AEPD (Spain) - PS/00315/2020

From GDPRhub
AEPD (Spain) - PS/00315/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 28 GDPR
Article 29 GDPR
Type: Complaint
Outcome: Upheld
Decided: 17.08.2021
Published: 02.09.2021
Fine: 100,000 EUR
Parties: SIGNALLIA MARKETING DISTRIBUTION, S.A.
National Case Number/Name: PS/00315/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Carmen Villarroel

The Spanish DPA fined a processor €100,000 for not complying with its obligation to delete and return all the personal data it held, as well as any existing copies, to the controller after ending its services as a processor.

English Summary[edit | edit source]

Facts[edit | edit source]

The company EHR, dedicated to tourism and hotelier services, hired another company, Signallia, dedicated to software and computing services, to manage their data and servers. The data processing agreement between them stated that Signallia had to give back EHR all data and copies obtained or processed for them, as their relationship ends.

Accordingly, when EHR decided to move their servers to an internal place they instructed Signallia to return to them all their data. However, the processor did not follow the request and instead asked the controller to pay the debts they had with them. The controller argued that the processor had debt with them as well and that they had lodged a legal claim before the courts. The legal claim was targeted at getting back data, including those of the clients of their hotels.

Even though the processor communicated to the controller that they would handle over the data, a month after such communication no data was received. Therefore, the controller lodged a complaint with the Spanish DPA (AEPD). Again, the processor offered the controller to handle the data over in a 5TB hard disk, which they did not do, alleging organizational problems.

This behaviour caused huge losses to the controller, who could not access their servers and data during a long time.

Holding[edit | edit source]

The AEPD stated that the controller cannot exercise a right to access, which is a personal right that belongs to the data subject, and that the controller can only compel the processor to comply with its legal obligations.

The AEPD also remarked that the controller cannot give the processor direct and specific orders about the processing of the data itself, as the processor acts on behalf of the controller, but not under its direct control. Therefore, the processor still has some degree of autonomy on how to process the data to comply with its obligations and the controller's interests.

Nevertheless, the AEPD concluded that there had been a violation of Article 28(3)(g) GDPR, that obliges the processor, at the choice of the controller, to delete or return all the personal data, as well as existing copies, to the controller after the end of the provision of services relating to processing. For not complying with this obligation, the AEPD fined the processor €100,000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                                 1/20








     Procedure No.: PS / 00315/2020

                RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:

                                   BACKGROUND


FIRST: EXCEL HOTELS RESORT S.A. (hereinafter, the claimant) dated
07/12/2019 filed a claim with the Spanish Data Protection Agency.
The claim is directed against SIGNALLIA MARKETING DISTRIBUTION, S.A., with
CIF A76539030 (hereinafter, the claimed one). The reasons on which you base the claim
are "the malpractice of the claimed, upon terminating a contract for the provision of services

and deny us access to our own servers, access to our keys,
in addition to refusing to return all the data of our entity causing
serious damage to our systems, our personnel, as well as great damage
economic as all work systems are paralyzed ”.


He states that on 04/29/2019 he sent a burofax to the claimed requesting the change of
servers to the company's facilities under a contract for the provision of
services signed on 07/01/2011 (copy of the contract attached).

In the copy of the literal of the burofax, document 1, it is indicated: “As we have

revealed, it is our intention to change where you are
our company's servers are stored in such a way that they become
located in our central offices and illicit access to the information that
It is housed in them. Although the truth is that today they are doing
disregarding our request, pretending to misappropriate our
computer equipment and the information that is housed in them, therefore

We warn that in case they do not proceed to make the
company servers within the non-extendable period of 5 days we will see you at the
obligation to report the facts ”. In delivery it appears: "not delivered, left notice".
A second attempt consists of "not delivered due to surplus-not withdrawn in office."


He states that on *** DATE.1, his company suffered a fraud attempt by impersonating
someone the email account, email address, of your financial advisor, suing
through a collaborating company that will deposit an amount in an account in
a bank. The respondent was notified of this circumstance because she was in charge of the
treatment of computer systems and those that had access to the servers of your

company. On this matter, provide a copy of document 2, of *** DATE.1, written to
claimed, in which he informs him and asks for explanations of what happened, adding “Les
We reiterate that once the contract for the provision of services is terminated,
They are obliged to return the servers and provide us with the keys of
access by refraining from accessing our servers ”. His delivery is unknown
effective.


It states in the claim, “from this day and the contract for the provision of
services signed on its day (day of termination of the contract *** DATE.2) you are requested to
This entity has the obligation to return the servers to us and provide us with the ac-

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/20








I cease to them ”. Attached document 3, written by the complainant addressed to the complainant,
of *** DATE.3, entitled "Notice of non-payment for the provision of the service contracted between
the parties on 07/1/2011 ”and states in English that the claimant owes him € 409,724.50,

of what has already been informed, and that if it is not paid before 05/14/2019, “they will cease
in the provision of the service on *** DATE.2, suspending all activity and operations
nes ". He expresses the continuous delays in the payment of the invoices issued by his company
ñía to the claimed, informing that this amount has been accumulated since January 2017 by
the services provided. It tells him that “after a series of lawsuits urged on
claimed in recent months, they are forced to claim the amount.


In document 3-1, which is provided, entitled "Reply to the letter of *** DATE.3", the
claimant in writing of *** DATE.4, shows her surprise at the fact that she
he is owed "an amount greater than 10 million euros". Informs you that they have inter-
filed a lawsuit against them and indicates that they have breached the “obligation to

make available to the claimant the servers of their property, a matter that is
causing serious damage to society and refuse to provide the password of ad-
minister that allows us to operate with our computer equipment, a matter that
it is a breach of the aforementioned contract ”.

It also reports that “we have recently detected that there has been a

Impersonation of the claimant's workers to order third parties
that payments are made in current accounts that are not owned by the entity, which
which constitutes a serious fraud attempt. "

“Although we have asked them for the precise keys to be able to carry out an

vestigation of what happened today they have not provided us with these keys in a way that
We must access the system to carry out the corresponding inquiries. Hereby
we exercise our power to terminate the aforementioned contract so that from
On the date of receipt, no amount will be accrued for the provision of the indicated
two services. "


“We ask your technicians for precise instructions so that they refrain from contin-
n Continue providing computer services and proceed to return the computer material to us
of our property that was delivered to them at the time of signing the agreement.
treatment." Effective delivery of this document is unknown, as proof is not provided
of reception.


Declares in the claim that on 06/14/2019, the claimant sent a burofax to the
claimed informing you that the non-delivery of your servers and keys has meant a
serious damage to them and that they will file a complaint with the Spanish Agency for
Data Protection. Provide a copy of the document, without accrediting a sample of its delivery.


Indicate as damages suffered.

        -Since Friday 7/06, the claimant had no access to the systems
related to accounting, he was only left with the possession of copies of some

data from the newspaper of each company.

        -The program provider informed the claimant that it would take a minimum of
one week to restore the installation of the programs: Account, payment management,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/20








bank reconciliation, fixed assets and accounting transfers. This meant that by not
recover the historical data, the information was lost in digital format for the

accounting records.

        Short term:

        - Impossibility of complying with the obligations of the SII system, they had to declare

all invoices within 8 calendar days after issuance.

        -In the same way, to reduce the IGIC in the monthly declaration, you must inform
on all the invoices received, the date to make the declaration of data of
Deductible bills on June 15th. This means that the claimant will have to

pay this month more IGIC to the Canary Islands Tax Agency,

        -Difficulties in preparing draft accounts as of 05/31 that should have
completed.


        -ATECRESA informed the claimant that it would take up to 6 months to recover
the operability of the system, which implies that they have not been correctly assessed
inventories and the F&B cost posting to be delayed.

        -It has not been able to issue certified payments so the payments have been made

by transfer or issuing a stub, which is time consuming.

-Problems to complete the audits of the claimant.

        -The claimant did not have and does not have data to present to any inspection

State or Canary Islands Treasury.

Long-term:

        - delays in preparing and filing taxes, penalties and fines

associated

        -Impossibility of carrying out business analysis to prepare projections.

        - Lack of digital support for accounting for depreciation of fixed assets.


        -Additional expenses related to reinstalling work applications
additional technicians

Along with the claim, it provides:


-Copy of a service lease contract dated 07/01/2011, including a
party as client, SILVERPOINT HOTELS AND RESORTS SA, CIF A-38083101, and
as service provider SILVER POINT VACATION SOLUTIONS SA, CIF A-
76539030, in which it is entrusted with the provision of prevention services, maintaining

maintenance and advice of computer equipment in the telecommunications environment
tions and informatics.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/20








-Copy of document 4 of the complaint of the claimant before the Police, date
05/23/2019, for attempted fraud through identity theft suffered on
*** DATE.1, which was finally not consummated, when it was detected that it was an operation

fraudulent ration.

It is indicated in point 4 of the complaint that a report from the company SIGNA-
LLIA, in charge of the administration and management of the company's computer systems
claiming dam, in which, among other information, it states that it was the account of the
Claimant's financial director had been the target of a cyber attack.


-Provide a copy of document 5 of the complaint of the claimant to the Police, on 06/07/2019,
against the one claimed for professional malpractice and fraud, without more documentation than
disclose reasons.


- Provide document 6, of 06/13/2019, written from claimed to claimant entitled “car-
response "request for data based on arc rights". "After the
legal term of 30 days established in the letter delivered by the representative of the
clamoring -in our offices on May 14, 2019 we have easily accessed
List the data that our company maintains of EXCEL HOTELES Y RESORTS SA. "
“Given their volume and for internal technical reasons of Signallia said in-

training will be made available to you 10 days from the sending of this
letter".

-Provide document 8, written claim to the claimant, dated 06/20/2019, in which
indicates:


“In order to provide the requested information and comply with the Protec-
tion of Data, our company informs you that we have more than 5 terabytes of data
cough ... The computer security team tells us that the safest way to
to treat such data is to follow the following steps… ”purchase a hard drive with a

minimum memory capacity of 5 terabytes, to be delivered to the specific offices
Since the download time will be two working days, you would be provided with a
name and password to the authorized person and that once the hard disk is delivered and
its reading is confirmed, the complained party would proceed to erase said data.

-Provides document 9, consisting of "XL equipment report" forms

with PC name, manufacturer, model, and operating system and serial number, date
bios, 8 sheets. Also contained, document 10, a list of equipment description
computer, including, among others, servers and year of purchase and purchase prices,
prepared by the claimant and which are communicated internally on 04/25/2019, with the
text “Please try to find the invoices for the newest servers. Everything is-

so active in Central ”.

-Provide document 12, email copy, 07/01/2019, from an employee of the
claimant with a copy to two employees, addressed to gacacostaytorres.com, possibly
their advice or similar, indicating that they have designated two people to attend the

offices of the claimed, to, with a hard drive, try to recover the data. I ad-
he puts together a prepared letter in case he sees that something needs to be added. Emails follow
precedents on 06/28/2019, in which the person from gacacostaytorres.com, in


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/20








the same issue of "monitoring delivery of data by SIGNALLIA to EXCEL"
referred to the importance of getting the data and the obstacles they put.


-Copy of a letter of 07/01/2019 from the claimant to the claimed, indicating in reference-
reference to the burofax received on 06/20/2019, where they indicated the procedure below
guide to treat the data in the safest way, "we deliver a disc
hard ”it indicates how to deliver the password, according to the email received on
06/27 sent by A.A.A. (of the claimed party) where the requirements are extended to us.


"In order to access said data, we want to state that SIGNALLIA does not
may be exempt from liability once you have delivered the data as you
des request because some open procedures are in process on this cause. "

-Copy of an email dated 07/1/2019 in which an employee of the claim-

It informs other people, including gacacostaytorres.com with a copy for two
people of the claimant: “I am attaching you an email with the data that occurred today at the
Na designated when two of our EXCEL employees have gone with the hard drive
to recover our data. I would be grateful if you could inform us of how we should proceed.
der after these events. We have written in the email below ”. I attached
ta the explanation given in turn by email from the people who came to

var the hard disk, indicating “at 12:30 we have traveled to the SIG-
NALLIA in order to deliver the external hard drive “We have stated our intention
tion of leaving the external hard drive, and we have been informed that A.A.A., supposedly
the top manager has left the offices and that they do not have the authority to
cibir delivery ... "


-Copy of email of the maximum responsible for the claimant, to the claim-
7/1/2019 stating “Please can you fix this, our employees have
I came back to their offices and they have not been delivered what my team requested
you have the authorization to pick it up. "


SECOND: In view of the facts denounced in the claim and the
documents provided by the claimant, dated 09/25/2019, is transferred to the
claimed copy of the claim, instructing you to report on the decision you have
adopted on the claim, causes that have motivated the incidence and measures
taken.


According to the postal certificate, the shipment was delivered on 10/21/2019 and was not attended on
request.

THIRD: On 12/23/2019, the admission for processing of the

claim.

FOURTH: On 01/30/20120, in the preliminary investigation phase
For the clarification of the facts, information is required from the claimed,
requesting if the data has been returned, and if not, report the causes that

motivate that they have not been returned, warning you of what the regulations establish
on data protection on the responsibility of the person in charge of the treatment.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/20








The shipment was sent electronically, resulting in “automatic rejection” “date of posting
available on 01/30/2020 automatic rejection date 02/10/2020. "


On 02/18/2020, the respondent is required again, warning of the obligation
to communicate telematically with the administration. The shipment that this time
it is carried out, exceptionally, in order to obtain the information, it is carried out through
from the postal service, to the address Avenida San Francisco, urbanization Oasis sur
3865, Los Cristianos, Arona, Santa Cruz de Tenerife (same address as above-
mind was collected) and it turned out: “returned to origin by unknown on 03/06/2020”.


On 03/31/2020, a written letter is sent to the respondent,
*** ADDRESS.1, *** LOCALITY.1 (*** PROVINCE.1), address of the Mer-
cantil, giving result "Returned to Origin by Unknown on 06/22/2020".


FIFTH: Entering the data of the claimed in GOOGLE, it appears that in the
BOE of 10/24/2020, an edict of the Commercial Court No. 2 of
*** PROVINCE. 1, in which the reference of the claimed party is indicated, incurs in the
bankruptcy grant no. *** PROCEDURE. 1, in which an order of *** FE-
CHA.5, rectified on 10/13/2020, declaring the bankruptcy of the company SIGNALLIA
MARKETING DISTRIBUTION S.A., CIF A76539030.


He is designated as bankruptcy administrator B.B.B., indicating his address.

It is indicated that the opening of the liquidation phase has been agreed.


SIXTH: The complained party, as of 10/5/2020, does not have any penalty entry
previously in the SIGRID application that manages the claims of the AEPD.

SEVENTH: In the “monitoriza Business” application, the claimed one appears, constituted the
03/03/2011, last year presented 2017, SME size, agency activities

travel sales: € 7,764,059.

EIGHTH: On 12/10/2020, the director of the AEPD agreed:

       "START SANCTIONING PROCEDURE for SIGNALLIA MARKETING
DISTRIBUTION, S.A., with CIF A76539030, for the alleged violation of article

28.3.g) of the RGPD, in accordance with article 83.4.a) of the RGPD. "

       "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, of the
Common Administrative Procedure of Public Administrations, (as
hereinafter, LPACAP) the corresponding sanction would be an administrative fine

100,000 euros, without prejudice to the results of the instruction. "

       "NOTIFY this agreement to SIGNALLIA MARKETING DISTRIBUTION,
S.A., with CIF A76539030, through the bankruptcy administrator, B.B.B., "


The defendant made no allegations.

NINTH: On 06/03/2021 the trial practice period begins, agreeing:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/20








Assume reproduced the claim and its documentation, the documents obtained
and generated by the Inspection Services of the claimed.


   As additional evidence, it was requested

1) To claimant: What was the legal act by which the name of the name was changed?
signatory, client, of the 2011 service lease agreement, with the claim
mada, since in the same figure: SILVERPOINT HOTELS & RESORTS SA, then in
subsequent writings EXCEL HOTELS & RESORTS SA.


On 06/11/2021 a response was received indicating that on 12/21/2010 the
denomination to SILVERPOINT, provide document 1, to change to EXCEL HOTELS
on 02/08/2013, with a copy of document 2.


2) To the claimant, in their claim they provided several burofax and letters addressed to the
claimed, warning of the end of the relationship for alleged breach. Is requested
that provide proof of receipt of the shipment and its content by the claim
mada of that communiqué, and expanded the causes that motivated the resolution of the
contract, and if the other party has challenged any point of it in court.


Provide a copy of document 3, letter of 06/13/2019 of the claimed addressed to the
claimant (already commented in the antecedents) explaining that after the deadline
of 30 days established in the letter delivered by the claimant to their offices on the
do 14/05/2019 “we have agreed to provide you with the data that our company“ maintains
ne ”of the claimant, and“ given their volume and for technical inter-

nas "of the claimed" said information will be made available to you 10 days from
since the sending of this letter. "

Provide document 4, which was also attached to the claim, writing in which
the claimed, on 06/20/2019, indicates to the claimant that he has the data of his

systems and that due to the size suggests the way to deliver them,

Document 5 that it provides is a letter from the complained party about the interference in the
email account of an employee of the claimed, facts that were reported
by the claimant. Discuss the meetings held with the claimant on the
affair.

It states that the defendant breached a marketing and reservation agreement and
when "we terminated that contract," they canceled our access to the servers,
which led to the termination of the computer maintenance contract ”. Attached
document 6 mp3 format, a 2.25 minute sound file with a conversation
between two people, the caller who belongs to the hotels and the caller. The one who called

ma indicates that they have run out of computer access and the other party states that they obey
gives orders, the caller talks about damages to the company and customers and explains that
They have canceled their reservation, commercialization contract, not the IT one, and
they can't do this. The other part says that it will probably reactivate again,
if he receives the order.


3) A claimed and claimant, what type of personal data were managed
for the claimed, which periods covered and how many hotels.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/20








Claimant indicates that: “Nationality, name and surname, postal address, telephone
mobile, email and date of birth "


The insolvency administrator of the defendant indicates that he is aware that “months prior-
res to the declaration of the contest, 07/28/2020, the company no longer had any activity
na, nor were there workers in it ”, and that he does not have information on the questions
raised, trying to obtain them from the director (whom he identifies) of the department
IT period until 12/31/2018 (that is, when disagreements occur and the
question of the return of the data was not valid) and answers that it was data from

clients, containing nationality, names, addresses, telephone numbers, co-
e-mail addresses, and in certain cases dates of birth and marital status, for five
hotels that it identifies. The data stored was from 2012.

4) To the claimant and claimed, if the defendant issued orders and instructions on

the processing of personal data that were managed through the ser-
vidores, copy of some. And if you didn't have problems with copy issues before
security, access etc.

Claimant manifests that it provides document 7, communication on instructions on
The treatment of the data that SIGNALLIA "indicates to us on 06/20/2019",

which is already mentioned in the present antecedents.

Claimed indicates that data access was made solely on the basis of need
to know them. In 2017 the customer's “marketing data was migrated to the system in
“Salesforce” cloud and reservations and PMS systems to “SIHOT” (hotel management system).

lera) stored in a virtual environment on Oracle servers, and there were no problems
with backup or access.

5) A claimed and claimant, who owned the servers in which the
claimed stored and managed the claimant's information, and for reasons

Is it possible that the claimant asked the respondent to transfer them?

Claimant indicates that they were owned by him and that "that is why he requested their transfer."
an internal email in which on 05/14/2019 the CFO communicates to XX (high
responsible for the claimant) a list with a description of assets, years of purchase and
price, including servers that are said to have invoices underlined in green,

and others that "we can prove that we bought it".

Respondent states that she was the owner of the servers, and that the rest cannot
answer for being on medical leave at that time.


6) A claimant and claimed, if the computer equipment that appears in the sheet “infor-
me of equipment "were owned by the claimed and where they were physically located" and that
use was given to them.

Claimant indicates that they were owned by him, and were located as referred to, in different

Red hotels, up to four, plus the central one, identified by their initials. Attached documents
Item 8 that relate equipment and invoices.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/20








Respondent states that she does not know the sheet that is cited, but “SIGNALLIA possessed and
managed teams both locally in their offices and in the service rooms.
res, but also in the server rooms located in each of the hotels. "


7) To the claimant and claimed, which is why at least one of the copies of security
rity was not available from the claimant herself. If they currently have contracted
similar services and if they have changed their way of having access to files and
databases.


It declares to the claimant that in the lease of services of
07/01/2011 in the first clause, three, was established as a task covered by the loan
tary backups, backup policy management, and cus-
all of them.


"Currently we have our own servers and also services contracted to companies
that offer us different products, against which we have creden-
cials that allow us to manage them ”.

“We have our own network and all the teams from both the hotels and the
Central have administrative accounts ”of the claimant.


“Now we have an internal IT department of the company's own, credentials-
team administrators, own network managed by the department, figure-
We as authorized persons before the companies that provide us services, creden-
cial to be able to manage users, passwords, profiles, emails, etc. ”.


The respondent indicates that it has not obtained information on the matter, however “SIG-
NALLIA stopped paying Salesforce invoices months before the declaration of the
contest "


8) A claimant and claimed, how the aspect to which it was
referred to in the claim of the keys or passwords, in some points they refer to
“The administrator password that allows us to operate with our computer equipment
ticos ”which was what said password allowed, who made use of it by the
claimed or in the claimant and, who changed and how often it changed
this key and by whom. What was the sense that the key of the teams was in

power of the processor.

The complainant states that the administrator password referring to computers would allow
make changes to computers such as installing applications, changing settings
network and generally any changes that a normal user should not be able to make in

a corporate team for operational and / or safety issues.

The administrator password referring to the servers with user control and contra-
corporate signatures would allow you to create new users, delete them, block them, assign them
to one complex or another, reset passwords when they forget them etc.


The administrator keys of the network systems allow to apply network changes,
create subnets, manage Wi-Fi, enable new networks, monitor the network
to see if there are security problems etc.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/20









“Before it was completely dependent on each and every one of the systems and even on all-
two and each of the services, even though they are third-party as well, since those who

they had the keys to those services and were listed as authorized persons
neither were they from EXCEL HOTELS AND RESORTS SA.

Claimed indicates that, within the security protocol, each user had their own
Pious passwords that were forced to change at least every three months.


9) To claimant and claimed: Report if any judicial matter related to
sworn with this claim or has fallen a ruling on liability, compensation
tion etc. on these facts, with a copy of the ruling. The claim contained a
Announcement against the claimed or with eventual debts included in the bankruptcy
creditors of the claimed


Claimant indicates that apart from the fact that his credit is "recognized" in the contest
of creditors, there is no other pending matter, and claimed indicates that it has not
received no judicial notification related to the matter.

10) To the claimant, and claimed, it is appreciated that a process of attempt to enter

delivery of the data that the claimed handled of the claimant. You want to know if
finally the data is delivered, with proof of what was delivered, and date.

Claimant indicates that the then administrator of the claimant “signed a receipt from
a hard drive, but pending confirmation and verification that never occurred

because information was missing ”. Provides document 9 in which XX, high person responsible for the
claimant sends a written request to the claimant, dated 07/25/2019, stating that he confirms that he has
received the hard disk with the data that were kept by the claimed and that has
to check and verify that all the data are there and the confirmation would be sent to the
claimed that all data has been successfully transferred.


They provide document 10 which is an internal email dated 07/26/2019 in which an employee
tells XX “we need to know with which tool the data has been encrypted and
some technical details that supposedly “they were going to send us in an e-mail”, and added
give the screen impression of a conversation by “whatsapp between our infor-
and that of the claimed one ", in which it says" I have the external hard drive and I see that there is

a 3tb file with no extension. I understand that it will be encrypted ”, and asks what tool
lie was encrypted. The other party asks if the details were not provided, to which they respond.
from, "only hard drive and password", to which the other party replies that they have to speak
with another person, everything has to be through him.


The respondent indicates that it does not offer information on this point, “as it is not part of
This process"

TENTH: On 07/06/2021, a resolution proposal was formulated, with the literal:


“That the Director of the Spanish Data Protection Agency sanctions
SIGNALLIA MARKETING DISTRIBUTION, S.A., with CIF A76539030, for a
infringement of article 28.3.g) of the RGPD, in accordance with article 83.4 b) of the


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/20








RGPD, and article 74.k) of the LOPDGDD, a fine of 100,000 euros, of
in accordance with article 83.2.a) of the RGPD and 76.2.b) of the LOPDGDD.) "


No allegations were received within the time allowed to make them.

                                PROVEN FACTS:

1) The claimant, who manages the management of four hotels, states in her
claim that your company “has been affected by the malpractice of the claimed

by terminating a contract for the provision of services and denying us access to our
own servers, to access our keys, in addition to refusing to return
all the data of our entity causing serious damage to our systems, to
our staff, in addition to great economic damages when everything is paralyzed
our work system ”The personal data that were managed by the claimed

were those of: ”Nationality, name and surname, postal address, mobile phone, e-mail and
date of birth"

2) The claimant, (formerly known as SILVERPOINT VACATION SOLUTIONS SA)
subscribed on 07/1/2011 contracted with the defendant the lease of services of
prevention, maintenance and advice of computer equipment in the environment of

telecommunications and information technology, in order to assist in operational needs
and performance. As clauses, the most important ones are meant:

-Object: Provision of preventive and corrective maintenance services for equipment
client's computer software, which are listed in ANNEX 1 in the networks of

telecommunications. In the support service provided, it included the problems of
access to the network of all computer equipment, remote access to e-mail
corporate, or adequate access to files and programs (first clause 1.2),
manage the backup policy and safeguard them and act as
interlocutor in all technical aspects with the different service providers

telecommunication. The service would be provided 24/365.

In the contract, the third clause provides that the duration of the contract was initially
for two years, until 06/30/2013, with tacit extensions for periods of one year, if not
there is a complaint 30 days before the corresponding expiration date.
It also provides for the resolution for breach of any of the stipulations,

the compliant party giving the other five days advance notice.

In the 12th clause, it adds: termination of the contract: “any of the parties may give
terminate this contract at any time during its duration through
written communication to the other party not less than two months in advance of the

interested termination date. As causes of resolution are indicated in addition to
the general ones of the commercial and civil code, "those derived from non-compliance by
part of the client of the obligations contracted by virtue of the contract "

The 11th clause entitled: "Data Protection", states:


“As a consequence of this contract for the execution thereof, the borrower
will have access to personal customer data that are subject to the
legal regime provided by LOPD and its implementing regulations. For such purposes in

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/20








compliance with the provisions of article 12 of the LOPD, the borrower
expressly manifests and undertakes to use and process the data with the sole and
exclusive object of complying with this contract, following in any case the

instructions received from the customer. Expressly refrain from giving the data
any use other than the one agreed and in particular refrain from altering them, using them
for your own business interest, or communicate them or allow access by third parties to
the same not even for their conservation. In the event that I had to
communicate the data to a third party for the development of this contract, the borrower will
will notify the client so that he can sign a contract with said third party.

Observe the maximum confidentiality of reservations regarding the data that are
provided by the client regarding the development of the object of this contract
agreeing not to disclose any third person any of this data, thus
like any other information that has been provided regarding the company. TO
return to the client, once the provision of services object of the present has concluded

I contract all the documents and files in which all or
some of the data whatever its medium or format, as well as copies of
these."

-Ninth clause: "levels of compliance with services": The client will determine the
organization of the services to be provided by dictating those generic norms necessary

for a normal and optimal exercise of the services, remaining in any case in favor of the
borrower the faculty of management and coordination of the service and personnel
in charge of the provision of the same. "

3) In document 1 of the claim, the claimant asks the respondent for the

04/29/2019 as "contract instruction", "that as we have put
repeatedly manifest "," it is our intention to change the place where
the servers of our company are stored, so that they pass to
be located in our central offices "" today they are paying attention
disregarding our request ”, announcing that if the servers are not made available to you,

criminally denounced. The claimant does not provide evidence that
delivered to the claimed.

4) The parties by disagreements, decide to resolve their relationship. There is a writing of
claimed, document 3, of *** DATE.3, which indicates that, if you do not pay what is
owes you, will terminate the contract with effect date *** DATE.2, responding to the

claimant to the claimed in writing of *** DATE. 4 that the counterpart owes them a
amount greater - greater than 10 million euros - in document 3-1, entitled
Reply to the letter of *** DATE. 3. Informs you that they have filed a lawsuit
against them and indicates that they have breached the “obligation to make available to the
claiming the servers of their property, an issue that is causing a serious

detriment to society and refuse to provide the administrator password that we
allows us to operate with our computer equipment, an issue that represents a
breach of the aforementioned contract ”.

5) The complainant had access to the complainant's servers and this is how it is derived

also of the investigative actions carried out by the respondent in order to
scam attempt to hack the email account of an employee of the
claimant, who was brought to the attention of the Police on 05/23/2019. In these
investigations collaborated the claimed, being at the same time denounced by the claimant

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/20








later before the Police, on 06/07/2019, for professional malpractice and fraud, without
more documentation revealing the reasons. The result is unknown as there was no
The parties stated nothing, only in evidence they reported that they do not have

judicial pendency for any issue between them, except the inclusion of credits of the
claimant in the contest of the claimed.

6) The representative of the respondent indicated that it “owned and managed equipment
both locally in their offices and in the server rooms, but also in the
server rooms located in each of the hotels. "


7) The claimant provides an extensive list of computer equipment that was
located in different hotels that managed the claimed, as well as servers,
that accredits are owned by them that were managed within the commission contract
treatment.


8) In document 6, dated 06/13/2019, the respondent indicated to the complainant: “petition for
data based on arch rights "" After the legal period of 30 days has elapsed
established in the letter delivered per day to our offices on 05/14/2019
we have agreed to provide the data that our company maintains about EXCEL
HOTELES Y RESORTS SA. " "Given their volume and for technical reasons

internal SIGNALLIA said information will be made available to you 10 days after
count from the sending of this letter ”. "

9) On 06/14/2019, the claimant, in a letter, indicated to the respondent: “the
time of the response period of the right of access ”that the claimant filed the

05/14/2019 to the claimed one, and that it still does not deliver the data or return the
servers or provide the access codes to access the system, and that the
Non-compliance has been a serious damage, communicating that they file a complaint
before the AEPD


10) On 06/20/2019, the respondent addresses the claimant indicating the way
to proceed so that a copy of the data is delivered (doc. 8 of the claim),
"Delivering a hard disk that will take two days to record the data." It detaches from
the emails of the claimant, that on 07/01/2019 her employees went to the headquarters
of the claimed to try to recover the data and they were not allowed to leave the disk
It was hard to start the process on the pretext that the person in charge was not there. To date

07/26/2019, according to document 10 provided in tests, there were problems with the
data owned by the claimant.


11) The defendant stayed for a time, without allowing the claimant access to her

data, its systems and its servers. The claimant in her claim states that
since 06/07/2019, and reiterates it in a later letter, such as that of 06/14/2019, that
did not have access to the data, affecting accounting, billing, declaration
monthly taxes and bills among others. Additionally, the claimed was
delaying the delivery of data to be returned to the claimant for reasons unrelated to the

claimant. The claimant provides in evidence a sound file in which it is listened to
to an employee of the complaining party who states that they have been left without access
computer scientist and the other party states that he obeys orders, from "C.C.C.", a person who
it appears in some of the signatures of the petitioner's writings. The caller speaks of damages

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/20








to the company and customers and explains that the reservation contract has been canceled,
marketing, not computer science, and they can't do this. The other party says
which will probably be reactivated, if he receives the order. The claimant does not

indicates the date or period in which they could have been without service and in the
claim explains the damages that the non-access has caused.

12) The claimant, although she signed the receipt of an encrypted hard disk with information
of your data provided by the claimed, was pending confirmation and
verification that "never occurred because information was missing." It is credited because

Claimant sent an email to the claimed on 07/25/2019, stating that it should
verify that everything was there and send you a confirmation that everything was fine.
As can be seen in document 10 of your answer in evidence per claimant,
07/26/2019, the next day he sends an email to the complainant that reveals that
the data is encrypted and the tool has not been sent to them. In the copy of

WhatsApp screen print between the parties on the absence of the details
necessary to extract the files, the defendant refers back to the superior.

13) In the BOE of 10/24/2020, an edict of the Commercial Court is published
no. 2 of *** PROVINCE. 1, which indicates the reference of the claimed incursa
in bankruptcy procedure no. XXX, in which XXXX's order was issued, rectified

on 10/13/2020, declaring the bankruptcy of the company SIGNALLIA MARKETING
DISTRIBUTION S.A., CIF A76539030. The insolvency administrator indicates that “months
prior to the declaration of the contest, 07/28/2020, the company no longer had activity
some, nor were there workers in it ”.


                            FOUNDATIONS OF LAW

                                            I

By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the

European Parliament and of the Council, of 04/27/2016, regarding the protection of
natural persons with regard to the processing of personal data RGPD
recognizes each control authority, and as established in arts. 47 and 48.1 of
Organic Law 3/2018, of 5/12, on Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for
Data Protection is competent to resolve this procedure.


                                            II

The RGPD refers -in section 8 of its article 4-, to the person in charge of the treatment or
commissioned as “the natural or legal person, public authority, service or other

body that processes personal data on behalf of the data controller "
(here the claimed one), and article 4.7 of the RGPD "data controller" or
"Responsible": the natural or legal person, public authority, service or other
body that, alone or together with others, determines the purposes and means of the treatment; Yes
The law of the Union or of the Member States determines the ends and means of the

treatment, the person responsible for the treatment or the specific criteria for your
appointment may be established by the law of the Union or of the States
members ”, here the claimant, who clearly shows that he established orders
Regarding its servers, the service was interrupted and the data was not returned,

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/20








being that all of them really belong to him for the management of the business, his
collection and treatment of those who are directly responsible for the claimant.


The treatment by the person in charge will be governed by a contract or act or other legal act with
according to the law of the Union or of the Member States that binds the processor
with respect to the person in charge and establish the object, duration, nature and purpose
treatment, the type of personal data and categories of interested parties, and the obligations
tions and rights of the person in charge (28.3 RGPD). Consequently, the figure of the incarnation
The end of the treatment is due to the need to respond to phenomena such as

outsourcing of services by companies and other entities, in a way
that in those cases in which the data controller entrusts a third party
zero the provision of a service that requires access to personal data,
This access cannot be considered as a different treatment but rather serves to
the person in charge, the actions being carried out by the person in charge on behalf of the

ta of the person in charge, as if he himself were the one who carried it out. The manager must
offer sufficient guarantees to apply appropriate technical and organizational measures,
so that the treatment is in accordance with the requirements of the regulation (art 28.1
GDPR).

For these purposes, the owner of the data does not exercise and cannot exercise the right of access

to some data that are his, for which he is directly responsible, having them
collected and by establishing the data it collects and the purposes for which it is intended. The
Right of access is a very personal right of the owner of the same, which is not
must be confused with the person responsible for the treatment and the power he holds over the
themselves. When a controller signs a treatment order contract with a

third, what is done is to implement a legal business that must meet certain
requirements to understand that the data is processed not by a third party, but by a
third party on behalf of the person in charge, so there is no transfer,
transfer or transfer of data to a third party, but they continue in the circle of the
responsable.


Also and for this reason, there is the power of the person in charge and the specific obligation for the
manager, when he receives an order to comply with it according to the
Article 29 of the RGPD: “The person in charge of the treatment and any person who acts
under the authority of the person in charge or the person in charge and have access to personal data
They may only process said data following instructions from the person in charge, unless

are obliged to do so by virtue of the law of the Union or of the Member States ”.

Certainly, as has been said, the instructions of the person responsible for the treatment
they can still leave some degree of discretion on how best to serve the interests
of the person responsible for the treatment, allowing the person in charge of the treatment to choose the

more adequate technical and organizational means. In practice, if a person responsible for the
treatment hires a processor to carry out the
treatment on your behalf, it often means that the processor will be able to
make certain decisions for yourself about how to carry out the treatment.
It is recognized that there may be some room for maneuver for the person in charge of the

treatment may also make some decisions regarding treatment.
Here the complained party has a technical role inasmuch as the collection of customer data from
hotel is carried out by the claimant who introduces them into the system, serving the
claimed the technical means with material provided by the same claimant.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/20









Since the treatment must be carried out on behalf of a person responsible for the treatment,
but not under their direct authority or control, acting "on behalf of" means serving the

interests of another person and recalls the legal concept of "delegation". In this
In this case, the instructions for server changes were not attended, it was left without access to
the systems deliberately by the claimed and the
return of the data delaying and putting conditions on some data of the
responsible for unjustified issues.


It is the person responsible, in this case the claimant, who decides to put in the hands of the
In charge of the data so that it can carry out the tasks agreed upon in the
contract. In this case, activities of a technical nature in telecommunications,
servers and access to systems and their storage. Even using the claimed
their experience and discretion in technical matters, the control of the data resides

on the claimant.

In the present case, it is a situation that affects the claimant in the
development of its activities with the data for which it is responsible since despite
your requirements, the respondent has not delivered the personal data files or
servers, making it difficult and even impossible to carry out the activity

ordinary management of the commercial traffic of its activity.

Ultimately, the violation that is credited and attributed to the claimed is that of article
28.3.g) which indicates:


"3. The treatment by the person in charge will be governed by a contract or other legal act with
according to the law of the Union or of the Member States, that binds the person in charge
with respect to the person in charge and establish the object, duration, nature and end of
nature of the treatment, the type of personal data and categories of interested parties, and the obligations
responsibilities and rights of the person in charge. Said contract or legal act shall stipulate, in part,

ticular, that the person in charge:
g) at the discretion of the person in charge, delete or return all personal data a
once the provision of treatment services ends, and will delete the copies
existing unless the preservation of personal data is required by virtue of
of the Law of the Union or of the Member States ”.


                                             III

Determines article 83.4 of the RGPD:

        "Violations of the following provisions will be sanctioned, in accordance with

with paragraph 2, with administrative fines of maximum EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the highest amount:


    a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11,
        25 to 39, 42 and 43;
Article 74 of the LOPDGDD indicates:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/20








        “They are considered minor and the remaining infractions of
merely formal character of the articles mentioned in sections 4 and 5 of the
Article 83 of Regulation (EU) 2016/679 and, in particular, the following:


        "K) The breach by the person in charge of the stipulations imposed in the
contract or legal act that regulates the treatment or the instructions of the person in charge
of the treatment, unless it is legally obliged to do so in accordance with the Regulation
(EU) 2016/679 and this organic law or in the cases where necessary
to avoid the infringement of data protection legislation and

would have warned the person in charge or the person in charge of the treatment "

In no way was the delivery of the data owned by the
claimant, it is not proven that it has become effective, as acknowledged by the claimant that
The entire data was never finally provided despite the time that had elapsed.


Article 58.2 of the RGPD provides the following: “Each control authority will have
of all of the following corrective powers listed below:

        i) impose an administrative fine in accordance with article 83, in addition or in
place of the measures mentioned in this section, depending on the circumstances

of each particular case.

                                             IV

The determination of the sanctions to be imposed in the present case requires ob-

Serve the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively,
mind, they provide the following:

        "1. Each supervisory authority shall guarantee that the imposition of the fines administered
nistrative pursuant to this article for infractions of these Regulations.

indicated in sections 4, 9 and 6 are effective in each individual case,
and dissuasive. "

    "2. Administrative fines will be imposed, depending on the circumstances of
each individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an admissible fine

nistrative and its amount in each individual case will be duly taken into account:

        a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the treatment operation in question, as well as
such as the number of interested parties affected and the level of damages incurred

have suffered;
    b) intentionality or negligence in the infringement;
    c) any measure taken by the controller or processor to
        mitigate the damages and losses suffered by the interested parties;
    d) the degree of responsibility of the person in charge or the person in charge of the treatment,

        taking into account the technical or organizational measures that have been applied in
        under articles 25 and 32;
    e) any previous infringement committed by the person in charge or the person in charge of the traffic-
        I lie;

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/20








    f) the degree of cooperation with the supervisory authority in order to remedy
        to the infringement and mitigate the possible adverse effects of the infringement;
    g) the categories of personal data affected by the infringement;

    h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what
measure;
    i) when the measures indicated in article 58, paragraph 2, have been ordered
previously issued against the person in charge or the person in charge in relation to
the same matter, the fulfillment of said measures;

    j) adherence to codes of conduct under Article 40 or to mechanisms of
    certification approved in accordance with Article 42, and
    k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits obtained or losses avoided, direct or indirect,
rightly, through the infraction. "


    Within this section, the LOPDGDD contemplates in its article 76, entitled “San-
corrective measures and actions ”:

    "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the
Regulation (EU) 2016/679 will be applied taking into account the criteria of

graduation established in section 2 of the aforementioned article.
    2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
    a) The continuing nature of the offense.
    b) The linking of the activity of the offender with the performance of treatment of

personal information.
    c) The benefits obtained as a result of the commission of the offense.
    d) The possibility that the affected person's conduct could have led to the
commission of the offense.
    e) The existence of a process of merger by absorption subsequent to the commission of

the infringement, which cannot be attributed to the absorbing entity.
    f) Affecting the rights of minors.
    g) Have, when not mandatory, a data protection officer.
    h) The submission by the person in charge or in charge, on a voluntary basis,
to alternative dispute resolution mechanisms, in those cases in which the
that there are controversies between those and any interested party.

    3. It will be possible, complementary or alternatively, the adoption, when appropriate,
of the remaining corrective measures referred to in article 83.2 of the
Regulation (EU) 2016/679. "

For the assessment of the sanction, the commencement agreement contained its assessment without

damage of the instruction, and as an amount for the estimated infraction, they were considered
100,000 euros of penalty.

It was taken into account:
-The disturbance in the development of the actions of the claimant of special gra-

truth to prevent operating with the data (83.2.a RGPD) from 06/07/2029, adding
that as of 07/26/2019 it is not completed or accredited by the one that carries out the treatment-
on behalf of the claimant who complied with said ordinary obligation to


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 19/20








established in the treatment order contracts, thus not considering delivery-
two (art 83.2.a) of the RGPD.


- The linking of the activity of the offender with the performance of data processing
personal (art. 76.2 b LOPDGDD).

The aforementioned circumstances and amount are ratified after the instruction and proposal.

Therefore, in accordance with the applicable legislation and assessed the criteria of

graduation of the sanction whose existence has been accredited,

The Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE a fine of 100,000 euros, to SIGNALLIA MARKETING

DISTRIBUTION, S.A., with CIF A76539030, for a violation of article 28.3.g) of the
RGPD, in accordance with article 83.4 b) of the RGPD, and article 74.k) of the
LOPDGDD, with the concurrent circumstances in articles 83.2.a) of the RGPD and
76.2.b) of the LOPDGDD.

SECOND: NOTIFY this resolution to SIGNALLIA MARKETING

DISTRIBUTION, S.A.

THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of the

Public Administrations (hereinafter LPACAP), within the voluntary payment period
established in art. 68 of the General Collection Regulations, approved by Real
Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17,
by entering it, indicating the NIF of the sanctioned person and the procedure number
that appears in the heading of this document, in the restricted account nº ES00

0000 0000 0000 0000 0000, opened in the name of the Spanish Protection Agency
of Data in the bank CAIXABANK, S.A .. Otherwise, we will proceed to
its collection in executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment

volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 20/20









the fourth additional provision of Law 29/1998, of 07/13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the

cited LPACAP. You must also send the Agency the documentation that proves
the effective filing of the contentious-administrative appeal. If the Agency does not
had knowledge of the filing of the contentious-administrative appeal in the
within two months from the day following notification of this resolution,

would terminate the precautionary suspension.


                                                                                      938-131120
Mar Spain Martí

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es