AEPD (Spain) - PS/00291/2019: Difference between revisions

From GDPRhub
No edit summary
 
No edit summary
Line 11: Line 11:
|-
|-
|Relevant Law:||
|Relevant Law:||
[[Article 6 GDPR#1a|Article 6(1) GDPR]] [[Category:Article 6(1) GDPR]]
[[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] [[Category:Article 6(1) (a) GDPR]]
|-
|-
|Type:||Complaint
|Type:||Complaint

Revision as of 09:37, 6 February 2020

AEPD - PS/00291/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:

Article 6(1)(a) GDPR

Type: Complaint
Outcome: Upheld
Decided: 23.12.2019
Published: 07.01.2019
Fine: 6,000 EUR
Parties: Joker Premium Invex Vs anonymous
National Case Number: PS/00291/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The AEPD imposed a fine of € 6.000 for unlawful processing data from a public registry without a legal basis under Article 6 GDPR.

English Summary

Facts

A citizen filled a complaint with the AEPD regarding the unlawful processing of his personal data. He claimed that his personal data was processed by the public administration for registration purposes only. The data was shared with the company Joker Premium (the controller) without a legal basis.

Dispute

Is consent necessary to process lawfully personal data for commercial advertisement purposes, if the personal data are not collected from the data subject?

Holding

The AEPD found that the controller unlawfully processed the personal data for commercial advertisement purposes due to the lack of consent. Indeed, it did send to the data subject advertisement and commercial offers while the data subject did not consent to the processing of his personal data. 

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.




*

936-150719
Product No.: PS/00291/2019


RESOLUTION R/00559/2019 ON THE TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT

In the sanctioning procedure PS/00291/2019, instructed by the Spanish Data Protection Agency to JOKER PREMIUM INVEX, S.L., having regard to the complaint presented by A.A.A., and on the basis of the following

BACKGROUND

FIRST: On 4 October 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against JOKER PREMIUM INVEX, S.L. (hereinafter, the claimed), by means of the Agreement that is transcribed:

<<




Product No.: PS/00291/2019

935-240719



AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS



Of the actions carried out by the Spanish Data Protection Agency and based on the following

FACTS



FIRST: On December 27, 2018, Mr. A.A.A., (hereinafter, the claimant), filed a complaint with the Spanish Data Protection Agency (hereinafter, AEPD) against MEDISALUD/JOKER PREMIUM, in which he stated that since his registration in the municipal census of the town of ***POBLACIÓN.1 (Toledo) he has received advertising and commercial offers with identifying data (town, name and address) that he has only provided to the Public Administration. It added that it has sent electronic communications to the alleged promoter of the communications and to the administrator of the databases without any result. The information from
 



both refer to the collection of data from different public sources that do not contain personal data or identification of residents that, however, do appear in the communications it receives.
The claimant attaches a copy of an advertising message on the front of which is printed the MEDISALUD logo, the details of the sender (GM- ***APARTADO DE CORREOS Madrid) and the details of the recipient, in this case the claimant, in accordance with the proof that the name, surname and postal address of the recipient of the message studied coincide with the identification details and postal address provided by the claimant when presenting the aforementioned complaint.
The following text appears in the body of the advertising message:

"We give you an electric scooter just for attending. MEDISALUD invites you to find out about the latest developments designed exclusively for you to continue taking care of yourself and your loved ones. To this end, we are giving you a complimentary gift just for attending our event. If you come with your spouse, MEDIASALUD will give you a FREE ELECTRIC SKATING
If you are widowed, come with a family member or friend over 45 years old and you will receive the same gift, as long as you prove your marital status with valid documentation. And if you know a married couple or friend, over 45 years old, INVITE THEM to come. They will also receive the same gifts as you, as long as they do not repeat the invitation on those days.
Confirm your attendance and the reservation of your gift."

The dispatch indicated the place where the event would be held ***HOTEL.1, in Aranjuez), the dates and times of the event (10 and 11 January 2019, morning and afternoon). The telephone number ***TELÉFONO.1 was provided for reservations between 9:15 a.m. and 8:00 p.m.
Information is provided at the bottom of the advertising brochure: "This mailing has been sent to postal addresses which are recorded as residential gaps obtained through public information provided by the IN, the Post Office street libraries and direct procedures without in any case the identity of the residents of those addresses being recorded. However, if for any reason, you do not like these communications, you can express it by writing to JOKER PREMIUM C/Maria de Molina nº54 planta 5ª 28006 Madrid. Upon receipt of such a request, no further communications of this nature will be sent to the corresponding postal address".
SECOND: On 23 January 2019, the Subdirectorate General for Data Inspection transferred the aforementioned complaint to the entity GRUPO MEDISALUD TV, S.L., (hereinafter, MEDISALUD) for its analysis and communication to the complainant of the decision adopted in this regard. Likewise, this entity was required to
 



Within a period of one month, send the following information to the AEPD: Copy of the communications, of the decision adopted that has been sent to the claimant regarding the transfer of this claim, and accreditation that the claimant has received the communication of this decision; Report on the causes that have motivated the incident that has originated the claim; Report on the measures adopted to avoid similar incidents; Any other that it considers relevant.
On the same date, the claimant was notified of the receipt of the complaint and its transfer to MEDISALUD.
On February 22, 2019, a letter of response from MEDISALUD was registered with this Agency stating that
a) They have responded to the complainant stating that: MEDISALUD does not have, nor has it had, any information on the claimant in its databases. That the relationship between this company and JOKER PREMIUM is based on a service provision relationship consisting of the execution by JOKER PREMIUM of commercial campaigns for the celebration of face-to-face events in different Spanish towns and cities attended by interested parties for the presentation and sale of the products marketed by MEDISALUD. That these commercial campaigns are produced and directed in a totally autonomous manner by JOKER PREMIUM, without MEDISALUD intervening at any stage of the same.
b) A copy of the "Service Provision Agreement" signed by GRUPO MEDISALUD TV, S.L. on August 2, 2017 is attached (THE CLIENT) and JOKER PREMIUM INVEX, S.L. (THE SUPPLIER).
Sections 1.1 and 1.2 of the first stipulation and section 2.2 of the second stipulation of the aforementioned contract state
"FIRST.- OBJECT:

1.1 The purpose of this contract is to establish the legal framework that will regulate the provision by the SUPPLIER to the CLIENT of the advertising and marketing services necessary for the sale of the CLIENT's products.
1.2 The CLIENT will carry out these sales by means of face-to-face presentations of its products in places previously defined and agreed upon by the SUPPLIER (Hotels, Restaurants, etc.)
To this end, the SUPPLIER undertakes to carry out the necessary marketing tasks to ensure that the largest possible number of potential customers attend these events. To this end, the SUPPLIER will design each of the marketing and advertising campaigns to be carried out for the sale of the CLIENT's products and will prepare and execute such campaigns to attract attendees.
 



SECOND - OBLIGATIONS OF THE SUPPLIER

(…)

2.2.- THE SUPPLIER acknowledges that it is a requirement of the CLIENT that marketing campaigns be carried out without, under any circumstances, the use or processing of personal data of natural persons subject to personal data protection regulations".
c). They have sent a burofax to the company JOKER PREMIUM, a copy of which is attached, requesting a report on the causes that have given rise to the claim.
THIRD: In view of the information received from MEDISALUD, dated February 28, 2019, in accordance with article 65.4 of Organic Law 3/2018, dated December 5, on the Protection of Personal Data and the Guarantee of Digital Rights, (hereinafter LOPDGDD), and for the purposes set out in article 64.2, the Director of the AEPD agreed to admit the aforementioned claim for processing.
FOURTH: In accordance with the provisions of article 67 of the LOPDGD, and for the purpose of better determining and clarifying the facts set out in the complaint, the Subdirectorate General for Data Inspection of the AEPD carried out the investigative actions whose results are set out below:
On May 17, 2019, a reply was registered in this Agency by JOKER PREMIUM INVEX, S.L., (hereinafter, the claimed), to the information request made on April 24, 2019, and later reiterated on June 28, 2019, indicating that
- At present there is no personal data of the claimant in its files. These data were deleted after your client, MEDISALUD, informed you that they had received a complaint from the AEPD which had been made by the claimant because his name and surname appeared in an advertising message.
- That the existence of this information in the advertising sent surprised them as they have no personal data in their file, but only references corresponding to residential vacancies, without any type of information on the identity of the persons residing in them.
- After an internal investigation, the only conclusion is that there was an error and that for reasons unknown to them there was a register with data on the complainant. They were not aware that their computer systems contained such data.
- The incident was remedied by irreversibly deleting the data that were the subject of the complaint. In addition, an in-depth search was carried out for other possible personal data to ensure that this was a one-off situation and that such an event would not occur again.
 



The complainant provides a letter addressed to MEDISALUD explaining the above and assuming full responsibility for the incident.
Subsequently, on July 25, 2019, a letter from the sole administrator of the claim is registered in this Agency, on behalf of said entity, stating the following:
- It is confirmed that the personal data of the claimant used to send the advertising came from the files of that company.
- That he bought some databases to carry out marketing activities, with the complainant's data appearing in one of those files.
- Normally, it instructs its employees to ensure that people who do not want to receive advertising are not included in the mailings, or it uses data that are not personal, but in this case, it assumes that an illegal act has been committed and that it should have made sure that the complainant's data were legal before using them.
- That he cannot justify that he had the consent of the data subject, and therefore acknowledges the facts that are imputed and his responsibility for sending the advertising.
- That they have had no contact with the complainant nor is it known that they have sent him any other communication apart from the advertising studied.
- That they assume the corrections that should be imposed, requesting that it be taken into account that it is a specific event, that there has been no desire to cause damage, that the claimant's data have been eliminated, the reduced size of the company and the complicity that full and complete compliance with data protection regulations implies for the company.


LEGAL GROUNDS 

I

By virtue of the powers that Article 58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27/04/2016, on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such Data (hereinafter, RGPD) recognizes to each supervisory authority and in accordance with the provisions of Articles 47, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate this procedure.

II
 



Article 4 of the GPRS, under the heading "Definitions", provides that:

"For the purpose of this Regulation, the following definitions shall apply

personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
processing' means any operation or set of operations which is performed upon personal data or upon sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction


"(11) "Consent of the data subject" means any freely given, specific, informed and unambiguous expression of his or her wishes by which the data subject signifies his or her agreement, either by declaration or by clear affirmative action, to personal data relating to him or her being processed.


In accordance with these definitions, and in view of the actions carried out, the facts which are the object of the alleged infringement are the processing by the requested party of the personal data of the claimant (name, surname and postal address) in order to send him, in the context of an advertising campaign organised by the requested party, a brochure containing advertising from another company without having proved that he is entitled to carry out such processing for that specific purpose.


III


The processing described could constitute a breach of Article 6 of the GPRS, "Lawfulness of processing", paragraph 1(a) of which states that


"Processing shall be lawful only if at least one of the following conditions is met
 





(a) the data subject has given his consent to the processing of his personal data for one or more specified purposes


Article 7 of the above-mentioned GPRS, under the heading "Conditions for consent", states that


"Where the processing is based on the consent of the data subject, the data controller must be able to prove that the data subject consented to the processing of his or her personal data.


2. Where the data subject's consent is given in the context of a written statement which also relates to other matters, the request for consent shall be presented in such a way as to be clearly distinguished from other matters, in an intelligible and easily accessible form and using clear and simple language. No part of the statement shall be binding which constitutes a breach of this Regulation.


3.	The data subject shall have the right to withdraw his/her consent at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent prior to withdrawal. The data subject shall be informed thereof before consent is given. Withdrawal of consent shall be as easy as giving consent.


4.	In assessing whether consent has been freely given, the utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is made subject to consent to the processing of personal data which are not necessary for the performance of that contract.


For its part, Article 6 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights, under the heading "Processing based on the consent of the data subject", states that


"In accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679, consent of the data subject is understood to be any expression of will
 



free, specific, informed and unambiguously accepting, either by declaration or by clear affirmative action, the processing of personal data concerning him.


2.	Where it is intended to base the processing of data on the consent of the data subject for a variety of purposes, it must be specifically and unequivocally stated that such consent is given for all of them.


3. The execution of the contract may not be made subject to the consent of the data subject to the processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship".


The alleged infringement for which the defendant is held responsible is typified in article 83.5.a) of the RGPD, which establishes that "Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of a maximum of 20,000,000 Euros or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, whichever is greater:
(a) The basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9
Article 71 of the LOPDGDD, under the heading "Infringements", states that
"The acts and conduct referred to in paragraphs 4 constitute infringements,
5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law".
For the purposes of prescription, Article 72(1)(b) of the LOPDGDD states
"Infringements considered very serious":

1.	In accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, infringements that substantially violate the articles mentioned therein, and in particular the following, are considered very serious and shall be subject to the statute of limitations after three years:
(…)


(a) Processing of personal data without complying with any of the conditions for the lawfulness of processing set out in Article 6 of Regulation (EU) 2016/679.
 



IV

From the documentation in the file, and from the statements of the Respondent himself in his brief dated July 25, 2019, it is evident that the Respondent violated Article 6.1 of the RGPD.


It is recorded in the file that the respondent processed the name, surname and postal address (street ***ADDRESS.1) of the claimant in order to send him, within the framework of an advertising campaign that was fully developed and managed by the respondent, a postal brochure promoting attendance at an event in which the latest news designed by MEDISALUD was to be advertised, to be held on 10 and 11 January 2019 at the place indicated in the brochure.
On the other hand, in the aforementioned document, the respondent has acknowledged that he does not have legal standing to process the complainant's personal data.
In accordance with the evidence available at this time, and without prejudice to the outcome of the proceedings, it is considered that the conduct of the respondent could violate Article 6.1.a) of the RGPD and could constitute the infringement defined in Article 83.5.a) of the aforementioned Regulation 2016/679, and qualified as very serious, for the purposes of the statute of limitations, in Article 72.1.b) of the LOPDGDD.

V

Article 58.2 of the GPRS, under the heading "Powers", states that:

"2 Each supervisory authority shall have all the following corrective powers as set out below:
(…)

"(i) to impose an administrative fine pursuant to Article 83, in addition to or instead of the measures referred to in this paragraph, depending on the circumstances of the individual case;".
In order to determine the administrative fine that should be imposed in this case, the provisions contained in Articles 83.1 and 83.2 of the RGPD must be observed, and these precepts are indicated:
"Each supervisory authority shall ensure that the imposition of administrative fines under this Article for the infringements of this Regulation referred to in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive.
2.	Administrative fines shall be imposed, depending on the circumstances of
 



each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether to impose an administrative fine and the amount of that fine in each individual case, due account shall be taken of the circumstances of the case:
(a) the nature, gravity and duration of the infringement, taking into account the nature, extent or purpose of the processing operation concerned, as well as the number of data subjects concerned and the level of damage they have suffered;
(b) whether the infringement was intentional or negligent;

(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented pursuant to Articles 25 and 32;
(e) any previous breach committed by the controller or processor;
(f) the degree of cooperation with the supervisory authority with a view to remedying the breach and mitigating the possible adverse effects of the breach;
(g) the categories of personal data affected by the infringement;

(h) the manner in which the supervisory authority became aware of the infringement, in particular whether and to what extent the controller or processor notified the infringement;
(i) where the measures referred to in Article 58(2) were previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to certification schemes approved in accordance with Article 42; and
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial gains obtained or losses avoided, directly or indirectly, through the infringement.
With regard to Article 83.2 (k) of the RGPD, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that
"In accordance with the provisions of Article 83.2(k) of Regulation (EU) 2016/679, the following may also be taken into account
(a) The continuous nature of the infringement.
 



(b) The link between the activity of the offender and the processing of personal data
(c) The benefits obtained as a result of the commission of the infringement.

(d) the possibility that the conduct of the data subject may have led to the commission of the infringement
(e) the existence of a merger process by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity
(f) The effect on the rights of minors.

g) The availability, when it is not compulsory, of a data protection representative.
h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases where there are disputes between them and any interested party.
In accordance with the above provisions, and without prejudice to the outcome of the proceedings, for the purposes of setting the amount of the fine to be imposed in this case for the alleged infringement referred to in Article
83.5 of the RGPD attributed to the claimant, in an initial assessment, the following factors are estimated to be present:
As aggravating factors:

- That the facts which are the object of the complaint are attributable to a lack of diligence on the part of the defendant in not verifying whether there was a legitimate basis for processing the personal data of the claimant in the framework of the advertising campaign in which his data were used (Article 83.2.b, RGPD).
-The close connection of the activity of the respondent with the processing of personal data (Article 83.2.k, RGPD in relation to 76.2.b, LOPDGDD)
As extenuating circumstances:


-That only the claimant is recorded, in view of the available evidence, as being affected by the infringing conduct (Article 83(2)(a))
-The measures that the defendant adopted to mitigate the damages suffered by the claimant (Article 83.2.c). In this respect, it is worth noting that prior to the receipt of the request for information from this Agency, and with the knowledge of the
 



irregular situation through MEDISALUD, the respondent proceeded to delete the data of the complainant from its files, as stated in the letter dated 7 March 2019 that it sent to its client.
Therefore, in accordance with the above,

By the Director of the Spanish Data Protection Agency, it is agreed:
1. TO INITIATE PENALTY PROCEEDINGS against JOKER PREMIUM INVEX, S.L., with NIF B87743902, for the presumed infringement of Article 6.1 of the RGPD typified in Article 83.5.a) of the aforementioned Regulation (EU) 2016/679.
To appoint B.B.B. as instructor and C.C.C. as secretary, indicating that either of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
3.	INCORPORATE into the sanctioning file, for the purposes of proof, the claim filed by the claimant and its documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection as a result of the transfer made and during the previous investigation actions carried out; as well as the report of previous Inspection actions.
4.	THAT, for the purposes set forth in article 64.2 b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, (hereinafter, LPACAP) the sanction that may correspond would be 10,000 Euros (Ten thousand Euros), without prejudice to the results of the investigation.
5.	TO NOTIFY this agreement to JOKER PREMIUM INVEX, S.L., with NIF B87743902, granting it a period of ten working days to present its allegations and evidence. In your pleading, you must provide your NIF and the procedure number in the heading of this document.
If within the stipulated term no allegations are made to this initiation agreement, it may be considered a proposal for resolution, as established in article 64.2.f) of Law 39/2015, of the LPACAP.
In accordance with Article 85.1 of LPACAP, if the sanction to be imposed is a fine, it may recognize its responsibility within the period granted for the formulation of allegations to this agreement to initiate the proceedings; this will be accompanied by a reduction of 20% of the sanction to be imposed in this procedure. With the application of this reduction, the penalty would be
 



8,000, and the procedure was resolved with the imposition of this penalty.
Similarly, at any time prior to the resolution of this procedure, the Committee may carry out the voluntary payment of the proposed penalty, in accordance with the provisions of Article 85.2 of the LPACAP, which will entail a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at 8,000 euros and its payment would imply the termination of the procedure.
The reduction for the voluntary payment of the penalty can be cumulated with that for the recognition of liability, provided that this recognition of liability is made within the period granted for making representations on the opening of the proceedings. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the decision. In this case, if both reductions were to be applied, the amount of the penalty would be set at 6,000 euros.
In any case, the effectiveness of either of the two above-mentioned reductions shall be conditioned on the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (8,000 Euros or 6,000 Euros), you must make it effective by paying it into account number ES00 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause for the reduction of the amount to which you are entitled.
Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue with the procedure in accordance with the amount paid.
The procedure shall have a maximum duration of nine months as of the date of the starting agreement or, where appropriate, of the draft starting agreement. Once this period has elapsed, it will expire and, consequently, the proceedings will be closed; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act.


Mar Spain Martí

Director of the Spanish Data Protection Agency
 





>>

SECOND: On October 29, 2019, the claimant has proceeded to pay the penalty in the amount of 6000 euros making use of the two reductions provided in the Agreement of initiation transcribed above, which implies the recognition of liability.
THIRD: The payment made, within the period granted for making allegations on the opening of the proceedings, implies the waiver of any action or appeal in administrative proceedings against the penalty and the acknowledgement of liability in relation to the facts referred to in the Agreement of Initiation.

LEGAL GROUNDS

I

By virtue of the powers that Article 58.2 of the RGPD grants to each control authority, and as established in Article 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to sanction any infringements committed against those Regulations; infringements of Article 48 of Law 9/2014, of May 9, General Telecommunications Law (hereinafter LGT), in accordance with the provisions of Article 84.3 of the GLT, and the infringements defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002 of 11 July on information society services and electronic commerce (hereinafter referred to as the ISESA), as provided for in Article
43.1 of the said Act.

II

Article 85 of Law 39/2015 of 1 October 1995 on the Common Administrative Procedure for Public Administrations (LPACAP), under the heading 'Termination in penalty proceedings', provides as follows
"1. If a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the appropriate sanction.
2.	When the penalty is only pecuniary in nature or when it is possible to impose a pecuniary penalty and a non-pecuniary penalty but the latter has been justified, voluntary payment by the alleged offender, at any time prior to the decision, shall entail the termination of the proceedings, except as regards the reinstatement of the altered situation or the determination of compensation for damages caused by the commission of the offence.
3.	In both cases, where the penalty is purely financial in nature, the body responsible for deciding the procedure shall apply reductions of at least 20 % to the amount of the penalty proposed, which may be cumulative
 



with each other. Such reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal against the sanction.
The percentage of reduction provided for in this paragraph may be increased by regulation.

In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00291/2019, in accordance with the provisions of Article 85 of the LPACAP

SECOND: TO NOTIFY this resolution to JOKER PREMIUM INVEX, S.L..

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as stipulated in article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal with the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in Article 46.1 of the aforementioned Act.

Mar Spain Martí
Director of the Spanish Data Protection Agency