AEPD (Spain) - PS/00043/2020

From GDPRhub
AEPD - PS/00043/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 83(5) GDPR
Type: Investigation
Outcome: Violation Found
Decided: 10.12.2020
Fine: None
Parties: n/a
National Case Number/Name: PS/00043/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA (AEPD) imposed a warning sanction on a private individual for failing to comply with the right to information (Article 13 GDPR) when collecting personal data on its website.

English Summary


A citizen brought to the attention of the AEPD that the website that the respondent used as a platform for the position of president of a professional association in Madrid in 2019, did not have a privacy policy or legal notice, and therefore could be in breach of the right to information of visitors to the website.

The website contained a form to collect personal data (name, telephone number, and e-mail address) from those interested in the project led by the defendant.

The respondent stopped the data processing when it was warned of the possible unlawfulness of the conduct, and the AEPD was able to verify that the personal data collection form had been removed.


Is collecting personal data without the required privacy policy a breach of Article 13 GDPR?


The AEPD considered that, in the present case, it was sufficient to impose a warning sanction for breach of the duty to provide information on the processing of data, as set out in article 13 GDPR.

In order to determine the level of the sanction, the AEPD took into account the fact that this is a natural person whose main activity is not linked to the processing of personal data and that there is no evidence of recidivism, as there is no record of the commission of previous infringements.


Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure Nº: PS / 00043/2020


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


FIRST: A.A.A. (hereinafter, the claimant) dated August 27, 2019

filed a claim with the Spanish Agency for Data Protection. The
complaint is directed against the website *** URL.1. The reason in relation to
Data protection regulations on which the claim is based is as follows:

“[…] SECOND: The indicated page does not include the PRIVACY POLICY or

LEGAL NOTICE, in breach of the existing regulations (art. 13 of the Regulation of
Data protection and art. 5 LOPD). "

Along with the claim, it provides screenshots of the aforementioned website.

SECOND: In view of the facts reported in the claim and the
documents provided by the claimant and documents of which he has had
knowledge of this Agency, the Subdirectorate General for Data Inspection proceeded
to carry out preliminary investigation actions to clarify the
facts in question, by virtue of the investigative powers granted to the
control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation

General Data Protection, hereinafter RGPD), and in accordance with the
established in Title VII, Chapter I, Second Section, of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it is verified that the
responsible for the treatment is B.B.B. with NIF *** NIF.1 since the website
claimed is constituted as a platform for the candidacy for the elections of the
Official College of Graduates of E.F. and Sciences of Physical Activity and Sports
the Community of Madrid held in 2019 to which the respondent applied

as president.

THIRD: Prior to the admission for processing of this claim,
transferred the claimed to the professional address that advertises it on the internet,
in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5

December, Protection of Personal Data and guarantee of digital rights (in
hereinafter, LOPDGDD), being returned as "unknown" on 12/20/2019.

In view of the foregoing, the State Tax Administration Agency is requested to
Tax address of the claimed, being provided on 02/26/2020.

C / Jorge Juan, 6
28001 - Madrid 2/9

FOURTH: In view of the facts denounced in the claim and the
documents provided by the claimant, it is observed that the website contains a

personal data collection form (name, telephone number and email address
electronic) of those people who were interested in the project led
by the claimed.

Consulted on February 24, 2020 the web page *** URL.1, it is verified that the
website is still open and maintains the situation revealed in the claim

Submitted Aug 27, 2019 by A.A.A.

FIFTH: Consulted on February 25, 2020, the application of the AEPD was
verifies that the only sanctioning procedure in which the claim appears as
mercantile B.B.B. with NIF *** URL.1, is the present procedure.

SIXTH: On March 6, 2020, the Director of the Spanish Agency for

Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD.

SEVENTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written
allegations on March 20, 2020, in which it stated that:

“[…] First. - That at no time has this party intended to breach
with the regulations governing Data Protection.

Second. That as soon as you receive the initiation agreement that gives rise to the present

allegations, for my part the data processing was ended, eliminating the form
and those data that had been collected by this means.

Third. - Having said the above, it is worth noting that this part had developed the
appropriate form where the requirements of the RGPD were complied with, but at the
appear to be due to a computer error that we were not warned about by anyone, could have occurred

the situation imputed to me. Insist on the lack of intentionality on my part in the
commission of the facts. […] "

EIGHTH: On June 12, 2020, the procedure instructor agreed to the
opening of a period of practical tests, taking as incorporated the

claim submitted by the claimant and his documentation, the documents
obtained by the General Subdirectorate for Data Inspection and the allegations
presented by the claimed.

NINTH: On August 5, 2020, the website *** URL.1 is accessed with

object of verifying what is stated by the claimed in his allegations.

TENTH: On September 18, 2020, a resolution proposal was formulated,
proposing that a penalty of warning be imposed on the defendant, for a
infringement of article 13 of the RGPD, typified in article 83.5 of the same rule.

The defendant has not submitted allegations to this proposal.

C / Jorge Juan, 6
28001 - Madrid 3/9

In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,


FIRST: The web page *** URL.1 provided me with a data collection form
personal data of possible people interested in the candidacy project
elections to the elections of the Official College of Graduates of E. F. and Sciences of

the Physical and Sports Activities of Madrid held on September 6, 2019
without having a Privacy Policy.

SECOND: B.B.B. with NIF *** NIF.1.

THIRD: The respondent asserts that he has withdrawn the aforementioned form and post
end of data processing.

FOURTH: It is proven, after the verification carried out on August 4,
2020, that the data collection form has been effectively withdrawn.

                            FOUNDATIONS OF LAW


By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Agency for Data Protection is competent to resolve this


The defendant is charged with committing an offense for violation of article 13

of the RGPD, regarding the information that must be provided when the data is
obtained from the interested party, which establishes that:

"one. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide

all the information indicated below:

a) the identity and contact details of the person in charge and, where appropriate, their
b) the contact details of the data protection officer, if applicable;

c) the purposes of the treatment to which the personal data are destined and the legal basis
of the treatment;

C / Jorge Juan, 6
28001 - Madrid 4/9

d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person in charge or a third party;

e) the recipients or categories of recipients of the personal data, in their

f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of

adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.

2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:

a) the period during which the personal data will be kept or, when it is not

possible, the criteria used to determine this period;

b) the existence of the right to request the data controller access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability

of the data;

c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the

consent prior to its withdrawal;

d) the right to file a claim with a supervisory authority;

e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide

personal data and is informed of the possible consequences of not
provide such data;

f) the existence of automated decisions, including profiling, to be
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information

significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.

3.When the controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the

interested party, prior to said further processing, information on that other purpose
and any additional pertinent information pursuant to section 2.

C / Jorge Juan, 6
28001 - Madrid 5/9

4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
to the extent that the interested party already has the information. "

The violation of this article is classified as an infringement in article 83.5 of the RGPD,
which it considers as such:

"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of up to EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the

total annual global business volume of the previous financial year, opting for
the highest amount:

[…] B) the rights of the interested parties pursuant to Articles 12 to 22; […]. "

For the purposes of the statute of limitations for the offense, article 72.1 of the LOPDGDD

"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein, and, in particular, the


[…] H) The omission of the duty to inform the affected party about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the Regulation
(EU) 2016/679. […] ”.


In accordance with the evidence available in the present

sanctioning procedure, it is considered that the website, responsibility of the claimed, kept a form
collection of personal data without providing in any way the information that
establishes article 13 of the RGPD.

Regarding the allegations presented by the defendant - in which

points out that there had been no intentionality on his part, the form had been
originally designed in compliance with the provisions of the RGPD and that for a
computer error had occurred the events object of the present procedure (without
provide evidence in this regard) -, it should be noted that article 5.1.a) of the RGPD
states the principle of "lawfulness, loyalty and transparency", a principle on which the

Recital 39: «All processing of personal data must be lawful and fair. For
it must be fully clear to natural persons that they are collecting, using,
consulting or otherwise processing personal data that concerns them, as well as
the extent to which such data is or will be processed. The principle of transparency
requires that all information and communication regarding the processing of said data be

easily accessible and easy to understand, and that simple and clear language is used.
This principle refers in particular to the information of the interested parties about the
identity of the person responsible for the treatment and the purposes of the same and the information
added to ensure fair and transparent treatment with respect to people

C / Jorge Juan, 6
28001 - Madrid 6/9

affected individuals and their right to obtain confirmation and communication of the data
personal that concern them that are object of treatment. Natural persons
must be aware of the risks, rules, safeguards and rights

relating to the processing of personal data as well as the way to enforce their
rights in relation to the treatment. In particular, the specific purposes of the
processing of personal data must be explicit and legitimate, and must
be determined at the time of collection. Personal data must be
adequate, relevant and limited to what is necessary for the purposes for which they are
treaties. This requires, in particular, to ensure that its use is limited to a strict minimum.

conservation period. Personal data should only be processed if the purpose of the
treatment could not reasonably be accomplished by other means. To ensure that
personal data is not kept longer than necessary, the person responsible for the
Treatment must establish deadlines for its deletion or periodic review. Must
all reasonable measures are taken to ensure that they are rectified or deleted

personal data that is inaccurate. Personal data must be a
a way that ensures adequate data security and confidentiality
personal data, including to prevent unauthorized access or use of said data and
of the equipment used in the treatment. "

Recital 60 links the duty of information with the principle of transparency,

by establishing that “The principles of fair and transparent treatment require that
inform the interested party of the existence of the treatment operation and its purposes. The
data controller must provide the interested party with all the information
is necessary to guarantee fair and transparent treatment,
taking into account the specific circumstances and context in which the

personal information. The interested party must also be informed of the profiling
and the consequences of such elaboration. If personal data is obtained from
interested parties, should also be informed if they are obliged to provide them and of the
consequences if they do not […] '. In this order, article 12.1 of the
RGPD regulates the conditions to ensure its effective implementation and article 13

specifies what information should be provided when the data is obtained from the
interested. In turn, article 11 LOPDGDD introduces the information rule by
layers when you have:

"one. When personal data is obtained from the affected party, the person responsible for the
treatment may comply with the duty of information established in article

13 of Regulation (EU) 2016/679, providing the affected party with basic information to the
referred to in the following section and indicating an email address or other
means that allows easy and immediate access to the rest of the information.

2. The basic information to which the previous section refers must contain, at the


a) The identity of the person responsible for the treatment and their representative, if applicable.

b) The purpose of the treatment.

c) The possibility of exercising the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679. […] »

C / Jorge Juan, 6
28001 - Madrid 7/9

Thus established the duty of information and the obligation, on the part of the person responsible for
carry out a transparent treatment, it cannot be ignored that article 5.2
of the RGPD establishes that «the data controller will be responsible for the

compliance with the provisions of section 1 and capable of demonstrating it
(“Proactive responsibility”) ». This means that, according to Articles 24 and 25
of the same legal text, the person in charge must guarantee the effective application of the
principles of treatment both at the time of determining the means of
treatment as during the treatment itself through the joint of a series
of measures, which must be periodically reviewed and updated.

This being the case, and even though in the present case the defendant had
proceeded, at the time of determining the means to design and implement
measures in accordance with guaranteeing compliance with the principle of transparency and
duty of information, this would not exempt you from continuing to be responsible for the effectiveness

of these measures during the entire time in which the collection and
processing of personal data, especially when in this case there has not been a
commissioning of the treatment to other actors.


The corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, are established in article 58.2 of the RGPD. Between
They have the power to sanction with warning - article 58.2 b) -, the
Power to impose an administrative fine in accordance with article 83 of the RGPD

-article 58.2 i) -, or the power to order the person in charge of the treatment
that the processing operations comply with the provisions of the RGPD, when
proceed, in a certain way and within a specified period - article 58. 2
d) -.

According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine

Likewise, without prejudice to the provisions of article 83, the aforementioned RGPD provides the
possibility of sanctioning with warning, in relation to what is indicated in the

Recital 148:

"In the event of a minor offense, or if the fine likely to be imposed
constitutes a disproportionate burden for an individual, rather than
sanction by fine may be imposed a warning. It must however

pay special attention to the nature, severity and duration of the offense, its
intentional character, to the measures taken to alleviate the damages suffered,
the degree of responsibility or any relevant prior infringement, the way in which
that the supervisory authority has had knowledge of the infraction, to the fulfillment
of measures ordered against the person in charge or in charge, adherence to codes of

conduct and any other aggravating or mitigating circumstance. "

In the present case, when deciding the sanction to impose, they have taken into account
counts the following elements:

C / Jorge Juan, 6
28001 - Madrid 8/9

 That it is a natural person whose main activity is not related to the
processing of personal data.

 That no recidivism is appreciated, as the commission of infractions is not recorded

Therefore, it is considered that the sanction that would correspond to impose is

warning, in accordance with the provisions of article 58.2 b) of the RGPD, in
relation to what is stated in Considering 148, cited above.

Therefore, in accordance with the applicable legislation and the criteria of

graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for an infraction of article 13 of the

RGPD, typified in article 83.5 of the RGPD, a sanction of APERCIBIMENTO.

SECOND: NOTIFY this resolution to B.B.B. and inform A.A.A ..

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [
web /], or through any of the other records provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

C / Jorge Juan, 6
28001 - Madrid 9/9

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid