AEPD (Spain) - EXP202103039: Difference between revisions

From GDPRhub
Latest revision as of 13:35, 13 December 2023

AEPD - PS/00618/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR; 72 (1)(h) LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 27.09.2021
Decided: 16.08.2022
Published: 16.08.2022
Fine: 5,000 EUR
Parties: RODALI GESTIÓN INMOBILIARIA, S.L; Private Party
National Case Number/Name: PS/00618/2021
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Jurado Taboada

The Spanish DPA imposed a €5,000 fine on a real estate agency for violating Article 13 GDPR because the contract for the purchase of property did not include a clause informing the customer how her personal data gathered in that contract was handled.

English Summary

Facts

The data subject purchased property from Rodali Gestión Inmobiliaria (controller), a real estate agency. She signed a contract to make a reservation of the property. This document included her personal data. The contract neither included a clause nor was the data subject otherwise informed on how her personal data would be processed. When the data subject discovered this, she filed a complaint with the DPA.

The DPA tried to notify the controller about both the complaint and the start of a sanctioning procedure for the alleged infringement of Article 13 GDPR, but was unsuccessful. The notifications were repeatedly rejected and returned.

Holding

The DPA noted that when a controller obtains personal data, it must provide the data subject with all information regarding their processing activities pursuant to Article 13 GDPR. In the present case, the controller omitted this obligation. The DPA therefore held that the controller violated Article 13 GDPR by neither informing the data subject nor including any clause about the processing of personal data in the contract.

The DPA found that since the main activity of the controller was directly linked to the processing of personal data, the controller was required to have a higher level of rigorousness, professionalism and, consequently, responsibility regarding the processing.

Because of this aggravating circumstance, the DPA imposed a fine of €5,000. The DPA further ordered the controller to bring its operations into compliance with Article 13 GDPR and thus to make sure that it informs its clients about the processing of their data.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00618/2021 (EXP202103039)

RESOLUTION OF SANCTIONING PROCEDURE

From the actions carried out ex officio by the Spanish Agency for Data Protection before the entity RODALI GESTIÓN INMOBILIARIA, S.L., with CIF: B45811353 (hereinafter "the claimed party"), for the alleged violation of the data protection regulations: Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/16, on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data (RGPD), and Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and attending to the following:


BACKGROUND

FIRST: On 09/27/21, this Agency received a written submission from Mrs. A.A.A. (hereinafter, "the complaining party"), in which she indicated, among other things, that at the time of making the reservation for the purchase of a flat with the real estate agency, she did not fill in any clause, nor was she informed of the processing of her personal data.

Along with the written claim, a copy of the contract is provided: “Documentation of Property Offer” dated 11/13/19, which contains the personal data of the claimant as well as the data of the real estate agency, and in which the management by the real estate agency of the purchase of a property is agreed.

SECOND: On 10/18/21 and 10/29/21, this Agency transferred the claim to the party complained against so that it could respond to it, in accordance with the provisions of article 65.4 of the LOPDGDD. The notification attempts resulted in the following:

- According to a certificate from the Electronic Notifications and Electronic Address Service, the shipment made to the claimed entity on 10/18/21 through the electronic notification service "NOTIFIC@" was rejected at destination on 10/29/21.

Although the notification was validly made by electronic means, the procedure being deemed carried out in accordance with the provisions of article 41.5 of the LPACAP, for information purposes a copy was sent by mail, which was reliably notified on 11/10/21, the recipient being Ms. BBB ***NIF.1. In said notification, the claimed party was reminded of its obligation to interact electronically with the Administration and was informed of the means of access to said notifications, reiterating that, thereafter, it would be notified exclusively by electronic means.

THIRD: On 12/23/21, the Director of the Spanish Agency for Data Protection issued an agreement admitting the claim submitted by the claimant for processing, in accordance with article 65 of the LOPDGDD, as no response had been received to the requests made by this Agency.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/7








FOURTH: On 02/18/22, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed party for the alleged infringement of article 13 of the RGPD, as there are indications of a lack of information offered to customers about the processing of their personal data when these are obtained directly from them, imposing an initial penalty of 5,000 euros (five thousand euros), based on the provisions of art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP). However, the attempts to notify the agreement to initiate the sanctioning procedure had the following result:

- According to a certificate from the Electronic Notifications and Electronic Address Service, the shipment made to the claimed entity on 02/22/22 through the electronic notification service "NOTIFIC@" was rejected at destination on 03/05/22.

- According to a certificate from the State Post and Telegraph Society, the shipment made to the claimed entity on 05/30/22 through the postal notification service of Correos was returned to destination with the legend “unknown” on 06/08/22.

FIFTH: After the period granted for the formulation of allegations to the agreement to initiate the procedure, it has been verified that no allegation has been received from the claimed party.

Article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), a provision of which the respondent was informed in the agreement to open the proceeding, establishes that, if allegations are not made within the stipulated period on the content of the initiation agreement, when it contains a precise statement about the imputed responsibility, it may be considered a resolution proposal. In the present case, the agreement to initiate the sanctioning procedure determined the facts in which the imputation was specified, the infraction of the RGPD attributed to the claimed party and the sanction that could be imposed. Therefore, taking into account that the party complained against has made no objections to the agreement to initiate the procedure, and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the present case a resolution proposal.


PROVEN FACTS

From the actions carried out in this procedure and from the information and documentation presented by the claimant, it has been proven that:

First: At the time of signing the contracts by which the real estate agency takes charge of managing the purchase of a property, it does not inform in any document about the management of personal data. In the document provided together with the claim, "Property Offer Document" dated 11/13/19, the personal data of the claimant appear, as well as the data of the real estate agency, but there is no clause reporting on the management of the personal data obtained by the real estate agency.










FOUNDATIONS OF LAW

I- Competence

The Director of the Spanish Agency for Data Protection is competent to initiate and resolve this Sanctioning Procedure, by virtue of the powers established in Article 58.2 of the RGPD and in the LOPDGDD.

II- Summary of the facts:

In the present case, the claimant indicates that, at the time of signing the contract by which the real estate agency took charge of managing the purchase of a property, she neither signed nor was informed at any time about the management of her personal data.

III- About the infraction committed due to the lack of information about the processing of personal data:

Recital 61) of the RGPD establishes that:

“Interested parties must be provided with information on the processing of their personal data at the time it is obtained from them or, if obtained from another source, within a reasonable time, depending on the circumstances of the case. If the personal data can be legitimately communicated to another recipient, the interested party must be informed at the time the data are communicated to the recipient for the first time. The data controller that plans to process the data for a purpose other than that for which they were collected must provide the data subject, prior to such further processing, with information about that other purpose and other necessary information (...)”.

In this sense, article 12.1 of the RGPD establishes the following on the requirements to be met by the information that the data controller must make available to interested parties:

"1. The controller shall take appropriate measures to provide the interested party with all the information indicated in articles 13 and 14, as well as any communication under articles 15 to 22 and 34 relating to the processing, in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular any information directed specifically to a child. The information will be provided in writing or by other means, including, if applicable, by electronic means. When requested by the interested party, the information may be provided verbally, provided that the identity of the interested party is proven by other means (...)”.

For its part, article 13 of the RGPD details the information that must be provided to the interested party when the data is collected directly from him, establishing the following:

“1. When personal data relating to him is obtained from an interested party, the controller, at the moment in which these are obtained, will provide:










a) the identity and contact details of the controller and, where appropriate, of its representative; b) the contact details of the data protection officer, where applicable; c) the purposes of the processing for which the personal data are intended and the legal basis of the processing; d) when the processing is based on article 6, paragraph 1, letter f), the legitimate interests of the controller or of a third party; e) the recipients or categories of recipients of the personal data, if any; f) if applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision by the Commission, or, in the case of the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to the adequate or appropriate guarantees and the means to obtain a copy of them or to the fact that they have been made available.

2. In addition to the information mentioned in section 1, the controller will provide the interested party, at the moment in which the personal data are obtained, with the following information necessary to guarantee fair and transparent data processing: a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this period; b) the existence of the right to request from the controller access to the personal data relating to the interested party, and their rectification or deletion, or the limitation of their processing, or to oppose the processing, as well as the right to data portability; c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing based on consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to sign a contract, and whether the interested party is obliged to provide the personal data and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, referred to in article 22, sections 1 and 4, and, at least in such cases, meaningful information about the logic applied, as well as the significance and anticipated consequences of such processing for the interested party".


Therefore, in the case at hand, the lack of information on the processing of personal data when obtaining the personal data of clients constitutes, on the part of the controller, a violation of article 13 of the RGPD.

In this sense, article 72.1.h) of the LOPDGDD considers very serious, for the purposes of prescription, “the omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of the RGPD”.

This infraction may be sanctioned according to the provisions of article 83.5.b) of the RGPD, which establishes that: “Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of EUR 20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount: a) the rights of the interested parties under articles 12 to 22”.


The balance of the circumstances contemplated, with respect to the infraction committed by violating the provisions of article 13 of the RGPD, allows a fine of 5,000 euros (five thousand euros) to be set.

In accordance with the precepts indicated, in order to set the amount of the penalty to be imposed, it is considered appropriate to graduate the sanction in accordance with the following aggravating criteria established in article 76 of the LOPDGDD:

- The link between the activity of the offender and the processing of personal data (section b), considering the level of establishment of the entity and the activity it carries out, in which data of thousands of interested parties are involved, its main activity being the purchase and sale of furniture and real estate, promotion of buildings, works and renovations, financial brokerage, consultancy, administration, services to companies, appraisal and valuation, all these services related to real estate. This circumstance determines a higher degree of demand and professionalism and, consequently, of responsibility of the entity in relation to the processing of personal data.

IV.- Regarding the corrective measures to be implemented:

Article 58.2 of the RGPD establishes, among the corrective powers that each supervisory authority may exercise against the offender, in its section d): "(...) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period”.

Therefore, it is appropriate to impose, in accordance with the provisions of the cited article, the following corrective measure:

- Implement a mechanism in the management of the services performed by the real estate agency whereby customers are informed of the processing that will be carried out on their personal data, in accordance with the provisions of article 13 of the GDPR.

In view of the foregoing, the following is issued:

RESOLVES:

FIRST: IMPOSE on RODALI GESTIÓN INMOBILIARIA, S.L., with CIF: B45811353, a fine of 5,000 euros (five thousand euros) for violation of article 13 of the RGPD, by not properly informing customers of the purposes for which the personal data obtained from them are used.

SECOND: ORDER the entity RODALI GESTIÓN INMOBILIARIA, S.L., with CIF: B45811353, to take, within a month from the notification of this resolution, the necessary measures to implement a mechanism in the management of the services performed whereby clients are informed of the processing that will be made of their personal data, in accordance with the provisions of article 13 of the GDPR.


THIRD: NOTIFY this resolution to the entity RODALI GESTIÓN INMOBILIARIA, S.L. and inform the complaining party of the result.

Warn the sanctioned party that the sanction imposed must be paid once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), within the voluntary payment period indicated in article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of its deposit in the restricted account Nº ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for Data Protection at CAIXABANK Bank, S.A.; otherwise, it will be collected in the executive period.

Once the notification has been received and the resolution is enforceable, if the date of enforceability is between the 1st and 15th of each month, both inclusive, the term to make the payment will be until the 20th day of the following month or immediately after, and if it is between the 16th and last day of each month, both inclusive, the term of the payment will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 82 of Law 62/2003, of December 30, on fiscal, administrative and social order measures, this Resolution will be made public once it has been notified to the interested parties. The publication will be carried out in accordance with the provisions of Instruction 1/2004, of December 22, of the Spanish Agency for Data Protection on the publication of its Resolutions.

Against this resolution, which puts an end to the administrative procedure, and in accordance with the provisions of articles 112 and 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 07/13, regulating the Contentious-administrative Jurisdiction, within two months from the day following the notification of this act, according to the provisions of article 46.1 of the aforementioned legal text.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution in administrative proceedings may be provisionally suspended if the interested party states its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency were not aware of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, it would end the precautionary suspension.

Mar España Martí

Director of the Spanish Agency for Data Protection.