| AEPD - PS/00127/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 05.04.2021 |
| Fine: | None |
| Parties: | IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL |
| National Case Number/Name: | PS/00127/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD decision (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA issued a warning to Iberia Líneas Aéreas de España for not informing their workers in accordance with Article 13 GDPR regarding a fingerprint clock-in system.
English Summary
Facts
Iberia Líneas Aéreas de España installed a new fingerprint clock-in system for their workers. They did it following the guidance of the General Labour Confederation. However, Iberia did not inform their workers about the aspects of the general information duty included in Article 13 GDPR.
Dispute
Is this a violation of Article 13 GDPR?
Holding
The AEPD held that there had been a violation of Article 13. According to the Spanish authority, Iberia should have informed their workers about all the relevant aspects included in Article 13, informing in a clear, concise and complete way about the legal basis that allow such processing and about the rest of the relevant information, specially taking into account that the personal data involved are biometric data from Article 9.
The AEPD took also into account the fact that Iberia offered information regarding the processing in their privacy policy since 2018 and, mainly, that they issued a communication to their workers regarding the processing of biometric data in October 2020. Because all of this, the AEPD imposed solely a warning on Iberia.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/12
Procedure Nº: PS / 00127/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: The claim filed by Ms. A.A.A. (hereinafter the claimant),
It has an entry dated 04/29/2019 in the Spanish Agency for Data Protection.
The claim is directed against IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A.
UNIPERSONAL OPERATOR, with NIF A85850394 (hereinafter, the claimed one). The
reasons on which the claim is based are: that on 01/24/2019 the C.G.T (Confederación
General del Trabajo) asked the company to follow a series of guidelines: creation and
notification of the mandatory file and obligation to duly inform the
workers before the collection of the fingerprints of the service agents
auxiliaries for a new signing system that would be implemented in the near future. The
02/27/2019 Iberia replies that it is a lawful and adequate treatment, in addition
of measures for safe treatment. However, to date there has been no
provided no document to workers who register their fingerprint.
SECOND: The Subdirectorate General for Data Inspection proceeded to transfer
the claim to the defendant to report on the facts and the measures
taken, having knowledge of the following points:
On 06/18/2019, the claim submitted for analysis was transferred to the defendant
of the decision taken in this regard. Likewise, it was required so that within the period of
one month send the Agency certain information:
- Copy of the communications, of the adopted decision that has been sent to the
claimant regarding the transfer of this claim, and accreditation that
the claimant has received the communication of that decision.
- Report on the causes that have motivated the incidence that has originated the
claim.
- Report on the measures adopted to prevent the occurrence of
similar incidents.
- Any other that you consider relevant, etc.
On 07/19/20196 the respondent responded to the request for information
answering the questions raised and providing the following documentation:
- Letter from the CGT dated 01/24/2019.
- Response from IBERIA on 01/29/2019.
- Letter from CGT dated 03/18/2019.
- Analysis of Impact on privacy on the treatment in question.
- Communication to all employees on 05/25/2018.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/12
- Privacy policy for IBERIA employees.
- Screenshots of the Intranet and the app for employees of the
business.
Subsequently, on 09/12/2019, the defendant was asked to provide the study of
Impact evaluation; giving an answer the next day noting that the aforementioned
The report could only be provided in MS Excel format, not having been accepted as
valid in the electronic office, reason for which it proceeded to present it through the
Agency physical record.
THIRD: On 10/09/2019, in accordance with article 65 of the LOPDGDD, the
Director of the Spanish Agency for Data Protection agreed to admit for processing the
claim filed.
FOURTH: On 09/30/2020, the Director of the Spanish Protection Agency
of Data agreed to initiate a sanctioning procedure for the claimed party, for the alleged
infringement of article 13 of the RGPD, sanctioned in accordance with the provisions of article
58.2.b) of the RGPD.
FIFTH: Notified the initiation agreement, the claimed on 10/15/2010 presented
brief of allegations stating in summary the following: that it was reiterated in the
allegations made in writing dated 07/19/2019 and stated that there had been
prepared and communicated to the staff informative note on biometric treatment
using fingerprint or facial recognition systems
for access control.
SIXTH: On 10/21/2020 a test practice period began,
remembering the following
- To consider reproduced for evidentiary purposes the claim filed by the
claimant and its documentation, the documents obtained and generated by the
Inspection services that are part of file E / 05886/2019.
- To consider reproduced for evidentiary purposes, the allegations to the agreement of
beginning presented by the claimed and the documentation that accompanies them.
SEVENTH: On 02/26/2020 a Resolution Proposal was issued to the effect that
by the Director of the AEPD the claimed person will be sanctioned for violation of article 13
of the RGPD, typified in article 83.5.a) of the RGPD, with warning of
in accordance with article 58.2.b) of the RGPD.
After the period legally indicated at the time of this Resolution, the
The complainant had not submitted any written allegation whatsoever.
EIGHTH: Of the actions carried out in the present procedure, there have been
accredited the following:
PROVEN FACTS
FIRST: The claimant submitted a written entry dated 04/29/2019 in the
Spanish Agency for Data Protection, stating that on 01/24/2019 C.G.T
(General Labor Confederation) asked the company for information on the
implementation of the access system and follow a series of guidelines on the
itself: creation and modification of the mandatory file and obligation to inform
duly to the workers before the collection of the fingerprints of the
Auxiliary service agents for a new signing system that will be implemented in
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/3
a near future; On 02/27/2019, the complainant indicated that it was a lawful treatment,
adequate and safe; without any document being provided to the workers
that register your fingerprint.
SECOND: Letter from CGT of 01/24/2019 has been provided stating its
Disagreement with the guidelines followed by the complainant when collecting fingerprints
fingerprints for the implementation of our signing system in the company, without
at no time had the workers or the
creation and notification of the mandatory file.
THIRD: The respondent's response is stated stating that the replacement of the
magnetic cards for the use of the fingerprint limited exclusively to the area of
airport ramp and the workers who work there implies a lawful treatment
protected in the public interest of the claimed, adequate and secure data
sensitive personnel involved; that the defendant has already informed this type of
treatment within its privacy policy available from May 2018 to
through the internet.
FOURTH: On 03/18/2019 CGT indicated that the information provided by the company
to inform his workers was quite scarce from what he understood that it was
insufficient despite being said to respond to appropriate treatment and
needs of the same.
FIFTH: On 09/13/2019 the respondent provided an Impact Assessment of the treatment
carried out on the treatment of the fingerprint for access control.
SIXTH: On 10/15/2020, the complainant has provided an informative communication
Complementary to employees Informative Note on data processing
biometric through fingerprint recognition systems or
facial recognition for access control.
FOUNDATIONS OF LAW
I
The Director of the Agency is competent to resolve this procedure
Spanish Data Protection, in accordance with the provisions of art. 58.2 of
RGPD and in art. 47 and 48.1 of LOPDGDD.
II
The legitimacy for the treatment of the fingerprint for the control of the
workers by the employer we must look for it in article 9 and 6 of the RGPD.
Article 9 of the RGPD establishes in its sections 1 and 2.b) the following:
"one. The processing of personal data that reveal the origin is prohibited
ethnic or racial, political opinions, religious or philosophical convictions, or
union membership, and the treatment of genetic data, biometric data directed to
uniquely identify a natural person, data related to health or data
relating to the sexual life or sexual orientations of a natural person.
2. Section 1 shall not apply when one of the
following circumstances:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/12
b) the treatment is necessary for the fulfillment of obligations and the
exercise of specific rights of the person responsible for the treatment or
interested in the field of labor law and security and protection
social, insofar as it is authorized by the law of the Union of the
Member States or a collective agreement under the law of the
Member States to establish adequate guarantees of respect for the
fundamental rights and interests of the interested party. "
Article 6.1.b) of the RGPD indicates:
"one. The treatment will only be lawful if at least one of the following is met
terms:
(…)
b) the treatment is necessary for the performance of a contract in which the
interested is part or for the application at the request of this of measures
pre-contractual. "
The defendant has legitimacy, based on the indicated regulations, to
carry out the labor control of its workers and as long as it meets the requirements
indicated in the fifth Law Foundation.
III
The facts that motivate the claim presented and that are the subject of the
This procedure is materialized in the request made by the claimant to the
claimed in relation to the implementation of a new access system and the
Obligation to duly inform workers.
The facts claimed imply the violation of what is stated in article 13
of the RGPD, by not duly informing of the planned treatment in relation to the
fingerprint check-in control, in accordance with the pronouncements
established in the aforementioned article.
This article determines the information that must be provided to the interested party in the
moment of the collection of your data, establishing the following:
"Article 13. Information that must be provided when personal data is
obtained from the interested party.
1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined and the basis
legal treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the
legitimate interests of the person in charge or of a third party;
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/12
e) the recipients or categories of recipients of personal data,
in your case;
f) where appropriate, the intention of the person responsible to transfer personal data to a
third country or international organization and the existence or absence of a
Commission adequacy decision, or, in the case of transfers
indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,
reference to adequate or appropriate guarantees and means of obtaining
a copy of these or the fact that they have been loaned.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:
a) the period during which the personal data will be kept or, when not
where possible, the criteria used to determine this deadline;
b) the existence of the right to request the data controller for access
to the personal data relating to the interested party, and its rectification or deletion, or
the limitation of its treatment, or to oppose the treatment, as well as the
right to data portability;
c) when the treatment is based on article 6, paragraph 1, letter a), or the
Article 9, paragraph 2, letter a), the existence of the right to withdraw the
consent at any time, without affecting the legality of the
treatment based on consent prior to withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or
a necessary requirement to enter into a contract, and if the interested party is
obliged to provide personal data and is informed of the possible
consequences of not providing such data;
f) the existence of automated decisions, including profiling, to
referred to in article 22, paragraphs 1 and 4, and, at least in such cases,
meaningful information about the applied logic, as well as the importance and
expected consequences of said treatment for the interested party.
3. When the person responsible for the treatment plans the subsequent treatment of
personal data for a purpose other than that for which it was collected,
will provide the interested party, prior to said further processing, information
on that other purpose and any additional relevant information pursuant to section 2.
4. The provisions of sections 1, 2 and 3 shall not apply when and in
the extent to which the interested party already has the information ”.
IV
In the present case, the claimant declares to write to the defendant
requesting that workers be duly informed before the collection of
fingerprints for the implementation of a new time control system, without
that any answer was obtained.
However, the documentation provided to the file contains the answer
offered to the claimant, as stated in the second precedent, stating that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/12
the replacement of the established system by the use of the limited fingerprint
exclusively to the airport ramp area and the workers who there
they worked implied a lawful, adequate and secure treatment of personal data
sensitive parties involved and that it had informed through its privacy policy to
through the intranet.
In relation to the issues raised in this case, first of all
It should be noted that the implementation of a time control system based on the
fingerprint by the employer, must be informed to employees of
complete, clear, concise manner and, in addition, the aforementioned information must be completed
with reference to both the legal bases that cover this type of control of
access, as well as the basic information referred to in article 13 of the
GDPR.
In the case under review, although the response of the respondent to the writing is counted
presented by the claimant stating that the system to be implemented was safe and
relevant, both the information transmitted by the respondent and the system
used to communicate the access and time control system is not the most
adequate given the quality and specialty of the data that was requested, being able to
have made a greater effort in its information policy on the
planned treatment, formulating it in a much more detailed and complete way,
as well as responding to certain casuistry such as the cases of workers who are
they will refuse to provide their fingerprint.
However, it should be noted that the entity in the allegations to the agreement of
initiation of the procedure provided a complementary communication aimed at the
employees Informative Note on the processing of biometric data through
fingerprint recognition or facial recognition systems for the
access control, in accordance with the regulations on the protection of
data and, likewise, the mandatory impact assessment relative to the
data protection regulated in article 35 of the RGPD, providing the document
correspondent.
Secondly, it should be noted that the installation of a
control based on the collection and treatment of the employee's fingerprint
implies the processing of your personal data since personal data is all
that information about an identified or identifiable natural person of
in accordance with article 4.1 of the RGPD.
As for the fingerprint, it is also data that must be
classified as biometric data and in accordance with article 4.14 of the RGPD have
this consideration when they have been “obtained from a technical treatment
specific, relating to the physical, physiological or behavioral characteristics of a
natural person that allow or confirm the unique identification of said person,
such as facial images or fingerprint data ”.
This means that, in accordance with article 9.1 of the RGPD, in the case
present, the specific regime provided for special categories is applied to them
of data provided for in article 9 of the RGPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/12
In this sense, recital 51 of the RGPD highlights the nature of
restrictive with which the processing of these data can be admitted:
“(51) ... Such personal data should not be processed, unless it is allowed
its treatment in specific situations contemplated in this Regulation,
given that Member States may lay down provisions
specific data protection in order to adapt the application of the
rules of this Regulation to the fulfillment of a legal obligation or to the
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred to the person responsible for the treatment. In addition to the requirements
specific to that treatment, the general principles and other
rules of this Regulation, especially with regard to the conditions of
legality of the treatment. Exceptions to the
general prohibition of treatment of these special categories of personal data,
among other things when the interested party gives their explicit consent or in the case of
specific needs, in particular when the treatment is carried out in the
framework of legitimate activities by certain associations or foundations whose
The objective is to allow the exercise of fundamental freedoms.
And recital 52 indicates that
“(52) Likewise, exceptions to the prohibition to treat
special categories of personal data when established by the Law of the
Union or Member States and provided that appropriate guarantees are given, in order to
to protect personal data and other fundamental rights, when it is in the interest
public, in particular the processing of personal data in the field of legislation
labor law, legislation on social protection, including pensions and for the purposes of
safety, supervision and health alert, prevention or control of diseases
communicable and other serious threats to health ... "
In accordance with these considerations, the processing of biometric data from
special categories will require, in addition to the concurrence of one of the bases
legal provisions established in article 6 of the RGPD, any of the exceptions provided
in article 9.2 of the RGPD.
The analysis of the legal basis of legitimacy to carry out this treatment comes
of article 6 of the RGPD, regarding the legality of the treatment, which in its section 1, letter
b) states: “The treatment will be lawful if at least one of the following is met
conditions: (…) b) the treatment is necessary for the execution of a contract in the
that the interested party is part of or for the application at his request of measures
pre-contractual (…) ”.
By virtue of this precept, the treatment would be lawful and would not require the
consent, when the data processing is carried out for the fulfillment of
contractual relationships of a labor nature.
On the other hand, and as highlighted in recital 51 of the same RGPD,
insofar as biometric data is of a special category in the cases
of biometric identification (art. 9.1 RGPD), it will be necessary for one of the
the exceptions provided in article 9.2 of the RGPD that would allow lifting the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/8
general prohibition of the treatment of these types of data established in the article
9.1.
At this point, special mention must be made of letter b) of article 9.2 of the
RGPD, according to which the general prohibition of biometric data processing does not
it will be applied when “the treatment is necessary for the fulfillment of
obligations and the exercise of specific rights of the person responsible for the treatment or
of the interested party in the field of labor law and social security and protection,
to the extent authorized by the Union law of the Member States or
a collective agreement in accordance with the law of the Member States that establishes
adequate guarantees of respect for fundamental rights and the interests of the
interested".
In Spanish law, article 20 of the Consolidated Text of the Statute of
workers (TE), approved by Royal Legislative Decree 2/2015, of 23
October, foresees the possibility for the employer to adopt surveillance measures and
control to verify compliance with the labor obligations of their
workers:
"3. The employer may adopt the measures he deems most appropriate in
surveillance and control to verify compliance by the worker with his obligations
and labor duties, keeping in their adoption and application the consideration due to
their dignity and taking into account, where appropriate, the actual capacity of the workers
with disabilities ”.
The possibility of using data-based systems is undeniable
biometric to carry out access and time control, although it does not seem
that is or should be the only system that can be used: thus the use of cards
personal codes, the use of personal codes, the direct visualization of the
marking, etc., which may constitute, by themselves or in combination with any of the
the other systems available, equally effective measures to carry out the
control.
In any case, prior to the decision on the start-up
of such a control system and taking into account its implications,
processing of biometric data aimed at uniquely identifying a
natural person, it would be mandatory to carry out an impact assessment regarding the
protection of personal data to evaluate both the legitimacy of the
treatment and its proportionality as the determination of the existing risks and
the measures to mitigate them in accordance with the provisions of article 35 RGPD.
In the present case, it must be stated that the entity has accredited the
mandatory impact assessment related to data protection regulated in the
Article 35 of the RGPD, providing the corresponding document, since the
09/13/2019 presented the document Impact Evaluation of the treatment carried out
cape.
V
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/12
On the other hand, biometric data is closely linked to a
person, since they can use a certain unique property of an individual
for your identification or authentication.
According to Opinion 3/2012 on the evolution of biometric technologies,
“Biometric data irrevocably changes the relationship between the body and the
identity, as they make the characteristics of the human body legible
by machines and are subject to further use. "
In relation to them, the Opinion specifies that it is possible to distinguish different types of
treatments by stating that “Biometric data can be processed and stored in
different ways. Sometimes the biometric information captured from a person is
stored and treated raw, allowing the source from which it came to be recognized without
special knowledge; for example, a photograph of a face, a photograph of a
fingerprint or voice recording. Other times, raw biometric information
captured is treated in such a way that only certain characteristics or traits are extracted and
they are saved as a biometric template. "
The processing of these data is expressly permitted by the RGPD
when the employer has a legal basis, which is usually his own
Work contract. In this regard, the STS of July 2, 2007 (Rec. 5017/2003),
that he has understood the legitimate treatment of biometric data carried out by the
Administration for the time control of its public employees, without it being necessary
the prior consent of the workers.
However, the following should be noted:
O The worker must be informed about these treatments.
O The principles of limitation of the purpose, necessity,
proportionality and data minimization.
In any case, the treatment must also be adequate, pertinent and not
excessive in relation to that purpose. Therefore, biometric data other than
necessary for that purpose should be suppressed and creation will not always be justified.
of a biometric database (Opinion 3/2012 of the Art. 29 Working Group).
O Use of biometric templates: Biometric data must be stored
as biometric templates whenever possible. The template should be taken from
a way that is specific to the biometric system in question and not used
by other data controllers of similar systems in order to ensure that
a person can only be identified in biometric systems that have
a legal basis for this operation.
O The biometric system used and the security measures chosen must
ensure that reuse of the biometric data in question is not possible
for another purpose.
O Mechanisms based on encryption technologies should be used, in order to
prevent unauthorized reading, copying, modification or deletion of biometric data.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/12
O Biometric systems should be designed so that they can be revoked
the identity bond.
O You must choose to use data formats or specific technologies that
make it impossible to interconnect biometric databases and disclose data
not verified.
O Biometric data should be deleted when they are not linked to the
purpose that motivated their treatment and, if possible, they should be implemented
automated data deletion mechanisms.
SAW
Article 83.5 b) of the RGPD, considers that the infringement of “the rights of
the interested parties according to articles 12 to 22 ”, is punishable, in accordance with the
paragraph 5 of the aforementioned article 83 of the aforementioned Regulation, “with fines
administrative fees of € 20,000,000 maximum or, in the case of a company, a
an amount equivalent to a maximum of 4% of the total global annual business volume of the
previous financial year, opting for the one with the highest amount ”.
The LOPDGDD in its article 71, Infractions, states that:
“The acts and conducts referred to in the
paragraphs 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that
are contrary to this organic law ”.
The LOPDGDD in its article 72 indicates for the purposes of prescription: "Infractions
considered very serious:
"one. Based on the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and will prescribe after three years the infractions that
suppose a substantial violation of the articles mentioned in that and, in
in particular, the following:
(…)
h) The omission of the duty to inform the affected party about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the
Regulation (EU) 2016/679 and 12 of this organic law.
(…) "
VII
The sanctioning procedure that concerns us shows that in the installation of
a new fingerprint attendance control system to be implemented had
been carried out without duly informing with all the guarantees indicated
in the data protection regulations, specifically in accordance with the provisions
in article 13 of the RGPD, being able to have incurred in the violation of the same.
Therefore, the conduct of the defendant would constitute a violation of the provisions
in article 13 of the RGPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/12
On the other hand, the RGPD, without prejudice to the provisions of its article 83,
contemplates the possibility of resorting to the sanction of warning to correct the
processing of personal data that does not conform to your forecasts.
Likewise, it is contemplated that the resolution issued will establish the measures
that is appropriate to adopt so that the conduct ceases, the effects of the offense are corrected
that had been committed, the adequacy of the information offered to users to the
requirements contemplated in article 13 of the RGPD, as well as the contribution of
Proof of compliance with what is required.
However, it should be noted that in the allegations to the agreement to initiate the
In this procedure, the complainant has provided a copy of the communication made
to all workers and that it came to complement the information provided with
previously Informative Note on the processing of biometric data through
fingerprint recognition or facial recognition systems for the
access control, in accordance with those indicated in article 13 of the RGPD, by
Therefore, it is not appropriate to urge the adoption of additional measures since
proven that the defendant has adopted reasonable measures and prevent them from returning to
incidents such as the one that gave rise to the claim occur.
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,
The Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERATOR,
with NIF A85850394, for an infraction of article 13 of the RGPD, typified in the
Article 83.5 of the RGPD, a warning sanction.
SECOND: NOTIFY this resolution to IBERIA LÍNEAS AÉREAS DE
SPAIN, S.A. OPERATOR, with NIF A85850394.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art.
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may file, optionally, an appeal for reversal
before the Director of the Spanish Agency for Data Protection within a period of
month from the day following notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the
LPACAP, the firm resolution may be suspended in an administrative way
If the interested party expresses his intention to file a contentious appeal-
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/12
administrative. If this is the case, the interested party must formally communicate this
made by writing to the Spanish Data Protection Agency,
Presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest
records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Too
must forward to the Agency the documentation that proves the effective filing
of the contentious-administrative appeal. If the Agency is not aware of the
filing of the contentious-administrative appeal within a period of two months from the
day after the notification of this resolution, I would terminate the
precautionary suspension.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
