AEPD - PS/00417/2019

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
Article 83(4) GDPR
34(1) of the Spanish Law on Personal Data Protection (LOPDGDD)
34(3) of the Spanish Law on Personal Data Protection (LOPDGDD)
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 09.06.2020
Fine: 25.000 EUR
Parties: Glovo (GlovoApp23, S.L.)
National Case Number/Name: PS/00417/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

9 June 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a fine of up to 25,000 € on Glovo (GlovoApp23, S.L.) for failing to comply with its duty to appoint a Data Protection Officer (DPO), as per Article 37 of the GDPR.

English Summary

Facts

The decision follows a complaint submitted by a Spanish citizen stating that Glovo does not have a DPO to whom complaints regarding data protection can be addressed.

Dispute

The defendant responded to the AEPD's investigation requests, stating that it does not fall within the cases of Article 37 GDPR or those of Article 34 of the Spanish Law on Personal Data Protection (LOPDGDD), so it did not need to appoint a DPO. Glovo also stated that, despite this, on June 8th, 2018, it created an internal data protection board with exactly the same role and functions as a DPO (and even an internal data protection sub-board in order to incorporate the first one), and that this board effectively carries out the activity of a DPO. Accordingly, the AEPD started the corresponding sanction procedure; in that procedure, Glovo stated that, on March 13th, 2019, it had formally appointed a DPO, but had decided not to make this appointment public until February 2020, because the board, the sub-board and the legal department of Glovo had already been performing these functions effectively and with full guarantees for the rights and freedoms of data subjects.

Holding

Thus, the AEPD found that Glovo had infringed its duty to appoint a DPO as per Article 37 GDPR and Article 34(1) LOPDGDD, as well as its duty to register that appointment at the AEPD website [Article 34(3) LOPDGDD], and, after considering some aggravating circumstances [(i) the number of data subjects affected and the level of damage suffered by them, and (ii) the categories of personal data affected by the infringement], it decided to impose a fine of 25,000 € on Glovo.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Procedure Nº: PS/00417/2019

RESOLUTION OF PENALTY PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and on the basis of the following

BACKGROUND

FIRST: AAA, and BBB (hereinafter, the claimants) dated May 21 and November 2019 respectively filed a claim with the Spanish Agency for Data Protection.

Their claims are directed against GLOVOAPP23, SL with NIF B66362906 (hereinafter, the claimed).

The reasons on which they base their claim are that the claimed does not have a Delegate of Data Protection (hereinafter DPD) to whom to direct claims.

SECOND: After receiving the claim, the Sub-Directorate General for Inspection of Data proceeded to carry out the following actions:

On July 2, 2019, the first claim presented was transferred to the claimed for analysis and for communication to the claimant of the decision taken in that respect.

The claimed responds to the transfer of the claim stating that it falls neither among the assumptions of art. 37 GDPR nor those of art. 34 LOPDGDD, so it has no obligation to appoint a DPD.

THIRD: On January 13, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the claimed, for the alleged violation of article 37 of the GDPR, typified in article 83.4 of the GDPR.

FOURTH: Notified on January 22, 2020 of the aforementioned initiation agreement, the claimed presented on January 31, 2020 a brief of allegations in which, in summary, it stated that its personal data processing activity is exempt from the obligations established in articles 37 GDPR and 34 LOPDGDD, and, therefore, exempt from the obligation to appoint a Data Protection Officer.

However, it alleges that at no time has it denied the existence of a body dedicated, in the context of the organization, to the performance of the functions of a Data Protection Officer, since on June 8, 2018, it constituted the Data Protection Committee, in order to cover the technical areas of the company, and on the same date a Subcommittee on Data Protection was also appointed, to comply with the authorization of the Board of Directors to constitute said committee.

It concludes by stating that the Data Protection Committee carries out the functions of a Data Protection Delegate described in article 39 of the GDPR.

C/ Jorge Juan, 6 - 28001 Madrid - www.aepd.es - sedeagpd.gob.es
FIFTH: On February 25, 2020 the procedure instructor agreed to the opening of a test practice period, taking into account the previous investigation actions, E/06131/2019, as well as the documents provided by the claimed.

SIXTH: On February 26, 2020, a motion for a resolution was formulated, proposing that the entity claimed be penalized for an infraction of article 37 of the GDPR, typified in article 83.4 of the GDPR.

SEVENTH: On March 13, 2020, the defendant presents a brief of allegations to said proposal, stating that on May 23, 2019 the appointment of CCC as Delegate of Data Protection of the claimed took place, but it was not until February 2020 that it was decided to make the appointment official in front of third parties through its registration in the DPD Registry of the AEPD, since the Data Protection Committee, the Subcommittee and the Legal Department have been carrying out said functions effectively and with full guarantee of the rights and freedoms of the interested parties.

PROVEN FACTS

FIRST: The respondent does not have a Data Protection Officer appointed.

SECOND: The defendant alleges that its activity of processing personal data is exempt from the obligations established in articles 37 GDPR and 34 LOPDGDD, but that it nevertheless has a Data Protection Committee, which carries out the functions of a Data Protection Officer described in Article 39 of the GDPR.

THIRD: It has been found that the claimed, after this sanctioning procedure was started on January 13, 2020, communicated on January 31, 2020 to the Spanish Data Protection Agency the appointment of its Data Protection Officer.

FUNDAMENTALS OF LAW

I

The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with the provisions of art. 58.2 of the GDPR and in art. 47 and 48.1 of the LOPDGDD.

II

Article 37 of the GDPR establishes the following:

"1. The controller and the processor will designate a data protection delegate provided that:

b) the main activities of the controller or the processor consist of processing operations that, due to their nature, scope and/or purposes, require regular and systematic observation of data subjects on a large scale,"
In this sense, the LOPDGDD determines in its article 34.1 and 3: "Designation of a data protection officer"

1. "The data controllers and processors must appoint a data protection delegate in the cases provided for in article 37.1 of the Regulation (EU) 2016/679

3. The data controllers and processors will communicate within ten days to the Spanish Data Protection Agency or, where appropriate, to the data protection authorities, the designations, appointments and removals of data protection delegates both in the cases in which they are obliged to designate one and in the case in which it is voluntary."

III

It is considered that the lack of designation of a DPD, when the claimed carries out large-scale processing of personal data, gives rise to the violation of article 37.1 b) of the GDPR in relation to article 34 of the LOPDGDD.

In this sense, the defendant states that its organization has the Data Protection Committee, which performs the functions of a Delegate of Data Protection described in article 39 of the GDPR.

However, at the time of the sanctioning procedure, when accessing the website of the claimed by following the link https://glovoapp.com/en/legal/privacy, no mention was made of the Data Protection Officer of the claimed, as the figure that guarantees compliance with the data protection regulations of organizations.

However, it has been found that the defendant communicated on January 31, 2020 to the Spanish Data Protection Agency the appointment of its Delegate of Data Protection, a communication that was signed and notified by this Agency to the claimed on February 18, 2020.

IV

Article 83.7 of the GDPR establishes that: "Without prejudice to the corrective powers of supervisory authorities under Article 58 (2), each Member State may establish rules on whether and to what extent administrative fines can be imposed on public authorities and bodies established in that Member State"

Article 58.2 of the GDPR provides the following: "Each supervisory authority will have all the following corrective powers indicated below:

b) sanction any controller or processor with a warning when the processing operations have violated the provisions of this Regulation;

d) order the data controller or processor that the processing operations comply with the provisions of this Regulation, where appropriate, in a certain way and within a specified time frame;
i) impose an administrative fine pursuant to Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case;"

V

Article 73 of the LOPDGDD states: "Infractions considered serious"

"In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, in particular the following:

v) Breach of the obligation to appoint a data protection delegate when their appointment is required in accordance with article 37 of the Regulation (EU) 2016/679 and article 34 of this organic law."

Art. 83.4 of the GDPR establishes that "violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of EUR 10 000 000 maximum or, in the case of a company, an amount equivalent to a maximum of 2% of the total annual turnover of the previous financial year, opting for the largest amount:

a) the obligations of the controller and the processor pursuant to articles 8, 11, 25 to 39, 42 and 43"

Likewise, it is considered that the sanction to be imposed should be graduated in accordance with the following criteria established by article 83.2 of the GDPR:

As aggravating the following:

In the present case, the number of interested parties is found to be aggravating, since the claimed party performs personal data processing on a large scale by the number of clients it has (article 83.2 a)

Basic personal identifiers are affected (article 83.2 g)

Therefore, in accordance with the applicable legislation and the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: TO IMPOSE on GLOVOAPP23, SL, with NIF B66362906, for a violation of article 37 of the GDPR, typified in article 83.4 of the GDPR, a fine of € 25,000 (twenty five thousand euros).

SECOND: NOTIFY this resolution to GLOVOAPP23, SL

THIRD: Warn the sanctioned that it must make effective the sanction imposed once this resolution is executive, in accordance with the provisions of art. 98.1.b) of law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP), in the term of voluntary payment established in art. 68 of the General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by entering, indicating the NIF of the sanctioned and the number of procedure in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000, open in the name of the Spanish Agency of Data Protection at Banco CAIXABANK, SA. Otherwise, we will proceed to its collection in the executive period.

Notification received and once executive, if the date of enforcement is found between the 1st and 15th of each month, both inclusive, the term to make the voluntary payment will be until the 20th of the following month or the immediately following business day, and if it is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second month following or the immediately following business day.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.

Against this resolution, which ends the administrative procedure pursuant to art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may file, optionally, an appeal for reversal with the Director of the Spanish Agency for Data Protection within a month from the day after notification of this resolution or directly a contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, pursuant to the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day after notification of this act, in accordance with the provisions of article 46.1 of said Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution may be provisionally suspended in administrative proceedings if the interested party manifests its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Agency for Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining registries provided in art. 16.4 of the aforementioned Law 39/2015, of 1 October. The interested party must also transfer to the Agency the documentation that accredits the effective filing of the contentious-administrative appeal. If the Agency did not have knowledge of the filing of the contentious-administrative appeal within two months from the day after notification of this resolution, it would consider the precautionary suspension ended.

Mar España Martí
Director of the Spanish Agency for Data Protection