AEPD (Spain) - PS/00177/2021
|AEPD (Spain) - PS/00177/2021
|Article 13 GDPR
|INMOPISO ZARAGOZA, S.L.
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
The Spanish DPA fined a real estate company €2000, reduced to €1200, for failing to provide the information required by Article 13 GDPR when entering into a contract with a data subject.
English Summary[edit | edit source]
Facts[edit | edit source]
A data subject filed a complaint before the Spanish DPA (AEPD) against a real state company, that had allegedly not provided the information required by Article 13 GDPR when they formalized the first payment for an apartment, for which the data subject had provided personal data.
Holding[edit | edit source]
The AEPD determined that the collection of data for entering a real state contract entails processing of personal data. Therefore, the controller had the obligation to provide the information required by Article 13 GDPR. However, the controller had not provided the data subject such information. The controller only mentioned the former Data Protection Act from 1999, and did not inform about the rights that the data subject is entitled to under the GDPR.
Hence, the AEPD fined the controller €2000, reduced to €1200 because of an early payment and recognition of responsibility, for a violation of Article 13 GDPR. In order to determine the amount of the fine, the DPA took into account, the absence of previous sanctions on the controller, the lack of benefit obtained by the controller and the small size of the controller.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 Procedure No.: PS / 00177/2021 RESOLUTION R / 00450/2021 OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTARY In the sanctioning procedure PS / 00177/2021, instructed by the Spanish Agency for Data Protection to INMOPISO ZARAGOZA, S.L., considering the complaint presented by A.A.A., and based on the following, BACKGROUND FIRST: On May 27, 2021, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning procedure to INMOPISO ZARAGOZA, S.L. (hereinafter, the claimed), through the Agreement that is transcribed: << Procedure No.: PS / 00177/2021 AGREEMENT TO START THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Agency for Data Protection and in based on the following FACTS FIRST: A.A.A. (hereinafter, the claimant) dated December 16, 2020 filed a claim with the Spanish Data Protection Agency. The claim is directed against INMOPISO ZARAGOZA, S.L. with NIF B99514218 (in forward, the claimed one). The grounds on which the claim is based are that the claimant has provided a signal for the acquisition of a home and they have not provided any information in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/12 data protection matter on the processing of personal data provided. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 06637/2020, a transfer of said claim to the defendant on February 14, 2021, to proceed with its analysis and inform this Agency within a month, of the actions taken carried out to adapt to the requirements provided in the data protection regulations. This Agency receives the allegations of the defendant on March 18, 2021, but in they are found to refer to the old organic law on data protection 15/1999, currently repealed, and the information requirement is not met established in article 13 of the RGPD. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD) recognizes each control authority, and as established in the articles 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Data Protection Personal and digital rights guarantee (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate this procedure. Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of the Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in their development and, as long as they do not contradict them, in a subsidiary, by the general rules on administrative procedures. " II C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/3 Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons in what Regarding the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD), under the rubric "Definitions", provides that: "For the purposes of these Regulations, the following shall be understood as: 1) "personal data": any information about an identified natural person or identifiable ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, data from location, an online identifier or one or more elements of the identity physical, physiological, genetic, psychic, economic, cultural or social of said person; 2) "treatment": any operation or set of operations carried out on personal data or personal data sets, whether by procedures automated or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction; " Therefore, in accordance with these definitions, the collection of character data personal on the occasion of the formalization of a contract, constitutes a treatment of data, with respect to which the person responsible for the treatment must comply with the provided for in article 13 of the RGPD, providing the information that in said precept indicated. In relation to this matter, it is observed that the Spanish Agency for the Protection of Data is available to citizens, the Guide for the fulfillment of duty to inform (https://www.aepd.es/media/guias/guia-modelo-clausula-informativa.pdf) and, in case of low-risk data processing, the free tool Facilitates (https://www.aepd.es/herramdamientos/facilita.html). III Article 13 of the RGPD, precept in which the information that must provided to the interested party at the time of data collection, provides: "1.When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/12 d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate rights of the person in charge or of a third party; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third party country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this deadline; b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to be referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 3.When the data controller plans the further processing of data personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2. 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/12 For its part, article 11 of the LOPDGDD, provides the following: "1. When personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679, providing the affected party with basic information to the referred to in the following section and indicating an email address or other means that allows easy and immediate access to the rest of the information. 2. The basic information referred to in the previous section must contain, at the less: a) The identity of the person responsible for the treatment and their representative, if applicable. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679. If the data obtained from the affected party were to be processed for the preparation of profiles, the basic information will also include this circumstance. In this In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on him or her significantly affect in a similar way, when this right to agree with the provisions of article 22 of Regulation (EU) 2016/679. " IV By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for Data Protection, as a control authority, has a set of corrective powers in the event of an infringement of the precepts of the GDPR. Article 58.2 of the RGPD provides the following: “2 Each supervisory authority shall have all the following corrective powers listed below: (…) b) direct a warning to any person in charge or in charge of the treatment when the treatment operations have infringed the provisions of this Regulation; " (...) “D) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period; " “I) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;" Article 83.5.b) of the RGPD establishes that: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/12 "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the highest amount: b) the rights of the interested parties in accordance with articles 12 to 22; " In turn, article 74.a) of the LOPDGDD, under the heading "Violations considered mild provides: "They are considered minor and will prescribe a year the remaining offenses of character merely formal of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in particular, the following: a) Failure to comply with the principle of transparency of information or the right of the data subject for not providing all the information required by the articles 13 and 14 of Regulation (EU) 2016/679. " V In this case, it is stated that the information provided to the claimant by of the claimed, in relation to the processing of personal data on the occasion of the formalization of the contract object of this procedure, is obsolete, since it indicates that is governed by organic law 15/1999 on data protection, currently regulation repealed and does not include, among other aspects, the rights recognized in article 13 of the RGPD, indicated in the basis of law III. This being the case, in accordance with the evidence available at present moment of agreement of initiation of the sanctioning procedure, and without prejudice to what result of the investigation, the facts presented could constitute, on the part of the claimed, an infringement of the provisions of article 13 of the RGPD. SAW In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, provisions that state: "Each control authority will guarantee that the imposition of administrative fines in accordance with this article for infringements of this Regulation indicated in sections 4, 9 and 6 are effective in each individual case, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/12 proportionate and dissuasive. " "Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question as well such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in in particular if the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same issue, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the offense. " Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, "Sanctions and corrective measures", provides: "two. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account: a) The continuing nature of the offense. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/8 b) The linking of the activity of the offender with the performance of treatment of personal information. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have induced the commission of the offense. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party. " In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purpose of setting the amount of the fine impose in the present case the claimed entity as responsible for a infraction typified in article 83.5.b) of the RGPD, in an initial assessment, the following mitigating factors are considered concurrent: - The claimed has no prior infractions (83.2 e) RGPD). - Has not obtained direct benefits (83.2 k) RGPD and 76.2.c) LOPDGDD). - The claimed entity is not considered a large company. The penalty to be imposed on the claimed person should be graduated and set at the amount of € 1,500 for the violation of article 58.2 of the RGPD. Therefore, based on the foregoing, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/12 FIRST: INITIATE SANCTIONING PROCEDURE to INMOPISO ZARAGOZA, S.L. with NIF B99514218, in accordance with the provisions of article 58.2.b) of the RGPD, for the alleged infraction 13 of the RGPD, typified in article 83.5.b) of the GDPR SECOND: APPOINT R.R.R. as Instructor and as Secretary to S.S.S., indicating that any of them may be challenged, if applicable, in accordance with the established in articles 23 and 24 of Law 40/2015, of October 1, on the Regime Public Sector Legal (LRJSP). THIRD: INCORPORATE to the sanctioning file, for evidentiary purposes, the claim filed by the claimant and the documents obtained and generated by the Subdirectorate General for Data Inspection in relation to said claim; all of them are part of the file. FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the The corresponding penalty would be 2,000 euros (two thousand euros), without prejudice of what results from the instruction. FIFTH: NOTIFY this agreement to INMOPISO ZARAGOZA, S.L. with NIF B99514218, granting him a hearing period of ten business days to formulate the allegations and present the evidence that it deems appropriate. In his writing of allegations, you must provide your NIF and the procedure number that appears in the heading of this document. If within the stipulated period it does not make allegations to this initiation agreement, the same may be considered a resolution proposal, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP). In accordance with the provisions of article 85 of the LPACAP, in the event that the penalty to be imposed would be a fine, you may recognize your responsibility within the term granted for the formulation of allegations to the present initiation agreement; it which will entail a reduction of 20% of the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be established at 1600 euros, resolving the procedure with the imposition of this sanction. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/12 In the same way, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the penalty would be established at 1600 euros and its payment will imply the termination of the process. The reduction for the voluntary payment of the penalty is cumulative to the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is made manifest within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the preceding paragraph, it may be done at any time prior to the resolution. On In this case, if both reductions should be applied, the amount of the penalty would be set at 1200 euros. In any case, the effectiveness of either of the two mentioned reductions will be conditioned to the withdrawal or resignation of any action or remedy in administrative against the sanction. In case you choose to proceed to the voluntary payment of any of the amounts indicated above 1,600 or 1,200 euros, you must make it effective through your deposit in the account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for Data Protection in Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause of reduction of the amount to which welcomes. Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure according to the quantity entered. The procedure will have a maximum duration of nine months from the date of date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/12 Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Agency for Data Protection >> SECOND: On June 9, 2021, the defendant has proceeded to pay the sanction in the amount of 1200 euros making use of the two planned reductions in the Initiation Agreement transcribed above, which implies the recognition of the responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal in the process administrative against the sanction and the recognition of responsibility in relation to the facts to which the Initiation Agreement refers. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in art. 47 of Organic Law 3/2018, of 5 of December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction the infractions that are committed against said Regulation; infractions of article 48 of Law 9/2014, of May 9, General of Telecommunications (hereinafter LGT), in accordance with the provisions of the article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the information and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law. II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), under the rubric "Termination of sanctioning procedures" provides the following: "1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/12 2. When the sanction is solely of a pecuniary nature or it is possible to impose a pecuniary sanction and other non-pecuniary sanction but the inadmissibility of the second, the voluntary payment by the presumed responsible, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or to the determination of the compensation for damages caused by the commission of the offense. 3. In both cases, when the sanction is solely of a pecuniary nature, the competent body to resolve the procedure will apply reductions of, at least, 20% on the amount of the proposed sanction, these being cumulative among themselves. The aforementioned reductions must be determined in the notice of initiation of the procedure and its effectiveness will be conditional on the withdrawal or resignation of any action or appeal in administrative proceedings against the sanction. The percentage of reduction foreseen in this section may be increased regulations. In accordance with the above, the Director of the Spanish Agency for the Protection of Data RESOLVES: FIRST: DECLARE the termination of procedure PS / 00177/2021, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to INMOPISO ZARAGOZA, S.L .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. 936-031219 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es