| AEPD - PS/00357/2020 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | |
| Decided: | |
| Published: | 22.02.2021 |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | PS/00357/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | CSO |

The Spanish DPA (AEPD) issued a warning to the defendant (a natural person) for not adequately informing users about the data processing it carries out on its website in violation of Article 13 GDPR.
English Summary
Facts
A public body for the defense of consumers' rights filed a complaint with the AEPD against the defendant for failing to comply with Article 13 GDPR on its website.
In its investigation, the AEPD found that the defendant's website had a data collection form, but users did not have all the necessary information on the processing of their data according to Article 13 GDPR.
Subsequently, the AEPD verified that the defendant had updated the information on its website.
Dispute
The decision does not establish precisely why the information provided was not in accordance with the GDPR. However, on the basis of the available information it seems that the information appeared under the title "legal notice" instead of "privacy policy". In addition, the text referred to the old Spanish law instead of the current one.
Holding
The AEPD imposes a warning sanction and explains that imposing a sanction under Article 83(5)(b) of the GDPR against the respondent would be a disproportionate burden on it. In addition, the AEPD takes into account two factors: 1) that the main activity of the respondent is not directly linked to the processing of personal data and 2) that there is no record of previous data protection infringements.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure Nº: PS/00357/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: MUNICIPAL INSTITUTE OF CONSUMPTION OF *** LOCALITY.1 (hereinafter, the claimant) on June 26, 2020 filed a claim with the Spanish Agency for Data Protection. The claim is directed against A.A.A. with NIF *** NIF.1 (hereinafter, the claimed one). The reasons on which the claim is based are non-compliance with the regulations of data protection on the website *** URL.1.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), with reference number E/06538/2020, said claim was transferred to the defendant, on August 14, 2020, to proceed to its analysis and inform this Agency within a month of the actions carried out to comply with the requirements set forth in the regulations for the protection of data, without a reply to this date.
THIRD: On November 26, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure against the claimed, for the alleged violation of article 13 of the RGPD, typified in article 83.5 of the RGPD.
FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted written allegations on December 14, 2020 in which, in short, it stated that the "Legal Notice" document broadly includes what is established in the regulations of Data Protection. Likewise, in relation to the contact form, in which personal data is collected, it is indicated that «the link "Privacy Policy" actually directs to the "Legal Notice" document that, due to its content, as already mentioned, responds more broadly to the requirements of the data protection regulations than the "Privacy Policy" document». In short, the information provided to users, both in the general content of the website and the contact form itself, adequately complies with all the requirements established by law, without observing non-compliance in any of the points regulated in article 13 of the RGPD.
FIFTH: On December 12, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E/06790/2020, as well as the documents provided by the claimed.
SIXTH: On January 19, 2021, a resolution proposal was formulated, proposing that A.A.A. with NIF *** NIF.1, in accordance with the provisions of article 58.2.b) of the RGPD, for an infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD, be given a warning sanction.
In view of all the actions taken, in the present proceeding the Spanish Agency for Data Protection considers the following to be proven facts:
FACTS
FIRST: The breach of the data protection regulations in the website *** URL.1; specifically because the information provided to customers on the processing of personal data does not meet the requirements established in the GDPR.
SECOND: The complained party states that the information provided to the users of the website that is the object of this claim meets all the requirements established in article 13 of the RGPD.
THIRD: It is verified that the information included in the website *** URL.1 complies with all the requirements demanded in article 13 RGPD in response to the requirement of this Agency.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this process.
II
Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free circulation of these data (General Data Protection Regulation, hereinafter RGPD), under the rubric "Definitions", provides that:
"For the purposes of these Regulations, the following shall be understood as:
1) "personal data": any information about an identified or identifiable natural person ("the interested party"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychic, economic, cultural or social identity of said person;
2) "treatment": any operation or set of operations carried out on personal data or personal data sets, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of authorization of access, collation or interconnection, limitation, deletion or destruction;"
Therefore, in accordance with these definitions, the collection of personal data through forms included in a web page constitutes a treatment of data, with respect to which the person responsible for the treatment must comply with the provisions of article 13 of the RGPD, a precept that since May 25, 2018 has displaced article 5 of Organic Law 15/1999, of December 13, on Protection of Personal Data.
In relation to this matter, it is observed that the Spanish Agency for Data Protection makes available to citizens the Guide for the fulfillment of the duty to inform (https://www.aepd.es/media/guias/guia-modelo-clausula-informativa.pdf) and, in the case of low-risk data processing, the free tool Facilita (https://www.aepd.es/herramientas/facilita.html).
III
Article 13 of the RGPD, the precept which determines the information that must be provided to the interested party at the time of data collection, provides:
"1. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, of their representative;
b) the contact details of the data protection officer, if applicable;
c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the person in charge or of a third party;
e) the recipients or categories of recipients of personal data, where applicable;
f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed.
2. In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party, at the time the personal data is obtained, with the following information necessary to guarantee loyal and transparent data processing:
a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this period;
b) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data;
f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the applied logic, as well as the importance and consequences provided for said treatment for the interested party.
3. When the data controller plans the further processing of personal data for a purpose other than that for which they were collected, it will provide the interested party, prior to said further processing, information on that other purpose and any additional relevant information pursuant to section 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information".
For its part, article 11 of the LOPDGDD provides the following:
"1. When personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679, providing the affected party with the basic information referred to in the following section and indicating an email address or other means that allows easy and immediate access to the rest of the information.
2. The basic information referred to in the previous section must contain, at least:
a) The identity of the person responsible for the treatment and their representative, if applicable.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the affected party were to be processed for the preparation of profiles, the basic information will also include this circumstance. In this case, the affected party must be informed of their right to oppose the adoption of automated individual decisions that produce legal effects on him or her significantly affect in a similar way, when this right to agree with the provisions of article 22 of Regulation (EU) 2016/679."
IV
By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for Data Protection, as a control authority, has a set of corrective powers in the event of an infringement of the precepts of the GDPR.
Article 58.2 of the RGPD provides the following:
"2 Each supervisory authority shall have all the following corrective powers listed below:
(...)
b) punish any person responsible or in charge of the treatment with warning when the treatment operations have infringed the provisions of this Regulation;"
(...)
"d) order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified period;"
"i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"
Article 83.5.b) of the RGPD establishes that:
"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount:
a) the rights of the interested parties in accordance with articles 12 to 22;"
In turn, article 74.a) of the LOPDGDD, under the heading "Violations considered mild", provides:
"They are considered minor and will prescribe in a year the remaining offenses of merely formal character of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in particular, the following:
a) Failure to comply with the principle of transparency of information or the right of the data subject for not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679."
V
In this case, it is taken into account that the respondent collected the personal data of users who fill in the form included in the website *** URL.1 without providing them, prior to their collection, all the information regarding data protection provided for in article 13 of the reviewed RGPD.
Specifically, the content of points 2 to 7 of the Legal Notice had to be updated in accordance with the new personal data protection regulations, modifying the reference to Organic Law 15/1999 by Organic Law 3/2018, of Protection of Personal Data and guarantee of digital rights.
It has been verified that the information contained in the privacy has been modified adapting to current data protection regulations.
VI
This being the case, in accordance with the evidence available, the facts exposed, specifically, that since May 2018 the information provided to users and clients about the processing of their data, constitute, on the part of the defendant, an infringement of the provisions of article 13 of the GDPR.
This infraction will be sanctioned with a warning, in accordance with article 58.2.b) of the RGPD, when collecting basic data from users and consider that the administrative fine that may be incurred in accordance with the provisions of Article 83.5.b) of the GDPR would constitute a disproportionate burden for the claimed, whose main activity is not directly linked to the treatment of personal data, since there is no evidence of the commission of any previous infringement in data protection matters.
Likewise, since the adequacy of the information offered to the users whose personal data is collected from them to the requirements contemplated in article 13 of the RGPD, it is not necessary to make a request any.
Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE A.A.A. with NIF *** NIF.1, for a violation of article 13 of the RGPD, typified in article 83.5 of the RGPD, a warning sanction.
SECOND: NOTIFY this resolution to A.A.A. with NIF *** NIF.1.
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month counting from the day after the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es