AEPD (Spain) - EXP202308002: Difference between revisions

From GDPRhub
No edit summary
Line 66: Line 66:
A complaint was submitted to the Spanish DPA about an alleged infringement of the GDPR. This case was filed under the case name EXP202209784.  
A complaint was submitted to the Spanish DPA about an alleged infringement of the GDPR. This case was filed under the case name EXP202209784.  


In relation to the case, the Spanish DPA submitted two requests for information to the controller with a ten day deadline for compliance attatched to each request.  
In relation to the case, the Spanish DPA submitted two requests for information to the controller with a ten day deadline for compliance attached to each request.  


The first one was sent March 21, 2023, and received no reply. The second one was sent on May 12, 2023 and the controller acknowledged reciept.   
The first one was sent on 21.03.2023 and received no reply. The second one was sent on 12.05.2023 and the controller acknowledged receipt.   


Nonethless, the controller never sent the Spanish DPA the relevant requested information and for this reason the DPA began seperate sanctioning proceedings against the controller for the infringement of [[Article 58 GDPR|Article 58(1) GDPR]] (EXP202308002).
Nonethless, the controller never sent the Spanish DPA the relevant requested information and for this reason the DPA began seperate sanctioning proceedings against the controller for the infringement of [[Article 58 GDPR|Article 58(1) GDPR]] (EXP202308002).
Line 75: Line 75:
The DPA fined the controller €500 for the infringement of [[Article 58 GDPR#1|Article 58(1) GDPR]].
The DPA fined the controller €500 for the infringement of [[Article 58 GDPR#1|Article 58(1) GDPR]].


First, the DPA took into account there was no publiclically available information about the company's financial revenue when deciding the appropriate amount of the fine.
First, the DPA took into account there was no publicly available information about the company's financial revenue when deciding the appropriate amount of the fine.


Second, since the controller never cooperated with the DPA the Spanish DPA considered this to breach Article 58(1) GDPR.   
Second, since the controller never cooperated with the DPA, the Spanish DPA considered this to breach Article 58(1) GDPR.   


Third, the DPA used [[Article 58 GDPR|Article 58(1)(a) GDPR]] to order the controller to give to it within 10 working days (from the date of the decision) the relevant information it required.  
Third, the DPA used [[Article 58 GDPR|Article 58(1)(a) GDPR]] to order the controller to give to it within 10 working days (from the date of the decision) the relevant information it required.  

Revision as of 13:08, 21 February 2024

AEPD - EXP202308002
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(1) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: EXP202308002
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: EXP202308002 (in ES)
Initial Contributor: n/a

The Spanish DPA fined a controller €500 for non-complaince with the DPA's investigation.

English Summary

Factsc

A complaint was submitted to the Spanish DPA about an alleged infringement of the GDPR. This case was filed under the case name EXP202209784.

In relation to the case, the Spanish DPA submitted two requests for information to the controller with a ten day deadline for compliance attached to each request.

The first one was sent on 21.03.2023 and received no reply. The second one was sent on 12.05.2023 and the controller acknowledged receipt.

Nonethless, the controller never sent the Spanish DPA the relevant requested information and for this reason the DPA began seperate sanctioning proceedings against the controller for the infringement of Article 58(1) GDPR (EXP202308002).

Holding

The DPA fined the controller €500 for the infringement of Article 58(1) GDPR.

First, the DPA took into account there was no publicly available information about the company's financial revenue when deciding the appropriate amount of the fine.

Second, since the controller never cooperated with the DPA, the Spanish DPA considered this to breach Article 58(1) GDPR.

Third, the DPA used Article 58(1)(a) GDPR to order the controller to give to it within 10 working days (from the date of the decision) the relevant information it required.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/6








     File No.: EXP202308002



               RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                  BACKGROUND

FIRST: As a consequence of a claim presented to the Spanish Agency
of Data Protection, showing signs of a possible breach of the
provided in Regulation (EU) 2016/679 (General Regulation for the Protection of
Data, hereinafter RGPD), actions were initiated with file number

EXP202209784. The claim was admitted for processing on October 28, 2022.

SECOND: The General Subdirectorate of Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
issue, by virtue of the investigative powers granted to the authorities of

control in article 57.1 of the RGPD, and in accordance with the provisions of Title
VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, of
Protection of Personal Data and guarantee of digital rights (LOPDGDD in what
successive).


Within the framework of the investigation actions, they were sent to UPMOBILE
SOLUTIONS, S.L., with NIF B02682276, two information requirements, related to
the claim outlined in the first section, so that within a period of ten days
competent, submit to this Agency the information and documentation contained therein.
he pointed out. The first of them was registered as leaving on March 21, 2023,
while the second was registered on May 12, 2023.


THIRD: The information requirements were notified in accordance with the regulations
established in Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP). The first of them
was sent by electronic notification and was not collected within the release period

provision, therefore understood to be rejected on April 1, 2023, while
that the second was collected by UPMOBILE SOLUTIONS, S.L. dated May 15
of 2023, as stated in the acknowledgments of receipt in the file.

FOURTH: Regarding the required information, UPMOBILE SOLUTIONS, S.L. has not

sent any response to this Spanish Data Protection Agency.

FIFTH: On June 22, 2023, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against UPMOBILE
SOLUTIONS, S.L., for the alleged violation of Article 58.1 of the RGPD, typified in
Article 83.5 of the GDPR.


The initiation agreement was notified to UPMOBILE SOLUTIONS, S.L., in accordance with the
standards established in the LPACAP, through an announcement published in the Bulletin
State Official dated July 5, 2023, after having been returned to origin by

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/6








postal notification of said initiation agreement is unknown, despite having been sent
to the tax address of UPMOBILE SOLUTIONS, S.L. provided by the State Agency of
Tax administration.


SIXTH: The aforementioned initiation agreement has been notified in accordance with the rules established in
the LPACAP and after the period granted for the formulation of allegations has elapsed, it has been
verified that no allegation has been received by UPMOBILE SOLUTIONS, S.L..

Article 64.2.f) of the LPACAP - provision of which UPMOBILE was informed

SOLUTIONS, S.L. in the agreement to open the procedure - establishes that if
make allegations within the stipulated period regarding the content of the initiation agreement,
when it contains a precise statement about the responsibility
imputed, may be considered a resolution proposal. In the present case, the
agreement to initiate the sanctioning file determined the facts in which

specified the imputation, the violation of the RGPD attributed to UPMOBILE SOLUTIONS,
S.L. and the sanction that could be imposed. Therefore, taking into consideration that
UPMOBILE SOLUTIONS, S.L. has not made allegations to the agreement to start the
file and in accordance with the provisions of article 64.2.f) of the LPACAP, the aforementioned
initiation agreement is considered in this case as a proposed resolution.


SEVENTH: According to the report collected from the AXESOR tool, the entity
UPMOBILE SOLUTIONS, S.L. is an SME (Microenterprise), established in the year
2020, for which there is no financial information available.

In view of everything that has been done, by the Spanish Data Protection Agency

In this procedure, the following are considered proven facts:


                                PROVEN FACTS

FIRST: The information requirements indicated in the background information second

and third, they were notified in accordance with the provisions of the LPACAP.

SECOND: UPMOBILE SOLUTIONS, S.L. has not responded to the requirements of
information carried out by this Agency within the framework of the actions of
investigation of file EXP202209784 within the deadlines granted for this purpose.


THIRD: The agreement to initiate this sanctioning procedure was notified
to UPMOBILE SOLUTIONS, S.L., in accordance with the provisions of article 44 of the
LPACAP, through an announcement published in the Official State Gazette dated
July 5, 2023.


FOURTH: UPMOBILE SOLUTIONS, S.L. has not presented allegations to the agreement
initiation of this sanctioning procedure.








C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/6








                           FOUNDATIONS OF LAW

                                           Yo

                                     Competence

In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures."

                                           II
                                 Unfulfilled obligation

In accordance with the evidence available, it is considered that

UPMOBILE SOLUTIONS, S.L. has not requested the Spanish Protection Agency
of Data the information you requested.

With the indicated conduct of UPMOBILE SOLUTIONS, S.L., the power to
investigation that article 58.1 of the RGPD confers on the supervisory authorities, in

In this case, the AEPD has been hindered.

Therefore, the facts described in the “Proven Facts” section are considered
constituting an infringement, attributable to UPMOBILE SOLUTIONS, S.L., for
violation of article 58.1 of the RGPD, which provides that each supervisory authority

will have, among its investigative powers:

“a) order the person responsible and the person in charge of the treatment and, where appropriate, the
representative of the person responsible or the person in charge, who provide any information
that is required for the performance of its functions; b) carry out research in
form of data protection audits; c) carry out a review of the

certifications issued under Article 42, paragraph 7; d) notify the
responsible or to the person in charge of the treatment of the alleged violations of this
Regulation; e) obtain from the person responsible and the person in charge of the treatment access to
all personal data and all information necessary for the exercise of its
functions; f) obtain access to all the premises of the person responsible and the person in charge of the

processing, including any equipment and means of data processing, of
in accordance with the procedural law of the Union or of the Member States.”

                                           III
                       Classification and classification of the offense


In accordance with the evidence available, the facts presented are
They consider them to constitute an infringement, attributable to UPMOBILE SOLUTIONS, S.L..


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/6








This infraction is classified in article 83.5.e) of the RGPD, which considers as such: “no
provide access in breach of Article 58(1).”


The same article establishes that this violation can be punished with a fine.
of twenty million euros (€20,000,000) maximum or, in the case of a
company, of an amount equivalent to four percent (4%) maximum of the
global total annual business volume of the previous financial year, opting for the
of greater amount.


For the purposes of the limitation period for infringements, the alleged infringement
prescribes after three years, in accordance with article 72.1 of the LOPDGDD, which qualifies as
The following behavior is very serious:

“ñ) Do not facilitate access by data protection authority personnel

competent to personal data, information, premises, equipment and means of
processing that is required by the data protection authority for the
exercise of its investigative powers.
o) Resistance or obstruction of the exercise of the inspection function by the authority
of competent data protection.”


                                          IV
                                  Imputed sanction

The fine imposed must be, in each individual case, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In

Consequently, the sanction to be imposed must be graduated according to the criteria
established in article 83.2 of the RGPD, and with the provisions of article 76 of the
LOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD.

It can be seen that no mitigating or aggravating circumstance applies.


In light of the facts presented, it is considered that it is appropriate to impute a sanction to
UPMOBILE SOLUTIONS, S.L. for the violation of article 58.1 of the RGPD typified
in article 83.5 e) of the GDPR. The penalty to be imposed is a fine
administrative for an amount of 500.00 euros.



Therefore, in accordance with applicable legislation, the Director of the Agency
Spanish Data Protection RESOLVES:

FIRST: IMPOSE UPMOBILE SOLUTIONS, S.L., with NIF B02682276, for a

violation of Article 58.1 of the GDPR, typified in Article 83.5 of the GDPR, a
fine of 500.00 euros (FIVE HUNDRED euros).

SECOND: ORDER UPMOBILE SOLUTIONS, S.L.. that, in accordance with the
investigative power provided for in article 58.1.a) of the RGPD, is provided, in the

within ten business days, the information required in the requirements made
within the framework of the actions with file number EXP202209784 and to whom
Reference has been made in the background to this resolution.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/6








Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its article 83.6, and such conduct may be motivated by

opening of a subsequent administrative sanctioning procedure.

THIRD: NOTIFY this resolution to UPMOBILE SOLUTIONS, S.L..

FOURTH: This resolution will be enforceable once the deadline to file the
optional resource for replacement (one month counting from the day following the

notification of this resolution) without the interested party having made use of this power.
The sanctioned person is warned that he must make effective the sanction imposed once
This resolution is executive, in accordance with the provisions of art. 98.1.b)
of the LPACAP, within the voluntary payment period established in art. 68 of the Regulations
General Collection, approved by Royal Decree 939/2005, of July 29, in

relationship with art. 62 of Law 58/2003, of December 17, through its entry,
indicating the NIF of the sanctioned person and the procedure number that appears in the
heading of this document, in the restricted account IBAN number: ES00-0000-
0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A..
Otherwise, it will be collected during the executive period.


Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if
The payment period is between the 16th and last day of each month, both inclusive.

It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/6










documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal

contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



                                                                                      938-250923
Sea Spain Martí
Director of the Spanish Data Protection Agency


























































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es