AEPD (Spain) - PS/00090/2020

From GDPRhub
Revision as of 14:22, 13 July 2020 by Silvialoar (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
AEPD - PS/00090/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 57(1) GDPR
Article 58(1) GDPR
Article 58(2) GDPR
Article 83(1) GDPR
Article 83(2) GDPR
Article 83(5)(e) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 13.07.2020
Published:
Fine: 3000 EUR
Parties: AAA
XFERA Móviles S.A.
National Case Number/Name: PS/00090/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: Agencia Española de Protección de Datos (in ES)
Initial Contributor: Silvia López

Spanish DPA found a company in breach of Article 58(1) GDPR for failing to comply with a DPA's request for access to information in the course of an investigation, conduct sanctioned in Article 83(5)(e) GDPR.

English Summary

Facts

The company has not provided to the Spanish DPA the information it requested in the course of an investigation following a complaint by Ms AAA. With the above-mentioned conduct of the respondent, the power of investigation that the Article 58(1) of the RGPD confers on the supervisory authorities, in this case, the AEPD, has been hampered.

Dispute

What are the consequences of failing to comply with a DPA's request for access to information? What happens if the company penalised recognises its responsibility and proceeds to the voluntary payment of the fine imposed by the DPA?

Holding

The Spanish DPA imposed a fine of EUR 5 000 on the company under investigation, which was reduced to EUR 3 000 for the company's voluntary payment and acknowledgment of its responsibility for the facts (in turn waiving any subsequent appeal against the decision)

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

DECISION R/00260/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT
VOLUNTEER
In the sanctioning procedure PS/00090/2020, conducted by the Agency
Spanish Data Protection Agency to XFERA MÓVILES, S.A., in view of the complaint
presented by A.A.A., and based on the following,
LEGAL FOUNDATIONS
I
By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the
authority, and as set out in Articles 47, 48(1), 64(2) and 68(1) of the
LOPDGDD, the Director of the Spanish Data Protection Agency is
competent to initiate and resolve this procedure.
II
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
3/9
In accordance with the evidence available here
time of agreement to initiate the sanctioning procedure, and without prejudice to
As a result of the investigation, the respondent is deemed not to have provided the Agency with
Española de Protección de Datos the information you requested.
With the above-mentioned conduct of the respondent, the power of investigation that the
Article 58(1) of the RGPD confers on the supervisory authorities, in this case, the AEPD,
has been hampered.
Therefore, the facts described in the "Facts" section are deemed
constitute an infringement, attributable to the defendant, for violation of Article
58.1 of the RGPD, which provides that each supervisory authority shall have, among its
investigative powers:
"(a) to order the controller and the processor and, where appropriate, the
representative of the person in charge or of the person in charge, to provide any
information it requires for the performance of its duties; (b) carry out
investigations in the form of data protection audits
a review of the certificates issued pursuant to Article 42(1)
7; (d) notify the controller or processor of the alleged
(e) obtain from the person responsible and from the
access to all personal data and to all the information contained in the
information necessary for the performance of their duties
all premises of the controller and of the processor, including
any equipment and means of data processing, in accordance with
Procedural law of the Union or of the Member States".
III
In accordance with the evidence available here
time of agreement to initiate the sanctioning procedure, and without prejudice to
As a result of the investigation, it is considered that the facts set out could be
constitute an infringement, attributable to the defendant.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/9
This infraction is typified in Article 83.5.e) of the RGPD, which considers
such as: 'failure to provide access in breach of Article 58(1)'.
The same Article states that this infringement may be penalised
with a fine of twenty million euros (20,000,000 euros) maximum or, in the case of
a company, for an amount equivalent to a maximum of four percent (4%) of
total annual turnover for the previous financial year, opting for the
of higher value.
For the purposes of the limitation period of the infringements, the alleged infringement
prescribes after three years, in accordance with Article 72.1 of the LOPDGDD, which qualifies as
very serious the following behavior:
"(ñ) Failure to provide access by staff of the data protection authority
competent to personal data, information, premises, equipment and means of
processing required by the data protection authority to
the exercise of their powers of investigation.
(o) Resistance to or obstruction of the exercise of the inspection function by
competent data protection authority."
IV
In the light of the above facts, without prejudice to the
In the event that the proceedings are opened, it is considered that the defendant should be charged with
the violation of Article 58.1 of the RGPD typified in Article 83.5 e) of the RGPD. The
The sanction that should be imposed is an administrative fine.
The fine to be imposed must, in each individual case, be effective,
proportionate and dissuasive, in accordance with Article 83.1 of the RGPD.
Consequently, the sanction to be imposed should be graduated according to the criteria
established by Article 83.2 of the RGPD, and with the provisions of Article 76 of the
LOPDGDD, with respect to paragraph k) of the aforementioned Article 83.2 RGPD.
V
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/9
Finally, the penalty to be imposed should be graduated according to the criteria
established by Article 83.2 of the RGPD, and with the provisions of Article 76 of the
LOPDGDD, with respect to paragraph k) of the aforementioned Article 83.2 RGPD.
The initial assessment shows that no
The following facts have been considered to be aggravating
- Art. 83.2(b) RGPD: the intentionality or negligence in the infringement. These are
of a company that is not newly created and should have
procedures established for the fulfilment of the obligations that
provides for the data protection regulations, among them, to respond to
the requirements of the supervisory authority.
- Art. 83.2(k) RGPD: any other aggravating or mitigating factor applicable to the
circumstances of the case, such as the financial benefits obtained or
losses avoided, directly or indirectly, through the infringement. The
complaint refers to a person's particular case, but the
data processing to which it refers, can potentially affect a
very high number of customers of the responsible entity or users of the
service provided by the responsible entity.
Therefore, on the basis of the above,
By the Director of the Spanish Data Protection Agency,
AGREED:
FIRST: Initiate disciplinary proceedings against XFERA MÓVILES, S.A,
with NIF A82528548, for the infringement of article 58.1 of the RGPD, typified in art.
83. 5 e) of the aforementioned RGPD.
SECOND: To appoint B.B.B. as instructor and C.C.C. as secretary,
indicating that any of them may be challenged, if appropriate, in accordance with the
established in Articles 23 and 24 of Law 40/2015 of 1 October on the
Public Sector Law (LRJSP).
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/9
THIRD: TO INCORPORATE into the sanctioning file, for evidential purposes, the
information requirement issued by the Subdirectorate General for the Inspection of
Data in the framework of research actions with reference code
E/95799/2019 and proof of notification.
FOURTH: THAT for the purposes of article 64.2 b) of law 39/2015, of 1
October, of the Common Administrative Procedure for Public Administrations, the
5,000.00, without prejudice to the amount of the fine.
resulting from the instruction.
FIFTH: TO NOTIFY this agreement to XFERA MÓVILES, S.A., with NIF
A82528548, giving you a hearing period of ten working days to formulate
the allegations and submit the evidence he deems appropriate. In its brief of
claims must provide their VAT number and the procedure number in the
heading of this document.
If you do not make representations to this initiating agreement within the stipulated time, the
may be considered as a motion for resolution, as set out in the
Article 64(2)(f) LPACAP.
The procedure shall last a maximum of nine months from
the date of the agreement to initiate or, where appropriate, the draft agreement to initiate.
After this period, the agreement will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD.
In accordance with the provisions of Article 85 of the LPACAP, it may
recognize their responsibility within the time allowed for the formulation of
arguments to the present agreement of initiation; this will entail a reduction of
20% of the penalty to be imposed in this procedure. With the
4,000.00,
The procedure was resolved with the imposition of this sanction.
Similarly, at any time prior to the resolution of the
The Commission shall, in accordance with this procedure, carry out the voluntary payment of the proposed penalty
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
7/9
which will result in a 20% reduction in its amount. With the application of this
reduction, the penalty would be set at 4,000.00 euros and its payment would involve the
completion of the procedure
The reduction for the voluntary payment of the penalty is cumulative with the one
The same applies to the recognition of liability, provided that this
recognition of responsibility is shown within the time limit
granted to make representations on the opening of the proceedings. The payment
of the amount referred to in the preceding paragraph may be made at any
moment before the resolution. In this case, if it is appropriate to apply both
reductions, the amount of the penalty would be set at
In any case, the effectiveness of either of the two above-mentioned reductions
shall be conditioned upon the waiver or relinquishment of any action or remedy in the
administrative sanction against the sanction.
If you choose to proceed with the voluntary payment of any of the
amounts indicated above ('4,000.00 or '3,000.00), you must
make it effective by paying it into the account nº ES00 0000 0000 0000 0000
opened on behalf of the Spanish Data Protection Agency at the Bank
CAIXABANK, S.A., indicating in the concept the reference number of
procedure set out in the heading of this document and the cause of
reduction of the amount involved.
You must also send the receipt of the payment to the Subdirectorate General of
Inspection to continue the procedure in accordance with the quantity
admitted.
Finally, it is noted that in accordance with Article 112.1 of the
LPACAP, there is no administrative appeal against this act.
Mar Spain Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
8/9
>>
 SECOND: On June 11, 2020, the claimant paid the
3,000 by making use of the two reductions provided for
in the above transcribed Inception Agreement, which implies recognition of the
responsibility.
THIRD: The payment made, within the period granted to make allegations to
the opening of the procedure, entails the waiver of any action or appeal in
administrative sanctioning and acknowledgement of responsibility in relation to
the facts referred to in the Agreement to Initiate.
LEGAL GROUNDS
I
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the
control, and in accordance with Article 47 of Organic Law 3/2018, of 5
December, Protection of Personal Data and Guarantee of Digital Rights (in
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency
is competent to penalise infringements committed against it
Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General
of Telecommunications (hereinafter referred to as LGT), in accordance with the
Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the
information and electronic commerce (hereinafter referred to as the ISESA), as provided for in
43.1 of that Act
II
Article 85 of Law 39/2015 of 1 October on Administrative Procedure
Commonwealth of Independent States (hereinafter LPACAP), under the heading
"Termination in sanctioning proceedings" provides the following:
"1. Penalty proceedings are initiated if the offender acknowledges his
responsibility, the proceedings may be terminated with the imposition of the penalty
as appropriate.
2. Where the penalty is solely pecuniary in nature or where it is
impose a financial penalty and a non-pecuniary penalty but has been justified
the impropriety of the second, voluntary payment by the alleged perpetrator, in
any time before the resolution, will imply the termination of the procedure,
except as regards the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature,
the body competent to decide on the procedure shall apply reductions of, at
at least 20 % of the amount of the proposed penalty, which may be cumulated
with each other. These reductions shall be determined in the notification of
initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased
by regulation.
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
9/9
As noted,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the completion of procedure PS/00090/2020, of
in accordance with Article 85 of the LPACAP.
SECOND: NOTICE this resolution to XFERA MÓVILES, S.A..
In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure
The interested parties may lodge an appeal with the
administrative litigation before the Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months of
day following notification of this act, as provided for in Article 46(1) of
referred to Law.
Mar Spain Martí
Director of the Spanish Data Protection Agency