AEPD (Spain) - PS/00379/2019

From GDPRhub
AEPD - PS/00379/2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Type: Investigation
Outcome: Violation Found
Published: 10.03.2020
Fine: 6000 EUR
Parties: n/a
National Case Number/Name: PS/00379/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: (in ES)
Initial Contributor: Pablo Rossi

The AEPD decided to fine an individual (A.A.A) in the amount of EUR 6000 for a violation of Article 6 GDPR. The justification for this sanction is that personal data in the form of contracts and forms that were previously seized by the police were processed without the consent of their holders. However A.A.A made use of two attenuating factors from the LPACAP (Spanish Law on Common Administrative Procedure of Public Administrations). This led to a reduction of up to EUR 2400 in the amount of the penalty, setting the total amount of the fine in EUR 3600.

English Summary


On 19/03/2019 the AEPD obtained knowledge from an amplification of a report from the Judicial Police Brigade, UDEV group, of a presumed crime of fraud, where two hundred and ninety-five photographs of contracts of companies and contract type forms were intervened. In this regard, a claim was sent to A.A.A for to provide information to the AEPD (clarifying aspects like legitimate cause of the data processing, purpose or aims of the processing, the origin of the personal data processed and the measures adopted to prevent the commission of an infringement of the data protection regulation).

On 22//05/2019, A.A.A submitted a written reply to the request, stating that some of the alleged documentation (the one belonging to the companies Distritohogar and Grupo Confort Editorial) was being transported in his vehicle to be destroyed, in accordance with article 32.1 of the GDPR. In words of the written reply, the legitimacy of the data processing was supported by the execution of a contract and, in its absence, the unequivocal consent of the interested parties. As regards to the purpose, the personal data was being processed for the management of orders of products. In relation with the origin of the data, it was stated that these were obtained from accessible sources to the public and the interested party itself. Finally, with regard to the security measures adopted, the controller stated that technical and organizational measures had been taken to ensure the appropriate use and processing of personal data (only the controller has access to the personal data, given his professional relationship with the companies as a self-employed freelancer).


Can A.A.A’s actions constitute a violation of article 6 of the GDPR (lack of legal basis for the processing of personal data)?


Firstly the AEPD decided to initiate a sanctioning procedure against the A.A.A for an alleged violation of article 6 of the GDPR typified as an infringement of basic principles for processing in article 83.5 GDPR.

In determining the amount of the fine, the following aspects were taken into consideration: the merely local scope of the processing carried out by the A.A.A, the fact that numerous people have been affected by the infringing conduct, the fact that the actions were aimed at elderly people (whose defense capacity is minor), the negligent character of the actions and the fact that A.A.A is a natural person. These considerations led to the determination of the amount of the fine in EUR 6000.

However, two attenuating circumstances of the Spanish Law on Common Administrative Procedure of Public Administrations (Article 85) can be applied, which may respectively reduce the fine by 20%. The first mitigating factor is to acknowledge the responsibility within the time allowed for the submission of claims. The second mitigating factor is, at any time prior to the resolution of the proceedings, to make voluntary payment of the proposed penalty. In this sense, on 03//03/2020 A.A.A proceeded to pay the sanction in the amount of EUR 3600, applying therefore the two previously mentioned reductions. This implied the recognition of their responsibility and the resignation to any action or appeal in administrative channels against the sanction. After these events, the AEPD decided to terminate the procedure.


Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Product No.: PS/00379/2019
In sanction procedure PS/00379/2019, conducted by the Agency Spanish Data Protection Authority to A.A.A., in view of the complaint filed by CUERPO NATIONAL POLICE BRIGADE JUDICIAL POLICE, UDEV GROUP COMMISSIONER OF ***LOCALITY.1, and on the basis of the following
FIRST: On February 24, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning procedures against A.A.A. (hereinafter, the respondent), by the Agreement as transcribed: << Product No.: PS/00379/2019
Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following
FIRST: The 19/03/2019 has entry from the BRIGADE OF POLICE JUDICIAL, UDEV GROUP, COMMISSIONER FOR ***LOCALITY.1, office number ***OFICIO.1, extension of the statement made in the commissioner's office against Mr A.A.A. for an alleged offence of fraud and who had had two hundred and ninety-five photographs taken of company contracts, praise and contract forms for other companies, contract type forms of the company Grupo Pitágoras whose CIF coincides with the ID number of the person under investigation, etc.
The copy of the photographs of the contracts has been made available to the Court of Instruction number 1 of ***LOCALITY.1
SECOND: Upon receipt of the complaint, the Subdirectorate General of Data Inspection proceeded to perform the following actions:
On 25/02/2019, the complaint submitted for analysis was transferred to the respondent and provide information to this Agency indicating the legitimate cause of data processing you have carried out and what purpose or aims these processing, as well as the origin of the personal data processed and the measures adopted in order to prevent the commission of a breach of the rules for the protection of data.
On 17/06/2019 it was transferred to both DISTRIHOGAR 2013 S.L. and the EDITORIAL COMFORT what has been expressed by the respondent, so that within a month from the receipt of such written submissions, whether or not they confirm the by the respondent, which were reiterated on 02/07/2019.
On 22/05/2019, the respondent submitted a written reply to the request sent by the AEPD stating that it has no record of any past or present relationship between the companies Edilie Group, Signo Editores, Grupo Zafiro and Agrupación y Salud RYC. Secondly, that the documentation it does recognize was filed by to have terminated the business relationship with the companies Distrihogar and Grupo Confort Editorial and was transported in its vehicle to proceed with its destruction, from in accordance with Article 32.1 of the RGPD.
That the personal data are treated with the legitimacy of the execution of a contract and in its absence, the express and unequivocal consent of the interested. This information is legitimized in the treatment of "Clients and suppliers".
That between the person responsible for the processing and the owner of the personal data a contract of sale is established, after telephone contact with the interested party and the contract is formalized and signed at the head office of the treatment or at the client's office/household. Once completed the relationship between the
data are destroyed ensuring information security.
That as regards the purpose, personal data are processed for the management of orders and sale of products on credit at home and for accounting and tax management and administrative body itself.
That in relation to the origin of the data, these are obtained from accessible sources to the public (Infobel telephone directory) and the interested party himself.
That as regards the security measures adopted, the person responsible for the processing ensures that safeguards, technical and organisational measures have been taken to ensure the proper use and treatment of personal data.
That the data controller guarantees that only he has access to and processes the data of a personal nature. The places where the information systems are located are not of access to the public and does not have staff under contract, given that their professional relationship it's kind of a self-employed business. That the data controller has implemented measures to guarantee the confidentiality and the availability of automated information, as well as regular backups on external support located in a place other than computer equipment.
That the inputs and outputs of devices are made by taking the measurements of security necessary to prevent access by unauthorized third parties with unlocking mechanisms by means of a password. To avoid recovery the data controller has established mechanisms that guarantee confidential destruction.
On 20/09/2019, in accordance with Article 65 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claim for processing filed by the claimant against the respondent.
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.
The facts reported are specified in the processing of personal data without consent; in particular, such data has been allegedly used to defraud his victims and to recruit potential clients. Such treatment could constitute a breach of Article 6, Lawfulness of the treatment, the RGPD which states that: "1. The processing shall be lawful only if at least one of the following is complied with conditions:
(a) the data subject has given his consent to the processing of his data personal for one or more specific purposes;
(b) processing is necessary for the performance of a contract in which the interested is a party to or for the application at his request of measures pre-contractual;
Article 4 of the GPRS, Definitions, in paragraph 11, states that "(11) "Consent of the data subject" means any expression of free will specific, informed and unambiguously by which the data subject accepts, either by a statement or a clear affirmative action, the processing of personal data that concern him."
Also Article 6, Treatment based on the consent of the person concerned, of the new Organic Law 3/2018 of 5 December on Data Protection Personal and guarantee of digital rights (hereinafter LOPDGDD), states that, uh:
"1. In accordance with Article 4(11) of Regulation (EU) 2016/679, the consent of the person concerned means any expression of will specific, informed and unequivocal reason why he accepts, either by a statement or a clear affirmative action, the processing of personal data that you concern.
2. Where it is intended to base the processing of data on consent of the person concerned for a variety of purposes should be recorded in a manner specific and unequivocal that such consent is given for all of them.
3. Performance of the contract may not be made subject to the consent of the person concerned on processing of personal data for purposes unrelated to the maintenance, development or control of the contractual relationship". Article 83.5 (a) of the RGPD, considers that the infringement of "the principles for treatment, including conditions for consent under of Articles 5, 6, 7 and 9" is punishable, in accordance with Article mentioned in Article 83 of that Regulation, "with administrative fines of 20,000,000 maximum or, in the case of a company, an equivalent amount to a maximum of 4% of the total annual turnover for the financial year The previous one, opting for the one with the highest amount".
On the other hand, the LOPDGDD in its article 72 indicates for prescription purposes:
"Infractions considered very serious: 1. In accordance with Article 83(5) of the Regulation (EU) 2016/679 are considered to be very serious and will expire after three years if constitute a substantial infringement of the articles mentioned in that one and, in In particular, the following:

b) The processing of personal data without any the conditions for the lawfulness of processing laid down in Article 6 of the Regulation (EU) 2016/679.
From the documentation in the file, it is clear that the defendant violated Article 6 of the RGPD, since the personal data contained in the copies of the contracts and forms involved are used without consent of its holders, allegedly to defraud its victims and the attracting potential customers.
The Contentious-Administrative Chamber of the National Court, in similar cases has considered that when the holder of the data denies The burden of proof is on the person who claims its existence, and the the data controller of third parties collect and keep the documentation necessary to prove the consent of the owner. Thus, the SAN of 31/05/2006 (ECR 539/2004), Ground of Law 4.
It should be noted that respect for the principle of lawfulness of data requires that it is established that the data subject has consented to the processing of the data of personal character and display reasonable diligence essential to prove that end. Otherwise, the result would be to empty the principle of legality.
In order to determine the administrative fine to be imposed, the following should the provisions of Articles 83(1) and 83(2) of the GPRS, which they point out:
"Each supervisory authority shall ensure that the imposition of the fines administrative offences under this Article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account:
(a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of stakeholders affected and the level of damage and damages they have suffered;
(b) the intentional or negligent nature of the infringement;
(c) any action taken by the controller or processor to mitigate the damages suffered by those concerned;
(d) the degree of responsibility of the person responsible for or in charge of the treatment, taking into account any technical or organisational measures applied under Articles 25 and 32;
(e) any previous offence committed by the person responsible for or in charge of the treatment;
(f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the supervisory authority became aware of the infringement, in in particular whether the person responsible or the person in charge notified the infringement and, if so to what extent;
(i) where the measures referred to in Article 58(2) have been ordered in advance against the person responsible or the person in charge in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and 
 (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, through the infringement.
With regard to Article 83(2)(k) of the RGPD, the LOPDGDD, in its Article 76, "Penalties and corrective measures", states that: "In accordance with Article 83(2)(k) of the Regulation (EU) 2016/679 may also be taken into account:
(a) the continuing nature of the infringement
(b) The link between the activity of the offender and the carrying out of processing
of personal data.
(c) The profits obtained as a result of the commission of the offence.
(d) the possibility that the conduct of the person concerned might have led to the
commission of the offence.
(e) The existence of a post-commission merger process of the infringement, which cannot be attributed to the absorber.
(f) Affecting the rights of minors.
g) Having, when it is not compulsory, a delegate for the protection of data.
h) The submission by the person responsible or in charge, with to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested."
In accordance with the precepts transcribed, and without prejudice to what may result from the proceedings, for the purpose of setting the amount of the fine to be imposed on imposed in the present case for the infraction typified in article 83.5 of the RGPD of the one who is responsible for the claimant, in an initial assessment, are estimated The following factors are concurrent:
The purely local scope of the treatment carried out by the respondent. Many people have been affected by the offending behaviour. The damage caused since the sales were always aimed at a population vector, elderly people or people whose ability to dense is less. Although there is no evidence that the claimant had acted maliciously, the behavior observed is deeply negligent. The respondent is a natural person. Therefore, in accordance with the above, By the Director of the Spanish Data Protection Agency,
FIRST: Initiate disciplinary proceedings against D. A.A.A., with NIF ***NIF.1, for the alleged infringement of Article 6.1(a) of the RGPD, penalised in accordance with The provisions of Article 83(5)(a) of the said GPRS and classified as a very serious infringement of the law, the serious in Article 72(1)(a) of the above-mentioned Act.
SECOND: To appoint B.B.B. as instructor and C.C.C. as secretary, indicating that any of them may be challenged, if appropriate, in accordance with the established in Articles 23 and 24 of Law 40/2015 of 1 October on the Public Sector Law (LRJSP).
THIRD: INCORPORATE into the sanctioning file, for evidential purposes, the claimant's claim and its documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the research phase.
FOURTH: THAT for the purposes of article 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be 6,000 euros, without prejudice to what resulting from the instruction.
FIFTH: TO NOTIFY this agreement to Mr. A.A.A., with NIF ***NIF.1, giving him a period of ten working days to formulate the allegations and submit any evidence it deems appropriate. In its brief of claims must provide their VAT number and the procedure number in the heading of this document. If you do not make representations to this initiating agreement within the stipulated time, the may be considered as a motion for resolution, as set out in the Article 64.2.f) of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP). In accordance with Article 85 of the LPACAP, in the case of that the sanction to be imposed was a fine, may acknowledge its responsibility within of the time allowed for the submission of claims under this agreement to commence; the which will be accompanied by a 20% reduction in the penalty to be imposed in the present procedure. With the application of this reduction, the sanction would be 4,800, with the procedure being resolved by the imposition of this sanction.
Similarly, at any time prior to the resolution of theThe Commission shall, in accordance with this procedure, carry out the voluntary payment of the proposed penalty which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at 4,800 euros and its payment would involve the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the onE The same applies to the recognition of liability, provided that this recognition of responsibility is shown within the time limit granted to make representations on the opening of the proceedings. The payment of the amount referred to in the preceding paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at In any case, the effectiveness of either of the two above-mentioned reductions shall be conditioned upon the waiver or relinquishment of any action or remedy in the administrative sanction against the sanction.
If you choose to proceed with the voluntary payment of any of the amounts indicated above ('4,800 or '3,600), must be paid by depositing it in the account nº ES00 0000 0000 0000 0000 open to name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the concept the reference number of the procedure inthe heading of this document and the reason for the reduction in the amount to which welcomes.
Likewise, you must send the proof of admission to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity admitted.
The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. After this period, the agreement will expire and, consequently, the actions; in accordance with the provisions of Article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of Article 112.1 of the LPACAP, there is no administrative appeal against this act.
Director of the Spanish Data Protection Agency
>> SECOND : On March 3, 2020, the claimant has proceeded to pay the 3600 by making use of the two reductions provided for in the above transcribed Inception Agreement, which implies recognition of the responsibility.
THIRD: The payment made, within the period granted to make allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanctioning and acknowledgement of responsibility in relation to the facts referred to in the Agreement to Initiate. LEGAL GROUNDS
I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the control, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (in (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agencyis competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the information and electronic commerce (hereinafter referred to as the ISESA), as provided for in 43.1 of the said Act.
Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. Penalty proceedings are initiated if the offender acknowledges his responsibility, the proceedings may be terminated with the imposition of the penalty as appropriate.
2. Where the penalty is solely pecuniary in nature or where it is impose a financial penalty and a non-pecuniary penalty but has been justified the impropriety of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the penalty is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at at least 20 % of the amount of the proposed penalty, which may be cumulated with each other. These reductions shall be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00379/2019, of in accordance with Article 85 of the LPACAP. SECOND: TO NOTIFY the present resolution to A.A.A. In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure The interested parties may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months of day following notification of this act, as provided for in Article 46(1) of referred to Law.
Mar España Martí
Director of the Spanish Data Protection Agency