AEPD - PS/00249/2020

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(b) GDPR
Article 83(5)(a) GDPR
72 (1) (a) LOPDGDD
Type: Investigation
Outcome: Violation Found
Decided: 24.10.2020
Published: 24.10.2020
Fine: 1800 EUR
Parties: n/a
National Case Number/Name: PS/00249/2020
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Francesc Julve Falcó

The Spanish DPA (AEPD) maintains that a company cannot process personal and health data for commercial purposes without the prior consent of the data subject, as this infringes Article 5(1)(b) GDPR.

English Summary

Facts

The complainant used the services of the defendant to download weekly menus. Days later, the complainant discovered that the company had used her personal data (full name and profile picture) and information about her cholesterol tests and her heart disease (hypothyroidism) to advertise its products, without her prior consent.

The Spanish DPA tried to contact the company in question but received no response, so the sanctioning procedure was initiated.

Dispute

Is the processing of personal and health data for commercial purposes without prior consent a breach of Article 5(1)(b) GDPR?

Holding

The Spanish DPA decided to impose a fine of € 3000 on the company in question for breach of data processing duties, as the complainant had not given their consent for their personal data or data on their state of health to be used for advertising purposes.

In this case, the aggravating factors applied are that it is an unintentional but significant negligent action (Article 83(2)(b) GDPR) and that basic identifiers such as name, surname, and address are affected (Article 83(2)(g) GDPR), including also health data, when reporting the claimant's cholesterol tests, and their illness (hypothyroidism).

Comment

The sanctioned company made use of the following penalty reductions: recognition of its responsibility (20%) and voluntary and advance payment (20%). The penalty was therefore reduced from € 3000 to € 1800.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure No.: PS/00249/2020
In the sanctioning procedure PS/00249/2020, conducted by the Spanish Data Protection Agency against VENU SANZ CHEF, S.L., in view of the complaint presented by A.A.A., and based on the following,
FIRST: On 3 September 2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against VENU SANZ CHEF, S.L. (hereinafter, the claimed), by means of the Agreement which is hereby transcribed:
Procedure No.: PS/00249/2020
From the actions carried out by the Spanish Data Protection Agency and based on the following
FIRST: A.A.A. (hereinafter, the complainant) filed a complaint with the Spanish Data Protection Agency on 21 January 2020. The claim is directed against VENU SANZ CHEF, S.L. with NIF B54984752 (hereinafter, the claimed).
The grounds on which the complaint is based are that the complainant contracted the services of the claimed to download weekly menus, discovering days later that this company had used their personal data (full name and profile photo) and information about their cholesterol tests and their hypothyroidism to advertise its products, without their prior consent.
SECOND: In view of the facts denounced, on 3 March 2020 the present complaint was transferred to the claimed by Notification and, on the expiry of the deadline given without this document having been accessed, it was reiterated by post on 10 March 2020, being returned for "absence from distribution", despite having been sent to the postal address indicated in the privacy policy of the claimed responsible for the processing.
THIRD: On 4 April 2020, notification is given of the resolution by which the Director of the
Spanish Data Protection Agency, agrees to admit this
By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and as established in Articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.
Article 6.1 of the GDPR establishes the cases in which the processing of personal data is considered lawful.
For its part, Article 5 of the GDPR establishes that personal data will be
"(a) processed in a lawful, fair and transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
(b) collected for specified, explicit and legitimate purposes and not processed subsequently in a manner incompatible with those purposes; in accordance with Article 89, paragraph 1, the further processing of personal data for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes will not be considered incompatible with the initial purposes ("purpose limitation");
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
(d) accurate and, where necessary, updated; all measures shall be taken to delete or rectify without delay personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy");
(e) maintained in such a way as to permit identification of the data subjects for no longer than is necessary for the purposes of processing the personal data; personal data may be kept for longer periods provided that they are processed exclusively for archiving purposes in the public interest, for scientific or historical research or statistical purposes, in accordance with Article 89(1), subject to the implementation of the appropriate technical and organisational measures required by this Regulation to protect the rights and freedoms of the data subject ("limitation of the retention period");
(f) processed in such a way as to ensure appropriate security for the personal data, including protection against unauthorised or unlawful processing and against their accidental loss, destruction or damage, by implementing appropriate technical or organisational measures ("integrity and confidentiality").
The controller shall be responsible for compliance with the provisions of paragraph 1 and be capable of demonstrating it ("proactive responsibility")."
Likewise, Article 32 of the LOPDGDD regulates the blocking of data, establishing the following:
"1. The data controller shall be obliged to block the data when proceeding to their rectification or deletion.
2. The blocking of the data consists of the identification and reservation of the data,
adopting technical and organisational measures, to prevent their processing, including
its display, except for making the data available to judges and
courts, the Public Prosecutor's Office or the competent public authorities, in
data protection authorities in particular, in order to require possible
responsibilities arising from the treatment and only for the duration of the
themselves. After this period, the data must be destroyed.
3. Blocked data may not be processed for any other purpose
of that indicated in the previous section.
4. When in order to comply with this obligation, the configuration of the
information system does not allow blocking or an adaptation is required that
involves a disproportionate effort, a safe copy of the
information in such a way that there is digital or other evidence to enable
prove the authenticity of the same, the date of the blocking and the non
data during it.
5. The Spanish Data Protection Agency and the regional authorities, within the scope of their respective competences, may derogate from the blocking obligation laid down in this Article, in
cases in which, given the nature of the data or the fact that they relate to
a particularly high number of people affected, their mere preservation, even
blocked, could generate a high risk for the rights of those concerned,
as well as in cases where the retention of blocked data
could involve a disproportionate cost for the controller".
In the present case, the personal data of the complainant have been disclosed,
making them accessible to third parties without their consent.
Therefore, in accordance with the evidence available at the present time, and without prejudice to the outcome of the investigation, it is considered that, from the facts denounced, it is clear that Article 5.1 b) of the GDPR has been violated, governing the principle of purpose limitation, according to which personal data
will be collected for specific, explicit and legitimate purposes and will not be treated
and the responsibility of the Member States for the implementation of the
The proactive nature of the data controller's actions is such that compliance with them can be demonstrated.
Article 72.1.a) of the LOPDGDD states that "in accordance with the provisions of Article 83(5) of Regulation (EU) 2016/679, infringements involving a substantial breach of the articles mentioned therein are considered very serious and will be subject to a three-year limitation period, in particular the following:
a) The processing of personal data in violation of the principles and guarantees set out in Article 5 of Regulation (EU) 2016/679".
Article 58(2) of the GDPR provides: "Each supervisory authority shall have all of the following corrective powers:
(b) to sanction any controller or processor with a warning where processing operations have infringed the provisions of this Regulation;
(d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
(i) to impose an administrative fine in accordance with Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;"
This infringement is punishable by a fine of up to
or, in the case of an enterprise, an amount equivalent to a maximum of 4% of the
total annual turnover for the previous financial year, opting for the
in accordance with article 83.5 of the GDPR.
Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established in article 83.2 of the GDPR:
The following are aggravating factors:
In the present case we are dealing with unintentional but significant negligent action (Article 83.2 b)).
Basic personal identifiers (name, surname, address) are affected, according to Article 83.2 g), including also health data, when reporting on the claimant's cholesterol tests and their cholesterol disease.
Therefore, in the light of the above, by the Director of the Spanish Data Protection Agency,
FIRST: Initiate disciplinary proceedings against VENU SANZ CHEF, S.L., with NIF B54984752, for the presumed infringement of article 5.1 b) of the GDPR, typified in Article 83.5 a) of the GDPR, in relation to Article 72.1 a) of the LOPDGDD.
SECOND: ORDER VENU SANZ CHEF, S.L., with NIF B54984752, in accordance with the provisions of Article 58.2(d) of the GDPR, to bring its processing operations into compliance with the provisions of the GDPR.
THIRD: To appoint as instructor INSTRUCTOR.1 and, as secretary
SECRETARY.1, indicating that any of them may be challenged, if appropriate,
in accordance with the provisions of Articles 23 and 24 of Law 40/2015 of 1 October,
of the Public Sector Legal System (LRJSP).
FOURTH: TO INCORPORATE into the sanctioning file, for evidential purposes, the
claim by the claimant and his documentation, the documents
obtained and generated by the Subdirectorate General for Data Inspection during the
investigation phase, as well as the report of previous Inspection actions.
FIFTH: THAT for the purposes set forth in Article 64.2 b) of Law 39/2015, of 1 October, of the Common Administrative Procedure for Public Administrations, any penalty would be 3,000 euros (three thousand euros), without prejudice to what results from the instruction.
SIXTH: TO NOTIFY the present agreement to VENU SANZ CHEF, S.L., with NIF B54984752, giving it a period of ten working days to present the allegations and submit the evidence it deems appropriate. In its brief of allegations it must provide its VAT number and the procedure number in the heading of this document.
If it does not make representations to this initiating agreement within the stipulated time, the agreement may be considered as a proposed resolution, as set out in Article 64.2.f) of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (LPACAP).
In accordance with Article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, the claimed may acknowledge its responsibility within the time allowed for the submission of representations on this initiating agreement, which will be accompanied by a 20% reduction in the penalty to be imposed in the present procedure. With the application of this reduction, the penalty would be set at 2,400 euros, with the procedure being resolved by the imposition of this penalty.
Similarly, at any time prior to the resolution of the present procedure, it may carry out the voluntary payment of the proposed penalty, which will lead to a 20% reduction in its amount. With the implementation of this reduction, the penalty would be set at 2,400 euros and its payment would involve termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the one to be applied for the recognition of responsibility, provided that this recognition of responsibility is shown within the time limit granted to make representations on the opening of the procedure. The payment of the amount referred to in the previous paragraph may be made at any moment before the resolution. In this case, if it is appropriate to apply both reductions, the amount of the penalty would be set at EUR 1 800.
In any case, the effectiveness of either of the two above-mentioned reductions shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
If it chooses to proceed with the voluntary payment of either of the amounts indicated above (2,400 euros or 1,800 euros), it must be paid by depositing it in account nº ES00 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction in the amount to which
It must also send proof of payment to the Subdirectorate General of Inspection to continue the procedure in accordance with the quantity
The procedure will last a maximum of nine months from
the date of the agreement to initiate or, where appropriate, the draft agreement to initiate
Once this period has elapsed, it will expire and, consequently, the
actions; in accordance with the provisions of Article 64 of the LOPDGDD
Finally, it should be noted that in accordance with the provisions of Article 112.1 of the
LPACAP, there is no administrative remedy against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
SECOND: On 22 September 2020, the claimed paid the penalty in the amount of EUR 1800, making use of the two reductions provided for in the Agreement transcribed above, which implies the recognition of responsibility.
THIRD: The payment made, within the period granted to make representations on the opening of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiating Agreement.
By virtue of the powers conferred on each supervisory authority by Article 58(2) of the GDPR, and in accordance with Article 47 of Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to penalise infringements committed against that Regulation; infringements of Article 48 of Law 9/2014 of 9 May, General Telecommunications Law (hereinafter LGT), in accordance with Article 84.3 of the LGT; and the offences defined in Articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of 11 July, on information society services and electronic commerce (hereinafter LSSI), as provided for in Article 43.1 of that Act.
Article 85 of Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading "Termination in sanctioning proceedings", provides the following:
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be terminated with the imposition of the appropriate penalty.
2. When the sanction is solely of a pecuniary nature, or when it is appropriate to impose a pecuniary penalty and a non-pecuniary penalty but the unsuitability of the second has been justified, voluntary payment by the alleged perpetrator, at any time before the resolution, will imply the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is solely of a pecuniary nature, the body competent to decide on the procedure shall apply reductions of at least 20% of the amount of the proposed penalty, which may be cumulated with each other. These reductions must be determined in the notification of initiation of the procedure and their effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal in administrative proceedings against the sanction.
The percentage of reduction provided for in this paragraph may be increased by regulation."
In accordance with the above,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure PS/00249/2020, in accordance with Article 85 of the LPACAP.
SECOND: TO NOTIFY this resolution to VENU SANZ CHEF, S.L.
In accordance with the provisions of Article 50 of the LOPDGDD, this decision will be made public after it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as provided for by Article 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, the interested parties may lodge a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46(1) of the aforementioned Law.
Mar España Martí
Director of the Spanish Data Protection Agency