AEPD - EXP202202164 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1) GDPR Article 13 GDPR Article 83(5) GDPR Article 83(6) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 16.01.2022 |
Decided: | 28.09.2022 |
Published: | 28.09.2022 |
Fine: | 2,000 EUR |
Parties: | n/a |
National Case Number/Name: | EXP202202164 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | mgrd |
AEPD fined in €2,000 a website for non-GDPR compliant privacy policy, violating Article 13 GDPR.
English Summary
Facts
On January 16, 2022 the data subject complaint against ORI S.L. for not having a privacy policy on the website in which personal data are collected through multiple forms, only one of them informs about the processing of personal data.
During the procedure, the data subject included different screenshots of the website.
On March, 2022, AEDP sent a notification to the data controller to, within a period of one month, to inform of the actions taken to adapt to the requirements set forth in the data protection regulations.
On June, 2022, ORI replied stating that all the sections of the web page contained informative boxes where they are obliged to communicate to the users with the following concept: "I agree that my personal data provided in the contact form be electronically processed and used for the purpose of contacting me. I am aware that I can remove my consent at any time".
Holding
AEPD fined the data controller in €2,000 for non-GDPR compliant website without privacy policy, violating Article 13 GDPR.
On September 26, 2022, the data controller made the voluntary payment of the fine and acknowledged its liability, leading to a reduce of the fine to €1,200.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 File No.: EXP202202164 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On August 26, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against ORI, S.l. (onwards, the claimed party), through the Agreement that is transcribed: << File No.: EXP202202164 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: A.A.A. (hereinafter, the complaining party) dated January 16, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The motives on which the claim is based are the following: Expresses the lack of privacy policy of the website where data is collected personal data through multiple forms, only one informs about the treatment of data, violating data protection regulations. Along with the notification, the following is provided: -Screenshot of a Google search for the domain ***URL.1, which offers several results on Facebook, Instagram, tik tok... -Screenshot of the detail of the BORME of ORI SL, in which they appear as the sole partner and sole administrator B.B.B. -Screenshot of the page “***URL.1/register/” on which a registration form appears contact in which personal data is requested, and the privacy policy is not indicated. privacy. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/10 -Screenshot of the page “***URL.1/hazte-soci” on which a registration form appears contact in which personal data is requested, and the privacy policy is not indicated. privacy. -Screenshot of the page “***URL.1/solicita-tu-catalog/” in which a contact form in which personal data is requested, and the policy is not indicated of privacy, although the following text is added at the end of the questionnaire: “I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time” -Screenshot of the page “***URL.1/starter-kit/” on which a registration form appears contact in which personal data is requested, and the privacy policy is not indicated. privacy, although the following text is added at the end of the questionnaire: “I accept that my Data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time” -Screenshot of the page “***URL.1/register/” on which a registration form appears contact in which personal data is requested, with a link appearing at the end of it to the privacy policy. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to ORI, so that proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the acknowledgment of receipt that appears in the file. No response has been received to this transfer letter. THIRD: On April 16, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: On 06/09/2022, a letter was received from the ORI administrator in which states that in all sections of the website ***URL.1 there are all the information boxes where they are forced to communicate to users a box with the following concept: “I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting with me. I am aware that I can revoke my consent at any time. moment" FOUNDATIONS OF LAW Yo C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/10 In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II In accordance with article 5.1 of the RGPD, the processing of personal data must be governed by the following principles: "1. The personal data will be: a) treated in a lawful, loyal and transparent manner with the interested party (…) 2. The person responsible for the treatment will be responsible for compliance with the provisions in section 1 and capable of demonstrating it” One of the manifestations of the principle of transparency is the right that the RGPD grants the data owners to receive information and the corresponding obligation that requires the person responsible for the treatment to provide the interested party with the information that They detail articles 12, 13 and 14 of the GDPR. These last two provisions contemplate two different assumptions: That the data is obtained directly from the interested party (article 13), as happens in the forms of collection of data that ORI has included in the website of which it is the owner, or that the data is not obtained from the interested party (article 14). Article 13 of the GDPR states: "1. When personal data relating to him or her is obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide you all information indicated below: a) the identity and contact details of the person responsible and, where applicable, their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing for which the personal data are intended and the legal basis of the treatment; d) where the processing is based on Article 6, paragraph 1, letter f), the interest legitimate of the person responsible or a third party; e) the recipients or categories of recipients of the personal data, in their case; f) where applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of the transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/10 adequate or appropriate safeguards and the means to obtain a copy of these or to the fact that they have been lent. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the data is obtained personal, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this period; b) the existence of the right to request from the data controller access to the data personal data relating to the interested party, and its rectification or deletion, or the limitation of your treatment, or to oppose the treatment, as well as the right to portability of the data c) when the processing is based on Article 6(1)(a) or Article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to which refers to article 22, paragraphs 1 and 4, and, at least in such cases, information significant information about the applied logic, as well as the importance and consequences foreseen of said treatment for the interested party. 3. When the data controller plans subsequent data processing personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information about that other purpose and any additional information relevant under paragraph 2. 4. The The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent “that the interested party already has the information.” Recitals 39 and 60 of the GDPR help clarify the scope of the right of information provided to interested parties. Recital 39 establishes: “All processing of personal data must be lawful and loyal. For natural persons it must be completely clear that they are being collected, using, consulting or otherwise processing personal data that they concern, as well as the extent to which said data is or will be processed. The beginning Transparency requires that all information and communication related to the treatment of said data is easily accessible and easy to understand, and that a language is used simple and clear. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes of the same and to the added information to guarantee fair and transparent treatment with regarding the affected natural persons and their right to obtain confirmation and communication of personal data that concerns them that are subject to treatment. Natural persons must be aware of the risks, rules, safeguards and rights relating to the processing of personal data, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/10 as well as the way to assert your rights in relation to the treatment. In In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. […].” Considering 60 clarifies that “The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The person responsible for the treatment must provide the interested party with additional information is necessary to guarantee fair treatment and transparent, taking into account the specific circumstances and context in which process personal data. The interested party must also be informed of the existence of profiling and the consequences of such profiling. If the data personal data are obtained from the interested parties, they must also be informed of whether they are obliged to provide them and the consequences if they did not do so.” In the present case, having examined the forms contained in the web pages of ORI in which personal data is requested, it is observed that in at least five of They are not informed of the company's privacy policy. Therefore, in accordance with the evidence available at this time agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered that the known facts could constitute a infringement, attributable to ORI, for violation of article 13 of the RGPD III If confirmed, the aforementioned violation of article 13 of the RGPD could mean the commission of the infractions classified in article 83.5 of the RGPD that under the The section “General conditions for the imposition of administrative fines” provides: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: (…) b) the rights of the interested parties under articles 12 to 22; (…)” In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result contrary to this organic law.” For the purposes of the limitation period, article 72 of the LOPDGDD indicates: "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/10 h) The omission of the duty to inform the affected person about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law.” IV For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence currently available agreement to initiate the sanctioning procedure, and without prejudice to what results from the instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with the criteria established in article 83.2 of the RGPD. Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD. If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the period that is specified in the sanctioning resolution, proceed to complete the privacy on all pages that collect personal data, without prejudice to others that could arise from the instruction of the procedure, in accordance with the provisions in the aforementioned article 58.2 d) of the RGPD, according to which each control authority may “order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period….” The imposition of This measure is compatible with the sanction consisting of an administrative fine, according to The provisions of the art. 83.2 of the GDPR. Please note that failure to comply with the requirements of this organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1, for the alleged violation of Article 13 of the RGPD, typified in Article 83.5 of the GDPR. SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S. indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Legal Department of the Public Sector (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Inspection of Data in the actions prior to the start of this sanctioning procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/10 FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be, for the alleged violation of article 13 of the RGPD, typified in article 83.5 of said regulation, administrative fine of amount 2,000.00 euros FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it a hearing period of ten business days to formulate the allegations and present the evidence you consider appropriate. In his brief of allegations You must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period you do not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in the article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement; which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at 1,600.00 euros, resolving the procedure with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, The penalty would be established at 1,600.00 euros and its payment will imply termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with that corresponding apply for recognition of responsibility, provided that this recognition of the responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at 1,200.00 euros. In any case, the effectiveness of any of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective by depositing it into account number ES00 0000 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which it is accepted. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/10 Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months counting from the date of the initiation agreement or, where applicable, of the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. In compliance with articles 14, 41 and 43 of LPACAP, it is noted that, as far as Subsequently, the notifications sent to you will be made exclusively electronically, through the Unique Enabled Electronic Address (dehu.redsara.es) and the Electronic Notification Service (notifications.060.es), and that, if you do not access their rejection will be recorded in the file, considering the procedure completed and following the procedure. You are informed that you can identify before this Agency an email address to receive the notice of making available the notices and that failure to comply with this notice will not prevent the notice be considered fully valid. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. 935-110422 Sea Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On September 26, 2022, the claimed party has proceeded to payment of the penalty in the amount of 1,200 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to The opening of the procedure entails the renunciation of any action or appeal pending. administrative against sanction and recognition of responsibility in relation to the facts referred to in the Initiation Agreement. FOURTH: In the initiation Agreement transcribed previously it was stated that, If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” Having recognized responsibility for the infraction, the imposition of penalties proceeds. the measures included in the Initiation Agreement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/10 FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/10 According to what was indicated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202202164, of in accordance with the provisions of article 85 of the LPACAP. SECOND: REQUIRE ORI, S.l. so that within a period of one month notify the Agency the adoption of the measures described in the legal bases of the Initiation Agreement transcribed in this resolution. THIRD: NOTIFY this resolution to ORI, S.l.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1259-070622 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es