AEPD (Spain) - PS/00351/2019

From GDPRhub
AEPD - PS/00351/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 58(2)(c) GDPR
Type: Complaint
Outcome: Upheld
Published: 18.03.2020
Fine: 30,000 EUR
Parties: Telefónica Móviles España, S.A.U.
National Case Number/Name: PS/00351/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish Data Protection Authority (AEPD) imposed a fine of 30,000 € on Telefónica Móviles España, S.AU. (the data controller) for infringing the obligation to comply with data subjects' requests to exercise their rights of access and erasure. The data controller had received an order with a previous AEPD's decision according to Article 58(2)(c) GDPR.

English Summary


The decision is the consequence of a second complaint submitted in June 2019 by a Spanish citizen stating that, after a first complaint (July 2018) in which he informed the AEPD that he had exercised his rights of access and erasure before the data controller without results (and, according to which, the AEPD had issued a decision requesting the data controller to grant such rights), the data controller only granted the erasure right to the citizen, but not the access right.

The data controller answered to the AEPD investigation requests that it had sent the citizen the corresponding information on the reason why it could not grant such access right: it had not been able to do so because it had already managed and granted the erasure right also requested.


Did the data controller infringe its obligation to fulfill the data subject's rights of access and erasure?


The AEPD found that the data controller did not comply with its previous decision (as it did not grant the access right to the citizen) and, after considering some aggravating (the data controller has the consideration of a big company) and extenuating (the data controller has not obtained any benefits from its actions) circumstances, it decided to impose a fine of 30,000 € to the data controller.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No: PS/00351/2019
The procedure conducted by the Spanish Data Protection Agency and on the basis of the following:
FIRST: The Spanish Data Protection Agency (Agencia Española de Protección de Datos) proceeded with the opening of legal protection, TD/00127/2019, on the basis of the following facts:
On 27 July 2018, Mr A.A.A.  ( the complainant) exercised the rights of access to and disposal of Telefónica Móviles España, S.A.U. with NIF A78923125 (hereinafter: the respondent party).In particular, it requested data protection (access rights and deletion).
SECOND:The Director of the Spanish Data Protection Agency, made an appeal under Law TD/00127/2019 on 4 June 2019, to review the complaint made by A.A.A. and to  invite the respondent to submit, within ten working days following notification of the present decision, to the complainant certifying that he has complied with his right of access or a reasoned refusal to state reasons why his or her request should not be granted.
That agreement was served on the party claimed on 10 June 2019.
THIRD:On 20 June 2019, he received a letter from the complainant in which he states that the time-limits allowed to the respondent party had been exceeded by the latter’s decision.
Despite having upheld the decision with regard to the right of access which was not served, the party complained against still has no bearing on that right.
The appellant requested the right to have access to and erasure and was only satisfied that he was therefore asking the Agency to act accordingly.
FOURTH:The appeal was transferred to the request for production of the claims which it considered appropriate and, on 1 August 2019, in those arguments, it stated that they had complied with the requested duty and took the view that only the deletion of the data was requested.
In excess of the deadline set for compliance with the aforementioned Resolution, it is not apparent from this Agency that it was complied with. 
 FIFTH:On 19 November 2019, the Director of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against the respondent in accordance with Articles 63 and 64 of Law 39/2015 of 1 October 2015 on the Common Administrative Procedure of the Public Administrations (hereinafter referred to as the LPACAP), on the alleged breach of Article 58 (2) GDPR as laid down in Article 83 (5) of the GDPR.
SIXTH:At the time of notification of the said initiation agreement, the respondent lodged a written statement stating, in essence, that the certificate was sent to the complainant with information on the cause for which access to his data was not possible, based on the request and handling of the deletion of his data, and that, in view of the circumstances of the case, it is proposed that the proceedings be closed.
SEVENTH:On 10 January 2020, the procedure instructor agreed to the opening of a probationary period, taking into account the previous investigative measures, TD/00127/2019, as well as the documents provided by the respondent.
EIGHT:On 5 February 2020, 10 of the same month and year was notified of the Motion for Resolution, on alleged breach of Article 58 (2) GDPR as laid down in Article 83 (5) GDPR, a fine of EUR 30,000.
The respondent submitted observations on the Motion for Resolution containing, in essence, the same facts and arguments as set out in the arguments of the initiating agreement.
It adds that that party can only be considered to have complied with the decision on the protection of rights TD/00127/2019, in so far as the claimant replied to the complaint.
Consequently, the respondent requests that account be taken of the circumstances that have occurred in the facts which are the subject of the proceedings, that the termination of the proceedings or the amount of the penalty laid down in the Motion for Resolution be terminated.
SOLELY:Telefónica Móviles España, S.A.U. has not sent the complainant the full access to his data, despite the decision of the Director of the Agencia Española de Protección de Datos (Spanish Data Protection Agency) to provide full access to his data.
As a result, for a breach of this resolution, and as it was notified to the entity in question, such facts can be understood as the offence referred to in Article 83 (5) (e) of the GDPR, which will be sanctioned in accordance with Article 58 (2) GDPR. 
By virtue of the powers conferred on each supervisory authority by Article 58 (2) of the GDPR, and as set out in Articles 47 and 48.1 of the LOPPDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
Is alleged to have infringed Article 58 (2) GDPR, which states that
“ 2 Each supervisory authority shall have all of the following corrective powers:
c)	to order the controller or the processor to comply with requests to exercise the rights of the data subject under this Regulation.”
The infringement by which the body responsible for IBERDROLA, S.A. is responsible, is listed in Article 83 of the GDPR which, under the heading ‘  General conditions for the imposition of administrative fines’, states:
‘5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to EUR 20 000 000, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
e)	non-compliance with a resolution or a temporary or definitive limitation on the processing or suspension of data flows by the supervisory authority pursuant to Article 58(2) or failing to provide access in violation of Article 58(1).”
Article 72.1 (m) of Organic Law 3/2018 on the Protection of Personal Data on the Personal Data Protection and the Protection of Digital Rights, under the heading “Very serious infringements”, provides:
‘1. In accordance with Article 83 (5) of Regulation (EU) 2016/679, infringements resulting in a substantial violation of the articles referred to therein and in particular the following shall be deemed to be very serious and shall be subject to a limitation period of three years:
(m) Failure by the protection authority to comply with a decision
of the data competent in exercise of the powers conferred on it by Article 58 (2)
Of Regulation (EU) No 2016/679.” 
 — III —
In the present case, the Director of the Spanish Data Protection Agency, made an application on 4 June 2019, a decision on the protection of Law TD/00127/2019, a review of the complaint made by A.A.A. and  calling upon the respondent to submit, within ten working days following notification of the present decision, to the complainant certifying that he has complied with his right of access or a reasoned refusal to state the reasons why his request should not be met.
In those circumstances, it is clear that the claim did not comply with the order for protection of law TD/00127/2019, in which the respondent party was called upon to comply with that right.
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR, which state:
‘Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 9 and 6 shall in each individual case be effective, proportionate and dissuasive.’
‘The administrative fines shall be imposed, depending on the circumstances of each individual case, by additional or substitutive to the measures referred to in points (a) to (h) and (j) of Article 58(2).When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
a)	the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b)	the intentional or negligent character of the infringement;
c)	any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d)	the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e)	any relevant previous infringements by the controller or processor;
f)	the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g)	the categories of personal data affected by the infringement;
h)	the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; 
i)	 where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j)	adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k)	any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits gained or losses avoided, directly or indirectly, through the infringement.’
With regard to Article 83 (2) (k) of the GDPR, Article 76 of the GDPR,  ‘Sanctions and remedial measures’, provides:
‘2. In accordance with Article 83 (2) (k) of Regulation (EU) 2016/679, account may also be taken of:
a)	The continued nature of the infringement.
b)	Linking the offender’s activity with the processing of personal data.
c)	The benefits obtained as a result of the commission of the infringement.
d)	The possibility that the conduct of the affected person might have led to the commission of the infringement.
e)	The existence of a process of merger through absorption after the commission of the infringement, which cannot be attributed to the acquiring institution.
f)	The impact on the rights of minors.
g)	Where it is not required, dispose of a protection officer from
h)	The subjection by the controller or the processor to alternative dispute resolution, on a voluntary basis, where there are disputes between them and any interested party.’
According to Article 83.2 of the GDPR, when deciding to impose an administrative fine and the amount thereof in each individual case, account shall be taken of the aggravating and mitigating factors listed in that article and of any other factors that may be applicable to the circumstances of the case.
-	As a result, they have been taken into account as aggravating factors:
-	The entity is considered to be a large enterprise.
-	In addition, they have been taken into consideration as mitigating factors:
-	It did not derive direct benefits (83.2 k) (GDPR and 76.2.c) LOPDEAM).
The sanction imposed on Telefónica España, S.A.U. should be graduated and set at EUR 30.000 for the infringement of Article 58 (2) of the GDPR.
Therefore, in accordance with the applicable legislation and assessed the criteria for the gradation of sanctions whose existence has been established, the Director of the Spanish Data Protection Agency:
FIRST: Imposing on Telefónica MÓVILES ESPAÑA, S.A.U. with NIF A78923125, for an infringement of Article 58 (2) of the GDPR, as set out in Article 83 (5) (e) of the GDPR, a fine of EUR 30.000,00 (thirty thousand euros). 
 SECOND: Notification of this decision to Telefónica moved Telefónica ESPAÑA, S.A.U. with NIF A78923125.
THIRD: In accordance with Article 98.1 (b) of Law No 39/2015 of 1 October 2015 on the Common Administrative Procedure of Public Administrations (hereinafter referred to as ‘LPACAP’), in accordance with Article 68 of the General Tax Collection Regulation, approved by Royal Decree No 939/2005 of 29 July, read in conjunction with Article 62 of Law No 58/2003 of 17 December 1992, in conjunction with Article 00 0000 0000 0000 0000 0000 of Law No of 1992, in conjunction with Article of Law No, opened in the name of the Spanish Data Protection Agency, opened in the name of the Spanish Data Protection Agency with the Banco CAIXABANK, S.A. shall be enforced.
Once they have been notified and enforceable, if the date of enforceability is between 1 and 15 of each month inclusive, the period for voluntary payment shall be until the 20th day of the following month or immediately, and if there is a period between 16 and the last day of each month, both inclusive, the payment period shall be until 5 of the second following further calendar month or immediately thereafter.
In accordance with Article 50 of the LOPDDD, this Resolution shall be made public once it has been notified to the parties concerned.
Against this resolution, which brings to an end the administrative path under Article 48.6 of the LOPPDD, and in accordance with the provisions of Article 123 of the LPACAP, the persons  concerned may lodge an appeal before the Director of the Spanish Data Protection Agency within one month from the day following notification of this decision or directly an administrative appeal before the Administrative Appeals Chamber of the National High Court, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law No 29/1998 of 13 July 1998 governing the Administrative Court, within two months from the date of notification of this act, as provided for in Article 46 (1) of that Law.
Finally, it should be noted that, in accordance with Article 90.3 (a) of the LPACAP, a decision on an administrative remedy may be suspended as a precautionary measure if the person concerned indicates his intention to bring an action. If this is the case, the person concerned must formally notify this fact in writing to the Spanish Data Protection Agency, by submitting it via the Agency’s Electronic Register ( https: //, or by means of one of the other registers provided for in Article 16.4 of Law 39/2015 of 1 October. He shall also transfer to the Agency the documents attesting to the actual commencement of the administrative appeal. If the Agency is not aware of the lodging of an administrative appeal within two months of the day following the notification of this decision, the Agency would terminate the provisional suspension. 
Martes España Martí
Director of the Spanish Data Protection Agency