AEPD (Spain) - PS/00357/2020

From GDPRhub
Revision as of 08:30, 2 March 2021 by Mh
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 13 GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided:
Published: 22.02.2021
Fine: None
Parties: n/a
National Case Number/Name: PS/00357/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: CSO

The Spanish DPA (AEPD) issued a warning to the defendant (a natural person) for not adequately informing users about the data processing it carries out on its website, in violation of Article 13 GDPR.

English Summary

Facts

A public body for the defense of consumers' rights filed a complaint with the AEPD against the defendant for failing to comply with Article 13 GDPR on its website.

In its investigation, the AEPD found that the defendant's website had a data collection form, but users did not have all the necessary information on the processing of their data according to Article 13 GDPR.

Subsequently, the AEPD verified that the defendant had updated the information on its website.

Dispute

The decision does not establish precisely why the information provided was not in accordance with the GDPR. However, on the basis of the available information it seems that the information appeared under the title "legal notice" instead of "privacy policy". In addition, the text referred to the old Spanish law instead of the current one.

Holding

The AEPD imposes a warning sanction and explains that imposing a sanction under Article 83(5)(b) of the GDPR against the respondent would be a disproportionate burden on it. In addition, the AEPD takes into account two factors: 1) that the main activity of the respondent is not directly linked to the processing of personal data and 2) that there is no record of previous data protection infringements.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     Procedure Nº: PS/00357/2020


                RESOLUTION OF SANCTIONING PROCEDURE

In the procedure conducted by the Spanish Agency for Data Protection, and based on
the following


                                   BACKGROUND

FIRST: The MUNICIPAL INSTITUTE OF CONSUMPTION OF *** LOCALITY.1 (hereinafter, the
claimant) filed a claim with the Spanish Agency for Data Protection on June 26, 2020.

The claim is directed against A.A.A. with NIF *** NIF.1 (hereinafter, the respondent).

The claim is based on non-compliance with the data protection regulations on the
website *** URL.1.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the
Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD),
the claim was forwarded to the respondent on August 14, 2020, under reference number
E/06538/2020, so that it could analyze it and inform this Agency, within one month, of
the actions taken to comply with the requirements set forth in the data protection
regulations. No reply has been received to date.


THIRD: On November 26, 2020, the Director of the Spanish Agency for Data Protection
agreed to initiate a sanctioning procedure against the respondent for the alleged
violation of article 13 of the RGPD, typified in article 83.5 of the RGPD.


FOURTH: Once the aforementioned commencement agreement was notified, the respondent
submitted written allegations on December 14, 2020 in which, in short, it stated that
the "Legal Notice" document broadly includes what is established in the data
protection regulations.

Likewise, in relation to the contact form, in which personal data is collected, it is
indicated that «the "Privacy Policy" link actually leads to the "Legal Notice"
document which, due to its content, as already mentioned, responds more broadly to
the requirements of the data protection regulations than the "Privacy Policy"
document».

In short, the information provided to users, both in the general content of the
website and in the contact form itself, adequately complies with all the requirements
established by law, with no non-compliance observed in any of the points regulated in
article 13 of the RGPD.


FIFTH: On December 12, 2020, the instructor of the procedure agreed to open a period
for the taking of evidence, deeming incorporated the preliminary investigation
actions, E/06790/2020, as well as the documents provided by the respondent.

C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es


SIXTH: On January 19, 2021, a resolution proposal was formulated, proposing that
A.A.A., with NIF *** NIF.1, be given a warning sanction, in accordance with article
58.2.b) of the RGPD, for an infringement of article 13 of the RGPD, typified in
article 83.5 of the RGPD.

In view of all the actions taken, the Spanish Agency for Data Protection considers
the following to be proven facts in the present proceeding,

                                       FACTS

FIRST: The breach of the data protection regulations on the website *** URL.1;
specifically, because the information provided to customers on the processing of
personal data does not meet the requirements established in the GDPR.

SECOND: The respondent states that the information provided to the users of the
website that is the object of this claim meets all the requirements established in
article 13 of the RGPD.

THIRD: It is verified that the information included on the website *** URL.1 complies
with all the requirements of article 13 RGPD, in response to the request of this
Agency.


                           FOUNDATIONS OF LAW

                                            I

By virtue of the powers that article 58.2 of the RGPD confers on each supervisory
authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
the Spanish Data Protection Agency is competent to resolve this procedure.


                                            II

Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of April 27, 2016, on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data (General Data Protection
Regulation, hereinafter RGPD), under the heading "Definitions", provides that:

"For the purposes of this Regulation, the following shall be understood as:

1) "personal data": any information about an identified or identifiable natural
person ("the data subject"); an identifiable natural person shall be considered any
person whose identity can be determined, directly or indirectly, in particular by
means of an identifier, such as a name, an identification number, location data, an
online identifier or one or more elements of the physical, physiological, genetic,
psychic, economic, cultural or social identity of said person;

2) "processing": any operation or set of operations carried out on personal data or
sets of personal data, whether or not by automated procedures, such as collection,
recording, organization, structuring, storage, adaptation or modification,
extraction, consultation, use, communication by transmission, dissemination or any
other form of enabling access, collation or interconnection, limitation, deletion or
destruction;"

Therefore, in accordance with these definitions, the collection of personal data
through forms included on a web page constitutes data processing, with respect to
which the controller must comply with the provisions of article 13 of the RGPD, a
provision that, since May 25, 2018, has displaced article 5 of Organic Law 15/1999,
of December 13, on the Protection of Personal Data.

In relation to this matter, it is noted that the Spanish Agency for Data Protection
makes available to citizens the Guide for compliance with the duty to inform
(https://www.aepd.es/media/guias/guia-modelo-clausula-informativa.pdf) and, in the
case of low-risk data processing, the free tool Facilita
(https://www.aepd.es/herramdamientos/facilita.html).

                                             III

Article 13 of the RGPD, the provision that determines the information that must be
provided to the data subject at the time of data collection, provides:

"1. When personal data relating to a data subject are obtained from that data
subject, the controller, at the time the data are obtained, will provide all the
information indicated below:

a) the identity and contact details of the controller and, where appropriate, of its
representative;

b) the contact details of the data protection officer, if applicable;

c) the purposes of the processing for which the personal data are intended and the
legal basis of the processing;

d) when the processing is based on article 6, paragraph 1, letter f), the legitimate
interests of the controller or of a third party;

e) the recipients or categories of recipients of the personal data, where
applicable;

f) where appropriate, the intention of the controller to transfer personal data to a
third country or international organization and the existence or absence of an
adequacy decision of the Commission or, in the case of the transfers indicated in
Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the
adequate or appropriate safeguards and the means to obtain a copy of them or to the
fact that they have been made available.

2. In addition to the information mentioned in section 1, the controller will provide
the data subject, at the time the personal data are obtained, with the following
information necessary to guarantee fair and transparent data processing:

a) the period during which the personal data will be kept or, when that is not
possible, the criteria used to determine this period;

b) the existence of the right to request from the controller access to the personal
data relating to the data subject, and their rectification or deletion, or the
limitation of their processing, or to object to the processing, as well as the right
to data portability;

c) when the processing is based on article 6, paragraph 1, letter a), or article 9,
paragraph 2, letter a), the existence of the right to withdraw consent at any time,
without affecting the lawfulness of the processing based on consent prior to its
withdrawal;

d) the right to file a claim with a supervisory authority;

e) whether the communication of personal data is a legal or contractual requirement,
or a requirement necessary to enter into a contract, and whether the data subject is
obliged to provide the personal data and is informed of the possible consequences of
not providing such data;

f) the existence of automated decisions, including profiling, referred to in article
22, paragraphs 1 and 4, and, at least in such cases, meaningful information on the
logic applied, as well as the importance and the expected consequences of said
processing for the data subject.

3. When the controller plans the further processing of personal data for a purpose
other than that for which they were collected, it will provide the data subject,
prior to said further processing, with information on that other purpose and any
additional relevant information pursuant to section 2.

4. The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent
that the data subject already has the information".

For its part, article 11 of the LOPDGDD provides the following:

"1. When personal data is obtained from the affected party, the controller may comply
with the duty of information established in article 13 of Regulation (EU) 2016/679
by providing the affected party with the basic information referred to in the
following section and indicating an email address or other means that allows easy and
immediate access to the rest of the information.

2. The basic information referred to in the previous section must contain, at least:

a) The identity of the controller and of its representative, if applicable.

b) The purpose of the processing.

c) The possibility of exercising the rights established in articles 15 to 22 of
Regulation (EU) 2016/679.

If the data obtained from the affected party were to be processed for profiling, the
basic information will also include this circumstance. In this case, the affected
party must be informed of their right to object to the adoption of automated
individual decisions that produce legal effects on him or her or similarly
significantly affect him or her, where this right applies in accordance with the
provisions of article 22 of Regulation (EU) 2016/679."

                                             IV



By virtue of the provisions of article 58.2 of the RGPD, the Spanish Agency for Data
Protection, as a supervisory authority, has a set of corrective powers in the event
of an infringement of the provisions of the GDPR.

Article 58.2 of the RGPD provides the following:

"2. Each supervisory authority shall have all the corrective powers listed below:

(...)

b) sanction any controller or processor with a warning when the processing
operations have infringed the provisions of this Regulation;"

(...)

"d) order the controller or processor to bring processing operations into compliance
with the provisions of this Regulation, where appropriate, in a specified manner and
within a specified period;"

"i) impose an administrative fine in accordance with article 83, in addition to or
instead of the measures mentioned in this section, according to the circumstances of
each particular case;"

Article 83.5.b) of the RGPD establishes that:

"Violations of the following provisions will be sanctioned, in accordance with
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the
case of a company, an amount equivalent to a maximum of 4% of the total annual global
turnover of the previous financial year, whichever is higher:

a) the rights of the data subjects in accordance with articles 12 to 22;"

In turn, article 74.a) of the LOPDGDD, under the heading "Infringements considered
minor", provides:

"The remaining infringements of a merely formal nature of the articles mentioned in
sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and
will prescribe after one year and, in particular, the following:

a) Failure to comply with the principle of transparency of information or the right
of the data subject to information, by not providing all the information required by
articles 13 and 14 of Regulation (EU) 2016/679."

                                            V

In this case, it is taken into account that the respondent collected the personal
data of users who fill in the form included on the website *** URL.1 without
providing them, prior to collection, with all the data protection information
provided for in article 13 of the RGPD reviewed above.

Specifically, the content of points 2 to 7 of the Legal Notice had to be updated in
accordance with the new personal data protection regulations, replacing the reference
to Organic Law 15/1999 with Organic Law 3/2018, on the Protection of Personal Data
and guarantee of digital rights.

It has been verified that the information contained in the privacy policy has been
modified to adapt it to the current data protection regulations.

                                           VI

This being the case, in accordance with the evidence available, the facts set out,
specifically, that since May 2018 the information provided to users and clients about
the processing of their data, constitute, on the part of the respondent, an
infringement of the provisions of article 13 of the GDPR.

This infringement will be sanctioned with a warning, in accordance with article
58.2.b) of the RGPD, since basic data are collected from users and it is considered
that the administrative fine that could be imposed in accordance with the provisions
of Article 83.5.b) of the GDPR would constitute a disproportionate burden for the
respondent, whose main activity is not directly linked to the processing of personal
data, and since there is no evidence of any previous infringement in data protection
matters.

Likewise, since the information offered to the users whose personal data is collected
has been adapted to the requirements contemplated in article 13 of the RGPD, it is
not necessary to issue any requirement.

Therefore, in accordance with the applicable legislation and having assessed the
criteria for the graduation of sanctions whose existence has been proven,

the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: IMPOSE on A.A.A., with NIF *** NIF.1, for a violation of article 13 of the
RGPD, typified in article 83.5 of the RGPD, a warning sanction.


SECOND: NOTIFY this resolution to A.A.A., with NIF *** NIF.1.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of
article 123 of the LPACAP, the interested parties may optionally file an appeal for
reconsideration before the Director of the Spanish Agency for Data Protection within
one month from the day after the notification of this resolution, or directly file a
contentious-administrative appeal before the Contentious-Administrative Chamber of
the National High Court, in accordance with the provisions of article 25 and section
5 of the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the day
following notification of this act, as provided in article 46.1 of the aforementioned
Law.


Finally, it is pointed out that, in accordance with the provisions of art. 90.3 a) of
the LPACAP, the final resolution may be provisionally suspended through
administrative channels if the interested party expresses his intention to file a
contentious-administrative appeal. If this is the case, the interested party must
formally communicate this fact in writing addressed to the Spanish Agency for Data
Protection, presenting it through the Electronic Registry of the Agency
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other
registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1.
The interested party must also forward to the Agency the documentation that proves
the effective filing of the contentious-administrative appeal. If the Agency is not
made aware of the filing of the contentious-administrative appeal within a period of
two months from the day following the notification of this resolution, it would
terminate the precautionary suspension.



Mar España Martí
Director of the Spanish Agency for Data Protection