AEPD (Spain) - PS/00062/2020
From GDPRhub
| AEPD - PS/00062/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 13 GDPR Article 11 LOPDGDD |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | 28.01.2021 |
| Published: | 08.02.2021 |
| Fine: | 5000 EUR |
| Parties: | Predase Servicios Integrales SL Predase Servicios Integrales SL |
| National Case Number/Name: | PS/00062/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA (AEPD) imposed a fine of €5,000 on Predase Servicios Integrales SL for infringing Article 13 GDPR. PSI did not have a privacy policy, nor any information on processing in the contact section of its webpage (which required the provision of personal data).
English Summary
Facts
Predase Servicios Integrales SL (PSI) provides advice on a range of issues such as occupational risk prevention; data protection or insurance. On its webpage, PSI has a section of interested parties which included requirements to fill in address, telephone number and had a data collection form.
However, investigations by the Spanish DPA showed that PSI's website did not have a privacy policy, nor provided information in accordance with Article 13 GDPR.
To justify this, PSI mentioned that the contact form was not operational, so an email address was provided instead.
The Spanish DPA encountered many errors (server permission denial and object not found) attempting to access the website during its investigation. At the time of the decision, the website was still not accessible
Dispute
Does the lack of a privacy policy or information on data processing on a webpage's contact section breach Article 13 GDPR even if the contact form is not operational?
Holding
The Spanish DPA (AEPD) held that the defendant, PSI, violated Article 13 GDPR by failing to provide information to parties interested in their services. The Spanish DPA also refered to Article 11 of the national Spanish Law on Data Protection and Digital Rights (LOPDGDD) on the provision of information to data subjects.
The Spanish DPA therefore went to conclude that PSI violated Article 13 GDPR by provided a contact section that included requirements for telephone, an email and a data collection form without providing information on the data processing at stake.
The argument that the contact section was not operational and therefore not collecting personal data could not be verified by the DPA due to the website's errors. Therefore, this argument was dismissed by the DPA. Similarly, the DPA held that the fact that the form is not operational, does not mean that the controller in charged of a webpage does not have to comply with the duty to provide information as per Article 12 and 13 GDPR. This is the case as the website would process personal data even if interested parties contact PSI via the email address provided.
The Spanish DPA therefore imposed a fine of €5000 on Predase Servicios Integrales SL for infringing Article 13 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/16
Procedure No.: PS / 00062/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the claimant) dated March 20, 2019
filed a claim with the Spanish Data Protection Agency. The
claim is directed against PREDASE SERVICIOS INTEGRALES SOCIEDAD
LIMITED with NIF B02547164 (hereinafter, the claimed). The reasons on which it bases
the claim are as follows:
"[….] SECOND. - On the Internet page with the domain name
«Www.predase.es», and under the trade name «PREDASE», are offered, among others,
regulatory compliance services within the scope of Regulation (EU) 2016/679 and of
Organic Law 3/2018. […]
THIRD. - Scrolling down the sidebar of the browser on the page of
start, you have access to various links related to the presence in different
Internet social networks of the natural or legal person acting under the name
commercial «PREDASE».
In relation to data protection services, it stands out, in the margin
left of the screen, the image of a padlock that includes the legend «RGPD /
LOPD », […]
BEDROOM. - By clicking on the image of the aforementioned padlock, you are linked to a
publication in the public profile of «PRÉDASE» on the social network Google+, in which
a quadrilateral appears that groups the graphic symbols of «PRÉDASE» and of the
SPANISH AGENCY FOR DATA PROTECTION, without distinguishing between them,
and adding to the set the contact details of the natural or legal person that
acts under said trade name. […]
SIXTH.- In this sense, the grouping of the graphic symbols of «PRÉDASE» and of
the SPANISH DATA PROTECTION AGENCY, considered as a whole
homogeneous within the same quadrilateral, without distinguishing between its components, and
adding to the set the contact details of the natural or legal person acting
under said trade name, it could be constitutive of an unlawful act consisting of
generate «the appearance that it is acting in the name, on behalf of or in
collaboration with the Spanish Agency for Data Protection ”, in relation to the
indiscriminate publication or communication of its offer of services in the field of
data protection to your entire network of contacts in the social network Google+ and to
Anyone responsible and in charge of the treatments who visit your page of
Internet for the purpose of contracting professional compliance services
normative in this area.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/16
SEVENTH. - As a consequence, this alleged misleading and illegitimate use of the
graphic symbol of the SPANISH DATA PROTECTION AGENCY can
suppose an aggressive practice in terms of data protection, generating the
Image of a false endorsement of the aforementioned supervisory authority in relation to the services
offered by the natural or legal person acting under the trade name
«PRÉDASE».
EIGHTH. - This practice has its supposed continuation in a second performance
that allegedly could incur in letter c) of the Additional Provision
sixteenth of Organic Law 3/2018, which considers aggressive practice in matters
of data protection the performance of "commercial practices in which the
decision-making power of the recipients by referring to the possible imposition
of sanctions for breach of the personal data protection regulations »:
"It can not be true!!!!! You are not yet adapted to the new general regulation of
data protection (RGPD). DO NOT wait for them to sanction you, find out at C /
*** ADDRESSB.1 or *** URL.1 ”[…]
NINTH.- As a corollary of what has been stated so far, the facts and factual elements
related in this brief could suppose an alleged conjunction of
aggressive practices in terms of data protection, through interference
undue not only in the image and powers of the Spanish Protection Agency
of Data, but also in the autonomy of the will of those responsible and
those in charge of the treatments, through an alleged distortion of the spirit of the
legal regulations on data protection.
TENTH. - The Internet page with the domain name "*** URL.1" does not facilitate the
general information established in article 10 of Law 34/2002, of July 11, on
information society and electronic commerce services.
Likewise, despite having a personal data collection form,
nor does it provide a privacy policy in order to comply with
what is established in articles 12 (right of transparency) and 13 (right of
information) of Regulation (EU) 2016/679 of the European Parliament and of the Council,
of April 27, 2016, regarding the protection of natural persons in what
Regarding the processing of personal data and the free circulation of these data and
repealing Directive 95/46 / EC (General Regulation for the protection of
data)."
Along with the claim, it provides screenshots of the web, of the social network Google+
and Facebook for evidential purposes of what is stated in the brief. It also incorporates
copy of the Notarial Accountability Deed granted before the notary of the city of
*** LOCALIDAD.1, D. B.B.B., dated March 18, 2019, Protocol No. 620, of the
content of the web page that leads to the PREDASE profile on the social network
GOOGLE +.
SECOND: On April 23, 2019, proceedings are carried out in this Agency to
to state that, after an analysis of the web page that is the object of the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/16
claim (www.predase.es), does not have the same identification of your
responsible or information regarding privacy policy.
THIRD: The claim was admitted for processing on April 29, 2019.
FOURTH: In view of the facts reported in the claim and the documents
provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out preliminary investigation actions to clarify the
facts in question, by virtue of the powers of investigation granted to the
control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation
General Data Protection, hereinafter RGPD), and in accordance with the
established in Title VII, Chapter I, Second Section, of Organic Law 3/2018,
of December 5, Protection of Personal Data and guarantee of rights
digital (hereinafter LOPDGDD).
As a result of the investigative actions carried out, the report prepared
by the acting inspector reveals the following:
“Regarding the fact of the use of the logo of this Agency together with
the logo and contact information of PREDASE, this is verified by
the notarial deed presented by the claimant of the content of the page
web that leads to the PREDASE profile on the GOOGLE social network + done appear
grouped together, and as a whole, the PREDASE logo, the logo of this Agency, the
European flag, and PREDASE contact information.
Regarding the denounced fact of the publication on the social network FACEBOOK and the
indicated in the claim according to the sixteenth additional provision, letter c) that
establishes aggressive practice regarding data protection:
“Carry out commercial practices in which the decision-making power of the
recipients by referring to the possible imposition of sanctions for
breach of the personal data protection regulations ”.
It is found that in PREDASE's FACEBOOK profile, dated March 12
2019, the following content was published:
"It can not be true!!!!! You are not yet adapted to the new general regulation of
data protection (RGPD). DO NOT wait for them to sanction you, find out at C /
*** ADDRESS.1 or *** URL.1. "
Access to this publication is still available at the date of this report. Diligence is recorded in
the SIGRID system with the screen print of the publication.
It is also verified that the website of PREDASE, a company of
advice, among other issues, on data protection, lacks policy
of privacy and collect data in your contact form without the need for the
acceptance of treatment.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/16
It is recorded in the SIGRID diligence system with the only content page of the site
Web.
Nor is the ownership of the website reported as stated in article 10 of
Law 34/2002, of July 11, on information society services and
e-commerce, mentioning the commercial brand as a company name
PREDASE
On June 28, 2019, it is received at this Agency, with registration number
032629/2019, letter sent by ORANGE ESPAGNE, S.A.U. informing that the
ownership of the line *** TELEPHONE. 1 that appears on the website corresponds to
C.C.C., with DNI *** NIF.1 and installation address on the street *** ADDRESS.1,
*** LOCALITY. 1.
After a search in the Central Mercantile Registry, the
PREDASE SERVICIOS INTEGRALES SOCIEDAD LIMITADA, with registered office
coinciding with the one that appears on the website denounced and in which the owner of the
The contact telephone number that appears on the website appears as the sole administrator.
The Mercantile Registry report is recorded in the SIGRID system, as an associated object.
Central.
For all the above, it can be affirmed that the facts denounced are true and
that the company responsible for the website referred to in the claim is PREDASE
SERVICIOS INTEGRALES SOCIEDAD LIMITADA. "
FIFTH: Consulted on March 10, 2020, the application of the AEPD was
verifies that the only sanctioning procedure in which the claim appears as
mercantile PREDASE SERVICIOS INTEGRALES SOCIEDAD LIMITADA with NIF
B02547164, is the present procedure.
SIXTH: On March 17, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for the complained party, by the
alleged infringement of article 13 of the RGPD, typified in article 83.5 of the aforementioned
rule.
SEVENTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written
allegations on June 25, 2020 where he requested the filing of the procedure
sanctioner and revealed the following:
"[...]
Regarding the data form, it is not operational (nor has it ever been). Of
In fact, it is an addition of a template in order to use the "blue popup" style of the
Contact Form. You can see that it does not display any error message in case of
do not enter data (or do it wrongly), nor do you have a satisfactory message in
shipping case. It just redirects directly to the home screen.
It is enough to note that if said form were functional and operational, the
email address to the left of it (since it would be redundant
and unnecessary). "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/16
[…] "
EIGHTH: On August 10, 2020, the procedure instructor agreed to the
opening of a period of practice of tests, being considered reproduced, for the purpose of
evidencing the claim filed by the claimant, the data obtained and
generated by the Subdirectorate General for Data Inspection and the allegations
presented by the defendant. Since it was not possible to notify this opening of the period
test practice, due to the expiration of the electronic notification, on the 1st of
September 2020, a reiteration of the document was sent, which was notified on
same day 1.
NINTH: On October 5, 2020, the
Checks carried out on September 21, 25 and 29 and October 5, 2020
on the web www.predase.es.
TENTH: On October 19, 2020, a resolution proposal was formulated,
proposing a penalty of warning be imposed on the defendant, for a
infringement of article 13 of the RGPD, typified in article 83.5 of the same rule.
In this proposal, a period of 10 days was granted so that the defendant could
allege whatever is considered in his defense, as well as present the documents and
information deemed pertinent, in accordance with article 89.2 of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations (hereinafter, LPACAP).
The proposed resolution was notified on October 30 and the defendant submitted
brief of allegations on November 13, stating the following:
"[...]
FIRST: In points THIRD, FOURTH and SIXTH (since the point
FIFTH) of the complaint, interprets the alleged union of the PRÉDASE and
of the AEPD as an attempt of association in the face of potential clients.
Assuming that it is a mere question of structural organization of the design
web and graphic, any minimally informed person knows how to distinguish between the
Spanish Data Protection Agency and a service provider company
(call it PRÉDASE, AUDIDAT or any other).
As indicated by the complainant and appears, clearly in capital letters, on the
header of said website, said image belongs to the SOCIAL NETWORKS of the
company (not to the services provided, estimates, invoices, or any other
public document that could, effectively, imply an improper use
of the AEPD logo).
Indeed, said publication was made on March 12, 2019 and the link
corresponds to the social network Google+, which has not been operational since April 2,
2019 (it was canceled by Google on that date). Following your twisted reasoning
and personal, the use of the Facebook, Google or Twitter logos would also imply
a deception of any customer who visited your website by giving rise to the mistake that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/16
PRÉDASE (as in your case AUDIDAT) are part of or act on behalf of said
Business.
SECOND: Again at the SEVENTH, EIGHTH and NINTH points the
complainant once again attributes judicial powers (which border on insult and
slander) by directly labeling it as "misleading, illicit, image of false authority,
aggressive practices or restricting the ability to make decisions "(since the use of
adjective "presumed" preceding all these niceties does not reduce the least or
lessens their accusations) which in any company is a simple
advertising campaign on social networks.
THIRD: In reference to the alleged breach of Art. 10 of Law 34/2002 of
July 11, as you will have been able to verify (and according to assures you have captures of
screen 'notarized') all contact information: Name (commercial),
address, phone and email are clearly visible. Not being mandatory for a
autonomous (name under which the company operated at the time of its
complaint) the registration in the Mercantile Registry.
However, and as you can see in the attached document (“Metadata
*** METADATA.1 ”) and despite not being mandatory, a simple search in the
metadata of the web (and therefore publicly accessible in any search engine or
web browser) if the owner's information "C.C.C. - *** NIF.1" appears under the "meta
tag "*** META TAG.1.
Regarding the data form and as you will also have been able to verify in your
Flawless detective work, it is not operational (nor has it ever been). Of
In fact, it is an addition of a template in order to use the "blue popup" style of the
Contact Form. You can see that it does not display any error message in case of
do not enter data (or do it wrongly), nor do you have a satisfactory message in
shipping case. It just redirects directly to the home screen (I hope there
left this also duly registered in a notarial public deed).
It is enough to note that if said form were functional and operational, the
email address to the left of it (since it would be redundant
and unnecessary).
FOURTH: The denounced facts must be considered prescribed based on the
Sections 1 and 2 of Art. 30 of Law 40/2015 of October 1, on the Legal Regime
of the Public Sector, therefore applicable to the AEPD, regarding the prescription of
infractions:
1. The infractions and sanctions will prescribe according to the provisions of the laws that
establish. If they do not set limitation periods, very serious offenses
They will prescribe after three years, the serious ones after two years and the minor ones after six months; the
Sanctions imposed for very serious offenses will prescribe after three years, those imposed
for serious offenses after two years and those imposed for minor offenses after one year.
2. The statute of limitations for infringements will begin to run from the day on which
that the offense had been committed. In the case of ongoing or
permanent, the term will begin to run from the end of the offending conduct.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/16
For all the above, WE REQUEST:
That the COMPLAINT IS Filed from the Spanish Agency for Data Protection
based both on the lack of veracity of the facts denounced, as well as on the
prescription of time limits from the date of the complaint.
LASTLY: From PRÉDASE SERVICIOS INTEGRALES S.L. (current company name
of the company) we do not know the motivation of the complainant in light of the facts above
exposed. Only understandable under the eagerness to intimidate and try to eliminate the
competition through denunciations and "chuscas y barriobajeras" actions such as the
detailed inspection of our website (which by the way, we are updating
together with the IT company, in order to correct the slightest error).
In their eagerness to discredit us or for us to desist in the provision of our
services, Mr. A.A.A. (on behalf of AUDIDAT) demonstrates a manifest
incompetence in your complaint by being unable to locate our postal address at the
to direct the complaint, which was clearly indicated on the same website
object of your complaint (thus forcing the AEPD to resort to Orange
Espagne SAU to provide an address that we do not know at all and that nothing
it has to do with our mercantile). "
In view of all the actions, by the Spanish Agency for Data Protection
In the present proceeding, the following are considered proven facts,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/16
ACTS
FIRST: PREDASE SERVICIOS INTEGRALES S.L. is a company of
advice on various matters such as occupational risk prevention, protection
of data or insurance that the web page had on the internet *** URL.1.
SECOND: The website had a contact section for potential interested parties
in your services, including address, telephone, email and a form
data collection.
THIRD: The website lacked a privacy policy and did not provide the
information regulated in article 13 of the RGPD, as shown in the
previous investigation actions carried out.
FOURTH: The defendant states that the form was not operational and that for that reason
reason the email address was provided.
FIFTH: The website is not accessible in the checks carried out on
days 21, 25 and 29 of September and 5 of October of 2020 since it returns an error of
access by server permission denial (Error 403) and object not found
(Additional 404 error).
SIXTH: The website is still not accessible in the checks carried out on the 8th and
January 12, 2021, returning the same error indicated in the previous event.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Data Protection Agency is competent to resolve this
process.
II
The defendant is charged with committing an offense for violation of article 13
of the RGPD, regarding the information that must be provided when the data is
obtained from the interested party, which establishes that:
"1. When personal data relating to him are obtained from an interested party, the
responsible for the treatment, at the time these are obtained, will provide
all the information indicated below:
a) the identity and contact details of the person in charge and, where appropriate, of their
representative;
b) the contact details of the data protection officer, if applicable;
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/16
c) the purposes of the treatment to which the personal data are destined and the legal basis
of the treatment;
d) when the treatment is based on article 6, paragraph 1, letter f), the interests
legitimate rights of the person in charge or of a third party;
e) the recipients or categories of recipients of personal data, in their
case;
f) where appropriate, the intention of the person responsible to transfer personal data to a third party
country or international organization and the existence or absence of a decision of
adequacy of the Commission, or, in the case of transfers indicated in the
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate warranties and the means to obtain a copy of these or
to the fact that they have been borrowed.
2. In addition to the information mentioned in section 1, the person responsible for the
treatment will facilitate the interested party, at the time the data is obtained
personal information, the following information necessary to guarantee data processing
loyal and transparent:
a) the period during which the personal data will be kept or, when it is not
possible, the criteria used to determine this deadline;
b) the existence of the right to request the data controller for access to the
personal data relating to the interested party, and its rectification or deletion, or the limitation
of its treatment, or to oppose the treatment, as well as the right to portability
of the data;
c) when the treatment is based on article 6, paragraph 1, letter a), or article
9, paragraph 2, letter a), the existence of the right to withdraw consent in
at any time, without affecting the legality of the treatment based on the
consent prior to its withdrawal;
d) the right to file a claim with a supervisory authority;
e) if the communication of personal data is a legal or contractual requirement, or a
necessary requirement to sign a contract, and if the interested party is obliged to provide
personal data and is informed of the possible consequences of not
provide such data;
f) the existence of automated decisions, including profiling, to be
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information
significant on the applied logic, as well as the importance and consequences
provided for said treatment for the interested party.
3.When the data controller plans the further processing of data
personal data for a purpose other than that for which they were collected, will provide the
interested party, prior to said further processing, information on that other purpose
and any additional relevant information pursuant to section 2.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/16
4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the
to the extent that the interested party already has the information. "
The violation of this article is classified as an infringement in article 83.5 of the RGPD,
which it considers as such:
"Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
[…] B) the rights of the interested parties pursuant to Articles 12 to 22; […]. "
For the purposes of the statute of limitations for the offense, article 72.1 of the LOPDGDD
establishes:
"Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein, and, in particular, the
following:
[…] H) The omission of the duty to inform the affected party about the treatment of their
personal data in accordance with the provisions of articles 13 and 14 of the Regulation
(EU) 2016/679. […] ”.
III
This sanctioning procedure has its origin, as indicated in the agreement
of initiation and it was reiterated in the resolution proposal, in the absence of
privacy of the website www.predase.es. As regards the
complaints regarding aggressive practices in terms of data protection
(specifically framed in letters b) and c) of the additional provision
sixteenth of the LOPDGDD: «to generate the appearance that it is acting in
name, on behalf of or in collaboration with the Spanish Agency for the Protection of
Data or an autonomous data protection authority in carrying out
any communication to those responsible and in charge of the treatments in which the
sender offers its products or services "and" carry out commercial practices in the
that the decision-making power of the recipients is curtailed by referring to the
possible imposition of sanctions for non-compliance with the regulations for the protection of
personal data ”, respectively), it means that its regulation is carried out
by Law 3/1991, of January 10, on Unfair Competition, not showing the Agency
Spanish Data Protection competences in this matter.
"Article 5 of the RGPD, regarding the principles of personal data processing
enunciates in his letter to the one of "legality, loyalty and transparency", principle in which to his
Considering 39: “All processing of personal data must be lawful and
loyal. For natural persons it must be completely clear that they are being collected,
using, consulting or otherwise processing personal data that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/16
concern, as well as the extent to which said data is or will be processed. The beginning
transparency requires that all information and communication regarding the treatment of
such data is easily accessible and easy to understand, and that a language is used
simple and clear. This principle refers in particular to the information of the
interested parties about the identity of the person responsible for the treatment and the purposes of the same and
to the information added to ensure fair and transparent treatment with
regarding the affected natural persons and their right to obtain confirmation and
communication of personal data concerning them that are the subject of
treatment. Natural persons must be aware of the risks, the
rules, safeguards and rights regarding the processing of personal data
as well as the way to enforce your rights in relation to the treatment. In
In particular, the specific purposes of the processing of personal data must be
explicit and legitimate, and must be determined at the time of collection. The data
Personal data must be adequate, relevant and limited to what is necessary for the purposes
for those who are treated. This requires, in particular, ensuring that it is limited to a
Strict minimum its conservation period. Personal data should only be processed if
the purpose of the treatment could not reasonably be achieved by other means. For
ensure that personal data is not kept longer than necessary, the
responsible for the treatment has to establish deadlines for its deletion or revision
periodic. All reasonable steps must be taken to ensure that
rectify or delete personal data that are inaccurate. Personal information
should be treated in a way that ensures adequate security and confidentiality
of personal data, including to prevent unauthorized access or use of
said data and the equipment used in the treatment. "
Recital 60 links the duty of information with the principle of transparency,
by establishing that “The principles of fair and transparent treatment require that
inform the interested party of the existence of the treatment operation and its purposes. The
responsible for the treatment must provide the interested party with all the information
complementary is necessary to guarantee fair and transparent treatment,
taking into account the specific circumstances and context in which the
personal information. The interested party must also be informed of the profiling
and the consequences of such elaboration. If the personal data is obtained from
interested parties must also be informed if they are obliged to provide them and of the
consequences should they fail to do so […] '. In this order, article 12.1 of the
RGPD regulates the conditions to ensure its effective implementation and article 13
specifies what information should be provided when the data is obtained from the
interested.
In turn, article 11 LOPDGDD introduces the information rule by layers when
has:
"1. When personal data is obtained from the affected party, the person responsible for the
treatment may comply with the duty of information established in article
13 of Regulation (EU) 2016/679, providing the affected party with basic information to the
referred to in the following section and indicating an email address or other
means that allows easy and immediate access to the rest of the information.
2. The basic information referred to in the previous section must contain, at the
less:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/16
a) The identity of the person responsible for the treatment and their representative, if applicable.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679. […] ”.
In relation to the foregoing, the proven facts show that the website
It had a contact section for potential clients that included the
telephone, an email and a data collection form, without stating
no section that provides the information that, in accordance with article 13 of the
RGPD, must be provided about the processing of data likely to be generated
by providing personal damage through any of the means of contact
referrals.
With regard to the claimed claim made in the brief of
response of June 25, 2020 to the commencement agreement, in the sense that the
form was not operational and that by not collecting data effectively,
indicated next to the email address, it has not been possible to verify the
veracity of said statement about the functionality of the aforementioned form as it is not
possible access to the website in the checks carried out. Now the
The fact that the form has not been operational, does not prevent the web page
must comply with the duty of information established in article 12 of the RGPD and
specified in the subsequent article 13 for situations in which the information is
obtained from the interested party, since the collection of personal data is susceptible to
also be done through the rest of the published means of contact (and
particularly, as the complainant himself points out, by means of the email address
electronic that has been indicated supplying the lack of functionality of the form).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/16
And with regard to the allegations presented by the defendant to the proposal of
resolution, and that they are objectified in the alleged prescription of the imputed infringement and
in the statement that the website is in the process of being updated,
the following is noted:
Regarding the possible prescription of the offense, the defendant alleges that it would be
applicable those provided in article 30 of Law 40/2015, of October 1, of the
Legal Regime of the Public Sector (hereinafter, LRJSP) and that the facts
denounced should be considered prescribed since, according to the underlined that
accompanies this writing, the defendant seems to understand that the alleged infringement is
would consider mild (and prescribe at 6 months) and that the term would begin to
computed from the day it was committed. These arguments cannot
to qualify for several reasons:
1. Article 30.1 of the LRJSP provides that “Infractions and sanctions
They will prescribe according to the provisions of the laws that establish them. […] ”. In this
In this sense, the LOPDGDD has a Title, IX, dedicated to the regime
sanctioner. Within this title, article 71 establishes that they constitute
offenses the acts and conducts typified in article 83, sections 4, 5 and
6 of the RGPD as well as those contrary to the LOPDGDD itself and dedicates the
Articles 72 to 74 to determine a gradation of infractions in very
serious, serious and minor, instituting the statute of limitations for each of the
the levels. Therefore, the applicable statute of limitations will be the
provided in the LOPDGDD.
2. The imputed infringement is subsumed, for these purposes of prescription, in the
article 72.1.h) of the LOPDGDD and in this article it is specified that
considered very serious and that he will prescribe after 3 years. This is reflected in the
Legal Basis V of the initiation agreement and is recalled in the Basis
Legal II of the proposed resolution.
3. Regarding the time of the beginning of the calculation of the term of
prescription, the LOPDGDD does not establish any specific regime, so
At this point, the provisions of article 30.2 of the LRJSP are applicable with
supplementary character. Well, going to this article, it is observed that
makes a distinction between “single” or ongoing commission offenses.
Taking into account the nature of the alleged offense, it seems clear that the
omission of the duty to provide the information was maintained, at least,
until the date of February 7, 2020, the day on which the diligence is carried out
about the website mentioned in the previous action report
inspection that has been collected in the fourth Antecedent. Also, this
limitation period would have been interrupted by the notification of the
initiation agreement, as provided in article 75 of the LOPDGDD.
In conclusion, therefore, in the most favorable case for the defendant, the term of
3-year prescription would have started on February 7, 2020, leaving
interrupted on June 5, 2020, the date on which the notification took place
effective of the agreement to initiate the sanctioning procedure.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/16
Regarding the statement of the claimed that the web page is in
update to correct possible errors, it is not possible to verify it, since
that, as has been reflected in the sixth proven fact of this resolution, the
mentioned web (*** URL.1) is not available.
The rest of the allegations are not taken into consideration as they do not refer to
the object of this sanctioning procedure.
IV
The corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, are established in article 58.2 of the RGPD. Between
they have the power to sanction with warning -article 58.2 b) -, the
Power to impose an administrative fine in accordance with article 83 of the RGPD
-article 58.2 i) -, or the power to order the person in charge of the treatment
that the processing operations comply with the provisions of the RGPD, when
proceed, in a certain way and within a specified period - article 58. 2
d) -.
According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.
IV
In accordance with the provisions of the RGPD in its art. 83.2, when deciding to impose a
administrative fine and its amount in each individual case will take into account the
aggravating and mitigating factors that are listed in the indicated article, as well as
any other that may be applicable to the circumstances of the case.
For the purposes of setting the sanction to be imposed on the claimed party, the
following aggravating circumstances:
1. Intentionality or negligence in the infringement (article 83.2.a) RGPD) since it is
It is about a company that offers advice, among other issues on the subject of
data protection, which requires greater diligence in complying with
the obligations of the matter with respect to which it claims to advise.
2. The continuing nature of the offense (article 76.2.a) LOPDGDD), since the
The claim submitted is dated March 20, 2019 and the diligence of the
previous inspection actions that corroborate the maintenance of the situation in
The website www.predase.es was carried out on February 7, 2020.
On the other hand, the following circumstances have also been taken into account
mitigating:
1. There is no record of the commission of any prior infraction regarding the protection of
data by the claimed party (article 83.2.e) RGPD).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/16
2. It is a micro-SME for the purposes of the provisions of the Recommendation of the
Commission, of May 6, 2003, on the definition of micro, small and
medium businesses.
Based on the foregoing, it is appropriate to propose a fine of FIVE THOUSAND EUROS (5,000.00
€).
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE PREDASE SERVICIOS INTEGRALES S. L., with NIF
B02547164, for an infringement of article 13 of the RGPD, typified in article 83.5
GDPR, a fine of FIVE THOUSAND EUROS (€ 5,000.00).
SECOND: NOTIFY this resolution to PREDASE SERVICIOS
INTEGRALES S.L. and inform A.A.A ..
THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/16
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
