AEPD - PS/00221/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 14 GDPR Art. 259(4) of the Spanish Law 1/2000 on Civil Procedure |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 30.12.2020 |
Fine: | n/a |
Parties: | Lvcentum Legal, S.L. |
National Case Number/Name: | PS/00221/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
The Spanish DPA (AEPD) imposed a warning on the law firm Lvcentum Legal, S.L. (defendant) for infringing Article 14 GDPR: the defendant used personal data (IP address) obtained in a judicial proceeding to send personal letters requesting an extrajudicial payment.
English Summary
Facts
The decision is the consequence of a complaint submitted by the Spanish cooperative company Digitorium Sociedad Cooperativa Pequeña (the claimant), stating that the defendant had obtained the personal data of its members from the preliminary proceedings of an upcoming trial, and had used such data to send those members an individual letter requesting the extrajudicial payment of an amount of money related to the court issue (an Intellectual Property matter).
Dispute
The defendant answered to the first AEPD investigation requests stating that the claimant's members are the alleged offenders of the rights of its client, and that, on grounds of procedural economy and good faith, it is quite common for lawyers to try a friendly solution before starting court proceedings; besides, it stated that the judicial authority had already judged that the legal claim of such client was appropriate, and that there was a legitimate interest in processing those personal data for the purpose of defending its rights. The AEPD started the corresponding sanction procedure, and the defendant answered admitting that, although it is true that the members of the claimant had not been informed on all the points of Art. 14 GDPR when the letters were sent, it had already updated its draft letter for communications with third parties, and it attached a sample of such letter.
Holding
Thus, the AEPD understood that the defendant has infringed Article 14 of the GDPR, as, although the processing activity could be perfectly based on its legitimate interest, it had not provided the members of the claimant with all the legal information. Consequently, after considering some circumstances [(i) the defendant had already amended its information clause; (ii) there are no previous infringements of the law by the defendant, (iii) the hypothetical imposition of an administrative fine would be disproportionate, considering that the main activity of the defendant is not directly related to the processing of personal data] the AEPD decided to impose a warning to the defendant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 Procedure Nº: PS / 00221/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: DIGITORIUM SOCIEDAD COOPERATIVA PEQUEÑA (hereinafter, the claimant) on June 18, 2019 filed a claim with the Agency Spanish Data Protection. The claim is directed against LVCENTVM LEGAL, S.L. with NIF B42557306 (hereinafter, the claimed). The reasons on which the claim is based are that the defendant is sending letters to the members that are part of DIGITORIUM SOCIEDAD COOPERATIVA SMALL, claiming an amount of money from them, after obtaining their personal data in a Preliminary Proceedings, which exceeds the purpose of the treatment delimited by article 259.4 LEC. The communication took place in the framework of a civil judicial procedure of claim of intellectual property rights, but the producer, CRYSTALIS ENTERTAINMENT UG, has used it to send letters to IP holders requesting the extrajudicial payment of an amount. SECOND: The present claim was transferred to the defendant on August 21, 2019, requiring you to send this Agency within a month, information on the response given to the claimant for the facts denounced, as well as as the causes that have motivated the incidence and the measures adopted. In response to said request, the defendant stated that the claimants are the alleged infringers of the rights of our client, whose identity and other Contact details have been disclosed by express order of the Commercial Court no. *** COURT. 1, first by Order of September 3, 2018 (by which admits the practice of the requested diligence) and, subsequently, by Order of 5 February 2019 (rejecting the opposition filed by the supplier of Internet services and the practice of diligence is ordered), all within the framework of the Preliminary proceedings n ° *** DILIGENCES.1 LVCENTVM LEGAL, S.L. states that in the exercise of our activity professional, it is usual that, before going to court, the rights of our clients are claimed by the friendly way. We are commanded not only by him legislator, but also by the principles of procedural economy and good faith. In the judicial proceeding initiated by this party, therefore, the judicial body has already weighed the rights that in terms of data protection may assist the now claimants, by complying with the requirements that the Law provides specifically for this, and has assessed the possibility of adopting the measures C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 adequate for their protection that the Law also provides when regulating the specific preliminary diligence adopted. Indeed, according to art. 258.1 LEC, the measure is only agreed "If the court I will appreciate that the diligence is adequate to the purpose that the applicant pursues and that just cause and legitimate interest concur in the request ". Therefore, the competent judicial body has already determined that in my claim The client has a legitimate interest and that they have the data of the alleged offenders is a claim appropriate to the purpose pursued by him, which is no other that the protection of their intellectual property rights. For this reason it considers that none of the specific precepts that in The claim is considered violated: The data has been transmitted by the internet service provider in compliance with a court order. The purposes for which such data, after having been exposed by this party in the procedure of preliminary proceedings and submitted to the assessment of the competent judicial body, have been declared legitimate by said judicial body by virtue of the Order provided. The purpose of the subsequent treatment is identical to that for which the preliminary diligence: the protection of the intellectual property rights that it holds our client, which translates into two claims: a) the cessation of the infringement; and b) the compensation for the damages that the infringement has caused to our client. THIRD: On September 21, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of article 14 of the RGPD, typified in article 83.5 of the RGPD. FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a allegations on October 5, 2020, where he states that both obtaining the data object of this case, as its use are legitimate in accordance with the established by the head of the Commercial Court *** COURT. 2 in order no. *** AUTO. 1 of January 8. In relation to the breach of article 14 of the RGPD for not informing the holders of all the points of said precept, the claimed entity, it is admitted that Although the IP addresses are reported, from which source the data, the purposes of the treatment, and the identity and contact details of the responsible, but not for other points of art. 14 RGPD as the right to exercise the data protection rights before the data controller, or the right to file a claim with the AEPD, as provided in art. 14.2, letters c) and and). The claimed entity informs the Spanish Agency for the Protection of Data that before knowing the complaint that gave rise to this procedure C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 this party had already updated its third-party communications model, so that the information on data protection that came providing in such communications. Attached is one of the letters that has been sent with the information regarding updated data protection (censoring personal data). FIFTH: On October 21, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 07581/2019, as well as the documents provided by the claimed. SIXTH: On October 28, 2020, a resolution proposal was formulated, proposing that the defendant be imposed for an infringement of article 14 of the RGPD, typified in article 83.5 of the RGPD, a warning sanction, in in relation to article 74.a) of the LOPDGDD. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS FIRST: The defendant is sending letters to the claimants, demanding a amount of money, after obtaining your personal data in a judicial procedure The communication took place in the framework of a civil judicial procedure of claim of intellectual property rights. SECOND: In accordance with the provisions of the head of the Court of Mercantile nº *** COURT. 2 in car nº *** AUTO.1 of January 8, both obtaining of the data and its use are legitimate. THIRD: The claimed entity acknowledges the breach of article 14 of the RGPD for not informing the holders of all the points of said precept as the right to exercise data protection rights before the person responsible for the treatment, or the right to file a claim with the AEPD, as stated provided in art. 14.2, letters c) and e). The claimed entity states that it has updated its communications model to third parties, in accordance with what is required in article 14 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 In particular, it states that the information currently offered in the communications sent by this professional office is, verbatim, the next: "Your personal data are processed for the exclusive purpose of exercising the rights of CRYSTALIS ENTERTAINMENT UG claimed by this communication. Your data will be kept for five years from the resolution of this conflict (understood as judicial or extrajudicial satisfaction), with the exception of the identification data essential to fulfill the eventual commitment not to to claim again or not to address you again. We inform you that you have the right to request access to your personal data object of treatment, its rectification, the limitation of its treatment and portability of the same (without allowing in this case the deletion, opposition or a limitation treatment that prevents the satisfaction of the legitimate interest pursued by our client). For the exercise of your rights you can direct communication, attaching a copy of your DNI or equivalent document, to *** EMAIL.1 or to LVCENTVM LEGAL S.L. in the address at the bottom of this letter. Also, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may submit a complaint to the national supervisory authority by addressing the Agency Spanish Data Protection ”. FOUNDATIONS OF LAW I The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of art. 58.2 of the RGPD and in art. 47 and 48.1 of LOPDGDD. II Article 6.1 of the RGPD establishes the assumptions that allow the legal processing of personal data. Article 14 of the RGPD regulates the right to information that must be provided when the personal data have not been obtained from the interested party, indicating the next: 1. When the personal data have not been obtained from the interested party, the person in charge of the treatment will provide the following information: a) the identity and contact details of the person in charge and, where appropriate, of their representative tante; b) the contact details of the data protection officer, if applicable; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 c) the purposes of the treatment to which the personal data are intended, as well as the basis legal treatment; d) the categories of personal data in question; e) the recipients or categories of recipients of the personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a recipient a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of the transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to the adequate or appropriate warranties and the means of obtaining a copy of them or by fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the data controller ment will provide the interested party with the following information necessary to guarantee a Fair and transparent data processing with respect to the interested party: a) the period during which the personal data will be kept or, when that is not possible, the criteria used to determine this period; b) when the treatment is based on article 6, paragraph 1, letter f), the interests gitimos of the person responsible for the treatment or of a third party; c) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, and to oppose the treatment, as well as the right to portability of the data; d) when the treatment is based on article 6, paragraph 1, letter a), or article 9, section 2, letter a), the existence of the right to withdraw consent in any- at any time, without affecting the legality of the treatment based on the consent lie before its withdrawal; e) the right to file a claim with a supervisory authority; f) the source from which the personal data come and, where appropriate, if they come from public access sources; g) the existence of automated decisions, including profiling, to which referred to in Article 22, paragraphs 1 and 4, and, at least in such cases, significant information ficative on the applied logic, as well as the importance and expected consequences of said treatment for the interested party. 3. The data controller will provide the information indicated in sections 1 and 2: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 a) within a reasonable time, once the personal data has been obtained, and at the latest give within a month, taking into account the specific circumstances in which process such data; b) if the personal data are to be used for communication with the interested party, to at the latest at the time of the first communication to said interested party, or c) if it is planned to communicate them to another recipient, at the latest at the time that the personal data are communicated for the first time. 4. When the person responsible for the treatment plans the subsequent treatment of the data personal for a purpose other than that for which they were obtained, will provide the interested party, before said further processing, information on that other purpose and any- want other relevant information indicated in section 2. 5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent in which: a) the interested party already has the information; b) the communication of said information is impossible or involves a des- provided, in particular for processing for archival purposes in the public interest co, scientific or historical research or statistical purposes, subject to the conditions and guarantees indicated in article 89, paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article may make it impossible to seriously hamper the achievement of the goals of such treatment. In such cases, the responsible shall adopt appropriate measures to protect the rights, freedoms and legitimate interests of the interested party, including making the information public; c) the obtaining or communication is expressly established by the Law of the Union or Member States that applies to the controller and that establish adequate measures to protect the legitimate interests of the data subject, or d) when personal data should continue to be confidential about the basis of an obligation of professional secrecy regulated by Union law or of the Member States, including an obligation of secrecy of a statutory nature. III In the present case, it is stated in the first place that the respondent, once he has of customers' personal data, instead of using the personal data that has achieved in the Preliminary Proceedings procedure to obtain exclusively the jurisdictional protection as required by art. 259.4 of the LEC sends them a letter demanding a sum of money from them. Therefore, the complainant considers that the data has been used by the complainant personal for purposes other than those specifically provided for in the regulations, causing a violation and violation of data protection regulations. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 In this sense, this Spanish Agency for Data Protection considers that, in relationship with the lack of legitimacy for the processing of personal data of the Euskaltel customers, it is necessary to take into account the response of the head of the Court of the Mercantile nº *** COURT.1, in the order nº *** AUTO.1 of January 8, 2019, at Euskaltel's opposition to the provision of personal identification data holders of the requested IPs. In the SECOND Legal Reasoning, section 8 it is stated: “8. Application unnecessary information. The operator alleges that information is requested (landline, mobile, email) that is part of the privacy of users and exceeds necessary for the intended purposes. The Judge does not share Euskaltel's assessment. The data referred to is the necessary to contact users and be able to file a legal claim against them or, in his case, extrajudicial. " Furthermore, in section 9 the Magistrate states the following: “9.1. Legality. Alleges the operator that the report is the result of interference by a foreign company in the personal data and content of the communications that constitutes a infringement of the European Data Protection Regulation. (…) In this case, there is no evidence that the program for the protection of the rights of intellectual protection data other than the IP address has been obtained and it is being used to claim before the civil courts for the infraction of such rights. Therefore, both the obtaining of the data and the its use. In this sense, Regulation (EU) 2016/679 establishes as principles relating to the treatment, the collection of data for specific, explicit and legitimate purposes to be treated in accordance with these purposes, and the limitation of the data to what is necessary in relationship with the purpose for which they are treated (art. 5.1. b and c), and article 6 considers lawful treatment necessary to satisfy legitimate interests pursued by the person responsible for the treatment or by a third party, provided that on said interests do not prevail over interests or fundamental rights and freedoms. In Regarding the fundamental right to confidentiality of communications, it is not affected for the ‘obtaining the data relative to the IP address.” IV In this case, it is taken into account that the respondent must provide the information indicated in article 14 of the RGPD, when personal data has not been obtained from the interested party. The defendant, in particular, on October 5, 2020, has stated in response to the requirement of this Agency that the information currently offered in the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 communications sent by this professional office is, verbatim, the next: "Your personal data are processed for the exclusive purpose of exercising the rights of CRYSTALIS ENTERTAINMENT UG claimed by this communication. Your data will be kept for five years from the resolution of this conflict (understood as judicial or extrajudicial satisfaction), with the exception of the identification data essential to fulfill the eventual commitment not to to claim again or not to address you again. We inform you that you have the right to request access to your personal data object of treatment, its rectification, the limitation of its treatment and portability of the same (without allowing in this case the deletion, opposition or a limitation treatment that prevents the satisfaction of the legitimate interest pursued by our client). For the exercise of your rights you can direct communication, attaching a copy of your DNI or equivalent document, to *** EMAIL.1 or to LVCENTVM LEGAL S.L. in the address at the bottom of this letter. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national authority of control by contacting the Spanish Agency for Data Protection " V By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for Data Protection, as a control authority, has a set of corrective powers in the event of an infringement of the precepts of the RGPD. Article 58.2 of the RGPD provides the following: “2 Each supervisory authority shall have all the following corrective powers listed below: (…) b) sanction any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation;" (...) “D) order the person in charge of the treatment that the operations of treatment are in accordance with the provisions of this Regulation, where appropriate, in a certain way and within a specified time; " “I) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;" C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 Article 74.a) of the LOPDGDD, under the heading “Infractions considered minor has: "They are considered minor and will prescribe a year the remaining offenses of character merely formal of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in particular, the following: a) Failure to comply with the principle of transparency of information or the right of the data subject for not providing all the information required by the articles 13 and 14 of Regulation (EU) 2016/679. " In accordance with the facts presented, the defendant has violated article 14 of the RGPD, the infringement of which is penalized with a warning, in accordance with article 58.2.b) of the RGPD, when collecting through said form basic data of the users and consider that the administrative fine that may be incurred in accordance with provisions of article 83.5.b) of the RGPD would constitute a disproportionate burden for the claimed, whose main activity is not directly linked to the processing of personal data, since there is no evidence of the commission of any infringement above regarding data protection. SAW On the other hand, article 83.7 of the RGPD provides that, without prejudice to the corrective powers of the control authorities pursuant to art. 58, paragraph 2, Each Member State may lay down rules on whether and to what extent it is possible to impose administrative fines on authorities and public bodies established in that Member State. The defendant has proceeded to resolve the facts that are the subject of this proceeding sanctioning, since currently in the communications sent presents the following communication: "Your personal data are processed for the exclusive purpose of exercising the rights of CRYSTALIS ENTERTAINMENT UG claimed by this communication. Your data will be kept for five years from the resolution of this conflict (understood as judicial or extrajudicial satisfaction), with the exception of the identification data essential to fulfill the eventual commitment not to to claim again or not to address you again. We inform you that you have the right to request access to your personal data object of treatment, its rectification, the limitation of its treatment and portability of the same (without allowing in this case the deletion, opposition or a limitation treatment that prevents the satisfaction of the legitimate interest pursued by our client). For the exercise of your rights you can direct communication, attaching a copy of your DNI or equivalent document, to *** EMAIL.1 or to LVCENTVM LEGAL S.L. in the address at the bottom of this letter. Likewise, and especially if you consider that you have not obtained full satisfaction in the exercise of your rights, you may file a claim with the national authority of control by contacting the Spanish Agency for Data Protection " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 Therefore, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE LVCENTVM LEGAL, S.L., with NIF B42557306, for a infraction of article 14 of the RGPD, typified in article 83.5 of the RGPD, a warning sanction. SECOND: NOTIFY this resolution to LVCENTVM LEGAL, S.L. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es