AEPD (Spain) - EXP202207270: Difference between revisions

From GDPRhub
(Added why the DPA dismissed the claim in the short summary)
 
(7 intermediate revisions by 4 users not shown)
Line 61: Line 61:
}}
}}


The Spanish DPA dismissed a complaint about alleged violations of [[Article 4 GDPR|Articles 4(1)]] and [[Article 19 GDPR|19 GDPR]] for publishing a photo of the data subject without consent for lack of evidence. It also held that if a controller erases or rectifies a personal data it must notfiy each affected data subject about it.
The Spanish DPA dismissed a complaint about alleged violations of [[Article 4 GDPR|Articles 4(1)]] and [[Article 19 GDPR|19 GDPR]] for publishing a photo of the data subject without consent due to lack of evidence.
== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The first controller, a website owner, published a photo of the data subject on its website without consent. In that photo, the data subject was sitting behind a glass door with coloured squares partially covering their face and body.
A construction company, the first controller, carried out work in the warehouse of the data subject. In order to show the results of its work, the first controller uploaded on its website photographs published on another ocmpany's, the second controller, website, which portrayed the construction site. In one of the photographs, the data subject was sitting behind a glass door with coloured squares partially covering their face and body. The photo was published by the first controller without the data subject's consent.  


Subsequently, the data subject requested access to their data from a company, Servicios e Intervenciones en Edificacion del Mediterraneo. However, since they did not receive a response, the data subject submitted a complaint to the Spanish DPA. The first controller claimed that the photography tried to show the result of the works of construction carried out in a building owned by the data subject. To do so, the company took the photos from another company’s website, Digiman Alicante S.A’, the second controller with its consent.
Subsequently, the data subject requested access to their data from the first controller. However, since they did not receive a response, the data subject submitted a complaint to the Spanish DPA. The first controller claimed that the photograph tried to show the result of the works of construction carried out in a building owned by the data subject. To do so, it re-used the photos from the second controller's website, with its consent. Accordingly, it was the second controller who should have asked the data subject for consent before further processing.  


The Spanish DPA started a sanctioning proceeding against the second controller. They claimed that the publication of that photo did not involve processing of personal data and that they had not authorised the use of that photography nor communicated any personal data belonging to the data subject to the first controller.
The Spanish DPA started a sanctioning proceeding against the second controller who claimed that the publication of that photo did not involve processing of personal data and that they had not authorised the use of that photograph nor communicated any personal data belonging to the data subject to the first controller.
=== Holding ===
=== Holding ===
First, the DPA recalled that [[Article 4 GDPR|Article 4(1) GDPR]] defines personal data as “any information relating to an identified or identifiable natural person”. According to this, the image of a person constitutes personal data because it allows to reflect distinctive and particular features, such as height or style, that help the association with a concrete individual. Moreover, a photo can inform about the age, gender or ethnicity, making the identification of a person easier.
First, the DPA recalled that according to [[Article 4 GDPR|Article 4(1) GDPR]] the image of a person constitutes personal data because it reflects distinctive features, such as height or style, that help the association with a concrete individual. Moreover, a photo can inform about the age, gender or ethnicity, making the identification of a person easier. The DPA referred to [[Article 4 GDPR|Article 4(2) GDPR]] which defines the concept of processing. Publishing a person's image on websites must be regarded as processing of personal data.


Second, the DPA referred to [[Article 4 GDPR|Article 4(2) GDPR]] which defines the concept of processing and the adding of someone’s image in websites, forums, publications must be regarded as processing of personal data.
Second, it was noted that the photograph did not portray the data subject entirely. With regards to this, national case law ([https://www.poderjudicial.es/cgpj/es/Poder-Judicial/Tribunal-Supremo/ Judgement of the Supreme Court of 12 July 2004, 1702/2000]) interpreted that a photo of someone whose face is not visible but could still be identified by their contour may lead to a breach of their fundamental right to privacy.


It was noted that the photography did not portray the person entirely. With regards to this, national case law interprets that a photo of someone whose face is not visible, could be identified by their contour even when that person is not a public figure. This may lead to a breach of their fundamental right to privacy.
Finally, since the photos were removed from the website as a result of another proceeding involving the controller, the Spanish DPA recalled [[article 19 GDPR|Article 19 GDPR]], which sets out the obligation to notify the rectification or erasure of personal data to each recipient to whom the personal data have been disclosed. In this case, the second controller had deleted the data in the course of the proceedings but did not inform the first controller, as a recipient of the photo, about the erasure.


Finally, since the photos were removed from the website as a result of another proceeding, the Spanish DPA alluded to [[article 19 GDPR|Article 19 GDPR]], the obligation to notify the rectification or erasure of personal data to each recipient to whom the personal data have been disclosed.
Having analysed the case, the Spanish DPA dismissed the complaint against the second controller as there was not enough evidence of the first controller communicating to the second controller the publication of the photographs on its website. However, the DPA noted ex officio that the second controller acted in violation of [[Article 19 GDPR]] by not informing the recipients that the photo had been deleted.
 
Having analysed the case, the Spanish DPA dismissed the complaint as there was not enough evidence of the communication of the photography or the authorisation of its publication, therefore, the obligation of notification of the erasure did not apply neither.  
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''

Latest revision as of 13:19, 13 December 2023

AEPD - PS-00360-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 19 GDPR
Type: Investigation
Outcome: No Violation Found
Started: 06.07.2022
Decided:
Published: 06.10.2022
Fine: n/a
Parties: Digiman Alicante S.L
National Case Number/Name: PS-00360-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA dismissed a complaint about alleged violations of Articles 4(1) and 19 GDPR for publishing a photo of the data subject without consent due to lack of evidence.

English Summary

Facts

A construction company, the first controller, carried out work in the warehouse of the data subject. In order to show the results of its work, the first controller uploaded on its website photographs published on another ocmpany's, the second controller, website, which portrayed the construction site. In one of the photographs, the data subject was sitting behind a glass door with coloured squares partially covering their face and body. The photo was published by the first controller without the data subject's consent.

Subsequently, the data subject requested access to their data from the first controller. However, since they did not receive a response, the data subject submitted a complaint to the Spanish DPA. The first controller claimed that the photograph tried to show the result of the works of construction carried out in a building owned by the data subject. To do so, it re-used the photos from the second controller's website, with its consent. Accordingly, it was the second controller who should have asked the data subject for consent before further processing.

The Spanish DPA started a sanctioning proceeding against the second controller who claimed that the publication of that photo did not involve processing of personal data and that they had not authorised the use of that photograph nor communicated any personal data belonging to the data subject to the first controller.

Holding

First, the DPA recalled that according to Article 4(1) GDPR the image of a person constitutes personal data because it reflects distinctive features, such as height or style, that help the association with a concrete individual. Moreover, a photo can inform about the age, gender or ethnicity, making the identification of a person easier. The DPA referred to Article 4(2) GDPR which defines the concept of processing. Publishing a person's image on websites must be regarded as processing of personal data.

Second, it was noted that the photograph did not portray the data subject entirely. With regards to this, national case law (Judgement of the Supreme Court of 12 July 2004, 1702/2000) interpreted that a photo of someone whose face is not visible but could still be identified by their contour may lead to a breach of their fundamental right to privacy.

Finally, since the photos were removed from the website as a result of another proceeding involving the controller, the Spanish DPA recalled Article 19 GDPR, which sets out the obligation to notify the rectification or erasure of personal data to each recipient to whom the personal data have been disclosed. In this case, the second controller had deleted the data in the course of the proceedings but did not inform the first controller, as a recipient of the photo, about the erasure.

Having analysed the case, the Spanish DPA dismissed the complaint against the second controller as there was not enough evidence of the first controller communicating to the second controller the publication of the photographs on its website. However, the DPA noted ex officio that the second controller acted in violation of Article 19 GDPR by not informing the recipients that the photo had been deleted.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                             1/8








     File No.: EXP202207270



               RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following

                                 BACKGROUND



FIRST: Don A.A.A. (hereinafter, the complaining party) dated June 9,
2022 filed a claim with the Spanish Data Protection Agency. the re-
The claim is directed against DIGIMAN ALICANTE, S.L. with NIF B53246906 (hereinafter

te, the party claimed).

The grounds on which the claim is based are as follows:

“I ATTACH THE RESOLUTION OF THE SPANISH PROTECTION AGENCY
OF DATA WHERE THE COMPANY SERVICES AND INTERVENTIONS IN BUILDINGS-

CION DEL MEDITERRÁNEO, S.L. CONFIRMS THAT DIGIMAN ALICANTE SL GAVE ITS
CONSENT FOR THE IMAGE TO BE PUBLISHED WITHOUT MY AUTHORIZATION.
I ALSO ATTACH THE STS_5073_2004 WHERE JURISPRUDENCE IS CREATED
ABOUT THE RECOGNITION OF A PERSON AND THEREFORE THEIR DATA
STAFF.

IT IS EVIDENT THAT ANY PERSON IN THE COMPANY AND ANY PERSON
SONA FROM MY ENVIRONMENT KNOWS WHO IS THE PERSON WHO APPEARS SITTING
ON A COUCH BEHIND VINYL-COVERED GLASS.”

SECOND: On April 8, 2022, the claimant filed a claim

against the company SERVICES AND INTERVENTIONS IN MEDICAL BUILDING
TERRANEO, S.L., because it had exercised the right of access as established in article
Article 15 of the EU Regulation 2016/679, General Data Protection (RGPD), by
the publication in his day of an image where he was recognizable and had not answered him-
do.


THIRD: When the previous claim was transferred to SERVICIOS E INTER-
VENCIONES EN EDIFICACION DEL MEDITERRANEO, S.L., alleged that it had
do construction works in a ship of the claimed party and in order to publish in
his web page images of the result of the work carried out, he took images of the page
website of the claimed party the photographs where they were seen, with the knowledge of

said company.

FOURTH: On July 6, 2022, the Director of the Spanish Agency for Pro-
Data Protection agreed to initiate sanctioning proceedings against the claimed party, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the

Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 19.1 of the LOPDGDD, typified in the
Article 83.5 of the RGPD.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/8








   FIFTH: Notification of the aforementioned start-up agreement in accordance with the rules established in
   Law 39/2015, of October 1, on the Common Administrative Procedure of the Administrations
   Public Administrations (hereinafter, LPACAP), the respondent filed a written

   pleadings in which, in summary, it stated the following:

          “This party understands that there is a basic error in the approach of the re-
   claim made by Mr. D. A.A.A., since:

          a) there is no processing of personal data of the claimant on the occasion of the

   publication of the photograph in question.

          b) my represented in no case authorized the use of the object photograph
   of this procedure, nor communicated any personal data of the claimant to the company
   dam SERVICES AND INTERVENTIONS IN BUILDING OF THE MEDITERRANEAN,

   SL
          (…)

          We must categorically deny that my client authorized SERVI-
   CIOS E INTERVENCIONES EN EDIFICACIÓN DEL MEDITERRÁNEO, S.L. uses it-
   tion of said photograph or any other of those published on the DIGITAL website.

   MAN ALICANTE, S.L.

          SERVICES AND INTERVENTIONS IN BUILDING OF THE MEDITERRANEAN,
   SL downloaded these photographs from the website of my client, without authorization from the latter.
   ta, obviously when the claimant had not yet asked my client for the

   removal of them.

          It should also be made clear that my client never sent any file
   to said merchant with the photograph object of this procedure (or any other
   other) or expressly communicated SERVICES AND INTERVENTIONS IN BUILDINGS

   CACIÓN DEL MEDITERRÁNEO, S.L. that he could use such a photograph (or any
   other)."

   He adds that the image does not identify the person.

   SIXTH: On August 1, 2022, the instructor of the procedure agreed to practice

   carry the following tests:

1. Consider reproduced for evidentiary purposes the claim filed by Mr. A.A.A.
   and its documentation, the documents obtained and generated during the administration phase
   sion to process the claim.


2. Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of
   start of the referenced sanctioning procedure, presented by DIGIMAN ALICAN-
   TE, S.L.

   SEVENTH: On August 1, 2022, a resolution proposal was formulated, pro-

   considering that the Director of the Spanish Data Protection Agency proceeded
   order the ARCHIVE of the procedure when not verifying the commission of infraction
   administrative action in the framework of data protection.

   C/ Jorge Juan, 6 www.aepd.es
   28001 – Madrid sedeagpd.gob.es 3/8









Notified of the proposed resolution on August 2, 2022, no reports have been received.
make allegations to it.


Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:

                                PROVEN FACTS


FIRST: SERVICES AND INTERVENTIONS IN MEDITERRANEAN BUILDING
NEO, S.L., carried out construction works on a warehouse of the claimed party and, in order to
to publish on its website images of the result of the work carried out, it took
images of the web page of the claimed party; Specifically, he used some photographs
where the result of the work could be seen, with the knowledge of said company. In a

of these photographs three people can be seen, one of them the claimed party
day, behind a glass door with colored squares glued on it.

SECOND: The entity SERVICES AND INTERVENTIONS IN BUILDING OF THE
MEDITERRANEO, S.L., has never claimed that it had the consent of the
party complained against for the publication of the photograph in which the complaining party appears

ce sitting behind glass with colored squares glued on it hiding part of her
face and body; nor that the claimed party had provided that image.

THIRD: The respondent denies that he authorized SERVICES AND INTERVENTION-
NES EN EDIFICACIÓN DEL MEDITERRÁNEO, S.L. the use of said photograph

nor of any other of those published on the website of DIGIMAN ALICANTE, S.L. Ana-
that he did not send any file to said company with the photograph object of this
procedure (or any other).

                           FOUNDATIONS OF LAW


                                            Yo
                                     Competition

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (Re-
General Data Protection Regulation, hereinafter RGPD), grants each authori-

control and as established in articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.


Likewise, article 63.2 of the LOPDGDD determines that: "The formal procedures
ted by the Spanish Agency for Data Protection will be governed by the provisions of
Regulation (EU) 2016/679, in this organic law, by the regulatory provisions
dictated in its development and, as long as they do not contradict them, with a sub-
sidiario, by the general rules on administrative procedures."


                                           II
                            The image as personal data


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/8








The image of a person, in accordance with article 4.1 of the RGPD, is personal data.
make it identifiable, and its protection, therefore, is the subject of said RGPD:


       “«personal data»: any information about an identified natural person or
identifiable ("the interested party"); An identifiable natural person shall be deemed to be any person
whose identity can be determined, directly or indirectly, in particular by
an identifier, such as a name, an identification number,
location, an online identifier or one or more elements of the identity
physical, physiological, genetic, psychic, economic, cultural or social of said person;”


The image is a personal and individual attribute of each physical person that is
defined by their height, complexion, way of sitting, dressing. Endowed with distinctive features
unique and singular elements that individualize it directly, associating it with an in-
concrete individual, being able to know, through it, the age, the sex, the color of the

skin, their way of being by the way they sit... which facilitates the identification of the in-
divide

For this reason, report 139/2017 of the Legal Office of this Agency states that "the
image, just as the voice of a person is a personal data, just as it will be any-
any information that allows to determine, directly or indirectly, their identity (...)”


Article 4.2 of the RGPD defines "treatment" as: "any operation or set
of operations carried out on personal data or sets of personal data,
whether by automated procedures or not, such as the collection, registration, organization
tion, structuring, conservation, adaptation or modification, extraction, consultation,

use, communication by transmission, diffusion or any other form of authorization
tion of access, collation or interconnection, limitation, suppression or destruction.”

The inclusion of the image of a person in web pages, forums, publications, which
identifies or makes a person identifiable, supposes a treatment of personal data-

them and, therefore, the person in charge of the treatment that carries out the same is obliged to
comply with the obligations that for the data controller are provided in the
RGPD and in the LOPDGDD.

                                            III
                            Right to data protection


This proceeding is initiated because the respondent party published, on its website
website the image of the complaining party, presumably authorizing the entity
SERVICES AND INTERVENTIONS IN BUILDING OF MEDITERRÁNEO, S.L., to
its use The image does not allow to see the person completely, but it is seen in

part. This, together with the fact that it appears linked to the embroidered part, where
lowered, which is additional information, make that person identifiable. All this,
constitutes a treatment of personal data of the complaining party.

Individuals have the power to dispose of their personal data, including

its image, as well as its dissemination, resulting, without a doubt, worthy of
protection of the person whose personal data is disseminated in violation of the legal
legal.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/8








Thus, the STC 292/2000, of November 30, provides that "the content of the fundamental right
fundamental to data protection consists of a power of disposition and social control
on the personal data that empowers the person to decide which of these data

provide to a third party, be it the State or an individual, or what this third party can
collect, and that also allows the individual to know who owns that personal data
and for what, being able to oppose that possession or use. These powers of disposal and
control over personal data, which constitute part of the content of the right
fundamental to data protection are legally specified in the power to con-
feel the collection, obtaining and access to personal data, its subsequent storage

storage and treatment, as well as its possible use or uses, by a third party, be it the Es-
ted or an individual. And that right to consent to knowledge and treatment, informed
matic or not, of personal data, requires as essential complements,
On the one hand, the ability to know at all times who has these personal data.
and to what use it is subjecting them, and, on the other hand, the power to oppose that possession

sion and uses”.

The Judgment of the Supreme Court, Civil Chamber, dated July 12, 2004, no.
resource number 1702/200, indicates the following in relation to the image:

       << The judgment under appeal bases its acquittal on not being identical

the plaintiff in the photograph can be confirmed, reasoning that <as observed in the reference
In the photograph, the "face" of the person who appears nude is not "visible"; of other
On the other hand, the "silhouette" does not offer special, singular, specific signs, which in the normal
coexistence and citizen public relations allow its attribution to a concrete and de-
finished person...


       In the present case, the conclusion to which
the Court of appeal arrives if the plaintiff in the aforementioned photograph is not identifiable,
so that the witnesses who testified in the instance, all of whom knew the
Mrs. Lina for several years, they identified the photograph as a reproduction of the fi-

figure of the same, being indifferent that the circle of acquaintances of that lady is
major or minor.

       Therefore, the estimation of the motive is imposed, with the consequence of having
as a proven fact that the photograph of the woman that appears in the published photograph
each on the cover of the June 28, 1998 issue reproduces the image of the de-

principal…

       Declared proven that the published photograph corresponds to the plaintiff
appellant and there is no controversy about the circumstance of having been all
med and published without the consent of the photograph, not being this public figure

public, such publication constituted an illegitimate interference in the right to one's own image.
gene, provided for in art. 7.5 of the Organic Law 1/1982, not concurring in the case none
Some of the circumstances of justification included in art. 8.2 of the Law itself. >>

                                            IV

           Obligation to communicate the deletion of data to other entities

The RGPD establishes an obligation related to the right of suppression in its ar-
article 19, which indicates the following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/8









       “Obligation of notification regarding the rectification or deletion of personal data
or the limitation of the treatment


       “The person responsible for the treatment will communicate any rectification or deletion
of personal data or limitation of the treatment carried out in accordance with article 16, to the
article 17, paragraph 1, and article 18 to each of the recipients to whom
have communicated the personal data, unless it is impossible or requires an effort
disproportionate. The person in charge will inform the interested party about said recipients.

rivers, if he so requests.”

In accordance with the evidence provided to the present procedure and those collected
tions of prior Rights procedures (deletion of images of the re-
claimed on the web pages of the claimed party), it has not been possible to prove that the

claimed party provided to SERVICES AND INTERVENTIONS IN BUILDING
DEL MEDITERRANEO, S.L., the images of the complaining party object of dispute
sia nor that he consented to its publication.

Given that it has not been proven that the defendant communicated the data of the party,
the claimant to the entity SERVICES AND INTERVENTIONS IN BUILDING OF THE

MEDITERRANEO, S.L., the infraction of what is established in the art-
article 19 of the RGPD.

                                           v
                                      conclusion


The principle of presumption of innocence prevents imputing an administrative offense
when proof of charge accrediting the criminals has not been obtained and verified.
facts that motivate the imputation or the intervention in them of the presumed infraction
thor. Applying the principle "in dubio pro reo" in case of doubt regarding a fact

concrete and determined, which obliges in any case to resolve said doubt in the most
favorable to the interested party.

The presumption of innocence must govern without exceptions in the sanctioning system.
and must be respected in the imposition of any sanctions, since the exerciser
ius puniendi in its various manifestations is conditioned to the game of

evidence and a contradictory procedure in which they can defend their own
positions. In this sense, the Constitutional Court in its Judgment 76/1990, of
26/04, considers that the right to the presumption of innocence entails: “that the sanction
tion is based on acts or means of proof of charge or incriminating the con-
reproached conduct; that the burden of proof corresponds to the one who accuses, without anyone

is obliged to prove his own innocence; and that any insufficiency in the result
of the tests carried out, freely assessed by the sanctioning body, must
translate into an acquittal pronouncement.”

The presumption of innocence governs without exceptions in the sanctioning system and has

to be respected in the imposition of any sanction, whether criminal or administrative
(TCo 13/1981), since the exercise of the sanctioning right in any of its manifestations
festivities is conditioned to the game of evidence and to a contradictory procedure
river in which their own positions can be defended. According to this principle, no

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/8








no sanction may be imposed by reason of the defendant's guilt if there is no
an activity to prove the charge, which, in the appreciation of the authorities or bodies

called to resolve, destroy this presumption (TCo Auto 3-12-81).

Based on the foregoing, it has not been proven that the respondent party provided the
images of the claimant party to the entity SERVICES AND INTERVENTIONS IN
BUILDING OF THE MEDITERRANEAN, S.L. The latter indicated that the party claimed

knew its use, but does not credit the means or the way in which it was done, reason
that is considered sufficient to propose the File of the present procedure, since
that by not accrediting that communication of the data of the complaining party, neither
There is an obligation of the party complained against to communicate its deletion.


Therefore, in accordance with the applicable legislation and after assessing the graduation criteria
tion of the sanctions whose existence has been proven,

The Director of the Spanish Data Protection Agency RESOLVES:


FIRST: ORDER the FILE of this procedure as there is no evidence
gives the commission of the administrative infraction object of claim.

SECOND: NOTIFY this resolution to DIGIMAN ALICANTE, S.L.


In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

resents may optionally file an appeal for reconsideration before the Director
of the Spanish Agency for Data Protection within a month from the date of
the day following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National High Court,
in accordance with the provisions of article 25 and section 5 of the additional provision

Final fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administrative, within a period of two months from the day following the notification
tion of this act, as provided for in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the firm resolution in administrative proceedings if the interested party
do states its intention to file a contentious-administrative appeal. If it is-
In this case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, presenting it through the Re-
Electronic registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or to

through any of the other registers provided for in art. 16.4 of the aforementioned Law
39/2015, of October 1. You must also transfer to the Agency the documentation
that proves the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious-administrative appeal
tive within two months from the day following the notification of this

resolution, would end the precautionary suspension.


                                                                                  938-120722
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/8










Sea Spain Marti

Director of the Spanish Data Protection Agency








































































C/ Jorge Juan, 6 www.aepd.es

28001 – Madrid sedeagpd.gob.es