AEPD (Spain) - PS-00117-2024

From GDPRhub
AEPD - PS-00117-2024
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 26.05.2024
Decided: 07.06.2024
Published: 26.06.2024
Fine: 100000 EUR
Parties: AXA Real Estate Investment Managers Iberica S.A.
National Case Number/Name: PS-00117-2024
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

AXA Real Estate Investment Managers Iberica S.A. faced a data breach involving information for 143 individuals. Although the USB was encrypted, the password was sent within the same envelope, leading to the loss of both the device and its password.

English Summary

Facts

AXA Real Estate Investment Managers Iberica S.A. faced a data breach in May 2023 involving the mishandling of a USB device containing sensitive information for 143 individuals. Although the USB was encrypted, the password was sent within the same envelope, leading to the loss of both the device and its password.

Holding

The AEPD initiated a sanction process, citing a violation of Article 32 of the GDPR for inadequate security measures. AXA was fined €100,000, reduced to €80,000 due to voluntary payment.

Comment

AXA implemented improvements, including better data protection training, dark web monitoring, and switching to a new courier service to prevent future incidents. The case emphasizes the importance of separating encryption keys from sensitive data during physical transfers.

Further Resources

https://allins4b.com/axa-es-sancionada-con-100-000-e-por-enviar-un-usb-con-datos-sensibles-en-un-sobre-junto-a-la-contrasena

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 File No.: EXP202309790
RESOLUTION TO TERMINATE THE PROCEDURE DUE TO VOLUNTARY
PAYMENT
Of the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On June 7, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. and SEUR GEOPOST, S.L. (hereinafter, the respondent party), through the Agreement transcribed below:
<<
File No.: EXP202309790
AGREEMENT TO START SANCTIONING PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: On May 26, 2023, the Technological Innovation Division of this Agency was notified of a security breach of the personal data sent by AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. with NIF A78465267 as data controller.
The notification states the following:
Date of the events: 05/11/2023
Date of breach detection: 05/24/2023
The facts subject to a confidentiality breach are the following:
As a result of the notification to the Technological Innovation Division of this Agency of a breach by AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A., (...), the General Subdirectorate of Data Inspection is ordered to carry out the appropriate prior investigations in order to determine a possible violation of data protection regulations.
This notification is summarised as follows:
(...)

SECOND: The General Subdirectorate of Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section two, of the LOPDGDD, having knowledge of the following points:
Regarding companies
The notifying entity is a Spanish public limited company, a subsidiary of the AXA Group, whose parent company is AXA REAL ESTATE INVESTMENT MANAGERS S.A. According to the data available at AXESOR, it has 23 employees and a sales volume of more than 7 million euros and its activity is “Management and administration of real estate property”.
SEUR GEOPOST SLU is a Spanish limited company, the parent company of the group. According to the data available in AXESOR, it has 2,094 employees and a turnover of more than 600 million euros and its activity is “Other postal and courier activities”.
Information and documentation has been requested from the notifying entity and from SEUR, and the following can be deduced from the responses received:
Regarding the chronology of the events. Actions taken to minimise the adverse effects and measures adopted for their final resolution
(...).
Regarding the causes that made the breach possible
(...).
Regarding the affected data
(...).
Regarding the contract with SEUR
(...)
Regarding the security measures implemented
AXA has sent the following security documentation:
 (...)
Regarding the measures implemented after the incident:
 (...)
Information on the recurrence of these events and the number of similar events that have occurred over time
There have been no previous security incidents
THIRD: The entity AXA REAL ESTATE INVESTMENT MANAGERS S.A. whose activity is “Management and administration of real estate property”, has a sales volume of more than 7 million euros (7,843,146 euros)

I Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants to each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure, the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
II Preliminary questions
Article 4 of the GDPR establishes that "the following shall be understood as:
1) "personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered to be any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;
2) “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(...)
7) “controller” or “controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing; where the purposes and means of the processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;”
AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. As the data controller, on 26 May 2023, it notified the Technological Innovation Division of this Agency of a data security breach detected on 24 May 2023, but produced on 11 May 2023, (...).
III
Article 32 of the GDPR
Article 32 of the GDPR, security of processing, establishes the following:
“1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, which may include, where appropriate, inter alia:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the permanent confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;
(d) a process of regular verification, evaluation and assessment of the effectiveness of the technical and organisational measures to ensure the security of processing.
2. When assessing the adequacy of the level of security, particular account shall be taken of the risks presented by the processing of data, in particular resulting from accidental or unlawful destruction, loss, alteration of, or unauthorised disclosure of, personal data transmitted, stored or otherwise processed.
3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and the processor shall take measures to ensure that any person acting under the authority of the controller or the processor and having access to personal data processes such data only on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
It should be noted that the GDPR in the aforementioned provision does not establish a list of the security measures that are applicable in accordance with the data being processed, but rather establishes that the controller and the processor shall apply technical and organisational measures that are appropriate to the risk involved in the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, the risks of probability and severity for the rights and freedoms of the interested parties.
Likewise, security measures must be appropriate and proportionate to the risk detected, noting that the determination of technical and organisational measures must be carried out taking into account: pseudonymisation and encryption, the ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, verification process (not audit), evaluation and assessment of the effectiveness of the measures.
In any case, when evaluating the adequacy of the security level, particular account will be taken of the risks presented by data processing, as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised communication or access to said data and which could cause physical, material or immaterial damages and losses.
In this regard, recital 83 of the GDPR states that:
“(83) In order to maintain security and prevent processing in violation of this Regulation, the controller or processor should assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the cost of their implementation in relation to the risks and the nature of the personal data to be protected. When assessing the risk in relation to data security, account should be taken of the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized disclosure of or access to such data, which may in particular cause physical, material or immaterial damage or harm.”
The respondent's liability is determined by the lack of security measures adopted for this specific case, with the peculiarities that it presents, since it is responsible for making decisions aimed at effectively implementing the appropriate technical and organisational measures to guarantee a level of security appropriate to the risk to ensure the confidentiality of the data, restoring its availability and preventing access to it in the event of a physical or technical incident.
Therefore, this Agency considers that article 32 of the GDPR could have been violated, as the respondent entity did not comply with the obligation to implement appropriate technical and organisational security measures to guarantee in this specific case, with the special characteristics that it may present, an adequate level of security by including the access key to the USB in the same envelope.
In the present case, AXA sent by postal courier, in an envelope, a USB with data from 143 people, including means of payment. The USB was encrypted but the password was inside the envelope.

It has been indicated that the envelope was returned, but without the USB or the password inside.
These facts show a lack of measures by including the password inside the envelope.
AXA has indicated the following as pre-existing measures and corrective measures adopted:
“1) Internal Information Security Procedure AXA REIM has an information security procedure implemented at company level.
It includes a section on “Transfer of physical media”, which includes the following obligation for employees: “When secret or confidential data is physically transferred, the use of physical media will be avoided as far as possible.
Secure file transfer should be used as the preferred means. If physical media is sent, it must be encrypted or subjected to strict physical controls. Encrypted media must be sent separately from the decryption keys.”
Therefore, prior to the incident, AXA REIM had adopted measures aimed at maintaining the confidentiality of personal data stored on physical media.
On the other hand, it should be emphasized that the usual procedure within the company for the transfer of information is electronically, avoiding as far as possible the sending of information through physical media.
However, in this specific case, and at the request of the insurance company Acquinex, it was necessary to send the information in a timely and isolated manner by this means.
2) Information security training All AXA REIM employees receive appropriate training and awareness of the company's policies and procedures, as appropriate to their job, as well as periodic updates of said policies and procedures.
Specifically, all employees (including the one who inserted the USB into the envelope) received initial training on information security when joining AXA REIM and annually thereafter.
However, and following recent events, an internal assessment is being carried out on how to more effectively transmit these obligations to employees, with the aim of avoiding, as far as possible, this type of action and raising even greater awareness among all staff.
3) Supplier risk analysis As a standard procedure, within AXA REIM before incorporating a new supplier, a risk analysis is carried out with the aim of analysing the viability of its contract and whether it complies with the requirements demanded by the regulations on personal data protection.
This analysis determines the level of risk that the treatments carried out by the supplier will pose to the rights and freedoms of the interested parties, so that AXA REIM can analyse the sufficiency of the security measures applied.
After carrying out the corresponding risk analysis of the communication of the data to SEUR, as a courier and transport entity, the result was that the communication posed a low risk from the point of view of the processing of personal data.
Given the above, AXA REIM proceeded to contract this provider that had adequate security mechanisms to preserve the confidentiality of the information and privacy of the data.
New measures adopted to mitigate the effects of a potential incident:
1) Awareness of the user involved Following the security incident, the employee in charge of entering the information in the envelope was contacted to remind him and warn him of the importance of complying with these guidelines, to which the person involved reacted appropriately, committing to follow the instructions and collaborating at all times to avoid future incidents.
2) Dark web monitoring AXA REIM has adopted a mitigating measure for 2 months to carry out cyber monitoring, with the aim of probing the dark web in order to verify that the information and personal data stolen from the USB are not being used fraudulently (identity theft, financial losses, phishing, etc.).
If during this monitoring period any similarity is detected with the information contained in the USB device, an alert will be issued informing of a possible illegal action by a third party.
3) Communication to those affected Communication has been sent to those affected indicating the measures that are being adopted in response to the breach, as well as those that users themselves can adopt to reduce risks.
4) Reports and monitoring The incident is continuously monitored by the DPO and this incident assessment report has been prepared by the AXA REIM IT Security team to update the information on the status of the incident.
This report is in turn complemented by the report attached as Evidence 15, which details the status of the situation in relation to the web monitoring of any potential leak, as well as the tools used.
5) Change of supplier

Given the incident detected in the transport of the USB device, it has been decided to contract a new supplier to carry out the shipment, which will be carried out by Correos.”
For all these reasons, in accordance with the evidence available at the time of the agreement to initiate the sanctioning procedure, and without prejudice to the results of the investigation, it is considered that there is sufficient evidence regarding the absence of adequate security measures in the processing by the respondent party of the data that it has included in the encrypted USB by including the access code in the same envelope.
Therefore, the known facts could constitute an infringement, attributable to the respondent party, for violation of article 32 GDPR. IV
Classification of the infringement of Article 32 of the GDPR
If confirmed, the aforementioned infringement of Article 32 of the GDPR could entail the commission of the infringements classified in Article 83.4 of the GDPR, which under the heading “General conditions for the imposition of administrative fines” provides:
“Infringements of the following provisions shall be punishable, in accordance with paragraph 2, by administrative fines of up to EUR 10 000 000 or, in the case of an undertaking, an amount equivalent to up to 2 % of the total global annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (...)”
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements.”
For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:
“In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein and, in particular, the following are considered serious and will be subject to a two-year statute of limitations:
f) The failure to adopt those technical and organisational measures that are appropriate to guarantee a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.”

Proposed sanction
In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the GDPR must be observed, which state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:
9/16
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intent or negligence of the infringement;
(c) any measures taken by the controller or processor to remedy the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account any technical or organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any previous infringements committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate any adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;
(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor in question in relation to the same matter, compliance with such measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42;
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”

For its part, Article 76 “Penalties and corrective measures” of the LOPDGDD provides:
“1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continued nature of the infringement.
b) The link between the offender's activity and the processing of personal data.
c) The benefits obtained as a result of the commission of the infringement.
d) The possibility that the conduct of the affected party could have led to the commission of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
f) The impact on the rights of minors.
g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in cases where there are disputes between them and any interested party.”
Sanction for violations of article 32 of the GDPR.
In accordance with the transcribed provisions, and without prejudice to what results from the instruction of the procedure, in order to set the amount of each sanction for each infringement, each fine is graduated taking into account:
In the initial notification made by ALLIANZ about the security breach that occurred, said entity informs the AEPD that 150 people are affected, however, it then indicates that it has sent 143 notifications of the 150 that it should have sent, and in the additional notification sent by ALLIANZ it indicates that

As circumstances to take into account:
Article 83.2.a) RGPD: “the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as the number of interested parties affected and the level of damages they have suffered”, since the facts subject to this sanctioning procedure reveal deficiencies in the management of the entity claimed.

the number of affected people is 800 people.
Article 83.2.b) GDPR: “intentional or negligent processing of data” since the loss of a storage medium containing personal data has been confirmed, along with the key that allowed access to the data contained therein.
Article 83.2 g) GDPR “the categories of personal data affected by the infringement”, since the activity of the entity in question requires continuous processing of personal data, including, among others, ID cards, means of payment and the rented address. Furthermore, the entity in question carries out a high volume of processing of personal data in order to carry out its activity.
Considering the factors set out above, the initial assessment that reaches the amount of the fine is €100,000 for infringement of article 32 of the GDPR, regarding the security of the processing of personal data.
VI Responsibility
Law 40/2015, of October 1, on the Legal Regime of the Public Sector, establishes in Chapter III regarding the “Principles of the Sanctioning Power”, in article 28 under the heading “Responsibility”, the following:
“1. Only natural and legal persons may be sanctioned for acts constituting an administrative infraction, as well as, when a Law recognizes their capacity to act, groups of affected persons, unions and entities without legal personality and independent or autonomous assets, who are responsible for them by way of fraud or negligence.”
The lack of diligence when implementing appropriate security measures with the consequence of breaching the principle of confidentiality constitutes the element of culpability.
VII Measures
If both infringements are confirmed, it may be agreed to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified period...”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in art. 83.2 of the GDPR.
Specifically, in this case, the measures would consist of notifying within two months of receipt of the resolution issued, that the entity responsible for the processing of personal data complies with the provisions of this Regulation, to guarantee confidentiality, integrity, availability and resilience, as well as the ability to restore the availability and access to personal data after an incident such as the one at hand, as well as having an adequate process of verification, evaluation and assessment of the effectiveness of such measures, in accordance with article 32 of the GDPR.
It is noted that failure to comply with the requirements of this body may be considered an administrative infringement in accordance with the provisions of the GDPR, classified as an infringement in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency,
IT IS AGREED:
FIRST: TO INITIATE SANCTIONING PROCEDURE against AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A., with NIF A78465267, for the alleged infringement of article 32 of the GDPR, classified in accordance with the provisions of article 83.4 of the GDPR, classified as serious and for the purposes of prescription in articles 73 f) of the LOPDGDD.
SECOND: TO APPOINT R.R.R. as instructor and, as secretary, S.S.S., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: INCLUDE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be €100,000 (one hundred thousand euros) for violation of article 32 of the aforementioned RGPD, regarding the security of the processing of personal data.
FIFTH: NOTIFY this agreement to AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A., with NIF A78465267, granting it a hearing period of ten business days to formulate the allegations and present the evidence it considers appropriate. In your written allegations you must provide your NIF and the file number that appears in the heading of this document.
If you do not make any allegations to this initiation agreement within the stipulated period, it may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, you may acknowledge your responsibility within the period granted for the formulation of allegations to this initiation agreement; which will entail a 20% reduction of the
penalty to be imposed in this procedure. With the application of this reduction, the penalty would be set at 80,000 euros, and the procedure will be resolved with the imposition of this penalty.
Likewise, the Court may, at any time prior to the resolution of this procedure, make the voluntary payment of the proposed sanction, which will entail a 20% reduction of its amount. With the application of this reduction, the sanction would be set at [Insert the text corresponding to 80,000 euros and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for the voluntary payment of the sanction is cumulative to that which corresponds to apply for the recognition of responsibility, provided that this recognition of responsibility is made clear within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the sanction would be set at [Insert the text corresponding to 60,000 euros.
In any case, the effectiveness of any of the two reductions mentioned will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
If you choose to proceed with the voluntary payment of any of the amounts indicated above 80,000 or 60,000 euros, you must do so by depositing it in the non-IBAN account: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which you are applying.
Likewise, you must send proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.
The procedure will have a maximum duration of twelve months from the date of the start agreement or, where appropriate, the draft start agreement. After this period, it will expire and, consequently, the proceedings will be archived; in accordance with the provisions of article 64 of the LOPDGDD.
In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from now on, the notifications sent to you will be made exclusively electronically by appearing at the electronic headquarters of the General Access Point of the Administration or through the unique Authorized Electronic Address and that, if you do not access them, your rejection will be recorded in the file, considering the procedure carried out and the procedure followed. You are informed that you can identify before this Agency an email address to receive the notice of availability of the notifications and that the lack of practice of this notice will not prevent the notification from being considered fully valid.

>>
SECOND: On June 17, 2024, the respondent party has proceeded to pay the fine in the amount of 80,000 euros using one of the two reductions provided for in the Initiation Agreement transcribed above. Therefore, the recognition of liability has not been proven.
THIRD: The payment made entails the waiver of any action or appeal in administrative proceedings against the fine, in relation to the facts referred to in the Initiation Agreement.
FOURTH: In the Initiation Agreement transcribed above, it was indicated that it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust his actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each supervisory authority may "order the person responsible or in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period...".

LEGAL BASIS
I. Competence
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."
14/16
Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, no administrative appeal may be filed against this act.

II
Termination of the procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures" provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is of a purely monetary nature or when it is possible to impose a monetary sanction and another of a non-monetary nature but the inadmissibility of the second has been justified, voluntary payment by the presumed responsible party, at any time prior to the resolution, will imply the termination of the procedure, except with regard to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is of a purely monetary nature, the competent body to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, which may be accumulated with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure and their effectiveness will be conditional on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this section may be increased by regulation.”
Once the monetary penalty has been paid, in accordance with section 2 of this article, voluntary payment implies the termination of the procedure, except with regard to the restoration of the altered situation. Therefore, the imposition of the necessary measures is appropriate to cease the conduct or correct the effects of the infringement.
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of the procedure EXP202309790, in accordance with the provisions of article 85 of the LPACAP.
SECOND: TO ORDER AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. and SEUR GEOPOST, S.L. so that within 2 months from the date this resolution becomes final and enforceable, it will notify the Agency of the adoption of the measures described in the legal grounds of the Commencement Agreement transcribed in this resolution.
THIRD: NOTIFY this resolution to AXA REAL ESTATE INVESTMENT MANAGERS IBERICA S.A. and SEUR GEOPOST, S.L..
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure as required by art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 28001 – Madrid
www.aepd.es sedeagpd.gob.es
16/16
Common Law of Public Administrations, interested parties may file an administrative appeal before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.
1309-16012024