AEPD (Spain) - PS/00475/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 22(2) LSSI
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 04.01.2022
Fine: 20000 EUR
Parties: MyHeritage, LTD
National Case Number/Name: PS/00475/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined an online genealogy platform €20,000 (reduced to €16,000 because of an early payment) for placing unnecessary own and third-party cookies before asking for consent, and for not offering sufficient information about cookies in the banner and in their privacy policy.

English Summary

Facts

A Spanish Consumers and Users Organisation lodged a complaint with the Spanish DPA (AEPD) against MyHeritage, LTD, an online genealogy platform that offers a genetic testing service that analyses the user's DNA. The Spanish branch is part of a company based in Israel.

The complainant raised several issues:

  • International transfers of personal data outside the EEA to countries without adequate guarantees, as stipulated in Article 46 GDPR.
  • Processing of personal data without a clear legal basis, and lack of adequate information given to the data subject.
  • Processing of genetic personal data (DNA) that does not seem to comply with any of the exceptions contained in Article 9(2) GDPR.
  • Disclosure to other users of the personal data of third parties that are included in the genealogical trees.
  • Disclosure of personal data of users among which "DNA Matches" or "Smart Matches" (similarities between their DNA) are established.
  • Assignments to third parties for strange purposes (e.g. to protect their rights or the property of other users).
  • Doubtful sharing of information with "Genealogy partners".
  • Deficiencies in information and consent related to cookies.
  • Legitimization of "investigations" based on consent. Doubts about whether they really get consent, what this investigation really consists of, its purposes, as well as the information provided to the data subjects.
  • Doubts about the processing of data for commercial purposes (opposition to the sending of advertising communications and what legal basis is used to send these, clarifying whether cookies are their own or third-party cookies, which is not clear in the privacy policy).
  • Deficiencies in information about the processing activities.
  • The privacy policy does not clearly specify that one should send their genetic material and not that of another. This issue could refer to the security measures to prove that a person is sending you their genetic material and not that of another person.
  • Other deficiencies in the matter of information to users from Article 13 GDPR.
  • No doors are closed to possible assignments or sales under license of health information or DNA of users who are not Russian, Norwegian and Swedish.
  • Processing of minors' data between 13 years and the minimum age that each country establishes to provide consent without needing that of their parents or guardians.
  • Other deficiencies in the drafting of the policy (inconsistencies, duplicities, omissions, ambiguities, etc.)
  • Issues related to the exercise of rights.
  • Doubts about the storage period of data once deleted, and the scope of the deletion.

Hence, the AEPD launched a general investigation.

Holding

According to the AEPD, the controller did not provide all the information required by Article 13 GDPR, since information about the right to portability and to restrict the processing was missing, as well as information about the right to lodge a complaint with the supervisory authority. In this regard, AEPD issued a reprimand to the controller and ordered them to include such information.

The AEPD found no evidence whatsoever of a violation of Article 6 GDPR, nor of Article 8 GDPR. There was also no violation of Article 9 GDPR, since the exception for explicit consent from Article 9(2)(a) GDPR applied.

With regard to international transfers of data, the AEPD concluded that there was no evidence of a violation, since the complainant did not point to any specific risks, and the controller stated that they were working on new Standard Contractual Clauses (SCCs).

The AEPD also disregarded all the other allegations, finding no violations whatsoever, except in relation to cookies. Regarding cookies, the AEPD found that the website placed unnecessary own and third-party cookies before asking for consent. Additionally, the information offered in the banner was insufficient, and the cookies policy did not identify the cookies the website used. According to the AEPD, these facts constituted a violation of Article 22(2) LSSI (the Spanish law implementing the e-Privacy Directive), and it fined the controller €20,000, which was reduced to €16,000 because of an early payment.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: PS / 00475/2021

RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On October 1, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against MYHERITAGE, LTD (hereinafter, the claimed party), through the Agreement transcribed below:

<<


File No.: PS / 00475/2021

AGREEMENT TO START THE SANCTIONING PROCEDURE

Of the actions carried out by the Spanish Agency for Data Protection and based on the following:

FACTS

FIRST: The ORGANIZATION OF CONSUMERS AND USERS (hereinafter, the complaining party) on July 1, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against MY HERITAGE, LTD (hereinafter, the claimed party). The reasons on which the claim is based are the following.

The Organization of Consumers and Users (OCU) indicates a series of possible breaches of data protection regulations by the party responsible for the web portal https://www.myheritage.es/, on which genealogical services, including DNA analysis and comparisons, are offered to Spanish residents:


- International transfers of personal data outside the EEA to countries without adequate guarantees, as stipulated in art. 46 GDPR.

- Processing of personal data without a clear legitimation basis, and lack of adequate information to the affected person.

- Processing of personal data of a genetic nature (DNA) that does not seem to comply with any of the premises contained in art. 9.2 GDPR.

- Disclosure to other users of the personal data of third parties that are included in family trees.

- Disclosure of personal data of users among whom "DNA Matches" or "Smart Matches" (similarities between their DNA) are established.

- Assignments to third parties for strange purposes (e.g. to protect their rights or the property of other users).

- Doubtful sharing of information with "Genealogy partners".

- Deficiencies in information and consent regarding "cookies".

- Legitimation of "investigations" based on consent. Doubts about whether it is really obtained, what this research really consists of, and its purposes, as well as the information provided to the owners of the data.

- Doubts about the processing of data for commercial purposes (opposition to the sending of advertising communications, what basis of legitimacy is used for such sending, and clarification of whether they are its own or third-party; the policy is not clear on this).

- Deficiencies in information about the processing carried out.

- The privacy policy does not clearly specify that one should send one's own genetic material and not that of another. This question could relate to security measures to prove that a person is sending their own genetic material and not that of another person.

- Other deficiencies in the matter of information to users (art. 13 RGPD).

- Doors are not closed to possible assignments or sales under license of health or DNA information of users other than Russian, Norwegian and Swedish.

- Processing of data of minors between 13 years and the minimum age that each country establishes to accept a person's consent without needing that of their parents or guardians.

- Other deficiencies in the drafting of the policy (inconsistencies, duplications, omissions, ambiguities, etc.).

- Issues related to the exercise of rights.

- Doubts about the conservation of data once deleted, and the scope of the deletion.




SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party, so that it could proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the data protection regulations.

No response has been received to this letter, although there is no record of its reception by the claimed party.

THIRD: On November 30, 2020, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim presented by the complaining party.

FOURTH: The Subdirectorate General for Data Inspection proceeded to carry out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the investigation authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points:




- On 05/24/2021 DIGITAL VALLADOLID, S.L. sends this Agency the following information and statements:

That the owner of the domain myheritage.es is A.A.A.

- On 08/24/2021 MYHERITAGE LTD. sends this Agency the following information and statements, in an unofficial translation from English:

(…)

- On 07/22/2020 it is verified that the privacy policy of myheritage.es contains the following:




1. In the section "WHAT PERSONAL INFORMATION IS COLLECTED FROM YOU OR ABOUT YOU?":

"2) Information about your family and third parties: You can also enter other personal information about yourself and others while creating your family tree or studying your family on the Website, for example, names, relationships, dates and places of birth and death, contact information such as an email address, and photos.

If you decide to invite a family member or other person to view or edit your family tree, we will ask for the email address and name of said person. Before issuing the invitation, you will need to ensure that you have the consent of this person to transmit their data to MyHeritage.

When creating a family tree, you decide which relatives to add to the tree, whether to add deceased, living, or both, and what information to provide about them. To add living relatives to the family tree, you will need to obtain their prior consent. Before adding living minor relatives to the family tree, you must obtain the consent of their parent or guardian."




2. The section "WHAT DO WE USE YOUR PERSONAL INFORMATION FOR?" states:

"[...]

iv) For internal company uses: In order to improve the Service and develop new products and services, we may use your personal information to perform internal data analysis, to study the use made of the Website, to diagnose problems and ensure the security of the Service, to identify usage trends and patterns, and to determine the effectiveness of promotional campaigns. For example, we can examine how much time visitors spend on each page of the Website and how they navigate through it. We will only use this information to improve the Website.

We use your IP address to provide you with the Website and our Service, as well as to diagnose problems in our servers. Your IP address is also used to gather broad demographic information, such as the geographic distribution of our members. When you visit the Service for the first time, we will use your IP address to offer you the Service in the language that we consider most appropriate for the geographic region in which it originates.

[…]"



3. The section "WILL MYHERITAGE DISCLOSE YOUR PERSONAL INFORMATION TO THIRD PARTIES?" states:

"The personal information that you provide us will never be sold or licensed. We will never sell or license DNA or health information to third parties without your express informed consent. We will never sell or license DNA or health information belonging to users from Russia, Norway or Sweden under any circumstances (even if they give express informed consent). […]"










4. The section "DATA CONSERVATION" states:

"[...]

In some cases, when you or we remove your content, copies of such information may remain visible in other places to the extent that such copy has been shared with others or otherwise distributed according to your privacy settings or has been copied or stored by other users. For example, other users may have copied part of your family tree into their own family tree.

[…]"




5. The section "HOW CAN YOU ELIMINATE INFORMATION ABOUT YOU OR YOUR FAMILY OR CAN YOU LET US KNOW?" states:

"[...]

In case of controversies or problems with other types of personal information present on the Website about you, contact us at the address privacy@myheritage.com. If you are a registered member of the Website and send us a request regarding information that you entered on the Website, we will ask you to communicate with us from the same email address as the one used to register on the Website. If not, we may need to verify your identity before considering your request.

If you need additional help, you can write an email to the address privacy@myheritage.com to ask us to help you remove any information you want, and our staff will promptly address your request unless, upon examination, it is deemed illegitimate.

[…]"




- On 05/24/2021 it is verified that the myheritage.es cookie policy consists of the following sections:

a. What are cookies and why does MYHERITAGE use them?

b. What are the different types of cookies?

c. How to manage your cookie preferences?

d. How to manage cookies through your browser settings?

e. How to disable interest-based advertising?

f. Will this cookie policy be modified?




- On 07/22/2020 it is verified that the terms and conditions of myheritage.es contain the following:

1. In the "DNA Services" section:

"[...]

Furthermore, you declare that any DNA sample you provide, as well as any information you transfer or upload that relates an individual to your DNA Test Results, refers either to your DNA or, solely with respect to the use of the DNA genealogy Services, to the DNA of a person of whom you are the guardian or from whom you have obtained legal authorization to provide us with their DNA.

[…]"

- On 08/30/2021 it is verified that the privacy policy of myheritage.es contains the following:

1. The section "WILL MYHERITAGE DISCLOSE YOUR PERSONAL INFORMATION TO THIRD PARTIES?" states:

"WE WILL NEVER SELL OR GRANT LICENSES WITH RESPECT TO THE PERSONAL INFORMATION PROVIDED BY YOU, INCLUDING GENETIC INFORMATION AND HEALTH INFORMATION, TO THIRD PARTIES, INCLUDING INSURANCE COMPANIES, GOVERNMENT AGENCIES, OTHER COMPANIES OR EMPLOYERS."













                           FOUNDATIONS OF LAW



                                              I




                                       Competence






- About the "Privacy Policy", "Treatment" and "Transfers":



The Director of the Spanish Agency for Data Protection is competent to initiate and resolve this sanctioning procedure, by virtue of the powers that art. 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/16, on the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Movement of such Data (RGPD) grants to each supervisory authority, and as established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).

Sections 1) and 2) of article 58 of the RGPD list, respectively, the investigative and corrective powers available to the supervisory authority for this purpose, mentioning in point 1.d) that of: "notify the controller or processor of the alleged infringements of this Regulation" and in 2.i) that of: "Impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case."

Article 3.2 of the RGPD establishes territorial jurisdiction, noting the following:

2. This Regulation applies to the processing of personal data of interested parties residing in the Union by a controller or processor not established in the Union, when the processing activities are related to:

a) the offer of goods or services to said interested parties in the Union, regardless of whether payment is required of them, or

b) the monitoring of their behavior, insofar as it takes place in the Union.










- About the Cookies Policy:




In accordance with the provisions of art. 43.1, second paragraph, of Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI), the Director of the Spanish Agency for Data Protection is competent to initiate and resolve this sanctioning procedure.

Article 4 of the LSSI establishes territorial jurisdiction for providers established in a State not belonging to the European Union or the European Economic Area, noting the following:

"To providers established in countries that are not members of the European Union or of the European Economic Area, the provisions of articles 7.2 and 11.2 shall apply.

The providers that direct their services specifically to the Spanish territory will be subject, in addition, to the obligations provided for in this Law, provided that this does not contravene the provisions of international treaties or conventions that are applicable."






                                              II




Upon receipt of the broad and generic complaint presented by the complaining party, preliminary investigation actions were initiated consisting of requesting information from the claimed party, located in Israel. As no data of any specific claimant are available, the investigation carried out is generic and it has not been possible to address more specific questions.

For a better understanding of the result of these actions, the facts complained of are addressed separately.










Regarding deficiencies in the information provided to users whose data is the object of processing.

Article 5 of the RGPD, regarding the principles that must govern the processing of personal data, mentions transparency among them. Section 1 of the provision states:

"The personal data will be:

a) processed in a lawful, fair and transparent manner in relation to the interested party ("lawfulness, fairness and transparency")"

A manifestation of the principle of transparency is the obligation incumbent on data controllers to inform, under the terms of article 13 of the RGPD, the owner of the personal data when they are obtained directly from the interested party:

"1. When personal data relating to an interested party are obtained from that party, the controller, at the time they are obtained, will provide all the information indicated below:

a) the identity and contact details of the controller and, where appropriate, of their representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;

d) when the processing is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or of a third party;

e) the recipients or categories of recipients of the personal data, where applicable;

f) where appropriate, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate guarantees and the means to obtain a copy of these or the fact that they have been made available.

2. In addition to the information mentioned in section 1, the controller will provide the interested party, at the moment the personal data are obtained, with the following information necessary to guarantee fair and transparent data processing:

a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period;

b) the existence of the right to request from the controller access to the personal data relating to the interested party, and their rectification or deletion, or the limitation of their processing, or to oppose the processing, as well as the right to data portability;

c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing based on consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;

e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and whether the interested party is obliged to provide the personal data and is informed of the possible consequences of not providing such data;

f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and the expected consequences of said processing for the interested party.

3. When the controller plans the subsequent processing of personal data for a purpose other than that for which they were collected, it will provide the interested party, prior to said subsequent processing, with information about that other purpose and any additional relevant information pursuant to section 2.

4. The provisions of sections 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information."


In this sense, Recital 60 of the RGPD says that "The principles of fair and transparent processing require that the interested party be informed of the existence of the processing operation and its purposes. The controller must provide the interested party with as much additional information as is necessary to guarantee fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. The interested party must also be informed of the existence of profiling and the consequences of such profiling. If the personal data are obtained from the interested parties, they must also be informed of whether they are obliged to provide them and of the consequences if they do not."



The information collected in the privacy policy, which has been updated and expanded, does not respond to all the requirements contained in article 13 of the RGPD.

It is found that there is no information on the possibility of exercising the right of portability and the right to limit treatment. Likewise, the right of the interested parties to file a claim with the supervisory authority is not indicated.

The form used violates article 13 of the RGPD, conduct that falls under article 83.5 of the RGPD, which provides: "Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of EUR 20,000,000 maximum or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover for the preceding financial year, opting for the one with the highest amount:

(...)

b) The rights of the interested parties in accordance with articles 12 to 22;"

For the mere purposes of prescription, article 74.1.a) of the LOPDGDD classifies as minor "a) Failure to comply with the principle of transparency of information or the right to information of the affected person for not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679.". The statute of limitations for the minor infractions provided for in Organic Law 3/2018 is one year.




Article 58.2 of the RGPD establishes:

"Each supervisory authority shall have all the corrective powers listed below:

a) (...)

b) address a warning to any data controller or processor when the processing operations have infringed the provisions of this Regulation;

c) ...

d) order the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time;

(...)

i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case".



In the present case, taking into account the special circumstances that concur and in accordance with Recital 148 of the RGPD, according to which in the case of a minor infringement the sanction of a warning may be imposed instead of the fine, at this phase of the procedure, and without prejudice to the result of the investigation, it is estimated that for the infringement of article 13 of the RGPD it is necessary to impose the sanction of a warning, taking into account that the privacy policy is very complete, although two pieces of information have been omitted: the possibility of exercising the rights of portability and limitation of treatment, and the right to file a claim with the supervisory authority.

Likewise, in the event that the resolution goes in the same direction as this agreement, it would be appropriate to impose the corrective measure described in article 58.2.d) RGPD and order the respondent to prepare a data collection form that offers the affected persons all the information that it is obliged to provide under article 13 of the GDPR.



                                              III


Regarding the treatment of user data



Article 6 of the RGPD, "Legality of the treatment", specifies in section 1 the cases in which the processing of third-party data is considered lawful:

"1. The processing will only be lawful if it meets at least one of the following conditions:

a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party is a party or for the application, at their request, of pre-contractual measures;

c) the processing is necessary for the fulfillment of a legal obligation applicable to the controller;

d) the processing is necessary to protect vital interests of the interested party or of another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller;

f) the processing is necessary to satisfy the legitimate interests pursued by the controller or by a third party, provided that the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data do not prevail over said interests, in particular when the interested party is a child.

The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.

2. (…)"

Article 4 of the RGPD, "Definitions", section 2, offers a legal concept of "processing": "any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of enabling access, collation, interconnection, limitation, suppression or destruction".

The investigated entity bases the legitimacy of its data processing on the consent of the interested party, on the processing being necessary to execute a contract entered into with the user, and on the processing being necessary to comply with a relevant legal obligation.




Although the legal basis of section c) of article 6.1 of the RGPD refers to the existence of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/30








of “a legal obligation”, and the AEPD's Legal Office indicates that the sentiment
do of the expression "legal obligation" contained in article 6.1.c) of the RGPD is equivalent,

in the Spanish regulation of data protection, to the obligation established in a law
in a formal sense, to a norm with the force of law. The investigated entity can legitimize

mar the treatment of personal data in the first two sections of the article
6.1 of the RGPD.




In relation to the possible disclosure of personal information, they state that, as part of the periodic reviews they carry out of their privacy policy to ensure that the information they provide accurately reflects the way they treat personal data, they have reviewed this policy and have specified the cases of disclosure of data to third parties “if required by law or during a judicial process, or to prevent fraud and cybercrime."



In the present case, according to the data available at this time of the agreement to initiate the sanctioning procedure, no evidence has been found that proves a breach of the provisions of article 6 of the RGPD.




Data processing of children under 13 years of age



Article 7 of the LOPDGDD establishes the following:

"1. The processing of personal data of a minor may only be based on their consent when they are over fourteen years of age.

Exceptions are those cases in which the law requires the assistance of the holders of parental authority or guardianship for the celebration of the act or legal business in whose context consent for the treatment is obtained.

2. The treatment of the data of minors under fourteen years of age, based on consent, will only be lawful if it consists of that of the holder of parental authority or guardianship, with the scope determined by the holders of parental authority or guardianship."



The investigated entity indicates that data of children under 14 years of age are not processed. For people over 14 years of age and up to 18 years, they do process them and in all cases have collected parental consent.




In the present case, according to the evidence available at this time of the agreement to initiate the sanctioning procedure, it is considered that the treatment of data on the claimed website does not contradict the provisions of article 7 of the LOPDGDD in relation to art. 8 of the GDPR.




                                             IV



Regarding the treatment of special categories of user data




These categories of data are regulated in article 9 of the RGPD, which determines the following in its first two sections:

"1. The processing of personal data that reveals ethnic or racial origin, political opinions, religious or philosophical convictions, or union membership, and the treatment of genetic data, biometric data aimed at unequivocally identifying a natural person, data related to health or data related to the sexual life or sexual orientation of a natural person, is prohibited.

2. Section 1 shall not apply when one of the following circumstances occurs:

a) the interested party gave their explicit consent for the treatment of said personal data for one or more of the specified purposes, except when the law of the Union or the Member States establishes that the prohibition mentioned in section 1 cannot be lifted by the interested party;

b) the treatment is necessary for the fulfillment of obligations and the exercise of specific rights of the person responsible for the treatment or of the interested party in the scope of labor law and social security and protection, insofar as this is authorized by the law of the Union or of the Member States or a collective agreement in accordance with the law of the Member States that establishes adequate guarantees of respect for the fundamental rights and interests of the interested party;

c) the treatment is necessary to protect vital interests of the interested party or of another natural person, in the event that the interested party is not capable, physically or legally, of giving their consent;

d) the treatment is carried out, within the scope of its legitimate activities and with the due guarantees, by a foundation, an association or any other non-profit body whose purpose is political, philosophical, religious or union, provided that the treatment refers exclusively to current or former members of such organizations or persons who maintain regular contact with them in relation to their purposes and provided that personal data is not communicated outside of them without the consent of the interested parties;

e) the treatment refers to personal data that the interested party has manifestly made public;

f) the treatment is necessary for the formulation, exercise or defense of claims or when the courts act in the exercise of their judicial function;

g) the treatment is necessary for reasons of an essential public interest, on the basis of Union or Member State law, which must be proportionate to the objective pursued, respect in essence the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party;

h) the treatment is necessary for the purposes of preventive or occupational medicine, evaluation of the worker's work capacity, medical diagnosis, provision of health or social care or treatment, or management of health and social care systems and services, on the basis of Union or Member State law or by virtue of a contract with a healthcare professional and without prejudice to the conditions and guarantees referred to in section 3;

i) the treatment is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border threats to health, or to guarantee high levels of quality and safety of health care and of medicines or health products, on the basis of Union or Member State law that establishes appropriate and specific measures to protect the rights and freedoms of the interested party, in particular professional secrecy;

j) the treatment is necessary for archival purposes in the public interest, purposes of scientific or historical research or statistical purposes, in accordance with article 89 (1), on the basis of Union or Member State law, which must be proportional to the objective pursued, respect in essence the right to data protection and establish adequate and specific measures to protect the interests and fundamental rights of the interested party."




On the other hand, with regard to the treatment of special categories of data of Spanish citizens, article 9.1 of the LOPDGDD is applicable, which indicates the following:

"1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid discriminatory situations, the consent of the affected person alone will not be enough to lift the prohibition of the processing of data whose main purpose is to identify their ideology, union affiliation, religion, sexual orientation, beliefs or racial or ethnic origin.

The provisions of the preceding paragraph will not prevent the processing of said data under the other assumptions contemplated in article 9.2 of Regulation (EU) 2016/679, when applicable."



The claimed entity provides a DNA KIT service to users who want to use it. In the Register of treatment activities they differentiate the purpose of building the family tree from the DNA KIT service.




Regarding the purpose, the claimed entity indicates the following: "The main purpose is the provision of our DNA services. This means dispatching the DNA kit to the user / recipient following a purchase, to perform genetic analysis and to present the DNA results, which include Ethnicity Estimates and optionally also DNA Matches”, that is, the main purpose is genetic testing and obtaining results; optionally, with the results they can get matches between users.



It is a specific service that has the main purpose of obtaining the genetic map of the subject.



In the privacy policy and in the answer to the request for information carried out by this Agency, the investigated entity indicates that the processing of "special category data" or "sensitive personal data" is only allowed when there is a relevant exemption. Special category data includes genetic information, which they treat as part of the DNA Services, as well as any information about your ethnicity or information from the Health Questionnaire. In such cases of special category data or sensitive personal data, the prohibition of their treatment is lifted by virtue of the explicit and informed consent of the user. The details of the DNA data processing and the information that can be shared with third parties are set out in detail in the Acts section.


In the present case, according to the data available at this time of the agreement to initiate the sanctioning procedure, no evidence has been found that proves a breach of what is stipulated in article 9 of the RGPD.




                                           V




Treatment of user data for commercial purposes



The complaint raises questions about the processing of data for commercial purposes and whether it is possible to oppose the sending of advertising communications.




The sending of advertising emails is regulated in article 21 of the LSSI, which establishes:

"1. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same is prohibited.

2. The provisions of the previous section shall not apply when there is a prior contractual relationship, provided that the provider had lawfully obtained the recipient's contact details and uses them to send commercial communications related to products or services of its own company that are similar to those that were initially contracted with the client.

In any case, the provider must offer the recipient the possibility of opposing the processing of their data for promotional purposes using a simple and free procedure, both at the time of data collection and in each of the commercial communications addressed to them.

When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address or other valid electronic address where this right can be exercised, the sending of communications that do not include said address being prohibited."












In relation to commercial communications, the claimed entity indicates that they deal with products or services that are identical or similar to those that users used or acquired. Users can choose not to receive further communications through the "unsubscribe" link present at the bottom of the communications or by modifying their preferences.




                                             VI



Deficiencies in the use and information of cookies




This Agency has been able to verify that, when entering the initial page of the website (first layer), without taking any action on it and without rejecting cookies, the website uses non-necessary cookies, both its own and those of third parties. Also, on the initial page the banner does not inform properly, and the cookie policy does not identify the cookies they use.




The exposed facts could constitute, on the part of the claimed entity, the commission of a violation of article 22.2 of the LSSI, according to which:

“Service providers may use data storage and retrieval devices in terminal equipment of recipients, provided that the latter have given their consent after having been provided with clear and complete information on their use, in particular, on the purposes of the treatment of the data, in accordance with the provisions of Organic Law 15/1999, of December 13, on the protection of personal data.

When technically possible and effective, the consent of the recipient to accept the data processing may be facilitated by using the parameters of the browser or other applications.

The foregoing will not prevent possible storage or access of a technical nature for the sole purpose of carrying out the transmission of a communication over an electronic communications network or, insofar as is strictly necessary, for the provision of an information society service expressly requested by the recipient".




This offense is classified as "slight" in article 38.4 g) of the aforementioned Law, which considers as such: "Use data storage and recovery devices when the information had not been provided or the consent of the recipient of the service had not been obtained in the terms required by article 22.2.”, which may be sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.



After the evidence obtained in the preliminary investigation phase, and without prejudice to whatever results from the instruction, it is considered that the sanction should be imposed in accordance with the following aggravating criteria, established in art. 40 of the LSSI:




    - The existence of intentionality, an expression that must be interpreted as equivalent to degree of guilt according to the Judgment of the National High Court of 11/12/07 handed down in Appeal no. 351/2006, the denounced entity being responsible for establishing a system for obtaining informed consent that conforms to the mandate of the LSSI.

    - Period of time during which the offense has been committed (section b).



Based on these criteria, it is deemed appropriate to impose on the claimed entity

a penalty of 20,000 euros (twenty thousand euros), for the violation of article 22.2 of the
LSSI, regarding the cookie policy made on the myheritage.es website.




                                              VII



Legitimation of "research" based on consent




MYHERITAGE has reported that users from Spain have been excluded from the research project carried out with broad purposes.










Data retention


The information provided by the entity in its privacy policy is as follows:



We will retain your personal information only for as long as necessary to comply with the purposes for which it was collected and with the applicable legislation. This means that we will store your personal information for as long as necessary to provide our services, unless we have a legal basis for keeping it for a longer period of time (for example, once your subscription ends, we may still have a legitimate interest in using your contact details to offer you our service commercially). We also keep the personal information we need to complete pending tasks and to exercise our legal rights and assert our claims, as well as certain personal information that we must keep for a mandatory period of time (in the latter case, our treatment of such information is limited). If you accept the DNA Informed Consent Agreement, we may retain the information provided pursuant to it for as long as we deem necessary for the research purposes contained therein.

In some cases, when you or we remove your content, copies of such information may remain visible in other places to the extent that such copy has been shared with others or otherwise distributed according to your privacy settings or has been copied or stored by other users. For example, other users may have copied part of your family tree into their own family tree. The information removed and deleted may be kept in backup copies for a limited time for internal use by our company, but it will not be available to you or other users.



The first paragraph of the information complies with the provisions of article 17 of the RGPD regarding the deletion of data. If the interested party opposes receiving publicity, they may not keep any data for that purpose. The second paragraph warns of the possibility that, if the user himself has made his genealogical tree public, it can be copied or saved by third parties.



Therefore, they inform about the criteria used for the conservation of the data, referring to the possibility that if the user has made his / her family tree public, it can be copied and kept by third parties outside the claimed entity.













International data transfers



Article 45 of the RGPD establishes the following:

"1. A transfer of personal data may be made to a third country or international organization when the Commission has decided that the third country, a territory or one or more specific sectors of that third country, or the international organization in question guarantee an adequate level of protection. Said transfer will not require any specific authorization.

2. When evaluating the adequacy of the level of protection, the Commission shall take into account, in particular, the following elements: a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including that relating to public security, defense, national security and criminal legislation, and the access of public authorities to personal data, as well as the application of said legislation, the data protection rules, professional standards and security measures, including rules on subsequent transfers of personal data to another third country or international organization observed in that country or international organization, jurisprudence, as well as the recognition to the interested parties whose personal data is being transferred of effective and enforceable rights and of effective administrative remedies and legal actions; b) the existence and effective operation of one or more independent control authorities in the third country or to which an international organization is subject, with the responsibility of guaranteeing and enforcing the data protection rules, including adequate enforcement powers, of assisting and advising interested parties in the exercise of their rights, and of cooperating with the supervisory authorities of the Union and of the Member States, and c) the international commitments made by the third country or international organization in question, or other obligations derived from legally binding agreements or instruments, as well as their participation in multilateral or regional systems, in particular in relation to the protection of personal data.



3. The Commission, after having assessed the adequacy of the level of protection, may decide, by means of an implementing act, that a third country, a territory or one or several specific sectors of a third country, or an international organization guarantee an adequate level of protection in accordance with the provisions of section 2 of this article. The implementing act will establish a periodic review mechanism, at least every four years, taking into account all relevant events in the third country or in the international organization. The implementing act will specify its territorial and sectoral scope of application, and, where appropriate, will determine the control authority or authorities referred to in paragraph 2, letter b) of this article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93, paragraph 2.



4. The Commission will continuously monitor events in third countries and international organizations that may affect the effective application of the decisions taken pursuant to paragraph 3 of this article and of decisions taken on the basis of Article 25 (6) of Directive 95/46 / EC.

5. When the information available, in particular after the review referred to in paragraph 3 of this article, shows that a third country, a territory or a specific sector of that third country, or an international organization no longer guarantees an adequate level of protection pursuant to paragraph 2 of this article, the Commission, through implementing acts, will repeal, modify or suspend, to the extent necessary and without retroactive effect, the decision referred to in section 3 of this article. Said implementing acts shall be adopted in accordance with the examination procedure referred to in article 93, paragraph 2. For duly justified imperative reasons of urgency, the Commission will adopt immediately applicable implementing acts in accordance with the procedure referred to in article 93, section 3.

6. The Commission shall enter into consultations with the third country or international organization with a view to remedying the situation that gave rise to the decision taken in accordance with section 5.

7. Any decision in accordance with paragraph 5 of this article shall be understood without prejudice to the transfers of personal data to the third country, to a territory or one or more specific sectors of that third country, or the international organization in question by virtue of articles 46 to 49.



8. The Commission shall publish in the Official Journal of the European Union and on its website a list of third countries, territories and specific sectors in a third country, and international organizations with respect to which it has decided that an adequate level of protection is, or is no longer, guaranteed.

9. Decisions taken by the Commission pursuant to article 25, paragraph 6 of Directive 95/46 / EC will remain in force until they are amended, replaced or repealed by a decision of the Commission adopted in accordance with sections 3 or 5 of this article."



Article 46 establishes the possibility of transmitting personal data to a third country or international organization if it had offered adequate guarantees and on condition that the interested parties have enforceable rights and effective legal actions. The following article regulates the binding corporate rules and article 49 establishes the exceptions in which personal data may be transferred in the event of certain specific circumstances.




Given that the complaint raises doubts about the legality of the transfers, without specifying exact risks, when requesting information about these transfers, MYHERITAGE indicates that after the Schrems II ruling they are reviewing the standard contractual clauses following the recommendations of the EDPB. According to the data available at this time, there is no evidence to prove non-compliance with regard to international transfers.



Therefore, in accordance with the foregoing, by the Director of the Spanish Agency for Data Protection,

IT IS AGREED:




FIRST: INITIATE SANCTIONING PROCEDURE against MYHERITAGE, LTD, with NIF 513410662, for the alleged violation of article 13 of the RGPD typified in Article 83.5.b) of the same Regulation, and direct a warning for this infraction.



SECOND: INITIATE SANCTIONING PROCEDURE against MYHERITAGE, LTD, with NIF 513410662, for the alleged violation of article 22.2) of the LSSI, punishable in accordance with the provisions of art. 39) and 40) of the aforementioned Law, regarding the “Cookie Policy” of the web page it owns, sanctioning with a fine of 20,000 euros.




THIRD: For the purposes of article 64.2.b) LPACAP, the claimed party could be ORDERED, in accordance with the provisions of article 58.2 d) of the RGPD, within the period of ten business days from the date on which the resolution so agreeing becomes enforceable, to proceed, on the one hand, to adapt the data collection form of those who request its services to the provisions of article 13 of the RGPD.








FOURTH: APPOINT R.R.R. as instructor and, as secretary, S.S.S., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).




FIFTH: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Sub-Directorate of Data Inspection in the actions prior to the start of this sanctioning procedure.




SIXTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, the sanction that may correspond would be a WARNING and € 20,000 (twenty thousand euros).




SEVENTH: NOTIFY this agreement to MYHERITAGE, LTD, with NIF 513410662, granting it a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In your written allegations, you must provide your NIF and the procedure number that appears in the heading of this document.




If, within the stipulated period, no allegations are made to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP).




In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the term granted for the formulation of allegations to this initiation agreement, which will entail a reduction of 20% of the sanction to be imposed in the present procedure. With the application of this reduction, the penalty would be set at € 16,000 (sixteen thousand euros), the procedure being resolved with the imposition of this sanction.




In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will entail a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at € 16,000 (sixteen thousand euros), and its payment will involve the termination of the procedure.



The reduction for the voluntary payment of the penalty is cumulative with the one that corresponds to the acknowledgment of responsibility, provided that this acknowledgment of responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. In this case, if both reductions should be applied, the amount of the penalty would be established at € 12,000 (twelve thousand euros).




In any case, the effectiveness of either of the two mentioned reductions will be conditioned on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.




In case you choose to proceed to the voluntary payment of any of the amounts indicated above, you must make it effective by paying it into account no. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A., indicating in the concept the procedure reference number at the top of this document and the cause of reduction of the amount to which it avails itself.

Likewise, you must send proof of payment to the Subdirectorate General of Inspection to continue with the procedure according to the amount paid.




The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period has elapsed, it will expire and, consequently, the proceedings will be filed, in accordance with the provisions of article 64 of the LOPDGDD.




Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.






                                                                                  935-160721

Mar España Martí

Director of the Spanish Agency for Data Protection




>>



SECOND: On November 2, 2021, the claimed party has proceeded to payment of the sanction in the amount of 16,000 euros making use of one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, the acknowledgment of responsibility has not been accredited.


THIRD: The payment made entails the waiver of any action or recourse in progress
against the sanction, in relation to the facts referred to in the
Initiation Agreement.



                            FOUNDATIONS OF LAW

                                             I


By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT, and the offenses classified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.



                                            II


Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the rubric "Termination of sanctioning procedures" provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and another non-pecuniary sanction but the inadmissibility of the second has been justified, the voluntary payment by the presumed responsible, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the offense.

3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notice of initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.

The reduction percentage provided for in this section may be increased by regulation."


In accordance with the aforementioned, the Director of the Spanish Agency for Data Protection
RESOLVES:

FIRST: DECLARE the termination of procedure PS/00475/2021, in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to MYHERITAGE, LTD.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.



                                                                                           937-160721
Mar España Martí
Director of the Spanish Agency for Data Protection





















































