AEPD (Spain) - PS/00239/2022: Difference between revisions

From GDPRhub
 
Latest revision as of 12:34, 13 December 2023

AEPD - ps-00239-2022
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 15 GDPR
Article 17 GDPR
Article 56(1) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Upheld
Started: 31.03.2020
Decided: 28.02.2023
Published:
Fine: 15,000 EUR
Parties: Norconsulting
National Case Number/Name: ps-00239-2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mapez

The Spanish DPA imposed fines of €10,000 and €5,000 on a controller for only partially responding to, and repeatedly ignoring, a data subject’s requests, in violation of Article 15 and Article 17 GDPR.

English Summary

Facts

On 15 January 2020, Norconsulting (the controller), a human resources company established in Spain with contractual relations with various ad platforms such as LinkedIn, Infojobs or Xing, sent an email to A.A.A., a data subject established in Germany (the data subject). The purpose of this email was to advertise targeted job offers to the data subject.

On the same day, the data subject wrote back to the controller and requested: (i) access to the information under Article 15(1); (ii) deletion of the data (Article 17); (iii) communication to the recipients of these data (Article 19); and (iv) deletion of these data from the sites where they have been published (Article 17(2)).

On 4 February 2020, the controller responded to the data subject, explaining that it had obtained the data subject’s contact through ad platforms to which the data subject was, or had been, registered. The controller stated that it would delete the data subject’s email from its files.

The data subject contacted the controller by email on 4 February, 15 March and 31 March 2020, stating that the response was not valid under the GDPR. On 31 March 2020, the data subject filed a complaint to the German DPA of Berlin on the matter. In accordance with Article 56(1) GDPR and in application of the procedural rules applicable to cross-border cases, the Berlin DPA transferred the case to the Spanish DPA, as lead supervisory authority.

In the course of the proceedings, the controller claimed that it had obtained the data subject’s email address from contractual partners with which the data subject had agreed to share their data. The controller also stated that it deleted the data subject’s email address after their request.

Holding

The Spanish DPA underlined that the focus of the legal proceedings was the exercise of the right of access and the right of erasure of the data subject, rather than the lawfulness of the processing carried out by the controller.

Right of access

The Spanish DPA found that the controller processed at least the data subject’s name, surname, e-mail address, professional profile and preferences in terms of job offers. The Spanish DPA held that the controller responded to the data subject’s first email in a generic manner, stating where the data came from, and did not answer any of the further emails of the data subject. Thus, the Spanish DPA found that the controller did not respond adequately to the data subject’s request, in violation of Article 15 GDPR.

The Spanish DPA considered the negligence of the controller to be an aggravating factor, as it did not respond to at least two further requests by the data subject. Furthermore, the Spanish DPA took into account the fact that the controller’s main activity was to process personal data. The Spanish DPA considered as a mitigating factor the fact that the controller responded to the data subject, although not in an adequate manner. Thus, the Spanish DPA imposed a fine of €10,000 and an order to comply within 30 days.

Right of erasure

The Spanish DPA held that the controller had deleted the data subject’s email address, but did not mention anything regarding the remaining personal data. Thus, the Spanish DPA concluded that the controller did not respond adequately to the data subject’s request, in violation of Article 17 GDPR.

The Spanish DPA considered the absence of response to the data subject’s request as an aggravating factor. Furthermore, the Spanish DPA took into account the fact that the controller’s main activity was to process personal data. The Spanish DPA considered as a mitigating factor the fact that the controller deleted the data subject’s email address. Thus, it imposed a fine of €5,000 and an order to comply within 30 days.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     File No.: PS/00239/2022

IMI Reference: A61VMN 183387- A60DD 404884 - Case Register 180472


                  RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the

following:


                                     BACKGROUND



FIRST: A.A.A. (hereinafter, the claimant) filed a claim, dated 31
March 2020, before the German data protection authority in Berlin. The
claim is directed against GRUPO NORCONSULTING, S.L. with NIF B15987100
(hereinafter, NORCONSULTING). The reasons on which the claim is based are the following:

The complaining party states that they requested from NORCONSULTING the exercise of the
right of access to their personal data, as well as the subsequent deletion of these data.
NORCONSULTING replied that their data was obtained from employment social networks and
told them that their email was going to be deleted so that they would not receive more emails.
To this, the complaining party responded indicating that their request for the right of
access had not yet been answered.

SECOND: Through the "Internal Market Information System" (hereinafter, IMI System),
regulated by Regulation (EU) No. 1024/2012 of the European Parliament and of the
Council, of October 25, 2012 (IMI Regulation), whose objective is to promote
cross-border administrative cooperation, mutual assistance between Member States and
the exchange of information, the aforementioned claim was transmitted on 11/27/2022 and
was registered as received by the Spanish Agency for Data Protection (AEPD) on
12/1/2022. The transfer of this claim to the AEPD is carried out in accordance with
article 56 of Regulation (EU) 2016/679 of the European Parliament and of the
Council, of 04/27/2016, on the Protection of Natural Persons with regard to the
Processing of Personal Data and the Free Movement of these Data (hereinafter,
GDPR), taking into account its cross-border nature and that this Agency is competent
to act as lead supervisory authority, since NORCONSULTING has its registered office
and sole establishment in Spain.


The data processing that is carried out affects data subjects in several Member
States. According to the information incorporated into the IMI System, in accordance with
article 60 of the GDPR, the following act as "supervisory authority concerned", in
addition to the data protection authority of Berlin (Germany): the authorities of
Norway, Poland, Estonia, Sweden, France, Italy, Lower Saxony (Germany),
Bavaria - Private Sector (Germany), Finland and Denmark. All of them under article
4.22.b) of the GDPR, given that the data subjects residing in the territory of these
supervisory authorities are substantially affected or are likely to be substantially
affected by the processing that is the object of this procedure.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/20










THIRD: On March 2, 2021, the Berlin authority shared via IMI
the original claim and its translation together with the following documentation provided
by the complaining party:

- Copy of email sent to mail@***USER.1 (hereinafter, the email of
the complaining party) by ***USER.2@norconsulting.de dated January 15, 2020. The
content of this email is job offers.

- Copy of email sent from the email of the complaining party to
***USER.2@norconsulting.de and to dpo@gnorcom.com dated January 15, 2020.
In this email, the claimant requests access to the information in article 15.1 of the
General Data Protection Regulation (hereinafter, GDPR), and also requests the
deletion of their data according to article 17 of the GDPR, the communication to the recipients
of this data (according to article 19 of the GDPR) and the deletion of this data on the sites
where it has been published (according to article 17.2 of the GDPR).

- Copy of email sent by ***USER.3@gnorconsulting.com to the
email of the complaining party dated February 4, 2020. This email indicates to the
complaining party that the data is obtained from employment social networks (Infojobs, LinkedIn,
Xing…) and that they are going to delete the email of the complaining party so that they do not
receive more offers.

- Copy of the email response to the previous email, sent from the email
of the complaining party to ***USER.3@gnorconsulting.com dated February 4, 2020,
indicating that this is not a valid response to their access request
according to the GDPR.

- Copy of email sent from the email of the complaining party to
***USER.3@gnorconsulting.com, ***USER.4@norconsulting.de and
dpo@gnorcom.com dated March 15, 2020. In this email, the complaining party
again demands a response to their request.

- Copy of email sent by the complaining party to the email
***USER.5@datenschutz-berlin.de dated March 31, 2020 requesting that
a case be opened because they have not yet received a response to their exercise of the
right of access, in addition to reporting that cookies are installed on the Norconsulting
website without asking the user.

FOURTH: On June 9, 2021, in accordance with article 64.3 of Organic Law
3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights (hereinafter, LOPDGDD), the claim filed by the complaining party
was admitted for processing.

FIFTH: The General Sub-directorate of Data Inspection proceeded to carry out
preliminary investigation actions to clarify the facts in question, by virtue of
the functions assigned to the supervisory authorities in article 57.1 and of the
powers granted in article 58.1 of the GDPR, and in accordance with the provisions of
Title VII, Chapter I, Second Section, of the LOPDGDD, becoming aware of the
following points:

In response to a request from this Agency, on September 14, 2021,
NORCONSULTING presents, among other things, the following information:

 1. Indication that they are not aware of having received any response from the complaining party

to the email sent by NORCONSULTING on February 4, 2020 in which it was given
response to your request for access and deletion.

2. Copy of email sent by ***USER.3@gnorconsulting.com to the email of
the complaining party dated February 4, 2020, with the following content: “Good
Morning A.A.A.: We are a human resources company and work with various ad platforms

(Linkedin, Infojobs, Experteer, Xing, etc.). Your contact has been obtained through these
means, in which you have surely registered and / or are registered. But, as you have no
interest in receiving job offers from us, we will proceed to delete your email from our
automated files for which this company is responsible. If at any other time you wish to
receive offers again, do not hesitate to contact us.”



SIGNIFICANT EVIDENCE FOR THE GRADUATION OF THE SANCTION

Linking the activity of NORCONSULTING with the performance of treatment of
personal data: The development of the business activity carried out by the

entity requires continuous processing of personal data.

Total annual global business volume: According to the query made in the Monitoriza de
Axesor (https://monitoriza.axesor.es/) on May 6, 2022, the sales of the GROUP
NORCONSULTING SL were 5,201,368 euros and had 17 employees.


Recidivism for commission of infractions of the same nature as the facts in
issue: There is no evidence that proceedings have been resolved for violations of
NORCONSULTING in the last year.

SIXTH: On 06/1/2022, the Director of the AEPD adopted a draft decision to
initiate disciplinary proceedings. Following the process established in article 60 of the
GDPR, on 06/09/2022 this draft decision was transmitted through the IMI system and the
authorities concerned were informed that they had four weeks from that moment
to formulate relevant and reasoned objections. Within the term for this purpose, the
supervisory authorities concerned did not present relevant and reasoned objections
in this regard, so it is considered that all the authorities agree with said
draft decision and are bound by it, in accordance with the provisions of
paragraph 6 of article 60 of the GDPR. This draft decision was notified
to NORCONSULTING in accordance with the rules established in the LPACAP on
06/1/2022, as stated in the acknowledgment of receipt that is in the file.

SEVENTH: On 06/30/2022, NORCONSULTING submitted a written statement of allegations to the

draft decision.

EIGHTH: On 07/15/2022, the Director of the Spanish Agency for Data Protection
agreed to initiate disciplinary proceedings against NORCONSULTING in order to impose
fines of 10,000 and 5,000 euros, in accordance with the provisions of articles 63 and 64 of the
LPACAP, for the alleged violation of Article 15 of the GDPR, typified in Article 83.5
of the GDPR, as well as for the alleged infringement of Article 17 of the GDPR, typified in
Article 83.5 of the GDPR, respectively, in which it was indicated that it had a period of
ten days to present allegations.

This initiation agreement, which was notified to NORCONSULTING in accordance with the rules
established in Law 39/2015, of October 1, of the Common Administrative Procedure
of Public Administrations (LPACAP), was collected on 07/21/2022, as stated
in the acknowledgment of receipt in the file.


NINTH: Once the aforementioned initiation agreement had been notified in accordance with the
rules established in the LPACAP, and after the period granted for the formulation of
allegations had elapsed, it has been verified that no allegations have been received from
NORCONSULTING. In the resolution proposal, the allegations presented to the draft decision
were taken into account, in which NORCONSULTING, in summary, stated that:

“FIRST.- First of all, we must make it clear regarding the facts that are
included in the Draft Decision to Initiate Sanctioning Procedure, which
effectively on January 15, 2020, Mr. A.A.A. contacted the
Company, regarding a job offer sent by GRUPO NORCONSULTING S.L.

to cover job vacancies in different German cities, in which GRUPO
NORCONSULTING S.L. has clients who require their services to
provide candidates for job offers.
In the case of Mr. A.A.A., the contact details are obtained by GRUPO
NORCONSULTING S.L., of the companies with which it maintains a contractual relationship,

Linkedin, Xing, Infojobs, Experteer and on the basis of which you allow access to the data, which
logically they should have been transferred by Mr. A.A.A. to the indicated platforms.

After the communication sent by Mr. A.A.A., GRUPO NORCONSULTING S.L. sent him
an email dated February 4, 2020, which indicates:

“Good Morning A.A.A.:
We are a human resources company and work with various ad platforms (Linkedin, Infojobs,
Experteer, Xing, etc.).
Your contact has been obtained through these means, in which you have surely registered
and/or are registered.
But, as you have no interest in receiving job offers from us, we will proceed to delete your

email from our automated files for which this company is responsible.
If at any other time you wish to receive offers again, do not hesitate to contact us.
Best regards"

That is, Mr. A.A.A. is informed that the data was obtained through the

mentioned platforms, and that, if you are not interested in receiving job offers from our
entity, your data would be deleted.

In the account of facts it is mentioned that the claimant responded to the email dated 4
February 2020, however, GRUPO NORCONSULTING S.L. the answer

to which the resolution refers.

We understand that at this point, GRUPO NORCONSULTING S.L. has fulfilled its
obligations regarding the data protection regulations, since it obtains the contact
of the complaining party by contract with respect to a platform or company that has
ceded the data of Mr. A.A.A. for questions of job offers.


SECOND.- Likewise, the account of the facts states that Mr. A.A.A. contact the
German control office because no response has been given to your exercise of the right of
access and denouncing that the web of my represented cookies are installed without asking.
In relation to the use of cookies, there is record processed number 05473/2021, and that it was
resolved by agreeing to file the file (we attach a copy of the Resolution by
from the agency).

Finally, note that the complaining party has not communicated in any other
occasion, with our represented."

TENTH: On 08/29/2022, the investigating body of the procedure agreed to open
a period for the taking of evidence, taking as incorporated the claim
filed by the claimant and its documentation, the documents obtained and
generated by the Inspection Services, the Report of previous Inspection actions
that are part of the file, as well as the allegations to the draft decision
presented by NORCONSULTING and the documentation that accompanies them.

That same day, this Agency sent the agreement on the taking of evidence to NORCONSULTING,
granting a period of 10 business days to:

    - Provide documentary evidence regarding the deletion of personal data, by
       which GRUPO NORCONSULTING, S.L. certifies the complete deletion
       of the personal data of the complaining party and the date on which it was made,
       according to the request made by the complaining party by email on
       01/15/2020.

On 09/13/2022, NORCONSULTING submitted a response letter to this Agency,
in which it stated that:


“FIRST.- First of all, we must point out that on the date of the events that are the object of the
file processed by the Data Protection Agency, GRUPO NORCONSULTING
S.L. worked with software provided by the Company ***COMPANY.1, which in the
COVID pandemic period, it was replaced by software (...), so our
represented cannot access the information of said period.

In any case, we must show that our client never had the
data of the complaining party, but simply that contact was made through the
platform or social network for professionals LINKTEAM, in which Mr.
A.A.A., voluntarily for possible job offers, a point that we already exposed in
our brief of previous allegations, indicating that GRUPO NORCONSULTING S.L., to

through the companies with which it maintains a contractual relationship, Linkedin, Xing,
Infojobs, Experteer, to which Mr. A.A.A. had to give up his data, he obtained the contact to
submit a job offer.

The date on which Mr. A.A.A.'s data was deleted, appears in the email from

February 4, 2020, already referenced previously, in which it is indicated, that since it is not
interested in receiving job offers, we proceed to delete your email from
our databases.
“Good Morning A.A.A.:

We are a human resources company and work with various ad platforms (Linkedin, Infojobs,
Experteer, Xing, etc.).
Your contact has been obtained through these means, in which you have surely registered

and/or are registered.
But, as you have no interest in receiving job offers from us, we will proceed to delete your
email from our automated files for which this company is responsible.
If at any other time you wish to receive offers again, do not hesitate to contact us.
Best regards".


ELEVENTH: On 09/27/2022, the investigating body of the disciplinary procedure
formulated a resolution proposal, in which it proposes that the Director of the AEPD
penalize GRUPO NORCONSULTING, S.L., with NIF B15987100, for a violation of the
article 15 of the GDPR, typified in article 83.5 of the GDPR, with a fine of €10,000
(ten thousand euros), and for a violation of article 17 of the GDPR, typified in article 83.5

of the GDPR, with a fine of €5,000 (five thousand euros).

This proposed resolution, which was notified to NORCONSULTING in accordance with the rules
established in Law 39/2015, of October 1, of the Common Administrative Procedure
of Public Administrations (LPACAP), was collected on 10/3/2022, as stated
in the acknowledgment of receipt in the file.



TWELFTH: On 10/18/2022, this Agency received, in due time and form, a written submission
from NORCONSULTING presenting allegations to the resolution proposal in which,
in summary, it stated that:


“FIRST.- First of all, we want to consider the allegations made by
this part throughout the entire procedure processed by this Administration.

SECOND.- Secondly, we want to point out that in the Proposed Resolution it is

indicates that GRUPO NORCONSULTING S.L. only proceeded to delete the email
claimant's email, however, we must state that my
represented once sent the email of February 2020, proceeded to delete any
data related to the claimant, since no interest has for my represented the
Saving of data of a person who requests its deletion.
In any case, and as claimed, the contact details are obtained from

GRUPO NORCONSULTING S.L., in a legitimate way, through dedicated platforms
to the contact of professionals.

On the other hand, we must point out that subsequent emails, and those that
there is no record of this part, they were sent coinciding with the period in which the

Government of Spain decreed the State of Alarm by COVID and in which the Company
undertook ERTES in which the workforce was temporarily unemployed, which
must be taken into account with respect to the special business situation.

SECOND.- Likewise, we cannot fail to mention that in the actions of GRUPO

NORCONSULTING S.L. there is no intentionality that deserves a reproach
sanctioning, since once it has had proof of the claim, it has proceeded with
the deletion of data, as it did with the claim for the use of cookies.


There is no information on the claimant in the Company's files, except for those
generated by this file.”


From the actions carried out in this procedure and the documentation in
the file, the following have been accredited:



                                  PROVEN FACTS


FIRST: On January 15, 2020, an email was sent to
mail@***USER.1 (hereinafter, the email of the complaining party) by
***USER.2@norconsulting.de. The content of this email was job offers.


SECOND: On January 15, 2020, from the email of the complaining party, an
email was sent to ***USER.2@norconsulting.de and to dpo@gnorcom.com. In this
email, the complaining party requests access to the information of article 15.1 GDPR, and
also requests the deletion of their data according to article 17 of the GDPR, the communication
to the recipients of these data (according to article 19 of the GDPR) and the deletion of these data
on the sites where they have been published (according to article 17.2 of the GDPR).


THIRD: On February 4, 2020, an email was sent by
***USER.3@gnorconsulting.com to the email of the complaining party, with the following
content: “Good Morning A.A.A.:
We are a human resources company and work with various ad platforms (Linkedin, Infojobs,
Experteer, Xing, etc.). Your contact has been obtained through these means, in which you
have surely registered and / or are registered. But, as you have no interest in receiving job
offers from us, we will proceed to delete your email from our automated files for which this
company is responsible. If at any other time you wish to receive offers again, do not hesitate
to contact us.”

FOURTH: In response to the email referred to in the previous section, on February 4, 2020
an email was sent from the email of the complaining party to
***USER.3@gnorconsulting.com, with a copy to the following emails:
***USER.4@norconsulting.de and dpo@gnorcom.com, indicating that this is not a
valid response to their access request, according to the GDPR.

FIFTH: On March 15, 2020, an email was sent from the email of the complaining party
to ***USER.3@gnorconsulting.com,
***USER.4@norconsulting.de and dpo@gnorcom.com. In this email, the complaining party
again demands a response to their request.

SIXTH: On March 31, 2020, an email was sent by the complaining party
to the email ***USER.5@datenschutz-berlin.de in which they request that a
case be opened because they have not yet received a response to their exercise of the right of
access, in addition to reporting that cookies are installed on the Norconsulting website
without asking the user.




                              FUNDAMENTALS OF LAW

                                              I
                             Competence and applicable regulations

In accordance with the provisions of articles 58.2 and 60 of Regulation (EU) 2016/679 of the
European Parliament and of the Council of April 27, 2016 on the protection of
natural persons with regard to the processing of personal data and the free movement
of these data (GDPR), and as established in articles 47, 48.1, 64.2, 68.1 and 68.2
of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to
initiate and resolve this procedure.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed
by the Spanish Data Protection Agency will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures.”


                                              II
                                     Preliminary questions

In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is
processing of personal data, since NORCONSULTING performs
the collection and storage of, among others, the following personal data of natural
persons: email, name and surname, among other processing operations.

NORCONSULTING carries out this activity in its capacity as data controller,

given that it is who determines the purposes and means of such activity, by virtue of article 4.7 of the
GDPR. In addition, it is a cross-border treatment, since NORCONSULTING
is established in Spain, although it provides service to the entire European Union.

The GDPR provides, in its article 56.1, for cases of cross-border processing,
provided for in article 4.23), in relation to the competence of the lead supervisory
authority, that, without prejudice to the provisions of article 55, the supervisory authority of the
main establishment or of the single establishment of the controller or processor
will be competent to act as lead supervisory authority for the
cross-border processing carried out by said controller or processor pursuant
to the procedure established in article 60. In the case examined, as has been stated,
NORCONSULTING has its main establishment in Spain, so the Spanish Data Protection
Agency is competent to act as lead supervisory authority.

For its part, article 15 of the GDPR regulates the information that can be requested

through the exercise of the right of access of article 15 and, on the other, article 17 of the
GDPR regulates the right to obtain without undue delay from the data controller the
deletion of personal data concerning the interested party.



                                            II
                                  Allegations adduced


In relation to the allegations made, we proceed to respond to them according to
the order exposed by NORCONSULTING:

1.- The contact details are obtained by GRUPO NORCONSULTING, S.L., from the
companies with which it maintains a contractual relationship.


The subject of this procedure is not the legitimacy of the processing carried out by
NORCONSULTING, but the alleged infractions committed through the inadequate handling
of the exercise of rights requested by the claimant, specifically, the exercise of the
right of access and the exercise of the right to deletion of their data.


2.- GRUPO NORCONSULTING, S.L. is not aware of the email of February 4, 2020,
whereby the complaining party indicated that the response sent by
NORCONSULTING was not a valid response to their request for access
according to the GDPR.


As stated in the Fourth and Fifth Proven Facts, the messages sent by the complaining
party dated 02/04/2020 and 03/15/2020 appear in the file. The email
dated 02/04/2020 is sent from the email of the complaining party to
***USER.3@gnorconsulting.com, with a copy to the following emails:
***USER.4@norconsulting.de and dpo@gnorcom.com. The email of March 15, 2020
is sent from the email of the claimant to the following emails:
***USER.3@gnorconsulting.com, ***USER.4@norconsulting.de and
dpo@gnorcom.com.

3.- In relation to the use of cookies, file number 05473/2021 was processed and
was resolved by agreeing to archive it.

File E/05473/2021 had as its starting point the same claim as this proceeding;
however, it refers to different facts included in said claim, such as the failure to
obtain informed consent for the installation of cookies that are not strictly necessary
and of third-party cookies, which meant a breach of the provisions of article 22.2 of
Law 34/2002, of July 11, on services of the information society and electronic commerce.

As already stated in response to allegation 1, the object of this proceeding is the
inadequate handling of requests for the exercise of rights, specifically, the
exercise of the right of access and the exercise of the right to delete the data of the
complaining party, as evidenced in the claim and in the documentation that
accompanies it.

Consequently, it cannot be said that the facts of file E/05473/2021 coincide with
those of this file.












Once the instructor of this procedure had formulated the proposed resolution,
NORCONSULTING submitted allegations in the hearing procedure for the interested
party, to which we proceed to respond below:

1.- NORCONSULTING proceeded to delete any data related to the complaining party
once the email of February 2020 had been sent.

NORCONSULTING has not maintained a clear position in this regard. Here we are told
that it proceeded to delete the data of the complaining party when it sent the email of
February 2020. In the allegations submitted to the initiation agreement dated 09/13/2022,
it was said that NORCONSULTING had never had the data of the complaining party:
"... In any case, we must make it clear that our client never
had the data of the complaining party…". Finally, in the allegations presented to the
proposed resolution, it is pointed out that the data were deleted upon receipt of the
claim: "...since, once it had proof of the claim, it has proceeded with the
deletion of data…".

NORCONSULTING has not certified having deleted the personal data (name, surname,
professional profile...) that it held on the complaining party. In addition, because the
request to exercise the right of access has not been attended to, not even as a result
of this procedure, it has not been possible to determine all the personal data subject to
processing. As an example, in the email dated 01/15/2022 NORCONSULTING
proposes to the complaining party a telephone conversation about their professional
preferences and asks for the most recent documentation of their experience; it does not
ask for their phone number, which it apparently already has.

2.- The data is obtained by NORCONSULTING in a legitimate way.

This question was already answered in the proposed resolution, specifically in the
second point of the response to the allegations made to the initiation agreement. The
object of this procedure is not the legitimacy of the processing carried out by
NORCONSULTING, but the alleged infringements committed through inadequate handling
of the exercise of rights requested by the complaining party, specifically, the exercise
of the right of access and the exercise of the right to delete their data. Furthermore,
the fact that the processing was legitimate in principle is no obstacle to the
complaining party exercising their rights before the data controller and to those rights
being properly attended to.

3.- The subsequent emails, of which NORCONSULTING supposedly has no record, were
sent during the period in which the Government of Spain decreed the State of Alarm
due to COVID.

In this regard, this Agency wishes to point out that the complaining party reiterated its
request to exercise the right of access on 02/04/2020. More than a month elapsed from
that date until the beginning of the state of alarm, and therefore the maximum period
established by Article 12.3 of the GDPR for attending to this type of request had passed.
If we take into account the first request, dated 01/15/2020, which was not duly attended
to, that was almost two months before the start of the state of alarm, so there was
enough time to meet the said request.










For all the above, the allegations presented are dismissed.

                                             IV

                             Assessment of the evidence taken

On 08/29/2022, the instructor of the procedure agreed to take documentary evidence
regarding the security of the processing of the personal data that is the object
of this procedure. On 09/13/2022, NORCONSULTING submitted documentation,
on which the following assessments can be made:


1.- On the date of the events in the file, NORCONSULTING worked with
software provided by the company ***COMPANY.1, which, during the COVID pandemic
period, was replaced by the software (...), for which reason NORCONSULTING alleges
that it cannot access the information for that period.

In this regard, this Agency points out that NORCONSULTING cannot rely on a change
of management software to neglect, on the one hand, the obligations that the GDPR
attributes to it as data controller in terms of guaranteeing interested parties
due attention to their requests to exercise their rights and, on the other, the
consequences derived from non-compliance with those requests. In Recital 15, the
GDPR goes even further, determining that its precepts are binding regardless
of the technology used, by establishing that: "In order to avoid a serious risk of
circumvention, the protection of natural persons must be technologically neutral and must
not depend on the techniques used."


2.- NORCONSULTING indicates that it never had the data of the complaining party, but
simply made contact through the platform or social network for professionals
LINKTEAM, and that in the email sent on 02/04/2020 it informed the complaining party
of the deletion of their email.

However, the message sent by NORCONSULTING dated 02/4/2020 says: "But, as
you have no interest in receiving job offers from us, we will proceed to delete your email from
our automated files for which this company is responsible", which we can translate as:
"But, since you are not interested in receiving job offers from us, we will proceed to
remove your email from our automated files for which this company
is responsible". In addition, the first email sent by NORCONSULTING to
the complaining party, dated 01/15/2020, also contains other personal data such as the
name and surname of the recipient.

Therefore, in accordance with the evidence taken, this Agency considers that
NORCONSULTING has not provided any means of proof allowing the conclusion that the
email and other personal data of the complaining party (name, surname,
professional profile, preferences regarding job offers...) have been removed from
its automated files. In addition, we do not know all the personal data
of the complaining party that were subject to processing and were included in said
automated file for which NORCONSULTING is responsible, as the
exercise of the right of access requested by the complaining party in the email dated
01/15/2020 has not been attended to.

                                              V









                              Right of access of the interested party

Article 15 "Right of access of the interested party" of the GDPR establishes:


"1. The interested party shall have the right to obtain from the data controller confirmation
of whether or not personal data concerning them is being processed and, in such a case, the
right of access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipients to whom the personal data have been or will
be communicated, in particular recipients in third countries or international
organizations;

d) if possible, the expected period for which the personal data will be stored or, if not
possible, the criteria used to determine this period;

e) the existence of the right to request from the controller the rectification or deletion of
personal data or the limitation of the processing of personal data relating to the
interested party, or to oppose such processing;

f) the right to file a claim with a control authority;

g) when the personal data has not been obtained from the interested party, any available
information on its origin;

h) the existence of automated decisions, including profiling, referred to in Article 22,
paragraphs 1 and 4, and, at least in such cases, meaningful information about the logic
applied, as well as the significance and intended consequences of that processing for the
interested party.

2. When personal data is transferred to a third country or to an international
organization, the interested party shall have the right to be informed of the adequate
guarantees under Article 46 relating to the transfer.

3. The data controller shall provide a copy of the personal data being processed. The
controller may charge a reasonable fee based on administrative costs for any other copy
requested by the interested party. When the interested party submits the request by
electronic means, and unless they request that it be provided otherwise, the information
will be provided in a commonly used electronic format.

4. The right to obtain a copy mentioned in section 3 will not negatively affect the
rights and liberties of others."

In the present case, the complaining party, by email, requests from
NORCONSULTING, in the exercise of the right of access of Article 15 of the GDPR, the
following information about the processing of their data:










"a) What personal data has been stored or processed.
b) Purpose of processing my data.
c) The categories of personal data.
d) The recipients or categories of recipients who already receive or will receive your data;
e) The expected duration of data storage or, if this is not possible, the criteria
to determine this duration;
f) The existence of the rights of rectification, deletion or limitation of the treatment of my
data, as well as the right to oppose said treatment in accordance with article 21 of the
GDPR and to file a claim with the competent control authority.
g) Information on the origin of the data; and
h) If there is automated decision-making, including profiling, in accordance with
article 22 of the GDPR.
i) If my personal data has been transferred to a third country or to an international
organization."


The complaining party requested from NORCONSULTING access to their personal data
and the information referred to in the previous paragraph on 02/15/2020.
NORCONSULTING responded to said request in a generic way, with brief
information referring only to the fact that the data of the interested party had been
obtained from some job portal (Infojobs, Experteer...) with which it works and to which
the complaining party would be subscribed. Because NORCONSULTING did not
adequately provide the requested information, the complaining party requested
said information again in emails of 02/04/2020 and 03/15/2020, provided together with the
claim, without getting any response. The personal data of the complaining party
processed by NORCONSULTING are, at least, name, surname, email address,
professional profile and preferences regarding job offers.

In accordance with the evidence available at this time of resolution of the
sanctioning procedure, it is considered that the known facts constitute an
infringement, attributable to NORCONSULTING, for violation of Article 15 of the GDPR.



                                             VI
                    Classification of the infringement of article 15 of the GDPR

The aforementioned infringement of article 15 of the GDPR constitutes the commission of the
infringements typified in article 83.5 of the GDPR, which under the heading "General
conditions for the imposition of administrative fines" provides:

"Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
a company, of an amount equal to a maximum of 4% of the total global annual turnover
of the previous financial year, whichever is higher:
       (…)
       b) the rights of the interested parties in accordance with articles 12 to 22; (...)."

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that "The acts
and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679,
as well as those that are contrary to this organic law, constitute offenses".










For the purposes of the limitation period, article 72 "Infractions considered very serious" of
the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
infractions that entail a substantial violation of the articles mentioned therein are
considered very serious and will prescribe after three years, in particular the following:
       (…)

       k) The impediment or the obstruction or the repeated failure to attend to the exercise
       of the rights established in articles 15 to 22 of Regulation (EU) 2016/679. (…)"

                                             VII
                     Penalty for violation of article 15 of the GDPR


For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at the present time of resolution of the
sanctioning procedure, it is considered appropriate to graduate the sanction to be imposed
in accordance with the following criteria established in article 83.2 of the GDPR.

As aggravating circumstances:

          - The nature, seriousness and duration of the infringement, taking into account the
              nature, scope or purpose of the processing operation in question,
              as well as the number of interested parties affected and the level of
              damages they have suffered (section a): Due to the failure to attend to at least
              three requests for access to their personal data, the first dated
              01/15/2020, which to date have not been duly addressed.

          - Negligence in the infringement (section b): The complaining party twice
              reiterated the request for information through emails sent on
              02/04/2020 and 03/15/2020, without obtaining a response from
              NORCONSULTING, which shows the lack of minimum diligence in
              compliance with its obligations as data controller.

As a mitigating circumstance:

          - Any measure taken by the controller or processor to
              alleviate the damages suffered by the interested parties (section c):
              Initially, it answered the complaining party, although it did not provide the
              requested information.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance
with the following criteria established in section 2 of article 76 "Sanctions and
corrective measures" of the LOPDGDD:

As an aggravating circumstance:

          - The linking of the activity of the offender with the processing of
              personal data (section b): NORCONSULTING is a company whose
              economic activity is the management of human resources, which entails a
              high level of processing of personal data.


The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the
LOPDGDD, with respect to the offense committed by violating the provisions of article 15
of the GDPR, allows a penalty of €10,000 (ten thousand euros) to be imposed.

                                              VIII
                                    Imposition of measures


Among the corrective powers provided in article 58 "Powers" of the GDPR, section
2.d) establishes that each control authority may "order the controller or processor
to bring processing operations into compliance with the provisions of
this Regulation, where appropriate, in a specified manner and within a specified
period…".

Upon confirmation of the infringement, the Spanish Agency for Data Protection orders
NORCONSULTING to certify before this Agency within 30 days that it has attended to
the exercise of the right of access by the complaining party, providing all the information
requested regarding the processing of their personal data.

It is noted that failure to meet the requirements of this body may be considered
an administrative offense in accordance with the provisions of the GDPR, classified as an
infringement in its articles 83.5 and 83.6, and such conduct may lead to the opening of a
subsequent sanctioning administrative procedure.



                                              IX
                        Right to erasure ("the right to be forgotten")


Article 17 "Right of deletion" of the GDPR establishes:

"1. The interested party shall have the right to obtain from the data controller, without
undue delay, the deletion of personal data concerning them, and the controller shall be
obliged to delete personal data without undue delay when any of the
following circumstances applies:

a) the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed;

b) the interested party withdraws the consent on which the processing is based in accordance
with Article 6(1)(a) or Article 9(2)(a), and the processing is not based on another
legal basis;

c) the interested party opposes the processing in accordance with Article 21, paragraph 1, and
no other legitimate reasons for the processing prevail, or the interested party opposes the
processing in accordance with Article 21, paragraph 2;

d) the personal data have been unlawfully processed;










e) personal data must be deleted to comply with a legal obligation
established in the law of the Union or of the Member States that applies to the
data controller;

f) the personal data have been obtained in relation to the offer of information
society services referred to in Article 8, paragraph 1.

2. When the data controller has made the personal data public and is obliged, by virtue of
the provisions of section 1, to delete said data, the data controller, taking into account
the available technology and the cost of its application, shall take reasonable measures,
including technical measures, with a view to informing the controllers who are processing
the personal data of the interested party's request for the deletion of any link to those
personal data, or any copy or replica thereof.

3. Sections 1 and 2 will not apply when the processing is necessary:

a) to exercise the right to freedom of expression and information;

b) for compliance with a legal obligation that requires data processing
imposed by the law of the Union or of the Member States that applies to the
data controller, or for the performance of a task carried out in the public interest
or in the exercise of public powers conferred on the controller;

c) for reasons of public interest in the field of public health in accordance with
Article 9, paragraph 2, letters h) and i), and paragraph 3;

d) for archiving purposes in the public interest, for scientific or historical research
purposes or for statistical purposes, in accordance with Article 89(1), insofar as the right
indicated in paragraph 1 could make impossible or seriously impede the achievement of the
purposes of such processing, or

e) for the formulation, exercise or defense of claims."

In the present case, in response to the request to delete the data of the complaining party,
the data controller replies that it has deleted their email; nothing is said about the other
personal data of the interested party to which NORCONSULTING has had access,
regardless of whether they were obtained legitimately.

In accordance with the evidence available at this time of resolution of the
sanctioning procedure, it is considered that the known facts constitute an
infringement, attributable to NORCONSULTING, for violation of article 17 of the GDPR.


                                              X
                    Classification of the infringement of article 17 of the GDPR

The aforementioned infringement of article 17 of the GDPR constitutes the commission of the
infringements typified in article 83.5 of the GDPR, which under the heading "General
conditions for the imposition of administrative fines" provides:

"Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
a company, of an amount equal to a maximum of 4% of the total global annual turnover
of the previous financial year, whichever is higher:
       (…)
       b) the rights of the interested parties in accordance with articles 12 to 22; (…)."

In this regard, the LOPDGDD, in its article 71 "Infractions", establishes that "The acts
and behaviors referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679,
as well as those that are contrary to this organic law, constitute offenses".

For the purposes of the limitation period, article 74 "Infringements considered minor" of the
LOPDGDD indicates:


"The remaining infractions of a merely
of the articles mentioned in sections 4 and 5 of article 83 of the Regulation
(EU) 2016/679 and, in particular, the following:

       (…)

       c) Failure to respond to requests to exercise the rights established in
       articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of
       article 72.1.k) of this organic law apply (…)."

                                             XI

                     Penalty for violation of article 17 of the GDPR

For the purposes of deciding on the imposition of an administrative fine and its amount,
in accordance with the evidence available at the present time of resolution of the
sanctioning procedure, it is considered appropriate to graduate the sanction to be imposed
in accordance with the following criteria established in article 83.2 of the GDPR.

As aggravating factors:

   - The nature, seriousness and duration of the infringement, taking into account the
       nature, scope or purpose of the processing operation in question, as well
       as the number of interested parties affected and the level of damages that they
       have suffered (section a): Due to the failure to attend to the request for deletion
       of their personal data, dated 01/15/2020, which to date has not been duly
       addressed.

As mitigating factors:

   - Any measure taken by the controller or processor to alleviate
       the damages suffered by the interested parties (section c): It deleted only
       the email of the complaining party.


Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance
with the following criteria established in section 2 of article 76 "Sanctions and
corrective measures" of the LOPDGDD:

As aggravating factors:

   - The linking of the activity of the offender with the processing of personal
       data (section b): NORCONSULTING is a company whose economic activity
       is the management of human resources, which entails a high level of
       processing of personal data.

The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the
LOPDGDD, with respect to the offense committed by violating the provisions of article 17
of the GDPR, allows a penalty of €5,000 (five thousand euros) to be imposed.

                                              XII
                                    Imposition of measures


Among the corrective powers provided in article 58 "Powers" of the GDPR, section
2.d) establishes that each control authority may "order the controller or processor
to bring processing operations into compliance with the provisions of
this Regulation, where appropriate, in a specified manner and within a specified
period…".

Given the infringement, the Spanish Agency for Data Protection orders NORCONSULTING
to certify before this Agency within 30 days that it has complied with the request for
deletion of the personal data of the complaining party.

It is noted that failure to meet the requirements of this body may be considered
an administrative offense in accordance with the provisions of the GDPR, classified as an
infringement in its articles 83.5 and 83.6, and such conduct may lead to the opening of a
subsequent sanctioning administrative procedure.





Therefore, in accordance with the applicable legislation and having assessed the criteria
for graduating the sanctions whose existence has been accredited,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on GRUPO NORCONSULTING, S.L., with NIF B15987100:

   - For a violation of article 15 of the GDPR, typified in article 83.5 of the GDPR,
       a fine of €10,000 (ten thousand euros).

   - For a violation of article 17 of the GDPR, typified in article 83.5 of the GDPR,
       a fine of €5,000 (five thousand euros).

SECOND: ORDER GRUPO NORCONSULTING, S.L., with NIF B15987100, to prove to this
Agency within 30 days that it has attended to the exercise of the right of
access by the complaining party, providing all the information requested regarding the
processing of their personal data, and to certify before this Agency that it has complied
with the request for deletion of the personal data of the complaining party.










THIRD: NOTIFY this resolution to GRUPO NORCONSULTING, S.L.


FOURTH: Warn the sanctioned party that it must pay the imposed sanction once
this resolution is enforceable, in accordance with the provisions of art. 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment term
established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of
December 17, by depositing it, indicating the NIF of the sanctioned party and the
procedure number that appears in the heading of this document, in the restricted account
nº ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for
Data Protection at the bank CAIXABANK, S.A. Otherwise, it
will be collected in the enforcement period.

Once the notification has been received and once the resolution is enforceable, if the
enforceability date falls between the 1st and 15th of each month, both inclusive, the term
for voluntary payment will run until the 20th of the following month or the immediately
following business day, and if it falls between the 16th and the last day of each month,
both inclusive, the payment term will run until the 5th of the second following month or
the immediately following business day.


In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
It will be made public once the interested parties have been notified.

In accordance with the provisions of article 60.7 of the GDPR, the control authorities
concerned and the European Data Protection Board will be informed of this
resolution once it is final.

Against this resolution, which puts an end to the administrative process in accordance with
art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a period of one month from the
day following the notification of this resolution, or file a contentious-administrative
appeal directly before the Contentious-Administrative Chamber of the National Court, in
accordance with the provisions of article 25 and section 5 of the fourth additional provision
of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction,
within two months from the day following the notification of this act,
according to the provisions of article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
the final resolution in administrative proceedings may be provisionally suspended if the
interested party expresses their intention to file a contentious-administrative appeal. If
this is the case, the interested party must formally communicate this fact in writing
addressed to the Spanish Agency for Data Protection, submitting it through the Electronic
Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of
the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of
October 1. They must also send the Agency the documentation that proves the effective
filing of the contentious-administrative appeal. If the Agency is not made aware of the
filing of the contentious-administrative appeal within a period of two months from the day
following the notification of this resolution, it will terminate the precautionary
suspension.



                                                                                                938-120722
Mar España Martí

Director of the Spanish Data Protection Agency






























































