AEPD (Spain) - E/00647/2019 - CO/00198/2020

From GDPRhub
AEPD (Spain) - E/00647/2019 - CO/00198/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(16) GDPR
Article 4(22) GDPR
Article 4(23) GDPR
Article 60(8) GDPR
Article 80(2) GDPR
Type: Complaint
Outcome: Rejected
Decided:
Published: 18.11.2021
Fine: None
Parties: FACEBOOK IRELAND LIMITED
FACUA - ASOCIACIÓN DE CONSUMIDORES Y USUARIOS EN ACCIÓN
National Case Number/Name: E/00647/2019 - CO/00198/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA referred a case to the Irish DPA regarding Facebook transfers of data to third parties. The Irish DPA rejected the case, since Ireland has not implemented Article 80(2) GDPR and the consumer organisation that brought the claim in Spain could therefore not act without an individual mandate.

English Summary[edit | edit source]

Facts[edit | edit source]

A consumers organisation lodged a complaint with the Spanish DPA (AEPD) against Facebook, since according to a series of news articles, Facebook had shared their users' personal data with over 150 third organisations without the users' consent.

Holding[edit | edit source]

The AEPD referred the complaint to the Irish Data Protection Commission (DPC) through the Internal Market Information system (IMI), since Facebook Ireland has their main establishment in Ireland, pursuant to the definition set by Article 4(16) GDPR. And, since the DPC is the lead authority with regard to Facebook Ireland, the DPC is in charge of cases regarding Facebook's international transfers of personal data, in accordance to Article 4(23) GDPR.

According to the AEPD, there are other concerned DPAs in this case, as defined in Article 4(22) GDPR: Spain, Belgium, Rhineland-Palatinate, Netherlands, Lower Saxony, Italy, Luxembourg, France, Sweden, Thuringia, Hesse, Norway, Berlin, Hungary, Finland, Saarland, Slovenia, North Rhine-Westphalia, Portugal, Slovakia, Greece, Austria and Poland.

The DPC rejected the case, alleging that it came from an organisation without an individual mandate. According to the DPC, Ireland has not implemented Article 80(2) GDPR and therefore the authority cannot handle a complaint lodged by an organisation mentioned in such Article (a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects' rights and freedoms with regard to the protection of their personal data).

Since the case had been rejected, the AEPD manifested that it was the competent authority to notify the complainant, in accordance with Article 60(8) GDPR. Therefore, the AEPD archived the proceedings, without prejudice of the consumers organisation lodging a new complaint following the mandate of an individual data subject.

Notwithstanding, according to the DPC, these facts are currently under investigation by the DPA within the competences attributed to it as lead authority.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/6











     N / Ref .: E / 00647/2019 - CO / 00198/2020


                  RESOLUTION OF ACTION FILE


Of the actions followed on the occasion of the claim presented in the Agency
Spanish Data Protection, for alleged violation of Regulation (EU)
2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the
protection of natural persons with regard to data processing
personal data and the free circulation of these data (hereinafter, RGPD) and having

as a basis the following


                                      FACTS


FIRST: Dated December 26, 2018 and with entry registration number
212801/2018, a claim had entered this Agency, related to a
Cross-border processing of personal data carried out by FACEBOOK
IRELAND LIMITED, presented by FACUA - ASSOCIATION OF CONSUMERS AND
USERS IN ACTION (hereinafter, the claimant) for an alleged violation

of Article 6.1 of the RGPD.

The grounds on which the claimant bases the claim are related to the
fact that the social network Facebook could have shared the data of its
users with more than 150 companies without the consent of the users, as

collected in several newspaper articles.

Along with the claim, the urls of several articles collected in the press are provided
Spanish in which information is provided on the matter and a copy of said articles.


*** URL.1

*** URL.2

*** URL.3



SECOND: FACEBOOK IRELAND LIMITED has its main establishment or
unique in Ireland.


THIRD: Taking into account the cross-border nature of the claim, with
On February 22, 2019, the claim was forwarded to the authority
control authority of Ireland as it is competent to act as a supervisory authority
main, in accordance with the provisions of article 56.1 of the RGPD, agreeing to the file
provisional procedure.


FOURTH: This referral was made through the "Market Information System
Interior ”(IMI).

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/6









However, the Irish supervisory authority rejected the case, as it came from a
association without an individual mandate.


As explained by the Irish supervisory authority, the national law that completes the GDPR
in Ireland (the “Irish Data Protection Act 2018”) has not implemented its art. 80.2, and, by
Therefore, this authority cannot manage a claim filed by an entity,
non-profit organization or association that has been properly constituted
under the law of a Member State, the statutory objectives of which are to

public interest and act in the field of protection of rights and freedoms
of those interested in the protection of their personal data, with
independence of the mandate of an interested party.

FIFTH: Notwithstanding the foregoing, these events are being the subject of a

research carried out by the DPC within the competences it has
attributed as main authority.

                           FOUNDATIONS OF LAW

I: Competition


In accordance with the provisions of article 60.8 of the RGPD, the Director of the Agency
Spanish Data Protection is competent to adopt this resolution, according to
the provisions of article 47 of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (hereinafter

LOPDGDD).

II: Internal Market Information System (IMI)

The Internal Market Information System is regulated by the

Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of 25
October 2012 (IMI Regulation), and its objective is to promote cooperation
administrative cross-border, mutual assistance between Member States and the
information exchange.

III: Determination of the territorial scope


As specified in article 66 of the LOPDGDD:

"1. Except in the cases referred to in article 64.3 of this organic law, the
Spanish Agency for Data Protection must, prior to carrying out

of any other action, including the admission for processing of a claim or the
commencement of preliminary investigative actions, examine their competence and
determine the national or cross-border character, in any of its modalities,
of the procedure to follow.


2. If the Spanish Agency for Data Protection considers that you do not have the condition
of the main supervisory authority for the processing of the procedure will send, without further ado
procedure, the claim made to the main supervisory authority that considers
competent, so that it is given the appropriate course. The agency

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/6








Española de Protección de Datos will notify this circumstance to who, if applicable,
would have made the claim.


The agreement by which the referral referred to in the previous paragraph is resolved
will involve the provisional filing of the procedure, without prejudice to the fact that the Agency
Spanish Data Protection Issue, if applicable, the resolution to
the one referred to in section 8 of article 60 of Regulation (EU) 2016/679. "

IV: Main establishment, cross-border treatment and supervisory authority

principal

Article 4.16 of the GDPR defines "main establishment":

       "A) in what refers to a person responsible for the treatment with establishments

       in more than one Member State, the place of its central administration in the
       Union, unless decisions about the purposes and means of treatment are
       take in another establishment of the person in charge in the Union and the latter
       establishment has the power to enforce such decisions, in which case
       the establishment that made such decisions shall be deemed
       main establishment;


       b) in what refers to a person in charge of the treatment with establishments in
       more than one Member State, the place of its central administration in the Union or,
       if it lacks this, the establishment of the person in charge in the Union where the
       carry out the main treatment activities in the context of the

       activities of a manager's establishment to the extent that the
       processor is subject to specific obligations under this
       Regulation"

For its part, article 4.23 of the RGPD considers "cross-border treatment":


       "A) the processing of personal data carried out in the context of the
       activities of establishments in more than one Member State of a
       controller or a processor in the Union, if the controller or the
       the person in charge is established in more than one Member State,


       or b) the processing of personal data carried out in the context of
       activities of a single establishment of a manager or manager of the
       treatment in the Union, but which substantially affects or is likely to
       substantially affects interested parties in more than one Member State "


The RGPD provides, in its article 56.1, for cases of cross-border processing,
provided for in its article 4.23), in relation to the competence of the
main control, that, without prejudice to the provisions of article 55, the authority of
control of the main establishment or the sole establishment of the person in charge or
The person in charge of the treatment will be competent to act as a control authority

principal for the cross-border processing carried out by said controller or
commissioned in accordance with the procedure established in article 60.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/6








In the case examined, as stated, FACEBOOK IRELAND LIMITED has
its main or sole establishment in Ireland, so that the supervisory authority of
Ireland is competent to act as the lead supervisory authority.


V: interested control authority

In accordance with the provisions of article 4.22) of the RGPD, it is the Authority of
interested control, the control authority affected by the data processing
personal because:


       a.- The person in charge or in charge of the treatment is established in the territory
       of the Member State of that supervisory authority;

       b.- The interested parties who reside in the Member State of that authority of

       control are substantially affected or are likely to be
       substantially affected by the treatment, or

       c.- A claim has been filed with that control authority.

In these proceedings, they act as the "interested supervisory authority"

the supervisory authorities of: Spain, Belgium, Rhineland-Palatinate, the Netherlands,
Lower Saxony, Italy, Luxembourg, France, Sweden, Thuringia, Hesse, Norway, Berlin,
Hungary, Finland, Saarland, Slovenia, North Rhine-Westphalia, Portugal,
Slovakia, Greece, Austria and Poland.


VI: Cooperation and coherence procedure

Article 60 of the RGPD, which regulates the cooperation procedure between the
main supervisory authority and the other interested supervisory authorities, has
in its section 8, the following:


8. Notwithstanding the provisions of section 7, when a
claim, the supervisory authority to which it has been submitted will adopt the
decision, will notify the claimant and inform the data controller. "

VII: Question claimed and legal reasoning.


In this case, it has been submitted to the Spanish Data Protection Agency
claim for an alleged violation of Article 6.1 of the RGPD, related to
a cross-border processing of personal data, carried out by
FACEBOOK IRELAND LIMITED.


The grounds on which the claimant bases the claim are related to the
fact that the social network Facebook could have shared the data of its
users with more than 150 companies without the consent of the users, as
collected in several newspaper articles.


The aforementioned claim was transferred to the DPC as it was competent to act as
main supervisory authority. However, the claim was rejected, as it came from
of an association without an individual mandate.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/6









As explained by the Irish supervisory authority, the national law that completes the GDPR

in Ireland (the “Irish Data Protection Act 2018”) has not implemented its art. 80.2, and, by
Therefore, this authority cannot manage a claim filed by an entity,
non-profit organization or association that has been properly constituted
under the law of a Member State, the statutory objectives of which are to
public interest and act in the field of protection of rights and freedoms

of those interested in the protection of their personal data, with
independence of the mandate of an interested party.

However, the DPC has also reported that these events are being subjected to
of an investigation that they are carrying out within the competences that it has

attributed as main authority.

So, taking into account that Ireland has not implemented the provision
contained in art. 80.2 of the RGPD, but that the reported events are being
object of an investigation by the DPC, the file of this claim proceeds

without prejudice to the fact that FACUA may present another claim as a representative of
an interested party as provided in article 80.1 of the RGPD, providing the mandatory
power of attorney.

Therefore, in accordance with the provisions, by the Director of the Spanish Agency for

Data Protection,

HE REMEMBERS:

FIRST: PROCEED TO THE FILE of the claim presented, dated February 26,

December 2018 and with entry registration number 212801/2018

SECOND: NOTIFY this resolution to the CLAIMANT

In accordance with the provisions of article 50 of the LOPDGDD, this

resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,

in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.


                                                                                1103-160721

Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/6


































































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es