AEPD (Spain) - EXP202206626

From GDPRhub
Revision as of 13:21, 13 December 2023 by Ar (talk | contribs) (Ar moved page AEPD (Spain) - PS/00427/2022 to AEPD (Spain) - EXP202206626)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
AEPD - PS/00427/2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 83(5) GDPR
Type: Complaint
Outcome: Upheld
Started: 08.06.2022
Decided: 30.08.2023
Published: 30.08.2023
Fine: 300 EUR
Parties: n/a
National Case Number/Name: PS/00427/2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Mgrd

The Spanish DPA fined €300 for installing security cameras that focused beyond the private property of the controller's, violating Article 5(1)(c) GDPR.

English Summary

Facts

The data subject states that he is a neighbor of the controller who has installed a video surveillance camera in his own home. Due to the surveillance camera's location and orientation, the system is capable of capturing images of the data subject's home, without being authorized to do so.

The controller affirmed that the cameras were installed in his own property and they do not focus, record or reproduce any personal or material element that is not inside his property. The cameras were installed solely for the security of the persons, property, installations and domestic animals on the property.

In addition, the controller claimed that none of the cameras were placed towards the private property of any neighbor or focused on such property or persons.

Holding

The Spanish DPA highlighted that in no case shall the use of surveillance practices be permitted beyond the area covered by the installation and, in particular, may not affect the surrounding public spaces, adjacent buildings and vehicles other than those accessing the monitored area.

The cameras installed may not obtain images of third parties' private space and/or public space without duly accredited with a justified cause, nor may they affect the privacy of passers through the area.

It is not permitted to place cameras on the private property of neighbors for the purpose of intimidating them or affecting their private sphere without just cause. Nor may images be captured or recorded in spaces owned by third parties without the consent of the owners or, where appropriate, of the persons who are there.

The Spanish DPA concluded that two cameras can focus beyond the private property of the controller's private property.

The Spanish DPA fined €300 the controller for installing security cameras that focused beyond his private property, violating Article 5(1)(c) GDPR. AEPD also determined the removal of the cameras in question or the regularization of the cameras, in accordance with current legislation, so that they do not record or capture images of the data subject's home or of the public or private road next to it.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/12










     File No.: EXP202206626



                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
to the following


                                  BACKGROUND

FIRST: Ms. A.A.A. (hereinafter, the complaining party) dated June 8,
2022 filed a claim with the Spanish Data Protection Agency. The

claim is directed against D. B.B.B. with NIF ***NIF.1 (hereinafter, the part
claimed), for the installation of a video surveillance system located in
URBANIZATION ***URBANIZATION.1, ***LOCALITY.1, LLEIDA, existing
indications of a possible non-compliance with the provisions of article 5.1.c) of the Rules-
General Data Protection Regulation (hereinafter, RGPD).


The reasons underlying the claim are the following:

The complaining party states that it is a neighbor of the claimed party and that the latter has
installed in your home a video surveillance camera that, due to its location and
orientation, is capable of capturing images of the complaining party's home,

without having authorization to do so.
Provides image of the camera location.

The documents provided are:
- Photo report


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party, to
to proceed with its analysis and inform this Agency within a period of one month, of the
actions carried out to adapt to the requirements provided for in the regulations of

Data Protection.

The transfer, which was carried out in accordance with the rules established in Law 39/2015, of
October 1, of the Common Administrative Procedure of Public Administrations
cas (hereinafter, LPACAP), was collected on June 15, 2022, as stated

in the acknowledgment of receipt in the file.

No response has been received to this transfer letter.

THIRD: On August 8, 2022, in accordance with article 65 of the

LOPDGDD, the claim presented by the complaining party was admitted for processing.

FOURTH: On October 26, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against the claimed party,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/12








in accordance with the provisions of articles 63 and 64 of the LPACAP, for the alleged
violation of Article 5.1.c) of the RGPD, typified in Article 83.5 of the RGPD.


FIFTH: The aforementioned initiation agreement has been notified in accordance with the rules established in
the LPACAP, the claimed party presented a written statement of allegations in which it only
stated that:
“ON DATE 11/04/2022, NOTIFICATION OF THE AGREEMENT TO START OF
SANCTIONING PROCEDURE.
FOR THIS PART, IT SHOULD BE INDICATED THAT ON DATE 06/09/2022, IT WAS ALREADY

ATTENDED TO THE REQUEST RECEIVED BY THIS DEPARTMENT WITH C.S.V.
XXXXXXXXXX…”

SIXTH: On February 20, 2023, a proposed resolution was formulated,
proposing that the Director of the Spanish Data Protection Agency sanction

to D. A.A.A., with NIF ***NIF.1, for a violation of Article 5.1.c) of the RGPD,
typified in Article 83.5 of the RGPD, with a fine of €300 (three hundred euros).

SEVENTH: On March 16, 2023, the claimed party presents allegations to
the proposed resolution, stating:
1. The proven facts indicate that the claimed party has installed in his home

a video surveillance camera. Totally uncertain thing.
2. The cameras that are installed on my property, at no time
focus, record or reproduce any personal item or material that is not
inside my property.
3. The cameras installed on my property are solely and for the purpose of

preserve the safety of people, property, facilities and domestic animals
that are found therein, and must indicate their accident rate within the
facilities.
5. None of the cameras are placed on any neighbor's private property.
or that could target said property or people.

6. None of the cameras can record images in spaces owned by third parties.
9. The cameras only perceive images from the private area, in this case my
property along with the rear part where the accidents occurred.
17. I request access to the file in order to verify its content and formulate the
allegations, complaints, claims and whatever you think is necessary.
18. Attached is a photographic report of the captures and limits of the cameras.


EIGHTH: Upon request for the file by the claimed party, on June 9
of 2023, said file is transferred, with a new deadline for carrying out the
allegations that it considers pertinent, in view of the same.


NINTH: On July 5, 2023, the claimed party presents new
allegations, after the transfer of the file, in which he states:

1-At no time has any infraction been carried out since the cameras only
perceive the images of a private area, in this case my property along with the part

rear where the accidents occurred that are still under investigation.
(both the toxic ones and the affected species)

2-The insurance company is aware of the installation of cameras and reviews
periodically its location.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/12








3-Public report from the municipal corporation is also attached indicating the reason
of the installation of the cameras and their viewing range.

4-Procedural expert report is attached, which certifies how and what situation
The cameras have, as well as whether they are fixed or mobile and their range.



Of the actions carried out in this procedure and the documentation
recorded in the file, the following have been accredited:



                                 PROVEN FACTS

FIRST: The claiming party states that it is a neighbor of the claimed party and that
He has installed a video surveillance camera in his home that, due to its location and
orientation, is capable of capturing images of the complaining party's home,
without having authorization to do so.

Provides image of the camera location.

SECOND: In the images provided by the claimed party it can be seen that
There are two cameras in which you can see that it is focused beyond the private property of
the claimed part.



                            FOUNDATIONS OF LAW

                                            Yo

                                      Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency

of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures."

                                            II
                                 Response Allegations


Having examined the allegations of the claimed party, these allegations are not accepted,
based on the following arguments:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/12








The report of the City Council ***LOCALIDAD.1 that it provides has no validity; only
It is a writing with the letterhead and seal of the City Council, but without any signature.


And in that writing it is stated: “It states that it has to pose perimeter cameras to the
exterior of the seva isolated single-family house. That the street gives the edge of the house,
“It is not a public road, it is part of the urbanization and is privately owned.”

In this sense, Royal Decree 128/2018, of March 16, which regulates the
legal regime of Local Administration officials with authorization of

national character establishes the following:
Article 2. Necessary public functions in all Local Corporations.
1. They are necessary public functions in all Local Corporations, whose
Administrative responsibility is reserved for Local Administration officials
with national authorization, the following:

a) Secretariat, including public faith and mandatory legal advice.
In art. 3 establishes what public faith includes. And although it is not planned
specifically the provision of issuing this type of reports, it is true that any
issue on which you want to determine its reliability, such as the ownership of
one way, would correspond to the secretary of the City Council. From the documentation on hand
In urban planning this information can be obtained and certified.


It is also indicated in the aforementioned municipal report: “That the municipal guard,
Agent 01, close this report on July 3, 2023.”

The functions of the guard or municipal agent are those established in the

GENERAL ORDINANCE OF CIRCULACIÓ, of the Alcoletge City Council, which
points out:
“TITLE FIRST. POWERS OF THE CRAZY POLICE / MUNICIPAL AGENTS
Article 3. Police Agents and Municipal Vigilants.
The agents of the Local Police are competent in the regulation of urban traffic.

formulation of the complaints that arise from the infractions that are committed against
therein provided by this ordinance and the rest of the applicable provisions.
In cases where it is not available to agents of the Local Police, in other words, it is available to
municipal vigilantes, this will determine the competencies that determine the protection of
l’art.1 and 13 of Llei 16/1991 of July 10, local policies (endavant LPL) and
other concordant provisions.

According to what is foreseen in the art. 13 of the LPL, the vigilants will be able to complete them
following performances:
a) Guard and monitor municipal assets, services, facilities and dependencies. b)
Order and regulate traffic within the urban core, in accordance with traffic regulations. c)
Participate in city assistance and civil protection tasks, in accordance with the

They dispose of the laws. d) Vetllar pel compliment of the regulations, of the ordinances, of the
bans, resolutions and other municipal provisions and acts.”

In view of the functions that the municipal guards have according to the Ordinance
cited, among them is not the issue of issuing reports such as the one provided to this
procedure.

Finally, the claimed party alleges that it attaches a procedural expert report, where

It is certified how and what situation the cameras have, as well as whether they are fixed or mobile and
the scope of them.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/12








However, there is no report in the documentation received by this Agency.
of procedural expert.
However, in relation to the range of the cameras, in the photographs sent

For the claimed party, it can be seen that there are two that focus beyond their property
private, as indicated in the Second Proven Fact of this resolution.

                                           III
                             The image is personal data


The physical image of a person, in accordance with article 4.1 of the GDPR, is data
personnel and their protection, therefore, is the subject of said Regulation. In article 4.2
The GDPR defines the concept of “processing” of personal data.


Images generated by a camera or video camera system are data from
personal nature, so its treatment is subject to protection regulations
of data.

It is, therefore, pertinent to analyze whether the processing of personal data (image of the

natural persons) carried out through the reported video surveillance system is
in accordance with the provisions of the RGPD.

                                           IV

                                       Infringement

Article 6.1 of the RGPD establishes the assumptions that allow the
processing of personal data.


Regarding processing for video surveillance purposes, article 22 of the LOPDGDD
establishes that natural or legal persons, public or private, may carry out
carry out image processing through camera or video camera systems
with the purpose of preserving the safety of people and property, as well as their
facilities.


The processing of personal data is subject to the rest of the principles of the
treatment contained in article 5 of the RGPD. We will highlight the principle of
data minimization contained in article 5.1.c) of the RGPD, which provides that
personal data will be “adequate, relevant and limited to what is necessary in relation to

with the purposes for which they are processed.”

This means that in a specific processing only the data can be processed
appropriate personnel, that are relevant and that are strictly necessary
to fulfill the purpose for which they are processed. Treatment must be adjusted and
proportional to the purpose at which it is directed. The relevance in the treatment of

data must occur both at the time of data collection and at the
subsequent treatment carried out on them.

In accordance with the above, the processing of excessive data must be restricted or
proceed to their deletion.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/12








The application of the principle of data minimization in video surveillance
means that images of public roads cannot be captured, since the
processing of images in public places, unless authorization is obtained

governmental, can only be carried out by the Security Forces and Bodies.

On some occasions, for the protection of private spaces, where there have been
installed cameras on facades or inside, it may be necessary to ensure the
security purpose the recording of a portion of the public road.


That is, cameras and video cameras installed for security purposes cannot
obtain images of public roads unless it is essential for this purpose, or
It is impossible to avoid it due to their location. And, in that case
extraordinary, the cameras will only be able to capture the minimum portion necessary to
preserve the safety of people and property, as well as its facilities.


In no case will the use of surveillance practices beyond the environment be permitted.
object of the installation and, in particular, not being able to affect public spaces
surrounding areas, adjacent buildings and vehicles other than those that access the space
guarded


The installed cameras cannot obtain images of third party private space
and/or public space without duly accredited justified cause, nor can they affect
the privacy of passersby who move freely through the area.

Therefore, the placement of cameras towards the private property of

neighbors with the purpose of intimidating them or affecting their private sphere without cause
justified.

Nor can images be captured or recorded in spaces owned by third parties.
without the consent of its owners, or, where appropriate, of the people who are involved in them.

find.

Likewise, it is disproportionate to capture images in private spaces, such as
such as changing rooms, lockers or worker rest areas.

                                            V

                       Obligations regarding video surveillance

In accordance with the above, the processing of images through a system

video surveillance, to be in compliance with current regulations, must comply with the
following requirements:

1.- Natural or legal persons, public or private, can establish a system
video surveillance with the purpose of preserving the security of people and property,

as well as its facilities.

It must be assessed whether the intended purpose can be achieved in another way less
intrusive to the rights and freedoms of citizens. Personal data only
must be processed if the purpose of the processing could not reasonably be achieved by
other means, considering 39 of the RGPD.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/12









2.- The images obtained cannot be used for a further purpose
incompatible with that which motivated the installation of the video surveillance system.


3.- The duty to inform those affected as provided in the articles must be complied with.
12 and 13 of the RGPD, and 22 of the LOPDGDD.

In this sense, article 22 of the LOPDGDD provides in relation to video surveillance
a “layered information” system.


The first layer must refer, at least, to the existence of the treatment
(video surveillance), the identity of the person responsible, the possibility of exercising rights
provided for in articles 15 to 22 of the GDPR and where to obtain more information about the
processing of personal data.


This information will be contained in a device placed in a sufficiently
visible and must be supplied in advance.

The second layer information must be available in one place easily
accessible to the affected person, whether it is an information sheet at a reception, cashier, etc...,

placed in a visible public space or on a web address, and must refer to the
rest of the elements of article 13 of the RGPD.

4.- The processing of images through the installation of camera systems or
video cameras must be lawful and comply with the principle of proportionality and the principle of

data minimization, in the terms already indicated.

5.- Images may be kept for a maximum period of one month, except in
those cases in which they must be kept to prove the commission of acts
that threaten the integrity of people, property or facilities.


In this second case, they must be made available to the authority
competent within a maximum period of 72 hours from becoming aware of the
existence of the recording.

6.- The person responsible must keep a record of treatment activities

carried out under your responsibility that includes the information to which you make
reference article 30.1 of the GDPR.

7.- The person responsible must carry out a risk analysis or, where appropriate, an evaluation
of impact on data protection, to detect those derived from the implementation

of the video surveillance system, evaluate them and, where appropriate, adopt measures to
appropriate security.

8.- When a security breach occurs that affects the processing of
cameras for security purposes, whenever there is a risk to the rights and

freedoms of natural persons, you must notify the AEPD within a maximum period of
72 hours.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/12








A security breach is understood to be the accidental destruction, loss or alteration or
unlawful use of personal data transmitted, stored or otherwise processed, or the
unauthorized communication or access to said data.


9.- When the system is connected to an alarm center, it can only be
installed by a private security company that meets the requirements
contemplated in article 5 of Law 5/2014 on Private Security, of April 4.

The Spanish Data Protection Agency offers through its website

[https://www.aepd.es] access to:

     legislation regarding the protection of personal data, including the
       RGPD and the LOPDGDD (section “Reports and resolutions” / “regulations”),

     the Guide on the use of video cameras for security and other purposes,

     the Guide for compliance with the duty to inform (both available in the
       section “Guides and tools”).

It is also of interest, in the case of low-risk data processing, the
free tool Facilita (in the “Guides and tools” section), which, through

Some specific questions allow us to assess the situation of the person responsible with respect to the
processing of personal data that it carries out, and, where appropriate, generate various
documents, informative and contractual clauses, as well as an annex with measures
indicative safety standards considered minimum.

                                           SAW

                                Administrative violation

In accordance with the proven facts found during the procedure
sanctioning, it is considered that the facts presented violate the provisions of the

article 5.1.c) of the RGPD, so they involve the commission of an infraction classified in
Article 83.5.a) of the GDPR, which provides the following:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the

global total annual business volume of the previous financial year, opting for
the largest amount:

a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;


For the purposes of the limitation period for infractions, the infraction indicated in the
previous paragraph is considered very serious in accordance with article 72.1 of the LOPDGDD,
which states that:


“Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that involve
a substantial violation of the articles mentioned therein and, in particular, the
following:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/12









a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.


                                           VII
                                        Sanction

Article 58.2 of the GDPR states:


“Each supervisory authority will have all of the following corrective powers:
indicated below:
(...)
d) order the person responsible or in charge of processing that the processing operations
treatment comply with the provisions of this Regulation, where applicable,

in a certain way and within a specified period;
(...)
i) impose an administrative fine in accordance with Article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case".


According to the provisions of article 83.2 of the GDPR, the measure provided for in article 58.2
d) of the aforementioned Regulation is compatible with the sanction consisting of a fine
administrative.


Regarding the violation of article 5.1.c) of the RGPD, taking into account the facts
proven, it is considered that the sanction that should be imposed is a fine
administrative.

The fine imposed must be, in each case, individual, effective, proportionate
and dissuasive, in accordance with the provisions of article 83.1 of the RGPD.


In order to determine the administrative fine to impose, the following must be observed:
provisions of article 83.2 of the RGPD, which indicates:

"2. Administrative fines will be imposed, depending on the circumstances of each

individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as

such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment,

taking into account the technical or organizational measures that have been applied under
of articles 25 and 32;
e) any previous infringement committed by the controller or processor;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/12








f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular whether the controller or processor notified the infringement and, if so, in what
extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the
same matter, compliance with said measures;

j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with article 42,
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”


For its part, in relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in
its article 76, “Sanctions and corrective measures”, provides:
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of medical treatments.
personal information.

c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have included the commission
of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity

f) The impact on the rights of minors
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
"There are disputes between those and any interested party."


The balance of the circumstances contemplated, with respect to the violation of the article
5.1 c) of the RGPD, allows a fine of €300 (three hundred euros) to be set.

                                           VIII

                                         Measures

The text of the resolution establishes what infractions have been committed and
the events that have given rise to the violation of the regulations for the protection of

data, from which it is clearly inferred what measures to adopt, without prejudice
that the type of procedures, mechanisms or specific instruments to
implementing them corresponds to the sanctioned party, since it is responsible for the
treatment who fully knows its organization and must decide, based on the
proactive responsibility and risk approach, how to comply with the GDPR and

LOPDGDD.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/12









Please note that failure to comply with the requirements of this organization may be
considered as an administrative offense in accordance with the provisions of the RGPD,

classified as an infraction in its articles 83.5 and 83.6, and such conduct may be motivated by
opening of a subsequent administrative sanctioning procedure.

                                           IV
                                      Conclusion


Therefore, in accordance with the applicable legislation and evaluated the graduation criteria of
the sanction whose existence has been proven, the Director of the Spanish Agency

of Data Protection RESOLVES:

FIRST: IMPOSE D. B.B.B. with NIF ***NIF.1, for a violation of the Article
5.1.c) of the RGPD, typified in Article 83.5 of the RGPD, a fine of 300 euros
(THREE HUNDRED euros).


SECOND: ORDER D. B.B.B. that, pursuant to article 58.2 d) of the GDPR, in the
Within ten business days, take the following measures:

     Prove that you have proceeded to remove the cameras in question, providing
documentary evidence with date and time that certifies such point, or, failing that, accreditation
regularization of the cameras, in accordance with current regulations, so

that does not record or capture images of the complaining party's home or the road
public or private that runs next to the homes.

THIRD: NOTIFY this resolution to B.B.B..


FOURTH: Warn the sanctioned person that he must make the sanction imposed effective
once this resolution is executive, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved

by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by entering it, indicating the NIF of the sanctioned person and the number
of procedure that appears in the heading of this document, in the account
restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:
XXXXXXXX), opened in the name of the Spanish Data Protection Agency in the
banking entity CAIXABANK, S.A.. Otherwise, it will be collected

in executive period.

Once the notification is received and once enforceable, if the enforceable date is
between the 1st and 15th of each month, both inclusive, the deadline to make the payment
voluntary will be until the 20th of the following month or immediately following business month, and if

The payment period is between the 16th and last day of each month, both inclusive.
It will be until the 5th of the second following or immediately following business month.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/12








Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the

Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within a period of one month to
count from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-administrative Chamber of the

National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.


Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file a contentious-administrative appeal.

If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Data Protection Agency, presenting it through
of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the

documentation that proves the effective filing of the contentious appeal
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.



                                                                                938-290523


Sea Spain Martí
Director of the Spanish Data Protection Agency

























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es