AEPD (Spain) - PS/00315/2020
|AEPD (Spain) - PS/00315/2020|
|Relevant Law:||Article 28 GDPR|
Article 29 GDPR
|Parties:||SIGNALLIA MARKETING DISTRIBUTION, S.A.|
|National Case Number/Name:||PS/00315/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
|Initial Contributor:||Carmen Villarroel|
The Spanish DPA fined a processor €100,000 for not complying with its obligation to delete and return all the personal data it held, as well as any existing copies, to the controller after ending its services as a processor.
English Summary[edit | edit source]
Facts[edit | edit source]
The company EHR, dedicated to tourism and hotelier services, hired another company, Signallia, dedicated to software and computing services, to manage their data and servers. The data processing agreement between them stated that Signallia had to give back EHR all data and copies obtained or processed for them, as their relationship ends.
Accordingly, when EHR decided to move their servers to an internal place they instructed Signallia to return to them all their data. However, the processor did not follow the request and instead asked the controller to pay the debts they had with them. The controller argued that the processor had debt with them as well and that they had lodged a legal claim before the courts. The legal claim was targeted at getting back data, including those of the clients of their hotels.
Even though the processor communicated to the controller that they would handle over the data, a month after such communication no data was received. Therefore, the controller lodged a complaint with the Spanish DPA (AEPD). Again, the processor offered the controller to handle the data over in a 5TB hard disk, which they did not do, alleging organizational problems.
This behaviour caused huge losses to the controller, who could not access their servers and data during a long time.
Holding[edit | edit source]
The AEPD stated that the controller cannot exercise a right to access, which is a personal right that belongs to the data subject, and that the controller can only compel the processor to comply with its legal obligations.
The AEPD also remarked that the controller cannot give the processor direct and specific orders about the processing of the data itself, as the processor acts on behalf of the controller, but not under its direct control. Therefore, the processor still has some degree of autonomy on how to process the data to comply with its obligations and the controller's interests.
Nevertheless, the AEPD concluded that there had been a violation of Article 28(3)(g) GDPR, that obliges the processor, at the choice of the controller, to delete or return all the personal data, as well as existing copies, to the controller after the end of the provision of services relating to processing. For not complying with this obligation, the AEPD fined the processor €100,000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/20 Procedure No.: PS / 00315/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following: BACKGROUND FIRST: EXCEL HOTELS RESORT S.A. (hereinafter, the claimant) dated 07/12/2019 filed a claim with the Spanish Data Protection Agency. The claim is directed against SIGNALLIA MARKETING DISTRIBUTION, S.A., with CIF A76539030 (hereinafter, the claimed one). The reasons on which you base the claim are "the malpractice of the claimed, upon terminating a contract for the provision of services and deny us access to our own servers, access to our keys, in addition to refusing to return all the data of our entity causing serious damage to our systems, our personnel, as well as great damage economic as all work systems are paralyzed ”. He states that on 04/29/2019 he sent a burofax to the claimed requesting the change of servers to the company's facilities under a contract for the provision of services signed on 07/01/2011 (copy of the contract attached). In the copy of the literal of the burofax, document 1, it is indicated: “As we have revealed, it is our intention to change where you are our company's servers are stored in such a way that they become located in our central offices and illicit access to the information that It is housed in them. Although the truth is that today they are doing disregarding our request, pretending to misappropriate our computer equipment and the information that is housed in them, therefore We warn that in case they do not proceed to make the company servers within the non-extendable period of 5 days we will see you at the obligation to report the facts ”. In delivery it appears: "not delivered, left notice". A second attempt consists of "not delivered due to surplus-not withdrawn in office." He states that on *** DATE.1, his company suffered a fraud attempt by impersonating someone the email account, email address, of your financial advisor, suing through a collaborating company that will deposit an amount in an account in a bank. The respondent was notified of this circumstance because she was in charge of the treatment of computer systems and those that had access to the servers of your company. On this matter, provide a copy of document 2, of *** DATE.1, written to claimed, in which he informs him and asks for explanations of what happened, adding “Les We reiterate that once the contract for the provision of services is terminated, They are obliged to return the servers and provide us with the keys of access by refraining from accessing our servers ”. His delivery is unknown effective. It states in the claim, “from this day and the contract for the provision of services signed on its day (day of termination of the contract *** DATE.2) you are requested to This entity has the obligation to return the servers to us and provide us with the ac- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/20 I cease to them ”. Attached document 3, written by the complainant addressed to the complainant, of *** DATE.3, entitled "Notice of non-payment for the provision of the service contracted between the parties on 07/1/2011 ”and states in English that the claimant owes him € 409,724.50, of what has already been informed, and that if it is not paid before 05/14/2019, “they will cease in the provision of the service on *** DATE.2, suspending all activity and operations nes ". He expresses the continuous delays in the payment of the invoices issued by his company ñía to the claimed, informing that this amount has been accumulated since January 2017 by the services provided. It tells him that “after a series of lawsuits urged on claimed in recent months, they are forced to claim the amount. In document 3-1, which is provided, entitled "Reply to the letter of *** DATE.3", the claimant in writing of *** DATE.4, shows her surprise at the fact that she he is owed "an amount greater than 10 million euros". Informs you that they have inter- filed a lawsuit against them and indicates that they have breached the “obligation to make available to the claimant the servers of their property, a matter that is causing serious damage to society and refuse to provide the password of ad- minister that allows us to operate with our computer equipment, a matter that it is a breach of the aforementioned contract ”. It also reports that “we have recently detected that there has been a Impersonation of the claimant's workers to order third parties that payments are made in current accounts that are not owned by the entity, which which constitutes a serious fraud attempt. " “Although we have asked them for the precise keys to be able to carry out an vestigation of what happened today they have not provided us with these keys in a way that We must access the system to carry out the corresponding inquiries. Hereby we exercise our power to terminate the aforementioned contract so that from On the date of receipt, no amount will be accrued for the provision of the indicated two services. " “We ask your technicians for precise instructions so that they refrain from contin- n Continue providing computer services and proceed to return the computer material to us of our property that was delivered to them at the time of signing the agreement. treatment." Effective delivery of this document is unknown, as proof is not provided of reception. Declares in the claim that on 06/14/2019, the claimant sent a burofax to the claimed informing you that the non-delivery of your servers and keys has meant a serious damage to them and that they will file a complaint with the Spanish Agency for Data Protection. Provide a copy of the document, without accrediting a sample of its delivery. Indicate as damages suffered. -Since Friday 7/06, the claimant had no access to the systems related to accounting, he was only left with the possession of copies of some data from the newspaper of each company. -The program provider informed the claimant that it would take a minimum of one week to restore the installation of the programs: Account, payment management, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/20 bank reconciliation, fixed assets and accounting transfers. This meant that by not recover the historical data, the information was lost in digital format for the accounting records. Short term: - Impossibility of complying with the obligations of the SII system, they had to declare all invoices within 8 calendar days after issuance. -In the same way, to reduce the IGIC in the monthly declaration, you must inform on all the invoices received, the date to make the declaration of data of Deductible bills on June 15th. This means that the claimant will have to pay this month more IGIC to the Canary Islands Tax Agency, -Difficulties in preparing draft accounts as of 05/31 that should have completed. -ATECRESA informed the claimant that it would take up to 6 months to recover the operability of the system, which implies that they have not been correctly assessed inventories and the F&B cost posting to be delayed. -It has not been able to issue certified payments so the payments have been made by transfer or issuing a stub, which is time consuming. -Problems to complete the audits of the claimant. -The claimant did not have and does not have data to present to any inspection State or Canary Islands Treasury. Long-term: - delays in preparing and filing taxes, penalties and fines associated -Impossibility of carrying out business analysis to prepare projections. - Lack of digital support for accounting for depreciation of fixed assets. -Additional expenses related to reinstalling work applications additional technicians Along with the claim, it provides: -Copy of a service lease contract dated 07/01/2011, including a party as client, SILVERPOINT HOTELS AND RESORTS SA, CIF A-38083101, and as service provider SILVER POINT VACATION SOLUTIONS SA, CIF A- 76539030, in which it is entrusted with the provision of prevention services, maintaining maintenance and advice of computer equipment in the telecommunications environment tions and informatics. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/20 -Copy of document 4 of the complaint of the claimant before the Police, date 05/23/2019, for attempted fraud through identity theft suffered on *** DATE.1, which was finally not consummated, when it was detected that it was an operation fraudulent ration. It is indicated in point 4 of the complaint that a report from the company SIGNA- LLIA, in charge of the administration and management of the company's computer systems claiming dam, in which, among other information, it states that it was the account of the Claimant's financial director had been the target of a cyber attack. -Provide a copy of document 5 of the complaint of the claimant to the Police, on 06/07/2019, against the one claimed for professional malpractice and fraud, without more documentation than disclose reasons. - Provide document 6, of 06/13/2019, written from claimed to claimant entitled “car- response "request for data based on arc rights". "After the legal term of 30 days established in the letter delivered by the representative of the clamoring -in our offices on May 14, 2019 we have easily accessed List the data that our company maintains of EXCEL HOTELES Y RESORTS SA. " “Given their volume and for internal technical reasons of Signallia said in- training will be made available to you 10 days from the sending of this letter". -Provide document 8, written claim to the claimant, dated 06/20/2019, in which indicates: “In order to provide the requested information and comply with the Protec- tion of Data, our company informs you that we have more than 5 terabytes of data cough ... The computer security team tells us that the safest way to to treat such data is to follow the following steps… ”purchase a hard drive with a minimum memory capacity of 5 terabytes, to be delivered to the specific offices Since the download time will be two working days, you would be provided with a name and password to the authorized person and that once the hard disk is delivered and its reading is confirmed, the complained party would proceed to erase said data. -Provides document 9, consisting of "XL equipment report" forms with PC name, manufacturer, model, and operating system and serial number, date bios, 8 sheets. Also contained, document 10, a list of equipment description computer, including, among others, servers and year of purchase and purchase prices, prepared by the claimant and which are communicated internally on 04/25/2019, with the text “Please try to find the invoices for the newest servers. Everything is- so active in Central ”. -Provide document 12, email copy, 07/01/2019, from an employee of the claimant with a copy to two employees, addressed to gacacostaytorres.com, possibly their advice or similar, indicating that they have designated two people to attend the offices of the claimed, to, with a hard drive, try to recover the data. I ad- he puts together a prepared letter in case he sees that something needs to be added. Emails follow precedents on 06/28/2019, in which the person from gacacostaytorres.com, in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/20 the same issue of "monitoring delivery of data by SIGNALLIA to EXCEL" referred to the importance of getting the data and the obstacles they put. -Copy of a letter of 07/01/2019 from the claimant to the claimed, indicating in reference- reference to the burofax received on 06/20/2019, where they indicated the procedure below guide to treat the data in the safest way, "we deliver a disc hard ”it indicates how to deliver the password, according to the email received on 06/27 sent by A.A.A. (of the claimed party) where the requirements are extended to us. "In order to access said data, we want to state that SIGNALLIA does not may be exempt from liability once you have delivered the data as you des request because some open procedures are in process on this cause. " -Copy of an email dated 07/1/2019 in which an employee of the claim- It informs other people, including gacacostaytorres.com with a copy for two people of the claimant: “I am attaching you an email with the data that occurred today at the Na designated when two of our EXCEL employees have gone with the hard drive to recover our data. I would be grateful if you could inform us of how we should proceed. der after these events. We have written in the email below ”. I attached ta the explanation given in turn by email from the people who came to var the hard disk, indicating “at 12:30 we have traveled to the SIG- NALLIA in order to deliver the external hard drive “We have stated our intention tion of leaving the external hard drive, and we have been informed that A.A.A., supposedly the top manager has left the offices and that they do not have the authority to cibir delivery ... " -Copy of email of the maximum responsible for the claimant, to the claim- 7/1/2019 stating “Please can you fix this, our employees have I came back to their offices and they have not been delivered what my team requested you have the authorization to pick it up. " SECOND: In view of the facts denounced in the claim and the documents provided by the claimant, dated 09/25/2019, is transferred to the claimed copy of the claim, instructing you to report on the decision you have adopted on the claim, causes that have motivated the incidence and measures taken. According to the postal certificate, the shipment was delivered on 10/21/2019 and was not attended on request. THIRD: On 12/23/2019, the admission for processing of the claim. FOURTH: On 01/30/20120, in the preliminary investigation phase For the clarification of the facts, information is required from the claimed, requesting if the data has been returned, and if not, report the causes that motivate that they have not been returned, warning you of what the regulations establish on data protection on the responsibility of the person in charge of the treatment. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/20 The shipment was sent electronically, resulting in “automatic rejection” “date of posting available on 01/30/2020 automatic rejection date 02/10/2020. " On 02/18/2020, the respondent is required again, warning of the obligation to communicate telematically with the administration. The shipment that this time it is carried out, exceptionally, in order to obtain the information, it is carried out through from the postal service, to the address Avenida San Francisco, urbanization Oasis sur 3865, Los Cristianos, Arona, Santa Cruz de Tenerife (same address as above- mind was collected) and it turned out: “returned to origin by unknown on 03/06/2020”. On 03/31/2020, a written letter is sent to the respondent, *** ADDRESS.1, *** LOCALITY.1 (*** PROVINCE.1), address of the Mer- cantil, giving result "Returned to Origin by Unknown on 06/22/2020". FIFTH: Entering the data of the claimed in GOOGLE, it appears that in the BOE of 10/24/2020, an edict of the Commercial Court No. 2 of *** PROVINCE. 1, in which the reference of the claimed party is indicated, incurs in the bankruptcy grant no. *** PROCEDURE. 1, in which an order of *** FE- CHA.5, rectified on 10/13/2020, declaring the bankruptcy of the company SIGNALLIA MARKETING DISTRIBUTION S.A., CIF A76539030. He is designated as bankruptcy administrator B.B.B., indicating his address. It is indicated that the opening of the liquidation phase has been agreed. SIXTH: The complained party, as of 10/5/2020, does not have any penalty entry previously in the SIGRID application that manages the claims of the AEPD. SEVENTH: In the “monitoriza Business” application, the claimed one appears, constituted the 03/03/2011, last year presented 2017, SME size, agency activities travel sales: € 7,764,059. EIGHTH: On 12/10/2020, the director of the AEPD agreed: "START SANCTIONING PROCEDURE for SIGNALLIA MARKETING DISTRIBUTION, S.A., with CIF A76539030, for the alleged violation of article 28.3.g) of the RGPD, in accordance with article 83.4.a) of the RGPD. " "For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations, (as hereinafter, LPACAP) the corresponding sanction would be an administrative fine 100,000 euros, without prejudice to the results of the instruction. " "NOTIFY this agreement to SIGNALLIA MARKETING DISTRIBUTION, S.A., with CIF A76539030, through the bankruptcy administrator, B.B.B., " The defendant made no allegations. NINTH: On 06/03/2021 the trial practice period begins, agreeing: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/20 Assume reproduced the claim and its documentation, the documents obtained and generated by the Inspection Services of the claimed. As additional evidence, it was requested 1) To claimant: What was the legal act by which the name of the name was changed? signatory, client, of the 2011 service lease agreement, with the claim mada, since in the same figure: SILVERPOINT HOTELS & RESORTS SA, then in subsequent writings EXCEL HOTELS & RESORTS SA. On 06/11/2021 a response was received indicating that on 12/21/2010 the denomination to SILVERPOINT, provide document 1, to change to EXCEL HOTELS on 02/08/2013, with a copy of document 2. 2) To the claimant, in their claim they provided several burofax and letters addressed to the claimed, warning of the end of the relationship for alleged breach. Is requested that provide proof of receipt of the shipment and its content by the claim mada of that communiqué, and expanded the causes that motivated the resolution of the contract, and if the other party has challenged any point of it in court. Provide a copy of document 3, letter of 06/13/2019 of the claimed addressed to the claimant (already commented in the antecedents) explaining that after the deadline of 30 days established in the letter delivered by the claimant to their offices on the do 14/05/2019 “we have agreed to provide you with the data that our company“ maintains ne ”of the claimant, and“ given their volume and for technical inter- nas "of the claimed" said information will be made available to you 10 days from since the sending of this letter. " Provide document 4, which was also attached to the claim, writing in which the claimed, on 06/20/2019, indicates to the claimant that he has the data of his systems and that due to the size suggests the way to deliver them, Document 5 that it provides is a letter from the complained party about the interference in the email account of an employee of the claimed, facts that were reported by the claimant. Discuss the meetings held with the claimant on the affair. It states that the defendant breached a marketing and reservation agreement and when "we terminated that contract," they canceled our access to the servers, which led to the termination of the computer maintenance contract ”. Attached document 6 mp3 format, a 2.25 minute sound file with a conversation between two people, the caller who belongs to the hotels and the caller. The one who called ma indicates that they have run out of computer access and the other party states that they obey gives orders, the caller talks about damages to the company and customers and explains that They have canceled their reservation, commercialization contract, not the IT one, and they can't do this. The other part says that it will probably reactivate again, if he receives the order. 3) A claimed and claimant, what type of personal data were managed for the claimed, which periods covered and how many hotels. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/20 Claimant indicates that: “Nationality, name and surname, postal address, telephone mobile, email and date of birth " The insolvency administrator of the defendant indicates that he is aware that “months prior- res to the declaration of the contest, 07/28/2020, the company no longer had any activity na, nor were there workers in it ”, and that he does not have information on the questions raised, trying to obtain them from the director (whom he identifies) of the department IT period until 12/31/2018 (that is, when disagreements occur and the question of the return of the data was not valid) and answers that it was data from clients, containing nationality, names, addresses, telephone numbers, co- e-mail addresses, and in certain cases dates of birth and marital status, for five hotels that it identifies. The data stored was from 2012. 4) To the claimant and claimed, if the defendant issued orders and instructions on the processing of personal data that were managed through the ser- vidores, copy of some. And if you didn't have problems with copy issues before security, access etc. Claimant manifests that it provides document 7, communication on instructions on The treatment of the data that SIGNALLIA "indicates to us on 06/20/2019", which is already mentioned in the present antecedents. Claimed indicates that data access was made solely on the basis of need to know them. In 2017 the customer's “marketing data was migrated to the system in “Salesforce” cloud and reservations and PMS systems to “SIHOT” (hotel management system). lera) stored in a virtual environment on Oracle servers, and there were no problems with backup or access. 5) A claimed and claimant, who owned the servers in which the claimed stored and managed the claimant's information, and for reasons Is it possible that the claimant asked the respondent to transfer them? Claimant indicates that they were owned by him and that "that is why he requested their transfer." an internal email in which on 05/14/2019 the CFO communicates to XX (high responsible for the claimant) a list with a description of assets, years of purchase and price, including servers that are said to have invoices underlined in green, and others that "we can prove that we bought it". Respondent states that she was the owner of the servers, and that the rest cannot answer for being on medical leave at that time. 6) A claimant and claimed, if the computer equipment that appears in the sheet “infor- me of equipment "were owned by the claimed and where they were physically located" and that use was given to them. Claimant indicates that they were owned by him, and were located as referred to, in different Red hotels, up to four, plus the central one, identified by their initials. Attached documents Item 8 that relate equipment and invoices. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/20 Respondent states that she does not know the sheet that is cited, but “SIGNALLIA possessed and managed teams both locally in their offices and in the service rooms. res, but also in the server rooms located in each of the hotels. " 7) To the claimant and claimed, which is why at least one of the copies of security rity was not available from the claimant herself. If they currently have contracted similar services and if they have changed their way of having access to files and databases. It declares to the claimant that in the lease of services of 07/01/2011 in the first clause, three, was established as a task covered by the loan tary backups, backup policy management, and cus- all of them. "Currently we have our own servers and also services contracted to companies that offer us different products, against which we have creden- cials that allow us to manage them ”. “We have our own network and all the teams from both the hotels and the Central have administrative accounts ”of the claimant. “Now we have an internal IT department of the company's own, credentials- team administrators, own network managed by the department, figure- We as authorized persons before the companies that provide us services, creden- cial to be able to manage users, passwords, profiles, emails, etc. ”. The respondent indicates that it has not obtained information on the matter, however “SIG- NALLIA stopped paying Salesforce invoices months before the declaration of the contest " 8) A claimant and claimed, how the aspect to which it was referred to in the claim of the keys or passwords, in some points they refer to “The administrator password that allows us to operate with our computer equipment ticos ”which was what said password allowed, who made use of it by the claimed or in the claimant and, who changed and how often it changed this key and by whom. What was the sense that the key of the teams was in power of the processor. The complainant states that the administrator password referring to computers would allow make changes to computers such as installing applications, changing settings network and generally any changes that a normal user should not be able to make in a corporate team for operational and / or safety issues. The administrator password referring to the servers with user control and contra- corporate signatures would allow you to create new users, delete them, block them, assign them to one complex or another, reset passwords when they forget them etc. The administrator keys of the network systems allow to apply network changes, create subnets, manage Wi-Fi, enable new networks, monitor the network to see if there are security problems etc. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/20 “Before it was completely dependent on each and every one of the systems and even on all- two and each of the services, even though they are third-party as well, since those who they had the keys to those services and were listed as authorized persons neither were they from EXCEL HOTELS AND RESORTS SA. Claimed indicates that, within the security protocol, each user had their own Pious passwords that were forced to change at least every three months. 9) To claimant and claimed: Report if any judicial matter related to sworn with this claim or has fallen a ruling on liability, compensation tion etc. on these facts, with a copy of the ruling. The claim contained a Announcement against the claimed or with eventual debts included in the bankruptcy creditors of the claimed Claimant indicates that apart from the fact that his credit is "recognized" in the contest of creditors, there is no other pending matter, and claimed indicates that it has not received no judicial notification related to the matter. 10) To the claimant, and claimed, it is appreciated that a process of attempt to enter delivery of the data that the claimed handled of the claimant. You want to know if finally the data is delivered, with proof of what was delivered, and date. Claimant indicates that the then administrator of the claimant “signed a receipt from a hard drive, but pending confirmation and verification that never occurred because information was missing ”. Provides document 9 in which XX, high person responsible for the claimant sends a written request to the claimant, dated 07/25/2019, stating that he confirms that he has received the hard disk with the data that were kept by the claimed and that has to check and verify that all the data are there and the confirmation would be sent to the claimed that all data has been successfully transferred. They provide document 10 which is an internal email dated 07/26/2019 in which an employee tells XX “we need to know with which tool the data has been encrypted and some technical details that supposedly “they were going to send us in an e-mail”, and added give the screen impression of a conversation by “whatsapp between our infor- and that of the claimed one ", in which it says" I have the external hard drive and I see that there is a 3tb file with no extension. I understand that it will be encrypted ”, and asks what tool lie was encrypted. The other party asks if the details were not provided, to which they respond. from, "only hard drive and password", to which the other party replies that they have to speak with another person, everything has to be through him. The respondent indicates that it does not offer information on this point, “as it is not part of This process" TENTH: On 07/06/2021, a resolution proposal was formulated, with the literal: “That the Director of the Spanish Data Protection Agency sanctions SIGNALLIA MARKETING DISTRIBUTION, S.A., with CIF A76539030, for a infringement of article 28.3.g) of the RGPD, in accordance with article 83.4 b) of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/20 RGPD, and article 74.k) of the LOPDGDD, a fine of 100,000 euros, of in accordance with article 83.2.a) of the RGPD and 76.2.b) of the LOPDGDD.) " No allegations were received within the time allowed to make them. PROVEN FACTS: 1) The claimant, who manages the management of four hotels, states in her claim that your company “has been affected by the malpractice of the claimed by terminating a contract for the provision of services and denying us access to our own servers, to access our keys, in addition to refusing to return all the data of our entity causing serious damage to our systems, to our staff, in addition to great economic damages when everything is paralyzed our work system ”The personal data that were managed by the claimed were those of: ”Nationality, name and surname, postal address, mobile phone, e-mail and date of birth" 2) The claimant, (formerly known as SILVERPOINT VACATION SOLUTIONS SA) subscribed on 07/1/2011 contracted with the defendant the lease of services of prevention, maintenance and advice of computer equipment in the environment of telecommunications and information technology, in order to assist in operational needs and performance. As clauses, the most important ones are meant: -Object: Provision of preventive and corrective maintenance services for equipment client's computer software, which are listed in ANNEX 1 in the networks of telecommunications. In the support service provided, it included the problems of access to the network of all computer equipment, remote access to e-mail corporate, or adequate access to files and programs (first clause 1.2), manage the backup policy and safeguard them and act as interlocutor in all technical aspects with the different service providers telecommunication. The service would be provided 24/365. In the contract, the third clause provides that the duration of the contract was initially for two years, until 06/30/2013, with tacit extensions for periods of one year, if not there is a complaint 30 days before the corresponding expiration date. It also provides for the resolution for breach of any of the stipulations, the compliant party giving the other five days advance notice. In the 12th clause, it adds: termination of the contract: “any of the parties may give terminate this contract at any time during its duration through written communication to the other party not less than two months in advance of the interested termination date. As causes of resolution are indicated in addition to the general ones of the commercial and civil code, "those derived from non-compliance by part of the client of the obligations contracted by virtue of the contract " The 11th clause entitled: "Data Protection", states: “As a consequence of this contract for the execution thereof, the borrower will have access to personal customer data that are subject to the legal regime provided by LOPD and its implementing regulations. For such purposes in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/20 compliance with the provisions of article 12 of the LOPD, the borrower expressly manifests and undertakes to use and process the data with the sole and exclusive object of complying with this contract, following in any case the instructions received from the customer. Expressly refrain from giving the data any use other than the one agreed and in particular refrain from altering them, using them for your own business interest, or communicate them or allow access by third parties to the same not even for their conservation. In the event that I had to communicate the data to a third party for the development of this contract, the borrower will will notify the client so that he can sign a contract with said third party. Observe the maximum confidentiality of reservations regarding the data that are provided by the client regarding the development of the object of this contract agreeing not to disclose any third person any of this data, thus like any other information that has been provided regarding the company. TO return to the client, once the provision of services object of the present has concluded I contract all the documents and files in which all or some of the data whatever its medium or format, as well as copies of these." -Ninth clause: "levels of compliance with services": The client will determine the organization of the services to be provided by dictating those generic norms necessary for a normal and optimal exercise of the services, remaining in any case in favor of the borrower the faculty of management and coordination of the service and personnel in charge of the provision of the same. " 3) In document 1 of the claim, the claimant asks the respondent for the 04/29/2019 as "contract instruction", "that as we have put repeatedly manifest "," it is our intention to change the place where the servers of our company are stored, so that they pass to be located in our central offices "" today they are paying attention disregarding our request ”, announcing that if the servers are not made available to you, criminally denounced. The claimant does not provide evidence that delivered to the claimed. 4) The parties by disagreements, decide to resolve their relationship. There is a writing of claimed, document 3, of *** DATE.3, which indicates that, if you do not pay what is owes you, will terminate the contract with effect date *** DATE.2, responding to the claimant to the claimed in writing of *** DATE. 4 that the counterpart owes them a amount greater - greater than 10 million euros - in document 3-1, entitled Reply to the letter of *** DATE. 3. Informs you that they have filed a lawsuit against them and indicates that they have breached the “obligation to make available to the claiming the servers of their property, an issue that is causing a serious detriment to society and refuse to provide the administrator password that we allows us to operate with our computer equipment, an issue that represents a breach of the aforementioned contract ”. 5) The complainant had access to the complainant's servers and this is how it is derived also of the investigative actions carried out by the respondent in order to scam attempt to hack the email account of an employee of the claimant, who was brought to the attention of the Police on 05/23/2019. In these investigations collaborated the claimed, being at the same time denounced by the claimant C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/20 later before the Police, on 06/07/2019, for professional malpractice and fraud, without more documentation revealing the reasons. The result is unknown as there was no The parties stated nothing, only in evidence they reported that they do not have judicial pendency for any issue between them, except the inclusion of credits of the claimant in the contest of the claimed. 6) The representative of the respondent indicated that it “owned and managed equipment both locally in their offices and in the server rooms, but also in the server rooms located in each of the hotels. " 7) The claimant provides an extensive list of computer equipment that was located in different hotels that managed the claimed, as well as servers, that accredits are owned by them that were managed within the commission contract treatment. 8) In document 6, dated 06/13/2019, the respondent indicated to the complainant: “petition for data based on arch rights "" After the legal period of 30 days has elapsed established in the letter delivered per day to our offices on 05/14/2019 we have agreed to provide the data that our company maintains about EXCEL HOTELES Y RESORTS SA. " "Given their volume and for technical reasons internal SIGNALLIA said information will be made available to you 10 days after count from the sending of this letter ”. " 9) On 06/14/2019, the claimant, in a letter, indicated to the respondent: “the time of the response period of the right of access ”that the claimant filed the 05/14/2019 to the claimed one, and that it still does not deliver the data or return the servers or provide the access codes to access the system, and that the Non-compliance has been a serious damage, communicating that they file a complaint before the AEPD 10) On 06/20/2019, the respondent addresses the claimant indicating the way to proceed so that a copy of the data is delivered (doc. 8 of the claim), "Delivering a hard disk that will take two days to record the data." It detaches from the emails of the claimant, that on 07/01/2019 her employees went to the headquarters of the claimed to try to recover the data and they were not allowed to leave the disk It was hard to start the process on the pretext that the person in charge was not there. To date 07/26/2019, according to document 10 provided in tests, there were problems with the data owned by the claimant. 11) The defendant stayed for a time, without allowing the claimant access to her data, its systems and its servers. The claimant in her claim states that since 06/07/2019, and reiterates it in a later letter, such as that of 06/14/2019, that did not have access to the data, affecting accounting, billing, declaration monthly taxes and bills among others. Additionally, the claimed was delaying the delivery of data to be returned to the claimant for reasons unrelated to the claimant. The claimant provides in evidence a sound file in which it is listened to to an employee of the complaining party who states that they have been left without access computer scientist and the other party states that he obeys orders, from "C.C.C.", a person who it appears in some of the signatures of the petitioner's writings. The caller speaks of damages C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/20 to the company and customers and explains that the reservation contract has been canceled, marketing, not computer science, and they can't do this. The other party says which will probably be reactivated, if he receives the order. The claimant does not indicates the date or period in which they could have been without service and in the claim explains the damages that the non-access has caused. 12) The claimant, although she signed the receipt of an encrypted hard disk with information of your data provided by the claimed, was pending confirmation and verification that "never occurred because information was missing." It is credited because Claimant sent an email to the claimed on 07/25/2019, stating that it should verify that everything was there and send you a confirmation that everything was fine. As can be seen in document 10 of your answer in evidence per claimant, 07/26/2019, the next day he sends an email to the complainant that reveals that the data is encrypted and the tool has not been sent to them. In the copy of WhatsApp screen print between the parties on the absence of the details necessary to extract the files, the defendant refers back to the superior. 13) In the BOE of 10/24/2020, an edict of the Commercial Court is published no. 2 of *** PROVINCE. 1, which indicates the reference of the claimed incursa in bankruptcy procedure no. XXX, in which XXXX's order was issued, rectified on 10/13/2020, declaring the bankruptcy of the company SIGNALLIA MARKETING DISTRIBUTION S.A., CIF A76539030. The insolvency administrator indicates that “months prior to the declaration of the contest, 07/28/2020, the company no longer had activity some, nor were there workers in it ”. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 04/27/2016, regarding the protection of natural persons with regard to the processing of personal data RGPD recognizes each control authority, and as established in arts. 47 and 48.1 of Organic Law 3/2018, of 5/12, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to resolve this procedure. II The RGPD refers -in section 8 of its article 4-, to the person in charge of the treatment or commissioned as “the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller " (here the claimed one), and article 4.7 of the RGPD "data controller" or "Responsible": the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of the treatment; Yes The law of the Union or of the Member States determines the ends and means of the treatment, the person responsible for the treatment or the specific criteria for your appointment may be established by the law of the Union or of the States members ”, here the claimant, who clearly shows that he established orders Regarding its servers, the service was interrupted and the data was not returned, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/20 being that all of them really belong to him for the management of the business, his collection and treatment of those who are directly responsible for the claimant. The treatment by the person in charge will be governed by a contract or act or other legal act with according to the law of the Union or of the Member States that binds the processor with respect to the person in charge and establish the object, duration, nature and purpose treatment, the type of personal data and categories of interested parties, and the obligations tions and rights of the person in charge (28.3 RGPD). Consequently, the figure of the incarnation The end of the treatment is due to the need to respond to phenomena such as outsourcing of services by companies and other entities, in a way that in those cases in which the data controller entrusts a third party zero the provision of a service that requires access to personal data, This access cannot be considered as a different treatment but rather serves to the person in charge, the actions being carried out by the person in charge on behalf of the ta of the person in charge, as if he himself were the one who carried it out. The manager must offer sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment is in accordance with the requirements of the regulation (art 28.1 GDPR). For these purposes, the owner of the data does not exercise and cannot exercise the right of access to some data that are his, for which he is directly responsible, having them collected and by establishing the data it collects and the purposes for which it is intended. The Right of access is a very personal right of the owner of the same, which is not must be confused with the person responsible for the treatment and the power he holds over the themselves. When a controller signs a treatment order contract with a third, what is done is to implement a legal business that must meet certain requirements to understand that the data is processed not by a third party, but by a third party on behalf of the person in charge, so there is no transfer, transfer or transfer of data to a third party, but they continue in the circle of the responsable. Also and for this reason, there is the power of the person in charge and the specific obligation for the manager, when he receives an order to comply with it according to the Article 29 of the RGPD: “The person in charge of the treatment and any person who acts under the authority of the person in charge or the person in charge and have access to personal data They may only process said data following instructions from the person in charge, unless are obliged to do so by virtue of the law of the Union or of the Member States ”. Certainly, as has been said, the instructions of the person responsible for the treatment they can still leave some degree of discretion on how best to serve the interests of the person responsible for the treatment, allowing the person in charge of the treatment to choose the more adequate technical and organizational means. In practice, if a person responsible for the treatment hires a processor to carry out the treatment on your behalf, it often means that the processor will be able to make certain decisions for yourself about how to carry out the treatment. It is recognized that there may be some room for maneuver for the person in charge of the treatment may also make some decisions regarding treatment. Here the complained party has a technical role inasmuch as the collection of customer data from hotel is carried out by the claimant who introduces them into the system, serving the claimed the technical means with material provided by the same claimant. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 16/20 Since the treatment must be carried out on behalf of a person responsible for the treatment, but not under their direct authority or control, acting "on behalf of" means serving the interests of another person and recalls the legal concept of "delegation". In this In this case, the instructions for server changes were not attended, it was left without access to the systems deliberately by the claimed and the return of the data delaying and putting conditions on some data of the responsible for unjustified issues. It is the person responsible, in this case the claimant, who decides to put in the hands of the In charge of the data so that it can carry out the tasks agreed upon in the contract. In this case, activities of a technical nature in telecommunications, servers and access to systems and their storage. Even using the claimed their experience and discretion in technical matters, the control of the data resides on the claimant. In the present case, it is a situation that affects the claimant in the development of its activities with the data for which it is responsible since despite your requirements, the respondent has not delivered the personal data files or servers, making it difficult and even impossible to carry out the activity ordinary management of the commercial traffic of its activity. Ultimately, the violation that is credited and attributed to the claimed is that of article 28.3.g) which indicates: "3. The treatment by the person in charge will be governed by a contract or other legal act with according to the law of the Union or of the Member States, that binds the person in charge with respect to the person in charge and establish the object, duration, nature and end of nature of the treatment, the type of personal data and categories of interested parties, and the obligations responsibilities and rights of the person in charge. Said contract or legal act shall stipulate, in part, ticular, that the person in charge: g) at the discretion of the person in charge, delete or return all personal data a once the provision of treatment services ends, and will delete the copies existing unless the preservation of personal data is required by virtue of of the Law of the Union or of the Member States ”. III Determines article 83.4 of the RGPD: "Violations of the following provisions will be sanctioned, in accordance with with paragraph 2, with administrative fines of maximum EUR 10 000 000 or, in the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the highest amount: a) the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43; Article 74 of the LOPDGDD indicates: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/20 “They are considered minor and the remaining infractions of merely formal character of the articles mentioned in sections 4 and 5 of the Article 83 of Regulation (EU) 2016/679 and, in particular, the following: "K) The breach by the person in charge of the stipulations imposed in the contract or legal act that regulates the treatment or the instructions of the person in charge of the treatment, unless it is legally obliged to do so in accordance with the Regulation (EU) 2016/679 and this organic law or in the cases where necessary to avoid the infringement of data protection legislation and would have warned the person in charge or the person in charge of the treatment " In no way was the delivery of the data owned by the claimant, it is not proven that it has become effective, as acknowledged by the claimant that The entire data was never finally provided despite the time that had elapsed. Article 58.2 of the RGPD provides the following: “Each control authority will have of all of the following corrective powers listed below: i) impose an administrative fine in accordance with article 83, in addition or in place of the measures mentioned in this section, depending on the circumstances of each particular case. IV The determination of the sanctions to be imposed in the present case requires ob- Serve the provisions of articles 83.1 and 2 of the RGPD, precepts that, respectively, mind, they provide the following: "1. Each supervisory authority shall guarantee that the imposition of the fines administered nistrative pursuant to this article for infractions of these Regulations. indicated in sections 4, 9 and 6 are effective in each individual case, and dissuasive. " "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose an admissible fine nistrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the treatment operation in question, as well as such as the number of interested parties affected and the level of damages incurred have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied in under articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the traffic- I lie; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 18/20 f) the degree of cooperation with the supervisory authority in order to remedy to the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in in particular if the person in charge or the person in charge notified the infringement and, if so, in what measure; i) when the measures indicated in article 58, paragraph 2, have been ordered previously issued against the person in charge or the person in charge in relation to the same matter, the fulfillment of said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirect, rightly, through the infraction. " Within this section, the LOPDGDD contemplates in its article 76, entitled “San- corrective measures and actions ”: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the criteria of graduation established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatment of personal information. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a process of merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which the that there are controversies between those and any interested party. 3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of the Regulation (EU) 2016/679. " For the assessment of the sanction, the commencement agreement contained its assessment without damage of the instruction, and as an amount for the estimated infraction, they were considered 100,000 euros of penalty. It was taken into account: -The disturbance in the development of the actions of the claimant of special gra- truth to prevent operating with the data (83.2.a RGPD) from 06/07/2029, adding that as of 07/26/2019 it is not completed or accredited by the one that carries out the treatment- on behalf of the claimant who complied with said ordinary obligation to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/20 established in the treatment order contracts, thus not considering delivery- two (art 83.2.a) of the RGPD. - The linking of the activity of the offender with the performance of data processing personal (art. 76.2 b LOPDGDD). The aforementioned circumstances and amount are ratified after the instruction and proposal. Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of the sanction whose existence has been accredited, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE a fine of 100,000 euros, to SIGNALLIA MARKETING DISTRIBUTION, S.A., with CIF A76539030, for a violation of article 28.3.g) of the RGPD, in accordance with article 83.4 b) of the RGPD, and article 74.k) of the LOPDGDD, with the concurrent circumstances in articles 83.2.a) of the RGPD and 76.2.b) of the LOPDGDD. SECOND: NOTIFY this resolution to SIGNALLIA MARKETING DISTRIBUTION, S.A. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of 1/10, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Real Decree 939/2005, of 07/29, in relation to art. 62 of Law 58/2003, of 12/17, by entering it, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account nº ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Protection Agency of Data in the bank CAIXABANK, S.A .. Otherwise, we will proceed to its collection in executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/20 the fourth additional provision of Law 29/1998, of 07/13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited LPACAP. You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency does not had knowledge of the filing of the contentious-administrative appeal in the within two months from the day following notification of this resolution, would terminate the precautionary suspension. 938-131120 Mar Spain Martí C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es