photographs of players with their first and last names on the back.
- An original ID without the chip.
- Other club documentation.
The manager of (…)" was located, who turned out to be: B.B.B., with DNI ***NIF.1, and was informed that a report would be prepared and sent to the AEPD.
He was shown all the documentation found. He stated that they had been cleaning the last few days and that someone must have gotten confused and thrown away the box, but he did not know who. This person provided details of the club: CIF: G-36711513,
name: "Club Rápido de Bouzas", address: (…), ***LOCALITY.1, (…):
C.C.C., with telephone number: ***TELÉPHONE.1.
The box was collected and all its contents were deposited at the Local Police Headquarters of ***LOCALITY.1, in A sealed bag with seal number
(…). Page (…) Local Police Headquarters of ***LOCALITY.1”.
Regarding the photographic annex, the Local Police of ***LOCALITY.1 adds the following title, along with the photograph:
- Photograph No. 1: Files with photograph, name and surname, ID,
address, and copy of ID
- Photograph No. 2: Example of file with photograph, name and surname, ID,
address, and copy of ID
- Photograph No. 3: Files with photograph, name and surname, ID,
address, details of one of the parents or legal guardian, and in many of them,
a bank account for direct debit payments.
- Photograph No. 4: Photographs with name and surname written on the back.
(More than 100 photographs).
- Photograph No. 6: Players' federation cards
- Photograph No. 7: Total documentation found.
- Photograph No. 8: Total documentation located (this investigator notes that the documentation as a whole occupies an office desk).
In the present case, in accordance with Articles 4.1 and 4.2 of the GDPR, it is established that personal data is being processed, since CLUB BOUZAS collects and stores personal data of individuals, including their first and last names, photograph, date of birth, address, email address, and bank account number, among others.
CLUB BOUZAS carries out this activity in its capacity as data controller, since it determines the purposes and means of such activity, pursuant to Article 4.7 of the GDPR.
IV
Breached obligation. Integrity and Confidentiality
Article 5.1(f) of the GDPR stipulates:
"1. Personal data shall be:
(…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical or organizational measures ("integrity and confidentiality")."
In the present case, CLUB BOUZAS, as the data controller of its users' personal data, was obliged to ensure that the security measures were not circumvented. However, according to its manager, someone must have made a mistake and threw those documents into a trash bin. This action allowed unauthorized third parties to access hundreds of personal data, such as names, surnames, photographs, etc., as these documents were seen by the father of a child who plays for the Club. He called the police after seeing a cardboard box full of documentation belonging to players belonging to the aforementioned club for many seasons, most of whom were minors. The fact that this was the negligent act of an employee or third party does not exempt the Club from its responsibility, as it is responsible for the correct use of the security measures that should have ensured that hundreds of documents did not end up in a trash container, available to anyone passing by on the public highway. Storing 1,444 ID cards, hundreds of cards, and photographs (in many cases of minors) in a cardboard box, containing personal data such as first and last names, address, telephone number, etc., would demonstrate a lack of organizational measures to ensure that the processing of this data is secure and confidential. The BOUZAS CLUB should have taken extreme measures to ensure that no one in its organization would place mixed documents of different types, different seasons, or minors in such an easily accessible cardboard box.
The lack of such measures would also be demonstrated by the subsequent disposal of said box in a trash container, with the manager acknowledging that he did not know who had done it. From all this, it would be inferred that the Club has not adopted the appropriate technical and organizational measures to preserve the confidentiality and integrity of the data it stores, since after placing it in a haphazard manner in a cardboard box, "someone" considered it "garbage." It would be sufficient to have established
appropriate organizational measures, implemented them, and used them with reasonable diligence.
Therefore, based on the evidence currently available, in accordance with the agreement to initiate sanctioning proceedings, it is considered that the known facts
could constitute an infraction, attributable to CLUB BOUZAS,
for violating the article transcribed above.
V
Classification of the violation of Article 5.1.f) of the GDPR and classification for the purposes of limitation
Article 83.5 of the GDPR classifies the violation of the following article as an administrative offense, which shall be punishable, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the preceding financial year, whichever is higher:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/14
"a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9;"
For its part, the LOPDGDD (Organic Law on Personal Data Protection) in its Article 71, "Infractions," states that:
"The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements."
For the sole purpose of the statute of limitations, Article 72.1 of the LOPDGDD establishes the following:
"In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein, and in particular, the following, are considered very serious and will be subject to a three-year statute of limitations:
a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."
VI
Proposed Sanction
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9, and 6 are, in each individual case, effective, proportionate, and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:
a) the nature, gravity, and duration of the infringement, taking into account the
nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
e) any previous infringements committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/14
h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and
k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.
For its part, Article 76 "Sanctions and Corrective Measures" of the LOPDGDD (Organic Law on Personal Data Protection) provides:
"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.
2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679,
the following may also be taken into account:
a) The continuous nature of the infringement.
b) The connection between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the affected party's conduct could have led to the commission of the infringement.
" e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
f) The violation of the rights of minors.
g) Having a data protection officer, when not mandatory, in place.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in cases where there are disputes between them and any interested party.
In the present case, considering the seriousness of the potential violation, especially considering the consequences its commission has on those affected, a fine should be imposed, in addition to the adoption of measures, if appropriate.
The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. To guarantee these principles, it is considered as a preliminary matter, (…).
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available in the
initiation of sanctioning proceedings, and without prejudice to the outcome of the investigation, it is considered that the balance of the circumstances contemplated in
Article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the infringement committed
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/14
by violating the provisions of Article 5.1.f) of the GDPR, allows for the initial imposition of an administrative fine of €500.00.
VII
Corrective Measures
If the violation is confirmed, the resolution issued may establish the corrective measures that the offending entity must adopt to end the non-compliance with personal data protection legislation, in this case Article 5.1.f) of the GDPR and Article 32 of the GDPR, in accordance with the provisions of the aforementioned Article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period."
Thus, the responsible entity may be required to bring its actions into compliance with personal data protection regulations, to the extent set out in the previous Legal Basis.
This document establishes the alleged violation committed and the facts that could lead to this potential breach of data protection regulations. From this, it is clear what measures to be adopted, without prejudice to the sanctioned party's responsibility to implement the specific procedures, mechanisms, or instruments. The data controller is fully familiar with their organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD. However, in this case, regardless of the foregoing, in accordance with the evidence currently available regarding the agreement to initiate sanctioning proceedings, the resolution adopted may require CLUB BOUZAS to adopt the following measures within a period of three months from the date of execution of the resolution finalizing this procedure:
- Evidence of the adoption of technical and organizational measures to preserve the confidentiality and integrity of the personal data of the Club's players that it stores, and thus ensure compliance with the provisions of Article 5.1 f) of the GDPR.
- Regarding the retention period for said data, establish a maximum retention period for this information, in accordance with the need to prove that said players can continue participating in competitions, but delete it when they leave the Club or when it is no longer necessary.
- Establish a secure mechanism for the destruction of said information.
The imposition of these measures is compatible with the sanction of an administrative fine, as provided in Article 83.2 of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/14
Please note that failure to comply with the possible order to adopt measures imposed by this body in the resolution of this sanctioning procedure may be considered an administrative infraction pursuant to the provisions of the GDPR, classified as an infraction in Articles 83.5 and 83.6 thereof. Such conduct may lead to the opening of a subsequent administrative sanctioning procedure.
Likewise, it is recalled that neither the recognition of the infringement committed nor, where applicable, the voluntary payment of the proposed amounts exempts the applicant from the obligation to adopt the relevant measures to cease the conduct or correct the effects of the infringement committed, nor from the obligation to provide proof of compliance with this obligation to this AEPD.
Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency,
IT IS AGREED:
FIRST: TO INITIATE SANCTIONING PROCEEDINGS against CLUB RÁPIDO DE BOUZAS, with NIF G36711513, for the alleged infringement of Article 5.1.f) of the GDPR and Article 32 of the GDPR, defined, respectively, in Articles 83.4 and 83.5 of the GDPR.
SECOND: TO APPOINT D.D.D. as the instructor. and, as secretary, to E.E.E.,
indicating that they may be challenged, if appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: TO INCORPORATE into the file, for evidentiary purposes, the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure.
FOURTH: THAT for the purposes set forth in Article 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that may be imposed would be an administrative fine of €1,000.00, without prejudice to the results of the investigation.
FIFTH: NOTIFY this agreement to CLUB RÁPIDO DE BOUZAS, with Tax Identification Number (NIF)
G36711513, granting it a hearing period of ten business days to formulate any allegations and present any evidence it deems appropriate. In its written allegations, it must provide its Tax Identification Number (NIF) and the procedure number shown in the heading of this document.
In accordance with the provisions of Article 85 of the LPACAP (Spanish Civil Code), it may acknowledge its liability within the period granted for the formulation of allegations to this initiation agreement; this will result in a 20% reduction in the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at €800.00, and the procedure would be resolved with the imposition of this sanction.
Likewise, at any time prior to the resolution of this procedure, the applicant may voluntarily pay the proposed fine, which will result in a 20% reduction in its amount. With the application of this reduction, the fine would be set at €800.00, and its payment would terminate the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the fine may be combined with the reduction applicable for acknowledgment of liability, provided that this acknowledgment of liability is made clear within the period granted for submitting allegations at the opening of the procedure. Voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In
this case, if both reductions were to be applied, the amount of the penalty would be set at €600.00.
In any case, the effectiveness of either of the aforementioned reductions will be subject to the express withdrawal or waiver of any administrative action or appeal against the penalty.
For these purposes, if you opt for either of them, you must send the
General Subdirectorate of Data Inspection express notification of the withdrawal or waiver of any administrative action or appeal against the penalty, indicating which of the two reductions you are opting for, or if you are opting for both.
If you choose to voluntarily pay any of the amounts indicated above (€800.00 or €600.00), you must do so by depositing it into account IBAN: ES00-0000-0000-0000-0000-0000
(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the entry the reference number of the procedure shown in the heading of this document and the reason for the reduction in the amount you are claiming.
You must also send proof of payment to the Subdirectorate General for Inspection, along with express notification of your withdrawal or waiver of any administrative action or appeal against the penalty in order to continue with the procedure in accordance with the amount paid.
In compliance with Articles 14, 41, and 43 of the LPACAP (Spanish Civil Protection Act), you are hereby advised that, from now on, notifications sent to you will be sent exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es) and the Electronic Office (sedeagpd.gob.es). If you do not access them, your rejection will be recorded in the file, the procedure being deemed complete and the procedure followed. You are hereby informed that you may provide this Agency with an email address to receive notification of the availability of notifications and that failure to provide this notification will not prevent the notification from being considered fully valid.
Finally, it is noted that, pursuant to Article 112.1 of the LPACAP, no administrative appeal may be filed against this act.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/14
1479-111124
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On January 2, 2025, CLUB BOUZAS proceeded to pay the fine in the amount of €600.00, making use of the two reductions provided for
in the initiation agreement transcribed above, which implies recognition of liability in relation to the events referred to in the initiation agreement and its legal classification.
THIRD: CLUB BOUZAS has expressly waived any administrative action or appeal against the sanction.
FOURTH: The initiation agreement transcribed above indicated that, if the infringement was confirmed, it could be agreed that the controller would be required to adopt appropriate measures to bring its actions into compliance with the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period...".
Having recognized responsibility for the infringement, the measures included in the initiation agreement may be imposed.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (the General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the President of the Spanish Data Protection Agency is competent to resolve this procedure.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/14
Similarly, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary capacity, by the general rules on administrative procedures."
II
Termination of the Procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of Sanctioning Procedures" provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely monetary in nature, or when a monetary sanction and a non-monetary sanction may be imposed, but the inadmissibility of the latter has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will terminate the procedure,
except with regard to restoring the altered situation or determining compensation for damages caused by the commission of the violation.
3. In both cases, when the sanction is solely monetary in nature, the body competent to resolve the procedure will apply reductions of at least
20% on the amount of the proposed sanction, these being cumulative.
The aforementioned reductions must be specified in the notification of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the penalty.
The percentage reduction provided for in this section may be increased by regulation.
III
Voluntary Payment and Acknowledgment of Liability
In accordance with the provisions of the aforementioned Article 85 of the LPACAP, the notified initiation agreement provided information on the possibility of acknowledging liability and voluntarily paying the proposed penalty, which would entail two cumulative reductions of 20% each. With the application of these two reductions, the penalty would be set at €600.00, and its payment would imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
Following notification of the aforementioned initiation agreement, CLUB BOUZAS has proceeded to acknowledge liability and voluntarily pay the fine, accepting the two reductions provided for and expressly waiving any administrative action or appeal.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/14
It should be noted that, in accordance with the provisions of the LPACAP, as well as the Supreme Court's jurisprudence on this matter, the exercise of voluntary payment by the alleged liable party does not exempt the administration from its obligation to resolve and notify all proceedings, regardless of their form of initiation. Similarly, Article 88 of the aforementioned regulation establishes that the resolution that concludes the proceedings will decide all issues raised by the interested parties and any other issues arising from them.
Therefore, in accordance with applicable legislation and having assessed the criteria for graduating the sanctions whose existence has been proven, the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the commission of the violations and CONFIRM the sanctions
determined in the operative section of the initiation agreement transcribed in this resolution.
The sum of the aforementioned amounts results in a total of €1,000.00.
After CLUB RÁPIDO DE BOUZAS has made prompt payment and acknowledged liability, pursuant to Article 85 of the LPACAP, the aforementioned total is reduced by 40%, resulting in the final amount of €600.00.
SECOND: TO DECLARE the termination of procedure EXP202414976, in accordance with the provisions of Article 85 of the LPACAP.
THIRD: ORDER CLUB RÁPIDO DE BOUZAS to notify the Agency within 3 months of this resolution becoming final and enforceable, of the adoption of the measures described in the legal grounds of the initiation agreement transcribed in this resolution.
FOURTH: NOTIFY CLUB RÁPIDO DE BOUZAS of this resolution.
FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment and acknowledgment of liability on the withdrawal or waiver of any action or appeal through administrative channels, this authority accepts the waiver expressly stated by CLUB RÁPIDO DE BOUZAS. Consequently, no optional appeal for reconsideration of this resolution may be filed, all without prejudice to the possibility of resorting to contentious-administrative proceedings.
Consequently, taking into account the provisions of Article 90 of the LPACAP,
since no appeal is available through administrative channels after expressly waiving the waiver,
this resolution will be final and fully enforceable upon notification.
However, in accordance with the provisions of Article 90.3.a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party expresses their intention to file an administrative appeal. If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency (C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/14). The interested party must submit a written request to the Spanish Data Protection Agency (AEPD) through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through any of the other registries provided for in Article 16.4 of the aforementioned Law
39/2015, of October 1. The interested party must also forward to the Agency the documentation proving the effective filing of the administrative appeal. If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the precautionary suspension.
In accordance with Article 50 of the LOPDGDD (Spanish Data Protection Act), this
Resolution will be made public once it has been notified to the interested parties.
1259-180225
Olga Pérez Sanjuán
The Deputy Director General of Data Inspection, in accordance with Article 48.2
LOPDGDD, due to a vacancy in the position of President and Deputy President
28001 – Madrid 6 sedeagpd.gob.es
