AEPD (Spain) - PS-00563-2022

From GDPRhub
AEPD - PS-00563-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(2) GDPR
Article 13 GDPR
Article 58(2)(d) GDPR
Article 83(2) GDPR
Article 83(5) GDPR
Article 83(5)(b) GDPR
Recital 60 Regulation 2016/679
Type: Investigation
Outcome: Violation Found
Started: 30.06.2020
Decided: 28.06.2023
Fine: 2,000 EUR
National Case Number/Name: PS-00563-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Konrad Kontriner

The Spanish DPA fined a controller €2,000 for infringing Article 13 GDPR in their contract with a tenant.

English Summary


The data subject is a former customer (tenant) of the controller (Gavanova de immobles, S.L.).

On 29 July 2020 the data subject signed the reservation document for the property, then on 4 September 2020 the lease agreement / contract was signed. After approximately two years the lease was terminated on 31 January 2022.

On 30 June 2022 the Spanish Data Protection Agency (AEPD) received a complaint from the data subject stating that they did not feel their data was protected by the controller. The data subject suspected that their personal data had been used to enter into a contract with a third party (a cleaning company) without their knowledge. When the data subject visited the real estate company's website, the Privacy Policy page was blank. The data subject also found that the contract and lease resolution between the two parties contained references to data protection law that was not up to date with the current law.

Following the complaint lodged by the data subject, the Spanish DPA accessed the website of the controller on 27 July 2022 and confirmed that the Privacy Policy section was in fact blank. As a result, the DPA asked the controller to explain themselves. The purpose of that step was to allow the controller to proceed with the analysis and inform the DPA within one month of the actions carried out to adapt to the requirements set out in the data protection regulations. This was carried out by electronic means in accordance with Spanish Public Administration Law (Common Administrative Procedure for Public Administrations). However, the controller did not take up the required steps and it was understood to have rejected them. Nevertheless, a copy was sent by post, which was notified on 31 August 2022. In this notification, the controller was reminded to interact electronically and that from then on they would be notified exclusively by electronic means. The controller did not reply.

On 20 September 2022 the complaint was admitted for processing.

Shortly after, the Spanish DPA accessed the website again to check whether any changes had been made. The DPA established that the Privacy Policy page was last updated on 29 September 2022.

As a result, the director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the controller for the infringement of Article 13 GDPR as defined in Article 83(5)(b) GDPR. This initiation agreement was notified and delivered to the controller on 16 December 2022.

The controller responded with a written statement in due time and form on 21 December 2022. The controller mentioned that the data subject had authorised them to process their data, including the possible transfer to other companies (in this case a cleaning company). The data subject had agreed with the landlady that the cleaning of the flat would be deducted from their deposit.

Therefore, the controller argued that the complainant had authorised them to process their data. Moreover, there was no significant proof of any exchange of data between the controller and the cleaning company. In addition, the information the controller had given to the complainant was merely out of date, and the Privacy Policy and Legal Notice have since been updated. The controller even invoked the mitigating factor that they had complied with the DPA and with the procedure. They contacted a consultancy firm to advise them on compliance with the rules. They noted that no benefits had been claimed from the commission of the offence and no rights of minors had been harmed.

On 31 January 2023 the DPA agreed to open a period of evidence. The complaint by the data subject and the controller's allegations to the initiation agreement and the accompanying documentation were already incorporated. The controller was required to provide a copy of the new contract they make with tenants, landlords and third-party companies.

Subsequently on 13 February 2023 the controller replied by sending the requested documents called “Lease contract” and “Termination of contract” with an annex “Information on Personal Data Protection”.


In response to the allegations made by the controller, the DPA pointed out that the cooperation had been considered when setting the fine imposed according to Article 83(2) GDPR. However, the DPA also stressed the principle of accountability according to Article 5(2) GDPR.

Regarding the measures adopted, the DPA said that the website lacked the following mandatory sections: purpose, legitimisation, or period of conservation of personal data.

In addition, the DPA wanted to point out that the adoption of the measures by the controller did not remedy the infringement of Article 13 GDPR. After all, the controller did not comply with their obligation to correctly inform the data subject prior to the initiation of the sanctioning procedure.

The claims of the controller were dismissed by the DPA. In addition, the processing of data had to be according to Article 5 GDPR and Recital 60.

Regarding the Privacy Policy however, it was clear that it didn’t inform users of all the points listed in Article 13 GDPR.

Due to the known facts, the DPA attributed the infringement to the controller for violation of Article 13 GDPR.

After balancing the circumstances, the DPA concluded that a fine of €2,000 be set for the infringement of Article 13 GDPR as defined in Article 83(5) GDPR. Pursuant to Article 58(2)(d) GDPR, the Spanish DPA ordered the controller to accredit, within ten working days of being notified, that it has completed the information contained in the Privacy Policy section of their website.



English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
