AEPD - E/07449/2019

From GDPRhub
AEPD - E/07449/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Appeal
Outcome: Dismissed
Decided: n/a
Published: n/a
Fine: None
Parties: Google LLC
National Case Number: E/07449/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

The AEPD dismissed appeal against Google regarding its compliance with the obligation of information as provided for in Article 13 GDPR. It found that there was no new evidence or legal arguments to prove that the contested decision should be reconsidered.

English Summary[edit | edit source]

Facts[edit | edit source]

Appeal was lodged against AEPD's decision which had found Google to be compliant with the requirements laid down in Article 13 GDPR.

The initial complaint related mainly to Google's privacy and transparency policy which allegedly violated the legislation on the protection of personal data. More specifically, the complainant claimed that the information on the said policy had become obsolete since it was not modified according to the requirements of the GDPR.

Holding[edit | edit source]

The AEPD found that Google updated its Privacy Policy in order to comply with the GDPR and it provides detailed information about the data it collects, how it uses it and how it can be modified, managed, downloaded, deleted, etc. Google also provides the web address to access the updated version of its Privacy Policy and the information about Data Transfers.

Finally, the AEPD noted that no new facts or legal arguments have been put forward which would lead to the reconsideration of the validity of the contested decision. Therefore, it dismissed the appeal.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Having regard to the appeal for reconsideration lodged by Mr A.A.A. against the decision of the Director of the Spanish Data Protection Agency in Case E/07449/2019, and on the basis of the following

FIRST:On 23/10/2019, the Director of the Spanish Data Protection Agency issued a decision in the file of previous actions of inspection E/07449/2019, proceeding to file the actions in application of the principle of presumption of innocence.

SECOND: A.A.A. (hereinafter the appellant) lodged an appeal for reconsideration with the Agency on 10 December 2019, basically on the basis of the allegations made earlier

Competent to decide on this appeal is the Director of the Spanish Data Protection Agency, in accordance with the provisions of Article 123 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP).

The resolution appealed against was based on the following: "II Article 13 of the GDPR establishes the information that must be provided to the interested parties at the time their data is collected, establishing the following: "Information that must be provided when the personal data is obtained from the interested party.1When personal data are obtained from a data subject, the data controller shall, at the time the data are obtained, provide the data subject with all the following information: (a) the identity and contact details of the data controller and, where appropriate, his representative; (b) the contact details of the data protection officer, where appropriate; (c) the purposes of the processing for which the personal data are intended and the legal basis of the processing; 4.5.2016 L 119/40 Official Journal of the European Union EN (d) where the processing is based on Article 6(1)(f), the legitimate interests of the data controller or of a third party (f) where appropriate, the controller's intention to transfer personal data to a third country or international organisation and the existence or otherwise of a Commission decision, or, in the case of transfers pursuant to Article 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means to obtain a copy of these safeguards or the fact that they have been provided. 2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data(b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them rectified, erased or restricted or to object to their processing and the right to have the data processed; (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent prior to withdrawal e) whether the communication of personal data is a legal or contractual requirement, or a necessary requirement for entering into a contract, and whether the data subject is obliged to supply the personal data and is informed of the possible consequences of not supplying such data; f) the existence of automated decisions, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved and the likely importance and consequences of such processing for the data subject. 3. Where the controller plans the further processing of personal data for a purpose other than that for which they were collected, he shall provide the data subject, prior to such further processing, with information regarding that other purpose and any relevant additional information within the meaning of paragraph 2. 4. The provisions of paragraphs 1, 2 and 3 shall not apply where and insofar as the information is already available to the data subject.

In the present case, the complaint lodged relates principally to the infringement of the privacy and transparency policy by Google in relation to the legislation on the protection of personal data, referring to dissatisfaction with and information on the said policy of the entity complained of which has already become obsolete since it is not currently in force as it was subsequently modified by the entity itself when it was adapted to the new GDPR.Initially, this complaint was transferred to the Irish data protection authority, on the understanding that it was the main authority to deal with this case, taking into account that the person responsible had his main place of business in Ireland, in accordance with Article 4 of the PGN. However, the Irish authority denied its competence, arguing that the complaint had been lodged before 21 January, the date on which the data controller actually established his principal place of business in that State.In this sense, it should be noted that Google has updated its current Privacy Policy after months of work in order to update its policies and comply with the new general data protection regulations (GDPR). Thus, Google indicates and details the data it collects, how it uses them and how they can be modified, managed, downloaded, deleted, etc, It provides the web address to access the updated version of its Privacy Policy and the information on Macs for Data Transfer through the URL: https://policies.google.com/privacy. It also provides information on Data Transfers and their adherence to the principles of Privacy Shield and information provided to users on how to contact if they have any questions about practices in relation to this matter. 

In this regard, it is worth mentioning the exceptional nature of the sanctioning procedure, from which it derives that - whenever possible - it should be adopted due to the prevalence of alternative mechanisms in the case that they are not covered by the regulations in force, as is the case in the case submitted to the present appeal for reversal. 

In summary, the principles applicable to the sanctioning procedure and its initiation should be brought up. The sanctioning procedure in matters of data protection is one of the manifestations of the "ius puniendi" of the State. The sanctioning proceedings of the Spanish Data Protection Agency are always initiated ex officio by the Director of the Spanish Data Protection Agency, as the Audiencia Nacional has maintained in rulings such as, among others, that issued in March 2006 (REC 319/2004). Therefore, it is the exclusive competence of the Spanish Data Protection Agency to assess whether there are administrative responsibilities that must be dealt with in a sanctioning procedure and, consequently, the decision on whether to initiate it, and there is no obligation to initiate the procedure in the face of any request made by the third party, but rather it must be based on the existence of elements that justify the initiation of sanctioning activity, circumstances that do not exist in the present case in the face of the arguments put forward by the appellant and the decision on the incidents that have been raised. Therefore, given that, in the present appeal for reversal, no new facts or legal arguments have been put forward that would allow the validity of the contested decision to be reconsidered, it is appropriate to dismiss it. A.A.A. against the resolution of this Agency issued on 23/10/2019, in the file of previous actions of inspection E/07449/2019. SECOND:TO NOTIFY the present resolution to Mr. A.A.A..

In accordance with the provisions of Article 37.2 of the LOPD, in the wording given by Article 82 of Law 62/2003, of 30 December, on fiscal, administrative and social order measures, this Resolution shall be made public, once it has been notified to the interested parties. The publication shall be carried out in accordance with the provisions of Instruction 1/2004, of 22 December, of the Spanish Data Protection Agency on the publication of its Resolutions and in accordance with the provisions of Article 116 of the regulations implementing the LOPD approved by Royal Decree 1720/2007, of 21 December.Against this resolution, which puts an end to the administrative procedure, a period of two months may be interposed starting from the day following the notification of this act in accordance with the provisions of Article 46.1 of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of the aforementioned legal text.