AEPD - PS/00292/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 21 Law 34/2002 |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 28.11.2022 |
Fine: | 4000 EUR |
Parties: | MAX2PROTECT, S.L. |
National Case Number/Name: | PS/00292/2022 |
European Case Law Identifier: | PS |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | @patrikmatos |
The Spanish DPA fined a manufacturer of sanitary products €4,000 for sending unrequested and unauthorised commercial e-mails, as there was no evidence of the consent by the recipients.
English Summary
Facts
The data subject alleged he was constantly receiving spam messages in his mailbox from a company that manufactures antigen tests (the controller). The data subject had six different email addresses, on which he received spam messages from the controller. He decided to file a complaint with the DPA who started proceedings in this regard.
In defense, the controller claimed to be carrying out a campaign to promote its products through e-mails. Allegedly, the database for sending these e-mails was acquired from a central communication provider (“Datantify”) and also through public internet pages. The controller alleged that the data subject could have manually disabled the receipt of these advertisements, but only did so in one of his six e-mail addresses. Hence, he continued to receive commercial e-mails on the other five e-mails addresses.
Holding
According to the Spanish DPA, the controller did not present evidence of the consent given by the data subject for the sending of commercial e-mails as well as did not present the purchase agreement for the database, which it claims to have acquired and where the claimant's e-mail address was supposedly located.
Therefore, the company violated Article 21 of Law 34/2002, on Information Society Services and Electronic Commerce (LSSI), which prohibits the sending of advertising or promotional communications by e-mail that had not been previously requested or expressly authorised by the recipients.
The Spanish DPA imposed on the controller a fine of €4,000, as it considered that there was no evidence of the data subject's consent to receive commercial e-mails, nor of the database purchase contract that the controller claims to have acquired.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 Procedure No.: EXP202201667, (PS/00292/2022) RESOLUTION OF THE SANCTION PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following. BACKGROUND FIRST: Dated 01/12/22, you have entered this Agency, written submitted by D. A.A.A., (hereinafter, "the complaining party"), against MAX2PROTECT, S.L. with CIF.: B88606355, (hereinafter, "the claimed party"), in which it indicated, among other things, what Next: “I receive spam from covidtest@antigenos.es several times a day (attached the 6 commercial communications received dated 12-jan-2022). The website, Max2Protect SL, was already fined by the AEPD for similar events in the procedure No.: PS/00170/2021”. The claim document is accompanied by a copy of the following documentation a.- Copy of the email received at the claimant's address on 01/12/22 sent from the address <<B.B.B.>> covidtest@antigenos.es, containing commercial information. SECOND: On 02/10/22, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of December 5, Protection of Personal Data and Digital Rights Guarantee (LOPDGDD), this Agency sent writing to the claimed party requesting information regarding what is stated in the claim. THIRD: On 03/11/22, a response letter was received from the entity claimed to the request for information made by this Agency, in which, among others, indicates that: "From max2protect we were carrying out a campaign to promote our products through mailing, the databases for sending these mailings are purchased from the central communication provider and also taken through public internet pages. In the first image that we provide you can see that in the newsletter itself can be disabled. This user has 6 email accounts, but only disabled one of them as you can see on our server panel emails (second image) and that is why it continued to be sent to the others accounts. Through your notification we have learned that this person does not want receive any information from our company thus on the same day that we were aware of it, it was manually removed from our file as you can see in the third image”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/6 FOURTH: On 04/12/22, by the Director of the Spanish Agency for Protection of Data, an agreement is issued to admit the processing of the claim presented, in accordance with article 65 of the LPDGDD Law, when assessing possible rational indications of a violation of the rules in the field of competences of the Spanish Data Protection Agency. FIFTH: On 05/12/22, this Agency issued a request information to the claimed party, under the investigative powers granted to the control authorities in article 58.1 of Regulation (EU) 2016/679, of European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (RGPD). SIXTH: On 05/24/22, a response letter was received from the entity claimed to the information request made by this Agency, in which, among others, indicates: "We bought the datantify database: https://datantify.com/ It is possible that the User, by leaving his email on a website, accepted the privacy and cookies policy "I have read and accept the privacy policy" "accept cookies" of said website, transferring your personal data to third parties, therefore, the providers of the bbdd have said access and can use it for buying/selling. The "bbdd" that we buy are segmented by sectors, in this case, the health. The users that come in said database are related to the health sector, either because you visited a website, filled out a form, requested a quote, etc., our company sells a covid test and that is why we send you the mail. We did not receive any email from the owners to oppose, we found out who did not want to receive our newsletter when you sent us the notification and it was when we looked at mailrelay and saw that on 01/20/22 described from one of the accounts, but not from all of the ones he has, so he we did manually that day”. SEVENTH: On 06/07/22, the Board of Directors of the Spanish Agency for the Protection of Data signs the initiation of this disciplinary procedure against the entity claimed, when appreciating reasonable indications of violation of article 21 of the Law 34/2002, of July 11, on Services of the Information Society and Commerce Electronic (LSSI), regarding the sending of commercial communications without the necessary legitimation for this, imposing an initial sanction of 4,000 euros (four a thousand euros). EIGHTH: On 06/20/22, the defendant entity formulated, in summary, the following allegations to the initiation of the file: “Max2protect bought a database that the seller said was lawful No user we sent an email to complained about the email sent since any of them who did not want to receive more emails from us You could unsubscribe at the bottom of the body of the email sent (image 1). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/6 This user had 6 different email accounts (image 2) and that is why he 6 emails arrived in one day, one to each account, but only unsubscribed in one of them, the other 5 accounts remained active until we received your notification and we manually remove the other 5 accounts from our database to not receive any more mail from us. The user complains because he received 6 emails, but it is because he has 6 accounts, for please take it into account. We have not done anything illegal nor have we intended to do so. NINTH: On 07/22/22, the respondent entity is notified of the proposed resolution in which it was proposed that, by the Director of the Spanish Agency for Protection of Data proceed to sanction the entity, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Procedure Common Administrative Council of Public Administrations (LPACAP), with a sanction of 4,000 euros (four thousand euros) for the violation of article 21 LSSI, for sending commercial communications without the necessary legitimacy for it. Once the proposed resolution was notified to the claimed entity, as of today, there is no evidence in this Agency of the receipt of any type of written allegations to said proposal. PROVEN FACTS First: According to the complainant, he receives spam emails from covidtest@antigenos.es whose ownership belongs to the entity Max2Protect SL, and indicates that this entity was already fined by the AEPD for similar acts in the procedure No.: PS/00170/2021. To corroborate what was said in the claim, Attach the following documentation: - The screenshot of the inbox of the mail accounts e-mail (ALL INBOXES) in which reference to six emails incoming emails from “B.B.B.” and with the subject: “Test Nasal-antigens-saliva-swab from 2.9…” - Screenshot of the headers and content of a dated email 01/12/22, sent from the address covidtest@antigenos.es to the address email of the claimant with the subject: "Test Antigens-nasal-saliva- swab from 2.95”. Second: The legal notice of the website www.antigenos.es identifies MAX2PROTECT, S.L. as responsible for it. This website has a privacy policy that offers an electronic address where to exercise the opposition or request the revocation of consent. Third: According to the claimed entity, the email addresses for the sending this advertising are purchased from the central communication provider (DATANTIFY) or are obtained from public Internet pages. In the document provided as "Privacy Policy", together with the letter of allegations to the initiation of the file can be read, among others, the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/6 2. How do we collect your data? Some are collected when you give them to us. provides. Other data is collected automatically by technicians, as the browser and the automatic operating system as soon as it enters our website (…)”. Notwithstanding the foregoing, the claimed entity does not provide accreditation of the consent given by the claimant for the remission of commercial emails. FUNDAMENTALS OF LAW I - Competition. It is competent to initiate and resolve this Disciplinary Procedure, the Director of the Spanish Data Protection Agency, in accordance with the provisions of the art. 43.1, second paragraph, of the LSSI Law. II.- Regarding the offense committed by sending advertising emails without consent of the interested party. In the present case, the claimant states that he has received 6 emails, but it only provides the internet headers of one of them For its part, the claimed entity acknowledges the sending of the communications and indicates that you bought a database that the seller said was legal. It is also indicated that, in the emails, it is reported that, if you do not want to receive more, You can unsubscribe at the bottom of the body of the email sent and that 6 emails were sent emails to the claimant because the claimant had 6 accounts. However, all of this, the defendant does not provide proof of consent provided by the claimant for the sending of commercial emails and the purchase contract for the database, which he claims to have purchased and where found the complainant's email address. In this sense, article 21 of the LSSI, on the sending of communications without the prior consent of the interested party, provides the following: "1. The sending of advertising or promotional communications is prohibited by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of these. 2. The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider had obtained lawful contact details of the recipient and will use them to send commercial communications regarding products or services of your own company that are similar to those that were initially the subject of contracting with the client. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/6 In any case, the provider must offer the recipient the possibility of oppose the processing of your data for promotional purposes through a simple and free procedure, both at the time of data collection as in each of the commercial communications that you direct. When the communications have been sent by email, said means must necessarily consist of the inclusion of an address email or other valid electronic address where you can exercise this right, being prohibited the sending of communications that do not include that address.” In accordance with the available evidence, it is considered that the facts exposed, suppose the violation of article 21 of the LSSI. The aforementioned offense is classified as minor in art. 38.4.d) of said rule, which qualifies as such, "The sending of commercial communications by mail electronic or other equivalent electronic means of communication when in said shipments do not meet the requirements established in article 21 and do not constitute Serious offense". In accordance with the precepts indicated, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction to be imposed in In the present case, it is considered appropriate to graduate the sanction to be imposed in accordance with the following aggravating criteria established in article 40 of the LSSI: - Section c): Recidivism for committing infractions of the same nature, when it has been so declared by firm resolution: It appears in the Information System of the General Subdirectorate of Data Inspection (SIGRID) a Disciplinary Procedure (PS/00170/2021) in which, dated of 08/16/21, the Director of the Spanish Data Protection Agency resolves to impose on the entity, MAX2PROTECT, S.L., for the infringement of the Article 21 of the LSSI, a penalty of 2,000 euros (two thousand euros), with respect to the sending commercial communications without the express consent of the same addressee. Said sanction was finalized in administrative proceedings on 10/17/21. Pursuant to the foregoing, the Director of the Spanish Agency for Data Protection, RESOLVES: FIRST: IMPOSE the entity, MAX2PROTECT, S.L. with CIF.: B88606355, a penalty of 4,000 euros (four thousand euros) for the violation of article 21 LSSI, for sending commercial communications without the necessary legitimacy for it. SECOND: NOTIFY this resolution to the entity MAX2PROTECT, S.L THIRD: Warn the penalized party that the sanction imposed must make it effective once this resolution is enforceable, in accordance with the provisions of Article Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, within the voluntary payment period indicated in the Article 68 of the General Collection Regulations, approved by Royal Decree C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/6 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it in the restricted account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in executive period. Once the notification has been received and once executed, if the execution date is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following or immediately following business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified. Against this resolution, which puts an end to the administrative procedure (article 48.6 of the LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, interested parties may optionally file appeal for reversal before the Director of the Spanish Agency for Data Protection within a month from the day following notification of this resolution or directly contentious-administrative appeal before the Chamber of contentious-administrative of the National Court, in accordance with the provisions of the article 25 and in section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within the period of two months from the day following the notification of this act, according to what provided for in article 46.1 of the aforementioned legal text. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public, the firm resolution may be temporarily suspended in administrative proceedings if The interested party declares his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative proceedings within a period of two months from the day following the Notification of this resolution would terminate the precautionary suspension. Mar Spain Marti Director of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es