AEPD - PS/00273/2020
|AEPD - PS/00273/2020|
|Relevant Law:||Article 17 GDPR|
Article 21, Ley 34/2002, de Servicios de la Sociedad ed la Información y Comercio Electrónico
|National Case Number/Name:||PS/00273/2020|
|European Case Law Identifier:||n/a|
|Original Source:||AEPD (in ES)|
The Spanish DPA (AEPD) imposed a €1000 fine on a beauty salon for breaching Article 17 GDPR and Article 21 LSSI. The salon sent a marketing SMS to a client months after confirming that they had deleted the client's personal data.
English Summary[edit | edit source]
Facts[edit | edit source]
A client of a beauty salon sent a request for her data to be deleted. The salon confirmed a month later that the data had been successfully deleted. However, 6 months later the claimant received an SMS from the salon again and therefore lodged a complaint before the Spanish DPA (AEPD).
Dispute[edit | edit source]
Is sending a marketing SMS after having confirmed that the data subject's data had been erased a breach of Article 17 GDPR and Article 21 LSSI?
Holding[edit | edit source]
The Spanish DPA held that apart from data protection obligations, the Spanish Law on Information Society and Electronic Commerce (LSSI), clearly states the obligation of the controller to delete or cancel the data of the user upon their request. In this case, the Spanish DPA held that there was no due diligence from the salon to ensure the actual deletion or cancellation of the personal data and therefore the DPA fined the salon with €1000.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/5 Procedure Nº: PS / 00273/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated May 8, 2020 filed a claim with the Spanish Agency for Data Protection. The claim is directed against B.B.B. with NIF *** NIF.1 (hereinafter, the claimed one). The reasons on which the claim is based are that after requesting on September 23, 2019 to the claimed to delete their personal data, confirm through burofax dated October 23, 2019 that have proceeded to cancel them, the May 8, 2020 receives on his mobile phone an SMS from the claimed person offering him his services after proceeding to the opening of its facilities after the closure caused by the health crisis of COVID-19. For this reason, the claimant understands that their data has not been deleted. It provides a screenshot of the received SMS, as well as the request to delete data and the response by agreeing to the cancellation of such data. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), with reference number E / 03900/2020, a transfer of said claim to the defendant, on June 22, 2020, to proceed with its analysis and inform this Agency within a month, of the actions taken carried out to comply with the requirements provided in the data protection regulations. THIRD: On September 16, 2020, the Director of the Spanish Agency of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI. FOURTH: Once the aforementioned Initiation Agreement was notified, the defendant presented allegations on October 20, 2020, in which it stated that the complainant was a client of the Beauty, in which certain aesthetic treatments were performed, and that, once they were concluded, your data was deleted at your request personal, but that after the closure of the aesthetic center motivated by the crisis health of COVID 19, were remitted or all the clients that were already open the same for the continuation of the treatments, remitting or these effects a message via sms or their mobile phones, also sending the corresponding message to the claimant considering that it was a different client. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/5 FIFTH: On November 5, 2020, the instructor of the procedure agreed to the opening of a period of practical tests, taking as incorporated the preliminary investigation actions, E / 03900/2020, as well as the documents provided by the claimed. SIXTH: On November 6, 2020, a resolution proposal was formulated, proposing that B.B.B. with NIF *** NIF.1, with a fine of € 1,000 (thousand euros) for the violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI. SEVENTH: On November 25, 2020, the respondent presented allegations to the resolution proposal, reiterating the allegations made on October 20, 2020. In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, ACTS FIRST: On May 8, 2020, the claimant receives an SMS from the claimed by offering their services, despite having requested on September 23, 2019 to delete your personal data, and have confirmed you through burofax dated October 23, 2019 that they had been canceled. SECOND: The defendant acknowledges that he sent an SMS to the claimant by offering its services after proceeding to the opening of its facilities after the closure caused for the COVID-19 health crisis, claiming that he thought he was a different customer than the claimant because the phone number was on a file of a client with a different name although the same surnames as the claimant. FOUNDATIONS OF LAW I In accordance with the provisions of article 43.1, second paragraph, of the Law 34/2002, of July 11, on Services of the Information Society and Commerce Electronic (hereinafter referred to as LSSI) is competent to initiate and resolve this Sanctioning Procedure the Director of the Spanish Agency for the Protection of Data. II The facts presented, consisting of the sending of a commercial communication, are constituting an infringement, by the defendant to the provisions of article 21 of the current Law 34/2002, of July 11, on Services of the Society of the Information and Electronic Commerce (hereinafter LSSI), which provides the following: "one. The sending of advertising or promotional communications by email or other equivalent electronic means of communication that had not previously been requested or expressly authorized by the recipients of the same. 2. The provisions of the preceding section shall not apply when there is a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/5 previous contractual relationship, provided that the provider had obtained lawfully the recipient's contact details and will use them to send communications commercial related to products or services of your own company that are similar to those that were initially contracted with the client. In any case, the provider must offer the recipient the possibility of opposing the processing of your data for promotional purposes using a simple procedure and free of charge, both at the time of data collection and at each of the commercial communications that you direct. When the communications have been sent by email, said means must necessarily consist of the inclusion of an email address email or other valid email address where this right can be exercised, being forbidden the sending of communications that do not include said address. " The aforementioned offense is classified as minor in article 38.4.d) of the LSSI, which qualifies as such “Sending commercial communications by email or another equivalent electronic means of communication when such shipments do not meet the requirements established in article 21 and does not constitute a serious offense ”. In the present case, the violation of article 21 of the LSSI that is attributed to the claimed must be classified as a minor offense, considering the number of commercial messages sent to the claimant. In accordance with the provisions of article 39.1.c) of the LSSI, minor infractions may be sanctioned with a fine of up to € 30,000, establishing the criteria for its graduation in article 40 of the same norm, whose literal tenor is the following: "Article 40. Grading of the amount of sanctions. The amount of the fines imposed will be graduated according to the following criteria: a) The existence of intentionality. b) Period of time during which the offense has been committed. c) The recidivism by commission of infractions of the same nature, when thus has been declared by final resolution. d) The nature and amount of the damages caused. e) The benefits obtained by the infringement. f) Billing volume affected by the infringement committed. g) Adherence to a code of conduct or an advertising self-regulation system applicable with respect to the offense committed, that complies with the provisions of article 18 or in the eighth final provision and that has been favorably informed by the competent body or bodies. " III In relation to the criteria for graduation of sanctions contained in the transcript Article 40 of the LSSI, with the evidence available, it is considered that in This assumption aggravates criterion a) of the aforementioned article, since there has been a lack of diligence on the part of the respondent when using the e-mail address of the claimant to send him a communication commercial after confirming that your request for deletion of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/5 personal data, since a special knowledge of the requirements contained in article 21 of the LSSI as it is an entity accustomed to sending this type of message in the development of its activity. IV In the present case, it has been proven that despite the request for deletion exercised by the claimant on September 23, 2019, and having confirmed by means of a burofax dated October 23, 2019 that had proceeded to give download your data, the claimed entity kept your phone number, and used it to offer their services on May 8, 2020 by SMS sent to the mobile phone of the claimant. In its defense, the claimed entity alleges that the telephone number appears in a file of a client with the same surnames as the claimant, which confirms that not all the personal data of the claimant was removed. In accordance with which, it is considered appropriate to the seriousness of the facts analyzed impose on the entity B.B.B., a penalty of 1,000 euros. Therefore, in accordance with the applicable legislation and the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: TO IMPOSE B.B.B., with NIF *** NIF.1, for a violation of article 21 of the LSSI, typified in article 38.4.d) of the LSSI, a fine of 1,000 euros (one thousand euros). SECOND: NOTIFY this resolution to B.B.B .. THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency Spanish Data Protection in the bank CAIXABANK, S.A .. In case Otherwise, it will be collected in the executive period. Notification received and once executive, if the execution date is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th day of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term It will be until the 5th of the second following or immediate business month. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/5 In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es