AEPD (Spain) - EXP202305050
From GDPRhub
| AEPD - AEPD 00204-2023 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 58(1) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | 02.08.2023 |
| Fine: | 20,000 EUR |
| Parties: | QUALITY-PROVIDER S.A. |
| National Case Number/Name: | AEPD 00204-2023 |
| European Case Law Identifier: | n/a |
| Appeal: | Appealed - Confirmed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | João Pedro Teixeira |
The Spanish DPA imposed a fine of €20,000 on a data services company that refused to grant access to its premises for an on-site inspection, in breach of Article 58(1) GDPR.
English Summary
Facts
QUALITY-PROVIDER S.A, the controller, provides data services and processes personal data as part of its core activities. The Spanish DPA, prompted by a data subject's complaint, initiated proceedings to investigate alleged violations of the GDPR in relation to activities carried out through the controller's website. During the investigations, the DPA requested the controller to provide some information and documents relating to the investigated facts.
However, the controller refused to provide the information, claiming that the request did not include a copy of the data subject's national identity card, which prevented it from reliably identifying the person and the data concerned.
Then, the DPA decided to carry out an on-site inspection and informed the controller that its representatives should cooperate with the inspectors, facilitating access to the files.
Again, the controller refused to comply with the request, arguing that: a) the Spanish DPA was not competent for the inspection and was not a public body like the other European supervisory authorities; b) the Director of the Spanish DPA could not initiate the proceedings as the position had been extinguished by a decree; c) that Spain had not transposed Directive (EU) 2019/1937 on the protection of persons who report breaches of EU law and that this directive should have been applied directly. Moreover, the controller stated that it would record the inspection and expose the recording in court.
Holding
The DPA recalled that Article 51(1) GDPR stipulates that each Member State must establish one or more independent public authorities responsible for monitoring the application of the GDPR and that, in Spain, one of these authorities is the AEPD. Also, according to Article 58(2) GDPR and the provisions of the LOPDGDD, the Director of the Spanish DPA is competent to initiate and resolve this procedure.
As for the decree that extinguished the position of Director of the AEPD, the DPA clarified that the General Sub-Directorate for Data Inspection is the equivalent body in its organic structure and maintains its powers.
Finally, the DPA pointed out that the main objective of the Directive (EU) 2019/1937 was to guarantee that employees could denounce infringements in the context of work, which was not the case.
After rejecting all the aforementioned arguments, the DPA held that the controller ilegally prevented it staff from having access to the personal data, information, premises, equipment and means of processing, which was necessary for the exercise of its investigative powers.
Therefore, the DPA found a violation of Article 58(1) GDPR and issued a fine of €20,000 on the controller. When determining the ammount of the fine, the DPA took into account the degree of intentionality of the offence, as provided for by Article 83(2)(b) GDPR, and also the link between the company's activity and the processing of personal data, as provided for by Article 76(2)(b) GDPR.
Comment
The controller appealed the decision, but the appeal was dismissed by the DPA. In short, the DPA understood that the controller did not provide new facts or legal arguments that would allow the reconsiderarion of the decision. This decision can be found at: https://www.aepd.es/es/documento/reposicion-ps-00204-2023.pdf.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/18
File No.: EXP202305050
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: As a consequence of a claim filed with the Spanish Agency
of Data Protection against QUALITY-PROVIDER S.A. with NIF A87407243 (in
hereinafter, QUALITY) as the owner of the Inglobaly.com portal, appreciating signs of a
possible non-compliance with the provisions of Regulation (EU) 2016/679 (Regulation
General of Data Protection, hereinafter RGPD), proceedings were initiated with
file number EXP202213771.
In accordance with the provisions of article 65 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights
(LOPDGDD hereinafter), the claim was transferred to the person in charge or to the Delegate
of Data Protection that in his case has been designated, requesting him to send
to this Agency the information and documentation indicated.
In response to this request for information, QUALITY, by registered writing of
entry dated January 3, 2023 and registration number
REGAGE23e00000616695, states that she is unable to provide the
information related to file EXP202213771 since the complaining party does not
provide a photocopy of the national identity document for the purposes of power
identify it, which prevents them from knowing and reliably identifying which person
physics it is about and, therefore, know what data it is about.
On February 21, 2023, the claim was admitted for processing, having
Three months have elapsed since it entered this Agency.
SECOND: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
matter, by virtue of the investigative powers granted to the authorities of
control in article 57.1 of Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter GDPR), and in accordance with the provisions of the
Title VII, Chapter I, Second Section, of the aforementioned LOPDGDD.
Within the framework of the investigation actions, QUALITY was informed that
Inspectors from the Spanish Data Protection Agency would appear at its headquarters
dated March 27 to carry out an inspection visit, considering
the presence of representatives of the entity is essential, in order to
collaborate in the inspection, as well as facilitate access to their files. Bliss
The communication was registered on March 15, 2023.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/18
THIRD: The communication of the inspection visit, which was notified in accordance with the
norms established in Law 39/2015, of October 1, on the Procedure
Common Administrative Office of Public Administrations (hereinafter, LPACAP), was
collected by QUALITY on March 15, 2023, as stated in the acknowledgment of
receipt that works in the file.
FOURTH: QUALITY, by registered writing of entry dated March 22,
2023 and with registration number REGAGE23e00018591646, informs that the
The administrator of the company is subject to the right not to declare and that both he and the
Legal Department of the company, will attend the call on March 27
of 2023 at 10 a.m., at its registered office at Calle Goya 18 and that they will not allow the
entrance to the residence of the inspectors of this Agency.
This refusal is based on Royal Decree 389/2021, of June 1, which
approves the Statute of the Spanish Data Protection Agency (hereinafter RD
389/2021), specifically in the sole additional provision that suppresses the
following governing bodies:
a) The director of the Spanish Data Protection Agency.
b) The General Data Protection Registry.
c) Data Inspection.
As well as in the Sole Repealing Provision and the Sole Final Provision by which
Royal Decree 428/1993, of March 26, which approves the
Statute of the Spanish Agency for Data Protection and its entry into
vigor.
It argues that the preamble to RD 389/2021 establishes that the AEPD will have
its own legal personality and full public and private capacity and that, observing the
homonyms of the rest of the European Organizations, all are defined as public entities
only, for which reason this Agency is classified as a semi-public-private company,
affirming that there is no legal or private security.
In the same way, it affirms that the Government and this Agency have not proceeded to transpose
Directive (EU) 2019/1937 of the European Parliament and of the Council of October 23
of 2019 on the protection of persons who report violations of the
Law of the Union, which is directly applicable and prevails over any Law and
Royal National Decree.
Likewise, they request the identification and accreditation of the inspectors with their names,
surnames and supporting National Identity Documents as a condition for
that they be attended, in order to be able to challenge them and take measures against them, in
case of lack of respect and education.
It also accuses this Agency of systematically breaking the Law.
Finally, it warns that this Agency is not going to access any data and they are not going to
provide any information. It also informs that all collaboration
exhibited in court and warns in advance that the access of
inspectors to the company's registered office and they will be recorded.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/18
FIFTH: QUALITY is the owner of the Inglobaly.com portal, through which it carries out
personal data processing activities.
SIXTH: According to the report collected from the AXESOR tool, the entity
QUALITY-PROVIDER S.A. is an SME (Microenterprise), established in 2015,
and with a business volume of 558,381 euros in the year 2021.
SEVENTH: On May 24, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanction proceedings against QUALITY, in accordance with
to the provisions of articles 63 and 64 of Law 39/2015, of October 1, of
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged infringement of Article 58.1 of the GDPR, typified in the
Article 83.5 of the GDPR Regulation (EU) 2016/679 (General Regulation of
Data Protection, hereinafter GDPR).
EIGHTH: The aforementioned initiation agreement was collected by QUALITY on May 26
of 2023, as stated in the acknowledgment of receipt that is in the file.
NINTH: Dated June 6, 2023 and entry registration number
REGAGE23e00036059423, QUALITY presents a written statement of allegations to the
start. As a preliminary allegation, it states that there is an inadequacy of the
procedure initiated by the Spanish Data Protection Agency for the
processing of this file. Remember that, on December 17, 2019,
Directive (EU) 2019/1937, of the European Parliament and of the Council, entered into force
October 23, 2019, regarding the protection of people who report on
infringements of Union Law and that it recognizes
explicit and positive about what Union Law is.
It also points out that said Directive directly modifies Directive 2002/58/EC
of the European Parliament and of the Council, of July 12, 2002, regarding the treatment
of personal data and the protection of privacy in the information sector
electronic communications and the GDPR and delimits the scope of competences related to
to Union Law, establishing as the Union's own sovereignty the scope of
personal data and, therefore, the GDPR, establishing a procedure
different and distinct from the one initiated by this Agency.
It goes on to state that the most significant implications of this Directive are
which, first of all, creates a system of conflict resolution and simplification
different administrative; and, secondly, its entry into force makes obsolete the
LOPDGDD, which should have been adapted from the moment it entered into
Directive (EU) 2019/1937 is in force. This means that any procedure relating to
data protection must be carried out in accordance with the procedure imposed
by said Directive and, therefore, through ASPERTIC/VIADENUNCIA, which in January
of 2020 notified the European Commission that it would constitute a mailbox for complaints
external for the purposes of the Directive.
It affirms in the same way that the provision made by the Directive, regarding the
integration of the matter of data protection in the field of competences of the
national authority of the Law of the Union, also comes to empty of competence to
state agencies and institutions, such as the Spanish Agency for the Protection of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/18
Data, for the purpose that said faculties become part, total or
partially, from the scope of competences of the national institution or authority
competent, as designated by the Union in its Directive (EU) 2019/1937, which must
carry out and perform the functions provided for in the aforementioned Directive.
Lastly, it reports that QUALITY has adapted to said Directive and considers that there is
an inadequacy of the procedure initiated, as well as a manifest incompetence
of the Spanish Data Protection Agency for the processing of this
procedure, for which he requests that he declare himself incompetent and withdraw from his
processing.
As the first and only allegation, he declares that he does not have anyone's personal data, that
Up to now, the AEPD has not been able to demonstrate the data or files that
belong to QUALITY and who persists in something that he has not been able to demonstrate,
being demonstrated its lack of legal rigor and transparency.
Next, QUALITY asserts that the Director of the Spanish Agency for
Data Protection signs the Agreement to initiate this file illegally
and irregular since his position, already expired, disappears irreversibly with the
Royal Decree 389/2021, of June 1, which approves the Statute of the AEPD,
have been appointed in 2015, have a term of 5 years and have not been
revoked from his position or re-elected, exercising his position in fraud of the Law.
above, concludes that the Director cannot sign any requirement, agreement or
sanction until the appointment of a successor and not having rectified the Real
Decree leaves this Agency unfit.
With respect to the obstruction of the inspection activity, QUALITY maintains that said
obstruction has not existed because section c) of the aforementioned Royal Decree
389/2021, of June 1, suppresses the Data Inspection. In addition, it affirms that the AEPD
is persecuting them and they want to prepare non-existent tests through the
illegality.
They allege that on March 27, the inspectors did not appear because they knew that
would be recorded and their alleged continued infractions would be demonstrated and the
outrages committed up to now by this Organism.
QUALITY exposes that, despite having previously warned that they would not be at
our disposition that day, dated March 15, 2023, two
inspectors of the Spanish Agency for Data Protection at its headquarters for the purpose
to carry out an inspection.
As for March 27, 2023, they continue, no inspector from this Agency
appeared at its registered office, after warning that both the Administrator of
the company as well as its Legal Department would attend the call and not
would allow Agency inspectors to enter the home. re-insure
that this failure to appear was due to fear of being recorded and knowing what they would commit
an offense or offence. In addition, they reiterate that they do not own files or data
therefore it would be impossible to collaborate with this Agency, that this Agency is not
competent to carry out any inspection because its functions are suppressed and that
there have been no tests related to previous complainants who have been
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/18
refused to identify themselves before QUALITY, as well as that they have not read written
and for this reason, this Agency has not been able to contradict them in their allegations and
evidence.
Finally, QUALITY states that, according to the LPACAP, the resolution has been
communicated outside the period of six months allowed by said rule and appointment
various articles of this, to conclude by requesting that the previous allegation be upheld
and, secondarily, in case of being rejected, proceed to file the file
sanctioning.
TENTH: On June 16, 2023, a resolution proposal was formulated, in the
that it was proposed that the Director of this Agency sanction QUALITY for
an infringement of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, with
a fine of €20,000.00. This proposed resolution was notified
reliably to the claimed party.
ELEVENTH: Dated June 28, 2023 and entry registration number
REGAGE23e00042424332, QUALITY presents a brief of allegations to the Proposal
resolution. As a previous allegation, it is ratified in all manifestations
set forth in previous writings.
Regarding the response of this Agency referring to the statement of QUALITY that
Director's position has expired, QUALITY says it has been unable to find
SAN 5570/2022, of December 9, 2022 within the CENDOJ. Besides,
QUALITY reproduces the sole article and the sole repealing provision of the Royal
Decree 389/2021, of June 1, which approves the Statute of the AEPD, as well as
as sections 1, 2 and 3 of article 3 of the Statute of the AEPD. With this
argues that, in order for this Agency to continue exercising its functions,
First, an acting president had to have been appointed or else
power was extended to the Director, whose position, they reiterate, was abolished.
Additionally, QUALITY reproduces article 38 of the AEPD Statute on
incompatibilities of the staff of the Spanish Data Protection Agency and says
have evidence and data. It also reproduces article 53 of the GDPR, on conditions
applicable to the members of the supervisory authority, after which it says that
"It is curious that Doña Mar España Martí was irregularly appointed by the
government in your case, we are in the case, that the Supreme Court and the Union
Union, specifically, the European Committee itself, have not allowed the
appointment as they did with you, of the new president for being incorrect and
irregular".
Likewise, QUALITY indicates that Organic Law 15/1999, of December 13 is
repealed in all its articles by the RGPD and the LOPDGDD. QUALITY returns to
insist that the charges have been dropped, as well as the Data Inspectorate,
arguing that, consequently, the entire new statute of the AEPD depends on the
new President to be appointed, but the position of Director has been abolished.
On the other hand, QUALITY points out that in Fundamental II we tell them that the
procedure will have a maximum duration of twelve months from the date of
Commencement agreement while in the file with number EXP202300740
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/18
We inform you that this procedure will have a maximum duration of nine months.
from the date of your Initiation Agreement. QUALITY argues that, due to
existing inconsistencies, believes it is better to be guided by the LPACAP, Law 40/2015, of 1
October, of the Legal Regime of the Public Sector and its development provisions,
without prejudice to the specialties of the disciplinary procedure, of which QUALITY
deduces that the procedure will expire after six months from its initiation
without notification of the resolution.
QUALITY also reproduces article 42 of the LOPDGDD that develops the
cases subject to prior authorization from the data protection authorities,
in which, in its first section, it establishes the procedure related to transfers
international for a maximum duration of six months. It also reproduces the
articles 48, on the Presidency of the Spanish Data Protection Agency, and
75, on interruption of the prescription of the infraction, of the aforementioned LOPDGDD.
Furthermore, QUALITY asserts that, during these proceedings, it has reiterated
on various occasions that it does not have personal data from anyone and that this Agency does not
has been able to demonstrate up to now which data or files belong to it, leaving
thus demonstrated its lack of legal rigor and transparency.
Regarding the signature of the Director of this Agency, QUALITY insists that her position
disappears irreversibly with Royal Decree 389/2021, of June 1, by the
that the Statute of the AEPD is approved. He affirms that his position, which lasts
determined of five years, has expired, therefore, the license must be revoked.
position and later re-elected, but that none of this has occurred. The date of
termination is on July 24, 2020 and, since there have been no
re-election or publication in the BOE, they add, is exercising his position in fraud of
Law. Consequently, they conclude, he cannot sign any requirement or sanction
some.
Along these lines, QUALITY adds that, in order to continue exercising his position, the
Government, should have been modified in a subsequent Royal Decree, which has not
carried out, the extension of the position of Mar España Martí, and it has not been published
said extension of the charge, therefore, understands QUALITY that it is still valid
with all its consequences Royal Decree 389/2021, of June 1.
It goes on to point out that said Royal Decree 389/2021, of June 1, annuls the
position of Director and therefore, it has expired and its signature lacks legitimate value, not
The Director may sign sanctions and agreements for having been removed from office,
there being an alleged fraud of law, by not being able to sign documents until the
appointment of a successor, leaving this body incapable and affirming that it is a
proven fact that has not been discussed by the AEPD, nor questioned, making a
erroneous interpretation of the new statute of the AEPD.
It also argues that the ECHR condemns Spain and makes it ugly for the "unjustified and
prolonged breach of the law" for not renewing the CGPJ and QUALITY maintains that
“The European Court of Human Rights affirms that the consequences derived
of the dysfunction in the renewal of the General Council of the Judiciary are enormous
with regard to the ordinary functioning of the judiciary and that there is a
chain of disturbances throughout the judicial system.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/18
It uses the same way as SAN 5570/2022, of December 9, 2022 cited in
the Proposal for a resolution of this disciplinary procedure, "demonstrates the
erroneous application and interpretation of the Judge who dictates it" because, as he affirms, it is a
"judgment caught with tweezers" and suffers from "lack of legal argumentation" that is not
may apply in this proceeding because it lacks effective judicial protection.
Thus, it concludes that "the charges expired and suppressed in the Royal Decree
389/2021, of June 1, cannot be in force until the new one is elected.
President of the AEPD, if they are not re-elected and said communication is published in the
BOE, a fact that has not been carried out by the government. Before this sentence
that is of direct application, an interim president must be appointed until the new
definitive appointment, therefore, Doña Mar España Martí must cease in her
functions immediately and present his resignation”.
Regarding the obstruction of the inspection performance, QUALITY denies said
obstruction because it affirms that there is no inspection action, that the AEPD
persecuted and they want to prepare non-existent evidence through illegality,
insisting that the inspectors of this Agency did not appear on the 27th of
March, because they are not authorized and because they knew they would be recorded and
demonstrate their alleged continued infractions and the infraction/crime that
they would commit They also point out that they do not own files or data, so
that it is impossible for them to collaborate with this Organism.
They continue their allegations pointing out the lack of motivation in the assessment of the
sanction. Thus, QUALITY considers that the application of Article 83.2.b) of the GDPR,
on the intentionality or negligence in the infringement, lacks substantiation
legal since negligence is not demonstrated nor what was the
intentionality on the part of QUALITY when attending the meeting on March 27.
Below, QUALITY reproduces article 53.1.c) and g) of the LPACAP, relating to
the rights not to present original documents and to act assisted by an advisor
when they deem it convenient in defense of their interests, and insists that they only
defend their rights and interests and that this Agency is not entitled to
perform any data inspection since its functions are suppressed.
Regarding the duration of the procedures, QUALITY once again refers to the
LPACAP, specifically article 21, which determines the obligation to issue
express resolution and notify it within the maximum term set by the regulation governing the
corresponding procedure, a term that may not exceed six months unless
a norm with the rank of Law establishes a higher one or so is provided for in the Law
of the European Union.
QUALITY also alleges a lack of motivation on the part of this Agency. So, name the
article 35 and reproduces article 87, on complementary actions, of the LPACAP, and
requests the corresponding complementary actions, because, according to what he says, "it is not
proceeded by said Agency, for all this, this part is in a
lack of protection of rights, committed by the instructor of the case. All this leads to
nullity and filing of actions, therefore, you have to proceed to File
of the Present Sanctioning Procedure.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/18
QUALITY reproduces article 63.3. of the LPACAP, according to which it will not be possible to initiate
new procedures of a sanctioning nature for acts or conduct classified as
as offenses in which the offender persists continuously, as long as
there has not been a first sanctioning resolution, with an executive nature.
It also reproduces Article 74 of the LPACAP, according to which matters
incidental that arise in the procedure, including those that refer to the
nullity of actions, will not suspend the processing of this, except for the challenge.
QUALITY says that the AEPD Inspectors, by not showing up or being able to
identify them on March 27, they deprived him of the reason for recusing them or
well to one of them. Therefore, it concludes, there was a violation of rights
fundamental.
Next, it reproduces article 47.1.a), e) and g), according to which they are null and void
right the acts of the Public Administrations that harm the rights and
liberties susceptible to constitutional protection, the dictates disregarding totally and
absolutely of the legally established procedure or of the norms that
contain the essential rules for the formation of the will of the organs
collegiate and any other that is expressly established in a provision with
law rank.
In this regard, QUALITY points out that "This part adds the constant persecution for the
AEPD against QUALITY, have not shown that it is the owner of any file, it is
initiate procedures for the protection of rights for requesting the accreditation of whoever
performs said acts, following the instructions of the European Regulation of
Data Protection and this Agency unjustifiably dedicates itself to skipping the
Law and apply the Laws according to their interests.”
QUALITY then reproduces article 48.3 of the LPACAP, according to which the
performance of administrative actions outside the time established for them only
will imply the annulment of the act when so imposed by the nature of the term or
term, as well as article 86 of the GDPR.
Finally, QUALITY points out that the CJUE 02/25/2021 condemns Spain to pay 15
million for failing to transpose a directive on time. Upon expiration of the period set in the
reasoned opinion of the Commission, he continues, Spain had not adopted the measures
necessary to guarantee the transposition of the directive nor communicated said
measures.
For all of the above, QUALITY requests that this file be archived
disciplinary action and that they be notified of said file in its entirety.
TWELFTH: Dated July 10, 2023 and entry registration number
REGAGE23e00046234948, QUALITY, upon receipt of the requested copy of this
file, presents a new brief of allegations to the Proposed resolution of the
this file in which, first of all, everything stated in its
previous registered writing of entry in this Agency on June 28, 2023.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/18
Secondly, QUALITY insists that the Director must present
immediate resignation and dismissal, referring again to the sentence of the ECtHR to Spain
in the face of the "unjustified and prolonged breach of the law" for not renewing the CGPJ,
which, according to QUALITY, ratifies his argument and produces a lack of judicial protection
effective.
Thirdly, QUALITY claims to be surprised that the name of the company now appears
claimant and accuses this Agency of attempting, fraudulently, "in a case that
we are discussing obstruction of the inspection performance (deleted),
introduce the case of this Lady, as an excuse”. Therefore, it requests that,
automatically and ex officio, "said Lady be removed" from this procedure.
Once again, QUALITY demands that all files be canceled
sanctions or in progress by this Agency against him, when meeting,
reiterates, signed by a director whose position is suspended by Royal Decree
389/2021, of June 1, which approves the Statute of the AEPD.
Fourthly, QUALITY refers to news related to the sanction imposed
by this Agency to CaixaBank for providing a mother, who did not identify herself, data on
your daughter's account. He considers it contradictory that CaixaBank is sanctioned for not
request the accreditation of the DNI and they themselves do it, appreciating that the sanction
between the two cases is not proportional.
Finally, QUALITY requests that this file be filed
disciplinary action, proceed immediately and ex officio to the suspension of all
open and penalizing procedures by this Agency, for lacking, it says, signature
authorized by the Director, having her position suppressed and expired.
In view of all the proceedings, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts:
PROVEN FACTS
FIRST: The communication to QUALITY of the inspection visit by
Inspectors from the Spanish Data Protection Agency to its registered office, to which
we refer to in the second and third precedents, was notified in accordance with the
provided in the LPACAP on March 15, 2023.
SECOND: On March 22, 2023, QUALITY communicates in writing that it does not
will allow the inspectors of this Agency to enter, expressing their refusal to allow
this Agency to access any data and to provide any information.
THIRD: Notification of the agreement to start this procedure
sanction was collected by QUALITY on May 26, 2023.
FOURTH: QUALITY has submitted allegations to the agreement to initiate this
disciplinary procedure included in the ninth antecedent.
FIFTH: Notification of the proposed resolution of this procedure
sanction was collected by QUALITY on June 16, 2023.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/18
SIXTH: QUALITY has submitted allegations to the proposed resolution of this
sanctioning procedure collected in the eleventh and twelfth records.
FUNDAMENTALS OF LAW
Yo
Competence
In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
The Director of the Agency is competent to initiate and resolve this procedure
Spanish Data Protection.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."
II
Arguments to the initiation agreement
In response to the allegations presented by QUALITY, it should be noted that
following.
In the first place, regarding the so-called prior allegation by QUALITY, related
with Directive (EU) 2019/1937, it should be noted that article 1 thereof states
which aims to strengthen the application of Union law and policies in
specific areas by establishing common minimum standards that
provide a high level of protection for persons reporting on
infringements of Union Law, the scope of personal application being the
collected in its article 4 where it is limited to complainants who work in the
private or public sector and who have obtained information about violations in a
job context.
Likewise, in its article 17 it is stated that all processing of personal data
carried out in application of this Directive, including the exchange or transmission
of personal data by the competent authorities, will be carried out in accordance with
Regulation (EU) 2016/679 and Directive (EU) 2016/680.
Thus, the main objective of this Directive is to protect those who denounce
infractions or irregularities in a company through a specific channel without
there are reprisals.
For its part, the first paragraph of article 1 of the GDPR states that the Regulation
establishes the rules relating to the protection of natural persons in what
regarding the processing of personal data and the rules relating to the free
circulation of such data. It adds its second section that protects the rights and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/18
fundamental freedoms of natural persons and, in particular, their right to
Protection of personal data.
With regard to the material scope of the GDPR, it is limited to the
stipulated in its article 2 where it is specified in its first section that it is of
application to the totally or partially automated processing of personal data, as well
as well as the non-automated processing of personal data contained or intended for
be included in a file.
Furthermore, article 51.1 of the GDPR stipulates that each Member State
establish that it is the responsibility of one or more public authorities
(hereinafter "control authority") supervise the application of the
this Regulation, in order to protect the rights and freedoms
rights of natural persons with regard to processing and to facilitate the
free circulation of personal data in the Union, developing the functions of each
control authority in its article 57.
For its part, the LOPDGDD in its article 47 establishes the functions and powers of
the Spanish Agency for Data Protection, among which is to supervise the
application of the GDPR and Title VIII regulates the procedures in case of
Possible violation of data protection regulations.
Therefore, Directive (EU) 2019/1937, contrary to what was stated by QUALITY, does not
modifies the GDPR or makes the LOPDGDD obsolete, but rather it is a rule with
an object and scope of application clearly different from that of the GDPR and, therefore, from the
LOPDGDD. Thus, what was alleged by QUALITY regarding the inadequacy of the
procedure initiated by the Spanish Data Protection Agency for the
processing of this file, is completely without foundation.
Next, it indicates as the first and only allegation that it does not have personal data
from anyone, accusing the AEPD of a lack of legal rigor and transparency. In this regard,
points out that the alleged infraction for which this disciplinary procedure is initiated
It is not related to the legitimacy of the possible treatments that you can carry out,
but with the hindrance so that this Agency can exercise the powers of
investigation recognized by article 58.1 of the GDPR and 53.1 of the LOPDGDD, as
It is developed in the motivation of the initiation agreement. On the other hand, the activity of
QUALITY's processing of personal data is accredited in resolutions
signatures of this Agency, such as the sanction procedure EXP202103457.
The following argument used by QUALITY focuses on the expiration of the charge of
the Director of the Spanish Data Protection Agency. Well, the SAN
5570/2022, of December 9, 2022, already extensively analyzes this matter,
ruled the following:
"Exposed the positions of the parties, we must start from article 53, section 3, of the
GDPR, insofar as it indicates that the members of the control authority "will consider
terminated their functions in case of termination of the mandate, resignation or retirement
compulsory, in accordance with the law of the Member State concerned".
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/18
In the internal sphere, article 36.1 of Organic Law 15/1999, of December 13
(LOPD), which is the legislation in force when the appointment of the
Director of the AEPD, establishes that the Director of the AEPD will be appointed by
Royal Decree, for a period of four years and section 3 of the same precept,
indicates that before the expiration of said period, the Director of the AEPD will only cease,
at their own request or by separation agreed by the Government for serious non-compliance
obligations, supervening incapacity for the exercise of his function,
incompatibility or conviction for an intentional crime.
In other words, after that 4-year term has elapsed, the Government can dismiss the Director without
necessity of cause, but this does not imply that when that term expires his position
automatically ceases to be effective and to have any functions or competence,
since that does not expressly result from the aforementioned LOPD, nor from the Organic Law
3/2018. of December 5 (LOPDCDD), in its art. 48 regarding the Presidency of the
AEPD.
This has been understood and has been done by all the governments that proceed to cease
expressly to the Directors of the AEPD by Royal Decree, even when their
term of appointment had expired, without their positions ceasing to have
effectiveness, in office, until their respective terminations and contemporaneous appointments
of his successors in office, to avoid gaps in the institution.
This obeys the principles of responsibility and continuity of the institutions,
to prevent the institution from being rendered inoperative when the
Appointment of a new person.
The legislator could have expressly established the automatic forecast of
decay of the position, that is, that the effectiveness in the position ceases in the same
time of compliance with the deadline, but it has not done so either in the LOPD or in the
current LOPDGDD, nor in RD 389/2021, of June 1, 2021, by which
the new Statute of the AEPD is approved, which precisely in article 12.3
establishes "the incumbent person of the outgoing Presidency will continue in office until
the inauguration of the new person holding the Presidency", without establishing
any limitation regarding the exercise of their functions or powers during the
period in office, which was not established in the previous regulations either.
Therefore, not having established limitations to the performance of the Director of the
AEPD in office, unlike what, by way of example, happens in the article
21.2 of Law 50/1997, of November 27, of the Government, which establishes that the
Government "continues in office until the inauguration of the new Government, with
the limitations established in this Law", the Director of the AEPD holds
competence to issue the contested resolution, as well as the agreement to initiate the
sanctioning procedure.
Thus, the condition under which the Director
of the AEPD issued the appealed act.”
Regarding the fact that the obstruction to the inspection work of this Agency does not exist due to
that Royal Decree 389/2021, of June 1, suppresses the Data Inspection, forgets
QUALITY that, although the Data Inspectorate as a governing body is suppressed,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/18
instead, the General Subdirectorate of Data Inspection is the equivalent body
in the organic structure of this Agency, defined in article 27 of said Royal
I decree its powers and functions, and therefore, this Sub-directorate maintains
their powers are in force as stated in said article.
Regarding the inspection that was attempted on March 15, 2023,
Proceedings appear in file EXP202213771 indicating that QUALITY
was notified of the inspection on March 8 at 11:44 a.m. by phone call
telephone number ***TELEPHONE.1, without recording any call or email to
cancel it. Having appeared on said date at the registered office of
QUALITY and informing the people present that the place where the
Inspectors rents offices for events to different companies, including
finds QUALITY, given the refusal to provide any type of information, the
Acting inspectors leave the premises.
On March 15, 2023, a letter was sent to QUALITY indicating that on the 27th
March 2023, inspectors from this Agency will appear in order to
carry out an inspection visit. QUALITY, by registered writing of entry with
dated March 22, 2023 communicates that they will not allow the entry to the home of the
inspectors from this Agency will not provide any information. under his
refusal to inspect, the inspectors did not go to the headquarters.
Finally, regarding QUALITY's assertion that the resolution has been
communicated outside the period allowed by the Law, it is noted that, on May 24,
of 2023 it was agreed by the Director of the Spanish Data Protection Agency on
commenced this disciplinary procedure, where it was reported that the
procedure will have a maximum duration of twelve months from the date of
said Agreement, in accordance with the provisions of article 64 of the LOPDGDD. By
Therefore, no resolution has yet been rendered, and the term that prevails by the principle of
normative specialty is the one indicated in the aforementioned Initiation Agreement.
II
Allegations to the Resolution Proposal
In response to the allegations to the resolution proposal of this file
presented by QUALITY, the following should be noted.
In the first place, regarding the so-called prior allegation by QUALITY, in which it
ratifies all the statements set forth in previous writings, it should be noted
that a large part of the allegations presented against the proposed resolution of
this file, reproduce the same arguments used against the agreement of
beginning and, therefore, have already been refuted by this Agency in the previous Foundation
of Law.
Regarding QUALITY's claim that it has been unable to find the SAN
5570/2022, of December 9, 2022, within the CENDOJ, we include the following
link where you can access its publication in CENDOJ:
https://www.poderjudicial.es/search/AN/openDocument/
2f1d10beac9183daa0a8778d75e36f0d/20221229
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/18
On the other hand, regarding the supposed inconsistency that QUALITY points out when
This Agency indicated that this procedure has a maximum duration of
twelve months from the date of the initiation agreement, while in the
file with number EXP202300740 we inform you that its maximum duration
was nine months, it is clarified that article 64 of the LOPDGDD has been modified
by final provision 9.4 of Law 11/2023, of May 8, entering said
modification in force as of May 10, 2023. Therefore, from that date the
maximum duration of the disciplinary procedure has become from twelve months to
count from the date of the initiation agreement. Since the date of the start agreement
was May 24, 2023, the maximum duration of this file, as stated
reported, is 12 months.
Regarding the statement of QUALITY regarding the lack of motivation in the
assessment of the sanction to apply article 83.2.b) of the GDPR, on the
intentionality or negligence in the infringement, QUALITY itself communicated in writing
that he was subject to the right not to declare and that he would not allow entry to the home of
the inspectors of this Agency. QUALITY accepts its rights not to present
original documents and to act assisted by an advisor, according to article 53.1.c) and g) of the
LPACAP, however, these rights do not conflict with the powers of
this Agency, in particular to carry out inspections, require the exhibition or the sending of
the necessary documents and data, examine them in the place where they are located
deposited or where the treatments are carried out and obtain a copy of them,
in accordance with the provisions of article 53.1 of the LOPDGDD.
Regarding the mention made by QUALITY of article 63.3 of the LPACAP, it is worth
point out that the present disciplinary procedure has its origin in the obstruction
of the inspection activity of this Agency carried out within the framework of the file
number EXP202213771, therefore, it has not been initiated by facts or conduct
classified as offenses in whose commission the offender persists
continued.
With respect to what was indicated by QUALITY that when the inspectors of this
Agency nor being able to identify them on March 27, he was deprived of the reason for recusal,
it becomes clear that it was the refusal to inspect QUALITY, communicated
in writing, which caused the inspectors not to go to their headquarters as was
provided. In addition, the mere identification of the inspectors does not lead to their recusal,
which would only take place, where appropriate, in accordance with the provisions of articles 23 and
24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP).
QUALITY also requests that the name of the claimant disappear in the current
procedure, so it is clarified that the claimant of the file
EXP202213771 is not a participant in this proceeding, stating his
name only in the request for information that this Agency notified to
QUALITY and that was incorporated into this proceeding for evidentiary purposes, as
was stated in the Commencement Agreement.
Lastly, regarding QUALITY's allusion to the sanction of this Agency against
CaixaBank for providing a mother, who did not identify herself, with her daughter's account details,
it is pointed out again that the infringement that is the basis of this disciplinary procedure
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/18
It is not related to the legitimacy of the possible treatments that you can carry out,
therefore, its purpose is not to determine the need for QUALITY to request the
accreditation of the identity of third parties or the way, where appropriate, to do so, but rather
it is limited to the obstruction of the inspection activities of this Agency.
IV.
breached obligation
In accordance with the available evidence, it is considered that QUALITY
prevents the staff of the Spanish Data Protection Agency from accessing the
personal data, information, premises, equipment and means of treatment that are
required for the exercise of their investigative powers.
With the indicated conduct of QUALITY, the power of investigation that the article
58.1 of the GDPR confers on the control authorities, in this case, the AEPD, it has been
seen hindered.
Regarding what was alleged by QUALITY to refuse to provide access to the
information required by the inspectors of this Agency, it should be noted that article
53.1 of the LOPDGDD under the heading "Scope of research activity"
stipulates the following:
"1. Those who carry out the research activity may collect the information
necessary for the fulfillment of their functions, carry out inspections, require the
display or dispatch of the necessary documents and data, examine them on the spot
where they are deposited or where the treatments are carried out,
obtain a copy of them, inspect the physical and logical equipment and request the
execution of treatments and programs or procedures of management and support of the
treatment subject to investigation.
Likewise, in article 27.2 of the aforementioned RD 389/2021 the functions of
The General Sub-Directorate of Data Inspection, among which is found in its
section b) The exercise of the investigative powers defined in article 51
of Organic Law 3/2018, of December 5.
Therefore, the facts described in the "Proven facts" section are considered
constituting an infringement, attributable to QUALITY, for violation of article 58.1
of the GDPR, which provides that each control authority will have, among its powers of
investigation:
“a) order the person responsible and the person in charge of the treatment and, where appropriate, the
representative of the manager or manager, who provide any information
that it requires for the performance of its functions; b) carry out investigations in
form of data protection audits; c) carry out a review of the
certificates issued under article 42, paragraph 7; d) notify the
responsible or the person in charge of the treatment the alleged infractions of the present
Regulation; e) obtain from the person in charge and the person in charge of the treatment access to
all personal data and all the information necessary for the exercise of their
functions; f) obtain access to all the premises of the person in charge and of the person in charge of the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/18
processing, including any data processing equipment and means, of
accordance with the procedural law of the Union or of the Member States.”
V
Classification and classification of the offense
In accordance with the evidence available, the facts stated are
considered to constitute an infringement, attributable to QUALITY.
This infringement is typified in article 83.5.e) of the GDPR, which considers as such: "no
facilitate access in breach of article 58, section 1.”
The same article establishes that this infraction can be sanctioned with a fine.
twenty million euros (€20,000,000) maximum or, in the case of a
company, of an amount equivalent to four percent (4%) maximum of the
total annual global business volume of the previous financial year, opting for the
of greater amount.
For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as
the following behavior is very serious:
"ñ) Failing to facilitate access by data protection authority personnel
competent to personal data, information, premises, equipment and means of
treatment that are required by the data protection authority for the
exercise of its investigative powers.
o) The resistance or obstruction of the exercise of the inspection function by the authority
of competent data protection.”
SAW
sanction imputed
The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. In
Consequently, the sanction to be imposed must be graduated according to the criteria
established in article 83.2 of the GDPR, and with the provisions of article 76 of the
LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR.
Based on the information available, it is appreciated that the circumstances concur
Justifications for the following aggravating factors:
- Article 83.2.b) of the GDPR: intentionality or negligence in the infringement.
The obstruction to the inspection activity of this Agency is intentional and manifest,
expressly declaring QUALITY that it will not provide access to this Agency to any
data or information, nor will it allow the access of the inspectors, sending their
collaboration with the courts.
- Article 76.2.b) of the LOPDGDD, in accordance with the provisions of article 83.2.k) of the
GDPR: linking the activity of the infringer with the performance of data processing
personal information.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/18
QUALITY maintains a personal data processing activity through the
Inglobaly.com portal, through which it manages a personal database and
offers various services to third parties related to such data.
In accordance with the facts exposed, it is considered that it is appropriate to impute a sanction to
QUALITY for the violation of article 58.1 of the GDPR typified in article 83.5 e)
of the GDPR. The sanction that corresponds to impose is an administrative fine for a
amount of 20,000.00 euros.
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited, the Director of the
Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE QUALITY-PROVIDER S.A., with NIF A87407243, for a
infringement of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a
fine of 20,000.00 euros (TWENTY THOUSAND euros).
SECOND: NOTIFY this resolution to QUALITY-PROVIDER S.A.
THIRD: Warn the penalized person that they must make the imposed sanction effective
Once this resolution is enforceable, in accordance with the provisions of Article
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of its income, indicating the NIF of the sanctioned and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code:
CAIXESBBXXX), opened on behalf of the Spanish Data Protection Agency in
the banking entity CAIXABANK, S.A. Otherwise, it will proceed to its
collection in executive period.
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reversal before the
Director of the Spanish Agency for Data Protection within a period of one month from
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/18
day following the notification of this act, as provided for in article 46.1 of the
referred Law.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
938-010623
Mar Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
