AEPD - PS/00062/2020
|AEPD - PS/00062/2020|
|Relevant Law:||Article 13 GDPR|
Article 11 LOPDGDD
|Parties:||Predase Servicios Integrales SL|
Predase Servicios Integrales SL
|National Case Number/Name:||PS/00062/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
English Summary[edit | edit source]
Facts[edit | edit source]
Predase Servicios Integrales SL (PSI) provides advice on a range of issues such as occupational risk prevention; data protection or insurance. On its webpage, PSI has a section of interested parties which included requirements to fill in address, telephone number and had a data collection form.
To justify this, PSI mentioned that the contact form was not operational, so an email address was provided instead.
The Spanish DPA encountered many errors (server permission denial and object not found) attempting to access the website during its investigation. At the time of the decision, the website was still not accessible
Dispute[edit | edit source]
Holding[edit | edit source]
The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing to provide information to parties interested in their services. The Spanish DPA also refered to Article 11 of the national Spanish Law on Data Protection and Digital Rights (LOPDGDD) on the provision of information to data subjects.
The Spanish DPA therefore went to conclude that PSI violated Article 13 GDPR by provided a contact section that included requirements for telephone, an email and a data collection form without providing information on the data processing at stake.
The argument that the contact section was not operational and therefore not collecting personal data could not be verified by the DPA due to the website's errors. Therefore, this argument was dismissed by the DPA. Similarly, the DPA held that the fact that the form is not operational, does not mean that the controller in charged of a webpage does not have to comply with the duty to provide information as per Article 12 and 13 GDPR. This is the case as the website would process personal data even if interested parties contact PSI via the email address provided.
The Spanish DPA therefore imposed a fine of €5000 on Predase Servicios Integrales SL for infringing Article 13 GDPR.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.