AEPD - PS/00273/2020

From GDPRhub
AEPD - PS/00273/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Article 21, Ley 34/2002, de Servicios de la Sociedad ed la Información y Comercio Electrónico
Type: Complaint
Outcome: Upheld
Decided: 14.01.2021
Fine: 1000 EUR
Parties: n/a
National Case Number/Name: PS/00273/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) imposed a €1000 fine on a beauty salon for breaching Article 17 GDPR and Article 21 LSSI. The salon sent a marketing SMS to a client months after confirming that they had deleted the client's personal data.

English Summary[edit | edit source]

Facts[edit | edit source]

A client of a beauty salon sent a request for her data to be deleted. The salon confirmed a month later that the data had been successfully deleted. However, 6 months later the claimant received an SMS from the salon again and therefore lodged a complaint before the Spanish DPA (AEPD).

Dispute[edit | edit source]

Is sending a marketing SMS after having confirmed that the data subject's data had been erased a breach of Article 17 GDPR and Article 21 LSSI?

Holding[edit | edit source]

The Spanish DPA held that apart from data protection obligations, the Spanish Law on Information Society and Electronic Commerce (LSSI), clearly states the obligation of the controller to delete or cancel the data of the user upon their request. In this case, the Spanish DPA held that there was no due diligence from the salon to ensure the actual deletion or cancellation of the personal data and therefore the DPA fined the salon with €1000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


     Procedure Nº: PS / 00273/2020


Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


FIRST: A.A.A. (hereinafter, the claimant) dated May 8, 2020
filed a claim with the Spanish Agency for Data Protection. The
claim is directed against B.B.B. with NIF *** NIF.1 (hereinafter, the claimed one).

The reasons on which the claim is based are that after requesting on September 23,
2019 to the claimed to delete their personal data, confirm through burofax
dated October 23, 2019 that have proceeded to cancel them, the
May 8, 2020 receives on his mobile phone an SMS from the claimed person offering him his

services after proceeding to the opening of its facilities after the closure caused by
the health crisis of COVID-19.

For this reason, the claimant understands that their data has not been deleted.

It provides a screenshot of the received SMS, as well as the request to delete
data and the response by agreeing to the cancellation of such data.

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), with reference number E / 03900/2020, a transfer of

said claim to the defendant, on June 22, 2020, to proceed with its
analysis and inform this Agency within a month, of the actions taken
carried out to comply with the requirements provided in the data protection regulations.

THIRD: On September 16, 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate a sanctioning procedure to the claimed, by the
alleged violation of article 21 of the LSSI, typified in article 38.4.d) of the

FOURTH: Once the aforementioned Initiation Agreement was notified, the defendant presented allegations on

October 20, 2020, in which it stated that the complainant was a client of the
Beauty, in which certain aesthetic treatments were performed, and
that, once they were concluded, your data was deleted at your request
personal, but that after the closure of the aesthetic center motivated by the crisis
health of COVID 19, were remitted or all the clients that were already open
the same for the continuation of the treatments, remitting or these effects a

message via sms or their mobile phones, also sending the corresponding
message to the claimant considering that it was a different client.

C / Jorge Juan, 6
28001 - Madrid 2/5

FIFTH: On November 5, 2020, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 03900/2020, as well as the documents

provided by the claimed.

SIXTH: On November 6, 2020, a resolution proposal was formulated,
proposing that B.B.B. with NIF *** NIF.1, with a fine of € 1,000 (thousand
euros) for the violation of article 21 of the LSSI, typified in article 38.4.d) of the

SEVENTH: On November 25, 2020, the respondent presented allegations to
the resolution proposal, reiterating the allegations made on October 20,

In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,


FIRST: On May 8, 2020, the claimant receives an SMS from the

claimed by offering their services, despite having requested on September 23,
2019 to delete your personal data, and have confirmed you through burofax
dated October 23, 2019 that they had been canceled.

SECOND: The defendant acknowledges that he sent an SMS to the claimant by offering

its services after proceeding to the opening of its facilities after the closure caused
for the COVID-19 health crisis, claiming that he thought he was a different customer than
the claimant because the phone number was on a file of a client with
a different name although the same surnames as the claimant.

                           FOUNDATIONS OF LAW

In accordance with the provisions of article 43.1, second paragraph, of the Law
34/2002, of July 11, on Services of the Information Society and Commerce
Electronic (hereinafter referred to as LSSI) is competent to initiate and resolve this

Sanctioning Procedure the Director of the Spanish Agency for the Protection of


The facts presented, consisting of the sending of a commercial communication, are
constituting an infringement, by the defendant to the provisions of article 21
of the current Law 34/2002, of July 11, on Services of the Society of the
Information and Electronic Commerce (hereinafter LSSI), which provides the following:

"one. The sending of advertising or promotional communications by
email or other equivalent electronic means of communication that

had not previously been requested or expressly authorized by the
recipients of the same.
2. The provisions of the preceding section shall not apply when there is a

C / Jorge Juan, 6
28001 - Madrid 3/5

previous contractual relationship, provided that the provider had obtained lawfully
the recipient's contact details and will use them to send communications
commercial related to products or services of your own company that are

similar to those that were initially contracted with the client.
In any case, the provider must offer the recipient the possibility of opposing the
processing of your data for promotional purposes using a simple procedure

and free of charge, both at the time of data collection and at each of the
commercial communications that you direct.

When the communications have been sent by email, said
means must necessarily consist of the inclusion of an email address
email or other valid email address where this right can be exercised,
being forbidden the sending of communications that do not include said address. "

The aforementioned offense is classified as minor in article 38.4.d) of the LSSI,
which qualifies as such “Sending commercial communications by email or
another equivalent electronic means of communication when such shipments do not
meet the requirements established in article 21 and does not constitute a serious offense ”.

In the present case, the violation of article 21 of the LSSI that is attributed to the
claimed must be classified as a minor offense, considering the number of

commercial messages sent to the claimant.
In accordance with the provisions of article 39.1.c) of the LSSI, minor infractions may
be sanctioned with a fine of up to € 30,000, establishing the criteria for its

graduation in article 40 of the same norm, whose literal tenor is the following:
"Article 40. Grading of the amount of sanctions.

The amount of the fines imposed will be graduated according to the following

a) The existence of intentionality.

b) Period of time during which the offense has been committed.

c) The recidivism by commission of infractions of the same nature, when thus
has been declared by final resolution.

d) The nature and amount of the damages caused.
e) The benefits obtained by the infringement.

f) Billing volume affected by the infringement committed.

g) Adherence to a code of conduct or an advertising self-regulation system
applicable with respect to the offense committed, that complies with the provisions of article
18 or in the eighth final provision and that has been favorably informed by the
competent body or bodies. "


In relation to the criteria for graduation of sanctions contained in the transcript
Article 40 of the LSSI, with the evidence available, it is considered that in
This assumption aggravates criterion a) of the aforementioned article, since
there has been a lack of diligence on the part of the respondent when using the

e-mail address of the claimant to send him a communication
commercial after confirming that your request for deletion of
C / Jorge Juan, 6
28001 - Madrid 4/5

personal data, since a special knowledge of the
requirements contained in article 21 of the LSSI as it is an entity accustomed to
sending this type of message in the development of its activity.


In the present case, it has been proven that despite the request for deletion
exercised by the claimant on September 23, 2019, and having confirmed
by means of a burofax dated October 23, 2019 that had proceeded to give

download your data, the claimed entity kept your phone number, and used it to
offer their services on May 8, 2020 by SMS sent to the mobile phone
of the claimant.

In its defense, the claimed entity alleges that the telephone number appears in a

file of a client with the same surnames as the claimant, which confirms that
not all the personal data of the claimant was removed.

In accordance with which, it is considered appropriate to the seriousness of the facts analyzed
impose on the entity B.B.B., a penalty of 1,000 euros.

Therefore, in accordance with the applicable legislation and the criteria of
graduation of sanctions whose existence has been proven,

the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: TO IMPOSE B.B.B., with NIF *** NIF.1, for a violation of article 21 of
the LSSI, typified in article 38.4.d) of the LSSI, a fine of 1,000 euros (one thousand

SECOND: NOTIFY this resolution to B.B.B ..

THIRD: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the bank CAIXABANK, S.A .. In case

Otherwise, it will be collected in the executive period.

Notification received and once executive, if the execution date is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th day of the following or immediately subsequent business month, and if

between the 16th and the last day of each month, both inclusive, the payment term
It will be until the 5th of the second following or immediate business month.

C / Jorge Juan, 6
28001 - Madrid 5/5

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to

count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the

day following notification of this act, as provided in article 46.1 of the
referred Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the

interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [
web /], or through any of the other records provided for in art. 16.4 of the

cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.

Mar Spain Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6
28001 - Madrid