AEPD (Spain) - EXP202104530

From GDPRhub
AEPD - PS-00073-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 28 GDPR
Article 21 LSSI
Article 38(4)(d) LSSI
Type: Other
Outcome: n/a
Started: 11.10.2021
Fine: n/a
Parties: A.A.A
National Case Number/Name: PS-00073-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

A data subject registered in the Robinson List, received a commercial SMS without being customer. On this legal basis they filed a complaint, however the accused company acted according to Article 28 GDPR and the Spanish DPA ended the proceedings.

English Summary


A.A.A. (data subject) received a commercial SMS from BOOKSY INTERNATIONAL SPOLKA, S.L. (the assumed controller) to their mobile number without being customer nor consent. On 11 October 2021, the data subject filed a complaint with the Spanish DPA against the controller. The data subject stated that they were not familiar with the controller and justified their registration on the Robinson List. Furthermore they provided a screenshot of an SMS received as evidence.

The complaint was transferred to the controller for analysis and a response within one month. The controller did not reply. On 11 January 2022, the complaint was admitted for processing. On 15 March 2022, the DPA initiated a disciplinary proceeding against the controller for the alleged infringement of Article 21 LSSI, as defined in Article 38(4)(d) LSSI. The controller reacted to the allegations with a written statement, saying that they are a service provider to beauty establishments, like SHEILA NAILS (controller) offering them platform to promote their services. They claim to be a processor and not responsible for the data subjects data.

On 27 April 2022 a motion for resolution was formulated, proposing that the DPA sanctions the processor with a fine of €500 for the violation of Article 21 of the LSSI.

On 11 May 2022, the processor submitted additional allegations defending their position as data processor, arguing that the data subject is not their customer and they are not responsible for the actions of the data controller. The processor proved that it has compiled at all times with the data protection regulations, particularly with Article 28 GDPR.


The Director of the Spanish DPA issued a resolution based on the evidence presented by both parties. The DPA upheld the company's claim that it was processor and not controller. Therefore, the Spanish DPA decided to archive the proceedings and notify this resolution to the data subject and processor. The parties have the right to file an optional appeal for reconsideration with the Spanish DPA within one month from date of notification. They could also directly appeal to the Administrative Court of the National Court (Sala de lo Contencioso-administrativo de la Audiencia Nacional) within 2 months from date of notification.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: EXP202104530


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


FIRST: A.A.A. (hereinafter, the claiming party) dated October 11, 2021
filed a claim with the Spanish Data Protection Agency.

The claim is directed against BOOKSY INTERNATIONAL SPOLKA, S.L. with NIF
B88598636 (hereinafter, the claimed party).

The reason on which the claim is based is that the claimed entity sends the
claimant a commercial SMS on his mobile line ***NIF.1.

He states that he does not know the requested company.

It justifies the registration of the receiving line in the Robinson List since 07/22/2013.

Provides a screen print of an SMS received on 10/11/2021 at 8:25 p.m.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
forward LOPDGDD), said claim was transferred to the claimed party, for
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.

The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on December 7, 2021 as
It appears in the acknowledgment of receipt that is in the file.

No response has been received to this letter of transfer.

THIRD: On January 11, 2022, in accordance with article 65 of the
LOPDGDD, the claim presented by the claimant party was admitted for processing.

FOURTH: On March 15, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate disciplinary proceedings against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,
of the Common Administrative Procedure of Public Administrations (in
hereafter, LPACAP), for the alleged infringement of article 21 of the LSSI, typified in

Article 38.4.d) of the LSSI.

FIFTH: Once the aforementioned initiation agreement was notified, the claimed party submitted a written
allegations in which, in summary, it states that it is a company that

C/ Jorge Juan, 6
28001 – Madrid 2/4

provides a platform for beauty establishments (such as hairdressing
SHEILA NAILS), in which they have their own space to promote their
establishments, make reservations, store customer data and send them

SMS for said purposes, being a mere person in charge of the treatment with respect to the
services that these establishments provide to their customers.

It is indicated that the claimant has received an SMS sent by SHEILA NAILS where
informs you that you can request their services through the entity's application

However, it notes that the claimant is not his client nor does he appear in any
your database, since the claimant is a client of the SHEILA establishment
NAILS and not yours.

SIXTH: On April 11, 2022, the procedure instructor agreed to consider
reproduced for evidentiary purposes the claim filed by the claimant and his
documentation, the documents obtained and generated during the admission phase to
processing of the claim, and the report of previous investigation actions that
They are part of procedure E/12159/2021.

Likewise, it is considered reproduced for evidentiary purposes, the allegations to the
initiation of the referenced sanctioning procedure, presented by the entity
claimed, and the documentation that accompanies them

SEVENTH: On April 27, 2022, a resolution proposal was formulated,

proposing that the Director of the Spanish Data Protection Agency
penalize BOOKSY INTERNATIONAL SPOLKA, S.L., with NIF B88598636, for a
violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI, with a
fine of €500 (FIVE HUNDRED euros).

EIGHTH: On May 11, 2022, the respondent entity presents allegations
to the aforementioned resolution proposal, indicating that the claimant is not his client,
but he is a client of the SHEILA NAILS establishment.

He claims to be a mere person in charge of treatment and that he cannot be penalized by the
actions carried out by the data controller, in our case,


Therefore, it is alleged by the claimed entity that it has complied at all times with
the regulations on data protection and, in particular, with the obligations
provided for in article 28 of the GDPR for those in charge of data processing

personal and in the contract signed with SHEILA NAILS to provide services of
Technological platform.

Of the actions carried out in this procedure and of the documentation
in the file, the following have been accredited:

C/ Jorge Juan, 6
28001 – Madrid 3/4

                                PROVEN FACTS

FIRST: An SMS of a commercial nature has been sent by the entity

claimed to the mobile line ***NIF.1 owned by the claimant without their consent.

SECOND: The claimed entity alleges that it is a mere processor,
since it is a company that provides service to different companies such as
technological platform, so that they can promote their services, carry out

reservations, store the data of its clients and send them SMS for said purposes.

                           FUNDAMENTALS OF LAW

In accordance with the provisions of art. 43.1, second paragraph, of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic, (LSSI), is competent to initiate and resolve this Procedure
Sanctioner, the Director of the Spanish Data Protection Agency.


In the present case, the claimant accredits by attaching a copy of this, the receipt of
an SMS on October 11, 2021.

The claimed entity has claimed to be a mere treatment manager, being
solely responsible for the application, that is, it is a technological platform,
and that the claimant is a client of the SHEILA NAILS establishment, the latter being
entity that uses its own databases to make shipments.


Therefore, after learning of these facts, the Director of the Agency
Spanish Data Protection RESOLVES:

FIRST: PROCEED TO THE ARCHIVE of the present proceedings.

SECOND: NOTIFY this resolution to the claimant and defendant.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once the interested parties have been notified.

Against this resolution, which puts an end to the administrative process as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common for Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reinstatement before the Director of the Agency
Spanish Data Protection Agency within a period of one month from the day
following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National Court,

C/ Jorge Juan, 6
28001 – Madrid 4/4

in accordance with the provisions of article 25 and paragraph 5 of the provision
additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within a period of two months from the day following

to the notification of this act, as provided in article 46.1 of the aforementioned Law.

Mar Spain Marti
Director of the Spanish Data Protection Agency

C/ Jorge Juan, 6
28001 – Madrid