AEPD - PS/00135/2020
|AEPD - PS/00135/2020|
|Relevant Law:||Article 13 GDPR|
Article 55 GDPR
Article 58(2) GDPR
Article 83(2) GDPR
|Parties:||SCHOOL FITNESS HOLIDAY & FRANCHISING,|
AYUNTAMIENTO DE MADRID - UNIDAD DE CONSUMO
|National Case Number/Name:||PS/00135/2020|
|European Case Law Identifier:||n/a|
|Original Source:||Agencia Española de Protección de Datos (in ES)|
|Initial Contributor:||Silvia López Arnao|
Following a complaint from the Madrid City Council's Health Services Bureau, the Spanish DPA imposed a fine on a gym center for the abusive clauses in the contracts with its clients, which did not comply with the duty to inform the affected person about the treatment of his/her personal data in accordance with Article 13 GDPR.
English Summary[edit | edit source]
Facts[edit | edit source]
The gym center had already been required by the Spanish DPA to make the necessary adjustments in its contracts to respect the GDPR requirements. One year and 5 months after the Madrid City Council's Health Services Bureau required the entity, twice, to modify the abusive clauses contrary to data protection regulations and 8 months after this Agency first requested their modification, the entity started to proceed to modify the contracts. Some old clauses in breach of the GDPR were still active.
Dispute[edit | edit source]
Holding[edit | edit source]
The Spanish DPA imposed a fine of EUR 5000 on the gym for the omission of the duty to inform the affected person about the treatment of their personal data in accordance with Article 13 GDPR. The center paid EUR 3000; the reduction was given because of voluntary payment and acknowledging the facts (after waiving a further appeal against the DPA's decision).
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
DECISION R/00301/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT VOLUNTEER In sanction procedure PS/00135/2020, conducted by the Agency Spanish Data Protection Agency to SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.U., having regard to the complaint lodged by the CITY COUNCIL OF MADRID - UNIT OF CONSUMPTION, and based on the following, BACKGROUND FIRST: On June 16, 2020, the Director of the Spanish Data Protection agreed to start sanctioning procedure against SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.U. (hereinafter, the Respondent), by means of the that is transcribed: << Procedure No.: E/00135/2020 935-240719 AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Data Protection Agency before SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. with CIF: B82887514, (in hereinafter referred to as "the respondent"), pursuant to the claim made by the MADRID CITY COUNCIL (HEALTH SERVICES AND CONSUMPTION) (hereinafter referred to as "the Claimant"), and on the basis of the following: FACTS The Madrid City Council's Health Services and Consumer Affairs Department has Two letters of complaint were sent to this Agency against the entity claimed by the same facts. These two writings have led to the opening, in this Agency, of two investigation files: E/0065/2019 and E/3498/2019. A) With regard to Procedure E/0065/2019: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/22 FIRST: On 26/11/18, it was entered into this Agency in writing by the claimant, which, among other things, indicated "Inspection visits were made by the Technical Services for Quality and Consumption at establishment and reference holder on 16/04/18 and 09/05/18, was noted and required the commercial company issued for the purpose of correcting irregularities of unfair terms in the contract presented, in particular in the following terms: (...) NINTH: All members are obliged to show their ID card to requirements of the centre's employees, both at the entrance and during your stay on the premises. Non-observance of this rule will make it impossible to access to or stay in the gymnasium until this is remedied requirement. Upon acceptance of the contract, each member will be required to read the biometric parameters of your fingerprint that will be used for acceptance of it and later for its entry and exit from the centres, through the mechanism provided for this purpose. In accordance with Article 5(1) of Law 15/1999, the member is informed that the data corresponding to the employer The biometrics to be provided will be included in an automated file called "customers and suppliers" that will be used for access by users of the gymnasium and that in no case will be given to third parties. The reading of the data The biometrics do not involve the recording of the fingerprint and the data obtained are not in no way treatable as a fingerprint. The obligation to show the ID card, without specifying valid reasons for requiring the employees, when for acceptance of the contract and for the entry and exit of the centres the reading the biometrics, (...) TWELVE: By signing this contract the partner grants authorisation for the company to use all the images, photographs, videos, voice files, graphic material, etc., (in the images) in which it is involved, or part of them, and include your data in a file duly registered with the Spanish Agency of Data Protection, in accordance with the provisions of the Organic Law 15/1999 of 13 December on the Protection of Personal Data. Likewise, the partner authorizes the communication or transfer of the images to persons whom the company deems appropriate, for the same purpose indicated in the previous section, expressly informing you that in some cases international data transfers shall be carried out for such assignment. At These data may be communicated to third parties, without any additional consent on your part, provided that this communication is limited to this end. The partner grants this authorization with a wide territorial and temporal scope, so the company may use the images, or part of them, in all the Spanish territory and in all the countries of the world without limitation geographical location of any kind. The partner grants this authorization for the use of the images in which it appears, or part of them, in the scope and purposes of both communication and dissemination of the activity of the company. as of any other project, understood this one in its most The aim of the project is to promote the development of a wide range of activities, including, but not limited to, the promotion of the company's activities, in its own centres, its website and in any other means that the company considers, and can be exploited in all the means known at present and those that could be developed in the future, all with the sole exception and limitation of those uses or applications that could be detrimental to the right to honour, morality and public order, as provided for in the legislation in force in each country. This authorization is understood to be given free of charge. The partner exempts the company expressly disclaims all liability for any use that can make a third of the images, outside the territorial scope. material object of this contract. The right of image is regulated in Organic Law 1/1982. of 5 May. on civil protection of the right to Honor. to personal and family intimacy and to one's own image. All of them in case are fundamental rights protected in Article 18(1) of the Spanish Constitution. These are inalienable, unrenounceable and imprescriptible. The indispensable principle for the treatment of the image, the express and unequivocal consent of the owner to obtain, reproduce or publish by any means or medium the image of a person. Art. 2.2, Art. 6 LO 1/1982 the holder of the right has granted the effect their express consent". Clause between the general condition that does not allow the express and unequivocal consent of the image owner (lack of transparency), not being expressed formally and explicitly. Clause The treatment of one's own image is linked to the will of the employer, Art. 85.3 TRLGDCU, which imposes with the exemption of liability to the company. the waiver or limitation of the consumer and user, Art. 86.7 TRLGDCU, which imposes the declarations of acceptance or conformity or adherence of the consumer to a consent of which he has not had the opportunity to take real knowledge of his rights and the consequences of such declarations or the consequences of such can affect. Art. 89.1 TRLGDCU. The responsible body being the AEPD, 60 gives you a copy of the present conditioned to the effect of the appropriate actions within the scope of its competences. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/22 THIRTEENTH: In accordance with the provisions of Organic Law 15/1999 of Protection of Personal Data (LOPD), the data provided by the partner, including those corresponding to the biometric pattern, will be incorporated to! file "clients and suppliers" whose holder is SCHOOL FITNESS HOLIDAY FRANCHISING S.L.U., domiciled in Las Rozas (28290) Las Rozas, Madrid, calle Rozabella nº 6. Europa Business Park. For this purpose, the data provided by the partner/& is considered to be certain... The biometric pattern data FOURTEENTH: The partner authorizes the company to assign its rights and obligations to a third party. This assignment shall not alter the rights and obligations of the partners". SECOND: In accordance with article 65.4 of the Organic Law 3/2018, of 5 December, on Personal Data Protection and guarantee of the digital rights that has provided for a mechanism, prior to the admission of the complaints to be to the Spanish Data Protection Agency, consisting of transferring to the Data Protection Delegates appointed by the persons responsible or the processors, or to them when they have not been designated, with a date 09/01/19 the claim submitted to the claimed entity was transferred to to proceed with its analysis and to respond to the complainant and this Agency. THIRD: On 22/02/19, this Agency received a written statement of allegations, submitted by the entity in question, in which it set out, inter alia, the following: "Condition adapted to data protection regulations. In the request for information we are asked to modify clauses nine, twelve, thirteen and fourteen to adapt them to Regulation 679/2016 of 27 April (RGPD). In compliance with the requirements, we have proceeded to modify said conditions and to adapt them to the regulations in force. In proof of this we send you as DOC 1 of this writing copies the conditionals in their new terms. To give greater protection and security to the customer and ensure that acceptance is free, voluntary, informed and unambiguous of the specific processing of their data, a specific annex has been introduced in addition to the amendments to the clause called C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/22 "data protection sheet" which is signed by all new registrations whether they are face-to-face or via the web. A copy of this form is attached as DOC 2. In relation to existing contracts and for their adaptation to the new regulations have adopted the following measures, which are currently being implemented due to the volume of customers: (iii) Subscription of annex communicating the change of the conditions of the contract relating to data protection and communication of information of data protection. It is being carried out on a face-to-face basis in the gyms. Referral of electronic communication to all clients informing them of the need to to expressly accept the consent for the processing of your data. Personal request to subscribers by means of access control (lathes) for the subscription of the "Data Protection" file and collection of their signature either on paper or on tablet support. All measures are in the implementation phase and will take some time to be fully effective since: The campaign of mailing has been poorly received by subscribers Not all subscribers go to to the gym every day." FOURTH: Dated 01/03/19, by the Director of the Spanish Agency of Data Protection, a decision was taken to close the proceedings in the framework of the file, E/0065/2019, considering that it was not appropriate to initiate a sanctioning procedure since the complaint presented by the respondent had been dealt with. A) With regard to Procedure E/03498/2019 FIFTH: On 26/09/19, the second document submitted by the complainant entered into this Agency, which resulted in the opening of file E/3498/2019 in which, among other things, was indicated: It is verified in these last inspections that the issued commercial continues issuing with the consumers and would use the same and identical predisposed contract, as the reasoned alleged violation of the recognized rights of data protection in the campaign of inspection and Control of Gyms 2018. Received the letter from the AEPD dated 01.03.19, which informs of the The commercial company will correct the conditions and adopt corrective measures in the areas of its competence, resolving the issue of the filing of actions. This Consumer Unit must proceed to inform again C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/22 the AEPD of what was found in the supply of information by the reported company inaccurate or false and failure to comply with remedial requirements. Having studied the file, originated by the actions of the Technical Services of Quality and Consumption Inspection of this Latino District in the 2019 Gymnasium Inspection and Control Campaign, and the documentation attached to it, is checked that the expedited merchant continues to issue with consumers and the same predisposed contract as the one that is the reason for the inhibition in the Inspection and Control Campaign for Gyms 2018, for the inclusion of clauses abusive in the terms of the contract presented to the file, according to the Royal Legislative Decree 1/2007, of 16 November, approving the Consolidated Text of the General Law for the Defense of Consumers and Users and other complementary laws (TRLGDCU), according to the analysis of the Districts and evaluation of the institute Municipal Consumption. SIXTH: In accordance with article 65.4 of the Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights that has provided for a mechanism, prior to the admission of the complaints to be to the Spanish Data Protection Agency, consisting of transferring to the Data Protection Delegates appointed by the persons responsible for or in charge of the processing, or to the latter when they have not been appointed, on 24/10/19, The complaint was forwarded to the entity in question for analysis and response to the complainant and this Agency. SEVENTH: On 26/11/19, this Agency received a written statement of allegations, presented by the entity complained of, in which it set out, among other things, the following "On February 20, 2019 this company replied to the Subdirectorate General of Inspection of the AEPD reporting that we had proceeded to the adaptation of the We will send you a copy of the new conditions together with the data protection sheet and we will communicate the measures taken. that we had adopted and that these were in the implementation phase. Specifically, we explained that specific actions were being carried out and the time required to do so indicating that: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/22 In relation to existing contracts and for their adaptation to the new regulations have adopted the following measures, which are currently being implemented due to the volume of customers: - Signing of an addendum communicating the modification of the conditions of the contract regarding data protection and communication of the protection sheet of data. It's being conducted on-site at the gyms. - Electronic communication is sent to all clients informing them of the need to expressly accept consent for the treatment of your data. - Personal request to subscribers through access control (volumes) for the subscription of the card, "Data Protection" and collection of your sign either on paper or on tablet All measures are in the implementation phase and will take some time to be fully effective as the mailing campaign has been poorly received by the subscribers Not all subscribers come to the gym every day. The control in lathes is done in blocks of people to avoid collapsing accesses. The adaptation works that have been carried out between February 2019 and current events are as follows: - Modification of the clauses on the website for online contracting - > We have proceeded to modify the clauses of the general conditions and the data protection on the website so that online recruitment is equipped with all the guarantees and adapted to the new regulations. We accompany screen capture as DOC 2. - Acquisition of all new tablets with the appropriate software for the capture of signature of new subscribers and the capture of signature of subscribers who already had contract by subscription of annex to the main contract. We accompany invoices for the new tablets as DOC 3 - Cloud software implementation on central storage server with secure communication between the administrative centre and the operational centres (a total of twenty gyms). We accompany the invoice of the computer consultant which updates the management software as DOC 4 As of today, we can certify that the implementation campaign has been completed in all its phases successfully, both in central services and in each of the VEINC/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/22 TE (20) HOLIDAY GYM gymnasiums. It is worth noting in this report our surprise to see that the complainant has was the Consumer Department of the Madrid City Council, from its Aluche. And we say this because our company is in communication with the Department of Consumer Affairs of Madrid City Council Chamartin district located in Calle del Príncipe de Vergara nº 140 to whom we have gone precisely to ask for help so as not to breach any legal obligations in the field of consumer protection. We can say that part of the process of implementing the new conditions has been to hold meetings with people from that Department of Consumption in the Chamartin district, who have helped us to specify much better the terms and conditions to avoid that our company is committing irregularities or infringements in this matter. It should be noted that on November 5, 2019, we held a meeting with to inform them of this unpleasant situation and to indicate to us the timely guidelines in case we were committing any irregularities. In particular, to This meeting was attended by the Technical Advisor coordinating the 21 districts of Madrid, the Head of the Unit of Sanctioning Procedures, the Prince of Vergara District Consumption and Holiday Gym Representatives. Today we are waiting to receive the approval of the said Office the contract that the AEPD signed on March 1, 2009, with the 2019 archived for agreeing to the proposed conditionality. In short, no irregularity has been committed by this company, although we must acknowledge that the implementation process has been slower than projected. We have been asked to provide copies of the latest contracts from September 2019 and so we provide, indicating that they do not meet the requirements because are contracts signed in the gymnasium and as a result the software operating with the new system and conditions has not been operational until the end of October 2019. A copy of these contracts is enclosed as DOC 5. To demonstrate that the company has properly implemented the new conditionC/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/22 We have attached as AOC 6 a copy of the last contracts signed in the month November, where we can see that our obligations have been fulfilled. In short, we assume the delay in implementation, but we demonstrate that we have fulfilled our obligations to adapt. The following sections of the DCO 6 submitted with the pleading are checked: "All members are obliged to identify themselves sufficiently at the request of the centre's employees, in order to be able to verify the identity, if applicable, of the member who has breached the rules. The Failure to comply with this rule will make it impossible to access or remain in the gymnasium as long as this requirement is not met. Upon acceptance of the contract Each member who wishes to do so will be required to read the biometric parameters of his/her fingerprint that will be used for entry and exit from the centres, through the mechanism provided for this purpose. The member is informed that the data corresponding to the biometric pattern provided will be used for the access of the users of the gym and that in no case will be given to third parties. The reading of the biometric data does not imply the recording of the fingerprint and The data obtained are in no way treatable as fingerprints. (...) TWELVE. By signing this contract, the partner grants permission for the company to use all the images indiscriminately. photographs, videos, voice files, graphic material, etc., (from now on the images) in which it intervenes, or is part of them. Likewise, the partner authorizes the communication or transfer of the images to the persons that the company considers appropriate. with the same object indicated in the previous section, informing him expressly that in some cases for this transfer will perform international data transfers. In particular, these data may be communicated to third parties, without any additional consent by their party, provided that this communication is limited to this purpose. The partner grants this authorization with a wide territorial and temporal scope, so that the The company may use the images, or part of them, throughout the territory and in all the countries of the world without geographical limitation of any class. The partner grants this authorization for the use of the images in those that appear. or part of them. in the field and purposes both of communication and dissemination of the company's activity, as well as any other The project is understood in its broadest form, intended, inter alia, but not limited to the promotion of the company's activities, in its The company's own centres, its website and any other media considered by the company, can be exploited in all the media known at present and those that may be developed in the future, with the sole exception and limitation of those uses or applications that may attempt to right to honour, morals and/or public order, as provided for in the legislation in force in each country. This authorization is understood to be made with free of charge. As a consequence of the assignment, the member expressly exempts the company from any liability for any use that may to make a third party of the images, outside the territorial, temporal and material scope of this contract. All this under the protection of the provisions of the Law Organic Law 1/1982, of 5 May, on the Civil Protection of the Right to Honour, at Personal and family intimacy and self image. as well as the RGPD and others applicable data protection regulations. THIRTEENTH: In accordance with the provisions of current regulations in Personal Data Protection, the company informs that the data of the partners will be incorporated into the processing system owned by the company HOLIDAY M. OESTE, S.L, with registered office at Calle Rozabella, nº 6, 28290, Las Rozas de Madrid, Madrid, for the purpose of processing of the clients' database, to facilitate the management and control of the services provided by HOLIDAY M. OSTE, S.L as well as for communications commercial and promotional advertising. In compliance with the In accordance with current legislation, the company informs that the data will be kept for the period of time strictly necessary ' to comply with the precepts mentioned above on the basis of legitimate interest. As long as the partner does not communicate the contrary, it will be understood that their data have not been modified, committing themselves to notify any variation and giving the company their consent to use them for the mentioned purposes. The company informs that it will process the data in a lawful, fair, transparent, adequate, relevant, limited, accurate and up-to-date manner. It therefore undertakes to adopt all reasonable steps to ensure that these are promptly removed or rectified where they are inaccurate. In accordance with your rights under the current regulations on data protection, the partner may exercise the rights access, rectification, treatment limitation, deletion, portability and opposition to the processing of your personal data, as well as the consent given for the processing of the same, by addressing your request to the legal department of HOLIDAY M. OESTE, SL. at the address Calle Rozabella, nº 6, 28290, Las Rozas de Madrid, Madrid, or to the e-mail ***EMAIL.1.You may also contact the competent Control Authority to make any claim it deems appropriate in the event that considers that its data protection rights are infringed (Regulation C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/22 EU 2016/679 of 27 April 2016). The customer can expressly accept the use of the biometric register for access to the gymnasium. The biometric reading does not involve the recording of the fingerprint and the data obtained are in no way treatable as fingerprints. In information technology (IT), "biometric authentication" or "Computer biometrics" is the application of mathematical and statistical techniques to an individual's physical or behavioural traits for authentication, i.e. to "verify" his identity. The data will be used to fulfil the provision of services contracted by the partner, as well as commercial management and the sending or communication of advertising or information of a commercial nature or satisfaction surveys by any means. At If the member wishes to receive advertising or commercial information, he/she must check the box corresponding to the acceptance of the contract. The acceptance of the contract implies the partner's consent to the communication of its personal data to any company of the group HOLIDAY GYM. in order to allow the access to the gyms. in addition to the above mentioned purposes. FOURTEENTH: The member authorizes the company to transfer its rights and obligations to a third party. By means of this cession the rights and obligations of the members will not be able to be modified". EIGHTH: In view of the facts reported, in accordance with the evidence the Data Inspection of this Spanish Agency for the Protection of Data considers the above, does not comply with current regulations, so that the present penalty proceedings should be initiated. LEGAL GROUNDS I In accordance with the powers granted by Article 58.2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free circulation of these data (RGPD), applicable from 25 May 2018, recoC/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 12/22 The Director of the Spanish Data Protection Agency is competent to settle this complaint in accordance with Article 12.2, sections i) and j) of Royal Decree 428/1993, of 26 March, which approves the Statute of the Data Protection Agency (RD 428/1993) and the First transitory of the Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of the digital rights (LOPDGDD). In accordance with the provisions of Article 55 RGPD, the Spanish Data Protection Agency Data Protection is competent to perform the functions assigned to it in Article 57, including that of enforcing the Regulation and promoting raising awareness of data controllers and processors about the obligations incumbent upon them, as well as to deal with complaints submitted by a and investigate the reason for them. II In the present case, it should be noted that, prior to the opening of the present sanctioning file (PS/135/2020), had been previously processed an investigative file for the same facts, in this Agency, (E/0065/2019), during which time the entity in question was transferred for analysis and response. It was also requested to inform of the measures they would take to avoid similar situations in the future. The process of all the proceedings in the two cases has been as follows: 1.- On 16/04/18 and 09/05/18, the Technical Services for Quality and Consumption of the The Madrid City Council made inspection visits to the complained entity, detecting a series of irregularities in the clauses of the contract that they were making with the clients and that were in breach of data protection regulations. 2.- On 26/11/18, the Technical Services of Quality and Consumption of the Madrid City Council notified this Agency of the facts detected in these inspections. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 13/22 3.- On 09/01/19, this Agency requested the entity in question information on the reported events. 4.- On 22/02/19, the entity complained of affirms that they had already modified the Unfair terms in the contract with customers, in particular terms that have been denounced for not being adapted to the new RGPD (the ninth, twelfth, thirteenth and fourteenth). 5.- On 01/03/19, this Agency closed the preliminary investigation proceedings (E/0065/2019), considering that the request had been correctly dealt with. On 26 September 19, this Agency received a new complaint from of the Technical Services for Quality and Consumption of the Madrid City Council, indicating that in the last inspections carried out on the issued company, there had been to check again that it continues to issue the same biased contract. 7.- On 24/10/19, this fact was transferred to the entity in question so that to proceed with its analysis and to respond to this Agency. On 26/11/19, this Agency received a written statement of allegations, submitted by the entity in question, claiming that: - In relation to the old contracts, already existing until February 2019, the clauses denounced were eliminated and a new writing them. But its adaptation had not been completed in its entirety, since, as it was carried out in person, and due to the large number of members distributed among the 20 gyms that the entity has in the Community of Madrid, many of whom do not attend the centers regularly, this process was taking a long time. In the contracts signed from February 2019 to October 2019, the entity claims that "they did not meet the requirements because the operating software installed on the entity's computer network has not been C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 14/22 operational until the end of October 2019", which is the same date as the receipt of the second request by this Agency. - For contracts signed from November 2019 onwards, the following is provided A copy of the same, being able to verify the modification of the denounced clauses and their adaptation to the new RGPD. It is noted that the complained entity became aware of the irregularities in its contracts with customers in April/May 2018, through the minutes of The inspection was carried out by the Madrid City Council's Health Services Department, which was also required to remedy the deficiencies and adapt the terms that are abusive to current data protection regulations. Later, in February 2019, this Agency required him to remedy the irregularities detected. On that occasion, the claimed entity stated that, He responded to the injunction and proceeded to eliminate the unfair terms reported and to to draft new ones in accordance with the RGPD, but it is not until November 2019, after having received the second request from this Agency, (the 24/10/19), when, according to the entity, the new contracts are definitively implemented. Consequently, one year and 5 months after the Madrid City Council's Health Services Department required the entity, twice, to modify the abusive clauses contrary to data protection regulations and 8 months After this Agency first requested their modification, the entity complained of, proceeds to modify the contracts. If we add to this the fact that many of the old contracts, made before November 2019, with the old clauses are still active, the facts denounced are clearly contrary to those stipulated in the RGPD. III The facts set out could constitute an infringement, attributable to the claimed, for violation of Article 13 of the GPRS, which establishes the information to be provided to the person concerned at the time of collection of your personal data, indicating in the same that: C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 15/22 "1. Where personal data relating to a data subject are collected, the The person responsible for the processing, at the time when these are obtained, will provide all the information below: (a) the identity and contact details of the person responsible and, where appropriate, his representative; (b) the contact details of the Data Protection Officer, if any; (c) the purposes of the processing for which the personal data are intended and the legal basis of the treatment; (d) where the processing is based on Article 6(1)(f), interest legitimate of the person responsible or of a third party; (e) the recipients or categories of recipient of the personal data, in their case; (f) where appropriate, the controller's intention to transfer personal data to a third party country or international organization and the existence or absence of a adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means to obtain a copy of these or to the fact that they're on loan. In addition to the information mentioned in paragraph 1, the person responsible for the processing shall provide the data subject, at the time the data are obtained the following information necessary to ensure the processing of data loyal and transparent: (a) the period of time for which personal data are kept or, where not possible, the criteria used to determine this deadline; (b) the existence of the right to ask the controller for access to the personal data relating to the data subject, and the rectification or deletion of such data or their limitation of their treatment, or to object to the treatment, as well as the right to portability of the data; (c) where the processing is based on Article 6(1)(a) or Article 9(2)(a) the existence of the right to withdraw consent in at any time, without affecting the lawfulness of processing based on the consent prior to withdrawal; (d) the right to lodge a complaint with a supervisory authority; (e) whether the communication of personal data is a legal or contractual requirement or a requirement to enter into a contract, and whether the person concerned is obliged to provide personal data and is informed of the possible consequences of not provide such data; (f) the existence of automated decisions, including profiling, to be referred to in Article 22(1) and (4) and, at least in such cases, information The importance and consequences of the new system for the development of the provided for such processing for the data subject. Where the controller plans the further processing of data for a purpose other than that for which they were collected, will provide the information on that other purpose prior to such further processing and any additional relevant information within the meaning of paragraph 2. 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and where the insofar as the information is already available to the person concerned'. On the other hand, Article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of the omission of the duty to inform the affected person about the treatment of your personal data in accordance with Articles 13 and 14 of the GPRS'. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 17/22 In accordance with the above-mentioned precepts, and without prejudice to the instruction of the procedure, for the purpose of fixing the amount of the penalty to be imposed in in this case, it is considered that the penalty to be imposed should be graduated in accordance with with the following criteria established by Article 83.2 of the RGPD: a).- As aggravating criteria: - The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of stakeholders affected and the level of damage and damages they have suffered. In our case, the claimed entity was aware from May 2018, through the City Council inspections the existence of abusive terms in the contract he signed with customers (section a). - Intentionality or negligence in the infringement. In the present case we are in the event of negligent action, since it is not until the second requirement of this Agency, when the entity complained of modifies the clauses contrary to the new RGPD, (paragraph b). - The categories of personal data affected by the infringement. The data processed are of a markedly personal nature and therefore person identifiers, (section g). - The manner in which the supervisory authority became aware of the infringement. The The way in which this AEPD has been made aware of has been through the communication of the infringement by the Madrid City Council, (section h). (b) As mitigating criteria: - Measures taken by the controller or processor to mitigate the damages suffered by the parties concerned, since it has been found that modified the contract adapting it to the current RGPD, (section c). The non-existence of a previous infringement committed by the person responsible or the person in charge of the processing, for the same facts, (paragraph e). - The degree of cooperation with the supervisory authority in order to remedy to the infringement and to mitigate any adverse effects, (paragraph f). The balance of the circumstances referred to in Article 83(2) of the RGPD, with with regard to the infringement committed in breach of the provisions of Article 13 thereof allows set a penalty of 5,000 euros, (five thousand euros). Therefore, on the basis of the above, by the Director of the Agency Spanish Data Protection, AGREED: START: PENALTY PROCEDURE to the entity SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L. with CIF: B82887514, for the infringement of Article 13 of the RGPD, punishable in accordance with the provisions of art. 83 of the said regulation. APPOINT: Mr. A.A.A. as Instructor and Ms. B.B.B. as Secretary, indicating that any of them may be challenged, if appropriate, in accordance with established in Articles 23 and 24 of Law 40/2015 of 1 October on the Legal System of the Public Sector (LRJSP). INCORPORATE: to the sanctioning file, for evidential purposes, the claim filed by the claimant and his documentation, the documents obtained and generated by the Subdirectorate General for Data Inspection during the investigations, all of which are part of the present administrative file. WHAT: for the purposes of Article 64.2(b) of Law 39/2015 of 1 October, on Common Administrative Procedure of Public Administrations, the sanction that C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 19/22 The fine would be 5,000 euros (five thousand euros), without prejudice to the outcome of the investigation. NOTIFY: the present agreement to initiate sanctioning proceedings to the entity SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L., granting you a period of hearing within ten working days to make the allegations and to present the evidence that you deem appropriate. If, within the stipulated period, he does not make any allegations to this agreement to begin with, the same may be considered as a motion for resolution, as set out in Article 64.2(f) of Law 39/2015 of 1 October on the Common Administrative Procedure of the Public Administration (hereinafter LPACAP). In accordance with Article 85 of the LPACAP, if the penalty to be imposed other than a fine, may acknowledge its responsibility within the period granted for the formulation of arguments to the present agreement of beginning; the which will be accompanied by a 20% reduction in the penalty to be imposed in the present procedure, equivalent in this case to 1,000 euros. With the application of of this reduction, the penalty would be set at procedure with the imposition of this penalty. Similarly, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed penalty, which will result in a reduction of 20% of the amount of the payment, equivalent in this case at 1,000 euros. With the application of this reduction, the penalty would be set at 4,000 and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty can be cumulated with that for apply for recognition of liability, provided that this recognition of the responsibility becomes apparent within the time allowed for formulating allegations to the opening of the procedure. The voluntary payment of the amount referred to in the preceding paragraph may be made at any time prior to the resolution. At in this case, if both reductions were to be applied, the amount of the penalty would be established at 3,000 euros (three thousand euros). C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 20/22 In any case, the effectiveness of either of the two above-mentioned reductions will be conditional upon the withdrawal or waiver of any action or remedy in the administrative sanction against sanction If you choose to pay any of the above amounts voluntarily previously, you will have to make it effective by paying it into the account nº ES00 0000 0000 0000 0000 open on behalf of the Spanish Agency for the Protection of Data in the CAIXABANK, S.A. Bank, indicating in the concept the number of reference of the procedure in the heading of this document and the cause of reduction of the amount claimed. Likewise, you must send the proof of payment to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity admitted. The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. Once this period has elapsed, the agreement will expire and, consequently, the actions; in accordance with the provisions of Article 64 of the LOPDGDD. Finally, it is noted that in accordance with Article 112.1 of the LPACAP, No administrative appeal is possible against this act. Mar Spain Martí Director of the Spanish Data Protection Agency. >> SECOND: On July 2, 2020, the claimant paid the 3,000 by making use of the two reductions provided for C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 21/22 in the above transcribed Inception Agreement, which implies recognition of the responsibility. THIRD: The payment made, within the period granted to make allegations to the opening of the procedure, entails the waiver of any action or appeal in administrative sanctioning and acknowledgement of responsibility in relation to the facts referred to in the Agreement to Initiate. LEGAL GROUNDS I By virtue of the powers conferred on each authority in Article 58(2) of the GPRS, the control, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (in (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against it Regulations; infringements of Article 48 of Law 9/2014 of 9 May, General of Telecommunications (hereinafter referred to as LGT), in accordance with the Article 84.3 of the GLT, and the infractions defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on services of the company of the information and electronic commerce (hereinafter referred to as the ISESA), as provided for in 43.1 of the said Act. II Article 85 of Law 39/2015 of 1 October on Administrative Procedure Commonwealth of Independent States (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings" provides the following: "1. Penalty proceedings are initiated if the offender acknowledges his responsibility, the proceedings may be terminated with the imposition of the penalty as appropriate. 2. Where the penalty is solely pecuniary in nature or where it is impose a financial penalty and a non-pecuniary penalty but has been justified the impropriety of the second, voluntary payment by the alleged perpetrator, in any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the penalty is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of, at at least 20 % of the amount of the proposed penalty, which may be cumulated with each other. These reductions shall be determined in the notification of initiation of the procedure and its effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this paragraph may be increased by regulation. As noted, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure PS/00135/2020, of in accordance with Article 85 of the LPACAP. SECOND: NOTICE this resolution to SCHOOL FITNESS HOLIDAY & FRANCHISING, S.L.U.. In accordance with the provisions of Article 50 of the LOPDGDD, this The decision will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on Administrative Procedure The interested parties may lodge an appeal with the administrative litigation before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months of day following notification of this act, as provided for in Article 46(1) of referred to Law. Mar Spain Martí Director of the Spanish Data Protection Agency