AEPD (Spain) - PS/00427/2022
|AEPD - PS/00427/2022|
|Relevant Law:||Article 5(1)(c) GDPR|
Article 83(5) GDPR
|National Case Number/Name:||PS/00427/2022|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA fined €300 for installing security cameras that focused beyond the private property of the controller's, violating Article 5(1)(c) GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The data subject states that he is a neighbor of the controller who has installed a video surveillance camera in his own home. Due to the surveillance camera's location and orientation, the system is capable of capturing images of the data subject's home, without being authorized to do so.
The controller affirmed that the cameras were installed in his own property and they do not focus, record or reproduce any personal or material element that is not inside his property. The cameras were installed solely for the security of the persons, property, installations and domestic animals on the property.
In addition, the controller claimed that none of the cameras were placed towards the private property of any neighbor or focused on such property or persons.
Holding[edit | edit source]
The Spanish DPA highlighted that in no case shall the use of surveillance practices be permitted beyond the area covered by the installation and, in particular, may not affect the surrounding public spaces, adjacent buildings and vehicles other than those accessing the monitored area.
The cameras installed may not obtain images of third parties' private space and/or public space without duly accredited with a justified cause, nor may they affect the privacy of passers through the area.
It is not permitted to place cameras on the private property of neighbors for the purpose of intimidating them or affecting their private sphere without just cause. Nor may images be captured or recorded in spaces owned by third parties without the consent of the owners or, where appropriate, of the persons who are there.
The Spanish DPA concluded that two cameras can focus beyond the private property of the controller's private property.
The Spanish DPA fined €300 the controller for installing security cameras that focused beyond his private property, violating Article 5(1)(c) GDPR. AEPD also determined the removal of the cameras in question or the regularization of the cameras, in accordance with current legislation, so that they do not record or capture images of the data subject's home or of the public or private road next to it.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12 File No.: EXP202206626 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: Ms. A.A.A. (hereinafter, the complaining party) dated June 8, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against D. B.B.B. with NIF ***NIF.1 (hereinafter, the part claimed), for the installation of a video surveillance system located in URBANIZATION ***URBANIZATION.1, ***LOCALITY.1, LLEIDA, existing indications of a possible non-compliance with the provisions of article 5.1.c) of the Rules- General Data Protection Regulation (hereinafter, RGPD). The reasons underlying the claim are the following: The complaining party states that it is a neighbor of the claimed party and that the latter has installed in your home a video surveillance camera that, due to its location and orientation, is capable of capturing images of the complaining party's home, without having authorization to do so. Provides image of the camera location. The documents provided are: - Photo report SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party, to to proceed with its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations cas (hereinafter, LPACAP), was collected on June 15, 2022, as stated in the acknowledgment of receipt in the file. No response has been received to this transfer letter. THIRD: On August 8, 2022, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: On October 26, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against the claimed party, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/12 in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the RGPD. FIFTH: The aforementioned initiation agreement has been notified in accordance with the rules established in the LPACAP, the claimed party presented a written statement of allegations in which it only stated that: “ON DATE 11/04/2022, NOTIFICATION OF THE AGREEMENT TO START OF SANCTIONING PROCEDURE. FOR THIS PART, IT SHOULD BE INDICATED THAT ON DATE 06/09/2022, IT WAS ALREADY ATTENDED TO THE REQUEST RECEIVED BY THIS DEPARTMENT WITH C.S.V. XXXXXXXXXX…” SIXTH: On February 20, 2023, a proposed resolution was formulated, proposing that the Director of the Spanish Data Protection Agency sanction to D. A.A.A., with NIF ***NIF.1, for a violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the RGPD, with a fine of €300 (three hundred euros). SEVENTH: On March 16, 2023, the claimed party presents allegations to the proposed resolution, stating: 1. The proven facts indicate that the claimed party has installed in his home a video surveillance camera. Totally uncertain thing. 2. The cameras that are installed on my property, at no time focus, record or reproduce any personal item or material that is not inside my property. 3. The cameras installed on my property are solely and for the purpose of preserve the safety of people, property, facilities and domestic animals that are found therein, and must indicate their accident rate within the facilities. 5. None of the cameras are placed on any neighbor's private property. or that could target said property or people. 6. None of the cameras can record images in spaces owned by third parties. 9. The cameras only perceive images from the private area, in this case my property along with the rear part where the accidents occurred. 17. I request access to the file in order to verify its content and formulate the allegations, complaints, claims and whatever you think is necessary. 18. Attached is a photographic report of the captures and limits of the cameras. EIGHTH: Upon request for the file by the claimed party, on June 9 of 2023, said file is transferred, with a new deadline for carrying out the allegations that it considers pertinent, in view of the same. NINTH: On July 5, 2023, the claimed party presents new allegations, after the transfer of the file, in which he states: 1-At no time has any infraction been carried out since the cameras only perceive the images of a private area, in this case my property along with the part rear where the accidents occurred that are still under investigation. (both the toxic ones and the affected species) 2-The insurance company is aware of the installation of cameras and reviews periodically its location. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/12 3-Public report from the municipal corporation is also attached indicating the reason of the installation of the cameras and their viewing range. 4-Procedural expert report is attached, which certifies how and what situation The cameras have, as well as whether they are fixed or mobile and their range. Of the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited: PROVEN FACTS FIRST: The claiming party states that it is a neighbor of the claimed party and that He has installed a video surveillance camera in his home that, due to its location and orientation, is capable of capturing images of the complaining party's home, without having authorization to do so. Provides image of the camera location. SECOND: In the images provided by the claimed party it can be seen that There are two cameras in which you can see that it is focused beyond the private property of the claimed part. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Response Allegations Having examined the allegations of the claimed party, these allegations are not accepted, based on the following arguments: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/12 The report of the City Council ***LOCALIDAD.1 that it provides has no validity; only It is a writing with the letterhead and seal of the City Council, but without any signature. And in that writing it is stated: “It states that it has to pose perimeter cameras to the exterior of the seva isolated single-family house. That the street gives the edge of the house, “It is not a public road, it is part of the urbanization and is privately owned.” In this sense, Royal Decree 128/2018, of March 16, which regulates the legal regime of Local Administration officials with authorization of national character establishes the following: Article 2. Necessary public functions in all Local Corporations. 1. They are necessary public functions in all Local Corporations, whose Administrative responsibility is reserved for Local Administration officials with national authorization, the following: a) Secretariat, including public faith and mandatory legal advice. In art. 3 establishes what public faith includes. And although it is not planned specifically the provision of issuing this type of reports, it is true that any issue on which you want to determine its reliability, such as the ownership of one way, would correspond to the secretary of the City Council. From the documentation on hand In urban planning this information can be obtained and certified. It is also indicated in the aforementioned municipal report: “That the municipal guard, Agent 01, close this report on July 3, 2023.” The functions of the guard or municipal agent are those established in the GENERAL ORDINANCE OF CIRCULACIÓ, of the Alcoletge City Council, which points out: “TITLE FIRST. POWERS OF THE CRAZY POLICE / MUNICIPAL AGENTS Article 3. Police Agents and Municipal Vigilants. The agents of the Local Police are competent in the regulation of urban traffic. formulation of the complaints that arise from the infractions that are committed against therein provided by this ordinance and the rest of the applicable provisions. In cases where it is not available to agents of the Local Police, in other words, it is available to municipal vigilantes, this will determine the competencies that determine the protection of l’art.1 and 13 of Llei 16/1991 of July 10, local policies (endavant LPL) and other concordant provisions. According to what is foreseen in the art. 13 of the LPL, the vigilants will be able to complete them following performances: a) Guard and monitor municipal assets, services, facilities and dependencies. b) Order and regulate traffic within the urban core, in accordance with traffic regulations. c) Participate in city assistance and civil protection tasks, in accordance with the They dispose of the laws. d) Vetllar pel compliment of the regulations, of the ordinances, of the bans, resolutions and other municipal provisions and acts.” In view of the functions that the municipal guards have according to the Ordinance cited, among them is not the issue of issuing reports such as the one provided to this procedure. Finally, the claimed party alleges that it attaches a procedural expert report, where It is certified how and what situation the cameras have, as well as whether they are fixed or mobile and the scope of them. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/12 However, there is no report in the documentation received by this Agency. of procedural expert. However, in relation to the range of the cameras, in the photographs sent For the claimed party, it can be seen that there are two that focus beyond their property private, as indicated in the Second Proven Fact of this resolution. III The image is personal data The physical image of a person, in accordance with article 4.1 of the GDPR, is data personnel and their protection, therefore, is the subject of said Regulation. In article 4.2 The GDPR defines the concept of “processing” of personal data. Images generated by a camera or video camera system are data from personal nature, so its treatment is subject to protection regulations of data. It is, therefore, pertinent to analyze whether the processing of personal data (image of the natural persons) carried out through the reported video surveillance system is in accordance with the provisions of the RGPD. IV Infringement Article 6.1 of the RGPD establishes the assumptions that allow the processing of personal data. Regarding processing for video surveillance purposes, article 22 of the LOPDGDD establishes that natural or legal persons, public or private, may carry out carry out image processing through camera or video camera systems with the purpose of preserving the safety of people and property, as well as their facilities. The processing of personal data is subject to the rest of the principles of the treatment contained in article 5 of the RGPD. We will highlight the principle of data minimization contained in article 5.1.c) of the RGPD, which provides that personal data will be “adequate, relevant and limited to what is necessary in relation to with the purposes for which they are processed.” This means that in a specific processing only the data can be processed appropriate personnel, that are relevant and that are strictly necessary to fulfill the purpose for which they are processed. Treatment must be adjusted and proportional to the purpose at which it is directed. The relevance in the treatment of data must occur both at the time of data collection and at the subsequent treatment carried out on them. In accordance with the above, the processing of excessive data must be restricted or proceed to their deletion. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/12 The application of the principle of data minimization in video surveillance means that images of public roads cannot be captured, since the processing of images in public places, unless authorization is obtained governmental, can only be carried out by the Security Forces and Bodies. On some occasions, for the protection of private spaces, where there have been installed cameras on facades or inside, it may be necessary to ensure the security purpose the recording of a portion of the public road. That is, cameras and video cameras installed for security purposes cannot obtain images of public roads unless it is essential for this purpose, or It is impossible to avoid it due to their location. And, in that case extraordinary, the cameras will only be able to capture the minimum portion necessary to preserve the safety of people and property, as well as its facilities. In no case will the use of surveillance practices beyond the environment be permitted. object of the installation and, in particular, not being able to affect public spaces surrounding areas, adjacent buildings and vehicles other than those that access the space guarded The installed cameras cannot obtain images of third party private space and/or public space without duly accredited justified cause, nor can they affect the privacy of passersby who move freely through the area. Therefore, the placement of cameras towards the private property of neighbors with the purpose of intimidating them or affecting their private sphere without cause justified. Nor can images be captured or recorded in spaces owned by third parties. without the consent of its owners, or, where appropriate, of the people who are involved in them. find. Likewise, it is disproportionate to capture images in private spaces, such as such as changing rooms, lockers or worker rest areas. V Obligations regarding video surveillance In accordance with the above, the processing of images through a system video surveillance, to be in compliance with current regulations, must comply with the following requirements: 1.- Natural or legal persons, public or private, can establish a system video surveillance with the purpose of preserving the security of people and property, as well as its facilities. It must be assessed whether the intended purpose can be achieved in another way less intrusive to the rights and freedoms of citizens. Personal data only must be processed if the purpose of the processing could not reasonably be achieved by other means, considering 39 of the RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/12 2.- The images obtained cannot be used for a further purpose incompatible with that which motivated the installation of the video surveillance system. 3.- The duty to inform those affected as provided in the articles must be complied with. 12 and 13 of the RGPD, and 22 of the LOPDGDD. In this sense, article 22 of the LOPDGDD provides in relation to video surveillance a “layered information” system. The first layer must refer, at least, to the existence of the treatment (video surveillance), the identity of the person responsible, the possibility of exercising rights provided for in articles 15 to 22 of the GDPR and where to obtain more information about the processing of personal data. This information will be contained in a device placed in a sufficiently visible and must be supplied in advance. The second layer information must be available in one place easily accessible to the affected person, whether it is an information sheet at a reception, cashier, etc..., placed in a visible public space or on a web address, and must refer to the rest of the elements of article 13 of the RGPD. 4.- The processing of images through the installation of camera systems or video cameras must be lawful and comply with the principle of proportionality and the principle of data minimization, in the terms already indicated. 5.- Images may be kept for a maximum period of one month, except in those cases in which they must be kept to prove the commission of acts that threaten the integrity of people, property or facilities. In this second case, they must be made available to the authority competent within a maximum period of 72 hours from becoming aware of the existence of the recording. 6.- The person responsible must keep a record of treatment activities carried out under your responsibility that includes the information to which you make reference article 30.1 of the GDPR. 7.- The person responsible must carry out a risk analysis or, where appropriate, an evaluation of impact on data protection, to detect those derived from the implementation of the video surveillance system, evaluate them and, where appropriate, adopt measures to appropriate security. 8.- When a security breach occurs that affects the processing of cameras for security purposes, whenever there is a risk to the rights and freedoms of natural persons, you must notify the AEPD within a maximum period of 72 hours. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/12 A security breach is understood to be the accidental destruction, loss or alteration or unlawful use of personal data transmitted, stored or otherwise processed, or the unauthorized communication or access to said data. 9.- When the system is connected to an alarm center, it can only be installed by a private security company that meets the requirements contemplated in article 5 of Law 5/2014 on Private Security, of April 4. The Spanish Data Protection Agency offers through its website [https://www.aepd.es] access to: legislation regarding the protection of personal data, including the RGPD and the LOPDGDD (section “Reports and resolutions” / “regulations”), the Guide on the use of video cameras for security and other purposes, the Guide for compliance with the duty to inform (both available in the section “Guides and tools”). It is also of interest, in the case of low-risk data processing, the free tool Facilita (in the “Guides and tools” section), which, through Some specific questions allow us to assess the situation of the person responsible with respect to the processing of personal data that it carries out, and, where appropriate, generate various documents, informative and contractual clauses, as well as an annex with measures indicative safety standards considered minimum. SAW Administrative violation In accordance with the proven facts found during the procedure sanctioning, it is considered that the facts presented violate the provisions of the article 5.1.c) of the RGPD, so they involve the commission of an infraction classified in Article 83.5.a) of the GDPR, which provides the following: “Infringements of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount: a) the basic principles for the treatment, including the conditions for the consent under articles 5, 6, 7 and 9; For the purposes of the limitation period for infractions, the infraction indicated in the previous paragraph is considered very serious in accordance with article 72.1 of the LOPDGDD, which states that: “Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/12 a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679. VII Sanction Article 58.2 of the GDPR states: “Each supervisory authority will have all of the following corrective powers: indicated below: (...) d) order the person responsible or in charge of processing that the processing operations treatment comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period; (...) i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case". According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. Regarding the violation of article 5.1.c) of the RGPD, taking into account the facts proven, it is considered that the sanction that should be imposed is a fine administrative. The fine imposed must be, in each case, individual, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the RGPD. In order to determine the administrative fine to impose, the following must be observed: provisions of article 83.2 of the RGPD, which indicates: "2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under of articles 25 and 32; e) any previous infringement committed by the controller or processor; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/12 f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with article 42, k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures”, provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have included the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity f) The impact on the rights of minors g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between those and any interested party." The balance of the circumstances contemplated, with respect to the violation of the article 5.1 c) of the RGPD, allows a fine of €300 (three hundred euros) to be set. VIII Measures The text of the resolution establishes what infractions have been committed and the events that have given rise to the violation of the regulations for the protection of data, from which it is clearly inferred what measures to adopt, without prejudice that the type of procedures, mechanisms or specific instruments to implementing them corresponds to the sanctioned party, since it is responsible for the treatment who fully knows its organization and must decide, based on the proactive responsibility and risk approach, how to comply with the GDPR and LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/12 Please note that failure to comply with the requirements of this organization may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by opening of a subsequent administrative sanctioning procedure. IV Conclusion Therefore, in accordance with the applicable legislation and evaluated the graduation criteria of the sanction whose existence has been proven, the Director of the Spanish Agency of Data Protection RESOLVES: FIRST: IMPOSE D. B.B.B. with NIF ***NIF.1, for a violation of the Article 5.1.c) of the RGPD, typified in Article 83.5 of the RGPD, a fine of 300 euros (THREE HUNDRED euros). SECOND: ORDER D. B.B.B. that, pursuant to article 58.2 d) of the GDPR, in the Within ten business days, take the following measures: Prove that you have proceeded to remove the cameras in question, providing documentary evidence with date and time that certifies such point, or, failing that, accreditation regularization of the cameras, in accordance with current regulations, so that does not record or capture images of the complaining party's home or the road public or private that runs next to the homes. THIRD: NOTIFY this resolution to B.B.B.. FOURTH: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collected in executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/12 Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month to count from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-290523 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es