AEPD - PS/00402/2019

From GDPRhub
AEPD - PS/00402/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR

Article 83 GDPR

Type: Investigation
Outcome: Violation
Decided: 7.2.2020
Published: n/a
Fine: 20.000 euro
Parties: IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A.
National Case Number: PS/00402/2019
European Case Law Identifier n/a
Appeal: n/a
Original Language:

Spanish

Original Source: AEPD (in ES)

Following an investigation the AEPD imposed a fine of 20.000 EUR on IBERIA Airlines for the violation of Article 6(1)(f) GDPR, when further sending unsolicited emails after a customer has requested the deletion of his data.

English Summary[edit | edit source]

Facts and questions arising[edit | edit source]

In 2019, Mr D, a customer of Iberia Airlines, requested the company to delete all his personal data, including those concerning an ongoing Loyalty Program. Although the controller confirmed the deletion, Mr D continued to receive unsolicited marketing emails from the company. These facts led to a first complaint which ended in the sanctioning procedure PS/00370/2018. Notwithstanding the first formal notice, the sending of promotional did not stop. Therefore, Mr D lodged a second complaint alleging the ongoing violation of Article 6 GDPR.

Holding[edit | edit source]

The AEPD finds the violation of Article 6 quite apparent and focuses on the criteria to assess the amount of the fine under Article 83 GDPR. In particular, the Agency finds a certain "recidivism" due to the commission of infringements of the same nature, already sanctioned in the context of a previous procedure.

This integrate the aggravating criteria under Art. 83(2)(b) (intentional or negligent character of the infringement) and (e) (previous infringements) of the GDPR. For these reasons, the controller was given a penalty of 20.000 euros.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the Spanish original for more details.

Procedure No.: PS/00402/2019



DECISION ON DISCIPLINARY PROCEEDINGS

From the procedure instructed by the Spanish Data Protection Agency and based on the following

BACKGROUND


FIRST: D. A.A.A. (hereinafter, the claimant) on 14 June 2019 filed a complaint with the Spanish Data Protection Agency. The claim is directed against IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL with NIF A85850394 (hereinafter the claimed party). The reasons on which the complaint is based are that having been a customer with an Iberia loyalty card (Iberia Plus), you applied for cancellation of the loyalty programme and of your personal data with that company.

Subsequently, you received written confirmation of the cancellation and deletion of your data. However, he continued to receive emails. In view of these facts, he filed a complaint with this Agency in August 2018, from which the sanctioning procedure PS/00370/2018 was derived.

This being the case, he has again received emails from the requested party at the same email address in which it is clear that this company has not cancelled its data and is still listed as being linked to the Iberia Plus loyalty programme.

The following documentation, among others, is provided

-	Copy of the e-mail received in your mailbox. It informs you that you can authenticate in your personal Iberia Plus space not only with your Iberia Plus number, but also with your email and password.

SECOND: In view of the facts set forth in the complaint and the documents provided by the complainant, the Subdirectorate General for Data Inspection proceeded to carry out actions for its clarification, under the investigative powers granted to the supervisory authorities in Article 57.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD).

As a result of the investigative actions carried out, it has been established that the person responsible for the processing is the one who has been requested.

The following points are also noted:


As a result of the consultation made to the application of the AEPD that manages previous sanctions and warnings on data protection, that IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL with NIF A85850394, it is recorded that on August 1, 2018, another claim was filed with the Spanish Data Protection Agency against the claimed party, in which the claimant stated that he continued to receive commercial communications from IBERIA after this entity confirmed him, On October 20, 2017, the cancellation of your personal data in response to your request, dated October 3, 2017, to cancel the "Iberia Plus Loyalty Card" and to cancel your personal data. These facts led to the sanctioning procedure PS/00370/2018.

2.- The claimed party states in response to this complaint: "Despite the fact that the claimant was removed from the Iberia Plus program on 09/10/2017, due to a new change implemented at the corporate level to provide more security for access to the private area of customers on the web portal, a mass communication was sent out with the requirements for new access to accounts and the actions that each user had to carry out. However, at the time of the design of the "mailing" for the sending of communication, which is carried out manually, due to an unintentional error, the e-mail of this former member of the program was erroneously included".

They state that: "after the analysis of the case, they have created a new project to review the processes of cancellation of all commercial communications of the company, and they are going to incorporate exclusion lists and automate their application, to avoid possible human errors in the realization of the manual processes of preparation of distribution list. They are going to accompany it with a training process for the people in charge of selecting the target audience".

THIRD: On November 19, 2019, the Director of the AEPD agreed:

"INITIATE PENALTIY PROCEEDINGS against IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL, with NIF A85850394, for the presumed infringement of Article 6.1 of the RGPD typified in Article 83.5 a) of the aforementioned RGPD". opting for a penalty that could correspond to 20,000 euros (twenty thousand euros), being notified on 21 November 2019.

FOURTH: The following proven facts have emerged from the proceedings in these proceedings:

As a result of the consultation made to the application of the AEPD that manages previous sanctions and warnings on data protection, that IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL with NIF A85850394, it is recorded that on August 1, 2018 another claim was filed with the Spanish Data Protection Agency against the claimed party, in which the claimant stated that he continued to receive commercial communications from IBERIA after the said entity confirmed, on October 20, 2017, the cancellation of his personal data in response to his request, dated October 3, 2017, to be removed from la “Tarjeta de Fidelización Iberia Plus”	y de	cancellation of your personal data.

These facts led to the sanctioning procedure PS/00370/2018.

2.- The claimed party states in response to this complaint: "Despite the fact that the claimant was removed from the Iberia Plus program on 09/10/2017, due to a new change implemented at the corporate level to provide more security for access to the private area of customers on the web portal, a mass communication was sent out with the requirements for new access to accounts and the actions that each user had to carry out. However, at the time of the design of the "mailing" for the sending of communication, which is carried out manually, due to an unintentional error, the e-mail of this former member of the program was erroneously included".

They state that: "after the analysis of the case, they have created a new project to review the processes of cancellation of all commercial communications of the company, and they are going to incorporate exclusion lists and automate their application, to avoid possible human errors in the realization of the manual processes of preparation of distribution list. They are going to accompany it with a training process for the people in charge of selecting the target audience".

The respondent has not submitted any arguments to the agreement to initiate the present proceedings.



LEGAL FOUNDATIONS

I

By virtue of the powers that Article 58.2 of the RGPD grants to each supervisory authority, and as established in Articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
II

In the present case, from the complaint and documentation presented, it is noted that, the claimant has continued to receive e-mails from the complained party. As the latter acknowledges, in its reply to the transfer of the claim.

Consequently, given that in the case in question there is recidivism due to the commission of infringements of the same nature, given that the complainant continued to receive emails from the requested party, even after the resolution of the PS/00370/2018 sanctioning procedure was issued.

Therefore, the known facts constitute an infringement, attributable to the defendant, for violation of Article 6.1, of the RGPD, which states that: "in accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679, consent of the affected party is understood as any free, specific, informed and unequivocal expression of will by which the affected party accepts, either by statement or clear affirmative action, the processing of personal data concerning you".

Article 72.1(b) of the LOPDGDD defines "very serious" as "the processing of personal data without meeting any of the conditions for the lawfulness of processing set out in Article 6 of the RGPD".

III

This infringement may be sanctioned with a fine of up to 20,000,000 euros or, in the case of a company, of up to 4 % of the total annual turnover of the previous financial year, whichever is greater, in accordance with Article 83.5 of the RGPD.

In accordance with the precepts indicated for the purposes of setting the amount of the penalty to be imposed in this case, it is considered that the penalty to be imposed should be graduated in accordance with the following criteria established in Article 83.2 of the RGPD:

As aggravating criteria:

-	Intentionality or negligence in the infringement (paragraph b).

-	For other previous infringements committed by the controller or processor (section e).

The balance of the circumstances referred to in Article 83.2 of the RGPD, with respect to the infringement committed by violating the provisions of Article 6 thereof, allows for a penalty of 20,000 euros (twenty thousand euros), classified as "very serious", for the purposes of prescription, in Article 72.1.b) of the LOPDGDD.

Therefore, in accordance with the applicable legislation and assessed the criteria for the graduation of the sanctions whose existence has been accredited,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL, with NIF A85850394, for an infringement of Article 6.1 of the RGPD, typified in Article 83.5 of the RGPD, a fine of

SECOND: TO NOTIFY this resolution to IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA UNIPERSONAL.

THIRD : To warn the sanctioned party that he/she must make the sanction imposed effective once this resolution is enforceable, in accordance with the provisions of article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in article. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to article 62 of Law 58/2003, of 17 December, by means of its entry, indicating the tax identification number of the person sanctioned and the number of procedure that appears in the heading of this document, in the restricted account nº ES00 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the CAIXABANK, S.A. Bank.

Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the period for making the voluntary payment will be up to the 20th of the following month or the immediately following working month, and if it is between the 16th and last day of each month, inclusive, the period for payment will be up to the 5th of the second following month or the immediately following working month.

In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge, optionally, an appeal for reversal with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this decision or directly an administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Act.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send to the Agency the documentation that proves the effective lodging of the contentious-administrative appeal. If the Agency is not informed of the lodging of the contentious-administrative appeal within two months from the day following the notification of the present decision, it shall terminate the precautionary suspension.

Mar Spain Marti

Director of the Spanish Data Protection Agency