AEPD - PS/00324/2019

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Settled
Decided: 4. 11. 2019
Published: n/a
Fine: None
Parties: El Maestro Cerrajero SL and the Consumer Institute of Madrid
National Case Number: PS/00324/2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Spanish

Original Source: AEPD (in ES)

The AEPD found that El Maestro Cerrajero SL’s privacy policy complied with Article 13 GDPR, after the page was updated by the controller during the procedure.

English Summary

Facts

After a complaint submitted by the Consumer Institute of Madrid regarding the violation of Article 13 of the GDPR, the AEPD initiated a reprimand procedure against the company El Maestro Cerrajero SL (the controller). The policy still referred to the national law before the introduction of GDPR. During the procedure the controller updated the privacy policy.

Dispute

Did the old privacy policy comply with Article 13?

Holding

The controller updated its privacy policy to comply with the GDPR. Therefore, the AEPD settled the complaint.

English Machine Translation of the Decision

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.


Procedure No.: PS/00324/2019


DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: MADRID MUNICIPAL CONSUMPTION INSTITUTE (hereinafter referred to as claimant) on January 22, 2019 filed a complaint with the Spanish Agency for Data Protection against EL MAESTRO CERRAJERO SL (CERRAJEROSMADRID-24H.COM and CERRAJEROSMADRID.COM) with NIF B87043691 (hereinafter referred to as the Respondent).

The reasons on which the claim is based are the collection of personal data by the claimed party, without providing the precise information to the interested parties in accordance with the regulations in force regarding the protection of personal data.

SECOND: It is verified that in the "Privacy Policy" of the mentioned website, it is indicated:

- That the respondent operates the website hosted under the domain name ***URL.1

- That said policy states that "In accordance with Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD), and Regulation (EU) 2016/679, of the European Parliament and Council, of April 27 ("General Data Protection Regulation" or "GDPR"), this Privacy Policy applies to the processing of personal data that CERRAJEROS MADRID 24H as responsible and / or responsible for them, in relation to the data that users and / or customers (individuals) provided as a result of hiring services, purchase of products or access to the blog that provides CERRAJEROS MADRID 24H, or collected in any section of the website ***URL.1".

Subsequently, the Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Section Two of Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD).

As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been claimed.

Likewise, the following points are noted:

This complaint was brought to the attention of the complainant on 21 June 2019, requiring him to send this Agency, within a period of one month, information on the response given to the complainant on the facts reported, as well as the causes that have motivated the incident and the measures taken to adapt its "Privacy Policy" to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (RGPD).

After the given deadline, no response has been obtained from the respondent.

THIRD: On October 23, 2019, the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure against the respondent, for the alleged infringement of Article 13 of the RGPD, typified in Article 83.5 of the RGPD.

In view of all that has been done, the following are considered to be proven facts by the Spanish Data Protection Agency in these proceedings,

FACTS

FIRST: The complaint is based on the fact that the privacy policy of the person claimed does not provide all the information required by article 13 of the RGPD when personal data is obtained from the person concerned.

The claimant is informed of this complaint on June 21, 2019, and is requested to send this Agency, within a period of one month, information about the response given to the claimant for the reported facts, as well as the causes that have motivated the incident and the measures adopted to adapt its "Privacy Policy" to Article 13 of Regulation (EU) 2016/679 of the European Parliament and Council of April 27, 2016 (RGPD).

After the given deadline, no response has been obtained from the respondent.

SECOND: The respondent submitted a letter indicating the measures adopted on 11 July 2019, but due to computer problems, access to this information was not available after the initiation of the present sanctioning procedure.

LEGAL GROUNDS

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and according to what is established in articles 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The defendant is charged with an infringement of Article 13 of the RGPD, which states:

"1. Where personal data are obtained from a data subject, the data controller shall, at the time when they are obtained, provide the data subject with all the following information:
(a) the identity and contact details of the controller and, where appropriate, of his representative;
(b) the contact details of the Data Protection Officer, if any;
(c) the purposes of the processing for which the personal data are intended and the legal basis of the processing;
(d) where the processing is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
(e) the recipients or categories of recipient of the personal data, in their case;
(f) where appropriate, the controller's intention to transfer personal data to a third country or international organisation and the existence or absence of a Commission decision on adequacy, or, in the case of transfers referred to in Articles 46 or 47 or the second subparagraph of Article 49(1), reference to adequate or appropriate safeguards and the means of obtaining a copy thereof or the fact that they have been provided.
2. In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time when the personal data are collected, with the following information necessary to ensure fair and transparent processing of the data:
(a) the period for which the personal data are held or, where this is not possible, the criteria used to determine this period;
(b) the existence of the right to request the controller to have access to the personal data concerning the data subject and to have them corrected, erased or restricted and the right to object to the processing, as well as the right to the portability of the data;
(c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of the processing based on consent prior to withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the communication of personal data is a legal or contractual requirement, or a requirement for entering into a contract, and whether the data subject is under an obligation to supply the personal data and is informed of the possible consequences of not supplying such data;
(f) the existence of automated decisions, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, significant information about the logic involved and the significance and the expected impact of the processing on the data subject.
3. Where the controller plans to further process personal data for a purpose other than that for which they were collected, he shall provide the data subject, prior to such further processing, with information on that other purpose and with any relevant additional information within the meaning of paragraph 2.
4. The provisions of paragraphs 1, 2 and 3 shall not apply where and insofar as the information is already available to the data subject."

Article 11 of the LOPDGDD provides as follows:
"Where personal data are obtained from the data subject, the controller may fulfil the duty of information laid down in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and by indicating an electronic address or other means which allows easy and immediate access to the remaining information.
2. The basic information referred to in the previous paragraph shall contain, at least:
(a) The identity of the controller and of his representative, if any.
(b) The purpose of the processing.
(c) The possibility of exercising the rights set out in Articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the data subject are to be processed for profiling purposes, the basic information shall also include this circumstance. In this case, the data subject must be informed of his right to object to automated individual decisions which produce legal effects on him or significantly affect him in a similar way, where this right exists in accordance with Article 22 of Regulation (EU) 2016/679."

III

In the present case the infringement is typified in article 83.5 of the RGPD, which establishes that:
"The infringements of the following provisions shall be penalised, in accordance with paragraph 2, by administrative fines of not more than EUR 20 000 000 or, in the case of an undertaking, of not more than 4 % of its total annual turnover in the preceding business year, whichever is the greater:
(b) the rights of the persons concerned within the meaning of Articles 12 to 22."

This infringement is classified as minor in Article 74(a) of the LOPDGDD, under the heading "Offences considered minor", which provides:
"The remaining infringements of a purely formal nature of the articles mentioned in Article 83(4) and (5) of Regulation (EU) 2016/679, and in particular the following, are considered minor and shall be subject to a limitation period of one year:
(a) Failure to comply with the principle of transparency of information or the right to information of the person concerned by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679."


IV

The agreement to initiate the sanctioning process that we are dealing with here had its reason to be in the complaint filed against the respondent because his website did not comply with the personal data protection regulations, specifically with the provisions of Article 13 of the RGPD which regulates the information that must be provided when personal data is obtained from the interested party.

The Spanish Data Protection Agency has recently had access to the document that the complainant sent in response to the request made by this Body, where the measures adopted to adapt to the new regulations are indicated, to which this Agency did not have access until now due to computer problems.

This document indicates the following:

"The web pages that are the object of your request have been updated and included in the privacy policies.

We hope to comply with all the regulations in force.

We proceed to include the links in which these updates are included.
***LINK.1
***LINK.2
***LINK.3
***LINK.4
***LINK.5
***LINK.6

Specifically in the first link, the following is noteworthy:

"YOUR PRIVACY IS IMPORTANT TO ME.

In this privacy statement I explain what personal data I collect from my users and how I use it. I encourage you to read these terms carefully before providing your personal data on this website. People over the age of thirteen may register with ***URL.1 as users without the prior consent of their parents or guardians.

In the case of minors under thirteen years of age, the consent of their parents or guardians is required for the processing of their personal data.

Under no circumstances will the minor be asked to provide information on the professional or financial situation or on the privacy of other family members without their consent.

If you are under thirteen years of age and have accessed this website without notifying your parents, you should not register as a user.

This website respects and takes care of the personal data of its users. As a user you should know that your rights are guaranteed.

We have made an effort to create a safe and reliable space and that is why I want to share my principles regarding your privacy:

- I never ask for personal information unless it is really necessary to provide you with the services you require.
- I never share my users' personal information with anyone, except to comply with the law or with your express permission.
- I never use your personal information for any purpose other than the one expressed in this privacy policy.

Please note that this Privacy Policy may vary depending on legislative or self-regulatory requirements, so users are advised to visit it periodically. It will be applicable in the event that users decide to fill in any of its contact forms where personal data is collected.

In accordance with Law 15/1999 of 13 December on the Protection of Personal Data (LOPD), and Regulation (EU) 2016/679 of the European Parliament and Council of 27 April ("General Regulation on Data Protection" or "RGPD"), this Privacy Policy applies to the processing of personal data that CERRAJEROS MADRID 24H as responsible and / or responsible for them, in relation to the data that the users and/or clients (physical persons) facilitate as a result of the hiring of the services, purchase of products or access to the blog that provides CERRAJEROS MADRID 24H, or obtained in any of the sections of the Web site ***URL.1

If you do not agree with the terms of this Policy, do not access or use the Services. This Privacy Policy does not apply to any other products, services or activities of third parties.

RESPONSIBLE FOR THE PROCESSING OF YOUR DATA

- Company Name: El Maestro Cerrajero SL
- Trade name: CERRAJEROS MADRID 24H
- Address: C/ DEL GENERAL PARDIÑAS 15, 28015 Madrid (Madrid)
- CIF/NIF: B87043691
- Email: ***EMAIL.1

PRINCIPLES THAT I WILL APPLY TO YOUR PERSONAL INFORMATION

When processing your personal data, I will apply the following principles which are in line with the requirements of the new European data protection regulation:

Principle of lawfulness, loyalty and transparency: I will always require your consent for the processing of your personal data for one or more specific purposes which I will inform you about in advance with absolute transparency.

Data minimization principle: I will only request data that is strictly necessary in relation to the purposes for which I require it. The minimum possible.

Principle of limitation of the period of conservation: the data will be kept for no longer than necessary for the purposes of the processing, depending on the purpose, I will inform you of the corresponding period of conservation, in the case of subscriptions, I will periodically review my lists and I will remove those records that have been inactive for a considerable time.

Principle of integrity and confidentiality: your data will be processed in such a way as to ensure adequate security of personal data and to guarantee confidentiality. You should know that I take all necessary precautions to prevent unauthorized access or misuse of my users' data by third parties.

HOW HAVE I OBTAINED YOUR DATA?

The personal data that I treat in CERRAJEROS MADRID 24H comes from:

- Contact form.
- Registration form.
- Comments in blog.
- Subscription form.
- Service request form.

WHAT ARE YOUR RIGHTS WHEN YOU GIVE ME YOUR DATA?

Any person has the right to obtain confirmation about whether or not in CERRAJEROS MADRID 24H I am processing personal data that concerns me.
Interested persons have the right to:
- Request access to personal data concerning the interested party.
- Request their rectification or suppression.
- Request the limitation of their treatment.
- Oppose to the treatment.
- Request the portability of the data.
(…)

LEGITIMACY FOR THE PROCESSING OF YOUR DATA

The legal basis for the processing of your data is: consent.

To contact or make comments on this website, consent to this privacy policy is required.

The prospective or commercial offer of products and services is based on the consent that is requested, without in any case the withdrawal of this consent conditions the execution of the subscription contract.

CATEGORY OF DATA COLLECTED
The categories of data that are processed are identifying data.
Under no circumstances are specially protected data categories processed.

HOW LONG WILL I KEEP YOUR DATA?
The personal data provided will be kept until you request their deletion.

TO WHICH RECIPIENTS WILL YOUR DATA BE COMMUNICATED?

(…)

TREATMENT PURPOSES
Your personal data collected through the website will be used for the generic purpose of management and control of the contractual or business relationship established and, specifically, for:
- Manage the complete access and correct use of the Services by the users of the same.
- To communicate with users in response to doubts, requests, comments and questions that they may ask us through the contact forms on our website (including, chats or telephone calls).
- To offer new products, services, special offers or updates, send newsletters.
- If necessary, manage personnel selection processes in selective processes of workers and/or collaborators.
- Commercial Communications (Marketing): We may use your data to contact you, both electronically and non-electronically, to conduct surveys, obtain your opinion on the service provided, and occasionally to notify you of changes, important developments in the services, offers and/or promotions. These commercial offers will, in any case, be expressly and separately authorized by the user, who can revoke at any time his consent to receive these notifications using the mechanism implemented to that effect in the same.
- We will not process your personal data for any other purpose beyond those described above unless imposed by law or there is a court order.
- Retention period: The personal data provided will be kept and processed while the business relationship is maintained, without prejudice to the possibility of exercising your right to delete it, in which case CERRAJEROS MADRID 24 H will block your data for as long as its legal obligations continue.
The personal data of persons interested in receiving commercial information will be kept in the system indefinitely as long as the person concerned does not request its deletion.

LEGITIMACY OF PROCESSING
The legal basis for the processing of the data is the legitimation based on the consent of the data subject given for the purposes described above."

(…)

In this regard, it should be noted that after a detailed study of the measures adopted by the requested entity in the privacy policy of its website, it should be indicated that with the exception of the fact that the former LOPD 15/1999 is still mentioned, which is now practically repealed, and for which reason it is recommended that it be omitted as soon as possible, the privacy policy of the requested entity currently complies with current regulations, and therefore these actions should be filed.


In view of the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO FILE the sanctioning procedure PS/00324/2019, as it is accredited that EL MAESTRO CERRAJERO SL (CERRAJEROSMADRID-24H.COM and CERRAJEROSMADRID.COM) with NIF B87043691 is exempt from liability which could constitute a breach of Article 13 of the RGPD, a breach of Article 83.5 (b) of the RGPD.

SECOND: NOTIFY this resolution to EL MAESTRO CERRAJERO SL (CERRAJEROSMADRID-24H.COM and CERRAJEROSMADRID.COM) with NIF B87043691

Against this resolution, which puts an end to the administrative procedure in accordance with the provisions of article 114.1.c) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations, and in accordance with the provisions of articles 112 and 123 of the aforementioned Law 39/2015, of 1 October, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within the period of one month starting from the day following the notification of this decision or directly an administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Act.


Mar España Martí
Director of the Spanish Data Protection Agency