AEPD (Spain) - PS/00051/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
 
(6 intermediate revisions by one other user not shown)
Line 18: Line 18:
|Outcome=Upheld
|Outcome=Upheld
|Date_Decided=
|Date_Decided=
|Date_Published=10.09.2020
|Date_Published=10.9.2020
|Year=
|Year=
|Fine=1500
|Fine=1500
Line 26: Line 26:
|GDPR_Article_Link_1=Article 6 GDPR#1a
|GDPR_Article_Link_1=Article 6 GDPR#1a


|GDPR_Article_2=Article 7(3) GDPR
|GDPR_Article_Link_2=Article 7 GDPR#3


|GDPR_Article_3=Article 17 GDPR
|GDPR_Article_Link_3=Article 17 GDPR


|Party_Name_1=VOX España
|Party_Name_1=VOX España
Line 48: Line 52:
}}
}}


10 September 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 1,500 € on the far-right political party VOX España (the defendant) for the infringement of the lawfulness principle, as per Article 6(1)(a) of the GDPR.
The Spanish Data Protection Authority (AEPD) imposed a fine of EUR 1,500 to the far-right political party VOX España for the infringement of the lawfulness principle, as per Article 6(1)(a) of the GDPR.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The decision is the consequence of a complaint submitted by a Spanish former representative of the defendant stating that, despite the fact that she had fully unsubscribed from the political party and requested the erasure of all her personal data (even receiving a confirmation to that respect by the DPO of the defendant), she later received an email asking her about the possibility of acting as its representative in the Spanish general elections of November 2019 (according to this last communication, personal data of the former representative have not been duly deleted).
The complainant, a former affiliate to the political party, had fully unsubscribed from the political party and requested the erasure of all her personal data (even receiving a confirmation to that respect by the DPO of the controller). Notwithstanding that, she later received an email asking her about the possibility of acting as a party's representative in the Spanish general elections of November 2019. The complainant, therefore, assumes that her personal data had not been duly deleted. The controller answered to the first AEPD investigation stating that, as soon as the data subject sent the deletion request, her personal data were totally erased.


=== Dispute ===
===Dispute===
The defendant answered to the first AEPD investigation requests stating that, as soon as the former representative sent her deletion request, her personal data were totally erased (and it even attached a certificate by the president of VOX España declaring that the claimant was no longer a representative). The AEPD started the corresponding sanction procedure.
The Authority has to assess the lawfulness of the processing following the withdrawal of consent under Article 7(3) GDPR. The Authority also considers the existence of a deletion request under Article 17 GDPR.


=== Holding ===
===Holding===
Thus, the AEPD understood that VOX España has infringed the lawfulness principle included at Article 6(1)(a) GDPR, as it has processed the personal data of its former representative without her consent in order to send her a communication despite she had requested the full erasure of her data. Consequently, after considering some circumstances [(i) the local scope of the processing activity made by the defendant, (ii) only one person has been affected by the processing activity, (iii) there is no evidence that the defendant has adopted any measures in order to prevent such issues to happen again in the future, (iv) there is no evidence of wilful misconduct by the defendant, even being this issue a very serious breach of the law, (v) the link between the activity of the defendant and the processing of personal data, and (vi) the defendant is a national political party], the AEPD decided to impose a fine of 1,500 € to the defendant.
The AEPD concludes that VOX España has infringed the lawfulness principle as per Article 6(1)(a) GDPR.


== Comment ==
The controller has processed the personal data of its former representative without her consent and despite the fact that she had requested the full erasure of her data. Consequently, after considering some circumstances including, (1) the local scope of the processing activity made by the defendant, (2) only one person has been affected by the processing activity, (3) there is no evidence that the defendant has adopted any measures in order to prevent such issues to happen again in the future, (4) there is no evidence of wilful misconduct by the defendant, even being this issue a very serious breach of the law, (5) the link between the activity of the defendant and the processing of personal data, and (6) the defendant is a national political party, the AEPD decided to impose a fine of 1,500 € to the defendant.
 
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Latest revision as of 13:52, 13 December 2023

AEPD - PS/00051/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 7(3) GDPR
Article 17 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 10.9.2020
Fine: 1500 EUR
Parties: VOX España
National Case Number/Name: PS/00051/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish Data Protection Authority (AEPD) imposed a fine of EUR 1,500 to the far-right political party VOX España for the infringement of the lawfulness principle, as per Article 6(1)(a) of the GDPR.

English Summary

Facts

The complainant, a former affiliate to the political party, had fully unsubscribed from the political party and requested the erasure of all her personal data (even receiving a confirmation to that respect by the DPO of the controller). Notwithstanding that, she later received an email asking her about the possibility of acting as a party's representative in the Spanish general elections of November 2019. The complainant, therefore, assumes that her personal data had not been duly deleted. The controller answered to the first AEPD investigation stating that, as soon as the data subject sent the deletion request, her personal data were totally erased.

Dispute

The Authority has to assess the lawfulness of the processing following the withdrawal of consent under Article 7(3) GDPR. The Authority also considers the existence of a deletion request under Article 17 GDPR.

Holding

The AEPD concludes that VOX España has infringed the lawfulness principle as per Article 6(1)(a) GDPR.

The controller has processed the personal data of its former representative without her consent and despite the fact that she had requested the full erasure of her data. Consequently, after considering some circumstances including, (1) the local scope of the processing activity made by the defendant, (2) only one person has been affected by the processing activity, (3) there is no evidence that the defendant has adopted any measures in order to prevent such issues to happen again in the future, (4) there is no evidence of wilful misconduct by the defendant, even being this issue a very serious breach of the law, (5) the link between the activity of the defendant and the processing of personal data, and (6) the defendant is a national political party, the AEPD decided to impose a fine of 1,500 € to the defendant.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12 Procedure Nº: PS / 00051/2020RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: Ms. AAA (hereinafter, the claimant) filed on 11/14/2019claim before the Spanish Agency for Data Protection. The claim isdirected against VOX ESPAÑA , with NIF G86867108 (hereinafter, the claimed one). Thereasons on which the claim is based are: that on 04-29-2019 he sent an email toVOX with the intention of reporting a series of irregularities and requesting theleave the party; that seeing that she did not receive a response on 05-11-2019 she sent a new oneemail reiterating the unsubscribe and communication to delete all yourdata, receiving acknowledgment of receipt on 05-16-2019 confirming the deletion of thethemselves; that that same day he receives mail for transfer to the department ofaffiliates and on 10-15-2019 an email in your account *** VOX EMAIL.1offering to be a proxy in the general elections of 11/10/2019; that that chargeThey only offer it to affiliates so it follows that they still keep all theirdata.SECOND: Upon receipt of the claim, the Subdirectorate General ofData Inspection proceeded to carry out the following actions:On 12/12/2019, the claim presented was transferred to the entity for analysis andcommunication to the claimant of the decision taken in this regard. Likewise, he isrequired so that within a month it sent to the determined Agencyinformation:- Copy of the communications, of the adopted decision that has been sent to theclaimant regarding the transfer of this claim, and accreditation thatthe claimant has received the communication of that decision.- Report on the causes that have motivated the incidence that has originated theclaim.- Report on the measures adopted to prevent the occurrence ofsimilar incidents.- Any other that you consider relevant.On 12/20/2019, the defendant stated that at the time of having knowledge ofthe request for withdrawal of the former affiliate, it was proceeded as it was answeredby mail and that according to its file was effective on 05/16/2019.Subsequently, on 01/02/2020, a certificate of representative of the aforementioned party was providedpolitical manifesting in that same sense.THIRD: On 02/11/2020, in accordance with article 65 of the LOPDGDD, theDirector of the Spanish Data Protection Agency agreed to admit for processing theclaim filed by the claimant against the defendant.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/12FOURTH: On 03/24/2020, the Director of the Spanish Protection Agencyof Data agreed to initiate a sanctioning procedure for the one claimed by the allegedinfringement of article 6.1.a), typified in article 83.5.a) of the RGPD.FIFTH: Notified the initiation agreement, the one claimed at the time of the presentresolution has not submitted a brief of allegations, so it is applicableindicated in article 64 of Law 39/2015, of October 1, on the ProcedureCommon Administrative of Public Administrations, which in its section f)establishes that in case of not making allegations within the period provided for thecontent of the initiation agreement, it may be considered a proposal forresolution when it contains a precise pronouncement about the responsibilityimputed, for which a Resolution is issued.SIXTH: Once the commencement agreement was notified, the defendant did not present a writtenallegations within the legal term established for this, so it is applicableindicated in article 64 of Law 39/2015, of October 1, on the ProcedureCommon Administrative of Public Administrations, which in its section f)establishes that in case of not making allegations within the period provided for thecontent of the initiation agreement, it may be considered a proposal forresolution when it contains a precise pronouncement about the responsibilityimputed, for which a Resolution is issued.SEVENTH: Of the actions carried out in this proceeding, there have beenaccredited the following:PROVEN FACTSFIRST: On 11/14/2019 the claimant has a written entry in the AEPDstating that on 04-29-2019 he sent an email to VOX with the intention ofaccount for a series of irregularities and request the withdrawal of the party; that notreceive any response, on 05-11-2019 send a new email reiteratingthe withdrawal and, likewise, communicating for the deletion of all your personal data,receiving acknowledgment of receipt on 05-16-2019 confirming the deletion of the data;that that same day he receives mail for transfer to the affiliate department; that he10-15-2019 receives an email offering to be proxy in the electionsof 11/10/2019, when said position is offered only to affiliates for at leastIt follows that they still keep all your personal data; That thisfact is constitutive of infringement in accordance with the RGPD.SECOND: It is clear that the claimant on 05/11/2019 sent an email to VOXpointing out:“I hereby reiterate that you immediately process my withdrawal from the party. AlreadyAn email was sent to them (04-29-2019) accompanied by a letter signed byme to do so and my account has been charged a fee (which has alreadybeen returned).On the other hand, I take the opportunity to communicate my EXPRESS DESIRE to douse of my RIGHT TO DELETE my data, WITHOUT GIVING CONSENTSOME to VOX political party for no treatment (this includescommunications by any means). All this in accordance with art. 15 of Law 3/2018on Data Protection and guarantee of digital rights.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/12Likewise, they are given a period of 10 days to issue a certificate, written oranalogous document that states that ALL my data has been deleted,according to art. 19 of Regulation (EU) 2016/679 of the European Parliament and theCouncil on the protection of natural persons with regard to theprocessing of personal data.After this period has elapsed without a response being obtained, theprocessing of the corresponding complaint to the Spanish Agency for the Protection ofData.Those VOX charges in the province of Castellón are also warnedthat, after the deletion of my data, they continue to use my phone number, emailelectronic or any of my data for any type of communication becauseobtained them through the National VOX Headquarters (affiliation form), withoutdetriment to the responsibilities that these persons may incur in their capacityindividual both administrative and criminal.An application file signed by me is attached ”.THIRD: There is an email sent by the VOX DPO of 05/16/2019responding to the claimant and indicating:"Good morning, we proceed to the deletion of your personal data.Receive a cordial greeting "FOURTH: The claimant received an email on 05/16/2019, the purpose of which was"REITERATING WITHDRAWAL OF THE PARTY AND RIGHT TO DELETE DATA",noting the following:“I forward your message to the Affiliate Management Department.(…) "FIFTH: On 10/15/2019 VOX sent the claimant an email with thefollowing message:(…)Again we have General elections. On this occasion, we already have partners inCongress and the Senate. We have the possibility to enter again with moreforce.Vox is making a great effort to enter the institutions and improve SpainTo avoid the problems of previous elections when counting votes,votes unfairly annulled and lack of ballots, we need your help.EVERY VOTE COUNTS.In this sense, we want you to participate as VOX electoral proxy anddefends the votes that will lead us to more Institutions where we will fight for aSpain better. It is not necessary to be an affiliate and is compatible with being a candidate.It's very simple, go to our proxy website and fill out the form:Register as a proxyOnce sent, you will receive an SMS on your mobile to confirm your request.Later, you will receive in your email inbox, a message thatwill ensure that your data has arrived correctly and the campaign coordinatorsC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/12They will contact you to give you the accreditation and explain your role inthe electoral process.(…)SIXTH: On 01/02/2020, the Secretary General of VOX sent a letter certifying that theclaimant ceased to hold the status of affiliate to said political party from the05/16/2019.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,the Director of the Spanish Data Protection Agency is competent to initiateand to solve this procedure.IILaw 39/2015, of October 1, on the Common Administrative Procedure ofthe Public Administrations, in its article 64 “Agreement of initiation in theprocedures of a sanctioning nature ”, provides:"one. The initiation agreement will be communicated to the instructor of the procedure, withtransfer of how many actions exist in this regard, and the interested parties will be notified,understanding in any case as such the accused.Likewise, the initiation will be communicated to the complainant when the regulationsregulating the procedure so provide.2. The initiation agreement must contain at least:a) Identification of the person or persons allegedly responsible.b) The facts that motivate the initiation of the procedure, its possiblequalification and penalties that may correspond, without prejudice to whatresult of the instruction.c) Identification of the instructor and, where appropriate, Secretary of the procedure, withexpress indication of the regime of challenge of the same.d) Competent body for the resolution of the procedure and regulation thatattributes such competence, indicating the possibility that the allegedresponsible can voluntarily acknowledge their responsibility, with theeffects provided for in article 85.e) Provisional measures that have been agreed by the bodycompetent to initiate the sanctioning procedure, without prejudice to thosecan be adopted during the same in accordance with article 56.f) Indication of the right to make allegations and to a hearing at theprocedure and deadlines for its exercise, as well as an indication that, incase of not making allegations within the term provided on the content of theinitiation agreement, this may be considered a resolution proposalwhen it contains a precise statement about liabilitycharged.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/123. Exceptionally, when at the time of issuing the initiation agreementthere are insufficient elements for the initial qualification of the facts that motivatethe initiation of the procedure, the aforementioned qualification may be carried out in a phaselater by preparing a Statement of Charges, which must be notified tothe interested".In application of the previous precept and taking into account that they have notformulated allegations to the initiation agreement, it is necessary to resolve the procedure initiated.IIIThe denounced facts materialize in the treatment of the data ofpersonal character by the claimed after the request for withdrawal by theaffected; low that was confirmed by the claimed and after the same andyour confirmation the claimant received an email on 10/15/2019 in whichoffered to be empowered in the general elections of 11/10/2019, which isdeduces that your personal data was still kept and continued to betreated by the claimed.Article 58 of the RGPD, Powers , states:"two. Each supervisory authority shall have all the following powerscorrective measures listed below:(…)i) impose an administrative fine in accordance with article 83, in addition or inplace of the measures mentioned in this section, depending on the circumstancesof each particular case;(…) "Article 5, Principles relating to treatment , of the RGPD establishes that:"one. The personal data will be:a) treated in a lawful, loyal and transparent manner with the interested party (<< legality,loyalty and transparency(…)d) accurate and, if necessary, updated; all measures will be takenreasonable for the personal data to be deleted or rectified without delaythat are inaccurate with respect to the purposes for which they are treated("accuracy");(…)2. The person responsible for the treatment will be responsible for compliance with theprovided in section 1 and capable of demonstrating it (proactive responsibility) "On the other hand, article 6, Legality of treatment, of the RGPD establishes that:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/12"one. The treatment will only be lawful if at least one of the following is metterms:a) the interested party gave their consent for the processing of their datapersonal for one or more specific purposes;b) the treatment is necessary for the performance of a contract in which theinterested is part or for the application at the request of this of measurespre-contractual;(…) "And article 4 of the RGPD, Definicione s, in its section 11, states that:"11)" consent of the interested party ": any manifestation of free will,specific, informed and unequivocal by which the interested party accepts, either througha statement or a clear affirmative action, the processing of personal data thatthey concern him ”.Also article 17 of the RGPD, Right of deletion (“the right toI forget »), states:"one. The interested party shall have the right to obtain without undue delay theresponsible for the treatment the deletion of the personal data that concerns him, thewhich will be obliged to delete without undue delay the personal data whenany of the following circumstances concur:a) the personal data is no longer necessary in relation to the purposes forthose that were collected or otherwise treated;b) the interested party withdraws the consent on which the treatment ofin accordance with Article 6 (1) (a) or Article 9 (2) (a), andit is not based on another legal basis;c) the interested party objects to the processing in accordance with article 21, paragraph 1,and no other legitimate reasons for the treatment prevail, or the interested partyobject to the processing pursuant to Article 21 (2);d) the personal data has been unlawfully processed;e) personal data must be deleted to comply with alegal obligation established in the law of the Union or of the Member States thatapplies to the controller;f) the personal data have been obtained in relation to the offer of servicesof the information society mentioned in article 8, paragraph 1.2. When you have made the personal data public and are obliged, by virtue ofof the provisions of section 1, to delete said data, the person responsible for thetreatment, taking into account the available technology and the cost of its application,take reasonable measures, including technical measures, with a view to informingresponsible for processing the personal data of the interested party's request fordeletion of any link to such personal data, or any copy or replica ofthe same.3. Sections 1 and 2 will not apply when the treatment is necessary:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/12a) to exercise the right to freedom of expression and information;b) for the fulfillment of a legal obligation that requires the treatment ofdata imposed by the law of the Union or of the Member States that appliesto the person responsible for the treatment, or for the fulfillment of a mission carried out inpublic interest or in the exercise of public powers conferred on the person responsible;c) for reasons of public interest in the field of public health ofin accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3;d) for archival purposes in the public interest, scientific research purposes orhistorical or statistical purposes, in accordance with article 89, paragraph 1, in theTo the extent that the right indicated in paragraph 1 could make it impossible toseriously impede the achievement of the objectives of such treatment, ore) for the formulation, exercise or defense of claims ”.On the other hand, article 6, Treatment based on the consent of theaffected , of the new Organic Law 3/2018, of December 5, on Data ProtectionPersonal and guarantee of digital rights (hereinafter LOPDGDD), statesthan:"one. In accordance with the provisions of article 4.11 of the Regulation (EU)2016/679, the consent of the affected party is understood to be any manifestation of willfree, specific, informed and unequivocal for which it accepts, either through adeclaration or a clear affirmative action, the processing of personal data thatconcern.2. When the data processing is intended to be based on consentof the affected party for a plurality of purposes, it will be necessary to record in aspecific and unequivocal that said consent is granted for all of them.3. The execution of the contract may not be subject to the consent of the affected partyprocessing of personal data for purposes that are not related to themaintenance, development or control of the contractual relationship ”.IVThe offense attributed to the claimed party is classified in theArticle 83.5 a) of the RGPD, which considers that the violation of “the basic principlesfor the treatment, including the conditions for consent under theArticles 5, 6, 7 and 9 ” is punishable, in accordance with section 5 of the aforementionedArticle 83 of the aforementioned Regulation , “with administrative fines of € 20,000,000 asmaximum or, in the case of a company, an amount equivalent to 4% asmaximum total annual global business volume of the previous financial year,opting for the highest amount ”.The LOPDGDD in its article 71, Infractions, states that: “They constituteoffenses the acts and conducts referred to in sections 4, 5 and 6 of theArticle 83 of Regulation (EU) 2016/679, as well as those that are contrary to thepresent organic law ”.And in its article 72, it considers for the purposes of prescription, which are: “Infractionsconsidered very serious:C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/121. In accordance with the provisions of article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inin particular, the following:(…)b) The processing of personal data without the concurrence of any of theconditions of legality of the treatment established in article 6 of the Regulation(EU) 2016/679.(…)VThe documentation provided to the file shows that the complainant hasArticle 6.1.a) of the RGPD has been violated, since it has carried out an illegal treatment ofthe data of the claimant when sending email 10/15/2019 without authorization orconsent to having previously requested their withdrawal from the party andThis has been confirmed by email sent by the claimed to theaffected. In this case, there is no other cause of legitimation of the treatment withafter the request to cancel your data and the response that they hadbeen canceled.The Secretary General of the political organization himself in writing sent toThis directive center has certified that the claimant ceased to hold theAffiliate status of said political party since 05/16/2019.The Administrative Litigation Chamber of the National Court, inSimilar assumptions have been considered that when the owner of the data denies theconsent to the processing of your data corresponds to the burden of proofwho affirms its existence and the person responsible for the treatment must collect andkeep the necessary documentation to prove the consent of the owner. So,SAN of 05/31/2006 (Rec. 539/2004), Fourth Law Foundation.It should be noted that respecting the principle of legality of the data requires thatit is proven that the owner of the data consented to the processing of the data ofpersonal character and deploy a reasonable diligence essential to provethat extreme. Otherwise, the result would be to empty the principle oflegality.SAWC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/12In order to establish the administrative fine to be imposed, they mustobserve the provisions contained in articles 83.1 and 83.2 of the RGPD, whichpoint out:"one. Each supervisory authority shall ensure that the imposition of finesadministrative under this article for the infractions of thisRegulations indicated in paragraphs 4, 5 and 6 are in each individual caseeffective, proportionate and dissuasive.2. Administrative fines will be imposed, depending on the circumstancesof each individual case, as an additional or substitute for the measures contemplatedin article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fineadministrative and its amount in each individual case will be duly taken into account:a) the nature, severity and duration of the offense, taking into account thenature, scope or purpose of the processing operation of whichtryb) as well as the number of affected stakeholders and the level of damage anddamages they have suffered;b) intentionality or negligence in the infringement;c) any measure taken by the controller or processorto mitigate the damages suffered by the interested parties;d) the degree of responsibility of the person in charge of thetreatment, taking into account the technical or organizational measures that haveapplied by virtue of articles 25 and 32;e) any previous infringement committed by the person in charge or the person in charge of thetreatment;f) the degree of cooperation with the supervisory authority in order toremedy the violation and mitigate the possible adverse effects of the violation;g) the categories of personal data affected by the infringement;h) the way in which the supervisory authority learned of the infringement, inparticular if the person in charge or the person in charge notified the infringement and, in such case,what extent;i) when the measures indicated in Article 58 (2) have beenpreviously ordered against the person in charge or the person in chargein relation to the same matter, compliance with said measures;j) adherence to codes of conduct under article 40 or to mechanismscertification approved in accordance with Article 42, andk) any other aggravating or mitigating factor applicable to the circumstances of thecase, such as financial benefits obtained or losses avoided, director indirectly, through infringement.In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in itsArticle 76, “Sanctions and corrective measures”, establishes that:"two. In accordance with the provisions of article 83.2.k) of Regulation (EU)2016/679 may also be taken into account:a) The continuing nature of the offense.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/12b) The linking of the offender's activity with the performance of treatmentsof personal data.c) The benefits obtained as a result of the commission of the offense.d) The possibility that the affected person's conduct could have led to thecommission of the offense.e) The existence of a merger process by absorption after the commissionof the infringement, which cannot be attributed to the absorbing entity.f) Affecting the rights of minors.g) To have, when not mandatory, a delegate for the protection ofdata.h) The submission by the person in charge or in charge, with charactervoluntary, to alternative dispute resolution mechanisms, in thoseassumptions in which there are controversies between those and any interested party. "In accordance with the transcribed precepts, and without prejudice to what results from theinstruction of the procedure, in order to fix the amount of the fine sanction toimpose in the present case for the offense typified in article 83.5.a) of the RGPDfor which the claimed person is responsible, in an initial assessment, it is estimatedconcurrent the following factors:The merely local scope of the treatment carried out by the entityclaimed.Only one person has been affected by the offending conduct.Although the damage to the claimant exists, it can be considered that it is notsignificant.The claimed entity does not record that it has adopted measures to preventproduce similar incidents.There is no evidence that the entity acted maliciously, althoughthe action reveals a serious lack of diligence.The linking of the offender's activity with the performance of treatment ofPersonal data.The claimed entity is a nationally established political party.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven,The Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE VOX ESPAÑA, with NIF G86867108 , for a violation of thearticle 6.1.a) of the RGPD, typified in article 83.5.a) of the RGPD and considered toprescription effects in article 72.b) of the LOPDGDD as very serious, asanction of € 1,500 (one thousand five hundred euros).SECOND: NOTIFY this resolution to VOX ESPAÑA, with NIF G86867108.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 11
11/12THIRD: Warn the sanctioned person that the sanction imposed by aOnce this resolution is enforceable, in accordance with the provisions of theart. 98.1.b) of Law 39/2015, of October 1, on Administrative ProcedureCommon of Public Administrations (hereinafter LPACAP), within the payment periodvoluntary established in art. 68 of the General Collection Regulations, approvedby Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,of December 17, by means of their entry, indicating the NIF of the sanctioned person and the numberof procedure that appears in the heading of this document, in the accountrestricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the AgencySpanish Data Protection Agency in the bank CAIXABANK, SA. In caseOtherwise, it will be collected in the executive period.Once the notification has been received and once it is executed, if the date of execution isfinds between the 1st and 15th of each month, both inclusive, the deadline to carry out thevoluntary payment will be until the 20th of the following or immediately subsequent business month, and ifis between the 16th and last days of each month, both inclusive, the term of thePayment will be up to the 5th of the second following or immediate business month.In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data ProtectionC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 12
12/12