AEPD (Spain) - PS/00043/2020
From GDPRhub
| AEPD - PS/00043/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR Article 83(5) GDPR 11 LOPDGDD |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 10.12.2020 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | PS/00043/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA (AEPD) imposed a warning sanction on a private individual for failing to comply with the right to information (Article 13 GDPR) when collecting personal data on its website.
English Summary
Facts
A citizen brought to the attention of the AEPD that the website that the respondent used as a platform for the position of president of a professional association in Madrid in 2019, did not have a privacy policy or legal notice, and therefore could be in breach of the right to information of visitors to the website.
The website contained a form to collect personal data (name, telephone number, and e-mail address) from those interested in the project led by the defendant.
The respondent stopped the data processing when it was warned of the possible unlawfulness of the conduct, and the AEPD was able to verify that the personal data collection form had been removed.
Dispute
Is collecting personal data without the required privacy policy a breach of Article 13 GDPR?
Holding
The AEPD considered that, in the present case, it was sufficient to impose a warning sanction for breach of the duty to provide information on the processing of data, as set out in article 13 GDPR.
In order to determine the level of the sanction, the AEPD took into account the fact that this is a natural person whose main activity is not linked to the processing of personal data and that there is no evidence of recidivism, as there is no record of the commission of previous infringements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9
Procedure Nº: PS / 00043/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the claimant) dated August 27, 2019
filed a claim with the Spanish Agency for Data Protection. The
complaint is directed against the website *** URL.1. The reason in relation to
Data protection regulations on which the claim is based is as follows:
“[…] SECOND: The indicated page does not include the PRIVACY POLICY or
LEGAL NOTICE, in breach of the existing regulations (art. 13 of the Regulation of
Data protection and art. 5 LOPD). "
Along with the claim, it provides screenshots of the aforementioned website.
SECOND: In view of the facts reported in the claim and the
documents provided by the claimant and documents of which he has had
knowledge of this Agency, the Subdirectorate General for Data Inspection proceeded
to carry out preliminary investigation actions to clarify the
facts in question, by virtue of the investigative powers granted to the
control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation
General Data Protection, hereinafter RGPD), and in accordance with the
established in Title VII, Chapter I, Second Section, of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital (hereinafter LOPDGDD).
As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is B.B.B. with NIF *** NIF.1 since the website
claimed is constituted as a platform for the candidacy for the elections of the
Official College of Graduates of E.F. and Sciences of Physical Activity and Sports
the Community of Madrid held in 2019 to which the respondent applied
as president.
THIRD: Prior to the admission for processing of this claim,
transferred the claimed to the professional address that advertises it on the internet,
in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter, LOPDGDD), being returned as "unknown" on 12/20/2019.
In view of the foregoing, the State Tax Administration Agency is requested to
Tax address of the claimed, being provided on 02/26/2020.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/9
FOURTH: In view of the facts denounced in the claim and the
documents provided by the claimant, it is observed that the website contains a
personal data collection form (name, telephone number and email address
electronic) of those people who were interested in the project led
by the claimed.
Consulted on February 24, 2020 the web page *** URL.1, it is verified that the
website is still open and maintains the situation revealed in the claim
Submitted Aug 27, 2019 by A.A.A.
FIFTH: Consulted on February 25, 2020, the application of the AEPD was
verifies that the only sanctioning procedure in which the claim appears as
mercantile B.B.B. with NIF *** URL.1, is the present procedure.
SIXTH: On March 6, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD.
SEVENTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written
allegations on March 20, 2020, in which it stated that:
“[…] First. - That at no time has this party intended to breach
with the regulations governing Data Protection.
Second. That as soon as you receive the initiation agreement that gives rise to the present
allegations, for my part the data processing was ended, eliminating the form
and those data that had been collected by this means.
Third. - Having said the above, it is worth noting that this part had developed the
appropriate form where the requirements of the RGPD were complied with, but at the
appear to be due to a computer error that we were not warned about by anyone, could have occurred
the situation imputed to me. Insist on the lack of intentionality on my part in the
commission of the facts. […] "
EIGHTH: On June 12, 2020, the procedure instructor agreed to the
opening of a period of practical tests, taking as incorporated the
claim submitted by the claimant and his documentation, the documents
obtained by the General Subdirectorate for Data Inspection and the allegations
presented by the claimed.
NINTH: On August 5, 2020, the website *** URL.1 is accessed with
object of verifying what is stated by the claimed in his allegations.
TENTH: On September 18, 2020, a resolution proposal was formulated,
proposing that a penalty of warning be imposed on the defendant, for a
infringement of article 13 of the RGPD, typified in article 83.5 of the same rule.
The defendant has not submitted allegations to this proposal.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/9
In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,
ACTS
FIRST: The web page *** URL.1 provided me with a data collection form
personal data of possible people interested in the candidacy project
elections to the elections of the Official College of Graduates of E. F. and Sciences of
the Physical and Sports Activities of Madrid held on September 6, 2019
without having a Privacy Policy.
SECOND: B.B.B. with NIF *** NIF.1.
THIRD: The respondent asserts that he has withdrawn the aforementioned form and post
end of data processing.
FOURTH: It is proven, after the verification carried out on August 4,
2020, that the data collection form has been effectively withdrawn.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Agency for Data Protection is competent to resolve this
process.
II
The defendant is charged with committing an offense for violation of article 13
of the RGPD, regarding the information that must be provided when the data is
obtained from the interested party, which establishes that:
"one. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined and the legal basis
of the treatment;
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/9
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person in charge or a third party;
e) the recipients or categories of recipients of the personal data, in their
case;
f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this period;
b) the existence of the right to request the data controller access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability
of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to be
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3.When the controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information on that other purpose
and any additional pertinent information pursuant to section 2.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/9
4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
to the extent that the interested party already has the information. "
The violation of this article is classified as an infringement in article 83.5 of the RGPD,
which it considers as such:
"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of up to EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
[…] B) the rights of the interested parties pursuant to Articles 12 to 22; […]. "
For the purposes of the statute of limitations for the offense, article 72.1 of the LOPDGDD
establishes:
"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein, and, in particular, the
following:
[…] H) The omission of the duty to inform the affected party about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the Regulation
(EU) 2016/679. […] ”.
III
In accordance with the evidence available in the present
sanctioning procedure, it is considered that the website
www.unionccafyde.site123.me, responsibility of the claimed, kept a form
collection of personal data without providing in any way the information that
establishes article 13 of the RGPD.
Regarding the allegations presented by the defendant - in which
points out that there had been no intentionality on his part, the form had been
originally designed in compliance with the provisions of the RGPD and that for a
computer error had occurred the events object of the present procedure (without
provide evidence in this regard) -, it should be noted that article 5.1.a) of the RGPD
states the principle of "lawfulness, loyalty and transparency", a principle on which the
Recital 39: «All processing of personal data must be lawful and fair. For
it must be fully clear to natural persons that they are collecting, using,
consulting or otherwise processing personal data that concerns them, as well as
the extent to which such data is or will be processed. The principle of transparency
requires that all information and communication regarding the processing of said data be
easily accessible and easy to understand, and that simple and clear language is used.
This principle refers in particular to the information of the interested parties about the
identity of the person responsible for the treatment and the purposes of the same and the information
added to ensure fair and transparent treatment with respect to people
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/9
affected individuals and their right to obtain confirmation and communication of the data
personal that concern them that are object of treatment. Natural persons
must be aware of the risks, rules, safeguards and rights
relating to the processing of personal data as well as the way to enforce their
rights in relation to the treatment. In particular, the specific purposes of the
processing of personal data must be explicit and legitimate, and must
be determined at the time of collection. Personal data must be
adequate, relevant and limited to what is necessary for the purposes for which they are
treaties. This requires, in particular, to ensure that its use is limited to a strict minimum.
conservation period. Personal data should only be processed if the purpose of the
treatment could not reasonably be accomplished by other means. To ensure that
personal data is not kept longer than necessary, the person responsible for the
Treatment must establish deadlines for its deletion or periodic review. Must
all reasonable measures are taken to ensure that they are rectified or deleted
personal data that is inaccurate. Personal data must be a
a way that ensures adequate data security and confidentiality
personal data, including to prevent unauthorized access or use of said data and
of the equipment used in the treatment. "
Recital 60 links the duty of information with the principle of transparency,
by establishing that “The principles of fair and transparent treatment require that
inform the interested party of the existence of the treatment operation and its purposes. The
data controller must provide the interested party with all the information
is necessary to guarantee fair and transparent treatment,
taking into account the specific circumstances and context in which the
personal information. The interested party must also be informed of the profiling
and the consequences of such elaboration. If personal data is obtained from
interested parties, should also be informed if they are obliged to provide them and of the
consequences if they do not […] '. In this order, article 12.1 of the
RGPD regulates the conditions to ensure its effective implementation and article 13
specifies what information should be provided when the data is obtained from the
interested. In turn, article 11 LOPDGDD introduces the information rule by
layers when you have:
"one. When personal data is obtained from the affected party, the person responsible for the
treatment may comply with the duty of information established in article
13 of Regulation (EU) 2016/679, providing the affected party with basic information to the
referred to in the following section and indicating an email address or other
means that allows easy and immediate access to the rest of the information.
2. The basic information to which the previous section refers must contain, at the
less:
a) The identity of the person responsible for the treatment and their representative, if applicable.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679. […] »
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/9
Thus established the duty of information and the obligation, on the part of the person responsible for
carry out a transparent treatment, it cannot be ignored that article 5.2
of the RGPD establishes that «the data controller will be responsible for the
compliance with the provisions of section 1 and capable of demonstrating it
(“Proactive responsibility”) ». This means that, according to Articles 24 and 25
of the same legal text, the person in charge must guarantee the effective application of the
principles of treatment both at the time of determining the means of
treatment as during the treatment itself through the joint of a series
of measures, which must be periodically reviewed and updated.
This being the case, and even though in the present case the defendant had
proceeded, at the time of determining the means to design and implement
measures in accordance with guaranteeing compliance with the principle of transparency and
duty of information, this would not exempt you from continuing to be responsible for the effectiveness
of these measures during the entire time in which the collection and
processing of personal data, especially when in this case there has not been a
commissioning of the treatment to other actors.
IV
The corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, are established in article 58.2 of the RGPD. Between
They have the power to sanction with warning - article 58.2 b) -, the
Power to impose an administrative fine in accordance with article 83 of the RGPD
-article 58.2 i) -, or the power to order the person in charge of the treatment
that the processing operations comply with the provisions of the RGPD, when
proceed, in a certain way and within a specified period - article 58. 2
d) -.
According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.
Likewise, without prejudice to the provisions of article 83, the aforementioned RGPD provides the
possibility of sanctioning with warning, in relation to what is indicated in the
Recital 148:
"In the event of a minor offense, or if the fine likely to be imposed
constitutes a disproportionate burden for an individual, rather than
sanction by fine may be imposed a warning. It must however
pay special attention to the nature, severity and duration of the offense, its
intentional character, to the measures taken to alleviate the damages suffered,
the degree of responsibility or any relevant prior infringement, the way in which
that the supervisory authority has had knowledge of the infraction, to the fulfillment
of measures ordered against the person in charge or in charge, adherence to codes of
conduct and any other aggravating or mitigating circumstance. "
In the present case, when deciding the sanction to impose, they have taken into account
counts the following elements:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/9
That it is a natural person whose main activity is not related to the
processing of personal data.
That no recidivism is appreciated, as the commission of infractions is not recorded
previous.
Therefore, it is considered that the sanction that would correspond to impose is
warning, in accordance with the provisions of article 58.2 b) of the RGPD, in
relation to what is stated in Considering 148, cited above.
Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for an infraction of article 13 of the
RGPD, typified in article 83.5 of the RGPD, a sanction of APERCIBIMENTO.
SECOND: NOTIFY this resolution to B.B.B. and inform A.A.A ..
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/9
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
