| AEPD - PS/00292/2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 21 Law 34/2002 |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 28.11.2022 |
| Fine: | 4000 EUR |
| Parties: | MAX2PROTECT, S.L. |
| National Case Number/Name: | PS/00292/2022 |
| European Case Law Identifier: | PS |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | @patrikmatos |
The Spanish DPA fined a manufacturer of sanitary products €4,000 for sending unrequested and unauthorised commercial e-mails, as there was no evidence of the consent by the recipients.
English Summary
Facts
The data subject alleged he was constantly receiving spam messages in his mailbox from a company that manufactures antigen tests (the controller). The data subject had six different email addresses, on which he received spam messages from the controller. He decided to file a complaint with the DPA who started proceedings in this regard.
In defense, the controller claimed to be carrying out a campaign to promote its products through e-mails. Allegedly, the database for sending these e-mails was acquired from a central communication provider (“Datantify”) and also through public internet pages. The controller alleged that the data subject could have manually disabled the receipt of these advertisements, but only did so in one of his six e-mail addresses. Hence, he continued to receive commercial e-mails on the other five e-mails addresses.
Holding
According to the Spanish DPA, the controller did not present evidence of the consent given by the data subject for the sending of commercial e-mails as well as did not present the purchase agreement for the database, which it claims to have acquired and where the claimant's e-mail address was supposedly located.
Therefore, the company violated Article 21 of Law 34/2002, on Information Society Services and Electronic Commerce (LSSI), which prohibits the sending of advertising or promotional communications by e-mail that had not been previously requested or expressly authorised by the recipients.
The Spanish DPA imposed on the controller a fine of €4,000, as it considered that there was no evidence of the data subject's consent to receive commercial e-mails, nor of the database purchase contract that the controller claims to have acquired.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6
Procedure No.: EXP202201667, (PS/00292/2022)
RESOLUTION OF THE SANCTION PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following.
BACKGROUND
FIRST: Dated 01/12/22, you have entered this Agency, written submitted by
D. A.A.A., (hereinafter, "the complaining party"), against MAX2PROTECT, S.L. with CIF.:
B88606355, (hereinafter, "the claimed party"), in which it indicated, among other things, what
Next:
“I receive spam from covidtest@antigenos.es several times a day (attached the 6
commercial communications received dated 12-jan-2022). The website,
Max2Protect SL, was already fined by the AEPD for similar events in the
procedure No.: PS/00170/2021”.
The claim document is accompanied by a copy of the following documentation
a.- Copy of the email received at the claimant's address on 01/12/22
sent from the address <<B.B.B.>> covidtest@antigenos.es, containing
commercial information.
SECOND: On 02/10/22, in accordance with the provisions of article 65.4
of Organic Law 3/2018, of December 5, Protection of Personal Data and
Digital Rights Guarantee (LOPDGDD), this Agency sent
writing to the claimed party requesting information regarding what is stated in the
claim.
THIRD: On 03/11/22, a response letter was received from the entity
claimed to the request for information made by this Agency, in which, among others,
indicates that:
"From max2protect we were carrying out a campaign to promote
our products through mailing, the databases for sending
these mailings are purchased from the central communication provider and also
taken through public internet pages.
In the first image that we provide you can see that in the newsletter itself
can be disabled. This user has 6 email accounts, but only
disabled one of them as you can see on our server panel
emails (second image) and that is why it continued to be sent to the others
accounts.
Through your notification we have learned that this person does not want
receive any information from our company thus on the same day
that we were aware of it, it was manually removed from our file
as you can see in the third image”.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/6
FOURTH: On 04/12/22, by the Director of the Spanish Agency for
Protection of Data, an agreement is issued to admit the processing of the claim
presented, in accordance with article 65 of the LPDGDD Law, when assessing possible
rational indications of a violation of the rules in the field of competences
of the Spanish Data Protection Agency.
FIFTH: On 05/12/22, this Agency issued a request
information to the claimed party, under the investigative powers granted
to the control authorities in article 58.1 of Regulation (EU) 2016/679, of
European Parliament and of the Council, of 04/27/16, regarding the Protection of
Natural Persons with regard to the Processing of Personal Data and the Free
Circulation of these Data (RGPD).
SIXTH: On 05/24/22, a response letter was received from the entity
claimed to the information request made by this Agency, in which, among
others, indicates:
"We bought the datantify database: https://datantify.com/ It is possible that the
User, by leaving his email on a website, accepted the privacy and cookies policy
"I have read and accept the privacy policy" "accept cookies" of said website,
transferring your personal data to third parties, therefore, the providers of the
bbdd have said access and can use it for buying/selling.
The "bbdd" that we buy are segmented by sectors, in this case, the
health. The users that come in said database are related to the
health sector, either because you visited a website, filled out a form, requested
a quote, etc., our company sells a covid test and that is why we send you
the mail.
We did not receive any email from the owners to oppose, we found out
who did not want to receive our newsletter when you sent us the
notification and it was when we looked at mailrelay and saw that on 01/20/22
described from one of the accounts, but not from all of the ones he has, so he
we did manually that day”.
SEVENTH: On 06/07/22, the Board of Directors of the Spanish Agency for the Protection of
Data signs the initiation of this disciplinary procedure against the entity
claimed, when appreciating reasonable indications of violation of article 21 of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (LSSI), regarding the sending of commercial communications without the
necessary legitimation for this, imposing an initial sanction of 4,000 euros (four
a thousand euros).
EIGHTH: On 06/20/22, the defendant entity formulated, in summary, the following
allegations to the initiation of the file:
“Max2protect bought a database that the seller said was
lawful No user we sent an email to complained about the email sent
since any of them who did not want to receive more emails from us
You could unsubscribe at the bottom of the body of the email sent (image 1).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/6
This user had 6 different email accounts (image 2) and that is why he
6 emails arrived in one day, one to each account, but only unsubscribed
in one of them, the other 5 accounts remained active until we received
your notification and we manually remove the other 5 accounts from our
database to not receive any more mail from us. The
user complains because he received 6 emails, but it is because he has 6 accounts, for
please take it into account. We have not done anything illegal nor have we intended to do so.
NINTH: On 07/22/22, the respondent entity is notified of the proposed
resolution in which it was proposed that, by the Director of the Spanish Agency for
Protection of Data proceed to sanction the entity, in accordance with the provisions of
Articles 63 and 64 of Law 39/2015, of October 1, on the Procedure
Common Administrative Council of Public Administrations (LPACAP), with a sanction
of 4,000 euros (four thousand euros) for the violation of article 21 LSSI, for sending
commercial communications without the necessary legitimacy for it.
Once the proposed resolution was notified to the claimed entity, as of today, there is no
evidence in this Agency of the receipt of any type of written allegations to
said proposal.
PROVEN FACTS
First: According to the complainant, he receives spam emails from
covidtest@antigenos.es whose ownership belongs to the entity Max2Protect SL, and indicates
that this entity was already fined by the AEPD for similar acts in the
procedure No.: PS/00170/2021. To corroborate what was said in the claim,
Attach the following documentation:
- The screenshot of the inbox of the mail accounts
e-mail (ALL INBOXES) in which reference to six emails
incoming emails from “B.B.B.” and with the subject: “Test
Nasal-antigens-saliva-swab from 2.9…”
- Screenshot of the headers and content of a dated email
01/12/22, sent from the address covidtest@antigenos.es to the address
email of the claimant with the subject: "Test Antigens-nasal-saliva-
swab from 2.95”.
Second: The legal notice of the website www.antigenos.es identifies
MAX2PROTECT, S.L. as responsible for it. This website has a
privacy policy that offers an electronic address where to exercise the opposition or
request the revocation of consent.
Third: According to the claimed entity, the email addresses for the
sending this advertising are purchased from the central communication provider
(DATANTIFY) or are obtained from public Internet pages.
In the document provided as "Privacy Policy", together with the letter of
allegations to the initiation of the file can be read, among others, the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/6
2. How do we collect your data? Some are collected when you give them to us.
provides. Other data is collected automatically by technicians,
as the browser and the automatic operating system as soon as it enters
our website (…)”.
Notwithstanding the foregoing, the claimed entity does not provide accreditation of the
consent given by the claimant for the remission of commercial emails.
FUNDAMENTALS OF LAW
I - Competition.
It is competent to initiate and resolve this Disciplinary Procedure, the Director of
the Spanish Data Protection Agency, in accordance with the provisions of the
art. 43.1, second paragraph, of the LSSI Law.
II.- Regarding the offense committed by sending advertising emails without
consent of the interested party.
In the present case, the claimant states that he has received 6 emails,
but it only provides the internet headers of one of them
For its part, the claimed entity acknowledges the sending of the communications and indicates
that you bought a database that the seller said was legal.
It is also indicated that, in the emails, it is reported that, if you do not want to receive more,
You can unsubscribe at the bottom of the body of the email sent and that 6 emails were sent
emails to the claimant because the claimant had 6 accounts.
However, all of this, the defendant does not provide proof of consent
provided by the claimant for the sending of commercial emails and the
purchase contract for the database, which he claims to have purchased and where
found the complainant's email address.
In this sense, article 21 of the LSSI, on the sending of communications
without the prior consent of the interested party, provides the following:
"1. The sending of advertising or promotional communications is prohibited
by email or other equivalent electronic means of communication
that had not previously been requested or expressly authorized by
the recipients of these.
2. The provisions of the previous section shall not apply when there is a
prior contractual relationship, provided that the provider had obtained
lawful contact details of the recipient and will use them to send
commercial communications regarding products or services of your own
company that are similar to those that were initially the subject of
contracting with the client.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/6
In any case, the provider must offer the recipient the possibility of
oppose the processing of your data for promotional purposes through a
simple and free procedure, both at the time of data collection
as in each of the commercial communications that you direct.
When the communications have been sent by email,
said means must necessarily consist of the inclusion of an address
email or other valid electronic address where you can
exercise this right, being prohibited the sending of communications that
do not include that address.”
In accordance with the available evidence, it is considered that the
facts exposed, suppose the violation of article 21 of the LSSI.
The aforementioned offense is classified as minor in art. 38.4.d) of said
rule, which qualifies as such, "The sending of commercial communications by mail
electronic or other equivalent electronic means of communication when in said
shipments do not meet the requirements established in article 21 and do not constitute
Serious offense".
In accordance with the precepts indicated, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction to be imposed in
In the present case, it is considered appropriate to graduate the sanction to be imposed in accordance
with the following aggravating criteria established in article 40 of the LSSI:
- Section c): Recidivism for committing infractions of the same
nature, when it has been so declared by firm resolution: It appears in the
Information System of the General Subdirectorate of Data Inspection
(SIGRID) a Disciplinary Procedure (PS/00170/2021) in which, dated
of 08/16/21, the Director of the Spanish Data Protection Agency
resolves to impose on the entity, MAX2PROTECT, S.L., for the infringement of the
Article 21 of the LSSI, a penalty of 2,000 euros (two thousand euros), with respect to the
sending commercial communications without the express consent of the same
addressee. Said sanction was finalized in administrative proceedings on 10/17/21.
Pursuant to the foregoing, the Director of the Spanish Agency for
Data Protection,
RESOLVES:
FIRST: IMPOSE the entity, MAX2PROTECT, S.L. with CIF.: B88606355, a
penalty of 4,000 euros (four thousand euros) for the violation of article 21 LSSI, for
sending commercial communications without the necessary legitimacy for it.
SECOND: NOTIFY this resolution to the entity MAX2PROTECT, S.L
THIRD: Warn the penalized party that the sanction imposed must make it effective
once this resolution is enforceable, in accordance with the provisions of Article
Article 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/6
939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by depositing it in the restricted account No. ES00 0000 0000 0000
0000 0000, opened in the name of the Spanish Data Protection Agency in the
Banco CAIXABANK, S.A. or otherwise, it will proceed to its collection in
executive period.
Once the notification has been received and once executed, if the execution date is
between the 1st and 15th of each month, both inclusive, the term to make the payment
voluntary will be until the 20th day of the following or immediately following business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediately following business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative procedure (article 48.6 of the
LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, interested parties may optionally file
appeal for reversal before the Director of the Spanish Agency for Data Protection
within a month from the day following notification of this
resolution or directly contentious-administrative appeal before the Chamber of
contentious-administrative of the National Court, in accordance with the provisions of the
article 25 and in section 5 of the fourth additional provision of Law 29/1998, of
July 13, regulating the Contentious-administrative Jurisdiction, within the period of
two months from the day following the notification of this act, according to what
provided for in article 46.1 of the aforementioned legal text.
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public, the firm resolution may be temporarily suspended in administrative proceedings if
The interested party declares his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative proceedings within a period of two months from the day following the
Notification of this resolution would terminate the precautionary suspension.
Mar Spain Marti
Director of the Spanish Data Protection Agency.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
