AEPD (Spain) - PS/00423/2019

From GDPRhub
Revision as of 12:38, 27 February 2020 by 10.90.129.7
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
Article 13 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: n/a
Published: 21.2.2020
Fine: 1.500 €
Parties: A.A.A. Vs. MYMOVILES EUROPA 2000, S.L.
National Case Number/Name: PS/00423/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in es)
Initial Contributor: n/a

The AEPD fined a data controller 1.500 € for collecting personal data through forms on its website without providing any of the information required by Article 13 GDPR (no privacy policy, controller not identified in the legal notice).

English Summary

Facts

A citizen filed a complaint with the AEPD against MYMOVILES EUROPA 2000, S.L., the company responsible for a website that collected personal data through forms (registration, contact, newsletter subscription) but had no privacy policy and did not identify the company in its legal notice, so that none of the information required by Article 13 GDPR was provided to users at the time of collection.

The AEPD transferred the complaint to the company by post; no reply was received. Through the hosting provider, the AEPD identified the company as the holder of the domain and verified that the website had no privacy policy and allowed the creation of user accounts collecting name, surname, e-mail address and password, together with the options "Receive offers from our partners" and "Subscribe to our newsletter".

The AEPD then initiated sanctioning proceedings for an alleged infringement of Article 13 GDPR. The company neither submitted allegations nor provided evidence contradicting the facts complained of.

Dispute

Does collecting personal data through website forms without providing the information required by Article 13 GDPR (no privacy policy, controller not identified) constitute an infringement of the GDPR?

Holding

The AEPD held that the collection of personal data through forms included on a website is processing within the meaning of Article 4 GDPR, and that the controller must provide the Article 13 information at the time the data are collected (Article 11 LOPDGDD allows a layered approach: basic information plus a link to the rest). Since the website provided none of it, the company infringed Article 13 GDPR, an infringement typified in Article 83(5)(b) GDPR.

As mitigating factors the AEPD considered that the company had no previous infringements (Article 83(2)(e) GDPR) and had obtained no direct benefit from the infringement (Article 83(2)(k) GDPR and Article 76(2)(c) LOPDGDD). It imposed a fine of 1.500 €. The decision also notes that, under Article 58(2)(d) GDPR, the AEPD may order the controller to bring the information offered to users into line with Article 13 and to provide evidence that it has done so.

English Machine Translation of the Decision

The decision below is a machine translation of the **Spanish** original. Please refer to the **Spanish** original for more details.

Procedure Nº: PS/00423/2019

RESOLUTION OF SANCTIONING PROCEDURE

The procedure instructed by the Spanish Data Protection Agency, based on the following

BACKGROUND

FIRST: A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency dated October 17, 2019. The complaint is directed against MYMOVILES EUROPA 2000, S.L., with NIF B87403887 (hereinafter, the claimed party). The grounds for the complaint are that the party responsible for the website ***WEB.1 has no privacy policy and that, when trying to find out who owns the website, the claimant found that the company is not identified in the legal notice; the claimant therefore considers that the website, although it has forms for collecting data (registration, contact, subscription to the newsletter), does not provide any of the information required by Article 13 of the RGPD. A screenshot of the Terms and Conditions of the website is attached.

SECOND: In view of the facts reported in the complaint and the documents submitted by the claimant, of which this Agency has become aware, the Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the powers of investigation granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two, of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD). As a result of the investigative actions carried out, it has been established that the controller is the party complained about, and the following has been established:

On 14 March 2019, the complaint was transferred to the claimed party, in the actions with reference E/02867/2019. The notification was made by post and was delivered by the Post Office on March 21, 2019. No reply was received.

On June 5, 2019 these actions began. On October 29, 2019, Tesys Internet SLU sent this Agency the following information:

1. The client who contracted the domain mymomoviles.com and the associated hosting service is the company whose name and CIF are included in the section on Investigated Entities. It also provides other data: Name: B.B.B. Surname: B.B.B. Address: ***ADDRESS.1 Contact e-mail: ***EMAIL.1 Contact telephone: ***

On October 10, 2019, it was verified that the website ***WEB.1: 1. does not have a privacy policy; 2. allows the creation of user accounts, where, among other things, name, surname, e-mail address and password are collected, together with the options "Receive offers from our partners" and "Subscribe to our newsletter".

4. On November 8, 2019, it was verified that the registered office of the company that owns the website is the one included in the section on Investigated Entities.

THIRD: On December 3, 2019, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party for the alleged infringement of Article 13 of the RGPD, typified in Article 83.5 of the RGPD.

FOURTH: Once the above-mentioned agreement to initiate the present sanctioning procedure had been notified, a period of TEN WORKING DAYS was granted to the claimed party to formulate allegations and submit the evidence it considered appropriate, in accordance with the provisions of Articles 73 and 76 of Law 39/2015 on the Common Administrative Procedure of Public Administrations.

FIFTH: No allegations having been made and no evidence having been submitted within the period granted, this resolution is issued taking into account the following:

FIRST: The party responsible for the website ***WEB.1 has no privacy policy and, when trying to find out who owns the page, the claimant found that the company is not identified in the legal notice; the claimant therefore considers that the website, although it has data collection forms (registration, contact, newsletter subscription), does not provide any of the information required by Article 13 of the RGPD.

SECOND: The AEPD notified the claimed party of the agreement to initiate the present sanctioning procedure, but the claimed party has not presented any allegations or evidence contradicting the facts complained of.

FOUNDATIONS OF LAW

I

By virtue of the powers that Article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, hereinafter RGPD), recognizes to each supervisory authority, and as established in Articles 47, 64.2 and 68.1 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure.

Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions dictated in its development and, insofar as they do not contradict them, with subsidiary character, by the general rules on administrative procedures."

II

Article 4 of the RGPD, under the heading "Definitions", provides that: "For the purposes of this Regulation: 1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; 2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"

Therefore, in accordance with these definitions, the collection of personal data through forms included on a website constitutes data processing, with respect to which the controller must comply with the provisions of Article 13 of the RGPD, a provision which, since 25 May 2018, has replaced Article 5 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

In relation to this matter, it is noted that the Spanish Data Protection Agency makes available to citizens the Guide for the fulfilment of the duty to inform (https://www.aepd.es/media/guias/guia-modelo-clausula-informativa.pdf) and, for low-risk data processing, the free tool Facilita (https://www.aepd.es/herramientas/facilita.html).

III

Article 13 of the RGPD, which determines the information to be provided to the data subject at the time of collection of their data, provides that:

"1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: (a) the identity and the contact details of the controller and, where applicable, of the controller's representative; (b) the contact details of the data protection officer, where applicable; (c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing; (d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party; (e) the recipients or categories of recipients of the personal data, if any; (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing: (...) (b) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability; (c) where the processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; (...) (e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; (f) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

3. Where the controller intends to further process the personal data for a purpose other than that for which the personal data were collected, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.

4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information."

Article 11 of the LOPDGDD states: "1. Where personal data are obtained from the data subject, the controller may fulfil the duty of information laid down in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and by indicating an electronic address or other means that allows the remaining information to be accessed easily and immediately.

2. The basic information referred to in the previous paragraph must contain at least: a) The identity of the controller and of its representative, if any. b) The purpose of the processing. c) The possibility of exercising the rights established in Articles 15 to 22 of Regulation (EU) 2016/679. In this case, the data subject must be informed of his or her right to object to automated individual decisions which produce legal effects on him or her or similarly significantly affect him or her, when this right exists in accordance with Article 22 of Regulation (EU) 2016/679."

IV

By virtue of the provisions of Article 58.2 of the RGPD, the Spanish Data Protection Agency, as supervisory authority, has a set of corrective powers in the event of a breach of the precepts of the RGPD. Article 58.2 of the RGPD states: "2. Each supervisory authority shall have all of the following corrective powers: (...) (b) to issue reprimands to a controller or a processor where processing operations have infringed provisions of this Regulation; (...) (d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (...)"

Article 83.5 of the RGPD provides that: "Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (...) (b) the data subjects' rights pursuant to Articles 12 to 22; (...)"

Article 74 of the LOPDGDD, under the heading "Infringements considered minor", states: "The remaining infringements of a merely formal nature of the articles referred to in Article 83(4) and (5) of Regulation (EU) 2016/679 are considered minor and are subject to a limitation period of one year, in particular the following: (...)"

In this case, it is taken into account that the claimed party collects personal data from users who fill in the form included on the website ***WEB.1 without providing them, prior to its collection, with all the information on data protection provided for in Article 13 of the RGPD.

In accordance with the evidence available at the time of the agreement to initiate the sanctioning procedure, and without prejudice to the results of the investigation, the facts presented could constitute, on the part of the claimed party, an infringement of the provisions of Article 13 of the RGPD. Likewise, if the existence of an infringement is confirmed, in accordance with the provisions of the aforementioned Article 58.2.d) of the RGPD, the resolution may order the claimed party, as controller, to adapt the information offered to users whose personal data are collected to the requirements of Article 13 of the RGPD, and to provide evidence that these requirements have been met.

V

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the RGPD must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (...) (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (...) (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (...)"

In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuing nature of the infringement. b) The link between the activity of the offender and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the affected party could have induced the commission of the infringement. e) The existence of a merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. g) The availability, when it is not compulsory, of a data protection officer. h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject.

In accordance with the precepts transcribed, for the purposes of fixing the amount of the fine to be imposed on the claimed party as responsible for an infringement typified in Article 83.5.b) of the RGPD, the following mitigating factors are deemed to concur in the present case:

- The claimed party has no previous infringements (Article 83.2.e) RGPD).
- It has not obtained direct benefits (Article 83.2.k) RGPD and Article 76.2.c) LOPDGDD).

It is appropriate to graduate the penalty to be imposed on the claimed company and to set it at 1,500 euros for the infringement of Article 13 of the RGPD.

Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of penalties whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on MYMOVILES EUROPA 2000, S.L., with NIF B87403887, for an infringement of Article 13 of the RGPD, typified in Article 83.5 of the RGPD, a fine of 1,500 euros (one thousand five hundred euros).

SECOND: TO NOTIFY the present resolution to MYMOVILES EUROPA 2000, S.L.

THIRD: TO WARN the sanctioned party that it must pay the fine imposed once the present resolution is enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by paying it, indicating the Tax Identification Number of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A. Once the notification has been received and the resolution is enforceable, if that date falls between the 1st and 15th of the month, inclusive, the period for making the voluntary payment will run until the 20th of the following month or the next working day; and if it falls between the 16th and the last day of the month, inclusive, the period for making the payment will run until the 5th of the second following month or the next working day.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may, optionally, lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46 of that Law.

Finally, it is noted that, in accordance with the provisions of Article 90.3 a) of the LPACAP, the final resolution may be provisionally suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, presenting it through the Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation that accredits the effective lodging of the contentious-administrative appeal. If the Agency is not aware of the lodging of the contentious-administrative appeal within two months from the day following notification of the present resolution, it will terminate the precautionary suspension.