AN - 578/2021

From GDPRhub
AN - 578/2021
Courts logo1.png
Court: AN (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(d) GDPR
Decided: 26.02.2021
Published:
Parties: Canary Island Cars, S.L.
National Case Number/Name: 578/2021
European Case Law Identifier: ECLI:ES:AN:2021:578
Appeal from: AEPD (Spain)
[[1]]
Appeal to: Unknown
Original Language(s): Spanish
Original Source: Consejo General del Poder Judicial (in Spanish)
Initial Contributor: Paola L.

A car rental company filed an appeal with the Spanish National High Court against a Spanish DPA decision in which a fine of €25,000 was imposed for breaching the principle of accuracy. The Spanish National High Court dismissed the appeal and declared the decision in accordance with the law.

English Summary[edit | edit source]

Facts[edit | edit source]

In the appealed AEPD's decision, PS/00385/2018, two customers had the same name, what caused a failure when verifying customer details, what caused Canary Islands Cars, a rental car company, to incorrectly use the information of customer A to create a car rental contract for customer B, who then committed a traffic offence. Subsequently, the details of customer A were incorrectly passed on to the Directorate General for Traffic (DGT).

Once the DGT contacted the complainant, she/he realised that the contract that Canary Island Cars provided to the DGT for the purposes of issuing the fine was dissimilar to the one she/he had initially signed. Based on the mismatch of information, the complainant appealed the fine upon receiving it.

The AEPD noted the following in resolution PS/00385/2018:

"Knowing that there may be different names and surnames, the defendant has elements to verify identity by the national ID number (DNI), number that matches that of the driving licence, customer number or printing of the copy of the contract, among others. Although these verifications are normally carried out by the employees, it should be noted that in this case they were not carried out. If any of the three elements had been verified, the defect could have been detected in its origin. In other words, the identification document must be required at the right time to make the procedure effective”.

The car rental company decided to appeal the case before the Spanish National High Court (Audiencia Nacional).

In their appeal to this resolution, Canary Islands Cars argued that the accuracy principle had not been breached because the associated name was correct. The car rental company alleged that this was a human error and a fortuitous event. It also argued that the sanction imposed was disproportionate.

Dispute[edit | edit source]

Was the resolution of the AEPD decided in error? Should the appeal of Canary Island Cars be granted?

Holding[edit | edit source]

When analysing the appellant's arguments, the National High Court (Audiencia Nacional) noted that "The mere coincidence of name and surname does not justify the creating of the car rental contract with the data of another person... especially when you have the person in front, to whom the car is handed over and several people or phases intervene: preparation of the contract, data collection and delivery-verification of the vehicle, delivery of a copy of the contract, payment, procedures in all of which must verify the identity of the contracting party and in this case no diligence is accredited".

The National High Court dismissed the appeal and declared that the resolution was in accordance with the law with express imposition of the payment of the procedural costs to the appellant.

Comment[edit | edit source]

This is one of the first cases of an Spanish Court dealing with the GDPR after it become applicable in 2018.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


Page 1
JURISPRUDENCE
Roj: SAN 578/2021 - ECLI: ES: AN: 2021: 578
Cendoj Id: 28079230012021100076
Organ: National Court. Contentious Chamber
Headquarters: Madrid
Section: 1
Date: 02/26/2021
Resource Number: 2202/2019
Resolution No.:
Procedure: Ordinary procedure
Speaker: FERNANDO DE MATEO MENENDEZ
Type of Resolution: Sentence
NATIONAL AUDIENCE
Contentious-Administrative Chamber
SECTION ONE
No. Resource. 0002202 / 2019
Resource Type: ORDINARY PROCEDURE
General Registration No.: 15970/2019
Applicant: CANARY ISLANDS CAR SL
Attorney: JORGE DELEITO GARCIA
Lawyer: ALVARO REQUEIJO PASCUA
Defendant: SPANISH DATA PROTECTION AGENCY
State Attorney
Speaker IImo. Sr .: D. FERNANDO DE MATEO MENÉNDEZ
JUDGMENT No.:
IImo. Mr. President:
D. EDUARDO MENÉNDEZ REXACH
Ilmos. Messrs. Magistrates:
Mrs. FELISA ATIENZA RODRIGUEZ
Mrs. LOURDES SANZ CALVO
D. FERNANDO DE MATEO MENÉNDEZ
Mrs. NIEVES BUISAN GARCÍA
Madrid, February twenty-six, two thousand twenty-one.
Seen by the Chamber, made up of the Judges related to the margin, the writ of appeal
contentious-administrative number 2,202 / 19, filed by the Attorney General Mr. Jorge
Deleito García, on behalf of and on behalf of CANARY ISLANDS CAR, SL , against the resolution of 5 of
September 2019 of the Director of the Spanish Agency for Data Protection, relapse in the procedure
sanctioner PS / 00385/2018, for which a penalty of 25,000 euros is imposed for an infraction of art.
5.1.d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, typified
in art. 83.5 of the aforementioned Regulation. It has been part ADMINISTRATION OF THE STATE , represented by
State Attorney. The amount of the appeal was set at 25,000 euros.
1
Page 2
JURISPRUDENCE
FACTUAL BACKGROUND
FIRST.- Once the appeal was admitted and after the appropriate procedural steps had been taken, a transfer was granted to the
plaintiff so that, within twenty days, formalize the claim, which was carried out by means of
brief presented on June 30, 2020 which, after presenting the facts and legal grounds that it considered
opportune, ended up requesting that sentence be passed, "in which, considering this appeal, it is declared that the
administrative action is not in accordance with the law, rendering it without effect and canceling the sanction imposed by
its disagreement with the Law, condemning the defendant Administration to pay the costs of the present
process " .
SECOND .- Once the claim was formalized, it was transferred to the defendant for them to answer it.
within twenty days, which he did by means of the pertinent brief, alleging the facts and grounds
deemed pertinent, requesting the dismissal of the appeal, with express imposition of costs
to the appellant.
THIRD.- Once the claim was answered, the parties were granted ten days to formulate conclusions,
and, once the corresponding writings were presented, the proceedings were concluded for sentencing,
being designated for voting and ruling on February 23 of this year, the date on which it took place.
BEING SPEAKER the Magistrate Ilmo. Mr. Don Fernando de Mateo Menéndez .
RU NDAMENTS OF LAW
FIRST.- The plaintiff challenges the resolution of September 5, 2019 of the Director of the
Spanish Agency for Data Protection, relapse in the sanctioning procedure PS / 00385/2018, by the
that a penalty of 25,000 euros is imposed for an infraction of art. 5.1.d) of Regulation (EU) 2016/679
of the European Parliament and of the Council of April 27, 2016 (hereinafter RGPD), typified in art. 83.5 of the
cited Regulation.
The proven facts on which the sanction is based are the following: "a) The data of the claimant were
assigned to the DGT by the claimed vehicle rental company, for appearing in their information systems
as the driver of the vehicle at the time of a traffic violation on 04/04/2018 at 1:47 PM. Provides the
certified claimant from his company in which that day, between 8 and 15 hours he was working, paying
its ordinary working day from 8 a.m. to 3 p.m.
a) The claimant states that she received the complaint from the DGT, providing the bulletin that bears the date of
05/07/2018 stating your data. The claimant submitted a letter appealing to the DGT the sanction on
05/30/2018.
b) The data of the claimant were delivered by the claimed to the traffic authorities on 05/03/2018 as
driver of the vehicle at the time the offense occurred, stating the finished NIF 162 H,
name and surname, address.
c) The complained party provides a copy of their information systems in which another client appears with the same
name and surname of the claimant, different: DNI, address and client number ending in 38, that of the
Claimant ends in 92, claimant registration date 11/15/2017, of the other person 3/1/2016.
d) The vehicle rental contract of the day that the traffic offense is caused 04/04/2018, figure
completed with the data of the claimant, its client code ending in 92, in letterpress of
computer, including a signature that does not resemble that of the claimant on the DNI whose copy was provided in
your claim. The car was delivered by a CICAR employee. The contract is not dated.
On the reverse side of the contract, the data processing, its purposes and headquarters are reported before which to exercise its
rights in English and Spanish.
e) The respondent manages the delivery of the vehicles and the contracting with a computer application that,
Among other things, it collects data from the driver's license and DNI (normally the same as the DNI and the license
of driving). The employee must indicate to begin the task of hiring and delivery of the vehicle, his
username and password and collect the data if it is the first time, print the contract and verify them. The
claimed states that it will insist on also verifying with the DNI, which coincides with the permit number
of driving.
f) The defendant provided a copy of the contract that the claimant used for the first time. It contains the
same data as the one that motivates this claim, data printed in the document, NIF, date of birth,
customer code ending in 092, vehicle delivery date 12/4/217 to 12/5/2017, and a handwritten signature that is
two
Page 3
JURISPRUDENCE
dissimilar to that of the contract that gives rise to the fine. The copy provided does not include the date on which it was signed
contract.
g) The complainant paid the penalty imposed on the complainant on 07/12/2018 ".
SECOND .- The plaintiff argues in the first place, the absence of typicity, since the
principle of accuracy that is included in art. 5.1.d) RGPD, sanctioned by a fortuitous event in which
a human error came together. The objective element of the type does not concur, because the behavior that is imputed: associate
a name and surname to a specific vehicle is correct behavior. The associated name and surname
They are right; They are the ones that correspond. The problem is that they are the same names and surnames that you have
another different client. There has been an error, but not typical behavior. Acting, moreover, does not refer to
a conduct developed with respect to the client, but rather refers to a response to a request for
identification, where only the data provided by the applicant can be taken as a reference.
The art. 5.1 d) of the RGPD, establishes: "The personal data will be:
d) accurate and, if necessary, up-to-date; all reasonable measures will be taken
so that personal data that are inaccurate with
regarding the purposes for which they are processed ('accuracy'); " .
In other words, the established obligation imposes the need for the personal data to be collected in
any file are accurate and respond, at all times, to the current situation of those affected, being
those responsible for the treatment who is responsible for the fulfillment of this obligation.
For its part, art. 58.2.i) of the RGPD provides: "2. Each control authority will have all the following
corrective powers listed below:
1. impose an administrative fine in accordance with article 83, in addition to or instead of the aforementioned measures
in this section, according to the circumstances of each particular case; " .
And, art. 83.5.a) of the RGPD, establishes: "Violations of the following provisions will be sanctioned,
according to paragraph 2, with administrative fines of maximum EUR 20,000,000 or, in the case of a
company, of an amount equivalent to a maximum of 4% of the total annual global business volume for the year
previous financial statement, opting for the one with the highest amount:
a) the basic principles for the treatment, including the conditions for consent in accordance with the
Articles 5, 6, 7 and 9; " .
While art. 72.1.a) of Organic Law 3/2018, of December 5, on the Protection of Personal Data
and guarantee of digital rights, states: "Violations considered very serious
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, they are considered very serious
and they will prescribe after three years the infractions that suppose a substantial violation of the articles
mentioned in that and, in particular, the following: 4. The processing of personal data violating the
principles and guarantees established in article 5 of Regulation (EU) 2016/679 ".
Thus, the imputed fact consists of associating a name and surname and the address data with
a specific vehicle, with which a traffic offense had been committed, and such data association
of a personal nature was inaccurate, as the appellant himself acknowledges, since the person to whom he
correspond to the given name and surname, she was not the driver of that vehicle.
And, he used the claimant's data to draw up a vehicle rental contract, and gave rise to the
identification as a driver of a vehicle incurring the infringement of inaccuracy of data in the
treatment carried out, proving that said data was not true, true or truthful. Precisely,
Completing the contract leads to wrongly identifying the cause of the infringement.
To which we have to add, what is highlighted in the sanctioning resolution: "Knowing that
There may be different names and surnames, the claimed has elements to discriminate by DNI,
number that matches the driver's license, customer number or printout of the contract copy,
among others, although these checks are carried out by the employees, it should be noted that in this case no
carried out, if any of the three elements had been verified, the defect could have been detected in
its origin. In other words, the identification document must be required at the right time to make it effective.
to measure".
And provide the inaccurate personal data of the complainant, derived from the contract, in a matter in the
that it does not have any intervention and their rights are indirectly violated when that
3
Page 4
JURISPRUDENCE
as responsible by the traffic authorities in an administrative file for said declaration of the
stop actor.
On the other hand, there is no record that the plaintiff had adopted the appropriate and effective measures that
allowed him to unequivocally identify the client who entered into the contract, and thus, in the demand, it comes
to recognize that "internal protocols have been modified by adding a new operating instruction to the
company personnel in order to carry out an additional check not only of name and number of
client but also by the DNI number, a number that cannot be duplicated between two citizens " .
Therefore, the existence of the infringement attributed to the appellant must be appreciated.
THIRD .- We proceed to analyze below, the question regarding the existence of guilt, invoked
his absence by the plaintiff.
It is said by the recurring company that in order for the responsibility provided by the
legal system for the commission of an administrative offense, a double title of
imputation: (i) the objective imputation, that is, that can be attributed from the point of view of the accusation
material, and (ii) subjective imputation, that is, volitional attribution. It is not enough, then, with the pure
devaluation of the result or with the objective injury of a protected legal asset, the devaluation of the
the action for the fraudulent or culpable commission of the conduct. Simple non-compliance can be understood as referring
to a norm, but the objective non-observance of the norm does not by itself justify the imposition of the sanction.
Thus, it is known that liability may be incurred for the infraction that we are examining.
both intentionally or maliciously or negligently (art. 28 of Law 40/2015, of October 1, on the Regime
Public Sector Legal-). And it should now be recalled that, as the Supreme Court points out in the Sentence
of January 23, 1998, "... although the guilt of the conduct must also be proven, it must be
considered in order to the assumption of the corresponding load that ordinarily the volitional elements and
cognitive factors necessary to appreciate it are part of the proven typical behavior, and that its exclusion
requires that the absence of such elements be accredited, or in its normative aspect, that the
diligence that was required by whoever claims its nonexistence; it is not enough, in short, for the exculpation in front of a
typically unlawful behavior the invocation of the absence of guilt ".
Well, none of the concurrent circumstances in the present case allows us to exclude this element.
subjective of the offense.
On the other hand, the plaintiff invokes two Judgments of this Section in which the existence of
of the element of guilt. The first of them dated December 23, 2013 - appeal no. 341 / 2012-, which is
It was an infringement of the duty of secrecy, by revealing to a third party the personal data that the company
In its files, it dealt with that client who was the holder of said contract, who was not even the one who reported it, so
the circumstances are different. And, secondly, the judgment invoked of September 13, 2019 -
resource no. 150 / 2017-, dealt with the infringement for not having made the prior request before the
inclusion of the personal data of the complainant in a file of patrimonial solvency, and the
sanction when proving that the appellant carried out the necessary procedures to carry out the request
prior to the inclusion of the data of the complainant, therefore, it is also about different circumstances.
And, regarding the existence of administrative precedents, in which it was not sanctioned by the Spanish Agency
of Data Protection, in addition to the fact that the concurrent circumstances are different from the present assumption,
which is intended is to extend, in the field of public law, situations contrary to the legal system,
Well, in the case that concerns us, as we have analyzed, it is possible to appreciate in the behavior of the plaintiff the
infringement of art. art. 5.1.d) of the RGPD.
Therefore, it is not possible to appreciate lack of guilt, having sufficient proof of charge to distort the
presumption of innocence, for which the existence of guilt in the offense is appreciated.
FOURTH .- Finally, the applicant company refers to the lack of proportionality and motivation
quantification of the sanction. It is argued that the sanction imposed is disproportionate. The amount of the
precise sanction that its determination is adequately reasoned by the administrative body attending
to the damages caused, intentionality of the deceased, etc. However, in view of the resolution and
considering similar or even more serious assumptions, it is not possible to know why it has finally been fixed
said sanction in the indicated figure and not in another.
In the sanctioning resolution, after taking into account the provisions of sections 1 and 2 of art. 83 of
RGPD, to which art. 76 Organic Law 3/2018, of December 5, says: "Regarding the duration of
the infringement is committed as soon as the data is reported, materializing at the time the claimed
receives the report bulletin of 05/07/2018, when the defendant files her claim, on 05/30/2018,
4
Page 5
JURISPRUDENCE
leaving the traffic fine in management waiting to clarify the identity of the driver, proceeding from
then on the part of the claimed to collaborate with the traffic authorities until the payment of the sanction
(83.2.a of the RGPD). The data affected are of a basic nature, in correspondence with those that usually
appear in vehicle leasing contracts (83.2.g) data that are otherwise disclosed to a
competent body. The fine was paid to the DGT for the one claimed on 07/12/2018. The claimant does not
suffers economic damage, since the process began with the claimed to clarify the facts.
To comply with the established legal obligation, extreme care must also be taken when
process data, concurring a lack of diligence through an employee regarding the completion of the
contract (article 83.2.b of the RGPD). The mere coincidence of name and surname does not justify the completion of the
vehicle rental contract with the data of another person, the claimant, especially when you have
to the person in front, to whom the vehicle is handed over and several people or phases intervene: preparation of the
contract, data collection and delivery-verification of the vehicle, delivery of a copy of the contract, payment, procedures in
All of which must verify the identity of the contracting party and in this case no diligence is accredited
some, despite the existence of a procedure. The defendant does not explain well what could have happened despite the
coincidence of name and surname, which cannot be used by itself, to understand why the events are happening.
The infringement is not due to the lack of protocol for the treatment of the data, although they must be reinforced
the same, and let employees know that they can lead to the commission of an offense if in their way
If they act, they do not carry out the aforementioned verifications (83.2.d).
The reinforcement that the respondent will remember in the hiring measures is positively valued (83.2.f)
as a way so that infractions such as the one analyzed are not repeated, but it is also appreciated that the same
it was already implemented.
It cannot be considered as indicated in the initiation agreement that there is a lack of collaboration with
the supervisory authority as it is proven that it sent reply briefs without the attached files, and in
Allegations to the agreement, it was seen that the letter was dated 08/16/2018. This is nothing but a will to
respond to the explanations of the AEPD, reflected in said letter without being related to "cooperation
in order to remedy the infringement and mitigate the possible adverse effects ", since they had already
solved and paid the fine, even before receiving the transfer of the complaint by the AEPD
(07/20/2018). It should be emphasized that in the management database of the Subdirectorate General of Inspection
there are no previous infractions on the part of the claimed party. Taking into account these circumstances, it is necessary
a penalty of 25,000 euros ".
The principle of proportionality of sanctions involves, according to the Court's case law
Supreme Court, such as the Judgment of April 12, 2012 -recourse no. 5.149 / 2009-, among others, that must exist
a proper adjustment between the seriousness of the act constituting the offense and the sanction applied, such as
provides art. 29.3 of Law 40/2015, of October 1.
Said principle cannot be exempted from judicial control, since the margin of appreciation granted to the
Administration in the imposition of sanctions within the legally foreseen limits, must be developed
weighing in any case, the concurrent circumstances, in order to achieve the necessary and due
proportion between the imputed facts and the responsibility demanded, since any sanction must be determined
in congruence with the entity of the offense committed and according to a criterion of proportionality in relation to
with the circumstances of the fact. Thus, proportionality constitutes a normative principle that is
imposes on the Administration and that reduces the scope of its sanctioning powers.
Well, in accordance with the considerations set out about the proportionality existing between
the sanction imposed and the seriousness of the sanctioned infraction taking into account the concurrent circumstances in the
In this case, the Chamber considers that the sanctioning resolution has not infringed the principle of proportionality
in determining the sanction imposed, which is weighted and proportionate to the seriousness of the
offense committed and the nature of the facts, and duly motivated, without appreciating reasons that
justify its reduction, especially taking into account the amount to which said sanction of
in accordance with art. 83.5.a) of the RGDP.
Consequently, this last ground of challenge must be rejected, and, therefore, the present appeal
contentious-administrative.
FIFTH .- In accordance with art. 139.1 of the Jurisdiction Law, it is appropriate to impose the procedural costs to the party
actor.
HAVING SEEN the cited articles, and others of general and pertinent application.
5
Page 6
JURISPRUDENCE
WE FAILED:
That dismissing the contentious-administrative appeal filed by the Attorney General Mr.
Jorge Deleito García, on behalf of and on behalf of CANARY ISLANDS CAR, SL , against the resolution of 5
September 2019 of the Director of the Spanish Agency for Data Protection, relapse in the procedure
sanctioner PS / 00385/2018, for which a penalty of 25,000 euros is imposed for an infraction of art.
5.1.d) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, typified
in art. 83.5 of the aforementioned Regulation, we declare the aforementioned resolution in accordance with the law; with express
imposition of the procedural costs to the plaintiff.
This judgment is subject to a cassation appeal, which must be prepared before this Chamber in the
within 30 days from the day following that of its non - fication; in the brief of preparation of the appeal
Compliance with the requirements established in art. 89.2 of the Jurisdiction Law
justifying the objective appeal interest it presents.
Thus, by this our Judgment, we pronounce it, send it and sign it.
PUBLICATION.- Given, read and published was the previous Judgment in Public Hearing. Attest.
Madrid to
THE LETTER OF THE ADMINISTRATION OF JUSTICE
6