AEPD - PS/00090/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 57(1) GDPR Article 58(1) GDPR Article 58(2) GDPR Article 83(1) GDPR Article 83(2) GDPR Article 83(5)(e) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 13.07.2020 |
Published: | |
Fine: | 3000 EUR |
Parties: | AAA XFERA Móviles S.A. |
National Case Number/Name: | PS/00090/2020 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | Agencia Española de Protección de Datos (in ES) |
Initial Contributor: | Silvia López |
Spanish DPA found a company in breach of Article 58(1) GDPR for failing to comply with a DPA's request for access to information in the course of an investigation, conduct sanctioned in Article 83(5)(e) GDPR.
English Summary
Facts
The company has not provided to the Spanish DPA the information it requested in the course of an investigation following a complaint by Ms AAA. With the above-mentioned conduct of the respondent, the power of investigation that the Article 58(1) of the RGPD confers on the supervisory authorities, in this case, the AEPD, has been hampered.
Dispute
What are the consequences of failing to comply with a DPA's request for access to information? What happens if the company penalised recognises its responsibility and proceeds to the voluntary payment of the fine imposed by the DPA?
Holding
The Spanish DPA imposed a fine of EUR 5 000 on the company under investigation, which was reduced to EUR 3 000 for the company's voluntary payment and acknowledgment of its responsibility for the facts (in turn waiving any subsequent appeal against the decision)
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
DECISION R/00260/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT VOLUNTEER In the sanctioning procedure PS/00090/2020, conducted by the Agency Spanish Data Protection Agency to XFERA MÓVILES, S.A., in view of the complaint presented by A.A.A., and based on the following, LEGAL FOUNDATIONS I By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the authority, and as set out in Articles 47, 48(1), 64(2) and 68(1) of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. II C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/9 In accordance with the evidence available here time of agreement to initiate the sanctioning procedure, and without prejudice to As a result of the investigation, the respondent is deemed not to have provided the Agency with Española de Protección de Datos the information you requested. With the above-mentioned conduct of the respondent, the power of investigation that the Article 58(1) of the RGPD confers on the supervisory authorities, in this case, the AEPD, has been hampered. Therefore, the facts described in the "Facts" section are deemed constitute an infringement, attributable to the defendant, for violation of Article 58.1 of the RGPD, which provides that each supervisory authority shall have, among its investigative powers: "(a) to order the controller and the processor and, where appropriate, the representative of the person in charge or of the person in charge, to provide any information it requires for the performance of its duties; (b) carry out investigations in the form of data protection audits a review of the certificates issued pursuant to Article 42(1) 7; (d) notify the controller or processor of the alleged (e) obtain from the person responsible and from the access to all personal data and to all the information contained in the information necessary for the performance of their duties all premises of the controller and of the processor, including any equipment and means of data processing, in accordance with Procedural law of the Union or of the Member States". III In accordance with the evidence available here time of agreement to initiate the sanctioning procedure, and without prejudice to As a result of the investigation, it is considered that the facts set out could be constitute an infringement, attributable to the defendant. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/9 This infraction is typified in Article 83.5.e) of the RGPD, which considers such as: 'failure to provide access in breach of Article 58(1)'. The same Article states that this infringement may be penalised with a fine of twenty million euros (20,000,000 euros) maximum or, in the case of a company, for an amount equivalent to a maximum of four percent (4%) of total annual turnover for the previous financial year, opting for the of higher value. For the purposes of the limitation period of the infringements, the alleged infringement prescribes after three years, in accordance with Article 72.1 of the LOPDGDD, which qualifies as very serious the following behavior: "(ñ) Failure to provide access by staff of the data protection authority competent to personal data, information, premises, equipment and means of processing required by the data protection authority to the exercise of their powers of investigation. (o) Resistance to or obstruction of the exercise of the inspection function by competent data protection authority." IV In the light of the above facts, without prejudice to the In the event that the proceedings are opened, it is considered that the defendant should be charged with the violation of Article 58.1 of the RGPD typified in Article 83.5 e) of the RGPD. The The sanction that should be imposed is an administrative fine. The fine to be imposed must, in each individual case, be effective, proportionate and dissuasive, in accordance with Article 83.1 of the RGPD. Consequently, the sanction to be imposed should be graduated according to the criteria established by Article 83.2 of the RGPD, and with the provisions of Article 76 of the LOPDGDD, with respect to paragraph k) of the aforementioned Article 83.2 RGPD. V C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/9 Finally, the penalty to be imposed should be graduated according to the criteria established by Article 83.2 of the RGPD, and with the provisions of Article 76 of the LOPDGDD, with respect to paragraph k) of the aforementioned Article 83.2 RGPD. The initial assessment shows that no The following facts have been considered to be aggravating - Art. 83.2(b) RGPD: the intentionality or negligence in the infringement. These are of a company that is not newly created and should have procedures established for the fulfilment of the obligations that provides for the data protection regulations, among them, to respond to the requirements of the supervisory authority. - Art. 83.2(k) RGPD: any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement. The complaint refers to a person's particular case, but the data processing to which it refers, can potentially affect a very high number of customers of the responsible entity or users of the service provided by the responsible entity. Therefore, on the basis of the above, By the Director of the Spanish Data Protection Agency, AGREED: FIRST: Initiate disciplinary proceedings against XFERA MÓVILES, S.A, with NIF A82528548, for the infringement of article 58.1 of the RGPD, typified in art. 83. 5 e) of the aforementioned RGPD. SECOND: To appoint B.B.B. as instructor and C.C.C. as secretary, indicating that any of them may be challenged, if appropriate, in accordance with the established in Articles 23 and 24 of Law 40/2015 of 1 October on the Public Sector Law (LRJSP). C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/9 THIRD: TO INCORPORATE into the sanctioning file, for evidential purposes, the information requirement issued by the Subdirectorate General for the Inspection of Data in the framework of research actions with reference code E/95799/2019 and proof of notification. FOURTH: THAT for the purposes of article 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure for Public Administrations, the 5,000.00, without prejudice to the amount of the fine. resulting from the instruction. FIFTH: TO NOTIFY this agreement to XFERA MÓVILES, S.A., with NIF A82528548, giving you a hearing period of ten working days to formulate the allegations and submit the evidence he deems appropriate. In its brief of claims must provide their VAT number and the procedure number in the heading of this document. If you do not make representations to this initiating agreement within the stipulated time, the may be considered as a motion for resolution, as set out in the Article 64(2)(f) LPACAP. The procedure shall last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. After this period, the agreement will expire and, consequently, the actions; in accordance with the provisions of Article 64 of the LOPDGDD. In accordance with the provisions of Article 85 of the LPACAP, it may recognize their responsibility within the time allowed for the formulation of arguments to the present agreement of initiation; this will entail a reduction of 20% of the penalty to be imposed in this procedure. With the 4,000.00, The procedure was resolved with the imposition of this sanction. Similarly, at any time prior to the resolution of the The Commission shall, in accordance with this procedure, carry out the voluntary payment of the proposed penalty C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/9 which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at 4,000.00 euros and its payment would involve the completion of the procedure The reduction for the voluntary payment of the penalty is cumulative with the one The same applies to the recognition of liability, provided that this recognition of responsibility is shown within the time limit granted to make representations on the opening of the proceedings. The payment of the amount referred to in the preceding paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at In any case, the effectiveness of either of the two above-mentioned reductions shall be conditioned upon the waiver or relinquishment of any action or remedy in the administrative sanction against the sanction. If you choose to proceed with the voluntary payment of any of the amounts indicated above ('4,000.00 or '3,000.00), you must make it effective by paying it into the account nº ES00 0000 0000 0000 0000 opened on behalf of the Spanish Data Protection Agency at the Bank CAIXABANK, S.A., indicating in the concept the reference number of procedure set out in the heading of this document and the cause of reduction of the amount involved. You must also send the receipt of the payment to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity admitted. Finally, it is noted that in accordance with Article 112.1 of the LPACAP, there is no administrative appeal against this act. Mar Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/9 >> SECOND: On June 11, 2020, the claimant paid the 3,000 by making use of the two reductions provided for in the above transcribed Inception Agreement, which implies recognition of the responsibility. THIRD: The payment made, within the period granted to make allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanctioning and acknowledgement of responsibility in relation to the facts referred to in the Agreement to Initiate. LEGAL GROUNDS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the control, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (in (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the information and electronic commerce (hereinafter referred to as the ISESA), as provided for in 43.1 of that Act II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. Penalty proceedings are initiated if the offender acknowledges his responsibility, the proceedings may be terminated with the imposition of the penalty as appropriate. 2. Where the penalty is solely pecuniary in nature or where it is impose a financial penalty and a non-pecuniary penalty but has been justified the impropriety of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the penalty is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at at least 20 % of the amount of the proposed penalty, which may be cumulated with each other. These reductions shall be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/9 As noted, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the completion of procedure PS/00090/2020, of in accordance with Article 85 of the LPACAP. SECOND: NOTICE this resolution to XFERA MÓVILES, S.A.. In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure The interested parties may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months of day following notification of this act, as provided for in Article 46(1) of referred to Law. Mar Spain Martí Director of the Spanish Data Protection Agency