AEPD (Spain) - PS/00459/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...")
 
No edit summary
(2 intermediate revisions by one other user not shown)
Line 50: Line 50:
}}
}}


The Spanish DPA fined a small vendor €4000 for publishing personal data from different clients in their public Amazon page.
The Spanish DPA fined a small vendor €4000 for publishing the personal data of various clients in their public Amazon page without a legal basis.


== English Summary ==
== English Summary ==
Line 59: Line 59:
The controller, Megalatrom, threatened the data subject to publish their personal data if they didn't take away the negative review on their page. Since the data subject didn't do as asked, the controller published their name, surnames, address, phone number, their husband's name and their phone company's name.  
The controller, Megalatrom, threatened the data subject to publish their personal data if they didn't take away the negative review on their page. Since the data subject didn't do as asked, the controller published their name, surnames, address, phone number, their husband's name and their phone company's name.  


As the Spanish DPA (AEPD), the controller had done the same several times.
As the Spanish DPA (AEPD) noted, the controller had done the same several times.
 
=== Dispute ===
 
 
=== Holding ===
=== Holding ===
The AEPD determined that the controller had processed personal data without consent, therefore violating [[Article 6 GDPR#1|Article 6(1) GDPR]].
The AEPD determined that the controller had processed personal data without consent, therefore violating [[Article 6 GDPR#1|Article 6(1) GDPR]].

Revision as of 10:39, 21 July 2021

AEPD (Spain) - PS/00459/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 6 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 05.07.2021
Published: 09.07.2021
Fine: 4000 EUR
Parties: MALAGATROM, S.L.U.
National Case Number/Name: PS/00459/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA fined a small vendor €4000 for publishing the personal data of various clients in their public Amazon page without a legal basis.

English Summary

Facts

A data subject bought a product from Megalatrom, a vendor in Amazon. The product was defective, so the subject made a claim and also posted a negative review in Megalatrom's page.

The controller, Megalatrom, threatened the data subject to publish their personal data if they didn't take away the negative review on their page. Since the data subject didn't do as asked, the controller published their name, surnames, address, phone number, their husband's name and their phone company's name.

As the Spanish DPA (AEPD) noted, the controller had done the same several times.

Holding

The AEPD determined that the controller had processed personal data without consent, therefore violating Article 6(1) GDPR.

While the initial processing of the personal data was justified for the performance of a contract, and therefore based on Article 6(1)(b), the subsequent processing for making public the personal data of the data subject had no legal basis, as it was no necessary for the fulfillment of the initial contract.

The AEPD also found a breach of the confidentiality principle, since the data provided by the data subject were only meant to be processed within the commercial agreement both had, and not to be made publicly available.

However, the DPA considered that since both violations came from the same facts, in accordance with the criminal law principles that are applicable to sanctioning procedures, they could only sanction the controller for the original and most serious violation, which is the infringement of Article 6 GDPR.

For this, the AEPD fined the controller €4000. In order to determine the amount, the DPA took into account the intentionality of the behaviour, the nature of the infringement, the nature of the harm made to the data subject, the means for the infringement, which implies public access, and the categories of data disclosed. As a mitigating factor the DPA took into account the small size of the controller.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/14









     Procedure No.: PS / 00459/2020



               RESOLUTION OF SANCTIONING PROCEDURE


Of the procedure instructed by the Spanish Agency for Data Protection and based on

to the following

                                  BACKGROUND


FIRST: A.A.A. (hereinafter, the claimant) on 06/10/2020 filed

claim before the Spanish Agency for Data Protection. The claim is
directs against MALAGATROM, S.L.U. with NIF B93178614 (hereinafter,
MALAGATROM or the claimed one), which operates under the trademark “Mercatron”. The
reasons on which the claim is based are: the respondent has treated and disclosed in
"Amazon" your personal data relating to name and surname, address, number of

mobile phone, your spouse's name and his or her mobile phone number. Warns
that the reported data processing is carried out without your consent and without a
legitimate purpose.

This claim shows that, through the “Amazon” platform, the

claimant acquired from the defendant a product marketed by this company,
resulting in defective shipping and giving rise to various claims, some with the
intermediation of “Amazon”. The complainant adds that she chose to insert a comment
with a negative store rating of the claimed one along with a review of the
product, receiving a response in which the claimed threatens to publish their
data, which later complied with the incorporation of a comment that

details the personal data indicated above.

Attach the following scanned images of the “Amazon” user account:

1. Message from “Amazon” dated 05/15/2020 regarding an order.


2. Message of 06/02/2020 sent by <devolucion@amazon.es> to the claimant
about return.

3. Message of 06/02/2020 from “Amazon” to “Mercatron” about the request for

return of the order by the claimant.

4. Message of 06/03/2020 sent by “Mercatron” to the claimant about the
return, with the following text:

"Mr. Client, I advise you to return the equipment, so that our business relationship

is annulled, a negative vote for a case like yours, just shows ...
Also, I don't think you would like all sellers to see all their
data in the reply to the comment, but if you do not care, we will not return to
write to him. You are the one who plays it… ”.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/14









5. Message from 06/03/2020 sent by “Amazon” Customer Service
to the claimant.


6. Comments posted on the “Mercatron” showcase page, among which
figure one inserted by the claimed entity itself, dated 06/03/2020, with the text
following:

“Be very careful with this account… (name and surname, address and number of

claimant's mobile phone). The husband's name is ... (name of the spouse of the
claimant) and is the one who keeps the account ... (mobile phone number of the spouse of the
claimant) ”.

The claimant refers to the possible incorporation of her personal data and the

from your spouse to advertisements published on the “Milanuncios” and “Tripadvisor” portals, and
adds that on the same date of 06/03/2020 they began to receive calls from
interested persons, some of whom knew the claimant's domicile. Not
However, the claim does not include any proof in this regard.

SECOND: The claim was admitted for processing on 06/22/2020.


THIRD: In view of the facts denounced in the claim and the
documents provided by the claimant, the Subdirectorate General for Inspection of
Data proceeded to carry out preliminary investigation actions for the
clarification of the facts in question, by virtue of the powers of investigation

granted to the control authorities in article 57.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and of
in accordance with the provisions of Title VII, Chapter I, Second Section, of the Law
Organic 3/2018, of December 5, Protection of Personal Data and guarantee of
digital rights (hereinafter LOPDGDD).


As a result of the investigative actions carried out, the report prepared
by the acting inspector reveals the following:

“[…]


It is verified that the claimed facts are true, finding not only the
personal data of the claimant and her husband published in the response
provided by the claimed to the valuation made by the claimant, but rather
three other cases of disclosure of personal data have been found in responses to
evaluations in the last six months in the profile of the claimed on the website of

sale online https://www.amazon.es.
[…]
A search was made on the websites https://milanuncios.es and
https://www.tripadvisor.es in which the claimant states that they have been published
also your personal data for which you have received phone calls, not

We found no reference to the claimant's phone number or that of her husband.
[…]

It has been found that there are other cases in which, upon receiving an assessment

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/14








negative, the respondent makes public the personal data of the clients not
satisfied with the purchase and / or the service. The most recent case of those found has
been in a response to a customer comment dated August 17,

2020 ”.

Through Inspection Diligence dated 12/03/2020, it is incorporated into the actions
screen print with some responses from the claimed to comments
inserted in the shopping website of "Amazon" by its customers, in which they are
reveal their personal data. The pages that contain these comments,

including those relating to the claimant, were obtained from the profile of the claimant in said
website.

Three comments are incorporated, all of them with a content similar to the one that has
motivated the claim, according to the detail that is outlined in the Proven Fact

Fifth.

FOURTH: On 05/25/2021, by the General Sub-Directorate of Data Inspection
Access to the information available on the entity claimed in "Axesor". On
said website states that said entity was constituted in 2012, with a share capital of
3,000 euros. (…).


(…).

FIFTH: On 06/01/2021, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against The MAGALATROM entity, by the

alleged infringement of article 6 of the RGPD, typified in article 83.5.a) of the same
Regulation; noting in said agreement that the sanction that may correspond
amounts to 4,000 euros (four thousand euros), without prejudice to what results from the
instruction.


SIXTH: The aforementioned initiation agreement has been notified, the period granted to the claimed to
formulating allegations passes without this Agency having received a written
any.

SEVENTH: On 06/28/2021 a resolution proposal was formulated in the sense of
that the Director of the Spanish Data Protection Agency sanctions the

entity claimed with a fine of 4,000 euros (four thousand euros), for a
infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD.

Likewise, it was proposed that by the Director of the Spanish Agency for the Protection of
Data is required from the claimed so that, within the period to be determined, adopt the

necessary measures to adapt their actions to the data protection regulations
personal, with the scope expressed in the Basis of Rights of the aforementioned
motion for resolution.

EIGHTH: The requested entity was notified of the resolution proposal, dated

06/30/2021 this Agency received a written statement of allegations, in which it states that
there is no disclosure of data, as it is an internal chat of the web to which no
no one else can have access.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/14








He alleges defenselessness, given the impossibility of proving his innocence, and adds that the
low returns that you obtain do not allow you to bear penalties for events unrelated to
his will, for which he will be forced not to continue with the business activity.


With its writing, the claimed does not provide any documentation.


Of the actions carried out in this procedure and of the documentation
Obrante in the file, the following have been accredited:



                                PROVEN FACTS



FIRST: the claimed entity is registered as a "seller" in the Portal
"Amazon". Through this website, the claimant acquired one of the products
marketed by the claimed.

SECOND: The shipment of the product that the claimant acquired from the defendant was
defective, giving rise to the formulation of various claims by the

client. The claimant also inserted a comment on the showcase page of the
claimed on “Amazon” with a negative store rating and a review of the
product.

THIRD: In response to the claimant's comment, outlined in the Fact

Second, the complainant, dated 06/03/2020, inserted a comment about
of the return, with the following text:

"Mr. Client, I advise you to return the equipment, so that our business relationship
is annulled, a negative vote for a case like yours, just shows ...

Also, I don't think you would like all sellers to see all their
data in the reply to the comment, but if you do not care, we will not return to
write to him. You are the one who plays it… ”.

FOURTH: On 06/03/2020, the respondent inserted a comment on the platform
shopping "Amazon", on its own showcase page, in which it discloses the data

Claimant's personal names and surnames, address, number of
mobile phone, your spouse's name and his or her mobile phone number. The text of
this comment is as follows:

“Be very careful with this account… (name and surname, address and number of

claimant's mobile phone). The husband's name is ... (name of the spouse of the
claimant) and is the one who keeps the account ... (mobile phone number of the spouse of the
claimant) ”.

FIFTH: The Agency's Inspection Services found that there are other

cases in which, upon receiving a negative assessment, the complained entity makes
make public the personal data of customers who do not comply with the purchase and / or the
service. The pages that contain these comments, including those relating to the
claimant, were obtained from the profile of the claimed in “Amazon”.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/14









The text of these comments is as follows:


. Comment inserted on 05/29/2020: “Be very careful with this buyer… (name
and last name of the client, address and mobile phone number) ”.
. Comment inserted on 06/03/2020: “Beware of this client… (client's name,
city or postal code). He is a manipulator ”.
. Comment inserted on 08/19/2020: “Be careful with this client… (name and surname
customer, address and mobile phone number). He is dedicated to buying things and for the

being prime it is believed that you do not have to pay. Be careful with this guy for calling him
something".

                            FOUNDATIONS OF LAW


                                              I

By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in articles 47 and 48 of the LOPDGDD, the Director
of the Spanish Data Protection Agency is competent to initiate and to
solve this procedure.


Article 63.2 of the LOPDGDD determines that: “The procedures processed by the
Spanish Data Protection Agency will be governed by the provisions of the RGPD, in
this organic law, by the regulatory provisions issued in its
development and, insofar as they do not contradict them, in the alternative, by the norms

general information on administrative procedures ”.

                                             II

Article 6.1 of the RGPD establishes the assumptions that allow the

processing of personal data:

"1. The treatment will only be lawful if at least one of the following is met
terms:

a) the interested party gave their consent for the processing of their personal data

for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
responsible for the treatment;

d) the treatment is necessary to protect vital interests of the interested party or another
Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued

by the person responsible for the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party who require the protection of personal data, in particular when the
interested is a child.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/14








The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.


2. Member States may maintain or introduce more specific provisions
in order to adapt the application of the rules of this Regulation with respect to the
treatment in compliance with section 1, letters c) and e), setting moreover
specifies specific treatment requirements and other measures that ensure a
lawful and equitable treatment, including other specific situations of
treatment according to chapter IX.


3. The basis of the treatment indicated in section 1, letters c) and e), must be
established by:

a) Union law, or

b) the law of the Member States that applies to the controller.

The purpose of the treatment must be determined in said legal basis or, as
relating to the treatment referred to in paragraph 1, letter e), will be necessary for the
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred to the person in charge of the treatment. Said legal basis may contain

specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the treatment
by the person in charge; the types of data being processed; the interested
affected; the entities to which personal data may be communicated and the purposes
of such communication; the limitation of the purpose; the terms of conservation of the

data, as well as operations and treatment procedures, including
measures to guarantee a lawful and equitable treatment, such as those related to other
specific treatment situations in accordance with Chapter IX. Union law
or Member States will meet a public interest objective and will be proportional
to the legitimate end pursued.


4. When the treatment for a purpose other than that for which the data were collected
personal data is not based on the consent of the interested party or on the Law
of the Union or of the Member States that constitutes a necessary measure and
proportional in a democratic society to safeguard the stated objectives
in article 23, paragraph 1, the data controller, in order to determine

if the treatment for another purpose is compatible with the purpose for which they were collected
initially personal data, will take into account, among other things:

a) any relationship between the purposes for which the data was collected
personal and the purposes of the planned further processing;

b) the context in which the personal data was collected, in particular for what
Regarding the relationship between the interested parties and the person responsible for the treatment;
c) the nature of the personal data, specifically when categories are processed
special personal data, in accordance with article 9, or personal data
relating to convictions and criminal offenses, in accordance with article 10;

d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or
pseudonymisation ”.


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/14








What is expressed in recitals 40 to 45 and 47 of the RGPD is taken into account.

In the present case, the claimed entity is registered as a "seller" in the

Portal "Amazon". Through this website, the claimant acquired one of the
products marketed by the claimed.

By virtue of said purchase, the respondent collected the personal data of the
claimant and was entitled to submit them to treatment in order to give
compliance with the aforementioned commercial relationship.


However, the respondent processed such data that was not
necessary for the fulfillment or execution of said relationship, consisting of inserting
a comment on his own showcase page on “Amazon” detailing the
personal data of the claimant regarding name and surname, address, number of

mobile phone, your spouse's name and his or her mobile phone number. The text
of the comment in question is the following:

“Be very careful with this account… (name and surname, address and number of
claimant's mobile phone). The husband's name is ... (name of the spouse of the
claimant) and is the one who keeps the account ... (mobile phone number of the spouse of the

claimant) ”.

On the other hand, the investigation actions carried out by the Services of
Inspection of this Agency have verified the existence of similar comments
Relating to other clients, whose personal data have been used in the same way.

These proceedings incorporate three comments of this type, in addition to the
corresponding to the claimant, in which personal data of clients of
the claimed one.

It does not appear, in the case of the claimed one or in relation to the other aforementioned clients,

that the respective processing of personal data by the complained party is
carried out under a legal basis that legitimizes them, they were not necessary
for the fulfillment of the commercial relationship, as has been said, and the purpose for the
that are carried out is not a purpose compatible with those that determined the
collection of such personal data by the claimed party.


Consequently, the aforementioned events violate the provisions of article 6 of the RGPD,
which gives rise to the application of the corrective powers that article 58 of the aforementioned
Regulation granted to the Spanish Agency for Data Protection.

Regarding this use of the personal data of the clients, the claimed entity does not

has made any statement in its brief of allegations to the proposal.


                                            III


Article 5 of the RGPD establishes the principles that must govern the treatment of
personal data and mentions among them that of "integrity and confidentiality". East
Article, in section 1.f), states the following:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/14








"1. The personal data will be:
(…)
f) treated in such a way as to guarantee adequate data security

personal data, including protection against unauthorized or illegal processing and against
its loss, destruction or accidental damage, through the application of technical measures
or appropriate organizational ('integrity and confidentiality') ”.

Article 5 of the new Organic Law 3/2018, of December 5, on the Protection of
Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is

refers to the "Duty of confidentiality" in the following terms:

"1. Those responsible and in charge of data processing as well as all
people who intervene in any phase of this will be subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.

2. The general obligation indicated in the previous section will be complementary to the
duties of professional secrecy in accordance with its applicable regulations.
3. The obligations established in the previous sections will be maintained even
when the relationship between the obligated party and the person in charge of the
treatment".


The comments made by the complainant about the complainant and other clients, in
which details personal data relating to them, which were inserted
in the sales portal "Amazon", on the showcase page of the claimed itself, which
is registered as a selling entity in said portal, it implies the dissemination to third parties
of those personal data without any type of restriction, considering that said

website is freely accessible to any internet user.

Thus, the respondent carried out a dissemination of personal data, which
constitutes an offense for breach of the provisions of article 5
"Principles relating to the treatment" of the RGPD, section 1.f), in relation to the article

5 "Duty of confidentiality" of the LOPDGDD.

This duty of confidentiality, previously the duty of secrecy, is intended to
avoid such dissemination of data not consented to by the owners of the same. I know
It is an obligation that is incumbent on the person in charge and in charge of the treatment, as well
as to anyone who intervenes in any phase of the treatment; and what is

complementary to the duty of professional secrecy.

In its allegations to the proposed resolution, the claimed entity denies this
disclosure of personal data, noting that the comments in question are
carried out in an internal chat on the web that cannot be accessed by any other

person. However, the actions carried out by the Inspection Services
of the Agency have confirmed that the comments are public, since
the site can be accessed without any restriction, without even being registered in the
sales platform.


In the same letter he has alleged defenselessness, but without expressing any cause or
circumstance that determines it.

                                            IV

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/14









The verified facts, consisting of using the personal data of the
interested to make some comments that were inserted in a website of

free access, constitute the factual basis to substantiate the imputation to the
claimed of the infractions of articles 6 and 5.1 of the LOPDGDD.

We are faced with a case of medial contest, in which the same event
could lead to two offenses, given the circumstance that the commission of a
implies, necessarily, the commission of the other. That is, data processing

personal information on a freely accessible website results, in turn, in a violation of the
duty of confidentiality.

The two possible infractions are considered very serious for the purposes of prescription
in article 72 of the LOPDGDD and both are typified in article 83.5 of the

GDPR.

In this regard, article 29.5 of Law 40/2015, of October 1, on the Regime
Public Sector Legal, establishes the following:

"When the commission of an offense necessarily results in the commission of another or

others, only the sanction corresponding to the most infringement must be imposed.
serious committed ”.

Therefore, it is appropriate to subsume both offenses in one, proceeding to impose
only the sanction provided for the violation of article 6 of the RGPD, which is

of the original infringement that has implied the commission of the other.


                                           V


In the event of an infringement of the RGPD precepts, among the
corrective powers available to the Spanish Data Protection Agency,
As a supervisory authority, Article 58.2 of said Regulation contemplates the
following:

“2 Each supervisory authority shall have all the following corrective powers

listed below:
(…)
b) direct a warning to any person in charge or in charge of the treatment when the
treatment operations have infringed the provisions of this Regulation;
(...)

d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of

the measures mentioned in this section, according to the circumstances of each
particular case;".

According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/14








above is compatible with the sanction consisting of an administrative fine.



                                            SAW

Failure to comply with the provisions of article 6 of the RGPD implies the commission of
an offense typified in section 5.a) of article 83 of the RGPD, which under the
heading "General conditions for the imposition of administrative fines" provides
the next:


"5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for

the highest amount:

a) the basic principles for the treatment, including the conditions for the
consent in accordance with articles 5, 6, 7 and 9 ".

In this regard, the LOPDGDD, in its article 71 establishes that “They constitute

offenses the acts and conducts referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law ”.

For the purposes of the limitation period, article 72 of the LOPDGDD indicates:


“Article 72. Violations considered very serious.
1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the

following:
(…)
b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679 ”.

In order to determine the administrative fine to be imposed, the

provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:

"1. Each supervisory authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case

effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine

administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/14








have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to

mitigate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the

infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what
measure;

i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,

such as financial benefits obtained or losses avoided, direct or
indirectly, through the offense. "

For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD
has:


"1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679

The following may also be taken into account:

a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.

d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.

g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party ”.


In accordance with the indicated precepts, in order to set the amount of the sanction to
impose in the present case, it is considered that the criteria
following graduation:


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/14








    - The intentionality appreciated in the commission of the offense. In this case, what
        results from the incorporation of a comment related to the claimant, inserted
        on a publicly accessible website, there is a prior comment in which the

        herself claimed threatened with such disclosure of personal data.
    - The nature of the offense, taking into account the scope or purpose of the
        treatment operations in question, regarding the privacy of the
        claimant.
    - The nature of the damages caused to the interested persons.
    - The means through which the personal data object of the

        performances (free access website for any internet user).
    - The categories of personal data affected by the infringement,
        considering that the comment in question details the identifying data and
        contact of its clients and third parties.


It is also considered that the circumstances concur as extenuating
following:

    - The small business status of the responsible entity.

Considering the exposed factors, the imposition of a

fine in the amount of 4,000 euros (four thousand euros), for the violation of article 6 of the
GDPR.

The respondent has made allegations to the proposed resolution indicating that
the low returns he obtains do not allow him to bear the penalty, so he is

will be forced not to continue with the business activity. However, it has not
provided any documentation that supports these statements, or that could
imply that the amount indicated is disproportionate. In fact, it has not
made any statement about the graduation criteria taken into account.



                                            VII

In accordance with the provisions of article 58.2.d) of the RGPD, the commission of a
infringement may lead to the imposition on the person responsible of the obligation to adopt
adequate measures to adjust its performance to the data protection regulations

personal. According to this article, each supervisory authority may “order the
responsible or in charge of the treatment that the treatment operations are
comply with the provisions of this Regulation, where appropriate, of a
determined way and within a specified period… ”.


Therefore, in this case, it is appropriate to require the claimed so that, within the period that is
determine, delete all comments from your page on the “Amazon” platform
inserted by the claimed itself in which the personal data of its
clients or third parties; and take the appropriate measures to prevent similar events
may be repeated in the future, warning everyone in your organization

about the illegality of this conduct.

It is noted that not meeting the requirements of this body may be
considered as a serious administrative offense by “not cooperating with the Authority

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/14








of control ”before the requirements made, being able to assess such conduct to the
time of the opening of an administrative procedure punishable by a fine
pecuniary.



Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE the entity MALAGATROM, S.L.U., with NIF B93178614, by
an infringement of Article 6 of the RGPD, typified in Article 83.5 of the RGPD, a
fine of 4,000 euros (four thousand euros).

SECOND: REQUEST the entity MALAGATROM, S.L.U. that, within a

month, adopt the necessary measures to adapt its actions to the regulations of
protection of personal data, with the scope expressed in the Basis of
Right VII of this resolution.

THIRD: NOTIFY this resolution to MALAGATROM, S.L.U.


FOURTH: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case

Otherwise, it will be collected in the executive period.

Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term

it will be until the 5th of the second following or immediately subsequent business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly

contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/14









day following notification of this act, as provided in article 46.1 of the
referred Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through

writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.


                                                                                      938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection









































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es