AEPD (Spain) - E/03276/2021

From GDPRhub
AEPD - E/03276/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Regulation 1024/2012 (IMI Regulation)
Article 21(1) LSSI
Article 22(2) LSSI
Type: Complaint
Outcome: Other Outcome
Published: 09.04.2021
Fine: None
National Case Number/Name: E/03276/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA was not able to launch a sanction procedure because the ICO did not send any information following their cooperation request in the IMI, despite having accepted the case. After Brexit, the Spanish authority decided to archive the case.

English Summary


The Spanish DPA (AEPD) received a complaint regarding a website that was sending spam to the complainant and that additionally placed cookies without consent (or any possibility of objecting) when the site was visited. This website is owned by a British marketing company, Aldaniti International Network LTD.

Given that the company has no premises or establishments in Spain, and therefore has no Spanish tax number or any related information, the AEPD submitted a request through the Internal Market Information System (IMI) under Regulation 1024/2012 (IMI Regulation). In August 2019, the ICO accepted the case, and the AEPD subsequently archived its own case provisionally.

However, the Spanish DPA had not received any update on the case through the IMI request by the time Brexit took effect. Brexit means that the United Kingdom is no longer a Member State of the European Union and is therefore not affected by or part of European regulations.


The AEPD concluded that, given Brexit, which means that the United Kingdom is no longer a Member State of the European Union and is therefore not affected by or part of European regulations, the authority would not be able to identify the controller, which Spanish law requires for sanction procedures.

The Spanish Tax authority did not hold any data on the controller either and therefore it was not possible to launch a sanction procedure against it.

For this reason, the AEPD decided to archive the case.



English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure Nº: E / 03276/2021


Of the actions carried out by the Spanish Agency for Data Protection and
based on the following


FIRST: The claim filed by Mr. A.A.A. (hereinafter, the claimant)
has entry dated March 29, 2019, in the Spanish Protection Agency
of data.

The claim is directed against ALDANITI INTERNATIONAL NETWORK, LTD, (in
ahead, the claimed one).

The claim indicates the following:

“I received an email from pulpower to confirm my subscription, as I had not done
no management, delete the mail that I have now been able to recover, as it turns out that without
accept that subscription that I also do not make, I begin to receive spam, not only do I not
I have subscribed, nor confirmed that email that they sent me, but I am subscribed in the
Robinson list, attached certificate certifying it. I request the opening of
sanctioning file. Thank you".

It all started with a confirmation email of a supposed registration in the system, and
He continued with emails where he was offered "tokens" to exchange for gifts. The
claimant does not acknowledge having ever registered in the services of the person in charge, and,
In addition, your email is listed on ADigital's Robinson list.

In the second letter it is denounced that, in the aforementioned web portal,
"cookies" with the mere visit to the page, and no way is offered not to provide or
revoke consent to said treatment.

SECOND: The Subdirectorate General for Data Inspection, learned of
the following points and carried out these actions:

- It was verified that the person responsible for the treatment and owner of the web
  established in the UK.
- The claim was incorporated into the "Internal Market Information System"
  (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the
  European Parliament and of the Council, of October 25, 2012 (Regulation
  IMI), whose objective is to promote cross-border administrative cooperation, the
  mutual assistance between Member States and the exchange of information;
  with IMI number 69346 and dated June 17, 2019. One month is given at
  authorities to manifest.
- On August 24, 2019: the data protection control authority
  in the United Kingdom (ICO) they accept the case, making a provisional file.
- When the time for Brexit to take effect, ICO has not made any
  action on the claim incorporated into IMI.

                            FOUNDATIONS OF LAW


In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.


Prior to the initiation of sanctioning actions, it is necessary to identify the
presumed responsible for the administrative offense.

Article 64 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, referring to the Initiation Agreement in the
procedures of a sanctioning nature, establishes the following:

        "1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such. Likewise, the initiation will be communicated
to the complainant when the rules governing the procedure so provide.

        2. The initiation agreement must contain at least:
        a) Identification of the person or persons allegedly responsible.
        ... "

In order to be able to initiate sanctioning actions, the Agency has been requested
State Tax Administration if there was any NIF associated with the entity
claimed, for identification.

The State Tax Administration Agency has responded to the Spanish Agency
of Data Protection that has not been able to locate any NIF related to the
claimed entity.

Therefore, although the claim presented, if detrimental to the possible prescription
of the infringements claimed, could constitute an infringement of the regulations of
data protection, it is not possible to initiate sanctioning actions due to not having
Tax identification of the alleged person responsible.

Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:



SECOND: NOTIFY this resolution to the claimant.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day
upon notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid