AEPD - PS/00112/2020

From GDPRhub
AEPD - PS/00112/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Article 21(1) of the Spanish Law on Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 14.08.2020 [[Category:]]
Fine: n/a
Parties: Secreyo Servicios de Telesecretariado, S.L.
National Case Number/Name: PS/00112/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

14 August 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a warning on Secreyo Servicios de Telesecretariado, S.L. (the defendant) for the infringement of its duty of not sending unsolicited commercial communications, as per Article 21(1) of the Spanish Law on Information Society Services (LSSI), as well as for the infringement of Article 13 of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The decision is the consequence of a complaint submitted by a Spanish lawyer stating that he had received a commercial communication by the defendant, although he did not give his consent to the defendant nor maintained any contract relationship with it. Moreover, the link to unsubscribe to commercial communications did not work, the data protection information was insufficient and not compliant, as well as the privacy policy at the website of the defendant.

Dispute[edit | edit source]

The defendant answered to the AEPD investigation requests stating that it did not know the place from which it collected the personal details of the claimant; every year, the defendant carries out new customer acquisition campaigns addressed to contacts provided by satisfied customers as well as to contacts obtained from the public browser at the national and/or local bar association websites. The defendant also sent an apologies email to the claimant. The AEPD started the corresponding sanction procedure.

Holding[edit | edit source]

Thus, the AEPD understood that the defendant has infringed its duties as per Article 21(1) LSSI (according to which, unsolicited commercial communications are expressly forbidden unless there is consent or a previous contract relationship and the services/products are similar to those previously contracted) and Article 13 GDPR (as it was confirmed that the website of the defendant is not compliant with the data protection information requirements). Consequently, after considering some mitigating circumstances [(i) the number of communications sent, and (ii) the lack of damages caused nor advantages obtained], the AEPD decided to impose a formal warning on the defendant. The AEPD also required the defendant to correct the infringement of both legal articles in the period of one (1) month since the holding, and to provide evidences on such compliance.

Comment[edit | edit source]

Although, according to Article 72 of the Spanish Law on Personal Data Protection and Digital Guarantees (LOPDGDD), the infringement of Article 13 GDPR is considered a very serious breach and could be fined with the amounts established in Article 83(5) GDPR, in this case, the AEPD considered that the defendant had already been notified (when the sanctioning procedure started) on the need to comply with the data protection laws, so, considering that the law [Article 58(2) and Whereas 148 GDPR] also makes possible for the supervisory authorities to decide whether to impose an economic fine or a warning, it chose this last option; besides, it also considered that the defendant has also been informed on the possibility of new sanctioning procedures in case it does not comply with the abovementioned correction period of one (1) month.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/10 Procedure No.: PS / 00112/2020RESOLUTION OF SANCTIONING PROCEDUREOf the procedure instructed by the Spanish Agency for Data Protection andbased on the followingBACKGROUNDFIRST: Mr. AAA (hereinafter, the claimant), dated 10/31/2019, filedclaim before the Spanish Agency for Data Protection. The claim isdirects against SECREYO SERVICIOS DE TELESECRETARIADO, SL . with NIFB14851612 (hereinafter, the claimed one). The reasons on which you base the claim are:that without consent for the processing of personal data, nor havemaintained any type of commercial relationship with the claimed, has received a message fromcommercial content email, without mentioning the origin of the data. Hemessage contains a supposed link to unsubscribe, but it is completelyinoperative (since it does not link to any page). Also, information onprotection of personal data included in the message is insufficient and does not comply withthe existing regulations and neither does the privacy policy of the website.SECOND: Upon receipt of the claim, the Subdirectorate General ofData Inspection proceeded to carry out the following actions:On 12/11/2019, the claim presented for hisanalysis and was also required so that within a month to send to theAgency certain information:- Copy of the communications, of the adopted decision that has been sent to theclaimant regarding the transfer of this claim, and accreditation that theclaimant has received the communication of that decision.- Report on the causes that have motivated the incidence that has originated theclaim.- Report on the measures adopted to prevent the occurrence ofsimilar incidents.- Any other that you consider relevant.On 02/28/2020, the respondent indicated in summary not knowing exactly aboutwhere you got the data of the claimant; indicates that they carry out recruitment campaignsfrom customers and that their addresses are usually obtained or from other satisfied customerswith his work or the lists of the bar associations. You have sent an emailelectronic apology to the claimant.THIRD: On 03/19/2020, in accordance with article 65 of the LOPDGDD, theDirector of the Spanish Data Protection Agency agreed to admit for processing theclaim filed by the claimant against the defendant.FOURTH: On 06/16/2020, the Director of the Spanish Protection Agencyof Data agreed to initiate a sanctioning procedure for the one claimed by a) The allegedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/10infringement of article 13 of the RGPD, typified in accordance with the provisions of article83.5.b) of the RGPD and b) the alleged infringement of article 22.1) of the LSSI, punishablein accordance with the provisions of article 38.4.d) of the aforementioned Law.FIFTH: Notified the initiation agreement, the one claimed at the time of the presentresolution has not submitted a brief of allegations, so it is applicableindicated in article 64 of Law 39/2015, of October 1, on the ProcedureCommon Administrative of Public Administrations, which in its section f)establishes that in case of not making allegations within the period provided for thecontent of the initiation agreement, it may be considered a proposal forresolution when it contains a precise pronouncement about the responsibilityimputed, for which a Resolution is issued.SIXTH: Of the actions carried out in this proceeding, there have beenaccredited the following:PROVEN FACTSFIRST: On 10/31/2019 the claimant submitted a written document to the Spanish Agency forData Protection, stating that without consent for the treatmentof personal data or having maintained any type of commercial relationship with thesending company, received e-mail message with commercial content; thanthe aforementioned message contained a supposed link to unsubscribe, beingcompletely inoperative; that, likewise, the information included in it does not comply withthe regulations on data protection (nor does the privacy policywebsite privacy).SECOND: The claimant provides a copy of the mail sent by the claimed on10/31/2019, as well as its header, whose purpose is: SPECIAL OFFER 1 MONTHFREE LAWYERS AND ATTORNEYS , with the following content:"SPECIAL OFFER FOR THE LEGAL SECTOR: WE MANAGE YOUR CALLS AND YOUR APPOINTMENTS IN REAL TIME. WE ANSWER WITH THE NAME OF YOUR OFFICE IN LARGE HOURSLABOR. WE MAKE CALLS TO REMEMBER AN INVOICE, CHANGE ANAPPOINTMENT ORCONFIRM IT, ORGANIZE A MEETING, MAKE A RESERVATION ETC. EMAIL MANAGEMENT, SMS SENDING, PERSONALIZED VOICE MAILBOXOUTSIDESCHEDULE. ALL YOUR CALLS ATTENDED PROFESSIONALLY AND NOBODYYou will noticeWE ARE NOT IN HIS OFFICE ”.The Legal Notice included in the e-mail does not contain any reference to the regulations inmatter of protection of personal data.THIRD: On 02/18/2020, the respondent responded stating that: "... afterSummer is usually when we launch one of our campaigns, and this time,We look for contacts on Icab pages in Barcelona, ​​looking for addresses ofC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/10lawyers and mediators, to send you some emails or emails with ouroffers in order to work with us.This was the case of this Mr. Solsona, which we located his email address throughof these web pages of Barcelona of the Icab, or Web page of the Bar Association,through the Lawyers search option ”.FOUNDATIONS OF LAWIBy virtue of the powers that article 58.2 of the RGPD recognizes to eachcontrol authority, and as established in articles 47 and 48 of the LOPDGDD,the Director of the Spanish Data Protection Agency is competent to initiateand to solve this procedure.In parallel, in accordance with the provisions of article 43.1, paragraphsecond, of Law 34/2002, of July 11, on Services of the Society of theInformation and Electronic Commerce (hereinafter LSSI) is competent to initiate andresolve this sanctioning procedure the Director of the Spanish Agency forData Protection, in relation to the violation of the LSSI.IILaw 39/2015, of October 1, on the Common Administrative Procedure ofthe Public Administrations, in its article 64 “Agreement of initiation in theprocedures of a sanctioning nature ”, provides:"one. The initiation agreement will be communicated to the instructor of the procedure, withtransfer of how many actions exist in this regard, and the interested parties will be notified,understanding in any case as such the accused.Likewise, the initiation will be communicated to the complainant when the regulationsregulating the procedure so provide.2. The initiation agreement must contain at least:a) Identification of the person or persons allegedly responsible.b) The facts that motivate the initiation of the procedure, its possiblequalification and penalties that may correspond, without prejudice to whatresult of the instruction.c) Identification of the instructor and, where appropriate, Secretary of the procedure, withexpress indication of the regime of challenge of the same.d) Competent body for the resolution of the procedure and regulation thatattributes such competence, indicating the possibility that the allegedresponsible can voluntarily acknowledge their responsibility, with theeffects provided for in article 85.e) Provisional measures that have been agreed by the bodycompetent to initiate the sanctioning procedure, without prejudice to thosecan be adopted during the same in accordance with article 56.f) Indication of the right to make allegations and to a hearing at theprocedure and deadlines for its exercise, as well as an indication that, incase of not making allegations within the term provided on the content of theinitiation agreement, this may be considered a resolution proposalC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/10when it contains a precise statement about liabilitycharged.3. Exceptionally, when at the time of issuing the initiation agreementthere are insufficient elements for the initial qualification of the facts that motivatethe initiation of the procedure, the aforementioned qualification may be carried out in a phaselater by preparing a Statement of Charges, which must be notified tothe interested".In application of the previous precept and taking into account that they have notformulating allegations to the initiation agreement, the procedure must be resolvedinitiated.IIIThe defendant is charged with two infractions: the violation of article 21.1 of theLSSI and the violation of article 13 of the RGPD.A) Violation of the LSSIAccredited facts consisting of sending a communicationunauthorized commercial, via e-mail, to the e-mail address owned by theclaimant evidences the violation of the provisions of article 21.1 of the Law34/2002, of July 11, on Services of the Information Society and CommerceElectronic (hereinafter LSSI), which provides the following:"one. The sending of advertising or promotional communications is prohibitedby email or other equivalent electronic means of communication thathad not previously been requested or expressly authorized by therecipients of the same.2. The provisions of the preceding section shall not apply when there is aprevious contractual relationship, provided that the provider had obtained lawfullythe recipient's contact details and will use them to send communicationscommercial related to products or services of your own company that aresimilar to those that were initially contracted with the client.In any case, the provider must offer the recipient the possibility ofobject to the processing of your data for promotional purposes through asimple and free procedure, both at the time of data collection andin each of the commercial communications that I address.When the communications have been sent by email,said means must necessarily consist of the inclusion of an address ofemail or other valid email address where you can exercise thisright, being prohibited the sending of communications that do not include saiddirection."The aforementioned offense is classified as minor in article 38.4.d) ofthe LSSI, which qualifies as such "Sending commercial communications by mailC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/10electronic or other equivalent electronic means of communication when in saidshipments do not meet the requirements established in article 21 and do not constituteSerious offense".In the present case, the violation of article 21.1 of the LSSI that is attributed to theclaimed must be classified as a minor infraction in consideration of the number ofcommercial messages sent to the complainant (1).On the other hand, in article 39 bis of the LSSI, under the heading “Moderation ofthe sanctions ”, stipulates the following:"one. The sanctioning body will establish the amount of the sanction applying thescale relative to the class of infractions that immediately precedes severity tothat in which the considered one is integrated in the case in question, in the followingassumptions:a) When there is a qualified decrease in the guilt of theaccused or the unlawfulness of the fact as a consequence of thesignificant concurrence of several of the criteria set forth in article 40.b) When the offending entity has regularized the irregular situation ofdiligent way.c) When it can be appreciated that the behavior of the affected person has been able to inducethe commission of the offense.d) When the offender has spontaneously acknowledged his guilt.e) When there has been a fusion process by absorption and theinfraction was prior to said process, not being attributable to the entityabsorbent.2. The bodies with sanctioning competence, considering the nature of thefacts and the significant concurrence of the criteria established in sectionabove, they may agree not to initiate the sanctioning procedure and, in theirplace, warn the responsible subject, so that within the period that the bodysanctioner determines, certifies the adoption of the corrective measures that, in eachappropriate, provided that the following assumptions are met:a) That the facts constitute a minor or serious infraction in accordance with theprovided in this Law.b) That the competent body had not sanctioned or warned withprior to the offender as a result of the commission of infractionsprovided for in this Law.If the warning is not attended within the period that the sanctioning bodydetermined, the corresponding procedure will proceedsanctioner for said breach. "For its part, article 40 of the LSSI, in relation to the "Graduation of theamount of sanctions ”, determines the following:"Article 40. Grading of the amount of sanctions.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/10The amount of the fines that are imposed will be graduated according to thefollowing criteria:a) The existence of intentionality.b) Period of time during which the offense has been committed.c) The recidivism by commission of infractions of the same nature, whenso it has been declared by final resolution.d) The nature and amount of the damages caused.e) The benefits obtained by the infringement.f) Billing volume affected by the infringement committed.g) Adherence to a code of conduct or self-regulation systemadvertising applicable regarding the infringement committed, which complies withprovided in article 18 or in the eighth final provision and that has beenfavorably informed by the competent body or bodies. "In the present case, the requirements set forth in letters a) andb) of the aforementioned section 2 of article 39 bis. Along with this, there is a decrease in theguilt of the accused taking into account the number of communicationscommercials sent (one) and that the circumstances significantly concurof non-existence of damages and lack of proof of benefits obtained by thecommission of the offense.In accordance with these criteria, the sanction ofawareness.IVB) RGPD infringementThe facts claimed also evidence the violation of the RGPD asconsequence of the absence of information on protection of data of characterpersonal contained in the privacy policy in breach of the provisions of the article13 of the RGPD.This article determines the information that must be provided to the interested party.at the time of collecting your data, establishing the following:"Article 13. Information that must be provided when personal data isobtained from the interested party.1.When personal data relating to him are obtained from an interested party, theresponsible for the treatment, at the time these are obtained, will provideall the information indicated below:a) the identity and contact details of the person in charge and, where appropriate, theirrepresentative;b) the contact details of the data protection officer, if applicable;c) the purposes of the treatment to which the personal data are intended and the basislegal treatment; 4.5.2016 L 119/40 Official Journal of the European UnionIT ISC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 7
7/10d) when the treatment is based on article 6, paragraph 1, letter f), thelegitimate interests of the controller or a third party;e) the recipients or categories of recipients of personal data,in your case;f) where appropriate, the intention of the person responsible to transfer personal data to athird country or international organization and the existence or absence of aadequacy decision of the Commission, or, in the case of transfersindicated in articles 46 or 47 or article 49, paragraph 1, second paragraph,reference to adequate or appropriate guarantees and means to obtaina copy of these or the fact that they have been loaned.2. In addition to the information mentioned in section 1, the person responsible for thetreatment will facilitate the interested party, at the time the data is obtainedpersonal information, the following information necessary to guarantee data processingloyal and transparent:a) the period during which the personal data will be kept or, when notwhere possible, the criteria used to determine this deadline;b) the existence of the right to request the data controller for accessto the personal data relating to the interested party, and its rectification or deletion, orthe limitation of its treatment, or to oppose the treatment, as well as theright to data portability;c) when the treatment is based on article 6, paragraph 1, letter a), or theArticle 9, paragraph 2, letter a), the existence of the right to withdraw theconsent at any time, without affecting the legality of thetreatment based on consent prior to withdrawal;d) the right to file a claim with a supervisory authority;e) if the communication of personal data is a legal or contractual requirement, ora necessary requirement to sign a contract, and if the interested party isobliged to provide personal data and is informed of the possibleconsequences of not providing such data;f) the existence of automated decisions, including profiling, toreferred to in article 22, paragraphs 1 and 4, and, at least in such cases,meaningful information about the applied logic, as well as the importance andexpected consequences of said treatment for the interested party.3. When the person responsible for the treatment plans the subsequent treatment ofpersonal data for a purpose other than that for which it was collected,will provide the interested party, prior to said further processing, informationon that other purpose and any additional relevant information pursuant to section 2.4. The provisions of paragraphs 1, 2 and 3 shall not apply when and inthe extent to which the interested party already has the information ”.The claimed privacy policy does not contain any reference to thecompliance with the provisions of article 13 of the RGPD previously mentioned,having to establish reference to what is indicated in it as the identity of theresponsible, the purposes for which the data is intended, the rights that the interested partycan exercise before the person in charge, etc.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 8
8/10VArticle 83.5 b) of the RGPD, considers that the infringement of “the rights ofinterested parties according to articles 12 to 22 ”, is punishable, in accordance with theparagraph 5 of the aforementioned article 83 of the aforementioned Regulation, “with finesadministrative fees of € 20,000,000 maximum or, in the case of a company, aamount equivalent to a maximum of 4% of the total annual global business volume of theprevious financial year, opting for the highest amount ”.The LOPDGDD in its article 72 indicates: “Violations considered very serious:"one. Based on what is established in article 83.5 of the Regulation (EU)2016/679 are considered very serious and will prescribe after three years the infractions thatsuppose a substantial violation of the articles mentioned in that and, inin particular, the following:(…)h) The omission of the duty to inform the affected party about the treatment of theirpersonal data in accordance with the provisions of articles 13 and 14 of the Regulation(EU) 2016/679 and 12 of this organic law.(…) "However, article 58.2 of the REPD provides the following: “Each authoritycontrol will have all the following corrective powers indicated tocontinuation:(…)b) sanction any person responsible or in charge of the treatment withwarning when the processing operations have violated the provisions ofthese Regulations;(…) "Therefore, the RGPD, without prejudice to what is established in its article 83, contemplatesin its article 58.2. b) the possibility of attending the warning to correct theprocessing of personal data that does not conform to your forecasts. Aboutwhen it is appropriate to choose one way or another, the application of article 83 of the RGPDor the corrective measure of warning of article 58.2.b), the rule itself in itsRecital 148 of Regulation 2016/679 which establishes the following:"In the event of a minor offense, or if the fine likely to be imposedconstitutes a disproportionate burden for an individual, rather thansanction by fine may be imposed a warning. It must howeverpay special attention to the nature, severity and duration of the offense, itsintentional character, to the measures taken to alleviate the damages suffered,to the degree of responsibility or to any relevant prior infringement, to the way in whichthat the supervisory authority has had knowledge of the infraction, to the fulfillmentof measures ordered against the person in charge or in charge, adherence to codes ofconduct and any other aggravating or mitigating circumstance. "However, the commencement agreement already indicated to the defendant that he shouldprovide sufficient probative documentation to prove correct complianceC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 9
9/10of those indicated in the RGPD, among others the information referred to in theArticle 13, without prejudice to making as many allegations as deemed necessary.Since the defendant has not responded to the initial agreement, it is reiterated thatYou must adopt the necessary measures in order to adapt your privacy policy to whatprovided in article 13 of the RGPD, in order to provide users with the informationrequired in the aforementioned precept and prevent incidents such as theevidenced in the claim made, as well as the contribution of theProof of proof of compliance with the requirements.On the other hand, not correct the aforementioned deficiencies by adopting the measuresadequate to avoid infractions such as those contemplated in articles 22.1 of theLSSI and 13 of the RGPD or reiterate the behaviors shown in theclaim and that have been the cause of the opening of this proceduresanctioner, as well as not immediately informing this AEPD of the measuresadopted could give rise to the exercise of possible actions before the person responsible for thetreatment so that appropriate measures are effectively applied toguarantee and not compromise the confidentiality of personal data and theright to privacy of people.Therefore, in accordance with the applicable legislation and the criteria ofgraduation of sanctions whose existence has been proven,The Director of the Spanish Agency for Data Protection RESOLVES:FIRST: IMPOSE SECREYO SERVICIOS DE TELESECRETARIADO, SL, withNIF B14851612:A) For an infringement of article 21.1 of the LSSI, typified in Article 38.4.d) of theLSSI, a sanction of warning.B) For an infringement of article 13 of the RGPD, typified in article 83.5.b) of theRGPD, a warning sanction in accordance with article 58.2.b) of theRGPD.SECOND: REQUEST SECREYO SERVICIOS DE TELESECRETARIADO, SL,with NIF B14851612 , so that within a month from the notification of thisresolution, certify: the adoption of the necessary and pertinent measures ofcompliance with both the LSSI and the regulations on the protection ofpersonal data, RGPD, in order to prevent them from occurring again in the futureincidents such as those that have given rise to the claim correcting the effects ofoffenses , adapting to the requirements set forth in articles 21.1 ofthe LSSI and 13 of the RGPD.THIRD: NOTIFY this resolution to SECREYO SERVICIOS DETELESECRETARIADO, SL, with NIF B14851612.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 10
10/10In accordance with the provisions of article 50 of the LOPDGDD, theThis Resolution will be made public once it has been notified to the interested parties.Against this resolution, which puts an end to the administrative procedure in accordance with art.48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of theLPACAP, the interested parties may optionally file an appeal for reversalbefore the Director of the Spanish Agency for Data Protection within a period ofmonth from the day after notification of this resolution or directlycontentious-administrative appeal before the Contentious-Administrative Chamber of theNational High Court, in accordance with the provisions of article 25 and section 5 ofthe fourth additional provision of Law 29/1998, of July 13, regulating theContentious-administrative jurisdiction, within a period of two months from theday following notification of this act, as provided in article 46.1 of thereferred Law.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of theLPACAP, the final resolution may be suspended in an administrative wayIf the interested party expresses his intention to file a contentious appeal-administrative. If this is the case, the interested party must formally communicate thismade by writing to the Spanish Agency for Data Protection,Presenting it through the Electronic Registry of the Agency[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the restrecords provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Toomust forward to the Agency the documentation that proves the effective filingof the contentious-administrative appeal. If the Agency is not aware of thefiling of the contentious-administrative appeal within a period of two months from theday after the notification of this resolution, would terminate theprecautionary suspension.
Mar España Martí
Director of the Spanish Agency for Data Protection