AEPD - PS/00247/2019
|Relevant Law:|Article 32(2) GDPR; Article 32(4) GDPR|
|National Case Number/Name:|PS/00247/2019|
|European Case Law Identifier:|n/a|
|Original Source:|aepd.es (in ES)|
|Initial Contributor:|Pablo Rossi|
The AEPD fined a travel company EUR 5,000 for an infringement of Article 32(2) and (4) of the GDPR. The medical test results of one employee were scanned and sent from one manager of the company to another. The entity invoked mitigating factors provided for in national administrative law, which led to a reduced fine of EUR 3,000.
English Summary
Facts
On 13/02/2019 the AEPD received a complaint from the claimant against the entity GLOBAL BUSINESS TRAVEL SPAIN, S.L.U. The complaint stated that an employee of the company (the Head of Occupational Risk Prevention) opened, scanned and emailed to his immediate boss the results of the claimant's medical tests. To clarify the facts, the AEPD forwarded the complaint to the company so that it could analyse it and respond to the information requested within one month. Nevertheless, the company did not respond to the AEPD's request for information. After that, due to an error in the notifications, both the claimant and the respondent were notified of the admission of the claim for processing. This led to the claimant's misconception that it was entitled to appeal against the admission agreement.
In this (erroneous) appeal against the admission agreement, the company stated that the persons involved had been questioned and that the leaked information had been immediately deleted. The appeal was not admitted, as the company was not in a position to appeal, but the measures taken by the company were taken into account.
Dispute
Does opening, scanning and forwarding an employee's medical test results imply a violation of Article 32 GDPR?
Holding
The AEPD considered that the conduct of one of the respondent's employees (opening the envelope containing the results of the medical tests the claimant had undergone, scanning the document and sending it by e-mail to at least one employee of the entity) infringes Article 32(2) and 32(4) of the GDPR, an infringement punishable under Article 83(4)(a) of the GDPR.
Assessing the circumstances modifying liability, both adverse and favourable, contemplated in Article 83(2) GDPR, the AEPD set the administrative fine at EUR 5,000. However, two mitigating circumstances under Article 85 of the Spanish Law on the Common Administrative Procedure of Public Administrations could be applied, each of which may reduce the fine by 20%. The first is acknowledging responsibility within the time allowed for the submission of claims. The second is making voluntary payment of the proposed penalty at any time before the proceedings are resolved.
On June 6, 2020, the respondent company paid the fine in the amount of EUR 3,000, thereby applying the two reductions mentioned above. This implied acknowledgement of its responsibility and the waiver of any action or appeal in administrative proceedings against the sanction. After these events, the AEPD decided to terminate the procedure.
Comment
This case is interesting, as there was an error in the notification of the start of the procedure. Both the defendant and the respondent were notified. This error created a false sense that the respondent could appeal the initiation of the proceedings. The appeal was not accepted, but certain information provided by the company was taken into account (the investigation that was carried out on the company's own initiative and the fact that they made sure that the information that had been read out was deleted). These two aspects were taken as mitigating factors, reducing the amount of the fine.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
DECISION R/00296/2020 ON TERMINATION OF PROCEEDINGS FOR PAYMENT VOLUNTEER In sanction procedure PS/00247/2019, conducted by the Agency Spanish Data Protection Agency to GLOBAL BUSINESS TRAVEL S.L.U., having regard to the complaint submitted by A.A.A., and on the basis of the following BACKGROUND FIRST: On March 30, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate sanctioning procedure to GLOBAL BUSINESS TRAVEL SPAIN S.L.U. (hereinafter, the Respondent), by means of the Agreement which is transcribe: << Product No.: PS/00247/2019 935-240719 AGREEMENT TO INITIATE DISCIPLINARY PROCEEDINGS Of the actions carried out by the Spanish Agency for the Protection of Data and based on the following FACTS FIRST: On 13/02/2019 he joined the Spanish Protection Agency of Data (AEPD) a claim from Ms. A.A.A. (hereinafter, the claimant) against GLOBAL BUSINESS TRAVEL SPAIN, S.L.U., with NIF B85376630 (in go ahead, the one claimed). The claimant states as the basis of her claim that an employee of the company complained of has accessed its health data and communicated it, to the minus two other employees of that entity. C/ Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/16 He says that the head of Occupational Risk Prevention opened, scanned and e-mailed her immediate boss, with a copy to her, the results of the medical tests performed on him at a company sponsored examination and not, as would have been correct, only the report issued by the Mutual with the conclusion of fit or unfit for work. He adds that the Mutual had sent the company claimed the result of his medical tests in a sealed envelope addressed to his care and that their health data were also communicated to other persons in the company as D.ª B.B.B. 
The claimant explains that she has provided her services to the entity in question as a company travel agent until 02/01/2019 and that on 15/10/2018 a medical examination at the Mutual Valore Prevenzione which was necessary to to work in the facilities of a client company that required the "suitable medical" for outside workers to access the building. That, once the and pending the results of the analysis, the Mutual provided a suitable and it was left to deliver the final product to the work centre once received. He states that, 15 days after the medical examination, he requested the Mutual Insurance Company to upload to the web the result of the recognition to what she replied that because she had been on leave for a long time they could not send it to them online and they would send it in print to the company's headquarters and social, in ***DIRECTION.1, indicating that it had been sent by mail on 29/10/2018 so it would be close to being received. He explained that after the conversation with the Mutual he had sent an email to his superior officer, D.C.C., to inform him that his medical exam was to be received at the headquarters and ask him that, since he planned make a visit to the client company's premises where she was working displaced person, he'll bring it to you in person. And in case the mail doesn't had arrived before that visit, asked him to keep an eye out for her and she would stop by the respondent's office to pick it up personally. She adds that D.C.C.C. replied that they would forward your email to D.D.D., who was responsible for prevention of occupational hazards for the company to help him. The complainant states that on 05/11/2018, on the occasion of the visit that D.C.C. made to the premises where she worked, she informed her that the written medical report "but that another boss, B.B.B., already had the report of the fit I had already gone up to the client's platform and didn't worry about it. 
On 08/11/2018 reads an email received the day before sent by D. D.D.D., responsible for occupational hazards, to the head of the claimant, D.C.C., with a copy to her, with which it attaches, in addition to the report of the applicant, the full result of the medical examination photocopied and scanned in black and white. The complainant claims that the medical information came in a sealed envelope to her name with the indication that it was confidential and that D.D.D., after scanned the results received, destroyed the document in which they were collected. Attached to your claim are, among others, copies of the following documents: - E-mail dated 05/11/2018 sent by Mr. D.D.D. "To" prevention of occupational hazards, with a copy to the claimant, which states as "Topic" "VR: values informational prevention-Medical recognition A.A.A.". The text is as follows: "E.E.E., please, you can perform the to make arrangements for A.A.A. to continue to enter Iberdrola. Many Thank you." - E-mail sent on 07/11/2018 by D. D.D.D. "for" C.C.C. with copy to the claimant. A pdf document is attached. The text of the message is the next: "Hi, I just got the A.A.A. report, I'm passing it on to you scanned." - E-mail that the complainant sent on 11/16/2018 to the department of Human Resources (HR), for the attention of F.F.F. Explain that you are writing this email to record a very serious incident. - Email sent to the complainant by "Human Resources" on 04/12/2019 in which "Medical Examination Incident" appears as the "Subject A.A.A.". In their text they regret what happened; they confirm that D. D.D. has spoken with the complainant apologizing and informing her that the company has made the necessary arrangements so that all the documentation sent is eliminated and means have been put in place to ensure that this does not happen again. SECOND: A. 
In accordance with the mechanism prior to the admission to claims made to the AEPD, provided for in Article 65.4 of the Law Organic 3/2018 of 5 December on the Protection of Personal Data and Guarantee of digital rights (hereinafter referred to as LOPDGDD), in the framework of E/4046/2019 gave notice of the claim to the respondent to proceed with its analysis and to give response within one month to the information requested. The letter was notified to the respondent electronically with the date of posting available on the website on 12/04/2019 and the date of acceptance of the notification on 15/04/2019 as attested by the certificate issued by the FNMT work in the file. Once the period of one month granted to evacuate the procedure has elapsed, the claimed had not responded to the information request from the AEPD. B. On 18 June 2009, having analysed the documentation in the file, the The Director of the AEPD issued a resolution in the framework of E/ 7551/2019, in which she agreed to admit the claim. The claimant was notified of the settlement and, as a result of a incident in the electronic management of notifications, also to the GLOBAL BUSINESS TRAVEL SPAIN S.L.U., the claimed. Article 65.4 of the LOPDGDD provides that "The decision on the admission or inadmissibility, (...), must be notified to the claimant within three months". (underlining is from the AEPD). This Agency, in compliance with such provision does not communicates the admission agreements to the respondents. 
The fact that the entity complained of was improperly notified on admission agreement together with the fact that the agreement did not specify who the addressee of the notification - as it is unnecessary since only the and at the same time gave the "interested parties" the possibility of The fact that the defendant was able to file an optional appeal for reconsideration led the defendant to consider that was entitled to appeal the plea agreement. The circumstances described above led the defendant to bring an action before This Agency has the right to appeal against the agreement for admission to The Commission also requested that the above-mentioned agreement be terminated (RR/120/2020). The Agency - as stated in resolution RR/120/2020 - chose to give The applicant did not have the right to bring an action (ex Article 112.1 of Law 39/2015 on Common Administrative Procedure, hereinafter LPACAP). This Agency - having regard to the fact that it had been notified to the the claimant's admission agreement and given that the text of that agreement led to the erroneous interpretation that was entitled to appeal - responded to the appeal made. The decision The rejection of RR/120/2020 was notified to the respondent and the appellant on 11/05/2020 (date of acceptance of the electronic notification) The appellant, now the respondent, has stated that the claimant spent the medical examination before the Mutual on 15/09/2019 and informed his immediate boss, C.C.C., who, given that the report would reach the company, "as soon as I received it, I sent to Iberdrola (not to bring it to you, as the complaint says). Note that it was not specified in the A.A.A. instructions how the shipment should be made, i.e., whether by mail, email or other means, only to be sent to Iberdrola". 
He added that the report of the Mutua Valora arrived at the headquarters of the claimed entity on 07/11/2019, by mail "in an envelope in the name of the entity" "so given the emergency situation, as explained, the risk prevention manager D.D.D., scanned it and sent it immediately, by email in the chain of emails where the subject was being discussed and where it was, in addition to A.A.A. ..., your immediate boss C.C.C." The defendant has stated that after learning of the events he adopted several measures: asked the people involved who might have had contact with the file an explanation and immediate deletion of the information. The address of HR of the entity requested information from the occupational risk prevention technician who responded by email on 11/19/2018 a copy of which is provided. He adds that this person, D.D.D.D. left the company on 26/03/2019 without specifying the reasons. It also states that it requested information about the incident from D.C.C. employees and D.ª B.B.B. and that the Technology Department proceeded to delete the D.D.D. and Dª. C.C.C. terminals of the transmitted report. The respondent annexed to its writ of appeal for reversal, among others documents, the following emails: - Sent by the claimant to D.C.C. on 11/05/2018: "(...) I have contacted Valora prevención because I have received the email to to ask you for a date for the medical examination when I did it in the past October 15 (...). I am informed in Valora that ... the medical report is not put on the web so you can download it, but print it out and send it to ***DIRECTION.1 for my attention. I have been told that it was printed on last October 29th so if he hasn't arrived yet he's about to the office. I'll let you know in case it's delivered and if you can get it to me to Iberdrola." - Sent by D. D.D.D. on 09/11/2018: "(...) 
The full report on its I received it in the office on Monday and after scanning it and sending it to you destroyed, you can please request that they send her the full report of new??" - Sent by "Prevention" to "G.G.G., H.H.H., Human Resources..." on 19/11/2018: "As A.A.A. comments in the mail, it is true, from Valora sent the report of their appreciation to my attention to the office of Barcelona and I accidentally scanned it and sent it to him without realizing that he was responding to an email from C.C.C. instead of her alone..." - Sent by D.C.C. to D.D.D. on 28/11/2018: "I confirm that this document was deleted that same day because I only opened the page that said that he was fit to work on the premises. The rest I didn't get to look at." LEGAL FOUNDATIONS I By virtue of the powers conferred on each individual by Article 58(2) of the GPRS, the supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to resolve this procedure. II Article 58 of the RGPD, "Powers", states: "2 Each supervisory authority shall have all the following powers corrections indicated below: (…) (i) to impose an administrative fine pursuant to Article 83, in addition to or instead of of the measures referred to in this paragraph, depending on the circumstances of the individual situation (…)” III Article 5 of the RGPD deals with the principles that should govern the processing of personal data and mentions among them those of "integrity and confidentiality": "1. 
Personal data shall be: (…) (f) processed in such a way as to ensure appropriate security of the data including protection against unauthorised or unlawful processing or their accidental loss, destruction or damage, through the application of technical measures or appropriate organizational arrangements (<<integrity and confidentiality>>) Article 5.2. RGPD adds: "The controller shall be responsible for compliance with provided for in paragraph 1 and capable of demonstrating it (<<proactive responsibility>>)" Under Chapter IV, "Controller and person in charge of treatment", the RGPD dedicates Article 32 to "Security of treatment" precept that you have: "1. Taking into account the state of the art, the implementation costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for the rights and freedoms of individuals the controller and the processor shall implement technical and appropriate organisational arrangements to ensure a level of safety appropriate to the risk, which in your case includes, among others: (a) the pseudonymisation and encryption of personal data (b) the ability to ensure the confidentiality, integrity, permanent availability and resilience of processing systems and services; (c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident; (d) a process of regular verification, evaluation and assessment of effectiveness of technical and organisational measures to ensure the security of processing. 2. 
In assessing the adequacy of the level of security, particular consideration shall be given to takes account of the risks involved in the processing of data, in particular as a result of the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data. 3. Adherence to an approved code of conduct within the meaning of Article 40 or to a certification mechanism approved under Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article. 4. The controller and the processor shall take steps to ensure that any person acting under the authority of the controller or the processor and having access to personal data may process such data only on instructions from the controller, unless he or she is required to do so by the law of Union or Member States." (The underlining is from the AEPD) The violation of article 32 of the RGPD is typified in the article 83.4 in the following terms: "Violations of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of 10,000,000 Eur or, in the case of a company, for an amount equivalent to a maximum of 4% of total annual turnover for the previous financial year, opting for the largest: (a) the obligations of the person responsible and of the person in charge under Articles 8,11,25 to 39, 42 and 43;" For the purposes of the statute of limitations, Organic Law 3/2018 on Data Protection Personal and Guaranteed Digital Rights (LOPDGDD) qualifies as an infringement Article 73(f) "Failure to take such technical and appropriate organizational arrangements to ensure a level of safety appropriate to the risk of treatment, as required by Article 32(1) of Regulation (EU) 2016/679 The conduct that is the subject of this complaint is specified in the 
opening by an employee of the claimed entity - the head of Risk Prevention Work - from the envelope containing the results of the medical tests carried out at the claimant by the Mutual, which was allegedly directed to the attention of the claimant; in scanning it and in communicating it by e-mail to other employees of the company. The documentation in the file provided by the claimant corroborates that the claimant's medical report received from the Mutua Valore was opened by D. D.D.D., scanned and emailed as document attached to both D. C.C.C., the head of the claimant, and herself. We We refer to the email of 19/11/2018 sent from "Prevención", we understand that by D.D.D., to Human Resources. On the other hand, according to the documents provided by the claimant and the The claim does not show that the head of the Prevention of Occupational Risks would have known the information that was included in the document. In addition to the above, D. C.C.C., the head of the claimant, who as demonstrated received an email from D. D.D.D. containing as a file I attach the document with the results of the medical tests of the affected person, stated in the e-mail sent on 28/11/2018 that he only opened the page that said that the claimant was fit to work on inplants and that the rest of the document didn't get to look at it. The Contentious-Administrative Chamber of the National Court has held repeatedly in its resolutions, during the validity of the Organic Law 15/1999, on the protection of personal data (LOPD), that the violation of The principle of confidentiality, insofar as it is an infringement of result, presupposes that there has been an actual disclosure of data to a third party not entitled to to meet them. 
So, even if the behavior deployed could lead to a disclosure of data to third parties, if this has not been done in a way effective and has been proven - without the mere presumption being admissible - is not possible to charge an infringement of this nature; infringement of the duty established by the Article 10 of the repealed LOPD and which is now covered by Article 5(1)(f) of the RGPD. Therefore, at this stage of the proceedings, and without prejudice to the outcome of the There is no evidence to attribute to the Respondent, as alleged by the a violation of the principle of confidentiality. The documentation in the file shows that the The company had not implemented the criteria for action among its staff with respect to private documents containing health data from the employees. Furthermore, with the exception of the e-mail sent by D.C.C. at the end November 2018, it seems that the company's personnel give the same treatment to the report issued by the Mutual Insurance Company on fitness for work or unfitness for work than the result of the medical tests the claimant underwent. Article 32 of the RGPD obliges the controller to take measures to ensure that any person acting under his authority and having access a personal data may only be processed on the instructions of the person responsible. These instructions must be based on a prior assessment by the risk involved in each of the processing operations carried out to ensure the security of the data. This is particularly the case when the data is requested, in compliance with the health policy implemented by the client companies (in this Iberdrola) was fully aware that those of its employees who The inplant was to undergo a medical examination and the "fit-for-work report" was to be communicated to the client company. received along with the results of the medical tests performed, results that contained health data for the treatment of which the claimed company lacked legitimacy. 
In this line of argument, recital 74 of the RGPD states that "It should be established the responsibility of the controller for any processing of personal data carried out by himself or on his behalf. In particular, the person responsible should be obliged to implement timely and effective measures and should be able to demonstrate the conformity of the processing activities with the present Regulation, including the effectiveness of the measures. Those measures should have in The nature, scope, context and purposes of the processing, as well as the risk to the rights and freedoms of natural persons." (The underlining is from the AEPD) According to the evidence available at this stage of the procedure and without prejudice to the outcome of the investigation, it is considered that the conduct of the respondent which is the subject of the assessment in this case penalty - specified at the opening of the envelope with the test results the claimant underwent at Mutua Valore, in the scan of the document and in its transmission by e-mail to at least one employee of the entity- violates Article 32.2 and 32.4 of the RGPD, an infraction sanctioned in 83.4.a, of the RGPD. V In order to specify the amount of the administrative fine that would correspond The provisions of Articles 83.1 and 83.2 of the RGPD must be complied with, precepts that they point out: "Each supervisory authority shall ensure that the imposition of fines administrative offences under this Article for violations of this Regulation referred to in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 
"Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j) In deciding to impose a fine and its amount in each individual case will be duly taken into account: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as follows as the number of stakeholders affected and the level of damages that have suffered; (b) the intentional or negligent nature of the infringement; (c) any measures taken by the controller or processor to to alleviate the damages suffered by those concerned; (d) the degree of responsibility of the controller or processor, taking into account the technical or organisational measures they have implemented under of Articles 25 and 32; (e) any previous breach committed by the controller or processor; (f) the degree of cooperation with the supervisory authority for the purpose of remedying violation and mitigate the possible adverse effects of the violation; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in in particular whether the person responsible or the person in charge notified the infringement and, if so, in what measure; (i) where the measures referred to in Article 58(2) have been ordered against the person in charge or the person in charge of the same issue, compliance with those measures; (j) adherence to codes of conduct under Article 40 or to certification approved in accordance with Article 42, and (k) any other aggravating or mitigating factors applicable to the circumstances of the case, as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement." 
With respect to section 83.2 (k) of the RGPD, the LOPDGDD, section 76, "Sanctions and corrective measures," he says: "In accordance with Article 83(2)(k) of the Regulation (EU) 2016/679 may also be taken into account: (a) the continuing nature of the infringement (b) The linkage of the activity of the offender with the carrying out of processing operations personal data. (c) The profits obtained as a result of the commission of the offence. (d) the possibility that the conduct of the person concerned might have led to the commission of the infraction. (e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity. (f) Affecting the rights of minors. g) To have, when it is not compulsory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases where there are disputes between them and any interested party." Aggravating circumstances are taken into account next: - Article 83(2)(f) of the GPRS which refers to the "extent of cooperation with the authority in order to remedy the infringement and to mitigate the possible adverse effects". Let us recall that the respondent did not respond to the request information of this Agency, prior to the admission to procedure of the claim, in spite of that it is established that service of the application has been properly effected informative. - Article 83(2)(g) of the GPRS on categories of character data The Commission has not been able to identify the personnel affected by the infringement, as this was the complainant's health data. 
- The obvious link between the business activity of the respondent and the processing of personal data, not only of its employees but also of persons travel is managed for, as this is the business of the company (Article 83.2.k of the RGPD in relation to Article 76.2.b of the LOPDGDD) The following circumstances would apply as mitigating factors: -The one provided for in Article 83(2)(a) RGPD, which refers to the gravity of the infringement taking into account, among other variables, the purpose of the processing operation and the level of damages that the affected person has suffered. The purpose of the operation treatment was lawful: to pass on to the claimant the confidential results of his medical tests, it was not, however, the form used for it. That is, the conduct in which the breach of the obligation incumbent on the The entity to take measures to ensure data security and effectiveness of such measures. Furthermore, according to the documentation in the file does not show that the claimant has suffered significant damage and damages. - That provided for in Article 83(2)(k) of the GPR, which mentions "any other ...mitigating factor applicable to the circumstances of the case. In this regard, the to appreciate that before the complaint was filed with this Agency (on 13/02/2019) the entity had activated internal mechanisms to knowing the events that had taken place, had questioned the people involved in them and ordered that all information relating to the medical findings of the claimant. Thus, in accordance with the foregoing statement, we consider that the the defendant committed an infringement of Article 32(2) and (4) of the RGPD sanctioned in Article 83.4.a of the aforementioned Regulation (EU) 2016/657 and that, assessed the circumstances modifying the liability, both adverse and In accordance with Article 83(2) of the RGPD, the amount of the fine 5,000 to be imposed. 
Therefore, on the basis of the above, By the Director of the Spanish Data Protection Agency, AGREED: FIRST: Initiate disciplinary proceedings against GLOBAL BUSINESS TRAVEL SPAIN S.L.U., with NIF B85376630, for the alleged infringement of article 32, paragraphs 2 and 4, of the RGPD typified in article 83.4.a) of the RGPD. SECOND: To appoint R.R.R. as instructor and S.S.S. as secretary, indicating that any of them may be challenged, where appropriate, in accordance with the provisions of Articles 23 and 24 of Law 40/2015 of 1 October on the Legal System for the Sector Public (LRJSP). THIRD: TO INCORPORATE into the sanctioning file, for the purpose of proof, the claimant and its accompanying documentation, as well as the documents obtained and generated by the Subdirección General de Inspección de Data. FOURTH: THAT for the purposes of Article 64.2 b) of Law 39/2015, of 1 October, Common Administrative Procedure for Public Administrations (LPACAP), the sanction that may apply would be an administrative fine for 5,000 (five thousand euros), without prejudice to the outcome of the instruction. FIFTH: TO NOTIFY this agreement to GLOBAL BUSINESS TRAVEL SPAIN S.L.U., with NIF B85376630, granting it a ten working day hearing to make the allegations and submit the evidence it deems appropriate. In your pleading, you must indicate your VAT number and the procedure number you appears in the header of this document. If no allegations are made within the stipulated period, the agreement to commence may be considered as a motion for resolution, in accordance with Article 64(2)(f) of the LPACAP. In accordance with Article 85 of the LPACAP, if the sanction to be imposed other than a fine, may acknowledge its responsibility within the period granted for the formulation of arguments to the present agreement of beginning what shall be accompanied by a 20% reduction in the penalty to be imposed in the present procedure. 
With the application of this reduction, the sanction would be established at 4,000 euros, the procedure being resolved with the imposition of this sanction.
Similarly, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed penalty, which will result in a 20% reduction in its amount. With the application of this reduction, the penalty would be set at 4,000 euros and its payment would involve the termination of the procedure.
The reduction for voluntary payment of the penalty is cumulative with the one applicable to the recognition of liability, provided that this recognition of responsibility is made within the time limit granted to make representations on the opening of the proceedings. The payment of the amount referred to in the preceding paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at
In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the waiver or relinquishment of any administrative action or appeal against the sanction.
If you choose to proceed with the voluntary payment of either of the amounts, 40,000 or 30,000 euros, you must pay it by deposit into account no. ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK Bank, S.A., indicating in the payment description the reference number of the procedure shown in the heading of this document and the ground for the reduction being claimed.
Likewise, you must send proof of the deposit to the Subdirectorate General of Inspection so that the procedure can continue in accordance with the amount deposited.
The procedure will last a maximum of nine months from the date of the agreement to initiate or, where appropriate, the draft agreement to initiate. After this period, the agreement will expire and, consequently, so will the actions, in accordance with the provisions of Article 64 of the LOPDGDD.
Finally, it is noted that, in accordance with the provisions of Article 112.1 of the LPACAP, there is no administrative appeal against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
SECOND: On June 6, 2020, the claimant paid the 3,000 euros by making use of the two reductions provided for in the Agreement to Initiate transcribed above, which implies recognition of responsibility.
THIRD: The payment made, within the period granted to make allegations on the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgement of responsibility in relation to the facts referred to in the Agreement to Initiate.
LEGAL GROUNDS
I
By virtue of the powers that Article 58(2) of the GDPR confers on each supervisory authority, and in accordance with Article 47 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against said Regulation; infringements of Article 48 of Law 9/2014 of 9 May, General Telecommunications Law (hereinafter LGT), in accordance with Article 84.3 of the LGT; and the infringements defined in Articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (hereinafter ISESA), as provided for in Article 43.1 of said Act.
II
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure for Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings", provides the following:
"1. Once penalty proceedings have been initiated, if the offender acknowledges his responsibility, the proceedings may be terminated with the imposition of the appropriate penalty.
2. When the sanction is solely of a pecuniary nature, or when both a financial penalty and a non-pecuniary penalty may be imposed but the inappropriateness of the second has been justified, voluntary payment by the alleged perpetrator at any time before the resolution will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the infringement.
3. In both cases, when the penalty is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of at least 20% of the amount of the proposed penalty, which may be cumulated with each other. These reductions shall be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased by regulation."
In accordance with the above, the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00247/2019, in accordance with Article 85 of the LPACAP.
SECOND: TO NOTIFY this resolution to GLOBAL BUSINESS TRAVEL SPAIN S.L.U.
In accordance with the provisions of Article 50 of the LOPDGDD, this decision will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by Article 114(1)(c) of Law 39/2015 of 1 October on the Common Administrative Procedure for Public Administrations, the interested parties may lodge a contentious-administrative appeal before the Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the aforementioned Law.
Mar España Martí
Director of the Spanish Data Protection Agency