AEPD (Spain) - EXP202201667: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
m (adjusted the fine sum, changed some sentences to make them sound more clear, moved the information about the fine form facts to holding as it considers a substantive assessment. Otherwise, great summary!)
Line 61: Line 61:
}}
}}


The Spanish DPA fined a manufacturer of sanitary products, €1,800 for sending unrequested and unauthorized commercial e-mails, as there was no evidence of the consent by the recipients.
The Spanish DPA fined a manufacturer of sanitary products €4,000 for sending unrequested and unauthorised commercial e-mails, as there was no evidence of the consent by the recipients.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject alleges he was constantly receiving spam messages in his e-mail from the controller, a company that manufactures antigen tests. In defense, the controller claimed to be carrying out a campaign to promote its products through e-mails, and that the database for sending these e-mails was acquired from a central communication provider (“Datantify”) and also through public internet pages. It also alleged that the data subject could have manually disabled the receipt of these advertisements, but only did so in one of his six e-mail addresses. The Spanish DPA condemned the company to a fine of 4,000 euros, as it considered that there was no evidence of the data subject's consent to receive commercial e-mails, nor of the database purchase contract that the controller claims to have acquired.
The data subject alleged he was constantly receiving spam messages in his mailbox from a company that manufactures antigen tests (the controller). The data subject decided to file a complaint with the DPA who started proceedings in this regard.
 
In defense, the controller claimed to be carrying out a campaign to promote its products through e-mails. Allegedly, the database for sending these e-mails was acquired from a central communication provider (“Datantify”) and also through public internet pages. The controller alleged that the data subject could have manually disabled the receipt of these advertisements, but only did so in one of his six e-mail addresses.  


=== Holding ===
=== Holding ===
According to the Spanish DPA, the controller did not present an evidence of the consent given by the data subject for the sending of commercial e-mails as well as did not present the purchase agreement for the database, which it claims to have acquired and where the claimant's e-mail address was supposedly located. Therefore, the company violated Article 21 of Law 34/2002, on Information Society Services and Electronic Commerce (LSSI), which prohibits the sending of advertising or promotional communications by e-mail that had not been previously requested or expressly authorized by the recipients.
According to the Spanish DPA, the controller did not present evidence of the consent given by the data subject for the sending of commercial e-mails as well as did not present the purchase agreement for the database, which it claims to have acquired and where the claimant's e-mail address was supposedly located.  
 
Therefore, the company violated [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Article 21 of Law 34/2002], on Information Society Services and Electronic Commerce (LSSI), which prohibits the sending of advertising or promotional communications by e-mail that had not been previously requested or expressly authorised by the recipients.
 
The Spanish DPA imposed on the controller a fine of €4,000, as it considered that there was no evidence of the data subject's consent to receive commercial e-mails, nor of the database purchase contract that the controller claims to have acquired.


== Comment ==
== Comment ==

Revision as of 10:14, 6 December 2022

AEPD - PS/00292/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 21 Law 34/2002
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 28.11.2022
Fine: 4000 EUR
Parties: MAX2PROTECT, S.L.
National Case Number/Name: PS/00292/2022
European Case Law Identifier: PS
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: @patrikmatos

The Spanish DPA fined a manufacturer of sanitary products €4,000 for sending unrequested and unauthorised commercial e-mails, as there was no evidence of the consent by the recipients.

English Summary

Facts

The data subject alleged he was constantly receiving spam messages in his mailbox from a company that manufactures antigen tests (the controller). The data subject decided to file a complaint with the DPA who started proceedings in this regard.

In defense, the controller claimed to be carrying out a campaign to promote its products through e-mails. Allegedly, the database for sending these e-mails was acquired from a central communication provider (“Datantify”) and also through public internet pages. The controller alleged that the data subject could have manually disabled the receipt of these advertisements, but only did so in one of his six e-mail addresses.

Holding

According to the Spanish DPA, the controller did not present evidence of the consent given by the data subject for the sending of commercial e-mails as well as did not present the purchase agreement for the database, which it claims to have acquired and where the claimant's e-mail address was supposedly located.

Therefore, the company violated Article 21 of Law 34/2002, on Information Society Services and Electronic Commerce (LSSI), which prohibits the sending of advertising or promotional communications by e-mail that had not been previously requested or expressly authorised by the recipients.

The Spanish DPA imposed on the controller a fine of €4,000, as it considered that there was no evidence of the data subject's consent to receive commercial e-mails, nor of the database purchase contract that the controller claims to have acquired.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/6








     Procedure No.: EXP202201667, (PS/00292/2022)

               RESOLUTION OF THE SANCTION PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following.
                                  BACKGROUND

FIRST: Dated 01/12/22, you have entered this Agency, written submitted by

D. A.A.A., (hereinafter, "the complaining party"), against MAX2PROTECT, S.L. with CIF.:
B88606355, (hereinafter, "the claimed party"), in which it indicated, among other things, what
Next:

       “I receive spam from covidtest@antigenos.es several times a day (attached the 6

       commercial communications received dated 12-jan-2022). The website,
       Max2Protect SL, was already fined by the AEPD for similar events in the
       procedure No.: PS/00170/2021”.

The claim document is accompanied by a copy of the following documentation


a.- Copy of the email received at the claimant's address on 01/12/22
sent from the address <<B.B.B.>> covidtest@antigenos.es, containing
commercial information.

SECOND: On 02/10/22, in accordance with the provisions of article 65.4

of Organic Law 3/2018, of December 5, Protection of Personal Data and
Digital Rights Guarantee (LOPDGDD), this Agency sent
writing to the claimed party requesting information regarding what is stated in the
claim.


THIRD: On 03/11/22, a response letter was received from the entity
claimed to the request for information made by this Agency, in which, among others,
indicates that:

       "From max2protect we were carrying out a campaign to promote
       our products through mailing, the databases for sending

       these mailings are purchased from the central communication provider and also
       taken through public internet pages.

       In the first image that we provide you can see that in the newsletter itself
       can be disabled. This user has 6 email accounts, but only

       disabled one of them as you can see on our server panel
       emails (second image) and that is why it continued to be sent to the others
       accounts.
       Through your notification we have learned that this person does not want
       receive any information from our company thus on the same day

       that we were aware of it, it was manually removed from our file
       as you can see in the third image”.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/6








FOURTH: On 04/12/22, by the Director of the Spanish Agency for
Protection of Data, an agreement is issued to admit the processing of the claim
presented, in accordance with article 65 of the LPDGDD Law, when assessing possible

rational indications of a violation of the rules in the field of competences
of the Spanish Data Protection Agency.

FIFTH: On 05/12/22, this Agency issued a request
information to the claimed party, under the investigative powers granted
to the control authorities in article 58.1 of Regulation (EU) 2016/679, of

European Parliament and of the Council, of 04/27/16, regarding the Protection of
Natural Persons with regard to the Processing of Personal Data and the Free
Circulation of these Data (RGPD).

SIXTH: On 05/24/22, a response letter was received from the entity

claimed to the information request made by this Agency, in which, among
others, indicates:

       "We bought the datantify database: https://datantify.com/ It is possible that the
       User, by leaving his email on a website, accepted the privacy and cookies policy
       "I have read and accept the privacy policy" "accept cookies" of said website,

       transferring your personal data to third parties, therefore, the providers of the
       bbdd have said access and can use it for buying/selling.

       The "bbdd" that we buy are segmented by sectors, in this case, the
       health. The users that come in said database are related to the

       health sector, either because you visited a website, filled out a form, requested
       a quote, etc., our company sells a covid test and that is why we send you
       the mail.

       We did not receive any email from the owners to oppose, we found out

       who did not want to receive our newsletter when you sent us the
       notification and it was when we looked at mailrelay and saw that on 01/20/22
       described from one of the accounts, but not from all of the ones he has, so he
       we did manually that day”.

SEVENTH: On 06/07/22, the Board of Directors of the Spanish Agency for the Protection of

Data signs the initiation of this disciplinary procedure against the entity
claimed, when appreciating reasonable indications of violation of article 21 of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (LSSI), regarding the sending of commercial communications without the
necessary legitimation for this, imposing an initial sanction of 4,000 euros (four

a thousand euros).

EIGHTH: On 06/20/22, the defendant entity formulated, in summary, the following
allegations to the initiation of the file:


       “Max2protect bought a database that the seller said was
       lawful No user we sent an email to complained about the email sent
       since any of them who did not want to receive more emails from us
       You could unsubscribe at the bottom of the body of the email sent (image 1).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/6









       This user had 6 different email accounts (image 2) and that is why he
       6 emails arrived in one day, one to each account, but only unsubscribed

       in one of them, the other 5 accounts remained active until we received
       your notification and we manually remove the other 5 accounts from our
       database to not receive any more mail from us. The
       user complains because he received 6 emails, but it is because he has 6 accounts, for
       please take it into account. We have not done anything illegal nor have we intended to do so.


NINTH: On 07/22/22, the respondent entity is notified of the proposed
resolution in which it was proposed that, by the Director of the Spanish Agency for
Protection of Data proceed to sanction the entity, in accordance with the provisions of
Articles 63 and 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative Council of Public Administrations (LPACAP), with a sanction

of 4,000 euros (four thousand euros) for the violation of article 21 LSSI, for sending
commercial communications without the necessary legitimacy for it.

Once the proposed resolution was notified to the claimed entity, as of today, there is no
evidence in this Agency of the receipt of any type of written allegations to
said proposal.

                                PROVEN FACTS

First: According to the complainant, he receives spam emails from
covidtest@antigenos.es whose ownership belongs to the entity Max2Protect SL, and indicates
that this entity was already fined by the AEPD for similar acts in the

procedure No.: PS/00170/2021. To corroborate what was said in the claim,
Attach the following documentation:

    - The screenshot of the inbox of the mail accounts
       e-mail (ALL INBOXES) in which reference to six emails

       incoming emails from “B.B.B.” and with the subject: “Test
       Nasal-antigens-saliva-swab from 2.9…”

    - Screenshot of the headers and content of a dated email
       01/12/22, sent from the address covidtest@antigenos.es to the address
       email of the claimant with the subject: "Test Antigens-nasal-saliva-

       swab from 2.95”.

Second: The legal notice of the website www.antigenos.es identifies
MAX2PROTECT, S.L. as responsible for it. This website has a
privacy policy that offers an electronic address where to exercise the opposition or

request the revocation of consent.

Third: According to the claimed entity, the email addresses for the
sending this advertising are purchased from the central communication provider
(DATANTIFY) or are obtained from public Internet pages.


In the document provided as "Privacy Policy", together with the letter of
allegations to the initiation of the file can be read, among others, the following:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/6








       2. How do we collect your data? Some are collected when you give them to us.
       provides. Other data is collected automatically by technicians,
       as the browser and the automatic operating system as soon as it enters

       our website (…)”.

Notwithstanding the foregoing, the claimed entity does not provide accreditation of the
consent given by the claimant for the remission of commercial emails.

                            FUNDAMENTALS OF LAW


       I - Competition.

It is competent to initiate and resolve this Disciplinary Procedure, the Director of
the Spanish Data Protection Agency, in accordance with the provisions of the

art. 43.1, second paragraph, of the LSSI Law.

       II.- Regarding the offense committed by sending advertising emails without
       consent of the interested party.

In the present case, the claimant states that he has received 6 emails,

but it only provides the internet headers of one of them

For its part, the claimed entity acknowledges the sending of the communications and indicates
that you bought a database that the seller said was legal.


It is also indicated that, in the emails, it is reported that, if you do not want to receive more,
You can unsubscribe at the bottom of the body of the email sent and that 6 emails were sent
emails to the claimant because the claimant had 6 accounts.

However, all of this, the defendant does not provide proof of consent

provided by the claimant for the sending of commercial emails and the
purchase contract for the database, which he claims to have purchased and where
found the complainant's email address.

In this sense, article 21 of the LSSI, on the sending of communications
without the prior consent of the interested party, provides the following:


       "1. The sending of advertising or promotional communications is prohibited
       by email or other equivalent electronic means of communication
       that had not previously been requested or expressly authorized by
       the recipients of these.


       2. The provisions of the previous section shall not apply when there is a
       prior contractual relationship, provided that the provider had obtained
       lawful contact details of the recipient and will use them to send
       commercial communications regarding products or services of your own

       company that are similar to those that were initially the subject of
       contracting with the client.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/6








       In any case, the provider must offer the recipient the possibility of
       oppose the processing of your data for promotional purposes through a
       simple and free procedure, both at the time of data collection

       as in each of the commercial communications that you direct.

       When the communications have been sent by email,
       said means must necessarily consist of the inclusion of an address
       email or other valid electronic address where you can
       exercise this right, being prohibited the sending of communications that

       do not include that address.”

In accordance with the available evidence, it is considered that the
facts exposed, suppose the violation of article 21 of the LSSI.


The aforementioned offense is classified as minor in art. 38.4.d) of said
rule, which qualifies as such, "The sending of commercial communications by mail
electronic or other equivalent electronic means of communication when in said
shipments do not meet the requirements established in article 21 and do not constitute
Serious offense".


In accordance with the precepts indicated, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction to be imposed in
In the present case, it is considered appropriate to graduate the sanction to be imposed in accordance
with the following aggravating criteria established in article 40 of the LSSI:


    - Section c): Recidivism for committing infractions of the same
       nature, when it has been so declared by firm resolution: It appears in the
       Information System of the General Subdirectorate of Data Inspection
       (SIGRID) a Disciplinary Procedure (PS/00170/2021) in which, dated
       of 08/16/21, the Director of the Spanish Data Protection Agency

       resolves to impose on the entity, MAX2PROTECT, S.L., for the infringement of the
       Article 21 of the LSSI, a penalty of 2,000 euros (two thousand euros), with respect to the
       sending commercial communications without the express consent of the same
       addressee. Said sanction was finalized in administrative proceedings on 10/17/21.

Pursuant to the foregoing, the Director of the Spanish Agency for

Data Protection,
                                     RESOLVES:

FIRST: IMPOSE the entity, MAX2PROTECT, S.L. with CIF.: B88606355, a
penalty of 4,000 euros (four thousand euros) for the violation of article 21 LSSI, for

sending commercial communications without the necessary legitimacy for it.

SECOND: NOTIFY this resolution to the entity MAX2PROTECT, S.L

THIRD: Warn the penalized party that the sanction imposed must make it effective

once this resolution is enforceable, in accordance with the provisions of Article
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/6








939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it in the restricted account No. ES00 0000 0000 0000
0000 0000, opened in the name of the Spanish Data Protection Agency in the

Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in
executive period.

Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if

between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative procedure (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file
appeal for reversal before the Director of the Spanish Agency for Data Protection

within a month from the day following notification of this
resolution or directly contentious-administrative appeal before the Chamber of
contentious-administrative of the National Court, in accordance with the provisions of the
article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulating the Contentious-administrative Jurisdiction, within the period of

two months from the day following the notification of this act, according to what
provided for in article 46.1 of the aforementioned legal text.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations

Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the

aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.


Mar Spain Marti
Director of the Spanish Data Protection Agency.








C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es