AEPD - PS/00189/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 18.11.2020 |
Fine: | 2000 EUR |
Parties: | Anmavas 61, S.L. (La Cueva Sex Club) |
National Case Number/Name: | PS/00189/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
The Spanish DPA (AEPD) imposed a fine of €2000 on the sex club company Anmavas 61, S.L. for neither granting nor reasonably denying a request for erasure, even after receiving a warning from the AEPD, and for the consequent infringement of Article 58(2) GDPR.
English Summary
Facts
The decision follows a complaint submitted by a Spanish citizen (the claimant), who stated that he had exercised his right to erasure against the defendant but had not received any kind of answer.
Dispute
The AEPD requested the defendant to grant or reasonably deny the claimant's right to erasure within a period of ten days. The defendant did not respond to any of the AEPD's requests, so the AEPD started the corresponding sanctioning procedure.
Holding
Thus, the AEPD found that the defendant had infringed Article 58(2) GDPR, as it neither answered the claimant when he exercised his right to erasure nor followed the request of the AEPD. Consequently, after considering the circumstances [(i) there was wilful misconduct by the defendant, and (ii) basic personal data were affected], the AEPD decided to impose a fine of €2000 on the defendant.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS/00189/2020
938-300320
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following:
BACKGROUND
FIRST: The Spanish Agency for Data Protection proceeded to open the guardianship of law, TD/00128/2019, upon having knowledge of the following facts:
On November 23, 2018, D. A.A.A. (hereinafter, the claimant) exercised the right of deletion before the entity ANMAVAS 61, S.L. (LA CUEVA SEX CLUB) with NIF B01528736 (hereinafter, the claimed one), without his request having received the legally established reply.
The complaining party provided various documentation on the exercise of the right exercised.
On January 15, 2019, this Agency, through the Support of the Electronic Notifications and Enabled Address (Notific@ platform), put the claim presented by the claimant party at the disposal of the defendant, and on January 25, 2019 the person responsible for the treatment accepted the Electronic Notification, so that within a maximum period of one month it could present the allegations that it considers convenient, as well as the relevant documentation related to the procedures carried out to facilitate the right exercised or the reasoned refusal, without written allegations having been received in this Agency.
On March 26, 2019, in accordance with article 65.4 of the Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights and for the purposes provided in its article 64.2, the Director of the Spanish Data Protection Agency agreed to admit for processing the claim presented by the complaining party against the claimed party, and it is agreed to transfer the claim, so that within fifteen business days the allegations considered convenient are presented, and the parties are informed that the maximum to resolve the procedure will be six months.
On April 4, 2019, this Agency, through the Support of the Electronic Notifications and Enabled Address (Notific@ platform), again put the claim presented by the claimant party at the disposal of the defendant, and on April 5, 2019, the person responsible for the treatment accepted the Electronic Notification, so that within a maximum period of fifteen present the allegations that they consider appropriate, without written allegations having been received in this Agency.
C / Jorge Juan 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es
SECOND: The Director of the Spanish Agency for Data Protection issued, on July 23, 2019, resolution of protection of right TD/00128/2019, proceeding to “estimate the claim made by D. A.A.A. and urge the claimed party to, within the period of ten business days following notification of this resolution, send to the claimant party certification stating that he has met the right of deletion exercised by the latter or is reasonedly denied indicating the reasons for which the requested deletion. Actions carried out as a consequence of this Resolution must be communicated to this Agency within the same period. Failure to comply with this resolution could lead to the commission of the offense typified in article 72.1 m) of the LOPDGDD, to be sanctioned, in accordance with art. 58.2 of the RGPD”.
Said agreement was notified through the Notification Service Support Electronic and Authorized Address (Notific@ platform) to the claimed party, stating as not withdrawn on August 4, 2019.
THIRD: On August 29, 2019 and February 25, 2020, this Agency received two submissions from the claimant in which he states that, after the time limits granted, the claimed party failed to comply with said resolution.
Despite having upheld the resolution regarding the right to erasure, which was not attended, the claimed party still does not attend. The claimant requested the right of deletion, therefore he asks this Agency to act accordingly.
FOURTH: The claimed entity has not sent the claimant a certification stating that the right of deletion exercised by him or her has been denied with reasons, indicating the reasons why the requested deletion does not proceed, despite the resolution of protection of right TD/00128/2019 issued by the Director of the Spanish Data Protection Agency.
FIFTH: On July 1, 2020, the Director of the Spanish Agency for the Protection of Data agreed to initiate a sanctioning procedure against the claimed party, for the alleged infraction of Article 58.2 of the RGPD, typified in Article 83.5 e) of the RGPD.
Said agreement was notified through the Notification Service Support Electronic and Authorized Address (Notific@ platform) to the claimed party, stating as not withdrawn on July 12, 2020.
SIXTH: Formally notified of the initiation agreement, the claimed party has not, at the time of this resolution, submitted a brief of allegations, so what is indicated in Article 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, applies, which in its section f) establishes that in case of not carrying out allegations within the term provided on the content of the initiation agreement, this may be considered a motion for a resolution when it contains a precise pronouncement about the imputed responsibility, for which a Resolution is issued.
In view of all the actions, by the Spanish Agency for Data Protection in this proceeding, the following are considered proven facts,
ACTS
FIRST: On November 23, 2018, the claimant exercised the right of deletion before the claimed party, without his request having received the legally established answer.
SECOND: The claimed entity has not sent the claimant a certification stating that the right of deletion exercised by him or her has been denied with reasons, indicating the reasons why the requested deletion does not proceed, despite the resolution of protection of right TD/00128/2019 issued by the Director of the Spanish Data Protection Agency.
THIRD: On July 1, 2020, this sanctioning procedure was initiated for the violation of Article 58.2 of the RGPD, being notified on July 12, 2020. The claimed party has not made allegations to the initiation agreement.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
II
Article 58 of the RGPD, "Powers", says:
“2 Each supervisory authority shall have all the following corrective powers listed below:
(…)
b) punish any person in charge or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation;
(...)
d) order the person in charge of the treatment that the treatment operations comply with the provisions of this Regulation, where appropriate, in a certain manner and within a specified time.
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of the particular case.”
III
The RGPD deals in its article 58 with the powers of each control authority. The section 1.a) provides:
"1. Each supervisory authority will have all the powers of investigation indicated then:
a) order the person in charge and the person in charge of the treatment and, where appropriate, the representative of the person in charge or the person in charge, who provide any information required for the performance of their duties."
The offense for which the claimed entity is responsible is classified in article 83 of the RGPD that, under the heading “General conditions for the imposition of administrative fines”, states:
"5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of 20,000,000 Euros or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount:
e) failure to comply with a resolution or a temporary or definitive limitation of the treatment or suspension of data flows by the supervisory authority pursuant to article 58 (2), or failure to provide access in breach of article 58, Paragraph 1."
Organic Law 3/2018, on Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its article 72.1 m), under the rubric “Infractions considered very grave”, provides:
"1. In accordance with the provisions of article 83.5 of Regulation (E.U.) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following:
(…)
m) Failure to comply with the resolutions issued by the competent data protection authority in exercise of the powers conferred by article 58.2 of the Regulation (EU) 2016/679."
IV
In the case analyzed here, it has been proven that the claimant exercised his right of deletion before the claimed entity, and his request did not obtain the legally required answer.
Likewise, after the evidence obtained, there is no record that the claimed party attended the right of the claimant, as required by the Director of the Data Protection Agency in the estimated resolution of the protection of right TD/00128/2019, consisting of sending the claimant a certification stating that he has met the right to deletion exercised by the latter or justly denied; it should be considered that the entity claimed violated article 83.5.e) of the RGPD, which sufficiently motivates the present sanctioning procedure.
It is clear that on August 4, 2019 the resolution of legal protection was notified to the claimed party, urging it to, within the following ten business days, send certification to the claimant stating that he has complied with the right to erasure exercised by the latter, or is reasonedly denied indicating the reasons for which the requested deletion, however, it has not been verified that any of the two senses.
It must be stated that the claim was transferred to the claimed party on January and April 4, 2019, with January 25 and April 5 as the acceptance date of the same year.
On July 24, 2019, compliance with said resolution with the date of receipt and not withdrawn on August 4, 2019.
On July 12, 2020, the agreement to initiate this sanctioning proceeding was notified, without any allegations having been made to it.
V
In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:
"Each supervisory authority will guarantee that the imposition of administrative fines in accordance with this article for the infractions of this Regulation indicated in the Sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive."
"Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures referred to in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount in each individual case, the following will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of interested parties affected and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person in charge or in charge of the treatment to alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the violation;
g) the categories of personal data affected by the offense;
h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same subject, compliance with said measures;
j) adherence to codes of conduct under article 40 or to mechanisms of certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the offense."
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, “Sanctions and corrective measures”, provides:
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 the following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender's activity with the performance of treatments of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the commission of the offense.
e) The existence of a process of merger by absorption subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) To have, when not mandatory, a delegate for the protection of data.
h) The submission by the person in charge or in charge, with character voluntary, to alternative conflict resolution mechanisms, in those cases where there are controversies between those and any interested party."
In accordance with the transcribed precepts, in order to set the amount of the sanction of fine to be imposed in the present case on the entity claimed as responsible for an offense typified in article 83.5.e) of the RGPD, the following are considered concurrent factors:
- The intentionality or negligence of the infringement (83.2 b) of the RGPD).
- Basic personal identifiers are affected (83.2 g) of the RGPD).
The sanction to be imposed on ANMAVAS 61, S.L. (LA CUEVA SEX CLUB) with NIF B01528736 and set it at the amount of € 2,000 for the violation of article 58.2 of the RGPD.
Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: IMPOSE ANMAVAS 61, S.L. (LA CUEVA SEX CLUB), with NIF B01528736, for a violation of Article 58.2 of the RGPD, typified in Article 83.5 of the RGPD, a fine of two thousand euros (2,000 euros).
SECOND: NOTIFY this resolution to ANMAVAS 61, S.L. (LA CUEVA SEX CLUB).
THIRD: Warn the sanctioned person that the sanction imposed must be made effective once this resolution is executive, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Regulation of Collection, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Agency for Data Protection in the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the executive period.
Notification received and once executive, if the execution date is between the 1st and the 15th of each month, both inclusive, the deadline for making the voluntary payment will be until the 20th day of the following month or the immediately subsequent business day, and if it is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second next month or the immediately subsequent business day.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a month from the day after the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-administrative Jurisdiction, within two months to count from the day after notification of this act, as provided in article 46.1 of the referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the rest of the records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also forward to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection