AEPD (Spain) - PS/00322/2021

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 17 GDPR
Article 28(3)(f) GDPR
Article 203 Real Decreto-ley 3/2020
Article 38 LSSI
Article 74 LOPDGDD
Type: Complaint
Outcome: Upheld
Started: 26.08.2020
Decided:
Published: 04.02.2022
Fine: 300,000 EUR
Parties: SEGURCAIXA ADESLAS, S.A.
National Case Number/Name: PS/00322/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Cesar Manso-Sayao

The Spanish DPA imposed a fine of €300,000 on an insurance company for not granting a data subject's erasure requests, for unlawfully sending marketing emails, and for having an invalid processing contract with an insurance agent.

English Summary

Facts

A data subject filed a complaint against an insurance company (Segurcaixa Adeslas S.A. de Seguros y Reaseguros) for failing to grant their request to exercise their right to erasure. The data subject claimed they had written various emails spanning from 2016 to 2020, requesting the deletion of their personal data. Additionally, the data subject registered their email in the Spanish Robinson List (an opt-out list for marketing communications) in 2020. The data subject, however, claimed that these requests were not answered or granted, and they continued to receive marketing emails from the insurance company.

In its defense, the insurance company alleged that it had answered these requests, stating it did not have the data subject’s information on file. Additionally, the insurance company claimed it had informed the data subject that, although the marketing carried its name and company logo, the marketing activity was actually carried out by a mediator insurance agency, which was therefore the appropriate recipient of the erasure request. The insurance company argued that this agency was a separate controller which acted independently, and that it could not be held accountable for this other controller's activity if it were in breach of GDPR.

The insurance company also claimed that the only information processed was the data subject’s email, which does not identify the person individually and therefore should not be considered personal data. Additionally, the insurance company claimed that failures to grant erasure requests were minor infractions which would already be prescribed according to Article 38 of the Spanish Information Society and Electronic Commerce Law (Ley 34/2002 de servicios de la sociedad de la información y de comercio electrónico – LSSI), which corresponds to Article 74 of the Spanish Data Protection Act (Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales – LOPDGDD).

Holding

For starters, the AEPD held that emails (as well as phone numbers) despite not containing the name under which they are registered, do have a direct link to the person and make them identifiable, and therefore are considered personal data under the definition established in Article 4 GDPR.

With regards to the insurance company’s claims that they should not be considered controllers in this case, and that the mediator insurance agency acted as an independent controller instead, the AEPD categorically refuted this argument. The AEPD held that according to Article 203 of the Spanish national law in the field of private insurance and related matters (Real Decreto Ley 3/2020 de 4 de febrero, de medidas urgentes por el que se incorporan al ordenamiento jurídico español diversas directivas de la Unión Europea en el ámbito de la contratación pública en determinados sectores; de seguros privados; de planes y fondos de pensiones; del ámbito tributario y de litigios fiscales), mediator insurance agents are explicitly defined as processors under GDPR, and not controllers as the insurance company alleged in its defense.

The AEPD also held that, after exhaustively evaluating the circumstances of the case, the fact that the data subject had registered their email in the Spanish Robinson List was a clear manifestation of not consenting to receive marketing communications. Therefore, the continuous reception of these emails on the insurance company’s behalf constituted a violation of Article 6(1)(a) GDPR. The AEPD also found the insurance company in breach of Article 17 GDPR for not granting the data subject’s repeated requests to exercise their right to erasure.

Additionally, the AEPD held that the insurance company's contract with the mediator insurance agency did not comply with the requirements of Articles 28(3)(f) and (g) GDPR, which contain provisions related to assisting the data processor to ensure compliance with its obligations in the protection of personal data, and the deletion of personal data after the processor’s services have been completed.

Regarding the prescription of GDPR violations alleged by the insurance company, the AEPD held that the decision is actually based on breaches of Article 6 GDPR, Article 28 GDPR and Article 17 GDPR. According to the AEPD, the first two are considered serious infractions which prescribe in 3 years according to Article 74 LOPDGDD, and would therefore not be prescribed.

Regarding the breach of Article 17 GDPR, the AEPD held that the insurance company’s lack of response to the data subject’s request to erase their personal data, and the continuation of marketing communications being sent to the data subject's email, should be considered as a “permanent infraction” (which is continuous in time and is not limited to only one act) according to the criteria of the Spanish Supreme Court (Tribunal Supremo – TS) in its decision of 7 March, 2006. In this case, a marketing email was received by the data subject the day before the claim was filed, and the violation of this provision had therefore not prescribed either according to the aforementioned Article 74 LOPDGDD.

Based on these considerations, the AEPD fined the insurance company a total of €300,000 (€100,000 for the breach of Article 6 GDPR, €100,000 for the breach of Article 17 GDPR and €100,000 for the breach of Article 28 GDPR).


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00322/2021


               RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following


                                  BACKGROUND

FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the
Spanish Data Protection Agency on August 26, 2020.


The claim is directed against SEGURCAIXA ADESLAS, S.A. OF INSURANCE AND
REINSURANCE with NIF A28011864 (hereinafter, the claimed party).

The ground on which the claim is based is that the claimant has requested the
deletion of his personal data via email to the claimed party, with a copy to
"dpd@segurcaixaadeslas.es" and customer service "adeslas@segurcaixaadeslas.es",
on the following dates: 05/19/2016, 05/21/2019, 07/15/2019, 02/04/2020 and 08/25/2020,
and despite this, he has not received a response and continues to receive advertising.

The claimant also states that the facts claimed occurred from May 19, 2016
until August 25, 2020, and that the electronic address at which he
receives the advertising (***EMAIL.1) is registered in the Robinson List.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,
on the Protection of Personal Data and guarantee of digital rights
(hereinafter LOPDGDD), said claim was transferred to the claimed party, so that
it could proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the data
protection regulations.

On October 23, 2020, this Agency received a letter from SEGURCAIXA
ADESLAS, S.A. OF INSURANCE AND REINSURANCE in which it states that the
claimant only submitted two claims to the correct email address,
specifically those dated 02/04/2020 and 08/25/2020, both being
processed and answered to the claimant in a timely manner.

The other two complaints were addressed to the addresses
segursaludplena@gmail.com and ***B.B.B.@agente.segurcaixaadeslas.es, which do not
correspond with the Privacy Office and/or Data Protection Delegate of
this Company, that is, they are not addresses that correspond to those of
SEGURCAIXA ADESLAS.


SEGURCAIXA ADESLAS, S.A. OF INSURANCE AND REINSURANCE also states
that in the information systems of SEGURCAIXA ADESLAS there is no record
with the email address ***EMAIL.1 to which the communications that
motivate the claim filed by the claimant were sent.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/16









That is why, as indicated to the claimant in our responses
referred to above, what does not appear or is not housed in our
systems cannot be deleted.

In response to the request of this Agency, SEGURCAIXA ADESLAS, S.A. OF
INSURANCE AND REINSURANCE also points out that the communications that motivate the
complaint have been made by insurance agents (mediators) of our
Company, which maintain a commercial relationship with SEGURCAIXA ADESLAS
under the provisions of Law 12/1992 on agency contracts and Title I of the Second
Book of Royal Decree-Law 3/2020, of February 4, which transposes Directive (EU)
2016/97 of the European Parliament and of the Council, of January 20, 2016, on
insurance distribution.


SEGURCAIXA ADESLAS, S.A. OF INSURANCE AND REINSURANCE, in its
argumentation, alleges that, as established in articles 128 and 129 of Royal
Decree-Law 3/2020, the activity of the aforementioned mediators is intended to attract
customers who are interested in contracting insurance policies issued by
our Company.

Said activity of promotion or attraction of clients is carried out by the
insurance agent, as established in article 2 of Law 12/1992 on agency contracts,
independently and autonomously, without dependence on or subordination to
the insurer (in this case SEGURCAIXA ADESLAS) that contracts him.


SEGURCAIXA ADESLAS, S.A. OF INSURANCE AND REINSURANCE also points out that
this client-attraction activity is carried out by the agent autonomously, independently
and outside SEGURCAIXA ADESLAS, using for this the personal contacts
available to the agent, and that its purpose is to capture potential
clients for our Company. With respect to said personal contacts (prior to
contracting the insurance and, therefore, outside the insurer) the mediator acts
as the actual controller of them for the purposes established in the legislation
on data protection.

When the mediator agent is successful in his commercial work and gets his
contact to formalize and contract an insurance policy of our Entity, that is when the
personal data of said person, now a client of our company, are transferred to
be included in the SEGURCAIXA ADESLAS databases.

Therefore, SEGURCAIXA ADESLAS, S.A. OF INSURANCE AND REINSURANCE considers
that, consequently, it will be the mediating agent who, in this preliminary phase, must
observe the legal precautions, in this case concerning electronic advertising
communications, in accordance with the provisions of articles 21 and 22.1 of
Law 34/2002, of July 11, on services of the information society and
electronic commerce, by application of the provisions of article 204 of Royal
Decree-Law 3/2020.

Therefore, based on such argumentation, the claimant was told that he should
request the exercise of this right of erasure from the agent who sent him the
communication.


THIRD: On October 29, 2020, the Director of the Spanish Agency for
Data Protection agreed to admit for processing the claim presented by the party
claimant.


FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
preliminary investigative actions to clarify the facts in
question, by virtue of the investigative powers granted to the supervisory
authorities in article 57.1 of Regulation (EU) 2016/679 (General Data
Protection Regulation, hereinafter RGPD), and in accordance with the provisions of
Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the
following:

The terms of the emails are stated in the documentation provided
by the claimant. While they request permission to send additional information,
the emails are in themselves advertising for SEGURCAIXA ADESLAS,
showing the “ADESLAS” logo and, as the title of the message, “Exclusive agent
ADESLAS” in the corporate color of this insurance company. They also
include the response sent by the claimant exercising the right to object.

Information was requested from ADIGITAL to check whether the email address at which
the communications are received is registered in the Robinson List as indicated by the
claimant; on February 19, 2021, this Agency received a reply letter
confirming that the email address has been registered
since March 29, 2020. Therefore, all messages except the last one
would have been sent prior to this registration.


FIFTH: On October 14, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the claimed party,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 6 of the RGPD, article 28 of the RGPD and
article 17 of the RGPD, typified in article 83.5 of the RGPD.

SIXTH: Once the aforementioned initial agreement was notified, the respondent requested an
extension of the period for arguments and subsequently presented a brief of arguments on
November 9, 2021, providing the commercial mediation contract signed by the
claimed entity with its insurance agents and stating that insurance agents
must be considered controllers and not mere processors
of personal data, based on what is indicated by the European Federation of
Insurance Intermediaries, specifically indicating the following:

“The European Federation of Insurance Intermediaries (BIPAR) has pronounced
on the importance of highlighting that the legal definitions provided by other
rules regarding the roles related to the processing of personal data (such as
may be the case of RD-Law 3/2020 and the role of Processor that it
attributes to Insurance Agents) do not automatically influence the
definitions or qualifications provided by the GDPR, which this party understands
to mean that, although the specific regulation of a certain sector designates
a certain actor (in this case, Insurance Agents) as Controller or Processor,
the reality of these roles cannot be ignored, a reality embodied in the RGPD,
which clearly establishes that Controllers have autonomy in
making decisions regarding the processing of personal data, in line with the
provisions of articles 4.7 and 28.10 of the RGPD, previously cited.”


SEVENTH: On November 25, 2021, the instructor of the procedure agreed
the opening of a period for the taking of evidence, considering incorporated the
previous investigation actions, as well as the documents provided by the
claimed party in its statement of arguments.

EIGHTH: On December 22, 2021, the respondent entity filed
allegations to the motion for a resolution, emphasizing in the first place that it
considers that ***EMAIL.1 is not personal data, since it is a
simple generic e-mail address that notoriously prevents the identification of
any person acting through it.


Second, it notes that there is no evidence that the claimant requested the
deletion of his data.

Third, it acknowledges that the complainant registered ***EMAIL.1 on the Robinson
List on March 29, 2020 and that despite this he received emails,
but only requesting authorization to send advertising.


However, it states that these are three minor sanctions and that they
are prescribed in accordance with article 38 of the LSSI.

Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:

                                PROVEN FACTS

FIRST: The claimant requested the deletion of their personal data on 05/19/2016,
05/21/2019, 07/15/2019, 02/04/2020 and 08/25/2020 and despite this has not
received a response and continues to receive advertising.

It is also verified that the claimant registered the email address
***EMAIL.1 on the Robinson List on March 29, 2020.


SECOND: The claimed entity states that the communications that motivate the
complaint have been made by insurance agents (mediators) of our
Company, which maintain a commercial relationship with SEGURCAIXA ADESLAS
under the provisions of Law 12/1992 on agency contracts.

Said activity of promotion or attraction of clients is carried out by the
insurance agent, as established in article 2 of Law 12/1992 on agency contracts,
independently and autonomously, without dependence on or subordination to
the insurer (in this case SEGURCAIXA ADESLAS) that hires him, which is why
it considers that insurance agents should be regarded as controllers and not
mere processors of personal data.

                           FOUNDATIONS OF LAW


                                              I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory
authority, and according to the provisions of articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Agency for Data Protection is competent to initiate and to
resolve this procedure.

                                              II


Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights, in its article 4.11 defines the consent of the
interested party as "any manifestation of free will, specific, informed and
unequivocal by which the interested party accepts, either by means of a declaration or a
clear affirmative action, the processing of personal data that concerns him".


In this sense, article 6.1 of the RGPD establishes that:

"1. The processing will only be lawful if at least one of the following conditions is met:

a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;

b) the processing is necessary for the execution of a contract to which the interested party
is a party or for the application, at the request of the latter, of pre-contractual measures;

c) the processing is necessary for the fulfillment of a legal obligation applicable to the
data controller;

d) the processing is necessary to protect the vital interests of the interested party or of
another natural person;

e) the processing is necessary for the fulfillment of a mission carried out in the public
interest or in the exercise of public powers vested in the data controller;

f) the processing is necessary for the satisfaction of legitimate interests pursued
by the data controller or by a third party, provided that said interests
are not overridden by the interests or the fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the
interested party is a child.

The provisions of letter f) of the first paragraph shall not apply to the processing
carried out by public authorities in the exercise of their functions."

In relation to the legitimacy for the processing of personal data, we must
also note that article 19 of the LOPDGDD establishes a "iuris tantum"
presumption of prevalence of the controller's legitimate interest when the
processing is carried out subject to a series of requirements, which does not
exclude the legality of this type of processing when the conditions set forth in
the text are not strictly met, although in that case the controller must carry
out the legally required weighing and may not presume the prevalence of its
legitimate interest. Specifically, said precept establishes the following:

"1. Unless proven otherwise, the processing of contact data and, where
applicable, data related to the function or position held by natural persons who
provide services in a legal person will be presumed covered by the provisions of
article 6.1.f) of Regulation (EU) 2016/679, provided that the following
requirements are met:

a) That the processing refers only to the data necessary for their
professional location.

b) That the purpose of the processing is only to maintain relations of any
nature with the legal entity in which the affected party renders his services.

2. The same presumption will operate for the processing of data related to
individual entrepreneurs and liberal professionals, when they refer to them
solely in that condition and are not processed to establish a relationship with
them as natural persons.

3. The controllers or processors referred to in article 77.1
of this organic law may also process the data mentioned in the two
previous sections when this is derived from a legal obligation or is necessary
for the exercise of their powers."


Thus, we must point out that, when the claimant is registered in the
Robinson List, the "iuris tantum" presumption of prevalence of the controller's
legitimate interest does not apply.
                                            III


In the legal analysis that concerns us, we must also take into account Royal
Decree-Law 3/2020 of February 4, on urgent measures by which various directives of
the European Union are incorporated into the Spanish legal system in the field of
public procurement in certain sectors; private insurance; pension plans and
funds; taxation and tax litigation, which in its article 135 and
following regulates the figure of insurance mediators.

Thus, article 135 of said legal text states the following in relation to the
classes of insurance mediators.

1. Insurance mediators are classified as:

a) Insurance agents.
b) Insurance brokers.

Insurance agents and insurance brokers may be natural or legal persons.

2. The conditions of insurance agent and insurance broker are incompatible
with each other, in terms of their simultaneous exercise by the same natural or
legal persons. Notwithstanding the foregoing, any insurance mediator may request the
modification of its registration in the administrative register of distributors of
insurance and reinsurance provided for in article 133, in order to exercise the
insurance distribution activity through another form of mediation, after
accrediting compliance with the requirements demanded for it.

3. The names "insurance agent" and "insurance broker" remain
reserved for the insurance mediators defined in Title I.

4. Credit institutions, financial credit establishments and, where appropriate,
commercial companies controlled or owned by credit institutions or
financial credit establishments, when they exercise the activity of insurance
agent through the distribution networks of either of the two, will adopt the
denomination of "bank-insurance operator", which will be reserved for them, and
will be subject to the specific regime regulated in articles 150 to 154.

5. The insurance mediators mentioned in section 1 may use websites
or other distance communication techniques, through which the customer is
provided with information comparing prices or coverage of a given number of
insurance products from different companies.


On the other hand, article 144 of the aforementioned Royal Decree-Law 3/2020 must be highlighted,
which regulates the advertising and commercial documentation of insurance distribution
by insurance agents, indicating the following:

"1. In the advertising and in the commercial documentation of insurance distribution of
insurance agents, the expression “exclusive insurance agent”, “linked insurance
agent”, “exclusive insurance agency” or “linked insurance agency” must appear
prominently, followed by the company name of the insurance entity
for which the distribution operation in question is being carried out,
by virtue of the agency contract entered into with it, or of the contract signed between
insurance entities for the provision of services for distribution through the
assignment of their networks, as well as the registration number in the administrative registry
provided for in article 133 and, where appropriate, the fact of having contracted
civil liability insurance or another financial guarantee.

2. Likewise, in the advertising they carry out in general or through telematic
media, they must mention the insurance companies with which they have
entered into an insurance agency contract."

In relation to the status of controller or processor, article
203 of said legal text establishes the following:

1. For the purposes provided in Organic Law 3/2018, of December 5, as well as in
Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27,
2016, on the protection of natural persons with regard to the
processing of personal data and the free movement of such data:

a) Insurance agents and bancassurance operators will have the status of
processors of the insurance company with which they have concluded
the corresponding agency contract, under the terms provided in Title I.

b) Insurance brokers and reinsurance brokers will have the status of
controllers with respect to the data of the people who come to
them.

c) The external collaborators referred to in article 137 will have the status
of processors of the insurance agents or brokers with whom they
have entered into the corresponding commercial contract. In this case, they may only
process the data for the purposes set forth in article 137.1.

2. In the case provided for in letter a) of section 1, the agency contract
must include the points provided for in article 28.3 of Regulation
(EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016.

In the same way, in the case provided for in section 1.c), the
commercial contract entered into with external collaborators must include the points
provided for in Article 28.3 of Regulation (EU) 2016/679 of the European Parliament
and of the Council, of April 27, 2016.

3. Insurance entities may not keep the data provided to them by
insurance mediators that do not result in the conclusion of an insurance contract,
and are obliged to delete them unless there is another legal basis that allows
legitimate processing of the data in accordance with Regulation (EU) 2016/679 of the
European Parliament and of the Council, of April 27, 2016.

In addition to the precepts indicated in the specific regulations on insurance
contracting, we must take into account that, in terms of data protection, the
figure of the processor is regulated in article 28 of the RGPD, which states the
following:

1. When processing is going to be carried out on behalf of a controller,
the controller will only choose a processor who offers sufficient guarantees
to apply appropriate technical and organizational measures, so that the
processing is in accordance with the requirements of this Regulation and guarantees the
protection of the rights of the interested party.

2. The processor will not resort to another processor without the prior written
authorization, specific or general, of the controller. In the latter case, the processor
will inform the controller of any change foreseen in the incorporation or
replacement of other processors, thus giving the controller the opportunity to oppose
these changes.

3. The processing by the processor will be governed by a contract or other legal act
under the law of the Union or of the Member States, which binds the processor
with respect to the controller and establishes the object, duration, nature and
purpose of the processing, the type of personal data and categories of interested parties, and the
obligations and rights of the controller. Said contract or legal act shall stipulate, in
particular, that the processor:

a) will process personal data only following documented instructions of the
controller, including with respect to transfers of personal data to a
third country or an international organization, unless required to do so under
the law of the Union or of the Member States that applies to the processor; in
such a case, the processor will inform the controller of that legal requirement prior to the
processing, unless such law prohibits it for important reasons of public
interest;

b) will guarantee that the persons authorized to process personal data have
committed to respecting confidentiality or are subject to an obligation of
confidentiality of a statutory nature;

c) will take all necessary measures in accordance with article 32;

d) will respect the conditions indicated in sections 2 and 4 to resort to another
processor;

e) will assist the controller, taking into account the nature of the processing, through
appropriate technical and organizational measures, whenever possible, so that the
controller can comply with its obligation to respond to requests for
the exercise of the rights of the interested parties established in chapter III;

f) will help the controller to guarantee the fulfillment of the obligations
established in articles 32 to 36, taking into account the nature of the processing
and the information available to the processor;

g) at the choice of the controller, will delete or return all personal data once
the provision of processing services ends, and will delete the existing
copies unless the retention of personal data is required under
the law of the Union or of the Member States;

h) will make available to the controller all the information necessary to demonstrate
compliance with the obligations established in this article, as well as
to enable and assist in the performance of audits, including inspections, by
the controller or by another auditor authorized by said controller.

In relation to the provisions of letter h) of the first paragraph, the processor will
immediately inform the controller if, in its opinion, an instruction violates this
Regulation or other provisions on data protection of the Union or of
the Member States.

4. When a processor resorts to another processor to carry out
certain processing activities on behalf of the controller, the same data
protection obligations as those stipulated in the contract or other legal act between the
controller and the processor referred to in section 3 will be imposed on
this other processor, by contract or other legal act established in accordance with the
law of the Union or of the Member States, in particular the provision
of sufficient guarantees of application of appropriate technical and organizational measures
so that the processing is in accordance with the provisions of this
Regulation. If that other processor breaches its data protection obligations,
the initial processor will remain fully accountable to the controller
with regard to the fulfillment of the obligations of the other
processor.

5. The processor's adherence to a code of conduct approved under article 40 or to a
certification mechanism approved under article 42 may be used as an element to
demonstrate the existence of the sufficient guarantees referred to in sections 1
and 4 of this article.

6. Without prejudice to the controller and the processor entering into an
individual contract, the contract or other legal act referred to in sections 3 and 4
of this article may be based, totally or partially, on the standard contractual
clauses referred to in sections 7 and 8 of this article, including when they form
part of a certification granted to the controller or processor in accordance with
articles 42 and 43.

7. The Commission may establish standard contractual clauses for the matters
referred to in sections 3 and 4 of this article, in accordance with the examination
procedure referred to in article 93, paragraph 2.

8. A supervisory authority may adopt standard contractual clauses for the
matters referred to in sections 3 and 4 of this article, in accordance with the
coherence mechanism referred to in article 63.

9. The contract or other legal act referred to in sections 3 and 4 shall be recorded
in writing, including in electronic format.

10. Without prejudice to the provisions of articles 82, 83 and 84, if a processor
infringes this Regulation by determining the purposes and means of the processing,
it will be considered a controller with respect to said processing.

                                           IV

In the present case, the claimant states that he receives advertising, despite
being registered on the Robinson List and despite having exercised his right to
erasure.

In its defence, the claimed entity has stated that it is the mediating agent who
must observe the legal precautions, in this case regarding electronic advertising
communications, in accordance with the provisions of Articles 21 and 22.1 of Law
34/2002, of July 11, on information society services and electronic commerce, by
application of the provisions of article 204 of Royal Decree-Law 3/2020.


As allegations in this sanctioning procedure, the claimed entity provided, on
November 9, 2021, the commercial mediation contract signed with several insurance
agents, claiming that insurance agents should be considered controllers and not
merely processors of personal data.










On December 22, 2021, it submitted arguments against the resolution proposal,
stating that it does not consider ***EMAIL.1 to be personal data, since it is a
simple generic email address that notoriously prevents identifying any person
acting through it.

In this sense, it should be noted that email addresses are considered personal
data, like a telephone number, since, despite not consisting of the name and
surname of their owner, they have a direct link with him in accordance with article
4 of the RGPD, which establishes that personal data shall be understood as “all
information about an identified or identifiable natural person ("the interested
party"); an identifiable natural person shall be deemed to be any person whose
identity can be determined, directly or indirectly, in particular by an identifier,
such as a name, an identification number, location data, an online identifier or
one or more elements of the physical, physiological, genetic, psychic, economic,
cultural or social identity of said person”.

Second, the respondent entity has argued that there is no evidence that the
claimant requested the deletion of his data. In this sense, it has been verified,
by means of a copy of the emails sent by the claimant, that he repeatedly
requested the deletion of all his data on its systems on 05/19/2016, 05/21/2019,
07/15/2019, 02/04/2020 and 08/25/2020, and that his request has not received a
response.

Third, the respondent entity acknowledges that the complainant registered the email
address ***EMAIL.1 on the Robinson List on March 29, 2020, and that despite this it
sent him emails, although it justifies this by alleging that these were not of an
advertising nature but requested authorization to send him advertising, despite the
fact that the purpose of registering on the Robinson List is not to receive
advertising.


The allegations of the claimed entity conclude by indicating that the infractions
imputed to it are prescribed.

In this sense, it should be noted that we are dealing with an infringement of
article 6 of the GDPR, a second violation of article 28 of the GDPR and a third
violation of article 17 of the RGPD, typified in articles 83.5 a), 83.5 b), and
83.4 a) of the GDPR.

Therefore, the first two sanctions are considered, for prescription purposes,
of a very serious nature, so in accordance with article 72 of the LOPDGDD they
prescribe after 3 years, and the third sanction is considered, for prescription
purposes, as of a minor nature, which implies that, in accordance with article 74
of the LOPDGDD, it has a limitation period of one year.

However, in this last case we are dealing with a permanent infringement, because
the claimant has accredited the receipt of emails dated 07/15/2019, 02/04/2020 and
08/25/2020.

In this sense, the Supreme Court (TS) says that "permanent offenses are those
unlawful conducts that persist over time and are not exhausted with a single act,
determining the maintenance of the unlawful situation at the will of the author, as
in the case of the development over time of activities without the mandatory
authorizations and other similar assumptions”, STS of March 7, 2006.


In this case, it is not the sending of a single email that is sanctioned, but the
sending of successive emails without the consent of the claimant, and it has been
verified that the day before the complaint, that is, on 08/25/2020, said action
continued, without prejudice to the fact that it may have continued after the
presentation of said complaint, since despite the claimant's repeated requests not
to receive more emails, the claimed entity did not respond to the claimant and
therefore there are no indications that measures were taken to correct such facts.

Therefore, the sanction would not have prescribed in accordance with article 30.2
of Law 39/2015, where the following is indicated:

“The limitation period for infractions will begin to run from the day on which
the offense was committed. In the case of continued or permanent violations, the
term will begin to run from the end of the offending conduct.

The prescription will be interrupted by the initiation, with the knowledge of the
interested party, of an administrative procedure of a sanctioning nature, the
prescription period restarting if the sanctioning file is paralyzed for more than a
month for reasons not attributable to the alleged perpetrator.”

Thus, this Agency, after an exhaustive study of the facts, considers that the
sending of advertising by the claimed entity to the claimant, the latter being
registered on the Robinson List, constitutes an infraction of article 6 of the
RGPD (precept indicated in the foundation of law II) due to the lack of legitimacy
for its processing.

Second, it has been proven that the claimant repeatedly exercised his right of
cancellation before the claimed entity on 05/19/2016, 05/21/2019, 07/15/2019,
02/04/2020 and 08/25/2020, and his request did not receive a response, despite the
right recognized in article 16 of the LOPD, in force until May 25, 2018, a right
currently recognized in article 17 of the RGPD, called the right of erasure ("the
right to be forgotten"), which governs the claimant's right of erasure, affirming
that he will have the right to obtain without undue delay from the controller the
deletion of the personal data that concerns him.

Thirdly, it is verified that the claimed entity, despite the contracts provided,
does not have a formalized contract with the insurance agents that complies with
all the requirements demanded by the data protection regulations in article 28.3 of
the RGPD, thereby infringing said precept, indicated in the foundation of law III,
such as the deletion of personal data, in accordance with the provisions of article
28.3, sections f) and g), of the RGPD, regarding helping the controller to
guarantee compliance with its obligations in the protection of the personal data
that are processed, and regarding the deletion of data once the provision of the
services has ended.











Therefore, it is considered that the claimed entity, in addition to violating
article 6 of the RGPD for carrying out personal data processing without legitimacy,
contravenes article 17 of the RGPD for not responding to the right of erasure
exercised by the claimant, and violates article 28.3 of the RGPD since the
existence of a contract between the claimed entity and its agents that is in
accordance with data protection regulations has not been accredited before this
Agency.

                                           V


By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for
Data Protection, as a supervisory authority, has a set of corrective powers in the
event of an infraction of the precepts of the GDPR.

Article 58.2 of the RGPD provides the following:

“2 Each supervisory authority shall have all of the following corrective powers
listed below:

(…)

b) send a warning to any controller or processor when the processing operations
have violated the provisions of this Regulation;”

(...)

“d) order the controller or processor to bring processing operations into
compliance with the provisions of this Regulation, where appropriate, in a
specified manner and within a specified period;”

“i) impose an administrative fine under article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case;"

                                           VI

Violations of articles 6 and 17 of the RGPD can be sanctioned with fines of
€20,000,000 maximum or, in the case of a company, an amount equivalent to a maximum
of 4% of the total global annual turnover for the previous financial year, opting
for the highest amount, in accordance with article 83.5 of the RGPD in sections a)
and b) respectively:

a) the basic principles for the processing, including the conditions for consent
under articles 5, 6, 7 and 9;

b) the rights of the interested parties according to articles 12 to 22;


The infringement of article 28.3 of the RGPD can be sanctioned with an
administrative fine of EUR 10,000,000 maximum or, in the case of a company, of an
amount equivalent to a maximum of 2% of the total annual turnover of the previous
financial year, opting for the highest amount, in accordance with article 83.4 of
the RGPD in its section a), where the following is indicated:

a) the obligations of the controller and of the processor pursuant to articles 8,
11, 25 to 39, 42 and 43;

Likewise, it is considered appropriate to graduate the sanctions to be imposed in accordance with
the following criteria established in article 83.2 of the RGPD.


Specifically, we are faced with several manifestly negligent actions, in accordance
with article 83.2 b) of the RGPD, since we could understand that the negligence
arises from the repeated and continuous sending of emails by the claimed party
despite the claimant repeatedly expressing his desire not to receive advertising,
and, despite the registration of his email on the Robinson List since March 29,
2020, the advertising mailings have not ceased, nor have corrective measures been
applied.

In this sense, it should be noted that the Judgment of the National High Court of
10/17/2007 (rec. 63/2006) establishes, with respect to entities whose activity
entails the continuous processing of customer data, the following:

“(…) the Supreme Court has been understanding that there is imprudence whenever
a legal duty of care is disregarded, that is, when the offender fails to behave
with due diligence. And in assessing the degree of diligence, the professionalism
or not of the subject must be especially weighed, and there is no doubt that, in
the case now examined, when the activity of the appellant involves constant and
abundant handling of personal data, rigor and exquisite care must be insisted upon
to comply with the legal provisions in this regard”

In addition, we could also consider as an aggravating circumstance the provision of
article 76.2.b) of the LOPDGDD, because the activity of the claimed party is linked
to the processing of personal data, as it is dedicated to the sale and management
of health insurance.

                                           VII


In relation to the statute of limitations, the following must be taken into account:

Article 72.1 b) of the LOPDGDD states that “according to what is established in
article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a
substantial violation of the articles mentioned therein are considered very serious
and will prescribe after three years and, in particular, the following:

b) The processing of personal data without the concurrence of any of the conditions
of legality of the processing established in article 6 of Regulation (EU)
2016/679”.

Article 74.c) of the LOPDGDD states that "the remaining infractions of a merely
formal nature of the articles mentioned in sections 4 and 5 of article 83 of
Regulation (EU) 2016/679 are considered minor and will prescribe after one year
and, in particular:










c) Failure to respond to requests to exercise the rights established in articles
15 to 22 of Regulation (EU) 2016/679.


e) Failure to comply with the notification obligation regarding the rectification or
deletion of personal data or limitation of treatment required by article 19
of Regulation (EU) 2016/679.

Therefore, in accordance with the applicable legislation and having assessed the
criteria for graduation of sanctions whose existence has been proven, the Director
of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS, with NIF
A28011864, for an infringement of article 6 of the RGPD, typified in article 83.5
a) of the RGPD, a fine of €100,000 (one hundred thousand euros).

SECOND: IMPOSE on SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS, with NIF
A28011864, for a violation of article 28 of the RGPD typified in article 83.5 b) of
the RGPD, a fine of €100,000 (one hundred thousand euros).

THIRD: IMPOSE on SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y REASEGUROS, with NIF
A28011864, for a violation of article 17 of the RGPD typified in article 83.4 a) of
the RGPD, a fine of €100,000 (one hundred thousand euros).

FOURTH: NOTIFY this resolution to SEGURCAIXA ADESLAS, S.A. DE SEGUROS Y
REASEGUROS.

FIFTH: Warn the sanctioned party that it must make the imposed sanction effective
once this resolution is enforceable, in accordance with the provisions of art.
98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of
Public Administrations (hereinafter LPACAP), within the voluntary payment term
established in art. 68 of the General Collection Regulations, approved by Royal
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17,
by depositing it, indicating the NIF of the sanctioned party and the procedure
number that appears in the heading of this document, in the restricted account
number ES00 0000 0000 0000 0000 0000, opened on behalf of the Spanish Agency for
Data Protection in the banking entity CAIXABANK, S.A. Otherwise, it will be
collected in the executive period.

Once the notification has been received and once it is enforceable, if the
enforceability date falls between the 1st and 15th of each month, both inclusive,
the term to make the voluntary payment will be until the 20th day of the following
month or immediately after, and if it falls between the 16th and last day of each
month, both inclusive, the payment term will be until the 5th of the second
following month or immediately after.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution
will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of
article 123 of the LPACAP, the interested parties may optionally file an appeal for
reconsideration before the Director of the Spanish Agency for Data Protection
within a month counting from the day following the notification of this resolution,
or directly a contentious-administrative appeal before the Contentious-
Administrative Chamber of the National Court, in accordance with the provisions of
article 25 and section 5 of the fourth additional provision of Law 29/1998, of July
13, regulating the Contentious-administrative jurisdiction, within a period of two
months from the day following the notification of this act, as provided in article
46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a)
of the LPACAP, the firm resolution in administrative proceedings may be
provisionally suspended if the interested party expresses his intention to file a
contentious-administrative appeal. If this is the case, the interested party must
formally communicate this fact in writing addressed to the Spanish Agency for Data
Protection, presenting it through the Electronic Register of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
He must also transfer to the Agency the documentation proving the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the filing
of the contentious-administrative appeal within a period of two months from the day
following the notification of this resolution, it would end the precautionary
suspension.


Mar España Martí

Director of the Spanish Data Protection Agency





























