AEPD (Spain) - PS/00320/2020

From GDPRhub
AEPD - PS/00320/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(11) GDPR
Article 6(1) GDPR
Article 58(2)(i) GDPR
Article 83(2)(f) GDPR
Article 83(2)(g) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: 6000 EUR
Parties: n/a
National Case Number/Name: PS/00320/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) fined an accommodation services company €6000 for signing a contract on behalf of the claimant without their consent.

English Summary

Facts

An action for breach of contract was filed against the claimant. The claimant stated that they only became aware of the contract when the lawsuit was filed, because the respondent (the accommodation company) had signed the contract on the claimant’s behalf without the claimant knowing.

Dispute

Were the actions of the respondent a violation of the GDPR?

Holding

The AEPD held that the actions of the company violated Article 6 GDPR. According to the decision, acting as the claimant’s personal representative and signing a contract on their behalf without their consent, meant that the company had processed the claimant’s personal data without a lawful ground for doing so.

The AEPD fined the company €6000. They considered the respondent’s lack of cooperation with the AEPD during the investigation of the complaint, and the respondent’s use of the claimant’s basic personal identifiers (name, address and ID number) during the processing, to be aggravating factors in determining the amount of the fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                1/6








     Procedure No.: PS / 00320/2020

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                  BACKGROUND



FIRST: D. A.A.A., in the name and on behalf of D. B.B.B. (hereinafter, the
claimant) on April 16, 2020 he filed a claim with the Agency
Spanish Data Protection. The claim is directed against Servicio de
Responsible Accommodations, S.L. with NIF B19517911 (hereinafter, the claimed one).


       The claimant states that, in March 2019, he had knowledge of the
existence of a lawsuit filed against him for breach of contract
deposit supposedly held on July 10, 2018, in which the entity
denounced claimed the status of her legal representative and signed the contract in

your name, without authorization or representation for it. The
treatment of the claimant's personal data without legal basis.

       Provides the deposit contract dated July 10, 2018.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD), which has provided a mechanism, prior to the admission for processing of the
claims made before the Spanish Agency for Data Protection,
consisting of transferring them to the Data Protection Delegates designated by
those responsible or in charge of the treatment, for the purposes provided in article 37

of the aforementioned norm, or to them when they have not been designated, the
claim presented by the claimant to the defendant, to proceed with his
analysis and respond to this Agency within a month.

      Within the framework of file E / 03725/2020, by means of a document signed on June 5

2020, the claim was transferred to the defendant requesting that, in the
within a month, send the following information: 1. The decision adopted to
purpose of this claim. 2. In the event of exercise of rights
regulated in articles 15 to 22 of the RGPD, accreditation of the response provided to the
claimant.

      Thus, the defendant was notified electronically on June 9,
2020, as evidenced by the certificate issued by the FNMT that works in the
proceedings.

      After the period granted to the claimed person without having responded to the
request for information, in accordance with the provisions of article 65.2 of the

LOPDGDD, the agreement for admission for processing is signed on September 16 of this year
of this claim.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6








THIRD: On October 8, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of Article 6.1 of the RGPD, typified in Article 83.5.a) of the

RGPD.
Said agreement was notified electronically on October 20, 2020 at
reclaimed.

FOURTH: Formally notified of the initiation agreement, the one claimed at the time of the

This resolution has not submitted a brief of allegations, so it is
application of the provisions of article 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, which in its
Section f) establishes that in case of not making allegations within the established period
on the content of the initiation agreement, it may be considered a proposal for
resolution when it contains a precise pronouncement about the responsibility

imputed, for which a Resolution is issued.

In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,

                                      ACTS


FIRST: That the defendant claimed the status of legal representative of the
claimant and signed a deposit contract on July 10, 2018 in his name and
consigning the personal data of the claimant, without authorization or
representation for it.


SECOND: It is stated in the deposit contract signed on July 10, 2018, that the
claimed acts as the legal representative of the claimant, acted on behalf of and
representation of the claimant, signing on their behalf and providing the data
claimant's personal.


THIRD: On October 8, 2020, this sanctioning procedure was initiated by the
alleged violation of article 6.1) of the RGPD, being notified on October 20,
2020. Not having made any allegations, the claimed one, to the initiation agreement.



                           FOUNDATIONS OF LAW

                                           I

       By virtue of the powers that article 58.2 of the RGPD recognizes to each

control authority, and as established in articles 47 and 48 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate
and to solve this procedure.

                                           II


       Organic Law 3/2018, of December 5, on the Protection of Personal Data
and guarantee of digital rights, in its article 4.11 defines the consent of the
interested as “any manifestation of free will, specific, informed and

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6








unequivocal by which the interested party accepts, either through a declaration or a
clear affirmative action, the processing of personal data that concerns you ”.


        Article 6.1 of the RGPD establishes the following:

        1. The treatment will only be lawful if at least one of the following is met
terms:

        a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;

        b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
pre-contractual;

        c) the treatment is necessary for the fulfillment of a legal obligation
applicable to the person responsible for the treatment;

        d) the treatment is necessary to protect vital interests of the interested party or
of another natural person;

        e) the treatment is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers conferred on the person responsible for
treatment;

        f) the treatment is necessary for the satisfaction of legitimate interests
pursued by the data controller or by a third party, provided that on

said interests do not prevail the interests or the rights and freedoms
fundamental data of the interested party that require the protection of personal data, in
particular when the interested party is a child.

        The provisions of letter f) of the first paragraph shall not apply to the
treatment carried out by public authorities in the exercise of their functions.

        In this sense, Article 6.1 of the RGPD establishes that “in accordance with

the provisions of article 4.11 of Regulation (EU) 2016/679, is understood as
consent of the affected party any manifestation of free will, specific,
informed and unequivocal by which it accepts, either through a statement or
a clear affirmative action, the treatment of personal data that concerns him ”.



                                             III

      According to the available evidence, it is considered that the
facts denounced, that is, that the defendant acted as the legal representative of the

claimant, intervened on behalf and on behalf of the claimant, signing in his
name and consigning the personal data of the claimant, without any legitimation
on the part of the claimed party, constitutes an infringement of the principle of legitimation in the
data processing.

      This action assumes that he processed the personal data of the claimant (name,

surnames and D.N.I.), without having legitimacy for the treatment of the data of the
claimant, thereby violating art. 6 of the RGPD.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








      Well, with regard to the facts that are the subject of this claim,
We must emphasize that the defendant, despite the repeated requests he received from the
AEPD to explain the facts about which it relates, never answered or

provided any evidence that would allow estimating that the treatment of the data of the
claimant had been legitimate.

      We refer on the matter to the request for information that the AEPD
addressed the defendant within the framework of E / 03725/2020. Request whose reception by him
It is proven (certificate issued by the FNMT) that it happened on June 9,

2020.

      However, no response was received and on September 16,
this year the claim was agreed to be admitted for processing. Reminder that,
limited to the violation of article 6.1. of the RGPD, its purpose is to put

it is clear that the respondent has had ample opportunities to provide evidence or
documents that certify that, contrary to the statements and evidence
documents provided by the claimant, the data processing that is the subject of
The assessment in this case was adjusted to the Law.

      Likewise, the notification of the Agreement to initiate this procedure, which

was notified electronically on October 20, 2020, without stating allegations
the same.

      The lack of diligence displayed by the entity in complying with the
Obligations imposed by the regulations for the protection of personal data

It is thus obvious. A diligent compliance with the principle of legality in the treatment
of third-party data requires that the person responsible for the treatment is in conditions
to prove it (principle of proactive responsibility)

      In short, there is evidence in the file that the defendant treated the

personal data of the claimant without standing for it. The behavior described
violates article 6.1. of the RGPD and is subsumable in the sanctioning type of the article
83.5.a, of the RGPD.


                                           IV


       Article 72.1.b) of the LOPDGDD states that “depending on what it establishes
Article 83.5 of Regulation (EU) 2016/679 are considered very serious and
The infractions that suppose a substantial violation will prescribe after three years
of the articles mentioned therein and, in particular, the following:


    c) The processing of personal data without any of the conditions
    of legality of the treatment in article 6 of Regulation (EU) 2016/679. "

                                            V


       Article 58.2 of the RGPD provides the following: “Each control authority
will have all of the following corrective powers listed below:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6








       b) sanction any person responsible or in charge of the treatment with
warning when the processing operations have violated the provisions of
these Regulations;


       d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time;

       i) impose an administrative fine in accordance with article 83, in addition or in

place of the measures mentioned in this section, depending on the circumstances
of each particular case;

                                           SAW


       This offense can be sanctioned with a fine of € 20,000,000 maximum
or, in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the
higher amount, in accordance with article 83.5 of the RGPD.

       Likewise, it is considered that the sanction to be imposed should be adjusted according to

with the following criteria established in article 83.2 of the RGPD:

       As aggravating factors the following:

       - The null cooperation with the AEPD in order to remedy the infraction and
mitigate its effects (article 83.2.f, of the RGPD)

       -Basic personal identifiers (name,

surname, address, D.N.I.) (article 83.2 g).

       Therefore, in accordance with the applicable legislation and the criteria of

graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE SERVICIO DE ALOJAMIENTOS RESPONSABLES, S.L., with
NIF B19517911, for a violation of Article 6.1 of the RGPD, typified in Article

83.5 of the RGPD, a fine of 6,000 euros (six thousand euros).

SECOND: NOTIFY this resolution to the ACCOMMODATION SERVICE
RESPONSIBLES, S.L.

THIRD: Warn the sanctioned person that the sanction imposed by a

Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number

of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6








Spanish Data Protection in the bank CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.


Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term

It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the

referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
                                                                                   938-300320
Mar Spain Martí
Director of the Spanish Agency for Data Protection















C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es