AEPD (Spain) - PS/00473/2019: Difference between revisions

From GDPRhub
No edit summary
 

Latest revision as of 14:41, 13 December 2023

AEPD - PS/00473/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 32 GDPR
Art. 22 Ley de Servicios de la Sociedad de la Información y Comercio Electrónico (LSSI)
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 02.04.2020
Published:
Fine: 1500 EUR
Parties: n/a
National Case Number/Name: PS/00473/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AgenciaEspañola de Protección de Datos (in ES)
Initial Contributor: n/a

The AEPD fined a controller for not providing its users with complete information regarding the use of cookies.

English Summary

Facts

The complainant highlights general non-compliance regarding processing. Just to take a couple of examples, in order to access the workstation, employees are not requested to use login credentials nor password are needed to unlock the screen. Employee can access all type of personal data regardless of their concrete tasks.

Moreover, the company's website does not provide an appropriate information regarding the use of cookies. The first pop-up banner does not inform about the existence of tracking cookies. The full cookie policy is also vague and does not provide a tool to uninstall cookies easily.

Dispute

The AEPD must assess whether or not the statements from the complainant are true. In particular if the processing is safeguarded with appropriate technical and organisational measures.

The Authority must also verify if the controller has respected the Spanish implementation of ePrivacy Directive (Ley 34/2002, Servicios de la Sociedad de la Información y ComercioElectrónico - LSSI). In particular if, under Article 22 LSSI, the controller has provided a clear and complete information on the use of cookies.

Holding

After thorough investigation, the AEPD considers that some statements in the complaint are not - or no longer - accurate.

For example, the controller has convincingly demonstrated that its personnel can now only access those data and resources required to carry out their tasks. Printed manuals and personal data are stored into locked filing cabinets and access to the office is only allowed to authorized personnel. Because of that, the AEPD decided to dismiss this part of the complaint.

The Authority then addresses the second point of the complaint.

According to the analysis, the pop-up notification (first layer) does not allow users to understand the use of cookies, as it happens, for instance, for phrases like “improve our services”. The Cookie Policy (second layer) does not describe which type of cookies is used or provide information regarding their sources (first or third-party). Also, it does not include any tool to manage cookies in a granular way. For these reasons, the Authority found a violation of Article 22(2) LSSI.

Comment

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
1/12
936-031219
 Procedure No.: PS / 00473/2019
RESOLUTION R / 00258/2020 OF TERMINATION OF THE PAYMENT PROCEDURE
VOLUNTARY
In the sanctioning procedure PS / 00473/2019, instructed by the Agency
Spanish Data Protection to HAPPY FRIDAY, SL , given the complaint
presented by AAA , and based on the following,
BACKGROUND
FIRST: On April 2, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning procedure to HAPPY FRIDAY, SL
(hereinafter, the claimed), through the Agreement that is transcribed:
<<
Procedure Nº: PS / 00473/2019
935-240719
PENALTY PROCEDURE STARTING AGREEMENT
Of the actions carried out by the Spanish Agency for Data Protection before
the entity, HAPPY FRIDAY, SL, with CIF: B54660980, owner of the website
https://happvfridavhome.com , (hereinafter “the claimed entity”), by virtue of-
nuncia presented by DAAA , (hereinafter “the claimant”) and based on
the following:
ACTS
FIRST: On 05/10/19, you have entered this Agency, complaint filed
by the claimant indicating, among others, the following:
"In the company Happy Friday, SL, everything is being done wrong, regarding the treatment
of personal data and others: -Works with personal folders
shared on the server where all the files that each
Save your daily work in your own personal folder. Folders accessible by
any other user regardless of the department to which it corresponds, without
no type of server authentication, no password or
type of permissions. Anyone can access any document from another worker
regardless of their profile, department or the sensitivity of the information from which
concerned.
No login credentials required, no password to lock
screen etc. In addition, all computers use illegal software both at the level of
operating system and applications, with the risk that this implies. And without the
security of updates typically provided by software manufacturers.
Processing thousands of customer data accessible to any of the 25 workers
without any control. Well, in the management application (Eneboo) the start of
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 2
12/12
session, but everyone can access any part of the application
regardless of their role and department without any authentication or log of
who has performed each action. I also consider that they are not acting according to
current legislation regarding the processing of personal data:
When entering the web https://happvfridavhome.com a pop-up opens requesting the
subscription to the newsletter with an "I accept the Terms and Conditions", but it is not noticed
Nor does it inform about the cookies they use and the tracking they carry out since accessing
the Web. Nor is any consent requested for the collection of this
information. Cookies that are already started on the cover without accepting them, nor
have shown us their information. As you can see they don't indicate anything
on the next page https://happvfridavhome.com/en/cookies
You can navigate
with full functionality on the web without having accepted any cookie policy,
Privacy".
SECOND: In view of the facts set forth in the claim and the documents
contributed by the claimant, the General Sub-Directorate for Data Inspection proceeded
to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of the Regulation
(EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD). So,
dated 07/12/19, an informative request is addressed to the claimed entity.
THIRD: On 08/08/19, the requested entity sends this Agency written in
who, among others, reports the following:
“On the measures and regulations related to the identification and authentication of personnel
authorized to access personal data.
a) .- All users of the system are assigned an identifier and a password.
The authentication system is based on a password environment under one system
operating Microsoft Windows 10. The user enters his identifier (which identifies him
as an authorized user to access) and your password (which authenticates you as the user
river identified), which are verified on the computer itself, which recognizes it as
system user, allowing access to directories, files and databases
for the performance of their work.
b) .- Passwords are one of the basic components of the security of
the data, and must therefore be specially protected. As access keys to
system, passwords must be strictly confidential and personal, and
Any incident that compromises your confidentiality must be immediately
communicated to the administrator and corrected in the shortest possible time.
-
The password file must be protected (in computerized format)
they would be intelligible through the encryption system used by the system
operational issue) and under the responsibility of the system administrator.
-
Passwords will be 13 alphanumeric characters, modified by the
responsible for the file every 12 months.
-
The File Manager, or on his behalf the System Administrator
in charge of the treatment, it will eliminate the passwords of the users that
have unsubscribed from the organization.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 3
12/3
c) .- The staff will only access those data and resources that they need for the development.
he of his functions. The person responsible for the file will establish mechanisms to avoid
that a user can access resources other than those authorized in the following
shape:
-
Different user profiles will be created in which they will be authorized /
They will deny the different accesses to the allowed functions.
-
The staff will be informed of the applications, tools and documentation at
which has access to perform its functions.
-
Only the person responsible for the file is authorized to grant, alter or cancel
authorized access to data and resources.
d) .- Annex II includes the updated users list with authorized access.
do to each information system. Also, the type of authorized access is included
for each of them. This list will be updated when necessary by modification.
tions on the staff, by the person responsible for the file.
-
If there are personnel outside the person responsible for the file with access to the resources
must be subject to the same conditions and security obligations
than own staff.
-
Manual documents are located in locked cabinets at each station.
work of authorized users.
e) .- About the criteria for filing and storing information in ma-
manual or non-automated.
The archiving of the supports or documents will be carried out in accordance with the established criteria.
blecidos by the person in charge of the file: The office has a work area
made up of desks with computers and some locked metal filing cabinets, in
those that manual documentation is kept, its content correctly identified
and access only by authorized personnel.
As long as the documents with personal data are not filed in the
devices mentioned above, by working with them, people
who are in charge of them must guard them and prevent in any way
ment that it can be accessed by unauthorized persons.
The office is located in an industrial warehouse. To access it you must call a
external bell, enter with prior authorization, cross the nave and the bottom, going up some
stairs, access to the second floor of the warehouse, where the management is located
administrative office of the company.
The security of the personal data of the Files not only supposes the confidentiality
of them but also entails the integrity and availability of those
data. To guarantee these two fundamental aspects of security, it is necessary to
ary that there are backup and recovery processes that, in case of failure
of the computer system, allow to recover and, where appropriate, reconstruct the data of the Fi-
chero.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 4
4/12
-
The person responsible for the File will be responsible for periodically obtaining a
backup, for backup and recovery purposes in case of failure.
-
A backup is made daily on the Storage Device.
(NAS) located in the company, as well as another parallel copy in another Device
positive storage (NAS) located in a Ship used as warehouse-
cen, inside a locked cabinet where only the Res-
File manager and authorized person.
With this current method that we have, the company guarantees an adequate level of security
when in the processing of personal data.
f) .- About Cookies.
Regarding the measures adopted to provide clear and complete information on the
use of Cookies, the purposes of the treatment of the data collected by them, and the
procedure to obtain the consent of users about their installation
In the browser, we inform you that since the launch of our
WEB Yes, there is a notice to users at the bottom of the page, appearing
I give an information and authorization sign for the use of Cookies framed in
black on white letters that could accept or obtain more information,
I am thus complying with our obligation.
After having received this notification and after a Management meeting with the
Computer department we have seen fit to improve our website by doing more
Visible the section on Cookies, in order to have greater transparency for
users who use our website. You can check it out at: https: //happyfridayhome.-
com / ”.
FOURTH: On 09/10/19, In ​​view of the facts set forth in the information
provided by the claimed entity, the General Sub-Directorate for Data Inspection
proceeded to request additional information about, Security policies or in its
to the following procedures: User authentication procedure; Procedures
Access Control method; List of users with access to home information system
training (Annex II) and Storage procedure and backup copies.
FIFTH: On 10/10/19, the claimed entity remits to this Agency, written in
which, among others, reports the following:
a) .- All users are assigned an identifier and a password. The system
Authentication is based on Microsoft Windows 10 operating system.
The user enters his identifier (which identifies him as an authorized user) and his
password (which authenticates you as the user), which are verified in the computer itself
nador, which recognizes you as a user, allowing you to access directories, files,
you and databases for the performance of your work. Passwords are 12 characters
Alphanumeric racteres, modifying by the person in charge of the file every 12 months.
The staff only access those data and resources that they need for the development of
its functions. The person responsible for the File establishes mechanisms to prevent a
user can access resources other than those authorized in the following way:
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 5
12/5
-
The different user profiles in which authorization is authorized have been drawn up.
They will / deny the different accesses to the allowed functions.
-
The staff have been informed of the applications, tools and documents
tion to which it has access to perform its functions.
Exclusively the person in charge of the file is authorized to grant, alter or
void authorized access to data and resources. Manual documents
They are located in 2 locked cabinets, and are only accessed by authorized users.
two.
b) .- Storage of information in manual or non-automated files:
The office has a work area made up of desks with a computer.
res and some locked metal filing cabinets, in which the documentation is kept
manual, correctly identified its content and access only by staff
authorized for it.
As long as the documents with personal data are not filed in the
devices mentioned above, by working with them, people
who are in charge of them must guard them and prevent in any way
ment that it can be accessed by unauthorized persons.
The office is located in an industrial warehouse. To access it you must call a
external bell, enter with prior authorization, cross the nave and the bottom, going up some
stairs, access to the second floor of the warehouse, where the management is located
administrative office of the company.
c) .- Storage of information in computer files.
All files are located on the company server (SERVER
2019). Users are assigned an identifier and password. Access is
through the PC of each user in Windows 10 environment with username and
password and have access only to the files they use and for which they are
duly authorized.
d) .- Backups:
The person responsible for the File is responsible for periodically obtaining a copy of
file security.
A daily backup is made to the Storage Device
(NAS), located in the company, as well as another parallel copy in another device of
storage (NAS) located in a Warehouse used as a warehouse, inside an
Mario locked with a key where only the File Manager and person have access.
authorized end.
SIXTH: In view of the facts denounced, in accordance with the evidence of
that is available, the Data Inspection of this Spanish Agency for the Protection of
Data considers that the cookie policy that is made by the claimed entity, not
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 6
6/12
complies with the conditions imposed by current regulations, for which reason the opening
ra of the present sanctioning procedure.
FUNDAMENTALS OF LAW
I
Competition
- About security measures:
By virtue of the powers that art 58.2 of Regulation (EU) 2016/679, of
European Parliament and of the Council, of 04/27/16, relative to the Protection of
Individuals with regard to the Processing of Personal and Free Data
Circulation of these Data (RGPD) recognizes each Control Authority and, according to the
established in arts. 47, 64.2 and 68.1 of Organic Law 3/2018, of December 5,
Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD),
The Director of the Spanish Agency for Data Protection is competent to initiate
this procedure.
Sections 1) and 2) of article 58 of the RGPD, list, respectively, the
investigative and corrective powers that the supervisory authority may dispose to
effect, mentioning in point 1.d), that of: “notify the person in charge or commission of the
treatment of the alleged infractions of these Regulations ”and in 2.i), that of:
“Impose an administrative fine pursuant to article 83, in addition to or instead of
measures mentioned in this section, according to the circumstances of each
case.".
- About the Cookies Policy:
In accordance with the provisions of art. 43.1, second paragraph, of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (LSSI), is competent to initiate and resolve this Procedure
Sanctioner, the Director of the Spanish Agency for Data Protection.
II
A) .- About security measures in computer systems:
In the present case, the claimant denounces the lack of security measures,
in the management of the existing computer system in the claimed company.
However, from the information and documentation provided by the company,
Several aspects emerge that must be taken into account:
a) .- There is a work area made up of desks with computers and
some
locked metal filing cabinets, in which manual documentation is kept,
correctly identified.
b) .- Access is only allowed to authorized personnel. While the
documents with personal data are not stored on the devices
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 7
12/7
mentioned above, by working with them, the people who
are in charge of them are responsible for guarding them and preventing
can be used by other unauthorized persons.
c) .- The office is located in an industrial warehouse. To access it you must call
an external bell, enter with authorization, cross the ship and access the second
plant where the administrative management area of ​​the company is located.
d) .- About the storage of information in computer files: all
Files are located on the company's server (SERVER 2019). The
Users are assigned an identifier and password. Access is through the
PC of each user in Windows 10 environment, with username and password. You only have
access to files that are used and for which they are duly authorized.
e) .- About backup copies: the person responsible for the file is in charge of
periodically obtain a backup copy of the file. A copy of
daily security on the storage device (NAS), located in the
company, as well as another parallel copy on another storage device (NAS),
located in another warehouse, inside a locked cabinet where you only have access
the person responsible for the file and the authorized personnel.
f) .- According to the person in charge, the company has made the adaptation to the new
Regulation which includes a Security Document on Measures,
Norms, Procedures, Rules and Security Standards, in which they are made explicit
the measures and standards related to the identification and authentication of personnel with
access to personal data based on a password system environment
Windows 10.
g) .- Regarding Access Control, the personnel only access those
data and resources required for the development of its functions for which the
responsible will establish mechanisms to prevent a user from accessing resources
for those who do not have privileges based on the creation of different user profiles
in which access to authorized functions will be authorized / denied. Talk about
that staff will be informed of the applications, tools and documentation to the
who has access to perform their functions. Annex II, sent to that Agency,
includes an updated list of users, with access allowed to each system
of information, as well as the type of access.
Regarding the security of the entity's computer systems, indicate
that the RGPD establishes a new data protection system based on the
proactive responsibility. This means that they must be responsible for
treatment which will establish the appropriate technical and organizational measures to
guarantee an adequate level of security based on the risks detected in the
Previous analysis.
Therefore, the information and documentation provided by the entity claimed is not
it follows that the security policy, implemented in their computer systems,
contravene the guidelines set by the GDPR in this regard.
III
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 8
12/8
B) .- About the Cookies Policy, and following the recommendations of the "Guide on
Cookies ”published by the Spanish Agency for Data Protection, in November
2019, when entering the website https://happvfridavhome.com , the
following features:
a) On the initial page (first layer), there is a banner with the following legend:
"We use our own and third party cookies to improve our services and
show you advertising related to your preferences, by analyzing
your browsing habits. You can get more information, or know
how to change the settings, in our Cookies Policy. Press
ACCEPT to confirm that you have read and accepted the information presented.
After accepting, we will not show you this message again ”
a) In the second layer, "Cookies Policy". If you access the "Policy of
Cookies ”, information is provided on some aspects of cookies,
such as what they are, the types of cookies that exist but are not given
information on cookies, both own and third party, that are loaded when
you browse the web or the time they will remain installed on the computer
terminal. Nor is it possible, in this second layer, a mechanism that
allow you to manage the installation of cookies in granular form and / or to reject
all cookies.
IV
Thus, in the banner on cookies of the first layer, the information on the
Cookies provided do not allow users to understand their purposes and the use that is
it will give them since an unclear language is used, with phrases like “ (…) improve
our services (…) ” without further information on this matter.
In the second layer, which is accessed through the link, "Cookies Policy", there is no
informs about the type of cookies used, whether they are their own or from third parties or the period of
keeping them on the computer; whether or not it exists is not reported
international data transfer or if there is profiling. I do not know
includes a panel to manage cookies in a granular way or another that allows, in its
case, reject all cookies. The page is only limited to offering information about
tools that disable cookies and refer to the configuration of the
browser for it.
The exposed facts could suppose on the part of the entity demanded the commission
of the violation of article 22.2 of the LSSI, according to which: “The providers of
services may use data storage and recovery devices in
terminal equipment of the recipients, provided that they have given their
consent after clear and complete information has been provided to them
on its use, in particular, for the purposes of data processing, with
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 9
12/9
pursuant to the provisions of Organic Law 15/1999, of December 13, on protection
of personal data.
When technically possible and effective, the recipient's consent to
Accepting the data processing may be facilitated by using the parameters
browser or other applications. The above will not prevent the possible
storage or access of a technical nature for the sole purpose of transmitting
a communication by an electronic communications network or, to the extent that
it is strictly necessary, for the provision of a service of the company of the
information expressly requested by the recipient ”.
This Infringement is classified as mild in article 38.4 g) of the aforementioned Law, which
considers as such: “Use data storage and recovery devices
when the information had not been provided or the consent of the
recipient of the service in the terms required by article 22.2. ", and may be
sanctioned with a fine of up to € 30,000, in accordance with article 39 of the aforementioned
LSSI.
V
After the evidence obtained in the preliminary investigation phase, and without prejudice to
whatever results from the instruction, it is considered appropriate to graduate the sanction to
impose in accordance with the following criteria established by art. 40 of the LSSI:
- The existence of intentionality, an expression to be interpreted as
equivalent to degree of guilt according to the Judgment of the
National Hearing of 11/12/07 relapse in Resource no. 351/2006,
corresponding to the entity denounced the determination of a system of
Obtaining informed consent that is appropriate to the LSSI mandate.
- Period of time during which the offense has been committed, as it is the
claim May 2019, (section b).
In accordance with these criteria, it is considered appropriate to impose on the entity claimed
a penalty of 2,500 euros (two thousand five hundred euros), for the violation of the article
22.2 of the LSSI. Therefore, in accordance with the foregoing, by the Director of
the Spanish Data Protection Agency,
HE REMEMBERS:
START: SANCTIONING PROCEDURE to the entity HAPPY FRIDAY, SL, with
CIF: B54660980, owner of the website https://happvfridavhome.com , for Infringement
of article 22.2) of the LSSI, punishable in accordance with the provisions of art. 39.1.c) and
40) of the aforementioned Law, regarding its Cookies Policy.
NAME: as Instructor to DRRR, and Secretary, where appropriate, to Ms SSS , indi-
Whereas any of them may be challenged, if applicable, in accordance with the provisions of
cited in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the
Public Sector (LRJSP).
INCORPORATE: to the sanctioning file, for evidentiary purposes, the inter-
put by the claimant and its documentation, the documents obtained and generated
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 10
12/10
by the General Sub-Directorate for Data Inspection during the investigation phase
tions, all of them part of this administrative file.
WHAT: for the purposes provided in art. 64.2 b) of law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, the sanction that
could correspond would be a fine of 2,500 euros for the violation of article 22.2
of the LSSI, without prejudice to what results from the instruction.
REQUIRE: the entity HAPPY FRIDAY, SL, to take the appropriate measures
to include in the web pages of your ownership, information about the cookies that are
They install and a mechanism that enables or disables all cookies and another that
enable granular cookies to manage preferences
of the user.
NOTIFY: this agreement to initiate sanctioning proceedings against the entity
HAPPY FRIDAY, SL, granting you a hearing period of ten business days so that
formulate the allegations and present the evidence that you consider appropriate.
If, within the stipulated period, no allegations are made to this initial agreement, the same
may be considered a resolution proposal, as established in the article
64.2.f) of Law 39/2015, of October 1, of the Common Administrative Procedure of
Public Administrations (hereinafter, LPACAP).
In accordance with the provisions of article 85 of the LPACAP, in the event that the
sanction to impose were a fine, you can recognize your responsibility within the
zo granted for the formulation of allegations to this initial agreement; what
will entail a reduction of 20% of the sanction to be imposed in the
this procedure, equivalent in this case to 500 euros. With the application of
this reduction, the sanction would be established at 2000 euros, resolving the
transfer with the imposition of this sanction.
In the same way, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which means
will give a reduction of 20% of the amount thereof, equivalent in this case to 500
euros. With the application of this reduction, the sanction would be established in 2000
euros and their payment will imply the termination of the procedure.
The reduction for the voluntary payment of the sanction is cumulative to the one that corresponds
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the term granted to formulate
allegations to the opening of the procedure. Voluntary payment of the referred amount
in the previous paragraph it may be done at any time prior to the resolution. In
In this case, if both reductions were to apply, the amount of the sanction would be
established at 1,500 euros (one thousand five hundred euros).
In any case, the effectiveness of any of the two mentioned reductions will be
conditioned to the withdrawal or resignation of any action or recourse through administrative
against the sanction.
If you choose to proceed to the voluntary payment of any of the amounts indicated
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 11
12/11
previously, you must make it effective by entering the account number ES00
0000 0000 0000 0000 0000 opened in the name of the Spanish Agency for the Protection of
Data in Banco CAIXABANK, SA, indicating in the concept the reference number
cia of the procedure that appears in the heading of this document and the cause
reduction of the amount to which it avails.
Likewise, you must send the proof of income to the General Subdirectorate of Ins-
request to continue with the procedure in accordance with the amount entered
gives.
The procedure will have a maximum duration of nine months from the date
cha of the initiation agreement or, where appropriate, the draft initiation agreement. Elapsed
this period will expire and, consequently, the filing of proceedings; of
in accordance with the provisions of article 64 of the LOPDGDD. Finally, it was pointed out
which in accordance with the provisions of article 112.1 of the LPACAP, against this
act there is no administrative appeal.
Sea Spain Martí
Director of the Spanish Agency for Data Protection.
>>
SECOND : On June 15, 2020, the requested party has paid the
sanction in the amount of 1500 euros making use of the two planned reductions
in the Initiation Agreement transcribed above, which implies the recognition of the
responsibility.
THIRD : The payment made, within the period granted to make allegations to
the opening of the procedure, implies the waiver of any action or recourse
administrative against the sanction and the recognition of responsibility in relation to
the facts referred to in the Home Agreement.
FUNDAMENTALS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, on Personal Data Protection and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in the article
43.1 of said Law.
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es
Page 12
12/12
II
Article 85 of Law 39/2015, of October 1, of the Administrative Procedure
Common of Public Administrations (hereinafter, LPACAP), under the heading
" Termination in sanctioning procedures " provides as follows:
"one. Initiated a sanctioning procedure, if the offender acknowledges his
responsibility, the procedure may be resolved with the imposition of the sanction
that proceed.
2. When the sanction is solely pecuniary or fits
impose a pecuniary and a non-pecuniary sanction but it has been justified
the inadmissibility of the second, the voluntary payment by the alleged responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except with regard to the replacement of the altered situation or the determination of the
compensation for the damages caused by the commission of the offense.
3. In both cases, when the sanction is solely pecuniary in nature,
the competent body to resolve the procedure will apply reductions of, to
less, 20% on the amount of the proposed sanction, these being cumulative
each. The aforementioned reductions must be determined in the notification of
initiation of the procedure and its effectiveness will be conditioned to the withdrawal or
waiver of any action or administrative remedy against the sanction.
The reduction percentage provided in this section may be increased
by regulation.
According to what was stated,
the Director of the Spanish Agency for Data Protection RESOLVES :
FIRST: DECLARE the termination of the procedure PS / 00473/2019 , of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to HAPPY FRIDAY, SL .
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.
Against this resolution, which ends the administrative route as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, of the Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within two months from
day after notification of this act, as provided in article 46.1 of the
referred Law.
Sea Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6
www.aepd.es
28001 - Madrid
sedeagpd.gob.es