AEPD (Spain) - PS-00446-2023

From GDPRhub
Revision as of 09:28, 8 March 2024 by Teresa.lopez (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00446-2023 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00446-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS-00446-2023
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 20.05.2023
Decided:
Published: 06.03.2024
Fine: n/a
Parties: n/a
National Case Number/Name: PS-00446-2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Teresa.lopez

The Spanish Data Protection Authority fined a controller €2,000 for requiring an employee to use their personal cell phone for work purposes without establishing an appropriate legal basis for the processing.

English Summary

Facts

An ex-employee of the controller filed a complaint with the Spanish Data Protection Authority, alleging that the company, for which they provided services, compelled them to utilize their personal cell phone for work purposes. This requirement involved installing an application, specifically a company wallet card platform.

Despite the complaints raised, the controller's response was adamant that they would not provide the employee with a company cell phone. Subsequently, the ex-employee mentioned that even after leaving the company, their phone number remained part of two WhatsApp groups. Consequently, they continued to receive messages from former colleagues, appearing in those groups as a former member, with their phone number and name still visible.

Holding

The Spanish Data Protection Authority ruled that the processing activities conducted by the controller violated Article 6.1 of the GDPR. As a result, the DPA imposed a fine of €2,000 on the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12










     File No.: EXP202310230



       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE
                                   VOLUNTEER


From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                  BACKGROUND


FIRST: On January 8, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against VUKMAL TRADE,
S.L. (hereinafter, the claimed party), through the Agreement transcribed:

<<

File No.: EXP202310230


            AGREEMENT TO START SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following

                                      FACTS

FIRST: Mr. A.A.A., with DNI ***NIF.1 (hereinafter, the claiming party) with date

05/28/2023 filed a claim with the Spanish Data Protection Agency.
The claim is directed against VUKMAL TRADE, S.L. with NIF B09966508 (in
forward, the claimed part). The grounds on which the claim is based are:
following:


       The claimant states that the company for which he provided his services until
on ***DATE.1, required him to use his personal mobile phone for work, having
have to install an application (Soldo as a wallet card platform
company, which I had to enter daily to make transfers and to
account for expenses, requiring access to a phone to send the code

verification) to access a website in Ireland, and that, in addition, the company
shared your personal mobile number with other employees without their consent.

       After notifying the situation, the company's response was that they were not going to give him
a company cell phone; The claimant states that, although he no longer works in the
company, his personal phone was included in two WhatsApp groups (Notices

Expofactory and Central Services, the first for HR issues and the second
for work issues), being contacted by former colleagues, appearing
in these groups as a former member, with your phone number and name. The company


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








refuses to delete such groups and continues to force its employees to use their phones
personal to work.


       The claimant emphasizes that, in the two months that he worked in the company, for
part of the HR manager (whatsapp group administrator) and the
CFO of the company, he was told that it was nonsense regarding the
use of personal cell phone at work, with the financial director telling him not to
would give a company cell phone to the claimant.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), on 07/21/2023 said claim was transferred to the party
claimed, so that it could proceed with its analysis and inform this Agency within the period
of one month, of the actions carried out to adapt to the planned requirements

in data protection regulations.

       The transfer, which was carried out in accordance with the rules established in the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP) through electronic notification,
was not collected by the person responsible, within the period of making it available,

understood to be rejected in accordance with the provisions of art. 43.2 of the LPACAP in
date 08/01/2023, as stated in the certificate in the file.

       Although the notification was validly carried out by electronic means,
the procedure being considered completed in accordance with the provisions of article 41.5 of the

LPACAP, for information purposes, a copy was sent by postal mail that was notified
reliably on 08/10/2023. In said notification, he was reminded of his
obligation to relate electronically with the Administration, and were informed
of the means of access to said notifications, reiterating that, from now on, you will be
would notify exclusively by electronic means.


THIRD: On 08/28/2023, in accordance with article 65 of the LOPDGDD,
The claim presented by the complaining party was admitted for processing.


FOURTH: In writing dated 09/13/2023, the defendant has stated that on ***DATE.1

The complainant asked the company to remove him from the WhatsApp group and
the Soldo application and how many it will be used on; that the next day he was informed that
their data had been deleted in accordance with what was requested; that he
claimed has carried out a risk analysis on the processing of data of a nature
personnel, has drawn up a protocol of technical and security measures

organizational measures implemented to comply with data protection regulations and
has drafted a safety policy document to inform workers of
your rights and obligations regarding the processing of personal data;
that to date, WhatsApp groups were created to speed up the day-to-day life of the
company requesting only verbal consent; which since 05/03/2023 has been requested

written consent to all workers.

                           FOUNDATIONS OF LAW


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12








                                           Yo

       In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


       Likewise, article 63.2 of the LOPDGDD determines that: "The
Procedures processed by the Spanish Data Protection Agency will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions dictated in its development and, as far as they are not

contradict, on a subsidiary basis, by the general rules on the
administrative procedures."

                                           II
       The reported events materialize in the inclusion in WhatsApp groups
without basis of legitimation, which could violate the regulations on protection

of personal data.

       Article 58 of the GDPR, Powers, states:

       "2. Each supervisory authority will have all of the following powers

corrective measures indicated below:

       (…)
       d) order the person responsible or in charge of the treatment that the operations of
       treatment comply with the provisions of this Regulation, when

       appropriate, in a certain manner and within a specified period;
       (…)
       i) impose an administrative fine in accordance with Article 83, in addition to or in
       instead of the measures mentioned in this section, according to the
       circumstances of each particular case;
       (…)”


                                           III
       Article 5 of the GDPR, Principles relating to processing, states that:

       "1. The personal data will be:


       a) treated in a lawful, fair and transparent manner in relation to the interested party
       ("legality, loyalty and transparency");
       (…)”


       Article 6.1 of the RGPD establishes the assumptions that allow considering
lawful processing of personal data:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12








       "1. The treatment will only be legal if it meets at least one of the following
conditions:

       a) the interested party gave their consent for the processing of their data
       personal for one or more specific purposes;

       b) the processing is necessary for the performance of a contract in which the
       interested party is part or for the application at his request of measures
       pre-contractual;
       c) the processing is necessary for compliance with a legal obligation
       applicable to the data controller;
       d) the processing is necessary to protect the vital interests of the interested party or

       of another natural person.
       e) the processing is necessary for the fulfillment of a mission carried out in
       public interest or in the exercise of public powers conferred on the person responsible
       of the treatment;
       f) the processing is necessary for the satisfaction of legitimate interests

       pursued by the person responsible for the treatment or by a third party, provided that
       The interests or rights and freedoms do not prevail over said interests.
       fundamentals of the interested party that require the protection of personal data,
       particularly when the interested party is a child.

       The provisions of letter f) of the first paragraph will not apply to the

processing carried out by public authorities in the exercise of their functions.”

       Likewise, Recital 40 of the aforementioned GDPR provides that "In order for
processing is lawful, personal data must be processed with the
consent of the interested party or on some other legitimate basis established in accordance
a Law, whether in this Regulation or under other Union law

or of the Member States referred to in this Regulation, including the
need to comply with the legal obligation applicable to the data controller or the
need to execute a contract to which the interested party is a party or for the purpose of
take measures at the request of the interested party prior to the conclusion of a
contract."


       On the other hand, article 4 of the RGPD, Definitions, in sections 1, 2 and 11,
notes that:

       “1) “personal data”: any information about an identified natural person
or identifiable ("the interested party"); Any identifiable natural person will be considered
person whose identity can be determined, directly or indirectly, in particular

by means of an identifier, such as a name, an identification number,
location data, an online identifier or one or more elements of the
physical, physiological, genetic, mental, economic, cultural or social identity of said
person;


       “2) “treatment”: any operation or set of operations performed
on personal data or sets of personal data, whether by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12








communication by transmission, broadcast or any other form of habilitation of
access, collation or interconnection, limitation, deletion or destruction;


       “11) “consent of the interested party”: any manifestation of free will,
specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him.”

                                           IV

       The infraction attributed to the defendant is classified in the
article 83.5 a) of the GDPR, which considers that the violation of “the basic principles
for processing, including the conditions for consent under the
articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned
article 83 of the aforementioned Regulation, “with administrative fines of €20,000,000 as

maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the total global annual turnover of the previous financial year,
opting for the highest amount.”

       The LOPDGDD in its article 71, Infractions, states that: “They constitute
infractions the acts and conduct referred to in sections 4, 5 and 6 of the

article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law.”

       And in its article 72, it considers for the purposes of prescription, which are: “Infringements
considered very serious:


       1. Based on what is established in article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
involve a substantial violation of the articles mentioned therein and, in
in particular, the following:


       (…)
       b) The processing of personal data without any of the
       conditions of legality of the treatment established in article 6 of the
       Regulation (EU) 2016/679.
       (…)”


                                           V
       The processing of personal data requires the existence of a database
legal that legitimizes it.


       In accordance with article 6.1 of the GDPR, in addition to consent,
There are other possible bases that legitimize the processing of data without the need for
have the authorization of its owner. in particular, when necessary for the
execution of a contract to which the affected party is a party or for the application, at the request
of this, pre-contractual measures, or when necessary for the satisfaction of

legitimate interests pursued by the data controller or by a third party,
provided that the interests or rights do not prevail over said interests and
fundamental freedoms of the affected party that require the protection of such data. He
Treatment is also considered lawful when it is necessary for the fulfillment of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12








a legal obligation applicable to the data controller, to protect interests
vital of the affected person or of another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers conferred on the

responsible for the treatment.

       The claimant in his writing of 05/28/2023 stated that the claimant is obliged
its workers to use their personal mobile phone to work (through the
Soldo application) and, furthermore, that having stopped providing services for the same
continues to be included in two WhatsApp groups, with the company refusing to delete the

themselves and forcing their employees to use their personal phones for work.

       The defendant in writing dated 09/13/2023 has stated that “To date,
They created WhatsApp groups to streamline the day-to-day life of the company, it was not a
mandatory requirement, but only verbal consent was requested, since 31

May 2023, written consent is requested from all workers.”

       Therefore, it is considered that the conduct of the defendant violates the principle of
legality enshrined in article 6.1 of the RGPD, typified in article 83.5 a) of the
GDPR.


                                           SAW
       In order to establish the administrative fine that should be imposed, they must
The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which
they point out:


       "1. Each supervisory authority will ensure that the imposition of fines
administrative sanctions under this article for violations of this
Regulations indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.


       2. Administrative fines will be imposed, depending on the circumstances
of each individual case, as an additional or substitute for the measures contemplated
in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:

       a) the nature, severity and duration of the infringement, taking into account the

       nature, scope or purpose of the processing operation in question
       as well as the number of interested parties affected and the level of damage and
       damages they have suffered;
       b) intentionality or negligence in the infringement;
       c) any measure taken by the person responsible or in charge of the treatment

       to alleviate the damages and losses suffered by the interested parties;
       d) the degree of responsibility of the person responsible or in charge of the
       treatment, taking into account the technical or organizational measures that have been
       applied under articles 25 and 32;
       e) any previous infraction committed by the person responsible or in charge of the

       treatment;
       f) the degree of cooperation with the supervisory authority in order to put
       remedy the infringement and mitigate the possible adverse effects of the infringement;
       g) the categories of personal data affected by the infringement;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12








       h) the way in which the supervisory authority became aware of the infringement, in
       particular whether the person responsible or the person in charge notified the infringement and, in that case,
       what extent;

       i) when the measures indicated in Article 58(2) have been
       previously ordered against the person responsible or the person in charge in question
       in relation to the same matter, compliance with said measures;
       j) adherence to codes of conduct under Article 40 or to mechanisms
       of certification approved in accordance with Article 42, and
       k) any other aggravating or mitigating factor applicable to the circumstances of the

       case, such as financial benefits obtained or losses avoided, direct
       or indirectly, through infringement.

       In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:


       "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:

       a) The continuous nature of the infringement.
       b) The linking of the offender's activity with the performance of treatments

       of personal data.
       c) The benefits obtained as a consequence of the commission of the infraction.
       d) The possibility that the conduct of the affected person could have induced the
       commission of the infraction.
       e) The existence of a merger by absorption process after the commission

       of the infringement, which cannot be attributed to the absorbing entity.
       f) The impact on the rights of minors.
       g) Have, when it is not mandatory, a delegate for the protection of
data.
       h) Submission by the person responsible or in charge, with character

       voluntary, to alternative conflict resolution mechanisms, in those
       cases in which there are disputes between them and any
       interested."


       In accordance with the transcribed precepts, and without prejudice to what results from the

instruction of the procedure, for the purposes of setting the amount of the fine sanction
impose in the present case for the violation of article 6.1 of the RGPD, typified in the
article 83.5.a) of the RGPD for which the defendant is held responsible, in an assessment
initial, it is considered appropriate to establish a penalty of €2,000 (two thousand euros).



                                           VII
       If the violation is confirmed, it could be agreed to impose the person responsible
adoption of appropriate measures to adjust its actions to the aforementioned regulations
in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD,

according to which each control authority may “order the person responsible or in charge
of the processing that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12








specified period…” The imposition of this measure is compatible with the sanction
consisting of an administrative fine, as provided in art. 83.2 of the GDPR.


       Therefore, it would be considered appropriate to order that the defendant within the period of
six months adapt the treatments object of this procedure to the regulations
applicable. The text of this agreement establishes the facts that
have given rise to the violation of data protection regulations, which is
clearly infers what measures to adopt, without prejudice to the type of
specific procedures, mechanisms or instruments to implement them

corresponds to the sanctioned party, since it is the one who fully knows its organization
and must decide, based on proactive responsibility and a risk approach, how
comply with the RGPD and the LOPDGDD. Specifically, to proceed to comply with the
required by data protection regulations, legitimizing the processing
which is carried out both in the use of the app and in the WhatsApp groups in the

company or such processing is terminated.

       Please note that failure to comply with the order imposed by this body may be

considered as an administrative offense in accordance with the provisions of the RGPD,
classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.



       Therefore, in light of the above,


       By the Director of the Spanish Data Protection Agency,

       HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against VUKMAL TRADE, S.L., with
NIF B09966508, for the alleged violation of article 6.1 of the RGPD, typified in the

article 83.5.a) of the RGPD.

SECOND: APPOINT B.B.B. Instructor. and Secretary to C.C.C., indicating that
Any of them may be challenged, if applicable, in accordance with the provisions of the
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector

Public (LRJSP).

THIRD. INCORPORATE into the sanctioning file, for evidentiary purposes, the
claim filed by the claimant and its documentation, the documents
obtained and generated by the Inspection Services; documents all of which

make up the file.

ROOM. THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
October and article 58.2.b) of the RGPD, the sanction that may apply for the
violation of article 6.1 of the RGPD would be €2,000 (two thousand euros), without prejudice to
what results from the instruction.


FIFTH. NOTIFY this Agreement to VUKMAL TRADE, S.L., with NIF
B09966508, expressly indicating your right to a hearing in the procedure

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12








and granting you a period of TEN WORKING DAYS to formulate the allegations and
propose the evidence you consider appropriate. In his brief of allegations
You must provide your NIF and the procedure number that appears in the heading

of this document.

       If within the stipulated period you do not make allegations to this initial agreement, the
The same may be considered a proposal for a resolution, as established in the
article 64.2.f) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP).


       In accordance with the provisions of article 85 of the LPACAP, in case of
that the sanction to be imposed was a fine, may recognize its responsibility within
of the period granted for the formulation of allegations to this initiation agreement; it
which will entail a reduction of 20% of the sanction that may be imposed in

the present procedure. With the application of this reduction, the sanction would be
established at 1,600 euros, resolving the procedure with the imposition of this
sanction.

       Likewise, you may, at any time prior to the resolution of the
this procedure, carry out the voluntary payment of the proposed sanction, which

which will mean a 20% reduction in the amount. With the application of this
reduction, the penalty would be established at 1,600 euros and its payment will imply the
termination of the procedure, without prejudice to the measures that, if applicable,
impose


       The reduction for the voluntary payment of the penalty is cumulative with that
It is appropriate to apply for the recognition of responsibility, provided that this
acknowledgment of responsibility becomes evident within the deadline
granted to formulate allegations at the opening of the procedure. The pay
voluntary of the amount referred to in the previous paragraph may be made at any

moment before the resolution. In this case, if it were appropriate to apply both
reductions, the amount of the penalty would be established at 1,200 euros.

       In any case, the effectiveness of any of the two reductions mentioned
will be conditioned on the withdrawal or waiver of any action or resource pending.
administrative against the sanction.


       In the event that you choose to proceed with the voluntary payment of any of the
amounts indicated above (1,600 or 1,200 euros), you must make it effective
by depositing it into account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Data Protection Agency at CAIXABANK Bank,

S.A., indicating in the concept the reference number of the procedure that appears in
the heading of this document and the reason for the reduction of the amount to which
welcomes

       Likewise, you must send proof of income to the General Subdirectorate of

Inspection to continue the procedure in accordance with the quantity
entered.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12








       The procedure will have a maximum duration of twelve months counting from the
date of the initiation agreement or, where applicable, of the draft initiation agreement.
After this period, its expiration will occur and, consequently, the file of

performances; in accordance with the provisions of article 64 of the LOPDGDD.

       In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that,
From now on, the notifications sent to you will be made exclusively
electronically, through the Unique Enabled Electronic Address
(dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the

file, considering the procedure completed and the procedure being followed. You will
informs that you can identify an email address to this Agency
to receive the notice of making notifications available and that the lack of
practice of this notice will not prevent the notice from being fully considered
valid.


       Finally, it is noted that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.

                                                                     Sea Spain Martí
                              Director of the Spanish Data Protection Agency




>>


SECOND: On January 16, 2024, the claimed party has proceeded to pay
of the penalty in the amount of 1,200 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the
recognition of responsibility.


THIRD: The payment made, within the period granted to formulate allegations to
The opening of the procedure entails the renunciation of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.

FOURTH: In the initiation Agreement transcribed previously it was stated that,

If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of
appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the

this Regulation, where appropriate, in a certain manner and within a
specified period…”

Having recognized responsibility for the infraction, the imposition of penalties proceeds.
the measures included in the Initiation Agreement.



                           FOUNDATIONS OF LAW


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12








                                            Yo
                                     Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency

of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                           II
                             Termination of the procedure


Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading
“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,

The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature or a penalty can be imposed
pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in

Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction has only a pecuniary nature, the
body competent to resolve the procedure will apply reductions of, at least,

20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.
of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.


The reduction percentage provided for in this section may be increased
“regularly.”

According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of the procedure EXP202310230, of
in accordance with the provisions of article 85 of the LPACAP.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12









SECOND: ORDER from VUKMAL TRADE, S.L. so that within 6 months
Since this resolution is final and enforceable, notify the Agency of the
adoption of the measures described in the legal foundations of the
Initiation agreement transcribed in this resolution.


THIRD: NOTIFY this resolution to VUKMAL TRADE, S.L..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure

Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


                                                                               1259-16012024

Sea Spain Martí
Director of the Spanish Data Protection Agency


































C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es