AEPD (Spain) - PS/00189/2020
From GDPRhub
| AEPD - PS/00189/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 58(2) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 18.11.2020 |
| Fine: | 2000 EUR |
| Parties: | Anmavas 61, S.L. (La Cueva Sex Club) |
| National Case Number/Name: | PS/00189/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | Miguel Garrido de Vega |
The Spanish DPA (AEPD) imposed a fine of €2000 on the sex club company Anmavas 61, S.L. for not granting (nor reasonably denying) the right to erasure, even after receiving a warning by the AEPD, and the consequent infringement of Article 58(2) GDPR.
English Summary
Facts
The decision is the consequence of a complaint submitted by a Spanish citizen (the claimant) stating that he had requested his right to erasure to the defendant, but that he did not receive any kind of answer.
Dispute
The AEPD requested the defendant to grant or to reasonably deny such right to erasure to the claimant within a period of ten days. The defendant did not answer any requirements of the AEPD, so the AEPD started the corresponding sanction procedure.
Holding
Thus, the AEPD understood that the defendant has infringed Article 58(2) GDPR, as it did not give any answer to the claimant when he requested his right to erasure, nor it followed the request of the AEPD. Consequently, after considering some circumstances [(i) there is a wilful misconduct by the defendant, and (ii) basic personal data have been affected], the AEPD decided to impose a fine of € 2000 to the defendant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8
Procedure Nº: PS / 00189/2020
938-300320
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:
BACKGROUND
FIRST: The Spanish Agency for Data Protection proceeded to open the guardianship of
law, TD / 00128/2019, upon having knowledge of the following facts:
On November 23, 2018, D. A.A.A. (hereinafter, the claimant) exercised the
right of deletion before the entity ANMAVAS 61, S.L. (LA CUEVA SEX CLUB) with NIF
B01528736 (hereinafter, the claimed one), without your request having received the
legally established reply.
The complaining party provided various documentation on the exercise of the right
exercised.
On January 15, 2019, this Agency through the Support of the
Electronic Notifications and Enabled Address (Notific @ platform), put to
disposition of the defendant the claim presented by the claimant party and 25 of
January 2019 the person responsible for the treatment accepts the Electronic Notification, to
that within a maximum period of one month the allegations that
consider convenient, as well as the relevant documentation related to the procedures
carried out to facilitate the right exercised or the reasoned refusal, without having
received in this Agency written allegations.
On March 26, 2019, in accordance with article 65.4 of the Organic Law
3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights and for the purposes provided in its article 64.2, the Director of the
Spanish Data Protection Agency agreed to admit the claim for processing
presented by the complaining party against the claimed party and it is agreed to transfer the
claim, so that within fifteen business days present the allegations that
considers convenient and the parties are informed that the maximum to resolve the
procedure will be six months.
On April 4, 2019, this Agency through the Support of the
Electronic Notifications and Enabled Address (Notific @ platform), put
The claim presented by the party is again available to the defendant
claimant and on April 5, 2019, the person responsible for the treatment accepts the
Electronic Notification, so that within a maximum period of fifteen present the
allegations that they consider appropriate, without having received in this Agency a written
allegations.
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8
SECOND: The Director of the Spanish Agency for Data Protection, issued on July 23,
2019, resolution of protection of right TD / 00128/2019, proceeding to “estimate the
claim made by D. A.A.A. and urge the claimed party to, within the period of
ten business days following notification of this resolution, send to the party
Claimant certification stating that he has met the right of deletion
exercised by the latter or is reasonedly denied indicating the reasons for which the
requested deletion. Actions carried out as a consequence of this Resolution
They must be communicated to this Agency within the same period. Failure to comply with this resolution
could lead to the commission of the offense typified in article 72.1 m) of the LOPDGDD,
to be sanctioned, in accordance with art. 58.2 of the RGPD ”.
Said agreement was notified through the Notification Service Support
Electronic and Authorized Address (Notific @ platform) to the claimed party, stating
as not withdrawn on August 4, 2019.
THIRD: On August 29, 2019 and February 25, 2020, it was received at this Agency
two submissions from the claimant in which he states that after the time limits granted
the claimed party failed to comply with said resolution.
Despite having upheld the resolution regarding the right to erasure, which was not
attended, the claimed party still does not attend.
The claimant requested the right of deletion, therefore he claims to this Agency that
act accordingly.
FOURTH: The claimed entity has not sent the claimant certification in which it makes
certify that the right of deletion exercised by him or her has been denied
motivated indicating the reasons why the requested deletion does not proceed, despite the
resolution of protection of right TD / 00128/2019 issued by the Director of the Agency
Spanish Data Protection.
FIFTH: On July 1, 2020, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged infraction of the
Article 58.2 of the RGPD, typified in Article 83.5 e) of the
RGPD.
Said agreement was notified through the Notification Service Support
Electronic and Authorized Address (Notific @ platform) to the claimed party, stating
as not withdrawn on July 12, 2020.
SIXTH: Formally notified of the initiation agreement, the one claimed at the time of this
resolution has not submitted a brief of allegations, so what is indicated in
Article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of
the Public Administrations, which in its section f) establishes that in case of not carrying out
allegations within the term provided on the content of the initiation agreement, this may be
considered a motion for a resolution when it contains a precise pronouncement about
the imputed responsibility, for which a Resolution is issued.
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8
In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,
ACTS
FIRST: On November 23, 2018, the claimant exercised the right of deletion
before the claimed, without your request having received the legally established answer.
SECOND: The claimed entity has not sent the claimant certification in which it makes
certify that the right of deletion exercised by him or her has been denied
motivated indicating the reasons why the requested deletion does not proceed, despite the
resolution of protection of right TD / 00128/2019 issued by the Director of the Agency
Spanish Data Protection.
THIRD: On July 1, 2020, this sanctioning procedure was initiated for the violation of the
Article 58.2 of the RGPD, being notified on July 12, 2020. Not having carried out
allegations, the one claimed, to the initial agreement.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Agency
Spanish Data Protection is competent to resolve this procedure.
II
Article 58 of the RGPD, "Powers", says:
“2 Each supervisory authority shall have all the following corrective powers
listed below:
(…)
b) punish any person in charge or in charge of the treatment with warning when the
treatment operations have infringed the provisions of this
Regulation;
(...)
d) order the person in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where appropriate, of a certain
manner and within a specified time.
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of the particular case.
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8
III
The RGPD deals in its article 58 with the powers of each control authority. The
section 1.a) provides:
"1. Each supervisory authority will have all the powers of investigation indicated
then:
a) order the person in charge and the person in charge of the treatment and, where appropriate, the representative
of the person in charge or the person in charge, who provide any information required for the
performance of their duties.
The offense for which the claimed entity is responsible is classified
in article 83 of the RGPD that, under the heading “General conditions for the imposition of
administrative fines ”, it states:
"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of 20,000,000 Euros or, in the case of
a company, of an amount equivalent to a maximum of 4% of the total turnover
annual global of the previous financial year, opting for the highest amount:
e) failure to comply with a resolution or a temporary or definitive limitation of the
treatment or suspension of data flows by the supervisory authority with
pursuant to article 58 (2), or failure to provide access in breach of article 58,
Paragraph 1."
Organic Law 3/2018, on Protection of Personal Data and Guarantee of Rights
Digital (LOPDGDD) in its article 72.1 m), under the rubric “Infractions considered very
grave ”provides:
"1. In accordance with the provisions of article 83.5 of Regulation (E.U.) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following:
(…)
m) Failure to comply with the resolutions issued by the protection authority of
competent data in exercise of the powers conferred by article 58.2 of the
Regulation (EU) 2016/679. "
IV
In the case analyzed here, it has been proven that the claimant exercised his
right of deletion before the claimed entity, your request did not obtain the answer
legally enforceable.
Likewise, after the evidence obtained, there is no record that the claimed party attended the
right of the claimant, as required by the Director of the Protection Agency
of Data, in the estimated resolution of the protection of right TD / 00128/2019, consisting of
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8
send the claimant a certification stating that he has met the right to
deletion exercised by the latter or justly denied, it should be considered that the entity
claimed violated article 83.5.e) of the RGPD, which sufficiently motivates the present
sanctioning procedure.
It is clear that on August 4, 2019 the resolution of legal protection was notified
to the claimed party, urging it to, within the following ten business days, send
certification to the claimant stating that he has complied with the right to erasure
exercised by the latter, or is reasonedly denied indicating the reasons for which the
requested deletion, however, it has not been verified that any of the
the two senses.
It must be stated that the claim was transferred to the claimed party on
January and April 4, 2019, with January 25 and April 5 as the acceptance date
of the same year.
On July 24, 2019, compliance with said
resolution with the date of receipt and not withdrawn on August 4, 2019.
On July 12, 2020, the agreement to initiate this proceeding was notified
sanctioner, without having made any allegations to it.
V
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:
"Each supervisory authority will guarantee that the imposition of administrative fines
in accordance with this article for the infractions of this Regulation indicated in the
Sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. "
"Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures referred to in article 58,
section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount
in each individual case, the following will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature, scope
o purpose of the treatment operation in question as well as the number of interested parties
affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person in charge or in charge of the treatment to alleviate the
damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account
the technical or organizational measures that have been applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement
and mitigate the possible adverse effects of the violation; g) the categories of data from
personal character affected by the offense;
h) the way in which the supervisory authority learned of the infringement, in
In particular if the person in charge or the person in charge notified the infringement and, if so, to what extent;
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the same
subject, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly, through
through the offense. "
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions
and corrective measures ”, provides:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender's activity with the performance of treatments
of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the
commission of the offense.
e) The existence of a process of merger by absorption subsequent to the commission of
the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) To have, when not mandatory, a delegate for the protection of
data.
h) The submission by the person in charge or in charge, with character
voluntary, to alternative conflict resolution mechanisms, in those cases where the
that there are controversies between those and any interested party. "
In accordance with the transcribed precepts, in order to set the amount of the sanction of
fine to be imposed in the present case on the entity claimed as responsible for a
offense typified in article 83.5.e) of the RGPD, the following are considered concurrent
factors:
- The intentionality or negligence of the infringement (83.2b) of the RGPD.
- Basic personal identifiers (83.2 g) RGPD are affected.
The sanction to be imposed on ANMAVAS 61, S.L. (LA CUEVA SEX CLUB) with
NIF B01528736 and set it at the amount of € 2,000 for the violation of article 58.2 of the RGPD.
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8
Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the Agency
Spanish Data Protection RESOLVES:
FIRST: IMPOSE ANMAVAS 61, S.L. (LA CUEVA SEX CLUB), with NIF
B01528736, for a violation of Article 58.2 of the RGPD, typified in Article 83.5 of the
RGPD, a fine of two thousand euros (2,000 euros).
SECOND: NOTIFY this resolution to ANMAVAS 61, S.L. (LA CUEVA SEX CLUB).
THIRD: Warn the sanctioned person that the sanction imposed must be effective once the
This resolution is executive, in accordance with the provisions of art. 98.1.b) of the law
39/2015, of October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter LPACAP), within the voluntary payment period established in art. 68 of
General Regulation of Collection, approved by Royal Decree 939/2005, of July 29, in
relationship with art. 62 of Law 58/2003, of December 17, by means of your entry, indicating the
NIF of the sanctioned person and the procedure number that appears in the heading of this
document, in the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of
the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.
Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment
will be until the 20th day of the following or immediately subsequent business month, and if it is among the
16th and last day of each month, both inclusive, the payment term will be until the 5th of the second
next month or immediately after business.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties
They may optionally file an appeal for reconsideration before the Director of the Agency
Spanish Data Protection Agency within a month from the day after the
notification of this resolution or directly administrative contentious appeal before the Chamber
of the Contentious-administrative of the National Court, in accordance with the provisions of the
Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13
July, regulating the Contentious-administrative Jurisdiction, within two months to
count from the day after notification of this act, as provided in article 46.1
of the referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the interested party
expresses its intention to file an administrative contentious appeal. If this is the case,
the interested party must formally communicate this fact by writing to the Agency
Spanish Data Protection, presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also
forward to the Agency the documentation that proves the effective filing of the appeal
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8
contentious-administrative. If the Agency was not aware of the filing of the
contentious-administrative appeal within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
