AN - 1861/2021

From GDPRhub
AN - 1861/2021
Courts logo1.png
Court: AN (Spain)
Jurisdiction: Spain
Relevant Law:
Article 122(1) Spanish DPA Bylaw
Article 24 Spanish Constitution
Decided: 16.02.2021
Published: 03.06.2021
Parties: CECOSA Hipermercados SL
Agencia Española de Protección de Datos
National Case Number/Name: 1861/2021
European Case Law Identifier: ECLI:ES:AN:2021:1861
Appeal from: AEPD (Spain)
Appeal to:
Original Language(s): Spanish
Original Source: CENDOJ (in Spanish)
Initial Contributor: n/a

The Spanish National High Court annulled a fine issued by the Spanish DPA for violating both the Spanish procedural law for administrative sanctions and the principle of the right to effective judicial protection enshrined in the Spanish Constitution.

English Summary[edit | edit source]

Facts[edit | edit source]

On 2019, the Spanish DPA (AEPD) fined a supermarket chain €100,000 for not implementing adequate measures to prevent the leakage of one of their security videos, that involved images from a well-known politician.

This AEPD decision was appealed before the Spanish National High Court (AN).

Holding[edit | edit source]

The AN concluded that the sanctioning proceeding carried out by the AEPD had not respected the procedural law for sanctioning proceedings nor the ethos of the right to effective judicial protection enshrined in the Spanish Constitution.

According to the general principles of the procedural law for sanctioning proceedings, any defendant has the right to a trial period, a draft resolution, and a period for allegations, that the AEPD did not grant to the controller, as they did not respond to the initial notification.

Additionally, the AEPD, in their initial assessment, only contemplated the violation of Article 9 (security of the data) of the former Spanish Data Protection Act, while in their resolution they also found a violation of Article 4 (quality of the data), but did not inform the controller about the allegations against them pursuant to the latter Article.

Furthermore, the DPA conducted an on-site investigation on different premises than where the problem had originated - in order to assess and verify the security protocol of the controller - but did not inform the controller that they could assess other infringements in those other premises.

According to Article 24 of the Spanish Constitution, defendants shall have the right to legal defence, to be informed about the allegations made against them, and to have the opportunity to prove themselves innocent, with whatever means of evidence.

Also, according to Article 122(1) Spanish DPA Bylaw, the DPA should carry out investigation activities that allow them to adequately determine the facts, identify the infringers, and identify all the relevant circumstances for the case, what the DPA failed to properly perform in this case, as they did not carry out all the necessary activities in a first place, and had to broaden their scope in a latter moment, without properly informing the defendant.

The AN considered that there had been a serious restriction of the defendant's rights to defence, which rendered the decision, as well as the fine imposed, null and void.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

Page 1
Roj: SAN 1861/2021 - ECLI: ES: AN: 2021: 1861
Cendoj Id: 28079230012021100195
Organ: National Court. Contentious Chamber
Headquarters: Madrid
Section: 1
Date: 02/16/2021
Resource Number: 2031/2019
Resolution No.:
Procedure: Ordinary procedure
Type of Resolution: Sentence
Contentious-Administrative Chamber
No. Resource. 0,002,031 / 2019
General Registration No.: 14814/2019
State Attorney
IImo. Mr. President:
Ilmos. Messrs. Magistrates:
Madrid, February 16, two thousand twenty-one.
Considering the contentious-administrative appeal that before this Administrative Litigation Chamber of the
National Court has promoted CECOSA Hipermercados SL, represented by the Attorney D. José Luis
Pinto-Marabotto Ruiz, against the General State Administration, represented by the State Attorney,
on sanction for serious infringement of the Data Protection Law. The President of this
Section Iltmo. Mr. Eduardo Menéndez Rexach.
FIRST.- The contested act comes from the Director of the Spanish Agency for Data Protection and is the
Resolution of December 2, 2018.
Page 2
SECOND.- Administrative contentious appeal filed before the Administrative Litigation Chamber
of this National High Court, after the administrative file was admitted for processing and requested,
transfer to the appellant to formalize the claim, requesting in the petition the estimate of the resource.
THIRD.- Once the claim was presented, it was transferred to the State Attorney, with delivery of the
administrative file for him to answer it and, once said answer was formalized, he requested in the petition that
the appellant's claims be dismissed and the contested act confirmed as being in accordance with
FOUR.- Once the demand was answered, the trial was received, the proposal was practiced and admitted to
instance of the plaintiff; After the presentation of conclusions by the parties and once the processing is completed,
The proceedings were concluded for sentencing, signaling for voting and ruling on February 2, 2021
in which, indeed, it was voted and failed.
FIRST. - The purpose of this appeal is the Resolution of December 2, 2018 (PS / 00336/2018), of
the Director of the Spanish Data Protection Agency (AEPD), by which the applicant was imposed:
- a fine of 100,000 euros as responsible for an infringement of art. 9 of Organic Law 15/1999, of 13
December, Protection of Personal Data (LOPD), classified as serious in article 44.3
h), in accordance with article 45.2, 4. b), c) and d) and 45.4 j) of the same Law.
- a fine of 50,000 euros for an infraction of article 4.1, classified as serious in article 44.3 c), of
in accordance with the provisions of article 45.2) and 45.4 f) and j) of the LOPD.
SECOND.- The appellant requests that:
A.- In relation to the sanction of 100,000 euros for an alleged violation of article 9 of the Organic Law
15/1999, Protection of Personal Data:
1.- Revoke the sanction in its entirety for not having infringed the aforementioned article 9;
2.- Subsidiarly to the foregoing, with partial estimation of the resource, in the event that the aforementioned has been infringed.
Article 9, quantify the sanction within the range established for minor infractions, in application of the
provided in article 45.5 LOPD, establishing a penalty of FIVE THOUSAND EUROS (5,000.- €),
3.- Subsidiarly to the foregoing, with partial estimation of the resource, in case of quantifying the sanction within
of the range established for serious offenses, reduce the sanction to its minimum degree, that is, FORTY
THOUSAND EUROS (€ 40,000), due to the lack of concurrence of any of the aggravating criteria contained in the
article 45.4 LOPD;
B.- Regarding the penalty of 50,000 euros for an alleged violation of article 4.1 of Organic Law 15/1999:
1.- Revoke the sanction in its entirety for not having infringed the aforementioned article 4;
2.- Subsidiarly to the foregoing, with partial estimation of the resource, in the event that the aforementioned has been infringed.
Article 4, quantify the sanction within the range established for minor infractions, in application of the
provided in article 45.5 LOPD, establishing a penalty of FIVE THOUSAND EUROS (5,000.- €),
3.- Subsidiarly to the foregoing, with partial estimation of the resource, in case of quantifying the sanction within
of the range established for serious offenses, reduce the sanction to its minimum degree, that is, FORTY
THOUSAND EUROS (€ 40,000), due to the lack of concurrence of any of the aggravating criteria contained in the
Article 45.4 LOPD.
In defense of his claim, he alleges that the resolution contains a series of facts that have nothing to do with it.
with the inspection carried out in the Eroski hypermarket of the "Luz del Tajo" shopping center, in Toledo, on the 23rd of
May 2018, but refers to the publication of some images recorded at the time in which
a person of notorious public relevance allegedly stole certain objects from said center
commercial, on May 4, 2011, whose publication had an important media relevance, on which
no action was taken by the Agency.
Regarding the violation of article 9 LOPD, it indicates that it did have legitimate documentary support for
allow the contractor (OMBUDS) access to the organized set of data surrounding the treatment of the
video surveillance file and article 12 of the Law does not require that it must be a contract independent of the rest
of documents that regulate the relationship with a provider that accesses data; on the other hand, it has been
proven that technical conditions of the service were agreed, details of the services to be provided by OMBUDS,
Page 3
general rules, cover letter, prevention activities and Operational Manuals with details of the
level of service, and effective control of OMBUDS employees was not the responsibility of the claimant,
but from his employer, with whom he hired the professional services, and with respect to his own
employees, Eroski Luz del Tajo has different means, procedures and protocols that inform them
on the treatment of data in the matter of video surveillance, adapted to the norms of the LOPD. He adds that
Security measures applicable to the treatment are the basic ones, in the sense of article 81.1 of the Regulation
LOPD, as it also results from the criteria of the "Video surveillance guide" published by the AEPD in 2009 and
that the plaintiff had a security document that protocolizes and deals with video tasks
surveillance; The Resolution, for its part, is limited to transcribing articles 89, 91 and 93 of the LOPD Regulation, without
relate it to the facts derived from the inspection or formulate specific allegations; the fact that
the establishment manager acknowledged that he was not aware of the existence of any protocol
security and that on one of the monitors he had pasted a post-it containing the user code
administrator and password, do not imply lack of access control measures or absence of functions
or staff obligations, but rather unintended human errors, which do not represent the policy of the
plaintiff in terms of data protection embodied, in this regard, in the terms and conditions of
Regarding the physical access control referred to in article 99 of the LOPD Regulation, it would not apply
as it corresponds to the basic level and, in any case, the inspection report reflects that "It is verified that
In the establishment there is an area with restricted access only to staff in which the center is located
security control, the intervention room, access to the central cashier area and customer service desk.
client. Access to this area is through a door that is permanently closed and only
The key is available to the team leader of the company that provides security services.
door opening by means of a button located on the central box ", which shows that it is in
an area of ​​private access and not open to the general public that, in addition, is reinforced by the work of the
security guards who control the access of visitors, so that the treatment or viewing of the
Video surveillance cannot be done by just anyone, as stated in the Resolution that is not in accordance with the Law, for
How much it has not been proven that there is an absence of security conditions in the premises and equipment.
Even if the offense is considered to have been committed, the sanction imposed is disproportionate and does not
None of the aggravating circumstances applied concur, but it is applicable, in the alternative, the
provided in article 45.5 and apply the corresponding sanction to minor infractions specified in a
a fine of 5,000 euros or, if the foregoing is not considered, impose the minimum serious fine.
Regarding the violation of article 4.1 LOPD, consisting of having photographs of people
suspected of theft, alleges that what was exposed on the walls (not visible to the general public but
only in the Video Surveillance and Security Room of the Control Center) were images of people who in
they had repeatedly committed thefts in hypermarkets operated by the applicant, generated by
it, as well as photographs sent by different State Security Forces and Bodies, whose purpose was
the security of goods and people and had their origin in the surveillance systems of CECOSA Hypermarkets
SL, as the inspectors were able to verify; everyone who enters hypermarkets is duly
informed of the capture of images by video surveillance, and that being a purpose such as that of
security of goods and people, no express or explicit consent is required, which excludes infringement
of article 4.1; Regarding the images sent by the State Security Forces and Corps, these
are legitimized for the treatment and, where appropriate, to require the collaboration of commercial companies
that operate establishments open to the public, so the only thing that must be assessed is whether the
maintenance of these images is provided or not, so the article would be equally applicable
45.5 LOPD and impose, alternatively, a fine of 5,000 euros or, if it is not estimated, the corresponding minimum
to serious infractions, according to the criteria of the Chamber expressed in the sentences that it cites.
THIRD.- The representation of the defendant Administration, for its part, opposes that the appealed resolution
it is in accordance with the law; Regarding the violation of article 9 LOPD, it has been proven that no
there are protocols for action and handling of data resulting from access to the video surveillance system
celebrated between the parties, the owner of the supermarket and OMBUDS, neither the employees are knowledgeable nor have they
been informed of their obligations in this regard. In relation to the infringement of article 4.1, the images
the author of a theft, obtained in the same or in another supermarket, cannot be collected
or storage to avoid that in the future they can access the public establishment, but there is the
Obligation to eliminate the images from video surveillance without the appellant having the authorization
for the collection of these data. Regarding the principle of proportionality, it has been respected, in attention to
the concurrent circumstances, for all of which he requests the dismissal of the appeal.
FOURTH.- The contested resolution makes a list of the investigation actions carried out with
reason for the publication in different media on April 25, 2018 "... of images
Page 4
from the recordings recorded by the video surveillance system installed in an establishment
commercial of the EROSKI supermarket chain corresponding to events that occurred on 05/04/2011 " .
report on said actions concludes that: "The lack of implementation of security controls
adequate measures and the supervision of their effectiveness and compliance led, in May 2011, to the unauthorized exit
of the recordings of the cameras of the video surveillance system that have been published in different
communication media " (Report of previous inspection actions E / 02335/2018, Annex I 8., folios
1,123-1140 of the File); within the framework of this specific investigation and "in order to verify how
realizes in practice the management of video surveillance systems, an inspection visit is carried out in a
EROSKI hypermarket managed by CECOSA located within the "Luz del Tajo Shopping Center", in the
municipality of Toledo " , as reflected in the Resolution of initiation of the sanctioning procedure
(Sixth fact). Following this Resolution, notified to CECOSA by electronic means on March 5, 2019
and automatically rejected on the 16th of the same month and year, there is no record of the practice of other
proceedings, the opening of the trial period or the proposed resolution and allegations of the company against
the one that directs the procedure, until the contested resolution, notified and received on September 3,
Under these conditions, it is clear that the rules established for the procedure have not been followed.
sanctioner, whose essential principles and guarantees have been violated, which determines the nullity of the
resolution, as will be discussed below.
In the first place, the actions carried out in the investigation, initiated ex officio, of some
facts in which, in principle, indications of infringement of article 9 LOPD could be appreciated, to sanction
other different ones using the elements collected in the previous investigation, referred to a moment and in
relationship with an establishment of the same organization that no longer existed; in the information request
carried out at CECOSA, the open investigation actions are mentioned " In the framework of the actions
practiced by the General Subdirectorate for Data Inspection initiated ex officio in order to clarify the
circumstances that have led to the publication in various media on April 25,
2018, of information that reproduces images captured by video cameras intended for the security of
one of the establishments of the EROSKI trademark, as shown in the press reports that
attached ... "
The reason why the inspection is carried out does not respond to the existence of indications of infringement of the
data protection rules in the specific establishment where the inspection takes place, but " to the object
to check in an EROSKI establishment that is operational how the management of
video surveillance systems " (Report of previous inspection actions, cited); therefore, neither the
those responsible for the center, nor those of CECOSA were informed of the possible existence of an infraction in the
center of Toledo, since the reason for the initiation of the proceedings was not related to the
operation of the surveillance system of this establishment, which the Agency recognizes in the response
given to the person who appeared in the published images when he requested information, as interested,
about said actions.
FIFTH.- In accordance with the consolidated doctrine of the Constitutional Court (for all St. TC 82/2019, of 17
June), the constitutional guarantees established in article 24 of the Constitution are applicable, with
certain nuances, to the administrative sanctioning procedures; among such guarantees is the
right of defense, the right to be informed of the accusation and the right to use the evidence
adequate in their defense.
The correct exercise of this right requires due notification to the interested party of the initiation of the
procedure, so that you can properly organize your defense, as well as the proper use of the
previous investigation activities that, according to article 122.1 of the LOPD Regulation, have as
object to determine if there are circumstances that justify the initiation of the sanctioning procedure
and "will be aimed at determining, with the greatest possible precision, the facts that could justify the initiation
of the procedure, identify the person or body that could be responsible and set the circumstances
relevant that could concur in the case " .
In this case, the investigative actions are initiated ex officio due to a breach of the principle of security of
the data, related to the operation and custody of the video surveillance system of an establishment
commercial located in the Vallecas neighborhood of this Capital, information requirements are
persons and entities and an inspection is carried out in another establishment, of the same property, to
determine how the management of video surveillance systems is carried out, without actually having any
an indication that the system of that establishment, or of any other, except the one that occurred in May 2011 in the
Vallecas disappeared already on the start date of the procedure, has given rise to a violation of the principle
of security.
Page 5
Thus, the applicant, informed of the opening of the preliminary investigation into those recordings from 2011,
published in 2018, provided the required information and facilitated the inspection visit to another
establishment without being, in turn, informed of the possibility of being sanctioned for the infraction of said
principle, let alone the commission of the second offense, to the principle of consent of the article
4.1 LOPD, which resulted from the inspection itself, which is not reflected until the resolution of initiation of the
sanctioning procedure, several months after the inspection.
In relation to the Initiation Agreement, it has already been said that it is the last action of the administrative procedure
before the Resolution and that there is no record that it came to the knowledge of the interested party, although it is true that
notified electronically in application of the provisions of article 43 of Law 39/2015, it also consists of
the date of making available -March 5, 2019- but also the automatic rejection date -16 of
March of the same year- and the referral data does not include the act in question but a generic "written",
and no other attempts were made so that the content of the initiation reached the knowledge of the interested party;
In addition, the provisions of article 89 of Law 39/2015 have been breached since the proposal was not notified
resolution, eliminating the possibility of submitting allegations; This is so because, although article 64.2
f) of Law 39/2015 contemplates the possibility that, if allegations are not made within the term established on the
content of the initiation agreement, it may be considered a resolution proposal when it contains a
precise pronouncement about the imputed responsibility, this does not exempt the Administration from notifying
the Agreement, this time as a proposed resolution, as indicated in the Agreement, with the aforementioned effects
on your right of defense; On the other hand, all the acts of instruction are prior to the agreement of
initiation, and the elements used in the Resolution to qualify the infractions already existed since the visit
inspection of May 23, 2018, as is clearly deduced from the First and Second Fundamentals
of the contested Resolution, and the sanctioning procedure does not formally begin until March 4
of 2019, which is contrary to the doctrine of the Supreme Court, expressed in the judgment of May 6,
2015 (R. 3438/2012) and the one cited in it, according to which: «[(] it is clear that a period of information
prior, either it consisted in the simple development of some investigative or inspection proceedings, or in
a period formally open as such, must necessarily be short and not conceal an artificial form of
carry out acts of investigation and mask and reduce the duration of the subsequent file itself. This is so
as soon as such preliminary investigative actions offer indications of the existence of an infraction, it is
It is necessary to proceed with the opening of the corresponding file [...] '.
In short, the circumstances set out allow us to consider that in this case there has been a serious
restriction of the plaintiff's right to defense, which determines the nullity of the resolution, leaving
without effect the sanctions imposed.
SIXTH.- For all the above reasons, the appeal must be upheld and, in application of art. 139.1. of the law
of this Jurisdiction, impose the costs of this appeal to the defendant Administration.
FIRST.- To estimate the present appeal No. 2031/2019, filed by the Attorney Mr. Pinto-Marabotto Ruiz,
in the representation it holds, against the Resolution of the Spanish Data Protection Agency described
in the first Foundation of Law, which is annulled for being contrary to law, leaving the sanctions without effect
SECOND.- Impose the defendant Administration the costs of the appeal.
This judgment is subject to a cassation appeal that must be prepared before this Chamber within the term
30 days from the day following that of its non - fication; in the writing of preparation of the appeal, you must
Proof of compliance with the requirements established in article 89.2. of the Jurisdiction Law
justifying the objective appeal interest it presents.
Thus, for this our judgment, testimony of which will be sent along with the administrative file to your
office of origin for its execution, we pronounce it, send it and sign it.