AEPD (Spain) - PS/00089/2021

From GDPRhub
Revision as of 21:10, 12 April 2021 by Cvl (talk | contribs)
AEPD - PS/00089/2021
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 7 GDPR
Article 21(1) LSSI
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 07.04.2021
Fine: 150000
Parties: ORANGE ESPAGNE, S.A.U.
National Case Number/Name: PS/00089/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Spanish
Original Source: AEPD decision (in ES)
AEPD decision (in ES)
Initial Contributor: n/a

The Spanish DPA fined Orange Spain €150,000 (reduced to €90,000) for sending bulk unsolicited commercial communications without obtaining the consent of the users in accordance with Articles 6 and 7 GDPR.

English Summary

Facts

Several complainants lodged a complaint with the Spanish DPA

Dispute

Holding

in progress

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                              1/3








     Procedure Nº: E / 03276/2021

                  RESOLUTION OF ACTION FILE



Of the actions carried out by the Spanish Agency for Data Protection and
based on the following


                                      FACTS

FIRST: The claim filed by Mr. A.A.A. (hereinafter, the claimant)
has entry dated March 29, 2019, in the Spanish Protection Agency
of data.


The claim is directed against ALDANITI INTERNATIONAL NETWORK, LTD, (in
ahead, the claimed one).

The claim indicates the following:


“I received an email from pulpower to confirm my subscription, as I had not done
no management, delete the mail that I have now been able to recover, as it turns out that without
accept that subscription that I also do not make, I begin to receive spam, not only do I not
I have subscribed, nor confirmed that email that they sent me, but I am subscribed in the
Robinson list, attached certificate certifying it. I request the opening of

sanctioning file. Thank you".

It all started with a confirmation email of a supposed registration in the system, and
He continued with emails where he was offered "tokens" to exchange for gifts. The
claimant does not acknowledge having ever registered in the services of the person in charge, and,
In addition, your email is listed on ADigital's Robinson list.

In the second letter it is denounced that, in the aforementioned web portal,
"cookies" with the mere visit to the page, and no way is offered not to provide or
revoke consent to said treatment.



SECOND: The Subdirectorate General for Data Inspection, learned of
the following points and carried out these actions:

     It was verified that the person responsible for the treatment and owner of the web
       PULPOWER.COM is ALDANITI INTERNATIONAL NETWORK LTD,
       established in the UK.
     The claim was incorporated into the "Internal Market Information System"
       (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the

       European Parliament and of the Council, of October 25, 2012 (Regulation
       IMI), whose objective is to promote cross-border administrative cooperation, the
       mutual assistance between Member States and the exchange of information;
       with IMI number 69346 and dated June 17, 2019. One month is given at
       authorities to manifest.

     On August 24, 2019: the data protection control authority
       in the United Kingdom (ICO) they accept the case, making a provisional file.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/3








     When the time for Brexit to take effect, ICO has not made any
        action on the claim incorporated into IMI.



                            FOUNDATIONS OF LAW

                                             I


In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for

Data Protection.

                                             II

Prior to the initiation of sanctioning actions, it is necessary to identify the

presumed responsible for the administrative offense.

Article 64 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, referring to the Initiation Agreement in the
procedures of a sanctioning nature, establishes the following:


        "1. The initiation agreement will be communicated to the instructor of the procedure, with
transfer of how many actions exist in this regard, and the interested parties will be notified,
understanding in any case the accused as such. Likewise, the initiation will be communicated
to the complainant when the rules governing the procedure so provide.


        2. The initiation agreement must contain at least:
        a) Identification of the person or persons allegedly responsible.
        ... "

In order to be able to initiate sanctioning actions, the Agency has been requested
State Tax Administration if there was any NIF associated with the entity
claimed, for identification.

The State Tax Administration Agency has responded to the Spanish Agency
of Data Protection that has not been able to locate any NIF related to the

claimed entity.
Therefore, although the claim presented, if detrimental to the possible prescription
of the infringements claimed, could constitute an infringement of the regulations of

data protection, it is not possible to initiate sanctioning actions due to not having
Tax identification of the alleged person responsible.

Therefore, in accordance with the provisions, by the Director of the Spanish Agency for
Data Protection, IT IS AGREED:


FIRST: PROCEED WITH THE FILING of these actions.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/3









SECOND: NOTIFY this resolution to the claimant.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, and in accordance with the provisions of the

arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency
Spanish Data Protection within a period of one month from the day
following notification of this resolution or directly contentious appeal

administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-Administrative, within two months from the next day

upon notification of this act, as provided in article 46.1 of the aforementioned Law.

                                                                                      940-0419
Mar Spain Martí
Director of the Spanish Agency for Data Protection






































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es