AEPD (Spain) - EXP202202164: Difference between revisions

From GDPRhub
 
(2 intermediate revisions by 2 users not shown)
Line 7: Line 7:
|DPA_With_Country=AEPD (Spain)
|DPA_With_Country=AEPD (Spain)


|Case_Number_Name=PS-00289-2022
|Case_Number_Name=EXP202202164
|ECLI=
|ECLI=


|Original_Source_Name_1=AEPD
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00289-2022.pdf
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00289-2022.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Language__Code_1=ES
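Review bot: Case_Number_Name changes from PS-00289-2022 to EXP202202164, but both versions of Original_Source_Link_1 in this hunk still end in ps-00289-2022.pdf, so the infobox no longer shows the identifier a reader needs to match the entry to the source document. Consider keeping both numbers, for example the EXP number as the case name with the PS number noted alongside it.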
Line 22: Line 22:
|Outcome=Upheld
|Outcome=Upheld
|Date_Started=16.01.2022
|Date_Started=16.01.2022
|Date_Decided=26.08.2022
|Date_Decided=28.09.2022
|Date_Published=08.11.2022
|Date_Published=28.09.2022
|Year=2022
|Year=2022
|Fine=1,200
|Fine=2,000
|Currency=EUR
|Currency=EUR
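Review bot: Fine goes from 1,200 to 2,000 while the Holding text on the new side says the fine was reduced to €1,200 after voluntary payment, so the field and the summary report different amounts; state whether the Fine field holds the amount imposed or the amount paid and make the lead sentence match. Date_Decided and Date_Published both move to 28.09.2022, a date that does not appear in the summary or in the decision text shown here (the decision gives August 26, 2022 for the initiation agreement and the new summary gives September 26, 2022 for the payment), so it needs a source.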


Line 32: Line 32:
|GDPR_Article_2=Article 13 GDPR
|GDPR_Article_2=Article 13 GDPR
|GDPR_Article_Link_2=Article 13 GDPR
|GDPR_Article_Link_2=Article 13 GDPR
|GDPR_Article_3=Article 39 GDPR
|GDPR_Article_3=Article 83(5) GDPR
|GDPR_Article_Link_3=Article 39 GDPR
|GDPR_Article_Link_3=Article 83 GDPR#5
|GDPR_Article_4=Article 58(2)(d) GDPR
|GDPR_Article_4=Article 83(6) GDPR
|GDPR_Article_Link_4=Article 58 GDPR#2d
|GDPR_Article_Link_4=Article 83 GDPR#6
|GDPR_Article_5=Article 58(2) GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=Article 58 GDPR#2
|GDPR_Article_Link_5=
|GDPR_Article_6=Article 60 GDPR
|GDPR_Article_6=
|GDPR_Article_Link_6=Article 60 GDPR
|GDPR_Article_Link_6=
|GDPR_Article_7=Article 83(2) GDPR
|GDPR_Article_Link_7=Article 83 GDPR#2
|GDPR_Article_8=Article 83(5) GDPR
|GDPR_Article_Link_8=Article 83 GDPR#5
|GDPR_Article_9=
|GDPR_Article_Link_9=
|GDPR_Article_10=
|GDPR_Article_Link_10=


|EU_Law_Name_1=
|EU_Law_Name_1=
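Review bot: GDPR_Article_4 becomes Article 83(6) GDPR, which the decision text shown on this page mentions only inside its quotation of article 71 LOPDGDD ("sections 4, 5 and 6 of article 83"), while Article 58(2) GDPR, cited in the first legal ground for the Director's competence, is dropped along with Article 83(2) GDPR. Keep 58(2) and 83(2) unless there is a stated reason to narrow the list, and add 83(6) only with a pointer to where the decision relies on it.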
Line 54: Line 46:
|EU_Law_Link_2=
|EU_Law_Link_2=


|National_Law_Name_1=Article 112(1) LPACAP
|National_Law_Name_1=
|National_Law_Link_1=https://www.boe.es/eli/es/l/2015/10/01/39/con
|National_Law_Link_1=
|National_Law_Name_2=Article 14 LPACAP
|National_Law_Name_2=
|National_Law_Link_2=https://www.boe.es/eli/es/l/2015/10/01/39/con
|National_Law_Link_2=
|National_Law_Name_3=Article 23 LRJSP
|National_Law_Link_3=https://www.boe.es/eli/es/l/2015/10/01/40/con
|National_Law_Name_4=Article 24 LRJSP
|National_Law_Link_4=https://www.boe.es/eli/es/l/2015/10/01/40/con
|National_Law_Name_5=Article 41 LPACAP
|National_Law_Link_5=https://www.boe.es/eli/es/l/2015/10/01/39/con
|National_Law_Name_6=Article 43 LPACAP
|National_Law_Link_6=https://www.boe.es/eli/es/l/2015/10/01/39/con
|National_Law_Name_7=Article 47 LOPDGDD
|National_Law_Link_7=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_8=Article 48(1) LOPDGDD
|National_Law_Link_8=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_9=Article 50 LOPDGDD
|National_Law_Link_9=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_10=Article 63(2) LOPDGDD
|National_Law_Link_10=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_11=Article 64(2) LOPDGDD
|National_Law_Link_11=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_12=Article 64(2)(f) LPACAP
|National_Law_Link_12=https://www.boe.es/eli/es/l/2015/10/01/39/con
|National_Law_Name_13=Article 65(4) LOPDGDD
|National_Law_Link_13=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_14=Article 68(1) LOPDGDD
|National_Law_Link_14=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_15=Article 71 LOPDGDD
|National_Law_Link_15=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_16=Article 76(2) LOPDGDD
|National_Law_Link_16=https://www.boe.es/eli/es/lo/2018/12/05/3/con
|National_Law_Name_17=Article 85 LPACAP
|National_Law_Link_17=https://www.boe.es/eli/es/l/2015/10/01/39/con
|National_Law_Name_18=
|National_Law_Link_18=
|National_Law_Name_19=
|National_Law_Link_19=


|Party_Name_1=ORI, S.L.
|Party_Name_1=
|Party_Link_1=
|Party_Link_1=
|Party_Name_2=A.A.A
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=


|Appeal_To_Body=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Status=Not appealed
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=Inés López Abad
|Initial_Contributor=mgrd
|
|
}}
}}


A 1,200€ fine is imposed for non-GDPR compliant websites without privacy policy. Further, the adoption of appropriate measures to bring the actions of the data controller into compliance should be imposed. This means, the Agency has to be notified within one month.
AEPD fined in €2,000 a website for non-GDPR compliant privacy policy, violating [[Article 13 GDPR|Article 13 GDPR.]]


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
Data subject filed a complaint with the DPA for the  lack of privacy policy in the websites of ORI, S.I. The website collects personal data through multiple forms. At least 5 of the forms contained in the web pages where personal data are requested, do not provide information on the company’s privacy policy.
On January 16, 2022 the data subject complaint against ORI S.L. for not having a privacy policy on the website in which personal data are collected through multiple forms, only one of them informs about the processing of personal data.
 
During the procedure, the data subject included different screenshots of the website.
 
On March, 2022, AEDP sent a notification to the data controller to, within a period of one month, to inform of the actions taken to adapt to the requirements set forth in the data protection regulations.
 
On June, 2022, ORI replied stating that all the sections of the web page contained informative boxes where they are obliged to communicate to the users with the following concept: "I agree that my personal data provided in the contact form be electronically processed and used for the purpose of contacting me. I am aware that I can remove my consent at any time".


=== Holding ===
=== Holding ===
The DPA held that there is an infringement of [[Article 13 GDPR|Article 13 GDPR]] as defined in article 83.5 GDPR. Therefore the sanctioning procedure is initiated. The sanction imposed graduated in accordance with the criteria established in Article 83.2 GDPR. Data controller has 1 month to adapt to requirements set out in data protection regulations.
AEPD fined the data controller in €2,000 for non-GDPR compliant website without privacy policy, violating [[Article 13 GDPR|Article 13 GDPR]].  
 
On September 26, 2022, the data controller made the voluntary payment of the fine and acknowledged its liability, leading to a reduce of the fine to €1,200.


== Comment ==
== Comment ==
In all sections of the website information boxes obliged to communicate to users a box with the acceptance.
''Share your comments here!''
The original fine is of 2,000€. However, he may acknowledge his responsibility within period granted  which entails a reduction of 20% of sanction. Leaving the amount to a total of  1,600€. Reduction for voluntary payment of penalty may be accumulated, leaving the amount to be 1,200€. Both reductions are conditional upon the withdrawal or waiver of any administrative action or appeal against the sanction.


== Further Resources ==
== Further Resources ==
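Review bot: Party_Name_1, Party_Name_2 and every National_Law field are emptied, although the Facts paragraph on the new side still names ORI S.L. and the decision text relies on the LOPDGDD and the LPACAP; restore at least the parties and the national provisions the decision cites, such as articles 65.4 and 71 LOPDGDD. Replacing the Comment with the placeholder also removes the only explanation of how €2,000 became €1,200 (the two 20% reductions that can be accumulated), and the new summary needs a language pass: "AEDP", "fined in €2,000", "a reduce of the fine".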
Line 145: Line 106:




       RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                     VOLUNTEER
                                     VOLUNTEER


Of the procedure instructed by the Spanish Agency for Data Protection and based on
From the procedure instructed by the Spanish Data Protection Agency and based


to the following
to the following
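Review bot: the heading on the new side, "TERMINATION OF THE PAYMENT PROCEDURE" followed by "VOLUNTEER", moves "PAYMENT" so that it reads as ending a payment procedure rather than ending the procedure because of payment, and both sides keep "VOLUNTEER" where the sense given by the summary is voluntary payment. Suggest a single heading along the lines of "RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT".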
Line 157: Line 118:


FIRST: On August 26, 2022, the Director of the Spanish Agency for
FIRST: On August 26, 2022, the Director of the Spanish Agency for
Data Protection agreed to start a sanctioning procedure against ORI, S.l. (onwards,
Data Protection agreed to initiate sanctioning proceedings against ORI, S.l. (onwards,
the claimed party), through the Transcribed Agreement:
the claimed party), through the Agreement that is transcribed:


<<
<<
Line 168: Line 129:




             AGREEMENT TO START THE SANCTION PROCEDURE
             AGREEMENT TO START SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
Of the actions carried out by the Spanish Data Protection Agency and in
Line 176: Line 137:
                                       FACTS
                                       FACTS


FIRST: A.A.A. (hereinafter, the claiming party) dated January 16, 2022
FIRST: A.A.A. (hereinafter, the complaining party) dated January 16, 2022
filed a claim with the Spanish Data Protection Agency. The
filed a claim with the Spanish Data Protection Agency. The
claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The motives
claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The motives
Line 182: Line 143:
on which the claim is based are the following:
on which the claim is based are the following:


Manifests the lack of privacy policy of the website where data is collected
Expresses the lack of privacy policy of the website where data is collected
through multiple forms, only one informs about the treatment of
personal data through multiple forms, only one informs about the treatment of
data, violating data protection regulations.
data, violating data protection regulations.




Along with the notification is provided:
Along with the notification, the following is provided:


-Screenshot of a Google search for the domain ***URL.1, which offers
-Screenshot of a Google search for the domain ***URL.1, which offers
various results on Facebook, Instagram, tik tok…
several results on Facebook, Instagram, tik tok...




-Screenshot of the detail of the BORME of ORI SL, in which they appear as sole partner and
-Screenshot of the detail of the BORME of ORI SL, in which they appear as the sole partner and
sole administrator B.B.B.
sole administrator B.B.B.


-Screenshot of the page "***URL.1/register/" in which a registration form appears.
-Screenshot of the page ***URL.1/register/” on which a registration form appears


contact in which personal data is requested, and the privacy policy is not indicated.
contact in which personal data is requested, and the privacy policy is not indicated.
Line 212: Line 173:




-Screenshot of the page "***URL.1/become-soci" in which a registration form appears.
-Screenshot of the page ***URL.1/hazte-soci” on which a registration form appears
contact in which personal data is requested, and the privacy policy is not indicated.
contact in which personal data is requested, and the privacy policy is not indicated.
privacy.
privacy.




-Screenshot of the page "***URL.1/request-your-catalogue/" in which a
-Screenshot of the page ***URL.1/solicita-tu-catalog/in which a
contact form in which personal data is requested, and the policy is not indicated
contact form in which personal data is requested, and the policy is not indicated
of privacy, although the following text is added at the end of the questionnaire: "I accept that
of privacy, although the following text is added at the end of the questionnaire: “I accept that
my data provided in the contact form are processed electronically and
my data provided in the contact form are processed electronically and
are used for the purpose of contacting me. I am aware that I can
are used for the purpose of contacting me. I am aware that I can
Line 225: Line 186:
revoke my consent at any time”
revoke my consent at any time”


-Screenshot of the page "***URL.1/kit-de-inicio/" in which a form appears
-Screenshot of the page ***URL.1/starter-kit/” on which a registration form appears
contact in which personal data is requested, and the privacy policy is not indicated.
contact in which personal data is requested, and the privacy policy is not indicated.
privacy, although the following text is added at the end of the questionnaire: "I accept that my
privacy, although the following text is added at the end of the questionnaire: “I accept that my


data provided in the contact form are processed electronically and are
Data provided in the contact form are processed electronically and are
used for the purpose of contacting me. I am aware that I can
used for the purpose of contacting me. I am aware that I can
revoke my consent at any time”
revoke my consent at any time”


-Screenshot of the page "***URL.1/register/" in which a registration form appears.
-Screenshot of the page ***URL.1/register/” on which a registration form appears
contact in which personal data is requested, appearing at the end of it a link
contact in which personal data is requested, with a link appearing at the end of it


to the privacy policy.
to the privacy policy.
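Review bot: the page path changes from "***URL.1/kit-de-inicio/" to "***URL.1/starter-kit/", which translates part of a URL; paths are identifiers and should stay as they appear in the decision, as the old side had it. The new side also drops the opening quotation mark before each ***URL.1 path and turns "a form appears" into "a registration form appears" for what the next line still calls a contact form.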
Line 240: Line 201:
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to ORI, so that
hereinafter LOPDGDD), said claim was transferred to ORI, so that


proceed to its analysis and inform this Agency within a month of the
proceed to its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements established in the regulations of
actions carried out to adapt to the requirements provided for in the regulations of
Data Protection.
Data Protection.


The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of


October 1, of the Common Administrative Procedure of the Administrations
October 1, of the Common Administrative Procedure of Administrations
Public (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the
Public (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the
acknowledgment of receipt in the file.
acknowledgment of receipt that appears in the file.


No response has been received to this letter of transfer.
No response has been received to this transfer letter.




THIRD: On April 16, 2022, in accordance with article 65 of the
THIRD: On April 16, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.
LOPDGDD, the claim presented by the complaining party was admitted for processing.


FOURTH: On 06/09/2022, a letter was received from the ORI administrator in
FOURTH: On 06/09/2022, a letter was received from the ORI administrator in
which states that in all sections of the web page ***URL.1 there are all
which states that in all sections of the website ***URL.1 there are all


the informative boxes where they are forced to communicate to the users a box with
the information boxes where they are forced to communicate to users a box with
the following concept: "I accept that my data provided in the contact form
the following concept: “I accept that my data provided in the contact form
are processed electronically and are used for the purpose of contacting
are processed electronically and are used for the purpose of contacting
with me. I am aware that I can revoke my consent at any
with me. I am aware that I can revoke my consent at any time.
moment"
moment"




                           FUNDAMENTALS OF LAW
                           FOUNDATIONS OF LAW


                                           Yo
                                           Yo
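Review bot: the quoted consent text on the new side now ends "at any time." but the following line still carries the leftover word "moment" with the closing quote, so the end of the quotation is duplicated; drop the leftover line and close the quote after "time". The section heading "Yo" is left unchanged on both sides and should be the Roman numeral I, consistent with the II heading later in the text.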
Line 283: Line 244:


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the


Organic Law 3/2018, of December 5, Protection of Personal Data and
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
initiate and resolve this procedure the Director of the Spanish Protection Agency
Line 295: Line 256:
processed by the Spanish Data Protection Agency will be governed by the provisions
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
subsidiary, by the general rules on administrative procedures."




                                             II
                                             II
Pursuant to article 5.1 of the GDPR, the processing of personal data must be governed by
In accordance with article 5.1 of the RGPD, the processing of personal data must be governed
by the following principles:
by the following principles:


"1. Personal data will be:
"1. The personal data will be:
     a) Treated in a lawful, loyal and transparent manner with the interested party (...)
     a) treated in a lawful, loyal and transparent manner with the interested party ()


2. The controller will be responsible for compliance with the provisions
2. The person responsible for the treatment will be responsible for compliance with the provisions
in paragraph 1 and able to prove it”
in section 1 and capable of demonstrating it”


One of the manifestations of the principle of transparency is the right that the GDPR
One of the manifestations of the principle of transparency is the right that the RGPD
grants the owners of the data to receive information and the correlative obligation that
grants the data owners to receive information and the corresponding obligation that


requires the data controller to provide the data subject with the information
requires the person responsible for the treatment to provide the interested party with the information that
detail articles 12, 13 and 14 of the GDPR.
They detail articles 12, 13 and 14 of the GDPR.


These last two provisions contemplate two different assumptions: That the data is
These last two provisions contemplate two different assumptions: That the data is
obtained directly from the interested party (article 13), as happens in the forms of
obtained directly from the interested party (article 13), as happens in the forms of


collection of data that ORI has included in the web page of which it is the owner, or that
collection of data that ORI has included in the website of which it is the owner, or that
the data is not obtained from the interested party (article 14).
the data is not obtained from the interested party (article 14).


Article 13 of the GDPR establishes:
Article 13 of the GDPR states:


"1. When personal data relating to him or her is obtained from an interested party, the
"1. When personal data relating to him or her is obtained from an interested party, the


responsible for the treatment, at the time they are obtained, will provide you with
responsible for the treatment, at the time these are obtained, will provide you
all the information listed below:
all information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, their
a) the identity and contact details of the person responsible and, where applicable, their
representative;
representative;
b) the contact details of the data protection officer, if applicable;
b) the contact details of the data protection officer, if applicable;


c) the purposes of the processing for which the personal data is intended and the legal basis
c) the purposes of the processing for which the personal data are intended and the legal basis
of the treatment;
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
d) where the processing is based on Article 6, paragraph 1, letter f), the interest
legitimate of the person in charge or of a third party;
legitimate of the person responsible or a third party;
e) the recipients or categories of recipients of personal data, in their
e) the recipients or categories of recipients of the personal data, in their


case; f) where appropriate, the intention of the controller to transfer personal data to a
case; f) where applicable, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of a decision of
third country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of the transfers indicated in the
adequacy of the Commission, or, in the case of the transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the


C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
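Review bot: in the quotation of article 5.1(a) the new side turns the omission mark "(...)" into "()", which loses the signal that text was left out, and "They detail articles 12, 13 and 14" breaks the sentence that the old side carried across the line break. The new side is also inconsistent about the regulation's abbreviation, using RGPD in "article 5.1 of the RGPD" and GDPR a few lines later; pick GDPR for the English text and apply it throughout.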
Line 352: Line 313:




adequate or appropriate guarantees and the means to obtain a copy of these or
adequate or appropriate safeguards and the means to obtain a copy of these or
to the fact that they have been lent.
to the fact that they have been lent.


Line 358: Line 319:
2. In addition to the information mentioned in section 1, the person responsible for the
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained
treatment will provide the interested party, at the time the data is obtained
personal data, the following information necessary to guarantee data processing
personal, the following information necessary to guarantee data processing
fair and transparent
loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this term;
possible, the criteria used to determine this period;


b) the existence of the right to request the data controller access to the
b) the existence of the right to request from the data controller access to the data
personal data relating to the interested party, and its rectification or deletion, or the limitation
personal data relating to the interested party, and its rectification or deletion, or the limitation
of their treatment, or to oppose the treatment, as well as the right to portability
of your treatment, or to oppose the treatment, as well as the right to portability
of the data
of the data
c) when the treatment is based on article 6, paragraph 1, letter a), or article
c) when the processing is based on Article 6(1)(a) or Article


9, paragraph 2, letter a), the existence of the right to withdraw consent in
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
consent prior to its withdrawal;
d) the right to file a claim with a control authority;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
necessary requirement to sign a contract, and if the interested party is obliged to provide
Line 379: Line 340:
provide such data;
provide such data;
f) the existence of automated decisions, including profiling, to which
f) the existence of automated decisions, including profiling, to which
referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, information
refers to article 22, paragraphs 1 and 4, and, at least in such cases, information
significant about the applied logic, as well as the importance and consequences
significant information about the applied logic, as well as the importance and consequences


provisions of said treatment for the interested party.
foreseen of said treatment for the interested party.


3. When the person responsible for the treatment plans the subsequent processing of data
3. When the data controller plans subsequent data processing
personal information for a purpose other than that for which it was collected, will provide the
personal data for a purpose other than that for which they were collected, will provide the
data subject, prior to said further processing, information about that other purpose
interested party, prior to said further processing, information about that other purpose


and any additional information pertinent under section 2. 4. The
and any additional information relevant under paragraph 2. 4. The
provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
that the interested party already has the information.”
“that the interested party already has the information.”


Recitals 39 and 60 of the GDPR help to specify the scope of the right
Recitals 39 and 60 of the GDPR help clarify the scope of the right
of information that is given to the interested parties.
of information provided to interested parties.




Recital 39 establishes: "All processing of personal data must be lawful and
Recital 39 establishes: “All processing of personal data must be lawful and
loyal. It must be completely clear to natural persons that they are being collected,
loyal. For natural persons it must be completely clear that they are being collected,
using, consulting or otherwise processing personal data that
using, consulting or otherwise processing personal data that they
concerned, as well as the extent to which said data is or will be processed. The beginning
concern, as well as the extent to which said data is or will be processed. The beginning


of transparency requires that all information and communication related to the treatment of
Transparency requires that all information and communication related to the treatment of
said data is easily accessible and easy to understand, and that language is used
said data is easily accessible and easy to understand, and that a language is used
simple and clear. This principle refers in particular to the information of the
simple and clear. This principle refers in particular to the information of the
interested parties on the identity of the person responsible for the treatment and the purposes of the treatment and
interested parties about the identity of the person responsible for the treatment and the purposes of the same and
to the information added to guarantee a fair and transparent treatment with
to the added information to guarantee fair and transparent treatment with


regarding the natural persons affected and their right to obtain confirmation and
regarding the affected natural persons and their right to obtain confirmation and
communication of personal data concerning them that are subject to
communication of personal data that concerns them that are subject to
treatment. Natural persons must be aware of the risks,
treatment. Natural persons must be aware of the risks,
rules, safeguards and rights relating to the processing of personal data,
rules, safeguards and rights relating to the processing of personal data,
Line 422: Line 383:




as well as how to assert your rights in relation to the treatment. In
as well as the way to assert your rights in relation to the treatment. In
In particular, the specific purposes of the processing of personal data must be
In particular, the specific purposes of the processing of personal data must be
explicit and legitimate, and must be determined at the time of collection. [...].”
explicit and legitimate, and must be determined at the time of collection. [].”




Recital 60 clarifies that "The principles of fair and transparent treatment
Considering 60 clarifies that “The principles of fair and transparent treatment
require that the data subject be informed of the existence of the processing operation and
require that the interested party be informed of the existence of the treatment operation and
their ends. The data controller must provide the interested party with all
its purposes. The person responsible for the treatment must provide the interested party with
additional information is necessary to guarantee fair treatment and
additional information is necessary to guarantee fair treatment and
transparent, taking into account the specific circumstances and context in which
transparent, taking into account the specific circumstances and context in which


process personal data. The interested party must also be informed of the existence
process personal data. The interested party must also be informed of the existence
profiling and the consequences of profiling. if the data
of profiling and the consequences of such profiling. If the data
data are obtained from data subjects, they must also be informed whether they are
personal data are obtained from the interested parties, they must also be informed of whether they are
obliged to provide them and of the consequences in case they did not do so.”
obliged to provide them and the consequences if they did not do so.”




In the present case, having examined the forms contained in the web pages of
In the present case, having examined the forms contained in the web pages of
ORI in which personal data is requested, it is observed that at least five of
ORI in which personal data is requested, it is observed that in at least five of
They are not informed of the company's privacy policy.
They are not informed of the company's privacy policy.


Therefore, according to the evidence available at this time
Therefore, in accordance with the evidence available at this time
agreement to initiate disciplinary proceedings, and without prejudice to what results from
agreement to initiate the sanctioning procedure, and without prejudice to what results from


the instruction, it is considered that the known facts could constitute a
the instruction, it is considered that the known facts could constitute a
infringement, attributable to ORI, due to violation of article 13 of the GDPR
infringement, attributable to ORI, for violation of article 13 of the RGPD


                                             II
                                             III
If confirmed, the aforementioned infringement of article 13 of the GDPR could lead to the
If confirmed, the aforementioned violation of article 13 of the RGPD could mean the


commission of the offenses typified in article 83.5 of the GDPR that under the
commission of the infractions classified in article 83.5 of the RGPD that under the
The heading "General conditions for the imposition of administrative fines" provides:
The section “General conditions for the imposition of administrative fines” provides:


Violations of the following provisions will be sanctioned, in accordance with the
“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,


in the case of a company, an amount equivalent to a maximum of 4% of the
In the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
global total annual business volume of the previous financial year, opting for
the highest amount:
the largest amount:
       (…)
       (…)
       b) the rights of the interested parties in accordance with articles 12 to 22;
       b) the rights of the interested parties under articles 12 to 22;
       (…)”
       (…)”




In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that
In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
"The acts and behaviors referred to in sections 4,
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.
contrary to this organic law.
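Review bot: The new revision drops the closing quotation mark at "contrary to this organic law." while keeping the opening mark on “The acts and conduct referred to in sections 4, so the quotation from article 71 of the LOPDGDD is left unclosed; restore the closing mark. The same hunk switches the acronym from GDPR to RGPD in running English text, while unchanged lines elsewhere in the translation still read GDPR. Pick one form and apply it throughout.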




Line 475: Line 436:


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
considered very serious and will prescribe after three years the infractions that involve


a substantial violation of the articles mentioned therein and, in particular, the
a substantial violation of the articles mentioned therein and, in particular, the
Line 492: Line 453:




       h) The omission of the duty to inform the affected party about the treatment of their
       h) The omission of the duty to inform the affected person about the treatment of their
       personal data in accordance with the provisions of articles 13 and 14 of the
       personal data in accordance with the provisions of articles 13 and 14 of the
       Regulation (EU) 2016/679 and 12 of this organic law.”
       Regulation (EU) 2016/679 and 12 of this organic law.”




                                           IV.
                                           IV
For the purposes of deciding on the imposition of an administrative fine and its amount,
For the purposes of deciding on the imposition of an administrative fine and its amount,
In accordance with the evidence available at the present time of
in accordance with the evidence currently available
agreement to start disciplinary proceedings, and without prejudice to what results from the
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with
instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with


the criteria established in article 83.2 of the GDPR.
the criteria established in article 83.2 of the RGPD.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 "Sanctions and corrective measures"
criteria established in section 2 of article 76 “Sanctions and corrective measures”
of the LOPDGDD.
of the LOPDGDD.




If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the term
If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the period
that is specified in the sanctioning resolution, proceed to complete the privacy policy
that is specified in the sanctioning resolution, proceed to complete the
privacy on all pages that collect personal data, without prejudice to others that
privacy on all pages that collect personal data, without prejudice to others that
could be derived from the instruction of the procedure, in accordance with the provisions
could arise from the instruction of the procedure, in accordance with the provisions
in the aforementioned article 58.2 d) of the GDPR, according to which each control authority may
in the aforementioned article 58.2 d) of the RGPD, according to which each control authority may


“order the person in charge or person in charge of the treatment that the operations of
“order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
treatment comply with the provisions of this Regulation, where applicable,
in a certain way and within a specified period…”. the imposition of
in a certain way and within a specified period….” The imposition of
This measure is compatible with the sanction consisting of an administrative fine, according to
This measure is compatible with the sanction consisting of an administrative fine, according to
The provisions of the art. 83.2 of the GDPR.
The provisions of the art. 83.2 of the GDPR.




It is noted that not meeting the requirements of this body may be
Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the GDPR,
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.
opening of a subsequent administrative sanctioning procedure.




Therefore, in accordance with the foregoing, by the Director of the Agency
Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,
Spanish Data Protection,
HE REMEMBERS:
HE REMEMBERS:


FIRST: INITIATE SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1,
FIRST: START SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1,


for the alleged violation of Article 13 of the GDPR, typified in Article 83.5 of the
for the alleged violation of Article 13 of the RGPD, typified in Article 83.5 of the
GDPR.
GDPR.


SECOND: APPOINT as instructor R.R.R. and, as secretary, to S.S.S.
SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S.
indicating that any of them may be challenged, if applicable, in accordance with the
indicating that any of them may be challenged, if applicable, in accordance with the
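Review bot: In the paragraph on failure to comply with the Agency's requirements, the new wording "and such conduct may be motivated by opening of a subsequent administrative sanctioning procedure" reverses the sense of the line it replaces, which said that such conduct can give rise to the opening of a new procedure. Reword it along the lines of "and such conduct may lead to the opening of a subsequent administrative sanctioning procedure". The new "APPOINT R.R.R. as instructor. and, as secretary, to S.S.S." also introduces a stray full stop in the middle of the sentence.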


Line 544: Line 505:
Legal Department of the Public Sector (LRJSP).
Legal Department of the Public Sector (LRJSP).


THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the
THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, as well as the
claim filed by the complaining party and its documentation, as well as the


documents obtained and generated by the Sub-directorate General of Inspection of
documents obtained and generated by the General Subdirectorate of Inspection of
Data in the actions prior to the start of this sanctioning procedure.
Data in the actions prior to the start of this sanctioning procedure.


Line 562: Line 523:




FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1
FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be, for the alleged violation of article 13 of the
sanction that could correspond would be, for the alleged violation of article 13 of the


GDPR, typified in article 83.5 of said regulation, administrative fine of amount
RGPD, typified in article 83.5 of said regulation, administrative fine of amount
€2,000.00
2,000.00 euros


FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it
FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it
a hearing period of ten business days to formulate the allegations and
a hearing period of ten business days to formulate the allegations and
Submit any evidence you deem appropriate. In his statement of pleadings
present the evidence you consider appropriate. In his brief of allegations


You must provide your NIF and the procedure number that appears in the heading
You must provide your NIF and the procedure number that appears in the heading
of this document.
of this document.


If, within the stipulated period, he does not make allegations to this initial agreement, the same
If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a resolution proposal, as established in article
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of


Line 584: Line 545:
In accordance with the provisions of article 85 of the LPACAP, you may recognize your
In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
responsibility within the period granted for the formulation of allegations to the
present initiation agreement; which will entail a reduction of 20% of the
present initiation agreement; which will entail a 20% reduction in the


sanction that should be imposed in this proceeding. With the application of this
sanction that may be imposed in this procedure. With the application of this
reduction, the sanction would be established at 1,600.00 euros, resolving the
reduction, the penalty would be established at 1,600.00 euros, resolving the
procedure with the imposition of this sanction.
procedure with the imposition of this sanction.


In the same way, it may, at any time prior to the resolution of this
Likewise, you may, at any time prior to the resolution of this


procedure, carry out the voluntary payment of the proposed sanction, which
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a reduction of 20% of its amount. With the application of this reduction,
will mean a 20% reduction in the amount. With the application of this reduction,
the sanction would be established at 1,600.00 euros and its payment will imply the termination
The penalty would be established at 1,600.00 euros and its payment will imply termination
of the procedure.
of the procedure.


The reduction for the voluntary payment of the penalty is cumulative to the corresponding
The reduction for the voluntary payment of the penalty is cumulative with that corresponding


apply for acknowledgment of responsibility, provided that this acknowledgment
apply for recognition of responsibility, provided that this recognition
of the responsibility is revealed within the period granted to formulate
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. Voluntary payment of the referred amount
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if both reductions were to be applied, the amount of the penalty would remain
In this case, if both reductions were to be applied, the amount of the penalty would remain
Line 607: Line 568:
established at 1,200.00 euros.
established at 1,200.00 euros.


In any case, the effectiveness of any of the two aforementioned reductions will be
In any case, the effectiveness of any of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or appeal via
conditioned upon the withdrawal or waiver of any action or appeal pending.
administrative against the sanction.
administrative against the sanction.
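Review bot: The replacement line "conditioned upon the withdrawal or waiver of any action or appeal pending." ends the sentence one line early, so the unchanged next line "administrative against the sanction." is left as an orphaned fragment. Keep the sentence running across both lines, for example "any administrative action or appeal against the sanction", which is the wording the new revision already uses in its quotation of article 85.3 of the LPACAP.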


Line 614: Line 575:
In the event that you choose to proceed with the voluntary payment of any of the amounts
In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective
indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective
by depositing it in the account number ES00 0000 0000 0000 0000 0000 opened to
by depositing it into account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency in the bank
name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the
CAIXABANK, S.A., indicating in the concept the reference number of the


procedure that appears in the heading of this document and the cause of
procedure that appears in the heading of this document and the cause of
reduction of the amount to which it receives.
reduction of the amount to which it is accepted.




Line 633: Line 594:


Likewise, you must send proof of income to the General Subdirectorate of
Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue with the procedure in accordance with the quantity
Inspection to continue the procedure in accordance with the quantity


entered.
entered.


The procedure will have a maximum duration of nine months from the
The procedure will have a maximum duration of nine months counting from the
date of the initiation agreement or, where appropriate, of the draft initiation agreement.
date of the initiation agreement or, where applicable, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of
After this period, its expiration will occur and, consequently, the file of


performances; in accordance with the provisions of article 64 of the LOPDGDD.
performances; in accordance with the provisions of article 64 of the LOPDGDD.


In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, as regards
In compliance with articles 14, 41 and 43 of LPACAP, it is noted that, as far as
successively, the notifications that are sent to you will be made exclusively in a
Subsequently, the notifications sent to you will be made exclusively
electronically, through the Unique Authorized Electronic Address (dehu.redsara.es) and the
electronically, through the Unique Enabled Electronic Address (dehu.redsara.es) and the


Electronic Notification Service (notifications.060.es), and that, if you do not access
Electronic Notification Service (notifications.060.es), and that, if you do not access
their rejection will be recorded in the file, considering the process completed and
their rejection will be recorded in the file, considering the procedure completed and
following the procedure. You are informed that you can identify before this Agency
following the procedure. You are informed that you can identify before this Agency
an email address to receive the notice of making available to the
an email address to receive the notice of making available the
notifications and that failure to practice this notice will not prevent the notification
notices and that failure to comply with this notice will not prevent the notice


be considered fully valid.
be considered fully valid.
Line 661: Line 622:
                                                                               935-110422
                                                                               935-110422


Mar Spain Marti
Sea Spain Martí
Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency
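Review bot: The signature line changes "Mar Spain Marti" to "Sea Spain Martí", which translates the signatory's first name as if it were a common noun. A personal name should be carried over untranslated from the Spanish original; the restored accent on the last word is fine. The same substitution is repeated in the signature at the end of the resolution.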


Line 668: Line 629:




SECOND: On September 26, 2022, the claimed party has proceeded to the
SECOND: On September 26, 2022, the claimed party has proceeded to
payment of the penalty in the amount of 1200 euros making use of the two reductions
payment of the penalty in the amount of 1,200 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.
recognition of responsibility.
Line 675: Line 636:


THIRD: The payment made, within the period granted to formulate allegations to
THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or appeal via
The opening of the procedure entails the renunciation of any action or appeal pending.
against the sanction and acknowledgment of responsibility in relation to
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Commencement Agreement.
the facts referred to in the Initiation Agreement.




FOURTH: In the previously transcribed initiation agreement, it was indicated that, if
FOURTH: In the initiation Agreement transcribed previously it was stated that,
Once the infringement is confirmed, it could be agreed to impose on the controller the adoption of
If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
adequate measures to adjust its performance to the regulations mentioned in this
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to the
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the


which each control authority may "order the person responsible or in charge of the
which each control authority may “order the person responsible or in charge of the
processing that the processing operations comply with the provisions of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain way and within a certain
this Regulation, where appropriate, in a certain manner and within a
specified term…”.
specified period…”




Having recognized the responsibility for the infringement, the imposition of
Having recognized responsibility for the infraction, the imposition of penalties proceeds.
the measures included in the Initiation Agreement.
the measures included in the Initiation Agreement.
C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
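Review bot: In the last sentence of the FOURTH point, the new line "Having recognized responsibility for the infraction, the imposition of penalties proceeds." closes the sentence and inserts "penalties", leaving the unchanged line "the measures included in the Initiation Agreement." detached; the replaced text said that it is the measures whose imposition proceeds. Suggest "the imposition of the measures included in the Initiation Agreement proceeds". In the THIRD point, capitalising "The opening of the procedure" makes the opening, rather than the payment, the subject of "entails".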
Line 711: Line 672:




                           FUNDAMENTALS OF LAW
                           FOUNDATIONS OF LAW




Line 717: Line 678:


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the


Organic Law 3/2018, of December 5, Protection of Personal Data and
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
initiate and resolve this procedure the Director of the Spanish Protection Agency
Line 729: Line 690:
processed by the Spanish Data Protection Agency will be governed by the provisions
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
subsidiary, by the general rules on administrative procedures."


Line 736: Line 697:


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations (hereinafter, LPACAP), under the heading
Common Public Administrations (hereinafter, LPACAP), under the heading
"Termination in disciplinary proceedings" provides the following:
“Termination in sanctioning procedures” provides the following:




"1. Initiated a disciplinary procedure, if the offender acknowledges his responsibility,
"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.
The procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction has only a pecuniary nature or it is possible to impose a
2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
pecuniary sanction and another of a non-pecuniary nature but the


inadmissibility of the second, the voluntary payment by the presumed perpetrator, in
inadmissibility of the second, the voluntary payment by the alleged responsible, in
any moment prior to the resolution, will imply the termination of the procedure,
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the offence.
compensation for damages caused by the commission of the infringement.




3. In both cases, when the sanction is solely pecuniary in nature, the
3. In both cases, when the sanction has only a pecuniary nature, the
The competent body to resolve the procedure will apply reductions of at least
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative among themselves.
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of


any administrative action or resource against the sanction.
any administrative action or appeal against the sanction.


The percentage reduction provided for in this section may be increased
The reduction percentage provided for in this section may be increased
according to regulations."
“regularly.


C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
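Review bot: The last line of the quotation of article 85 of the LPACAP changes "according to regulations." to "“regularly.", which alters the meaning (an increase made by regulation becomes an increase made at regular intervals) and swaps the closing quotation mark for an opening one, so the quotation that starts at "1." is never closed. Restore "according to regulations" or use "by regulation", followed by a closing mark.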
Line 775: Line 736:




According to what has been stated,
According to what was indicated,
the Director of the Spanish Data Protection Agency RESOLVES:
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202202164, in
FIRST: DECLARE the termination of procedure EXP202202164, of


in accordance with the provisions of article 85 of the LPACAP.
in accordance with the provisions of article 85 of the LPACAP.


SECOND: REQUIRE ORI, S.l. so that within one month notify the
SECOND: REQUIRE ORI, S.l. so that within a period of one month notify the
Agency adopting the measures described in the fundamentals of law
Agency the adoption of the measures described in the legal bases


of the Initiation Agreement transcribed in this resolution.
of the Initiation Agreement transcribed in this resolution.
Line 791: Line 752:
In accordance with the provisions of article 50 of the LOPDGDD, this
In accordance with the provisions of article 50 of the LOPDGDD, this


Resolution will be made public once the interested parties have been notified.
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative process as prescribed by
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure


Line 807: Line 768:


                                                                                 1259-070622
                                                                                 1259-070622
Mar Spain Marti
Sea Spain Martí


Director of the Spanish Data Protection Agency
Director of the Spanish Data Protection Agency

Latest revision as of 14:06, 5 March 2024

AEPD - EXP202202164
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1) GDPR
Article 13 GDPR
Article 83(5) GDPR
Article 83(6) GDPR
Type: Complaint
Outcome: Upheld
Started: 16.01.2022
Decided: 28.09.2022
Published: 28.09.2022
Fine: 2,000 EUR
Parties: n/a
National Case Number/Name: EXP202202164
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: mgrd

The AEPD fined a website €2,000 for a non-GDPR-compliant privacy policy, in violation of Article 13 GDPR.

English Summary

Facts

On January 16, 2022, the data subject filed a complaint against ORI S.L. for not having a privacy policy on its website, where personal data are collected through multiple forms, only one of which informs users about the processing of personal data.

During the procedure, the data subject included different screenshots of the website.

In March 2022, the AEPD sent a notification to the data controller asking it to report, within a period of one month, the actions taken to adapt to the requirements set forth in the data protection regulations.

In June 2022, ORI replied stating that all the sections of the web page contained the informative boxes in which it is obliged to communicate the following statement to users: "I agree that my personal data provided in the contact form be electronically processed and used for the purpose of contacting me. I am aware that I can remove my consent at any time".

Holding

The AEPD fined the data controller €2,000 for a non-GDPR-compliant website without a privacy policy, in violation of Article 13 GDPR.

On September 26, 2022, the data controller made the voluntary payment of the fine and acknowledged its liability, leading to a reduction of the fine to €1,200.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: EXP202202164



       RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

From the procedure conducted by the Spanish Data Protection Agency and based on the following


                                   BACKGROUND


FIRST: On August 26, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against ORI, S.l. (hereinafter, the claimed party), through the Agreement that is transcribed:

<<



File No.: EXP202202164



            AGREEMENT TO START SANCTIONING PROCEDURE

From the actions carried out by the Spanish Data Protection Agency and based on the following


                                       FACTS

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency on January 16, 2022. The claim is directed against ORI, S.l. with NIF ***NIF.1 (hereinafter, ORI). The grounds on which the claim is based are the following:

The complaining party reports the lack of a privacy policy on the website, where personal data is collected through multiple forms, only one of which informs about the processing of data, in violation of data protection regulations.


Along with the notification, the following is provided:

-Screenshot of a Google search for the domain ***URL.1, which offers several results on Facebook, Instagram, TikTok...

-Screenshot of the detail of the BORME entry for ORI SL, in which B.B.B. appears as sole partner and sole administrator.

-Screenshot of the page “***URL.1/register/” on which a contact form appears in which personal data is requested, and the privacy policy is not indicated.

-Screenshot of the page “***URL.1/hazte-soci” on which a contact form appears in which personal data is requested, and the privacy policy is not indicated.

-Screenshot of the page “***URL.1/solicita-tu-catalog/” on which a contact form appears in which personal data is requested, and the privacy policy is not indicated, although the following text is added at the end of the questionnaire: “I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time”

-Screenshot of the page “***URL.1/starter-kit/” on which a contact form appears in which personal data is requested, and the privacy policy is not indicated, although the following text is added at the end of the questionnaire: “I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time”

-Screenshot of the page “***URL.1/register/” on which a contact form appears in which personal data is requested, with a link to the privacy policy appearing at the end of it.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to ORI so that it could analyze it and inform this Agency, within a period of one month, of the actions carried out to adapt to the requirements provided for in the data protection regulations.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was collected on 03/27/2022, as stated in the acknowledgment of receipt that appears in the file.

No response has been received to this transfer letter.


THIRD: On April 16, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On 06/09/2022, a letter was received from the ORI administrator stating that all sections of the website ***URL.1 contain the information boxes in which they are obliged to communicate to users a box with the following text: “I accept that my data provided in the contact form are processed electronically and are used for the purpose of contacting me. I am aware that I can revoke my consent at any time.”


                           FOUNDATIONS OF LAW

                                            I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."


                                            II
In accordance with article 5.1 of the RGPD, the processing of personal data must be governed
by the following principles:

"1. The personal data will be:
    a) treated in a lawful, loyal and transparent manner with the interested party (…)

2. The person responsible for the treatment will be responsible for compliance with the provisions
in section 1 and capable of demonstrating it”

One of the manifestations of the principle of transparency is the right that the RGPD
grants the data owners to receive information and the corresponding obligation it
imposes on the person responsible for the treatment to provide the interested party
with the information detailed in articles 12, 13 and 14 of the GDPR.

These last two provisions contemplate two different assumptions: that the data is
obtained directly from the interested party (article 13), as happens in the data
collection forms that ORI has included in the website of which it is the owner, or that
the data is not obtained from the interested party (article 14).

Article 13 of the GDPR states:

"1. When personal data relating to him or her is obtained from an interested party, the
person responsible for the treatment, at the time these are obtained, will provide him or her
with all the information indicated below:
a) the identity and contact details of the person responsible and, where applicable, their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the processing for which the personal data are intended and the legal basis
of the treatment;
d) where the processing is based on Article 6, paragraph 1, letter f), the legitimate
interest of the person responsible or a third party;
e) the recipients or categories of recipients of the personal data, where applicable;
f) where applicable, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of an adequacy
decision of the Commission, or, in the case of the transfers indicated in
Articles 46 or 47 or Article 49, paragraph 1, second paragraph, reference to the
adequate or appropriate safeguards and the means to obtain a copy of these or
where they have been made available.


2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the personal data is obtained,
the following information necessary to guarantee loyal and transparent data
processing:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this period;
b) the existence of the right to request from the data controller access to the
personal data relating to the interested party, and its rectification or deletion, or the
limitation of its treatment, or to oppose the treatment, as well as the right to
portability of the data;
c) when the processing is based on Article 6(1)(a) or Article
9, paragraph 2, letter a), the existence of the right to withdraw consent
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not
providing such data;
f) the existence of automated decisions, including profiling, referred to in
article 22, paragraphs 1 and 4, and, at least in such cases, meaningful
information about the applied logic, as well as the importance and the foreseen
consequences of said treatment for the interested party.

3. When the data controller plans subsequent processing of personal data
for a purpose other than that for which they were collected, it will provide the
interested party, prior to said further processing, information about that other purpose
and any additional information relevant under paragraph 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
that the interested party already has the information.”

Recitals 39 and 60 of the GDPR help clarify the scope of the right
of information provided to interested parties.


Recital 39 establishes: “All processing of personal data must be lawful and
loyal. For natural persons it must be completely clear that personal data
concerning them are being collected, used, consulted or otherwise processed,
as well as the extent to which said data is or will be processed. The principle
of transparency requires that all information and communication related to the treatment of
said data is easily accessible and easy to understand, and that simple and clear
language is used. This principle refers in particular to the information of the
interested parties about the identity of the person responsible for the treatment and the purposes of the same and
to the additional information to guarantee fair and transparent treatment with
regard to the affected natural persons and their right to obtain confirmation and
communication of personal data that concerns them that are subject to
treatment. Natural persons must be aware of the risks,
rules, safeguards and rights relating to the processing of personal data,
as well as the way to assert their rights in relation to the treatment. In
particular, the specific purposes of the processing of personal data must be
explicit and legitimate, and must be determined at the time of collection. […].”


Recital 60 clarifies that “The principles of fair and transparent treatment
require that the interested party be informed of the existence of the treatment operation and
its purposes. The person responsible for the treatment must provide the interested party with
whatever additional information is necessary to guarantee fair and
transparent treatment, taking into account the specific circumstances and context in which
personal data are processed. The interested party must also be informed of the existence
of profiling and the consequences of such profiling. If the personal data
are obtained from the interested parties, they must also be informed of whether they are
obliged to provide them and the consequences if they did not do so.”


In the present case, having examined the forms contained in the web pages of
ORI in which personal data is requested, it is observed that in at least five of
them users are not informed of the company's privacy policy.

Therefore, in accordance with the evidence available at this stage of the
agreement to initiate the sanctioning procedure, and without prejudice to what results from
the instruction, it is considered that the known facts could constitute an
infringement, attributable to ORI, for violation of article 13 of the RGPD.

                                            III
If confirmed, the aforementioned violation of article 13 of the RGPD could mean the
commission of the infractions classified in article 83.5 of the RGPD which, under the
heading “General conditions for the imposition of administrative fines”, provides:

“Infringements of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual business volume of the previous financial year, opting for
the largest amount:
       (…)
       b) the rights of the interested parties under articles 12 to 22;
       (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are
contrary to this organic law, constitute infringements.”


For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
the infractions that involve a substantial violation of the articles mentioned
therein are considered very serious and will prescribe after three years, in
particular the following:
       (…)
       h) The omission of the duty to inform the affected person about the treatment of their
       personal data in accordance with the provisions of articles 13 and 14 of the
       Regulation (EU) 2016/679 and 12 of this organic law.”


                                          IV
For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at this stage of the
agreement to initiate the sanctioning procedure, and without prejudice to what results from the
instruction, it is considered appropriate to graduate the sanction to be imposed in accordance with
the criteria established in article 83.2 of the RGPD.

Likewise, it is considered that it is appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 “Sanctions and corrective measures”
of the LOPDGDD.


If the infringement is confirmed, it could be agreed to impose on the person responsible that, within the period
that is specified in the sanctioning resolution, proceed to complete the
privacy on all pages that collect personal data, without prejudice to others that
could arise from the instruction of the procedure, in accordance with the provisions
in the aforementioned article 58.2 d) of the RGPD, according to which each control authority may
“order the person responsible or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where applicable,
in a certain way and within a specified period…”. The imposition of
this measure is compatible with the sanction consisting of an administrative fine, according to
the provisions of art. 83.2 of the GDPR.


Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may give rise to
the opening of a subsequent administrative sanctioning procedure.


Therefore, in accordance with the above, by the Director of the Spanish
Data Protection Agency,
IT IS AGREED:

FIRST: START SANCTIONING PROCEDURE against ORI, S.l., with NIF ***NIF.1,
for the alleged violation of Article 13 of the RGPD, typified in Article 83.5 of the
GDPR.

SECOND: APPOINT R.R.R. as instructor and S.S.S. as secretary,
indicating that any of them may be challenged, if applicable, in accordance with the
provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal
Regime of the Public Sector (LRJSP).

THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the complaining party and its documentation, as well as the
documents obtained and generated by the General Subdirectorate of Data
Inspection in the actions prior to the start of this sanctioning procedure.



FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of
October 1, on the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be, for the alleged violation of article 13 of the
RGPD, typified in article 83.5 of said regulation, an administrative fine in the amount of
2,000.00 euros.

FIFTH: NOTIFY this agreement to ORI, S.l., with NIF ***NIF.1, granting it
a hearing period of ten business days to formulate the allegations and
present the evidence it considers appropriate. In your brief of allegations
you must provide your NIF and the procedure number that appears in the heading
of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the
present initiation agreement, which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this
reduction, the penalty would be established at 1,600.00 euros, resolving the
procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which
will mean a 20% reduction in the amount. With the application of this reduction,
the penalty would be established at 1,600.00 euros and its payment will imply termination
of the procedure.

The reduction for the voluntary payment of the penalty is cumulative with the one that
applies for recognition of responsibility, provided that this recognition
of responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the amount referred to
in the previous paragraph may be made at any time prior to the resolution.
In this case, if both reductions were to be applied, the amount of the penalty would be
established at 1,200.00 euros.

In any case, the effectiveness of either of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any administrative action or appeal
against the sanction.


In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (1,600.00 euros or 1,200.00 euros), you must make it effective
by depositing it into account number ES00 0000 0000 0000 0000 0000 opened in the
name of the Spanish Data Protection Agency in the banking entity
CAIXABANK, S.A., indicating in the concept the reference number of the
procedure that appears in the heading of this document and the ground for
reduction of the amount on which you are relying.


Likewise, you must send proof of payment to the General Subdirectorate of
Inspection in order to continue the procedure in accordance with the amount
paid.

The procedure will have a maximum duration of nine months counting from the
date of the initiation agreement or, where applicable, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the archiving of the
proceedings, in accordance with the provisions of article 64 of the LOPDGDD.

In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that, from now on,
the notifications sent to you will be made exclusively
electronically, through the Unique Enabled Electronic Address (dehu.redsara.es) and the
Electronic Notification Service (notifications.060.es), and that, if you do not access
them, their rejection will be recorded in the file, the step being considered completed and
the procedure continuing. You are informed that you can identify before this Agency
an email address at which to receive notice that notifications have been made available,
and that failure to send this notice will not prevent the notification
from being considered fully valid.

Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.


                                                                               935-110422

Mar España Martí
Director of the Spanish Data Protection Agency


>>


SECOND: On September 26, 2022, the claimed party has proceeded to
payment of the penalty in the amount of 1,200 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any administrative action or
appeal against the sanction and the recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.


FOURTH: In the initiation Agreement transcribed previously it was stated that,
if the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of
this Regulation, where appropriate, in a certain manner and within a
specified period…”


Having recognized responsibility for the infraction, the imposition of
the measures included in the Initiation Agreement is appropriate.

                           FOUNDATIONS OF LAW


                                            I

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD) grants each
control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish
Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."


                                            II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures”, provides the following:


"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or a pecuniary sanction and
another of a non-pecuniary nature can be imposed but the inadmissibility of the
second has been justified, the voluntary payment by the alleged responsible, at
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of
any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased
by regulation.”

According to what was indicated,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure EXP202202164, in
accordance with the provisions of article 85 of the LPACAP.

SECOND: REQUIRE ORI, S.l. to notify the Agency, within a period of one month,
of the adoption of the measures described in the legal bases
of the Initiation Agreement transcribed in this resolution.

THIRD: NOTIFY this resolution to ORI, S.l.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations, interested parties may file a contentious-administrative
appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


                                                                                 1259-070622
Mar España Martí

Director of the Spanish Data Protection Agency

























