AEPD - PS/00221/2020

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 14 GDPR
Art. 259(4) of the Spanish Law 1/2000 on Civil Procedure
Type: Complaint
Outcome: Upheld
Decided:
Published: 30.12.2020
Fine: n/a
Parties: Lvcentum Legal, S.L.
National Case Number/Name: PS/00221/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

The Spanish DPA (AEPD) imposed a warning on the law firm Lvcentum Legal, S.L. (defendant) for infringing Article 14 GDPR: the defendant used personal data (IP address) obtained in a judicial proceeding to send personal letters requesting an extrajudicial payment.

English Summary

Facts

The decision is the consequence of a complaint submitted by the Spanish cooperative company Digitorium Sociedad Cooperativa Pequeña (the claimant), stating that the defendant had obtained the personal data of its members from the preliminary proceedings of an upcoming trial, and had used such data to send those members an individual letter requesting the extrajudicial payment of an amount of money related to the court issue (an Intellectual Property matter).

Dispute

The defendant responded to the AEPD's initial investigation requests by stating that the claimant's members are the alleged infringers of its client's rights and that, on grounds of procedural economy and good faith, it is quite common for lawyers to attempt an amicable solution before starting court proceedings. It also stated that the judicial authority had already judged its client's legal claim to be appropriate, and that there was a legitimate interest in processing those personal data for the purpose of defending the client's rights. The AEPD then started the corresponding sanctioning procedure, and the defendant responded by admitting that the claimant's members had not been informed of all the points of Art. 14 GDPR when the letters were sent, but that it had already updated its draft letter for communications with third parties; it attached a sample of that letter.

Holding

The AEPD held that the defendant had infringed Article 14 GDPR: although the processing activity could perfectly well be based on its legitimate interest, the defendant had not provided the claimant's members with all the legally required information. Consequently, after considering certain circumstances [(i) the defendant had already amended its information clause; (ii) the defendant had no previous infringements of the law; (iii) the hypothetical imposition of an administrative fine would be disproportionate, considering that the defendant's main activity is not directly related to the processing of personal data], the AEPD decided to issue a warning to the defendant.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure Nº: PS/00221/2020


               RESOLUTION OF SANCTIONING PROCEDURE

In the procedure conducted by the Spanish Agency for Data Protection, and based on
the following


                                  BACKGROUND

FIRST: DIGITORIUM SOCIEDAD COOPERATIVA PEQUEÑA (hereinafter, the
claimant) filed a claim with the Spanish Agency for Data Protection on
June 18, 2019. The claim is directed against LVCENTVM LEGAL, S.L.,
with NIF B42557306 (hereinafter, the defendant).

The reasons on which the claim is based are that the defendant is sending letters to
the members that are part of DIGITORIUM SOCIEDAD COOPERATIVA
PEQUEÑA, claiming an amount of money from them, after obtaining their personal data
in preliminary proceedings, which exceeds the purpose of the
processing delimited by article 259.4 LEC.

The communication took place in the framework of civil judicial proceedings
claiming intellectual property rights, but the producer, CRYSTALIS
ENTERTAINMENT UG, has used it to send letters to the holders of the IP addresses
requesting the extrajudicial payment of an amount.

SECOND: The present claim was transferred to the defendant on August 21,
2019, requiring it to send this Agency, within one month,
information on the response given to the claimant regarding the facts denounced, as well
as the causes that gave rise to the incident and the measures adopted.

In response to said request, the defendant stated that the claimants are
the alleged infringers of the rights of our client, whose identity and other
contact details have been disclosed by express order of Commercial Court no.
*** COURT. 1, first by Order of September 3, 2018 (which
admits the practice of the requested diligence) and, subsequently, by Order of
February 5, 2019 (which rejects the opposition filed by the Internet service
provider and orders the practice of the diligence), all within the framework of
Preliminary Proceedings no. *** DILIGENCES.1


LVCENTVM LEGAL, S.L. states that, in the exercise of our professional
activity, it is usual that, before going to court, the rights of our
clients are claimed amicably. This is required of us not only by the
legislator, but also by the principles of procedural economy and good faith.


In the judicial proceeding initiated by this party, therefore, the judicial body has already
weighed the rights that in terms of data protection may assist the
now claimants, by complying with the requirements that the Law provides
specifically for this, and has assessed the possibility of adopting the measures

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10








adequate for their protection that the Law also provides when regulating the specific
preliminary diligence adopted.


Indeed, according to art. 258.1 LEC, the measure is only agreed "if the court
considers that the diligence is adequate to the purpose that the applicant pursues and that
just cause and legitimate interest concur in the request".

Therefore, the competent judicial body has already determined that there is a
legitimate interest in my client's claim and that having the data of the alleged
offenders is a claim appropriate to the purpose pursued by the client, which is none
other than the protection of its intellectual property rights.

For this reason, it considers that none of the specific precepts that the
claim regards as violated has been infringed:


The data has been transmitted by the internet service provider in
compliance with a court order. The purposes for which such
data, after having been exposed by this party in the procedure of
preliminary proceedings and submitted to the assessment of the competent judicial body, have been
declared legitimate by said judicial body by virtue of the Order provided.


The purpose of the subsequent treatment is identical to that for which the
preliminary diligence: the protection of the intellectual property rights that it holds
our client, which translates into two claims: a) the cessation of the infringement; and b)
the compensation for the damages that the infringement has caused to our client.


THIRD: On September 21, 2020, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against the defendant,
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of article 14 of the RGPD, typified in article
83.5 of the RGPD.

FOURTH: Once the aforementioned initiation agreement was notified, the defendant
submitted allegations on October 5, 2020, stating that both the obtaining of the
data at issue in this case and its use are legitimate, in accordance with what was
established by the head of Commercial Court *** COURT. 2 in order no.
*** AUTO. 1 of January 8.

In relation to the breach of article 14 of the RGPD for not informing the holders
of all the points of said precept, the defendant admits that
the holders of the IP addresses are informed of the source from which the data
come, the purposes of the processing, and the identity and contact details of the
controller, but not of other points of art. 14 RGPD, such as the right to exercise
data protection rights before the data controller, or the right to
file a claim with the AEPD, as provided in art. 14.2, letters c) and e).

The defendant informs the Spanish Agency for Data Protection
that, before learning of the complaint that gave rise to this procedure,
this party had already updated its third-party communications model, so
that the information on data protection that it had been
providing in such communications.

Attached is one of the letters that has been sent with the updated
data protection information (with personal data redacted).

FIFTH: On October 21, 2020, the instructor of the procedure agreed to
open a period for the taking of evidence, considering as incorporated the
preliminary investigation actions, E/07581/2019, as well as the documents
provided by the defendant.

SIXTH: On October 28, 2020, a resolution proposal was formulated,
proposing that the defendant be sanctioned with a warning for an infringement of
article 14 of the RGPD, typified in article 83.5 of the RGPD,
in relation to article 74.a) of the LOPDGDD.

From the actions carried out in this procedure and from the documentation
in the file, the following have been accredited:

                                PROVEN FACTS



FIRST: The defendant is sending letters to the claimants, demanding an
amount of money, after obtaining their personal data in a judicial procedure.

The communication took place in the framework of civil judicial proceedings
claiming intellectual property rights.


SECOND: In accordance with what was established by the head of Commercial
Court nº *** COURT. 2 in order nº *** AUTO.1 of January 8, both the obtaining
of the data and its use are legitimate.


THIRD: The defendant acknowledges the breach of article 14 of the
RGPD for not informing the holders of all the points of said precept,
such as the right to exercise data protection rights before the
controller, or the right to file a claim with the AEPD, as
provided in art. 14.2, letters c) and e).


The defendant states that it has updated its model for communications to
third parties, in accordance with what is required in article 14 of the RGPD.

In particular, it states that the information currently offered in the
communications sent by this professional office is, verbatim, the
following:

"Your personal data are processed for the exclusive purpose of exercising the rights of
CRYSTALIS ENTERTAINMENT UG claimed by this communication.
Your data will be kept for five years from the resolution of this
conflict (understood as judicial or extrajudicial satisfaction), with the exception of
the identification data essential to fulfill the eventual commitment not to
claim again or not to address you again.

We inform you that you have the right to request access to your personal data
being processed, their rectification, the limitation of their processing and their
portability (without allowing in this case the deletion, opposition or a limitation
of processing that prevents the satisfaction of the legitimate interest pursued by our
client).

For the exercise of your rights you can send a communication, attaching a copy of your
DNI or equivalent document, to *** EMAIL.1 or to LVCENTVM LEGAL S.L. at the
address at the bottom of this letter. Also, and especially if you consider that
you have not obtained full satisfaction in the exercise of your rights, you may submit
a complaint to the national supervisory authority by contacting the Spanish
Agency for Data Protection".


                            FOUNDATIONS OF LAW

                                             I

The Director of the Spanish Agency for Data Protection is competent to resolve
this procedure, in accordance with the provisions of art. 58.2 of the RGPD and
arts. 47 and 48.1 of the LOPDGDD.

                                             II

Article 6.1 of the RGPD establishes the cases that allow the lawful
processing of personal data.

Article 14 of the RGPD regulates the right to information that must be provided
when the personal data have not been obtained from the data subject, indicating the
following:


1. When the personal data have not been obtained from the data subject, the
controller will provide the following information:

a) the identity and contact details of the controller and, where appropriate, of its
representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data are intended, as well as the
legal basis for the processing;

d) the categories of personal data in question;

e) the recipients or categories of recipients of the personal data, where
applicable;

f) where appropriate, the intention of the controller to transfer personal data to a recipient
in a third country or international organization and the existence or absence of an
adequacy decision of the Commission, or, in the case of the transfers indicated
in articles 46 or 47 or article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate safeguards and the means of obtaining a copy of them or to the
fact that they have been provided.

2. In addition to the information mentioned in section 1, the controller
will provide the data subject with the following information necessary to guarantee
fair and transparent data processing with respect to the data subject:

a) the period during which the personal data will be kept or, when that is not
possible, the criteria used to determine this period;

b) when the processing is based on article 6, paragraph 1, letter f), the legitimate
interests of the controller or of a third party;

c) the existence of the right to request from the controller access to the
personal data relating to the data subject, and their rectification or deletion, or the
limitation of their processing, and to object to the processing, as well as the right to
data portability;

d) when the processing is based on article 6, paragraph 1, letter a), or article
9, section 2, letter a), the existence of the right to withdraw consent at any
time, without affecting the lawfulness of the processing based on consent
before its withdrawal;

e) the right to file a claim with a supervisory authority;

f) the source from which the personal data come and, where appropriate, whether they come
from publicly accessible sources;

g) the existence of automated decisions, including profiling, referred to in
Article 22, paragraphs 1 and 4, and, at least in such cases, meaningful information
on the logic applied, as well as the importance and expected consequences
of said processing for the data subject.

3. The controller will provide the information indicated in sections 1 and 2:

a) within a reasonable time, once the personal data have been obtained, and at the
latest within one month, taking into account the specific circumstances in which
such data are processed;

b) if the personal data are to be used for communication with the data subject,
at the latest at the time of the first communication to said data subject, or

c) if it is planned to communicate them to another recipient, at the latest at the time
that the personal data are communicated for the first time.


4. When the controller plans the subsequent processing of the personal data
for a purpose other than that for which they were obtained, it will provide the
data subject, before said further processing, with information on that other purpose and
any other relevant information indicated in section 2.


5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent
that:

a) the data subject already has the information;

b) the communication of said information is impossible or involves a disproportionate
effort, in particular for processing for archival purposes in the public interest,
scientific or historical research purposes or statistical purposes, subject to the
conditions and guarantees indicated in article 89, paragraph 1, or to the extent that
the obligation mentioned in paragraph 1 of this article may make impossible or
seriously hamper the achievement of the goals of such processing. In such cases, the
controller shall adopt appropriate measures to protect the rights, freedoms and
legitimate interests of the data subject, including making the information public;

c) the obtaining or communication is expressly established by the law of the
Union or of the Member States that applies to the controller and that
establishes adequate measures to protect the legitimate interests of the data subject, or

d) when personal data must remain confidential on the
basis of an obligation of professional secrecy regulated by Union law or the law
of the Member States, including an obligation of secrecy of a statutory nature.


                                             III

In the present case, it is stated in the first place that the defendant, once it has
the customers' personal data, instead of using the personal data
obtained in the preliminary proceedings exclusively to obtain
jurisdictional protection, as required by art. 259.4 of the LEC, sends them
a letter demanding a sum of money from them.

Therefore, the claimant considers that the defendant has used the personal
data for purposes other than those specifically provided for in the regulations,
causing a violation of data protection regulations.



In this sense, this Spanish Agency for Data Protection considers that, in
relation to the lack of legitimacy for the processing of the personal data of
Euskaltel customers, it is necessary to take into account the response of the head of
Commercial Court nº *** COURT.1, in order nº *** AUTO.1 of January 8, 2019, to
Euskaltel's opposition to the provision of the personal identification data of the
holders of the requested IP addresses.


In the SECOND Legal Reasoning, section 8, it is stated: “8. Request for
unnecessary information. The operator alleges that information is requested (landline,
mobile, email) that is part of the privacy of users and exceeds what is
necessary for the intended purposes.

The Judge does not share Euskaltel's assessment. The data referred to are those necessary
to contact users and be able to file a legal claim against them or,
where appropriate, an extrajudicial one.”


Furthermore, in section 9 the Magistrate states the following: “9.1. Legality. The
operator alleges that the report is the result of interference by a foreign company
in the personal data and content of the communications, which constitutes an
infringement of the European Data Protection Regulation. (…)

In this case, there is no evidence that the program for the protection of
intellectual property rights has obtained data other than the IP address, and the
IP address is being used to claim before the civil courts for the infringement of
such rights. Therefore, both the obtaining of the data and its use are
legitimate.



In this sense, Regulation (EU) 2016/679 establishes as principles relating to
processing the collection of data for specific, explicit and legitimate purposes, to
be processed in accordance with these purposes, and the limitation of the data to what is
necessary in relation to the purpose for which they are processed (art. 5.1. b and c), and
article 6 considers lawful the processing necessary to satisfy legitimate interests
pursued by the controller or by a third party, provided that the interests or
fundamental rights and freedoms do not prevail over said interests.
Regarding the fundamental right to confidentiality of communications, it is not affected
by the obtaining of the data relating to the IP address.”



                                            IV


In this case, it is taken into account that the defendant must provide the information
indicated in article 14 of the RGPD when personal data have not been
obtained from the data subject.

The defendant, in particular, on October 5, 2020, stated in response to the
requirement of this Agency that the information currently offered in the
communications sent by this professional office is, verbatim, the
following:

"Your personal data are processed for the exclusive purpose of exercising the rights of
CRYSTALIS ENTERTAINMENT UG claimed by this communication.

Your data will be kept for five years from the resolution of this
conflict (understood as judicial or extrajudicial satisfaction), with the exception of
the identification data essential to fulfill the eventual commitment not to
claim again or not to address you again.

We inform you that you have the right to request access to your personal data
being processed, their rectification, the limitation of their processing and their
portability (without allowing in this case the deletion, opposition or a limitation
of processing that prevents the satisfaction of the legitimate interest pursued by our
client).

For the exercise of your rights you can send a communication, attaching a copy of your
DNI or equivalent document, to *** EMAIL.1 or to LVCENTVM LEGAL S.L. at the
address at the bottom of this letter.

Likewise, and especially if you consider that you have not obtained full satisfaction in the
exercise of your rights, you may file a claim with the national supervisory
authority by contacting the Spanish Agency for Data Protection"


                                            V


By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for
Data Protection, as a supervisory authority, has a set of
corrective powers in the event of an infringement of the precepts of the
RGPD.


Article 58.2 of the RGPD provides the following:

“2. Each supervisory authority shall have all the following corrective powers
listed below:

(…)
b) sanction any controller or processor with a warning
when the processing operations have infringed the provisions of this
Regulation;”

(...)
“d) order the controller or processor to bring the processing operations
into compliance with the provisions of this Regulation, where appropriate,
in a specified manner and within a specified time;”
“i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case;”



Article 74.a) of the LOPDGDD, under the heading “Infractions considered minor”,
provides:

"The remaining infractions of a merely formal nature of the articles mentioned in
sections 4 and 5 of article 83 of Regulation (EU) 2016/679, and in particular the
following, are considered minor and will prescribe after one year:

a) Failure to comply with the principle of transparency of information or the right
to information of the data subject by not providing all the information required by
articles 13 and 14 of Regulation (EU) 2016/679."



In accordance with the facts presented, the defendant has violated article 14 of the
RGPD, the infringement of which is penalized with a warning, in accordance with article
58.2.b) of the RGPD, when collecting through said form basic data of the
users, and considering that the administrative fine that could be imposed in accordance
with the provisions of article 83.5.b) of the RGPD would constitute a disproportionate
burden for the defendant, whose main activity is not directly linked to the
processing of personal data, since there is no evidence of the commission of any previous
infringement regarding data protection.


                                            VI

On the other hand, article 83.7 of the RGPD provides that, without prejudice to the
corrective powers of the supervisory authorities pursuant to art. 58, paragraph 2,
each Member State may lay down rules on whether and to what extent administrative
fines may be imposed on public authorities and bodies established in
that Member State.

The defendant has proceeded to remedy the facts that are the subject of this sanctioning
procedure, since the communications it currently sends contain the
following:

"Your personal data are processed for the exclusive purpose of exercising the rights of
CRYSTALIS ENTERTAINMENT UG claimed by this communication.

Your data will be kept for five years from the resolution of this
conflict (understood as judicial or extrajudicial satisfaction), with the exception of
the identification data essential to fulfill the eventual commitment not to
claim again or not to address you again.

We inform you that you have the right to request access to your personal data
being processed, their rectification, the limitation of their processing and their
portability (without allowing in this case the deletion, opposition or a limitation
of processing that prevents the satisfaction of the legitimate interest pursued by our
client).

For the exercise of your rights you can send a communication, attaching a copy of your
DNI or equivalent document, to *** EMAIL.1 or to LVCENTVM LEGAL S.L. at the
address at the bottom of this letter.

Likewise, and especially if you consider that you have not obtained full satisfaction in the
exercise of your rights, you may file a claim with the national supervisory
authority by contacting the Spanish Agency for Data Protection"

Therefore, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on LVCENTVM LEGAL, S.L., with NIF B42557306, for an
infraction of article 14 of the RGPD, typified in article 83.5 of the RGPD, a
warning sanction.


SECOND: NOTIFY this resolution to LVCENTVM LEGAL, S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in accordance
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the
LPACAP, the interested parties may optionally file an appeal for reconsideration before
the Director of the Spanish Agency for Data Protection within one month from
the day after notification of this resolution, or directly a
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of the
LPACAP, the final resolution may be provisionally suspended through administrative
channels if the interested party expresses an intention to file a
contentious-administrative appeal. If this is the case, the interested party must formally
communicate this fact in writing addressed to the Spanish Agency for Data Protection,
presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries
provided for in art. 16.4 of the cited Law 39/2015, of October 1. The interested party
must also send the Agency the documentation proving the effective filing of the
contentious-administrative appeal. If the Agency is not made aware of the filing of the
contentious-administrative appeal within a period of two months from the day following the
notification of this resolution, it will terminate the precautionary suspension.



Mar España Martí
Director of the Spanish Agency for Data Protection











