AEPD (Spain) - PS/00178/2022
From GDPRhub
| AEPD - PS/00178/2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(1) GDPR Article 4(2) GDPR Article 5(1)(c) GDPR Article 6 GDPR Article 83(5)(a) GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 20,000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS/00178/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Giovanna Lahude |
The DPA fined the controler 20,000 for violation article 6 GDPR and held that a controller processed its employees’ and unaware customers’ personal data in a disproportionate manner without a legitimate legal basis using with audio recording.
English Summary
Facts
MUXERS CONCEPT, S.L. (the controller) is the owner of a restaurant. In 2020, the Judicial Police received complaints lodged by five workers of the restaurant related to the discovery of an audio recording system in the company's toilet, where their lockers were also located, hidden in a false ceiling, as well as camera of video surveillance, plugged in and in conditions of use. The public entity collected evidence by photographing the placement of thesuch hidden devices. Then, in November of 2020, the National Police lodged a complaint against the controller with the Spanish DPAAgency for the Protection of Data (Agencia Española de Protección de Datos - AEPD). In 2021, another restaurant employee lodged a complaint against the controller with the Spanish DPA, stating that video and sound recording devices werehad been placed in the employees’ changing room. Further, the AEPD proceeded to investigate the facts by requesting diligences and, on the 20th of 20 May of 2022, the DPA Director of the Spanish Agency for the Protection of Data decided to initiate a sanctioning proceedings against the controller for the alleged infringement of Article 6 GDPR, typified in Article 83(5)(a) GDPR. It qualified as a grave violation, according to the prescription of Article 72(1)(b), of the Spanish Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'). On PS/00178/2022, Tthe AEPD considered as proven facts that the controller had been carrying out, since 2018, personal data processing activities by capturing and recording images and sound of voices of employees and customers, through video and audio surveillance. The controller only informed workers that their images, captured by video cameras, could be used to control and comply with obligations and labour rights, but not about the recording through audio devices, neither had the customers of such establishment been informed of their voices’ recordings.
Holding
At first, considering that the image and the voice of a person fall within the provision of Article 4(1) GDPR, as well as the processing activity falls within the concept provided on Article. 4(2) GDPR, the capture of those by a system of camera and audio recording devices is subject to the enforcement of GDPR. Thus, the Spanish DPA stressed that any processing must meet the criteria ofn Article 5(1)(c) GDPR, and, in that case, the system violated the principle of data minimiszation, given that the personal data of employees had been processed in a disproportionate manner by means of capture of their images and sounds in private spaces, such as changing rooms and lockers in their workplace. At second, the same reasoning expressed above, in relation to the infringement of the principle of data minimiszation, was also referred to concerning the violation of the prohibition stated ion Article 89(2) of the national LOPDGDD law, particularly considering that one of the microphones was installed in the office used by the workers in a hidden way. The Spanish DPA held, also, that there was no consideration by the controller of the relevance of the risks measured against the limits of proportionality and minimum intervention, which would have allowed the recording of sounds, according to Article 89(3) LOPDGDD. At third, as it had been proven, that the system included the installation of hidden microphones in the entrance to the restaurant and in the room where the tables and bar of the establishment were placed, resulting in recording of voices of unaware and uninformed customers. The Spanish DPA noted that the controller did notn’t consider the decision of the Spanish Constitutional Court, dated of 10/04/2000 (2000/98) and delivered in Rec. No. 4015/1996, according to which the recording of conversations among workers or between them and customers is not justified on the basis of employers’ compliance with its legal obligations or duties. Therefore, the AEPD concluded that the voice recording of voices of employees (in a hidden manner) and of (unaware) customers of the controllers’ restaurant had no valid legal basiswas not valid by any legal basis or argument raised concerning the video surveillance (mere image recording), which implied in a greater intrusion on subjects’ personal data protection and in a violation by sound processing without a legitimate basis of Article 6 GDPR. When determining the amount of the fine imposed, the Spanish DPA considered, as aggravating factors based on the provision of Article 83(2)(a) GDPR, the duration of the infringement, given that the placement of voice recording devices dated back to 2018, and the significant number of personal data subjects affected by the violation, concerning all employees and customers of the controller. On the other hand, based on Article 83(2)(k) GDPR, the status of small business (SME) and its turnover were considered mitigating factors. As a result, the imposed fine amounted to €20,000 byfor a violation of Article 6 GDPR.
Comment
The decision of Spanish DPA on PS/00178/2022 conveys an important element to consider when analyszing the legitimacy of personal data processing in the workplace, that is the confiormation of the legal bases on Article 6 simultaneously to the principles prescribed ion Article 5 GDPR, highlighting the importance of taking into account the proportionality and necessity of employees’ sound recording, in that case processed by a combination of devices amounting to a system of surveillance, consisting not only in mere image collection and recording by video cameras. One valuable resource that could be useful in supporting such analysis is the specific guidance provided by the AEPD related to the protection of personal data in employment relation, available here.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00178/2022
RESOLUTION OF PUNISHMENT PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: The General Police Directorate, Moncloa-Aravaca Police Station (in
successive National Police), dated 11/16/2020 filed a claim with the
Spanish Data Protection Agency against the entity MUXERS CONCEPT,
SL, with NIF B87345369 (hereinafter, the claimed party or MUXERS). The motives
on which the claim is based are as follows:
The National Police gives an account of the complaint made before the Police Group
Judicial by five workers of a restaurant belonging to the claimed party,
for the “finding of an audio recording system in the company locker room”,
hidden in a false ceiling; as well as the proceedings instituted for that reason.
Provides a copy of the complaints outlined, in which the complainants declare having
found in the employee toilet, where their lockers are also located, a
alleged video surveillance camera and sound recorder, plugged in and on
conditions of use (three of the five complaints refer only to a
microphone). They also state that they were not informed about the installation of
These devices.
The National Police also provides a copy of a record, dated 10/27/2020, extended to
proceed to the intervention of a "Microphone with number Air Space AA003", and
photographs showing the location of this device in a false ceiling. According to
It is stated in this Act that the interested person who witnesses the intervention of the Police
Nacional states “that the seized microphone is owned by the company Muxers
Concept, SL, CIF…”.
On the other hand, on 04/20/2021, a claim filed by AAA was received
(hereinafter, the complaining party), also directed against the entity MUXERS, in the
stating that on 10/27/2020, in the company of other colleagues,
discovered at his workplace (the same one referred to in the claim of the
National Police) “the placement of audio/video recording cameras in the toilets
corresponding to the changing rooms of the workers”.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the claim received from the National Police was transferred
to the claimed party, so that it could proceed with its analysis and inform this Agency in
within a month, of the actions carried out to adapt to the requirements
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/18
provided for in the data protection regulations.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
(hereinafter, LPACAP) by electronic notification, was not collected by
the person in charge, within the period of making available, understanding rejected
in accordance with the provisions of art. 43.2 of the LPACAP on 12/20/2020, as stated
in the certificate that works in the file.
Although the notification was validly made by electronic means, assuming
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, by way of
informative, a copy was sent by mail that was reliably notified in
date 01/18/2021. In said notification, he was reminded of his obligation to relate
electronically with the Administration, and they were informed of the means of access to
said notifications, reiterating that, in the future, it would be notified exclusively
by electronic means.
On 02/17/2021, this Agency received a response letter provided by the
Respondent, stating the following:
The system, which was installed by the entity Teknometric Biometric Solutions and New
Technologies, SL (Teknometric) on 06/20/2018, has 22 cameras within
of the premises, 2 exterior cameras on the facade, 1 recording equipment and 4 microphones of
preamplified audio, without any device in the locker room or in the
toilets.
On the existence of a contract by which a third party is commissioned to view and/or
listening to the images and/or audios, informs that there is a contract with the company
“Stop Alarma since the installation corresponds to the video surveillance system”. I know
attached contract and certificate of connection to alarm center and video certificate
check with that company.
In relation to the purpose of the installation of video surveillance equipment, it indicates that
Said purpose is “the access control of people, merchandise… security of the
goods and people”. In this regard, it notes that a written communication was made to
the workers since the opening and the letters signed in agreement by
each worker about the placement, its nature and its location.
Regarding the causes that gave rise to the claim, the respondent adds that the
rarefaction of the labor relationship caused by the reduction of working hours of the
workers and not having collected the amounts owed by the partial ERTE, motivated
that the workers raised the false ceiling and dragged the micro from the office (where if
there is a microphone) and they will take him to the locker room area, not to the bathrooms, and from there all the
controversy.
Additionally, all the workers have criminally denounced the owner of the
company, and there have been dismissals with the corresponding lawsuits in the Court
of the Social.
There are complaints by the company against the aforementioned workers for this
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/18
incident, which led to the dismissal of some of them, among others the manager who
abandoning her functions, she admitted the entry of people outside the premises and
he hatched a whole plan in order to ask for money by all means, as it has been.
Attached are the complaints from the company, the letters reducing the working day, which
explain the real reasons for this matter, which has nothing to do with the
placement of cameras or microphones since the company has never placed them and
appears on the location map from the first day of opening of the premises and the
communication to female workers since August 2018.
Therefore, according to the respondent, it is difficult for the workers to say, as
say they were unaware of the location of the security systems when they were
knowledgeable from the beginning of its existence, purpose, location, etc.
For more details, the lawyer of one of the complainants has asked the company
35,000 euros for this compensation issue for not going to trial.
Everything along the lines that we have said of pressuring the company to compensate the
workers or to reinstate them.
With his response, he provides the following relevant documentation:
. Location map of the cameras and microphones (22 interior cameras, 2
exterior cameras, 1 recording equipment, 4 audio microphones
preamps). According to this plan, prepared by Teknometric, the microphones
they are installed at the entrance to the restaurant, in the room where they are located
the tables and bar of the establishment (more than XX tables of different dimensions
-between and six stalls- and 12 bar stalls), in an office and in a room of
small size whose use is not specified in the plan.
. Camera location photos
. Provide a photograph in which the existence of an informative poster can be seen
of the existence of the cameras, located inside the premises.
. Provides an invoice from the installer of the Teknometric cameras, detailing
the installed system, made up of 22 interior cameras, 2 exterior cameras, a recorder
video surveillance and 4 audio outputs with hard disk, and "4 hidden microphones
preamplified”; and technical report issued by this same entity on the
installation of these devices on 06/20/2018. This report indicates
that MUXERS was informed “of the regulations and legality regarding the notice of
their employees before the placement of audio microphones”.
. "Video verification certificate" and "Certificate of connection to alarm center"
issued by the entity Stop Alarmas, SLU The latter includes a section
called "Verification" in which the "Sequential" options are marked,
Image” and “Bidirectional”. The “Audio” option is not checked.
. 10 documents dated 08/20/2018, with the label “Communication to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/18
worker of the existence of video surveillance cameras whose images can
be used to control labor obligations and duties”. to information
contained in these documents is excerpted in the Fourth Proven Fact.
. Complaint filed with the National Police by the administrator of the entity
MUXERS, for damage caused to the staff locker room on the date
10/27/2020 (“the roof is broken and the microphone cables that were in the
inside hanging”). This document contains the manifestations of the
complainant. Among them, the following:
"That the complainant states that they are microphones, that in the employment contract comes
specified the audio and video recording, and that they themselves have signed”.
“That at 1:20 p.m. another indicative of the National Police comes to
seize the microphone from the locker room, all of which is reflected in a Record of
Intervention of Effects of which they deliver a copy to the complainant”.
THIRD: On 02/22/2021, in accordance with article 65 of the LOPDGDD,
The claim filed by the National Police was admitted for processing.
Similarly, the claim made by the claimant was admitted for processing in
date 05/07/2021.
FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
question, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:
. A request for information was sent to the claimed party, by postal mail
Addressed to the same address where the notification of the outlined transfer was made
in the previous Antecedent, without in this case the notification could be practiced
(it was returned with the indication "unknown").
. The National Police, on 12/03/2021, informed the Inspection Services that
the police report of the Moncloa-Aravaca Police Station, has led to the opening
Preliminary Proceedings No. ***PROCEEDINGS.1, followed up in the Court of Instruction No.
XX of Madrid.
. Requested information from the aforementioned Court of Instruction on the possible
responsibility of the claimed party in the installation of the devices of
audio and video recording in the changing rooms and toilets used by the workers of the
establishment to which the claims refer, no reply was received from
said court during the period of these investigative actions.
Thus, it was agreed to declare the expiration of the aforementioned prior actions of
research and open new research actions, as well as incorporate the
same the documentation that integrates the expired actions.
The response from the Investigating Court was received on 01/26/2022, stating
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/18
reports that what has been done to date (01/18/2022) in the Procedure
Abbreviated that follows under the number ***DILIGENCIAS.1, "the
responsibility of the entity MUXERS CONCEPT, SL”.
FIFTH: On 05/13/2022, by the General Subdirectorate for Data Inspection
You can access the information related to the MUXERS entity in “Axesor” (“Informe
monitor”). (...).
SIXTH: On 05/20/2022, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against the MUXERS entity, in accordance with the
provided in articles 63 and 64 of the LPACAP, for the alleged violation of article
6 of the RGPD, typified in article 83.5.a) of the aforementioned Regulation; and rated as
very serious for prescription purposes in article 72.1.b) of the LOPDGDD.
In the opening agreement it was determined that the sanction that could correspond,
attended the existing evidence at the time of opening and without prejudice to what
resulting from the instruction, would amount to a total of 20,000 euros (twenty thousand euros).
The notification of this opening agreement to the claimed party, in which
granted a term to formulate allegations and propose evidence, it was sent by means of the
Electronic Notification Service, although it was not collected by the
claimed within the period of availability.
Although the notification was validly made by electronic means, assuming
carried out the procedure in accordance with the provisions of article 41.5 of the LPACAP, with
date 06/09/2022 a new notification attempt was made by post, being
returned the shipment due to an incorrect address, even though it was addressed to the
registered office of the entity that appears in the Mercantile Registry.
Likewise, on 06/23/02022, a document was published in the Official State Gazette
announcement of notification of the opening of proceedings. In said announcement, it is informed
the party complained against about the possibility of obtaining a copy of the opening agreement.
SEVENTH: Notification of the aforementioned start-up agreement in accordance with the established rules
in the LPACAP and after the term granted for the formulation of allegations,
has verified that no allegation has been received by the respondent party.
Article 64.2.f) of the LPACAP - provision of which the respondent was informed
in the agreement to open the procedure - establishes that if no
allegations within the stipulated period on the content of the initiation agreement, when
it contains a precise statement about the imputed responsibility,
may be considered a resolution proposal. In the present case, the agreement
beginning of the sanctioning file determined the facts in which the
imputation, the infraction of the RGPD attributed to the claimed and the sanction that could
prevail. Therefore, taking into consideration that the respondent has not
formulated allegations to the agreement to initiate the file and in attention to what
established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is
considered in this case proposed resolution.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/18
In view of everything that has been done, by the Spanish Data Protection Agency
In this proceeding, the following are considered proven facts:
PROVEN FACTS
1. the MUXERS entity is responsible for the video surveillance system installed in the
premises in which it carries out its activity on 06/20/2018. It's about a
establishment open to the public dedicated to restoration.
2. The video surveillance system outlined in the First Proven Fact, in addition to
video surveillance cameras, has four audio microphones
preamplified, installed at the entrance to the restaurant, in the room where they are
located the tables and bar of the establishment (more than 30 tables of different
dimensions -between and six seats- and 12 bar seats), in an office and in a
small room whose use is not specified.
This system has a video surveillance recorder and 4 audio outputs with
HDD.
3. The intended purpose of installing this equipment is access control
of people and goods, the safety of goods and people, as well as the
control of labor obligations and duties.
4. At the time of the installation of the video surveillance system, the entity MUXERS
provided its workers with an informative document with the label "Communication to the
worker of the existence of video surveillance cameras whose images can be
used to control labor obligations and duties”. According to these documents,
the party claimed informs the worker who signs it as follows:
“In accordance with Law 5/1999… INFORMS… (name and surname of the worker) of the
recording through video cameras in the internal and external facilities of the company of
which is a treatment responsibility of Muxers Concept, SL in which they remain
stored his personal data, including his image and sound obtained, recorded and
captured through cameras and video cameras, for the following purposes:
I. Surveillance
Internal and external surveillance of the company's facilities..., in order to provide
compliance with the security operation and to prevent risks that affect the security and
protection of people, premises and patrimonial assets as well as to denounce, when
necessary, made before the competent authorities or meet requirements of the
themselves.
II. Quality and work performance
Control of the quality and labor performance of the workers as well as verification of the
fulfillment by… (name and surname of the worker) of their obligations and duties
labor.
III. disciplinary sanctions
The images and sound captured by the video surveillance cameras may be used to
the detection by Muxers… of criminal acts or labor offenses included in the agreement
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/18
collective… as evidence when sanctioning
…the technical instruments used…respect the right to privacy, within the
legitimate exercise of the power of business surveillance.
5. Due to complaints made by restaurant workers, the
The National Police appeared at the MUXERS establishment and drew up a record dated
10/27/2020, extended to proceed with the intervention of a “Microphone with
Air Space numbering AA003”. This document includes some photographs in which
the location of this device is seen in a false ceiling. As stated in these Minutes,
the interested person who, on behalf of MUXERS, witnesses the intervention
of the National Police states “that the seized microphone is property of the
company Muxers Concept, SL, CIF…”.
In its response to the claim transfer process, MUXERS stated that the
microphone intervened by the National Police was in the office set up in the
establishment.
FOUNDATIONS OF LAW
Yo
In accordance with the powers that article 58.2 of the RGPD grants to each authority of
control and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law
3/2018, of December 5, on the Protection of Personal Data and guarantee of the
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures.
II
Image and voice are personal data
The physical image and voice of a person, in accordance with article 4.1 of the RGPD, are a
personal data and its protection, therefore, is the subject of said Regulation. In the article
4.2 of the RGPD defines the concept of "treatment" of personal data.
Images and voice captured by a camera or video camera system are data
of a personal nature, so its treatment is subject to the regulations of
Data Protection.
It is, therefore, pertinent to analyze whether the processing of personal data (image and voice
of the workers in the establishment to which the claims refer, whose
ownership corresponds to the claimed party, and of the natural persons who attend
as customers to said establishment, open to the public) carried out through the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/18
denounced video surveillance system is in accordance with the provisions of the RGPD.
III
Infringement
Article 6.1 of the RGPD establishes the assumptions that allow the legalization of the
treatment of personal data.
The permanent installation of a video camera system for reasons of
Security has a legitimate basis in the LOPDGDD, whose explanatory statement indicates:
“Together with these assumptions are included others, such as video surveillance… in which the legality of the
treatment comes from the existence of a public interest, in the terms established in the
article 6.1.e) of Regulation (EU) 2016/679”.
Regarding the treatment for video surveillance purposes, article 22 of the LOPDGDD
establishes that natural or legal persons, public or private, may carry out
carry out the processing of images through camera systems or video cameras
in order to preserve the safety of people and property, as well as their
installations.
This same article 22, in its section 8, provides that "The treatment by the
employer of data obtained through camera systems or video cameras
subject to the provisions of article 89 of this organic law.
On the legitimacy for the implementation of video surveillance systems in the field
employment, Royal Legislative Decree 1/1995 of 03/24 is taken into account, approving
the revised text of the Workers' Statute Law (LET), whose article 20.3
points out:
"3. The employer may adopt the measures that he deems most appropriate for surveillance and control.
to verify compliance by the worker with his labor obligations and duties,
keeping in its adoption and application the consideration due to its dignity and taking into account
account, where appropriate, the real capacity of workers with disabilities.
The surveillance and control measures admitted include the installation of
security cameras, although these systems must always respond at the beginning
of proportionality, that is, the use of video cameras must be proportional to the purpose
pursued, this is to guarantee the security and fulfillment of the obligations and
job duties.
Article 89 of the LOPDPGDD, specifically referring to the "right to privacy
against the use of video surveillance and sound recording devices in the place
of work” and the treatment of personal data obtained with camera systems or
video cameras for the exercise of control functions of workers, allows
that employers can treat the images obtained through systems of
cameras or video cameras for the exercise of control functions of the
workers or public employees provided, respectively, in article 20.3
of the Workers' Statute and in the public function legislation, provided that
These functions are exercised within their legal framework and with the limits inherent to the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/18
same.
In relation to the recording of sounds, the aforementioned article 89 of the LOPDGDD
sets the following:
"two. In no case will the installation of sound recording systems or
video surveillance in places intended for rest or recreation of workers or
public employees, such as changing rooms, toilets, dining rooms and the like.
3. The use of systems similar to those referred to in the previous sections for the
recording of sounds in the workplace will be allowed only when they are relevant
risks to the safety of facilities, assets and people arising from the activity
that is developed in the workplace and always respecting the principle of proportionality,
the minimum intervention and the guarantees provided for in the previous sections. suppression
of the sounds preserved by these recording systems will be made according to what
provided in section 3 of article 22 of this law.”
On the other hand, it is interesting to note that, according to the doctrine of the Constitutional Court, the
Recording of conversations between workers or between them and customers is not justified
for verification of compliance by the worker with his obligations or duties.
In Judgment dated 04/10/2000 (2000/98), issued in rec. no. 4015/1996, it
declares the following:
“In this sense, it must be taken into account that the managerial power of the employer,
essential for the smooth running of the productive organization and expressly recognized
in art. 20 LET, attributes to the employer, among other powers, that of adopting the measures that
considers more opportune of vigilance and control to verify the fulfillment of the worker of
his labor obligations (art. 20.3 LET). But this faculty must occur in any case,
as is logical, within due respect for the dignity of the worker, as we expressly
It is recalled by labor regulations (arts. 4.2. and 20.3 LET)…
… it should be remembered that the jurisprudence of this Court has repeatedly insisted on the
full effectiveness of the fundamental rights of the worker within the framework of the relationship
employment, since this cannot imply in any way the deprivation of such rights for
those who provide service in productive organizations... Consequently, and as
this Court has also affirmed, the exercise of such rights only admits
limitations or sacrifices to the extent that it operates within an organization
that reflects other constitutionally recognized rights in arts. 38 and 33 EC and that
imposes, according to the assumptions, the necessary adaptability for the exercise of all of them...
For this reason, the premise from which the appealed Judgment starts, consisting of
affirm that the workplace does not constitute by definition a space in which the
right to privacy on the part of the workers, in such a way that the conversations that
keep workers among themselves and with customers in the performance of their work activity
are not covered by art. 18.1 EC and there is no reason why the company cannot
know the content of those, since the aforementioned right is exercised in the field of
worker's private sphere, which in the workplace must be understood as limited to the
places of rest or recreation, changing rooms, toilets or the like, but not those
places where work is carried out...
…Such an affirmation is rejectable, since it cannot be ruled out that also in those
places of the company in which the work activity is carried out may occur
illegitimate interference by the employer in the right to privacy of the
workers, such as the recording of conversations between a worker and a
client, or between the workers themselves, in which issues unrelated to the relationship are addressed
28001 – Madrid 6 sedeagpd.gob.es 10/18
work that are integrated into what we have called the sphere of development of the
individual (SSTC 231/1988, of December 2, FJ 4 and 197/1991, of October 17, FJ 3, by
all). In short, it will be necessary to attend not only to the place of the workplace where they are installed
by the company audiovisual control systems, but also to other elements of judgment (if
the installation is done or not indiscriminately and massively, if the systems are visible or have
been installed surreptitiously, the real purpose pursued with the installation of such
systems, if there are security reasons, due to the type of activity that takes place in the
work center in question, justifying the implementation of such means of control, etc.)
to elucidate in each specific case whether these means of surveillance and control respect the right
to the privacy of workers. Certainly, the installation of such means in places of
rest or recreation, changing rooms, toilets, dining rooms and the like is, a fortiori, harmful
in any case of the right to privacy of workers, without further consideration, for
obvious reasons... But this does not mean that this injury cannot occur in those places
where the work activity is carried out, if any of the exposed circumstances that
allows the business action to be qualified as an illegitimate intrusion into the right to privacy
from the workers. It will therefore be necessary to attend to the concurrent circumstances in the event
specifically to determine whether or not there is a violation of art. 18.1 EC.
…their limitation [of the fundamental rights of the worker] by the powers
business can only derive good from the fact that the very nature of work
contracted implies the restriction of the right (SSTC 99/1994, FJ 7, and 106/1996, FJ 4), either
an accredited need or business interest, without its mere invocation being sufficient to
sacrificing the fundamental right of the worker (SSTC 99/1994, FJ 7, 6/1995, FJ 3 and 136/1996,
FJ 7)…
These limitations or modulations must be those that are indispensable and strictly
necessary to satisfy a business interest worthy of guardianship and protection, in a
that if there are other possibilities of satisfying said interest that are less aggressive and affect the
right in question, it will be necessary to use the latter and not the more aggressive and
affecting. It is, in short, the application of the principle of proportionality...
The question to be resolved is, therefore, whether the installation of microphones that allow the recording of
conversations of workers and customers in certain areas... is adjusted in the event
that concerns us to the essential requirements of respect for the right to privacy. To the
In this regard, we must begin by pointing out that it is indisputable that the installation of
capture and recording of sound in two specific areas... it is not without utility for the
business organization, especially if one takes into account that these are two areas in which
significant economic transactions take place. Now, the mere utility
or convenience for the company does not simply legitimize the installation of hearing aids and
recording, given that the company already had other security systems than the
hearing system is intended to complement…
In summary, the implementation of the audition and recording system has not been in this case
in accordance with the principles of proportionality and minimum intervention that govern the modulation
of fundamental rights by the requirements of the interest of the organization
business, because the purpose pursued (to give a plus of security, especially before
possible claims from customers) is disproportionate to the sacrifice that
It implies the right to privacy of workers (and even customers...). This system
allows you to capture private comments, both from customers and workers...,
comments completely unrelated to business interest and therefore irrelevant from the
perspective of control of labor obligations, being able, however, to have
consecuencias negativas para los trabajadores que, en todo caso, se van a sentir constreñidos
de realizar cualquier tipo de comentario personal ante el convencimiento de que van a ser
escuchados y grabados por la empresa. Se trata, en suma, de una intromisión ilegítima en el
derecho a la intimidad consagrado en el art. 18.1 CE, pues no existe argumento definitivo que
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/18
autorice a la empresa a escuchar y grabar las conversaciones privadas que los trabajadores…
mantengan entre sí o con los clientes”.
Por otra parte, el tratamiento de datos personales está sometido al resto de los
principios del tratamiento contenidos en el artículo 5 del RGPD. Destacaremos el
principio de minimización de datos contenido en el artículo 5.1.c) del RGPD que
dispone que los datos personales serán “adecuados, pertinentes y limitados a lo
necesario en relación con los fines para los que son tratados”.
Esto significa que en un tratamiento concreto sólo pueden tratarse los datos
personales oportunos, que vengan al caso y que sean los estrictamente necesarios
para cumplir la finalidad para la que son tratados. El tratamiento debe ser ajustado y
proporcional a la finalidad a la que se dirige. La pertinencia en el tratamiento de los
datos debe producirse tanto en el momento de la recogida de los datos como en el
posterior tratamiento que se realice de los mismos.
Conforme a lo antedicho, debe restringirse el tratamiento de los datos excesivos o bien
procederse a la supresión de los mismos.
La aplicación del principio de minimización de datos al supuesto examinado comporta
que el sistema de cámaras o videocámaras instalado no pueda obtener imágenes o
sonidos afectando a la intimidad de los empleados, resultando desproporcionado
captar imágenes o sonidos en espacios privados, tales como vestuarios, taquillas o
zonas de descanso de trabajadores.
IV
Obligaciones en materia de videovigilancia
De conformidad con lo expuesto, el tratamiento de imágenes a través de un sistema
de videovigilancia, para ser conforme con la normativa vigente, debe cumplir los
requisitos siguientes:
1.- La personas físicas o jurídicas, públicas o privadas, pueden establecer un sistema
de videovigilancia con la finalidad de preservar la seguridad de las personas y bienes,
así como de sus instalaciones.
Se ha de valorar si la finalidad pretendida puede lograrse de otra forma menos
intrusiva para los derechos y libertades de los ciudadanos. Los datos personales solo
deben tratarse si la finalidad del tratamiento no pudiera lograrse razonablemente por
otros medios, considerando 39 del RGPD.
2.- Las imágenes obtenidas no puedan utilizarse para una finalidad ulterior
incompatible con la que motivó la instalación del sistema de videovigilancia.
3.- Se deberá cumplir con el deber de informar a los afectados previsto en los artículos
12 y 13 del RGPD, y 22 de la LOPDGDD.
En tal sentido, el artículo 22 de la LOPDGDD prevé en relación con la videovigilancia
un sistema de “información por capas”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/18
La primera capa ha de referirse, al menos, a la existencia del tratamiento
(videovigilancia), la identidad del responsable, la posibilidad de ejercitar los derechos
previstos en los artículos 15 a 22 del RGPD y dónde obtener más información sobre el
tratamiento de los datos personales.
Esta información se contendrá en un dispositivo colocado en un lugar suficientemente
visible y debe suministrarse por adelantado.
La información de la segunda capa debe estar disponible en un lugar fácilmente
accesible al afectado, ya sea una hoja informativa en una recepción, cajero, etc…,
colocada en un espacio público visible o en una dirección web, y ha de referirse al
resto de elementos del artículo 13 del RGPD.
4.- No pueden captarse imágenes de la vía pública, puesto que el tratamiento de
imágenes en lugares públicos, salvo que concurra autorización gubernativa, sólo
puede ser realizado por las Fuerzas y Cuerpos de Seguridad.
En algunas ocasiones, para la protección de espacios privados, donde se hayan
instalado cámaras en fachadas o en el interior, puede ser necesario para garantizar la
finalidad de seguridad la grabación de una porción de la vía pública.
Es decir, las cámaras y videocámaras instaladas con fines de seguridad no podrán
obtener imágenes de la vía pública salvo que resulte imprescindible para dicho fin, o
resulte imposible evitarlo por razón de la ubicación de aquéllas. Y, en tal caso
extraordinario, las cámaras sólo podrán captar la porción mínima necesaria para
preservar la seguridad de las personas y bienes, así como de sus instalaciones.
Las cámaras instaladas no pueden obtener imágenes de espacio privativo de tercero
y/o espacio público sin causa justificada debidamente acreditada, ni pueden afectar a
la intimidad de transeúntes que transiten libremente por la zona.
No está permitida, por tanto, la colocación de cámaras hacia la propiedad privada de
vecinos con la finalidad de intimidarlos o afectar a su ámbito privado sin causa
justificada.
En ningún caso se admitirá el uso de prácticas de vigilancia más allá del entorno
objeto de la instalación y en particular, no pudiendo afectar a los espacios públicos
circundantes, edificios contiguos y vehículos distintos de los que accedan al espacio
vigilado.
No pueden captarse ni grabarse imágenes en espacios propiedad de terceros sin el
consentimiento de sus titulares, o, en su caso, de las personas que en ellos se
encuentren.
Resulta desproporcionado captar imágenes en espacios privados, tales como
vestuarios, taquillas o zonas de descanso de trabajadores.
5.- Las imágenes podrán conservarse por un plazo máximo de un mes, salvo en
aquellos supuestos en que se deban conservar para acreditar la comisión de actos
que atenten contra la integridad de personas, bienes o instalaciones.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/18
En este segundo supuesto, deberán ser puestas a disposición de la autoridad
competente en un plazo máximo de 72 horas desde que se tuviera conocimiento de la
existencia de la grabación.
6.- El responsable deberá llevar un registro de actividades de los tratamientos
efectuados bajo su responsabilidad en el que se incluya la información a la que hace
referencia el artículo 30.1 del RGPD.
7.- El responsable deberá realizar un análisis de riesgos o, en su caso, una evaluación
de impacto en la protección de datos, para detectar los derivados de la implantación
del sistema de videovigilancia, valorarlos y, en su caso, adoptar las medidas de
seguridad apropiadas.
8.- Cuando se produzca una brecha de seguridad que afecte a los tratamientos de
cámaras con fines de seguridad, siempre que exista riesgo para los derechos y
libertades de las personas físicas, deberá notificarlo a la AEPD en un plazo máximo de
72 horas.
Se entiende por brecha de seguridad la destrucción, pérdida o alteración accidental o
ilícita de datos personales transmitidos, conservados o tratados de otra forma, o la
comunicación o acceso no autorizado a dichos datos.
9.- Cuando el sistema esté conectado a una central de alarma, únicamente podrá ser
instalado por una empresa de seguridad privada que reúna los requisitos
contemplados en el artículo 5 de la Ley 5/2014 de Seguridad Privada, de 4 de abril.
La Agencia Española de Protección de Datos ofrece a través de su página web
[https://www.aepd.es] acceso a:
. la legislación en materia de protección de datos personales, incluyendo el RGPD
y la LOPDGDD (apartado “Informes y resoluciones” / “normativa”),
. la Guía sobre el uso de videocámaras para seguridad y otras finalidades,
. la Guía para el cumplimiento del deber de informar (ambas disponibles en el
apartado “Guías y herramientas”).
También resulta de interés, en caso de realizar tratamientos de datos de bajo riesgo, la
herramienta gratuita Facilita (en el apartado “Guías y herramientas”), que, mediante
unas preguntas concretas, permite valorar la situación del responsable respecto del
tratamiento de datos personales que lleva a cabo, y en su caso, generar diversos
documentos, cláusulas informativas y contractuales, así como un anexo con medidas
de seguridad orientativas consideradas mínimas.
v
Infracción administrativa
La reclamación se basa en la presunta ilicitud del sistema de videovigilancia instalado
por la parte reclamada en el local donde desarrolla su actividad empresarial, en
relación con la grabación de sonidos.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/18
No resulta controvertido en este caso el hecho de que la parte reclamada es la titular y
responsable del sistema de videovigilancia denunciado y, por tanto, la responsable de
los tratamientos de datos que conlleva la utilización de dicho sistema. Y tampoco el
hecho de que entre los tratamientos de datos realizados se contempla la recogida y
almacenamiento de datos personales relativos a la voz de empleados y clientes.
Consta probado en las actuaciones, asimismo, que dicha instalación se realiza con
fines de seguridad y control laboral.
Por ese motivo, con fecha 20/08/2018, la parte reclamada comunicó a los trabajadores
afectados, entre los que figura la parte reclamante, la instalación del sistema de
videovigilancia, con captación y grabación de imágenes y sonido, “con la finalidad de
dar cumplimiento al operativo de seguridad y para prevenir riesgos que afecten a la
seguridad y protección de las personas, locales y bienes patrimoniales” y para el
“control de la calidad y rendimiento laboral de los trabajadores así como verificación
del cumplimiento… de sus obligaciones y deberes laborales”.
La parte reclamada no aporta justificación suficiente sobre estos tratamientos de datos
(grabación de sonidos). No tiene en cuenta la parte reclamada los limites previstos en
el artículo 20.3 de la Ley del Estatuto de los Trabajadores (LET); lo establecido en el
artículo 89.3 de la LOPDGDD, que admite la grabación de sonidos únicamente cuando
resulten relevantes los riesgos y respetando los principios de proporcionalidad e
intervención mínima; ni la doctrina del Tribunal Constitucional, ya expresada, según la
cual la grabación de conversaciones entre trabajadores o entre éstos y clientes no se
justifica por la verificación del cumplimiento por el trabajador de sus obligaciones o
deberes.
El citado artículo 89 de la LOPDGDD, más allá de la prohibición de utilizar estos
sistemas de videovigilancia y grabación de sonidos en “lugares destinados al
descanso o esparcimiento de los trabajadores o los empleados públicos, tales como
vestuarios, aseos, comedores y análogos”, expresamente y con carácter general,
establece el sometimiento de tales sistemas al marco legal y con los límites inherentes
al mismo, ya señalados anteriormente. Ello implica que no puede entenderse como
legítimo, sin más condición, cualquier sistema que no incluya aquellos espacios.
En este caso, además, consta que uno de los micrófonos se instaló en el office
utilizado por los trabajadores. Según ha quedado probado, el sistema incluyó la
instalación de cuatro micrófonos “ocultos”: en el acceso al restaurante, en la sala
donde están ubicadas las mesas y barra del establecimiento (más de 30 mesas de
distintas dimensiones -entre y seis puestos- y 12 puestos de barra), en un office y en
una estancia de pequeño tamaño cuyo uso no está especificado en el plano. Por tanto,
resulta que alguno de estos dispositivos podría vulnerar la prohibición de instalar
“sistemas de grabación de sonidos… en lugares destinados al descanso o
esparcimiento de los trabajadores…, tales como vestuarios, aseos, comedores y
análogos”, establecida en el citado artículo 89 de la LOPDGDD.
Por otra parte, en la información facilitada a los trabajadores se hace referencia a la
“facultada de vigilancia empresarial”. Sobre esta cuestión, relativa a las posibilidades
en cuanto a la adopción de medidas de vigilancia que atribuye al empresario su poder
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/18
de dirección, interesa destacar algunos de los aspectos declarados en la Sentencia del
Tribunal Constitucional de fecha 10/04/2000, reseñada en el Fundamento de Derecho
III:
“…esa facultad ha de producirse en todo caso, como es lógico, dentro del debido respeto a la
dignidad del trabajador, como expresamente nos lo recuerda la normativa laboral (arts. 4.2.ey
20.3 LET)…”.
“Debe por ello rechazarse… que las conversaciones que mantengan los trabajadores entre sí y
con los clientes en el desempeño de su actividad laboral no están amparadas por el art.
18.1…”.
“…su limitación [de los derechos fundamentales del trabajador] por parte de las facultades
empresariales sólo puede derivar bien del hecho de que la propia naturaleza del trabajo
contratado implique la restricción del derecho (SSTC 99/1994, FJ 7, y 106/1996, FJ 4), bien de
una acreditada necesidad o interés empresarial, sin que sea suficiente su mera invocación para
sacrificar el derecho fundamental del trabajador (SSTC 99/1994, FJ 7, 6/1995, FJ 3 y 136/1996,
FJ 7)…
Estas limitaciones o modulaciones tienen que ser las indispensables y estrictamente
necesarias…”.
“…la mera utilidad o conveniencia para la empresa no legitima sin más la instalación de los
aparatos de audición y grabación, habida cuenta de que la empresa ya disponía de otros
sistemas de seguridad que el sistema de audición pretende complementar…”.
Tampoco explica qué puede aportar la grabación de conversaciones entre los
trabajadores, entre sí, entre los trabajadores y los clientes, o de éstos últimos entre sí,
en orden a acreditar aquellas circunstancias, que no aporte la sola grabación de
imágenes.
Asimismo, Interesa destacar nuevamente que la grabación de sonidos incluye la voz
de clientes de la parte reclamada (dos dispositivos instalados en la zona de clientes,
en el acceso al restaurante y en la sala donde están ubicadas las mesas y barra del
establecimiento), los cuales no tienen conocimiento de la existencia de los micrófonos.
En consecuencia, en este caso, se entiende desproporcionada la captación de la voz
tanto de los trabajadores como de clientes de la parte reclamada para la función de
videovigilancia pretendida, para el control del cumplimiento por los trabajadores de sus
obligaciones y deberes laborales. Se tiene en cuenta que la grabación de voz supone
una mayor intromisión en la intimidad.
Se considera que la parte reclamada realizó tratamientos de datos sin disponer de
base legítima, vulnerando lo establecido en el artículo 6 del RGPD, por lo que podrían
suponer la comisión de una infracción tipificada en el artículo 83.5 del RGPD, que
dispone lo siguiente:
“Las infracciones de las disposiciones siguientes se sancionarán, de acuerdo con el apartado
2, con multas administrativas de 20 000 000 EUR como máximo o, tratándose de una empresa,
de una cuantía equivalente al 4 % como máximo del volumen de negocio total anual global del
ejercicio financiero anterior, optándose por la de mayor cuantía:
a) los principios básicos para el tratamiento, incluidas las condiciones para el consentimiento a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/18
tenor de los artículos 5, 6, 7 y 9;”.
A efectos del plazo de prescripción de las infracciones, la infracción señalada en el
párrafo anterior se considera muy grave conforme al artículo 72.1.b) de la LOPDGDD,
que establece que:
“En función de lo que establece el artículo 83.5 del Reglamento (UE) 2016/679 se consideran
muy graves y prescribirán a los tres años las infracciones que supongan una vulneración
sustancial de los artículos mencionados en aquel y, en particular, las siguientes:
b) El tratamiento de datos personales sin que concurra alguna de las condiciones de licitud del
tratamiento establecidas en el artículo 6 del Reglamento (UE) 2016/.79”
SAW
Sanction
El artículo 58.2 del RGPD establece:
“Cada autoridad de control dispondrá de todos los siguientes poderes correctivos
indicados a continuación:
(...)
d) ordenar al responsable o encargado de tratamiento que las operaciones de
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period;
(...)
i) imponer una multa administrativa con arreglo al artículo 83, además o en lugar de
las medidas mencionadas en el presente apartado, según las circunstancias de cada
caso particular”.
Según lo dispuesto en el artículo 83.2 del RGPD, la medida prevista en el artículo
58.2.d) del citado Reglamento es compatible con la sanción consistente en multa
administrativa.
Con respecto a las infracciones del artículo 6 del RGPD, atendiendo a los hechos
expuestos, se considera que la sanción que correspondería imponer es de multa
administrativa.
La multa que se imponga deberá ser, en cada caso individual, efectiva, proporcionada
y disuasoria, conforme a lo establecido en el artículo 83.1 del RGPD.
In order to determine the administrative fine to be imposed, the
previsiones del artículo 83.2 del RGPD y del artículo 76 de la LOPDGDD, respecto al
apartado k) del citado artículo 83.2 RGPD.
En este caso, se consideran las siguientes circunstancias como agravantes:
. Artículo 83.2.a) del RGPD: “a) la naturaleza, gravedad y duración de la infracción,
teniendo en cuenta la naturaleza, alcance o propósito de la operación de tratamiento
de que se trate así como el número de interesados afectados y el nivel de los daños y
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/18
perjuicios que hayan sufrido”.
. La duración de la infracción, considerando que la instalación de los dispositivos
de captación y grabación de voz tuvo lugar en agosto de 2018.
. El número de interesados: la presunta infracción afecta a todos los trabajadores
y clientes de la parte reclamada.
Por otra parte, se estima que concurren como atenuantes las circunstancias
siguientes:
. Artículo 76.2.b) de la LOPDGDD: “b) La vinculación de la actividad del infractor con la
realización de tratamientos de datos personales”.
La escasa vinculación de la parte reclamada con la realización de tratamientos de
datos personales, considerando la actividad que desarrolla.
. Artículo 83.2.k) del RGPD: “k) cualquier otro factor agravante o atenuante aplicable a
las circunstancias del caso, como los beneficios financieros obtenidos o las pérdidas
evitadas, directa o indirectamente, a través de la infracción”.
La condición de pequeña empresa de la parte reclamada y su volumen de negocio.
(...).
Considerando los factores expuestos, la valoración que alcanza la multa por la
Infracción del artículo 6 del RGPD es de 20.000 euros (veinte mil euros).
Therefore, in accordance with the applicable legislation and having assessed the criteria for
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:
PRIMERO: IMPONER A MUXERS CONCEPT, SL, con NIF B87345369, por una
infracción del Artículo 6 del RGPD, tipificada en el Artículo 83.5.a) del RGPD, una
multa de 20.000 euros (veinte mil euros).
SEGUNDO: NOTIFICAR la presente resolución a MUXERS CONCEPT, SL
THIRD: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) de la ley 39/2015, de 1 de octubre, del Procedimiento Administrativo
Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
de 17 de diciembre, mediante su ingreso, indicando el NIF del sancionado y el número
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency
Spanish Data Protection in the banking entity CAIXABANK, SA. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/18
voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
recurso contencioso administrativo ante la Sala de lo Contencioso-administrativo de la
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. También deberá trasladar a la Agencia la
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would end the precautionary suspension.
938-050522
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
