AEPD - PS/00341/2020

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5 GDPR
Article 6(1) GDPR
Type: Complaint
Outcome: Upheld
Decided: 28.10.2020
Published: 03.11.2020
Fine: 30000 EUR
Parties: Vodafone ESPAÑA, S.A.U.
National Case Number/Name: PS/00341/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) held that Vodafone infringed Article 6(1) GDPR by sending the complainant an SMS demanding payment for a service that had been contracted fraudulently. Vodafone was fined €30000 (reductions for acknowledging responsibility and for early voluntary payment applied).

English Summary

Facts

The complainant filed a complaint with the Spanish DPA in May 2019 because Vodafone had requested payment of a bill for a contract concluded without the complainant's consent. This request was made via SMS. The complainant subsequently visited a Vodafone store to get the bill for this debt, even though the address and bank account on the bill were not his.

Vodafone informed the Spanish DPA that it had sent a letter to the claimant indicating that it had taken action to resolve the issue and apologising. This letter stated that Vodafone had now classified the service concerned in the SMS as fraudulent and erased any outstanding debt from the complainant's financial solvency file. It also stated that, after internal investigations by Vodafone, it became clear that although the contract appeared to be correct, it had not been made by the complainant. The contracted service seemed correct since it passed Vodafone's security procedure. All services made in the name of the claimant that he did not recognise as valid were classified as fraud.

Vodafone explained to the Spanish DPA that the fraudulent contract was made through Vodafone's Online Shop in accordance with its security policy. All access details were correctly entered to create and access an online profile in the client section. Vodafone therefore told the agency that it was difficult to determine whether the third party was authorised to access the account from which the bill was sent and whether the personal data had been accessed legally or not. Vodafone stated that it was not made aware of the fraudulent action until the complainant filed a complaint.

Dispute

Did Vodafone violate Article 6(1) GDPR by sending an SMS asking for the payment of a fraudulent contract to the complainant?

Holding

The Spanish DPA held that it was proven that Vodafone had processed the claimant's personal data. Vodafone did not take the necessary precautions to authenticate the contracting party. Vodafone also did not have a legal basis for processing the claimant's personal data, as there was no valid contract between Vodafone and the claimant. Therefore, Vodafone was in breach of Article 6(1) GDPR.

Similarly, the Spanish DPA held that Vodafone failed to fulfill its obligation to respect the principle of lawfulness and the principle of responsibility [although not mentioned directly by the Spanish DPA, these principles are found under Article 5(1)(a) and Article 5(2) GDPR respectively]. The Spanish DPA even made reference to Recital 40 GDPR on the legality of processing.

The Spanish DPA then recalled that a sanction for violating Article 6(1) GDPR was to be imposed on Vodafone. The fine was to be set at €50000. This fine was reduced to €30000 as Vodafone recognised its responsibility and made an early and voluntary payment (as authorised legally and provided by the Spanish DPA). The reduced fine was paid in October 2020, bringing the procedure to a close.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure Nº: PS/00341/2020

RESOLUTION R/00530/2020 TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

In sanctioning procedure PS/00341/2020, brought by the Spanish Agency for Data Protection against VODAFONE ESPAÑA, S.A.U., in view of the complaint filed by A.A.A., and based on the following,

BACKGROUND

FIRST: On October 5, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against VODAFONE ESPAÑA, S.A.U. (hereinafter, the respondent), through the Agreement transcribed below:


<<





Procedure Nº: PS/00341/2020

935-200320

AGREEMENT TO INITIATE THE SANCTIONING PROCEDURE

From the actions carried out by the Spanish Agency for Data Protection, and based on the following:

FACTS

FIRST: Mr. A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Agency for Data Protection on May 12, 2019. The claim is directed against Vodafone España, S.A.U., with NIF A80907397 (hereinafter, the respondent).

The claimant states that the respondent is demanding payment of an invoice for a service contracted without his consent.

He adds that he learned of this debt through an SMS and went to one of the respondent's shops to obtain an invoice for the amount of € 56.88, although the address shown on it and the bank account to which the payment is direct-debited are not his.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es


And, among other things, he provides the following documentation:

- Copy of police report No. 4796/19 dated May 9, 2019, setting out the facts reported, in which the following information also appears:

    o That he went to the Vodafone store on 05/08/2019 when he learned of this debt through an SMS.

    o That the invoice pending payment is for XX, XX €, is in his name with his NIF, the address is *** ADDRESS.1, and the bank account to which the payment is direct-debited ends in YYYY, which is not this claimant's account.

- Copy of the claim before the Consumer Service of the Provincial Directorate of Ciudad Real of the Ministry of Health dated 05/10/2019.

- Copy of the Vodafone invoice in the name of the claimant at the address *** ADDRESS.1 for an amount of XX, XX € and account number ending in YYYY. It also shows Vodafone account number *** ACCOUNT.1, direct debit ref. *** ACCOUNT.1 and issue date 04/22/2019.






SECOND: In view of the facts reported in the claim and the documents provided by the claimant / the facts and documents of which this Agency has become aware, the Subdirectorate General for Data Inspection carried out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to supervisory authorities in article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD).




On November 6, 2019, the respondent stated to this Agency:

    1. That it sent a letter to the claimant informing him of the steps taken to resolve his claim and apologizing to him.

        It provides a copy of the letter sent to the claimant on November 5, 2019 at the address *** ADDRESS.2, indicating that the registration of the unrecognized services was classified as fraudulent and that the debt in his name was excluded from any financial solvency file in which it might have been registered.

    1. That, after analyzing the claim submitted by the claimant and carrying out the appropriate internal investigations, it verified that, although the contract appeared to be correct, it has become known that it was not made by the claimant.

    2. That the service request appeared to be correct since it was carried out in compliance with the security procedure that the respondent follows.

    3. That the debt has been excluded from any negative financial solvency file in which the respondent could have registered said debt.

        Screenshots from Experian and Equifax are provided in which, in the removals section, a search by the complainant's NIF returns no results.

    4. That all services in the claimant's name that he does not recognize were classified as fraudulent, and that the debt corresponding to the amount of XX, XX € was excluded from the negative financial solvency files in which the respondent had registered the debt.

On January 27, 2020, the respondent sent this Agency the following information:

    1. That the fraudulent contract in question was concluded on January 5, 2017 through the Vodafone Online Store.

    2. That the sign-up for the services was handled in accordance with VODAFONE's existing security policy for the online channel:

            a. The contracting person was first asked for an email address, with which to access the customer's private area by creating a profile, as well as a telephone number.

            b. Next, the person's personal details were requested: name, surname, ID, postal address and bank account. Throughout, the person who completed the information identified himself as the claimant.

            c. Once all the requested information is completed, the corresponding contract is sent to the email address provided.

    3. It states:

        "It is important to bear in mind that, in this mode of contracting, Vodafone has no way of knowing whether the person completing the data is really the owner of that data or whether that person is authorized to make use of it. There is no way to know whether the third party has had access to Mr. A.A.A.'s data legally or not.

        In relation to the above, through the website, the contracting party, the alleged offender, was asked to provide contact information, such as name, surname, DNI and postal address, and in this case provided the data of Mr. A.A.A. The address indicated, in turn, is *** ADDRESS.1, which is the subject of the claim by Mr. A.A.A. In this sense, there was no way my client could know or doubt, once the Contracting Security Policy had been passed, that said address, provided directly by the customer, actually the offender, was correct."

    1. That the respondent only learned that said contract did not appear to be correct upon notification of the complaint filed by the complainant on May 9, 2019 at the General Directorate of the Police.

    2. It provides monthly invoices with issue dates from 02/01/2017 to 08/01/2018. All invoices show:

            a. As holder, the complainant

            b. Postal address *** ADDRESS.1

            c. Last four digits of the bank account: YYYY

            d. Vodafone account number *** ACCOUNT.2

            e. Direct debit ref. *** ACCOUNT.2

    3. It provides a copy of the "Vodafone Online Store" contract dated 01/05/2017 in the name of the complainant, which shows:

            a. In the customer data section, the address "*** ADDRESS.2"

            b. In the billing section, an account number whose last 4 digits are RRRR.












FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.




II

Article 5 of the RGPD deals with the principles that must govern the processing of personal data and mentions among them that of "lawfulness, fairness and transparency". The provision states:

"1. Personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to the data subject;"

Article 6 of the RGPD, "Lawfulness of processing", details in its section 1 the cases in which the processing of third-party data is considered lawful:

"1. Processing shall be lawful only if at least one of the following conditions is met:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or in order to take pre-contractual measures at the data subject's request;

(…)"

The infringement for which the respondent entity is held responsible is defined in article 83 of the RGPD which, under the heading "General conditions for imposing administrative fines", states:

"5. Infringements of the following provisions shall be sanctioned, in accordance with section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global turnover of the previous financial year, whichever is higher:

a) The basic principles for processing, including the conditions for consent, in accordance with articles 5, 6, 7 and 9."

Organic Law 3/2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), in its article 72, under the heading "Infringements considered very serious", provides:

"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, in particular the following:

(…)

a) The processing of personal data without any of the conditions for lawful processing established in article 6 of Regulation (EU) 2016/679 being met."

On the one hand, it is proven that the respondent processed the claimant's personal data (name, surname and NIF). Thus, when contracting, the respondent did not take the necessary precautions to verify the legitimacy of the contracting party.

On the other hand, the respondent lacked a legal basis for processing the claimant's personal data.

The absence of a legal basis for the processing is likewise confirmed, since it is shown that there was no contract between the two.




It must be taken into account that the documentation in the file provides evidence that the respondent violated article 6.1 of the RGPD, since it processed the claimant's personal data without a legal basis.

The lack of diligence displayed by the entity in complying with the obligations imposed by personal data protection regulations is thus evident. Diligent compliance with the principle of lawfulness in the processing of third-party data requires that the data controller be in a position to prove it (principle of proactive responsibility).




In accordance with the evidence available at this stage of the procedure, and without prejudice to what results from the investigation, it is considered that the respondent's conduct could violate article 6.1 of the RGPD and may constitute the infringement defined in article 83.5.a) of the aforementioned Regulation 2016/679.

In this sense, Recital 40 of the RGPD states:

"(40) For processing to be lawful, personal data must be processed with the consent of the data subject or on some other legitimate basis established in accordance with law, either in this Regulation or in other Union or Member State law referred to in this Regulation, including the need to comply with the legal obligation applicable to the controller or the need to perform a contract to which the data subject is party or in order to take measures at the request of the data subject prior to the conclusion of a contract."




III

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be observed, which state:

"Each supervisory authority shall ensure that the imposition of administrative fines under this article for infringements of this Regulation indicated in paragraphs 4, 9 and 6 is in each individual case effective, proportionate and dissuasive."

"Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or instead of the measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of data subjects affected and the level of damage they have suffered;

b) the intentional or negligent character of the infringement;

c) any measure taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have applied by virtue of articles 25 and 32;

e) any previous infringement committed by the controller or processor;

f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;

g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority learned of the infringement, in particular whether the controller or processor notified the infringement and, if so, to what extent;

i) when the measures indicated in Article 58 (2) have previously been ordered against the controller or processor concerned in relation to the same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to certification mechanisms approved in accordance with Article 42, and

k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."

Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, "Sanctions and corrective measures", provides:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The continuing nature of the infringement.

b) The link between the offender's activity and the processing of personal data.


c) The benefits obtained as a result of committing the infringement.

d) The possibility that the affected person's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.

f) The effect on the rights of minors.

g) Having, when not mandatory, a data protection officer.

h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject."

In accordance with the transcribed provisions, and without prejudice to what results from the investigation of the procedure, in order to set the amount of the fine to be imposed on the respondent entity as responsible for an infringement defined in Article 83.5.a) of the RGPD, on an initial assessment the following factors are considered to be present in this case:

As aggravating factors:

- That the facts that are the subject of the claim are attributable to a lack of diligence on the part of the respondent (article 83.2.b, RGPD).

- Basic personal identifiers (personal data) are affected (article 83.2.g of the RGPD).

- The evident link between the respondent's business activity and the processing of personal data of customers or third parties (article 83.2.k of the RGPD in relation to article 76.2.b of the LOPDGDD).

As mitigating factors:

- The measures that the respondent adopted to alleviate the damage suffered by the claimant (article 83.2.c).

- The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects (article 83.2.f). The respondent provided information to this Agency on the events that occurred, sent an explanatory letter to the claimant in which it apologizes, and proceeded to exclude the corresponding debt.

Therefore, based on the foregoing,







By the Director of the Spanish Agency for Data Protection,

IT IS AGREED:

FIRST: TO INITIATE A SANCTIONING PROCEDURE against VODAFONE ESPAÑA, S.A.U., with NIF A80907397, for the alleged violation of article 6.1 of the RGPD, defined in article 83.5.a) of the aforementioned RGPD.

SECOND: TO APPOINT Mr. C.C.C. as instructor and Ms. D.D.D. as secretary, indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).

THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and his documentation, the documents obtained and generated by the General Subdirectorate for Data Inspection during the investigation phase, as well as the report of previous inspection actions.

FOURTH: THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the corresponding penalty would be 50,000 euros (fifty thousand euros), without prejudice to what results from the investigation.

FIFTH: TO NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U., with NIF A80907397, granting it a hearing period of ten business days to submit the allegations and present the evidence it deems appropriate. In its written allegations, it must provide its NIF and the procedure number that appears in the heading of this document.

If it does not submit allegations to this initiation agreement within the stipulated period, the agreement may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).



In accordance with the provisions of article 85 of the LPACAP, if the penalty to be imposed is a fine, the respondent may acknowledge its responsibility within the period granted for submitting allegations to this initiation agreement, which will entail a 20% reduction of the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at 40,000 euros, and the procedure would be resolved with the imposition of this sanction.

Likewise, at any time prior to the resolution of this procedure, it may make voluntary payment of the proposed sanction, which will mean a 20% reduction of its amount. With the application of this reduction, the sanction would be set at 40,000 euros and its payment will imply the termination of the procedure.

The reduction for voluntary payment of the sanction is cumulative with the one that applies for acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to submit allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions apply, the amount of the sanction would be set at 30,000 euros.

In any case, the effectiveness of either of the two reductions mentioned will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

If it chooses to proceed with the voluntary payment of either of the amounts indicated above, 40,000 euros or 30,000 euros, it must make the payment by deposit into account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the payment reference the reference number of the procedure that appears in the heading of this document and the ground for reduction of the amount that it is relying on.







Likewise, it must send proof of payment to the Subdirectorate General for Inspection so that the procedure can continue in accordance with the amount paid.

The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be closed, in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, no administrative appeal may be lodged against this act.

Mar España Martí

Director of the Spanish Agency for Data Protection











>>

SECOND: On October 27, 2020, the respondent paid the sanction in the amount of 30,000 euros, making use of the two reductions provided for in the Initiation Agreement transcribed above, which implies acknowledgment of responsibility.

THIRD: The payment made, within the period granted to submit allegations at the opening of the procedure, entails the waiver of any administrative action or appeal against the sanction and the acknowledgment of responsibility in relation to the facts to which the Initiation Agreement refers.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD grants to each supervisory authority, and as established in art. 47 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection is competent to sanction infringements committed against said Regulation; infringements of article 48 of Law 9/2014, of May 9, General Telecommunications (hereinafter LGT), in accordance with the provisions of article 84.3 of the LGT; and the infringements defined in articles 38.3 c), d) and i) and 38.4 d), g) and h) of Law 34/2002, of July 11, on information society services and electronic commerce (hereinafter LSSI), as provided in article 43.1 of said Law.

II

Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination of sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when both a pecuniary and a non-pecuniary sanction may be imposed but the inappropriateness of the latter has been justified, voluntary payment by the presumed responsible party at any time prior to the resolution will imply the termination of the procedure, except as regards restoring the altered situation or determining compensation for the damage caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be set out in the notice of initiation of the procedure, and their effectiveness will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.

The percentage of reduction provided for in this section may be increased by regulation."

In accordance with the above, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: TO DECLARE the termination of procedure PS/00341/2020, in accordance with the provisions of article 85 of the LPACAP.

SECOND: TO NOTIFY this resolution to VODAFONE ESPAÑA, S.A.U.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law.



936-031219
Mar España Martí

Director of the Spanish Agency for Data Protection