AEPD - PS/00408/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 58(2) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 24.08.2020 |
Fine: | n/a |
Parties: | Spanish self-employed entrepreneur |
National Case Number/Name: | PS/00408/2019 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | Miguel Garrido de Vega |
24 July 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a warning on a Spanish self-employed entrepreneur (the defendant) for the infringement of its collaboration duties as per Article 58(2) of the GDPR.
English Summary
Facts
The decision is the consequence of a complaint submitted by a Spanish citizen, according to which the AEPD required the defendant to provide certain information.
Dispute
The defendant did not answer to any AEPD investigation requests nor provided the required information, so the AEPD started the corresponding sanction procedure.
Holding
Thus, the AEPD understood that the defendant has infringed its collaboration duties as per Article 58(2) GDPR, according to which, he/she shall provide the AEPD with any information required in the course of an investigation. Consequently, after considering some mitigating circumstances [the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them, as per Art. 83(2)(a)], the AEPD decided to impose a warning to the defendant.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/5 Procedure Nº: PS / 00408/2019938-300320RESOLUTION OF PENALTY PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: On June 19, 2019, he had entry into this Spanish Agency ofData Protection a document submitted by AAA (hereinafter, the claimant),through which you make a claim against BBB with NIF *** NIF.1 (hereinafter, thereclaimed).SECOND: In accordance with the provisions of article 65 of Organic Law 3/2018, ofDecember 5, Protection of Personal Data and guarantee of rights(LOPDGDD hereinafter), the claim was forwarded to the person responsible or toData Protection Officer that in his case he has designated, requiring himto send the requested information and documentation to this Agency. Thisinformation request was made within the framework of the file withreference E / 06805/2019.THIRD: After the expiration of the period of one month that was given to the requested party soinform the Spanish Agency for Data Protection, as indicated in thesecond antecedent, without the respondent providing the relevant response, theClaim was admitted for processing on September 19, 2019.FOURTH: In relation to the research actions referenced with thecode E / 08848/2019, a new information request was sent to the requested party,alluding to the claim outlined in the first antecedent, so that, within theten business days, the information and documentation thatit was pointed out. The requirement, which was practiced in accordance with the regulationsestablished in Law 39/2015, of October 1, of the Administrative ProcedureCommon of Public Administrations (hereinafter, LPACAP), was collected by theresponsible on October 22, 2019, as stated in the certificate ofMail that works in the file.FIFTH: On November 29, 2019 , the Director of the Spanish Agency forData Protection agreed to initiate sanctioning procedure to the claimed, withpursuant to the provisions of articles 63 and 64 of the LPACAP, for the alleged infringementof Article 58.1 of the RGPD, typified in Article 83.5 of the Regulation (EU)2016/679 (General Data Protection Regulation, hereinafter RGPD).C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 2 2/5SIXTH: The aforementioned initiation agreement was collected by the person responsible on date 16December 2019 as stated in the Post Office certificate that works in theproceedings.After the term of ten business days granted in the initiation agreement for thepresentation of allegations, the respondent has not presented allegations.SEVENTH: On February 19, 2020, a resolution was formulated,proposing that by the Director of the Spanish Agency for Data Protection besanction BBB , with NIF *** NIF.1 , for a violation of Article 58.1 of the GDPR,typified in Article 83.5 of the RGPD, with a warning sanction.Likewise, the procedure was revealed so that within ten dayscould claim whatever it considered in its defense and present the documents andinformation that it considers pertinent, in accordance with article 89.2 of theLPACAP.EIGHTH: The motion for a resolution, which was registered out on date 19February 2020 with registration number 015783/2020, was collected by the person in charge,as stated in the Post Office certificate on the record.After the term of ten working days granted in the resolution proposal forFiling Claims, the Respondent has not filed claims.In view of everything that has been done by the Spanish Protection AgencyData in the present procedure, the following are considered proven facts,ACTSFIRST: The information requirements indicated in the second backgroundand fourth were notified in accordance with the provisions of article 42 of the LPACAP.SECOND: The respondent has not responded to the information requestsmade by the Agency within the deadlines granted for it, namely:1st. The request made within the framework with the reference codeE / 06805/2019, in which the deadline to respond was one month.2nd. The request made in the framework of the investigation actionsreferenced with code E / 08848/2019, in which the deadline to respond wasten business days.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 3 3/5THIRD: Notification of the agreement to initiate this proceduresanctioner was collected by the person responsible on December 16, 2019. NoAllegations were made to the initiation agreement.FOURTH: Notification of the proposed resolution was carried out throughCorreos, being collected by the person in charge on February 25, 2020. Notthey presented arguments to the resolution proposal.FUNDAMENTALS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48.1 of the LOPDGDD,The Director of the Spanish Agency for Data Protection is competent to initiateand solve this procedure.IIThe defendant is charged with the commission of an infraction for not having sought theSpanish Agency for Data Protection the information required. With theindicated conduct of the claimed, the power to investigate that article 58.1 of theRGPD confers on the control authorities, in this case, the AEPD, has beenhampered.Therefore, the proven facts are considered to constitute an infringement, attributable to theclaimed, for violation of article 58.1 of the RGPD, which provides that eachsupervisory authority shall provide, among its investigative powers:" A) order the controller and the person in charge of the treatment and, where appropriate, therepresentative of the person in charge or the person in charge, who provide anyinformation that is required for the performance of its functions; b) carry outinvestigations in the form of data protection audits; c) carry outa review of the certifications issued under article 42, paragraph7; d) notify the controller or the processor of the allegedinfractions of these Regulations; e) obtain from the person in charge and thedata processor access to all personal data and to allinformation necessary for the exercise of its functions; f) obtain access toall premises of the controller and data processor, includingany equipment and means of data processing, in accordance with theProcedural law of the Union or of the Member States . ”C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 4 4/5IIIThis infraction is typified in article 83.5.e) of the RGPD, which considers as such: “ nofacilitate access in breach of article 58, paragraph 1 ”.The same article establishes that this infraction can be sanctioned with a fine.twenty million euros (€ 20,000,000) or, in the case of acompany, with an amount equivalent to a maximum of four percent (4%) of thetotal global annual turnover of the previous financial year, opting for theof greater amount.For the purposes of the statute of limitations for infringements, the imputed infringementprescribed at three years, pursuant to article 72.1 of the LOPDGDD, which qualifies asThe following conduct is very serious:“ Ñ) Failure to facilitate access by the personnel of the data protection authoritycompetent to personal data, information, premises, equipment and means oftreatment that is required by the data protection authority tothe exercise of its investigative powers.o) The resistance or obstruction of the exercise of the inspection function by thecompetent data protection authority . ”IVWithout prejudice to the provisions of article 83 of the RGPD, the aforementioned Regulationprovides in its art. 58.2 b) the possibility of sanctioning with warning, in relationwith what is stated in Recital 148:"In the event of a minor offense, or if the fine is likely to be imposedconstitutes a disproportionate burden on a natural person, instead ofpenalty through fine may be warned. You should howeverpay special attention to the nature, seriousness and duration of the offense, itsintentional, to the measures taken to alleviate the damages and losses suffered,to the degree of responsibility or to any previous pertinent infraction, to the waythat the supervisory authority has had knowledge of the infraction, complianceof measures ordered against the person responsible or in charge, to adherence toconduct and any other aggravating or mitigating circumstance. ”VC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es Page 5 5/5Finally, the penalty to be imposed should be graduated according to the criteria thatestablishes article 83.2 of the RGPD, and with the provisions of article 76 of theLOPDGDD, regarding section k) of the aforementioned article 83.2 RGPD.In the initial assessment, it can be seen that no aggravating circumstance is applicable, andhave considered, as mitigating factors, the following events:- Art. 83.2 a) RGPD: the nature, seriousness and duration of the infraction,taking into account the nature, scope or purpose of the operation oftreatment in question, as well as the number of interested parties affected and thelevel of the damages they have suffered. It has been taken into account that theclaimed is a self-employed entrepreneur.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven, the Director of theSpanish Data Protection Agency RESOLVES:FIRST: IMPOSE BBB , with NIF *** NIF.1 , for a violation of Article 58.1of the RGPD, typified in Article 83.5 of the RGPD, a warning penalty.SECOND: NOTIFY this resolution to BBBIn accordance with the provisions of article 50 of the LOPDGDD, thisResolution will be made public once the interested parties have been notified.Against this resolution, which ends the administrative procedure pursuant to art. 48.6 of theLOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, theinterested parties may file, optionally, appeal for reversal before theDirector of the Spanish Agency for Data Protection within a month tocount from the day after notification of this resolution or directlyadministrative contentious appeal before the Contentious-administrative Chamber of theNational Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within two months fromday after notification of this act, as provided in article 46.1 of thereferred Law. Mar España Martí Director of the Spanish Agency for Data Protection