AEPD (Spain) - EXP202206542

From GDPRhub
AEPD - PS-00357-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Decided: 18.01.2023
Fine: 2000 EUR
Parties: n/a
National Case Number/Name: PS-00357-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: 1917

The Spanish DPA fined a private detective €2,000 because of a violation of Article 13 GDPR. The data subject was not informed how her personal data would be processed. The website of the detective, which was referred to in the contract with the data subject, lacked a privacy notice.

English Summary


The data subject had hired a private detective (controller) to investigate a personal matter. According to the data subject, the investigation contract did not include any wording about privacy and data protection. Moreover, a request to obtain a privacy notice under Article 13 GDPR had been ignored by the controller. On 19 May 2022, the data subject lodged a complaint with the Spanish DPA (DPA), claiming a general lack of information around the controller's data processing activities in violation of Article 13 GDPR. The DPA started an investigation and found that the contract between the data subject and controller contained a URL of a website. In turn, this website contained a contact form which enabled the controller to collect personal data. However, the website itself did not provide any privacy notice. The DPA also notified the controller during the investigation. However, the controller ignored these requests.


In the present case, the DPA held that the controller was collecting personal data on its website with the contact form. However, the data subject was not given any information about the way in which their personal data was going to be processed. Furthermore, the website did not have a privacy notice. This lack of information was in violation of Article 13 GDPR. For this violation, the DPA fined the controller €2,000 pursuant to Article 83(5) GDPR. The DPA also ordered the controller, pursuant to Article 83(5)(b) GDPR, to add the privacy notice to future contracts with its clients and to its website.



English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: EXP202206542


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


FIRST: A.A.A. (hereinafter, the claiming party) dated May 19, 2022
filed a claim with the Spanish Data Protection Agency. The

claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the part
claimed). The reasons on which the claim is based are the following:

On 04/24/2021, the claimant contracted the claimed party to carry out
an investigation.

According to him, the claimed party has processed his data without providing him with the information
established in article 13 of the GDPR.

The claiming party made a request to the claimed party so that it
They sent this information and they have not responded.

Along with the claim, provide the signed contract (not including any
data protection clause) and an email sent by the party
claimant to the email address ***EMAIL.1, to which the file was attached
named requirement.pdf.

The web address ***URL.1 is superimposed on the signed contract. In this page
website a contact form appears in which personal data is requested, and it is not
specifies the applicable privacy policy.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(hereinafter LOPDGDD), said claim was transferred to the claimed party
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP) by electronic notification, was not collected by
the person in charge, within the period of availability, understood as rejected
in accordance with the provisions of art. 43.2 of the LPACAP dated 06/21/2022, as stated

in the certificate in the file. Reiterated the transfer on 06/21/2022
by certified postal mail, it was again returned by "unknown".

No response has been received to this letter of transfer.

C/ Jorge Juan, 6
28001 – Madrid 2/8

THIRD: On July 1, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: On September 6, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,
for the alleged violation of Article 13 of the GDPR, typified in Article 83.5 of the

Attempted notification through the Electronic Notification Service and Address
Electronic Enabled on 09/07/2022, on 09/18/2022 the rejection occurred
of the same as the recipient has not accessed it.

On 10/04/2022, the notification is attempted again at the existing postal address

in the file, with the result "returned to origin due to unknown" on 10/06/2022.

In accordance with article 44 of Law 39/2015, of October 1, on the Procedure
Common Administrative Board of Public Administrations, the announcement of
agreement to open disciplinary proceedings in the Official Gazette of the State of
day 10/14/2022.

FIFTH: Notified of the aforementioned start-up agreement in accordance with the rules established in
Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP) and after the period granted
for the formulation of allegations, it has been verified that no allegation has been received

any by the claimed party.

Article 64.2.f) of the LPACAP -provision of which the claimed party was informed
in the agreement to open the procedure - establishes that if no
arguments within the established term on the content of the initiation agreement, when

it contains a precise pronouncement about the imputed responsibility,
may be considered a resolution proposal. In the present case, the agreement of
beginning of the disciplinary file determined the facts in which the
imputation, the infringement of the GDPR attributed to the defendant and the sanction that could
impose. Therefore, taking into consideration that the claimed party has not
made allegations to the agreement to start the file and in attention to what

established in article 64.2.f) of the LPACAP, the aforementioned initiation agreement is
considered in the present case resolution proposal.

In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:

                                PROVEN FACTS

FIRST: It is proven that the claiming party and the claimed party
signed a contract according to which the complaining party contracted the services of

a private detective, who corresponds to the person of the claimed party, in order to
to carry out a family investigation.

SECOND: It is proven that the signed contract appears superimposed on the
address ***URL.1, web page in which a contact form appears in which
personal data is requested, and the applicable privacy policy is not specified.

                           FUNDAMENTALS OF LAW

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter GDPR), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."

Pursuant to article 5.1 of the GDPR, the processing of personal data must be governed by
by the following principles:

"1. Personal data will be:
    a) Treated in a lawful, loyal and transparent manner with the interested party (...)
2. The controller will be responsible for compliance with the provisions
in paragraph 1 and able to prove it”

One of the manifestations of the principle of transparency is the right that the GDPR
grants the owners of the data to receive information and the correlative obligation that
requires the data controller to provide the data subject with the information
detail articles 12, 13 and 14 of the GDPR.

These last two provisions contemplate two different assumptions: That the data is
obtained directly from the interested party (article 13), as in the present case,
since the data is obtained either when signing the contract, or when filling out the questionnaire
of the web page to request information, or that the data is not obtained from the
interested party (article 14).

Article 13 of the GDPR establishes:

"1. When personal data relating to him or her is obtained from an interested party, the
responsible for the treatment, at the time they are obtained, will provide you with
all the information listed below:
a) the identity and contact details of the person in charge and, where appropriate, their
b) the contact details of the data protection officer, if applicable;
c) the purposes of the processing for which the personal data is intended and the legal basis
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate of the person in charge or of a third party;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of the transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate guarantees and the means to obtain a copy of these or
to the fact that they have been lent.

2. In addition to the information mentioned in section 1, the person responsible for the
treatment will provide the interested party, at the time the data is obtained

personal data, the following information necessary to guarantee data processing
fair and transparent
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this term;
b) the existence of the right to request the data controller access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation

of their treatment, or to oppose the treatment, as well as the right to portability
of the data
c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the

consent prior to its withdrawal;
d) the right to file a claim with a control authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not

provide such data;
f) the existence of automated decisions, including profiling, to which
referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, information
significant about the applied logic, as well as the importance and consequences
provisions of said treatment for the interested party.

3. When the person responsible for the treatment plans the subsequent processing of data
personal information for a purpose other than that for which it was collected, will provide the
data subject, prior to said further processing, information about that other purpose
and any additional information pertinent under section 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
that the interested party already has the information.”

Recitals 39 and 60 of the GDPR help to specify the scope of the right
of information that is given to the interested parties.

Recital 39 establishes: "All processing of personal data must be lawful and
loyal. It must be completely clear to natural persons that they are being collected,
using, consulting or otherwise processing personal data that
concerned, as well as the extent to which said data is or will be processed. The beginning

of transparency requires that all information and communication related to the treatment of
said data is easily accessible and easy to understand, and that language is used
simple and clear. This principle refers in particular to the information of the

interested parties on the identity of the person responsible for the treatment and the purposes of the treatment and
to the information added to guarantee a fair and transparent treatment with
regarding the natural persons affected and their right to obtain confirmation and
communication of personal data concerning them that are subject to
treatment. Natural persons must be aware of the risks,
rules, safeguards and rights relating to the processing of personal data,

as well as how to assert your rights in relation to the treatment. In
In particular, the specific purposes of the processing of personal data must be
explicit and legitimate, and must be determined at the time of collection. [...].”

Recital 60 clarifies that "The principles of fair and transparent treatment

require that the data subject be informed of the existence of the processing operation and
their ends. The data controller must provide the interested party with all
additional information is necessary to guarantee fair treatment and
transparent, taking into account the specific circumstances and context in which
process personal data. The interested party must also be informed of the existence
profiling and the consequences of profiling. If the data
are obtained from data subjects, they must also be informed whether they are
obliged to provide them and of the consequences in case they did not do so.”

In the present case, from the claim presented by the claiming party, it is inferred
that you were not informed of the way in which your personal data would be processed.

Likewise, it is verified that on the web page ***URL.1 there is at least one form
collection of personal data without containing any information related to the policy
applicable privacy


Article 83.5 of the GDPR under the heading "General conditions for the imposition of
administrative fines” provides:

Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of maximum EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the highest amount:
       b) the rights of the interested parties in accordance with articles 12 to 22;

In this regard, the LOPDGDD, in its article 71 "Infractions" establishes that
"The acts and behaviors referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law”.

For the purposes of the limitation period, article 72 of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that
a substantial violation of the articles mentioned therein and, in particular, the

h) The omission of the duty to inform the affected party about the processing of their data
personal in accordance with the provisions of articles 13 and 14 of Regulation (EU)
2016/679 and 12 of this organic law.”

For the purposes of deciding on the imposition of an administrative fine and its amount
considers that it is appropriate to graduate the sanction to be imposed according to the criteria that
establishes article 83.2 of the GDPR.

Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the
criteria established in section 2 of article 76 "Sanctions and corrective measures"
of the LOPDGDD.

The balance of the circumstances contemplated in article 83.2 of the GDPR and the
Article 76.2 of the LOPDGDD, with respect to the offense committed by violating the

established in article 13 of the GDPR, allows a penalty of €2,000 (two thousand

In accordance with the provisions of article 58.2 d) of the GDPR, according to which each

The supervisory authority may “order the person in charge or in charge of the treatment to
processing operations comply with the provisions of this
Regulation, where appropriate, in a certain way and within a time limit
It is indicated that, within 30 days from the receipt of this resolution, the

The claimed party must proceed to complete the privacy policy in the contracts
that are subscribed with clients, as well as in the web pages in which they are collected
personal information

The imposition of this measure is compatible with the sanction consisting of a fine
administration, according to the provisions of art. 83.2 of the GDPR.

It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of Article 13
of the GDPR, typified in Article 83.5 of the GDPR, a fine of 2000 euros (TWO THOUSAND

SECOND: TO ORDER B.B.B., with NIF ***NIF.1, in accordance with article 58.2.d) of the
GDPR, for a violation of article 13 of the GDPR typified in article 83.5.b) of the

aforementioned Regulation, which, within a period of 30 days computed from the present
resolution is enforceable, proceed to complete the privacy policy in the contracts
that are subscribed with clients, as well as in the web pages in which they are collected
personal data and to notify the AEPD of its compliance.

THIRD: NOTIFY this resolution to B.B.B..

FOURTH: Warn the sanctioned party that he must enforce the sanction imposed
Once this resolution is enforceable, in accordance with the provisions of Article
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period

voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 open in the name of the Agency
Spanish Data Protection Agency at the bank CAIXABANK, S.A.. In the event

Otherwise, it will proceed to its collection in the executive period.

Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if

between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly

contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the

referred Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [
web/], or through any of the other registries provided for in art. 16.4 of the

aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.

Mar Spain Marti
Director of the Spanish Data Protection Agency
