AEPD (Spain) - PS/00247/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
mNo edit summary
Line 50: Line 50:
}}
}}


The Spanish DPA (AEDP) imposed a penalty of EUR 4000 on ORGANIC NATUR 03 S.L. for infringement of Article 13 GDPR (data privacy policy) and a warning penalty for infringement of Article 7 GDPR regarding the collection of customer consent.
The Spanish DPA (AEPD) imposed a penalty of 4000 on ORGANIC NATUR 03 S.L. for the infringement of Article 13 GDPR (data privacy policy) and a warning penalty for the infringement of Article 7 GDPR regarding the collection of customer consent.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The Territorial Delegation of the Department of Health and Families of the Regional Government of Andalusia filed a complaint with the AEPD against ORGANIC AND NATUR 03 S.L. on the issue of a membership contract that incorporates pre-determined clauses regarding data protection, thus preventing effective negotiation and the express consent of the signatory client.
The Territorial Delegation of the Department of Health and Families of the Regional Government of Andalusia filed a complaint with the AEPD against ORGANIC AND NATUR 03 S.L. on the issue of a membership contract that incorporates pre-determined clauses regarding data protection, thus preventing effective negotiation and the express consent of the signatory client.


In the aforementioned contract it was indicated that the client authorised the transfer of all his/her data for the purpose of managing the credit, as well as, to send him/her commercial offers.  
In the aforementioned contract it was indicated that the client authorised the transfer of all his/her data for the purpose of managing the credit, as well as, to send him/her commercial offers.  
The fact that different data processing purposes were being accepted in the same clause without express consent for each one could mean a breach of the duty to inform the customer of the purposes of data processing.
The fact that different data processing purposes were being accepted in the same clause without express consent for each one could mean a breach of the duty to inform the customer of the purposes of data processing.
 
===Dispute===
 
 
 
 
=== Dispute ===
Are the failure to update the privacy policy and the failure to collect consent for each of the purposes of data processing infringements of Articles 13 GDPR and 7 GDPR respectively?
Are the failure to update the privacy policy and the failure to collect consent for each of the purposes of data processing infringements of Articles 13 GDPR and 7 GDPR respectively?


=== Holding ===
===Holding===
To determine the amount of the penalty, the AEPD took into account three criteria in Article 83(2) GDPR: unintentional negligence (paragraph b); the categories of personal data affected by the infringement (paragraph g); and the way in which the AEPD became aware of the infringement, which was reported by the complainant (paragraph h).  
To determine the amount of the penalty, the AEPD took into account three criteria in Article 83(2) GDPR: unintentional negligence (paragraph b); the categories of personal data affected by the infringement (paragraph g); and the way in which the AEPD became aware of the infringement, which was reported by the complainant (paragraph h).  
Account has also been taken of Article 76 (2) (b) LOPDGDD concerning the link between the activity of the offender and the processing of personal data.
Account has also been taken of Article 76 (2) (b) LOPDGDD concerning the link between the activity of the offender and the processing of personal data.


In view of the above, a penalty of EUR 4000 was set for the infringement of Article 13 GDPR and a warning sanction for the infringement of Article 7 GDPR.
In view of the above, a penalty of 4000 was set for the infringement of Article 13 GDPR and a warning sanction for the infringement of Article 7 GDPR.


== Comment ==
==Comment==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.



Revision as of 17:59, 17 November 2020

AEPD - PS/00247/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 26.10.2020
Published:
Fine: 4000 EUR
Parties: ORGANIC AND NATUR 03, S.L
National Case Number/Name: PS/00247/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA (AEPD) imposed a penalty of € 4000 on ORGANIC NATUR 03 S.L. for the infringement of Article 13 GDPR (data privacy policy) and a warning penalty for the infringement of Article 7 GDPR regarding the collection of customer consent.

English Summary

Facts

The Territorial Delegation of the Department of Health and Families of the Regional Government of Andalusia filed a complaint with the AEPD against ORGANIC AND NATUR 03 S.L. on the issue of a membership contract that incorporates pre-determined clauses regarding data protection, thus preventing effective negotiation and the express consent of the signatory client.

In the aforementioned contract it was indicated that the client authorised the transfer of all his/her data for the purpose of managing the credit, as well as, to send him/her commercial offers.

The fact that different data processing purposes were being accepted in the same clause without express consent for each one could mean a breach of the duty to inform the customer of the purposes of data processing.

Dispute

Are the failure to update the privacy policy and the failure to collect consent for each of the purposes of data processing infringements of Articles 13 GDPR and 7 GDPR respectively?

Holding

To determine the amount of the penalty, the AEPD took into account three criteria in Article 83(2) GDPR: unintentional negligence (paragraph b); the categories of personal data affected by the infringement (paragraph g); and the way in which the AEPD became aware of the infringement, which was reported by the complainant (paragraph h).

Account has also been taken of Article 76 (2) (b) LOPDGDD concerning the link between the activity of the offender and the processing of personal data.

In view of the above, a penalty of € 4000 was set for the infringement of Article 13 GDPR and a warning sanction for the infringement of Article 7 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/8









     Procedure No.: PS / 00247/2020
938-051119
               RESOLUTION OF SANCTIONING PROCEDURE


In the sanctioning procedure PS / 00247/2020, instructed by the Spanish Agency for
Data Protection, before the entity, ORGANIC AND NATUR 03, S.L., with CIF .:
B93484913 (hereinafter, “the claimed entity”), by virtue of the complaint filed
by the COUNCIL OF HEALTH AND FAMILIES OF THE ANDALUSIAN GOVERNMENT
-TERRITORIAL DELEGATION IN *** LOCALIDAD.1, (hereinafter, “the body

claimant ”), and based on the following:

                                  BACKGROUND

FIRST: On 11/28/29, you have an entry in this Agency, complaint filed

by the complaining body in which it indicated, among others, the following:

"In this Consumer Service the corresponding reference file is processed
to the claims filed against the company ORGANlC AND NATUR 03 S.L.
After examining the documentation provided by the claimant, it is verified that in
the sales contract includes the general conditions No. 8 and No. 9, which

may contravene the provisions of articles 5 and 6 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights.
It is an adhesion contract in which the consumer, when he lends his
consent to be bound, accept each and every one of the clauses
predisposed by the professional without the possibility of any negotiation. The

stipulations state:

8.- For knowing the scope and content of Organic Law 15/99 for the protection of
personal data, the buyer gives his informed consent for the
personal data provided under this contract, and those derived from this

relationship can be incorporated into the computerized files or not of ORGANIC
AND NATUR 03 SL. Regardless of the foregoing, the buyer declares to have been
informed and gives your consent so that:

A) Within the credit and equity solvency studies of ORGANIC AND
NATUR 03 SL., Or third parties acting on their behalf or to whom they have assigned the credit

derived from the sale, can carry out the necessary investigations for the
formalization of this contract and scoring procedures may be used.

B) ORGANIC AND NATUR 03 SL, you can send all the information you have for
convenient, provided that it bears reference to the corporate purpose of ORGANIC AND

NATUR 03 SL, for the exercise of the rights recognized by the law of protection of
personal data the buyer must contact ORGANIC AND NATUR 03 SL, in the
registered office indicated on the obverse.

9. - Furthermore, the buyer expressly authorizes ORGANIC AND NATUR 03 SL. to

that you can transfer your personal data to the financial entity to which you transfer this
credit where appropriate, in order to manage it, as well as, to send you
commercial offers from said financial institution that may be of interest to you. Yes
you do not want it or if you wish to access, rectify or cancel your personal data, please
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/8








Address ORGANIC AND NATUR 03 SL at the address listed on the front of this
document.


We believe that it is not possible for all consumers who purchase
products outside the commercial establishment of the company ORGANlC AND NATUR
03 SL. previously know the scope and content of Organic Law 3/2018 ”.
Likewise, it is at all times unlikely that the company's sales representatives, in addition
to expose to those attending the event the characteristics and virtualities of the product that
intend to sell, fully inform them of the obligations of the

company respecting the treatment of personal data in accordance with the
legal regulation contained in the Organic Law. Nor is it credible that a
The average consumer is trained to discern the meaning or the
significance of a scoring procedure. As we consider that
The clauses previously transcribed could be contrary to the provisions of

the Organic Law Organic Law 3/2018 cited, a copy of the contract provided is sent
by the claimant in order for that Agency to carry out the actions that in
Right proceed. Likewise. We are interested in being informed of the result of such
performances ”.

SECOND: In view of the facts set forth in the claim and the documents

provided by the claimant, the Subdirectorate General for Data Inspection proceeded
to carry out actions for its clarification, under the powers of
investigation granted to the control authorities in article 57.1 of the Regulation
(EU) 2016/679 (RGPD). Thus, dated 01/20/20 and 07/24/20, requirements are addressed
informative to the claimed entity.


According to the certificate of the Electronic Notifications and Electronic Address Service
Enabled, the request sent to the claimed entity on 01/20/20, through the
NOTIFIC @ service, was accepted at destination on 01/31/20.


According to the certificate of the Electronic Notifications and Electronic Address Service
Enabled, the request sent to the claimed entity on 07/24/20, through the
NOTIFIC @ service, was rejected on 08/04/20.

THIRD: on 09/09/20, the Director of the Spanish Agency for the Protection of
Data agreed to initiate a sanctioning procedure against the claimed entity, for infringement

of articles 13) of the RGPD, punishable in accordance with the provisions of art. 83 of the
aforementioned rule, by not having its personal data treatment policy adapted to the
new regulations in force and article 7) of the RGPD, by not collecting, in a
individualized, the consent of the client, for the treatment of their data
personal, when its purpose is different from that pursued in the execution of the contract.


FOURTH: On 09/20/20, the entity was notified of the initiation of the file
claimed, which has not submitted to this Agency, any writing or allegation,
within the period granted for this purpose.


                                PROVEN FACTS

1º.- In article 8 of the “General Conditions”, of the adhesion contract between the
claimed entity and the user, it is verified that it continues to do so

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/8








reference to the repealed Organic Law 15/1999, of December 13, on the Protection of
Personal data.


2º.- Regarding the consent given by the user, which is referred to in the
Article 9 of the "General Conditions", of the adhesion contract between the entity
claimed and the user, it states that: "In addition, the buyer authorizes
expressly ORGANIC AND NATUR 03 SL. to which you can transfer your data
personal data to the financial entity to which this credit is assigned, if applicable,
purpose of managing the same, as well as, to send you commercial offers of said

financial entity that may be of interest to you (…) ”.

                            FOUNDATIONS OF LAW

                                            I

The Director of the Spanish Agency is competent to resolve this procedure
of Data Protection, in accordance with the provisions of art. 58.2 of the GDPR in
the art. 47 of LOPDGDD.
                                            II
Regarding article 8 of the "General Conditions", of the adhesion contract between
the claimed entity and the user, it is verified that the same is still done

reference to the repealed Organic Law 15/1999, of December 13, on the Protection of
Personal data.

According to article 99 of the RGPD, the entry into force and application of the new RGPD was,
"Twenty days after its publication in the Official Journal of the European Union (05/25/16)"

and it would be applicable as of May 25, 2018 ”. Therefore, as of 05/25/18,
the LO was repealed. 15/1999, (LOPD), applying obligatorily, from that date
date, the current RGPD and as of 12/07/18 the new LOPDGDD.

For its part, article 13 of the RGPD establishes the information that must be

provide the interested party at the time of collection of their personal data.
Information that does not appear in the "privacy policy" of the website at
question.

Therefore, the known facts are constitutive of an infraction, attributable to the
claimed, for violation of article 13 of the RGPD, which establishes the information that

must be provided to the interested party at the time of collection of their data
personal.

For its part, article 72.1.h) of the LOPDGDD, considers very serious, for the purposes of
prescription, “the omission of the duty to inform the affected party about the treatment of

your personal data in accordance with the provisions of articles 13 and 14 of the RGPD "

This offense can be sanctioned with a fine of € 20,000,000 maximum or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the

of greater amount, in accordance with article 83.5.b) of the RGPD.




C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/8








In accordance with the indicated precepts and for the purpose of setting the amount of the penalty to
impose in the present case, it is considered that the sanction to be imposed should be adjusted
in accordance with the following criteria established in article 83.2 of the RGPD:


    - The intentionality or negligence in the infraction. In the present case we are
        in the event of unintentional negligent action, (section b).

    - The categories of personal data affected by the infringement.
        (section g).


    - The way in which the supervisory authority learned of the infringement. The
        The way in which this AEPD has learned has been by filing
        the complaint by the complaining body, (section h).


In accordance with the indicated precepts and for the purpose of setting the amount of the penalty to
impose in the present case, it is considered that the sanction to be imposed should be adjusted
in accordance with the following criteria established in article 76.2 of the LOPDGDD:

    - The linking of the offender's activity with the performance of treatment of
        personal data, (section b).


The balance of the circumstances contemplated in article 83.2 of the RGPD, with
Regarding the offense committed by violating the provisions of Article 13 of the
RGPD, allows setting a penalty of 4,000 euros, (four thousand euros).


                                              III
Regarding the consent given by the user, which is referred to in the
Article 9 of the "General Conditions", of the adhesion contract between the entity
claimed and the user, it states that: "In addition, the buyer authorizes
expressly ORGANIC AND NATUR 03 SL. to which you can transfer your data

personal data to the financial entity to which this credit is assigned, if applicable,
purpose of managing the same, as well as, to send you commercial offers of said
financial entity that may be of interest to you (…) ”.

Well, article 6.1. of the RGPD, establishes that the treatment will only be lawful if
meets at least one of the conditions indicated therein, including

finds, in its section b), if the treatment is “necessary for the execution of a
contract in which the interested party is a party or for the application at his request of
pre-contractual measures ”, in which case, the sending of communications that keep
intimate relationship with the end of the signed contract, would be ruled by this precept.


However, for any other type of communication with the client, as in this
case, to "send you commercial offers from the entity (...)", without specifying a
specific purpose, and where, therefore, any type of commercial communication would fit
whether or not related to the ultimate purpose of the signed contract, the
provided in section a) of article 6.1 of the RGPD, where it is specified that, “the

Treatment will only be lawful if the interested party gave their consent for the treatment
of your personal data for one or more specific purposes ”.



C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/8








For its part, article 7 of the RGPD establishes, on consent, that: “1.
When the treatment is based on the consent of the interested party, the person in charge
must be able to demonstrate that he consented to the processing of his data

personal. 2. If the consent of the interested party is given in the context of a
written statement that also refers to other matters, the request for
Consent will be presented in such a way that it is clearly distinguishable from others
matters, in an intelligible and easily accessible way and using clear and simple language.
Any part of the declaration that constitutes an infringement of the
these Regulations. 3. The interested party will have the right to withdraw their consent in

any moment. The withdrawal of consent will not affect the legality of the
treatment based on consent prior to withdrawal. Before giving your
consent, the interested party will be informed of it. It will be so easy to remove the
consent how to give it. 4. When evaluating whether consent has been freely given,
account shall be taken to the greatest extent possible of whether, among other things, the

performance of a contract, including the provision of a service, is subject to the
consent to the processing of personal data that are not necessary for the
execution of said contract ”.

In relation to these two cited articles, the recital should be taken into account
(32) of the RGPD, as it indicates that: “Consent must be given through an act

clear affirmative that reflects a manifestation of free will, specific, informed,
and unequivocal of the interested party to accept the processing of personal data
that concern you ... Therefore, silence, already ticked boxes or inaction does not
they must constitute consent. Consent must be given for all
processing activities carried out for the same or the same purposes. When the

treatment has several purposes, consent must be given for all of them ... "

Likewise, article 6.2 of the LOPDGDD establishes, on the treatment based on
the consent of the affected party, that: “When it is intended to establish the treatment of
data in the consent of the affected person for a plurality of purposes will be

It must be specifically and unequivocally stated that said consent is
grants for all of them ”.

Well, in accordance with everything previously expressed, the data processing
requires the existence of a legal basis that legitimizes it, as in this case, if it is
necessary for the execution of a contract in which the interested party is a party, in which

case the sending of correspondence, including commercial, that was linked to the
execution of the contract would be subject to this precept. Not so, when sending
commercial correspondence does not have the same purpose as that included in the contract,
in which case, the valid consent of the interested party is necessary.


This consent must be given for each of the purposes outside the contract
signed by the client. Therefore, a generic acceptance is not valid, such as “sending
of commercial correspondence of the entity ”, without giving the option to give consent
individualized for each of them and above all, if they are unrelated to the purpose of the
contract.


Thus, the known facts could constitute an infraction,
attributable to the defendant, for violation of article 7 of the aforementioned RGPD, to


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/8








carry out the collection of consent through a generic action for all
purposes of data processing.


For its part, article 72.1.c) of the LOPDGDD, considers very serious, for the purposes of
prescription, "Failure to comply with the requirements of article 7 of the RGPD".

This offense can be sanctioned with a fine of € 20,000,000 maximum or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for the

of greater amount, in accordance with article 83.5.b) of the RGPD.

However, Article 58.2) of the RGPD provides that: “Each control authority
have all of the following corrective powers listed below: b)
sanction any person responsible or in charge of the treatment with warning when

the treatment operations have infringed the provisions of this
Regulation; (…); i) impose an administrative fine in accordance with article 83,
in addition to or instead of the measures mentioned in this section, depending on the
circumstances of each particular case, therefore, the sanction that could
Corresponding would be a warning, without prejudice to what results from the instruction
of this file, since in this case, it has not been verified that the entity

claimed has sent commercial correspondence unrelated to the ultimate purpose of
the conditions of the contract.

Based on these criteria, it is considered appropriate to impose a sanction on the defendant
of "APERCIBIMIENTO", for the violation of article 7 of the RGPD.


Therefore, based on the foregoing, by the Director of the Agency
Spanish Data Protection,
                                       RESOLVES


FIRST: IMPOSE the entity, the entity ORGANIC AND NATUR 03, S.L., with
CIF .: B93484913, two sanctions, regarding the privacy policy and collection of
consent, consisting of:

    - 4,000 euros (four thousand euros), for the violation of article 13) of the RGPD,
        regarding its policy of treatment of the personal data of the clients.


    - Warning, for the violation of article 7) of the RGPD, regarding the
        collection of clients' consent for the processing of their data
        personal.


SECOND: REQUEST the entity ORGANIC AND NATUR 03, S.L. so that, in the
within a month from this act of notification, proceed to:

    - Take the necessary measures to adapt its policy on the treatment of
        personal data, as stipulated in article 13 of the RGPD, adapting it to the

        new regulations in force.

    - Take the necessary measures to obtain the client's consent to
        the processing of your personal data.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/8









THIRD: NOTIFY this resolution to the entity ORGANIC AND NATUR
03, S.L, and the claimant on the result of the claim.


Warn the sanctioned person that the sanction imposed must be effective once
this resolution is enforceable, in accordance with the provisions of article 98.1.b)
of Law 39/2015, of October 1, on the Common Administrative Procedure of the
Public Administrations (LPACAP), within the voluntary payment period indicated in the
Article 68 of the General Collection Regulations, approved by Royal Decree

939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17
December, by entering the restricted account number ES00 0000 0000 0000 0000
0000, opened in the name of the Spanish Agency for Data Protection in the Bank
CAIXABANK, S.A. or otherwise, it will be collected in a period
executive.


Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

In accordance with the provisions of article 82 of Law 62/2003, of 30
December, of fiscal, administrative and social order measures, the present
Resolution will be made public, once it has been notified to the interested parties. The
Publication will be made in accordance with the provisions of Instruction 1/2004, of 22
December, of the Spanish Agency for Data Protection on the publication of its

Resolutions.

Against this resolution, which puts an end to administrative proceedings, and in accordance with
established in articles 112 and 123 of the LPACAP, the interested parties may
file, optionally, an appeal for reconsideration before the Director of the Agency

Spanish Data Protection Agency within a month from the day
following notification of this resolution, or directly contentious appeal
administrative before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and paragraph 5 of the provision
Additional fourth of Law 29/1998, of 07/13, regulating the Jurisdiction
Contentious-administrative, within a period of two months from the next day

upon notification of this act, as provided in article 46.1 of the aforementioned text
legal.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/],
or through any of the other records provided for in art. 16.4 of the aforementioned Law

39/2015, of October 1. You must also forward the documentation to the Agency
that certifies the effective filing of the contentious-administrative appeal. If the
Agency was not aware of the filing of the contentious appeal-


C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/8










administrative within a period of two months from the day following notification of the

This resolution would terminate the precautionary suspension.

Mar Spain Martí

Director of the Spanish Agency for Data Protection.
































































C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es