Spanish DPA imposes a 25.000 EUR fine on company for not appointing a DPO and not making the necessary notification to the DPA on time!
Some relevant facts of the case
- A Spanish company (Glovo) had not appointed a DPO but rather a “Data Protection Committee”. No notification was made to the Spanish DPA.
- An investigation procedure was triggered by a complaint filed by two data subjects.
- Glovo notified the appointment of an “official” DPO to the Spanish DPA during the latter’s investigation.
- The Spanish Law which implemented the GDPR imposes a 10-day delay to notify the designation, appointment or dismissal of a DPO to the DPA.
- The Spanish DPA considered that Glovo should have appointed a DPO because, given the number of customers that it has, it performs large scale processing.
- A 25.000 EUR fine is imposed on Glovo for breaching article 37 of the GDPR for not appointing a DPO and not making the necessary notification to the DPA on time.
On a side note: given that non-EU companies don’t benefit from the one-stop-shop principle, they have to notify the appointment of their DPO to all DPA’s in the EU/EEA where they process EU personal data (i.e. potentially 46 (!) different DPA’s).
Just a matter of time until a fine is imposed on a non-EU company for failure to appoint an EU Representative pursuant to Article 27 of the GDPR?
▪️Link to official decision (ESP): https://lnkd.in/eaiyYgH
▪️Non-official English translation by EDPO below:
Procedure Nº: PS/00417/2019
SANCTIONING PROCEDURE RESOLUTION
From the procedure instructed by the Spanish Data Protection Authority and on the basis of the following
FIRST: A.A.A., and B.B.B. (hereinafter, the plaintiffs) respectively lodged a complaint with the Spanish Data Protection Authority on 21 May and 4 November 2019.
Their claims are directed against GLOVOAPP23, S.L. with NIF B66362906 (hereinafter, the defendant).
The reason on which they base their claim is that no Data Protection Officer (hereinafter DPO) has been appointed to address the claims.
SECOND: Upon receipt of the complaint, the Subdirectorate General for Data Inspection carried out the following actions:
On 2 July 2019, the first complaint was transferred to the defendant for analysis and a communication was done to the plaintiffs of the decision taken in this regard.
The defendant responds to the transfer of the complaint by stating that neither within the text of Article 37 of the GDPR or within the one of Article 34 LOPGDD (Spanish Law implementing the GDPR), they have the obligation to designate a DPO.
THIRD: On January 13, 2020, the Director of the Spanish Data Protection Authority agreed to initiate sanctioning proceedings against the defendant, for the alleged violation of Article 37 of the GDPR, as defined under Article 83.4 of the GDPR.
FOURTH: Notified on 22 January 2020 of the aforementioned initiation agreement, the defendant submitted on 31 January 2020 a written statement of allegations in which, in summary, it stated that its personal data processing activity is exempt from the obligations laid down in Articles 37 GDPR and 34 LOPGDD, and therefore exempt from the obligation to designate a Data Protection Officer.
However, it claims that at no time it has denied the existence of a body dedicated, in the context of the organization, to the performance of the functions which are specific to a Data Protection Officer, since on 8 June 2018, it constituted the Data Protection Committee, in order to cover the technical areas of the company and on the same date, a Data Protection Sub-Committee was also appointed in order to comply with the authorization of the Board of Directors to set up that committee.
It concludes by stating that the Data Protection Committee performs the functions of a Data Protection Officer as described in Article 39 of the GDPR.
FIFTH: On 25 February 2020, the investigator of the proceeding agreed on the opening of a period of practice of evidence, taking into account the previous investigation actions, E/06131/2019, as well as the documents provided by the defendant.
SIXTH: A proposal for a resolution is made on 26 February 2020, proposing that the requested entity be sanctioned for a violation of Article 37 of the GDPR, as referred to in Article 83.4 of the GDPR.
SEVENTH: On 13 March 2020, the defendant filed a brief of allegations to the aforementioned proposal, stating that on 23 May 2019, C.C.C. was formally appointed as the defendant’s Data Protection Officer, but it was not until February 2020 that it was decided to make the appointment official to third parties by registering the DPO to the Spanish Data Protection Authority’s Registry, since the Data Protection Committee, the Subcommittee and the Legal Department had been carrying out these functions effectively and with full guarantee of the rights and freedoms of the data subjects.
FIRST: The defendant has not appointed a Data Protection Officer.
SECOND: The defendant claims that its personal data processing activity is exempt from the obligations set out in Articles 37 GDPR and 34 LOPGDD, but that, nevertheless, it has a Data Protection Committee, which performs the functions of a Data Protection Officer as described in Article 39 of the GDPR.
THIRD: It has been found that the defendant, after the start of the present sanctioning procedure on 13 January 2020, communicated on 31 January 2020 to the Spanish Data Protection Authority the appointment of its Data Protection Officer.
The Director of the Spanish Data Protection Authority is competent to resolve this procedure, in accordance with the provisions of Article 58.2 of the GDPR and Articles 47 and 48.1 of the LOPDGDD.
Article 37 of the GDPR provides:
“1. The controller and processor shall appoint a data protection officer provided in any case where
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or purposes, require a regular and systematic monitoring of data subjects on a large scale”
In this regard, the LOPDGDD determines in Article 34.1 and 3: “Appointment of a data protection officer”
- “The data controllers and processors shall appoint a data protection officer in the cases provided for in Article 37.1 of the Regulation (UE) 2016/679
- The data controllers and processors will communicate within ten days to the Spanish Data Protection Authority or, where appropriate, to the regional data protection authorities, the designations, appointments and dismissals of data protection officers both in cases where they are obliged to be designated and in the case where they are voluntary.”
The failure to designate DPO, when carrying out the claimed processing of personal data on a large scale, is considered to result in the infringement of Article 37(1 b) of the GDPR in conjunction with Article 34 of the LOPDGDD.
In this sense, the defendant states that in its organization it has a Data Protection Committee, which performs the functions of a Data Protection Officer as described in Article 39 of the GDPR.
However, at the beginning of the sanctioning procedure, when accessing the website of the defendant following the link, https://glovoapp.com/en/legal/privacy, no mention was made of the defendant’s Data Protection Office, as the figure guaranteeing compliance with the organization’s data protection regulations.
However, it has been noted on 31 January 2020 that the defendant notified the Spanish Data Protection Authority of the appointment of its Data Protection Officer, a communication that was signed and notified by this Authority to the defendant on 18 February 2020.
Article 83.7 GDPR provides that: “Without prejudice to the corrective powers of the supervisory authorities pursuant to Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State”
Article 58.2 of the GDPR provides that: “Each supervisory authority shall have all of the following corrective powers:
b) to issue reprimands to a controller or processor where processing operations have infringed provisions of this Regulation;
d) order the controller or processor to comply to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period;
i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of the measures referred to in this paragraph, depending on the circumstances of each individual case;
Article 73 of the LOPDDG states that:” Violations considered serious
“Pursuant to Article 83.4 of Regulation (EU) 2016/679, infringements which substantially infringe the articles referred to therein and, in particular the following, shall be regarded as serious and shall be limited after two years:”
v) Failure to comply with the obligation to appoint a data protection officer when its appointment is required under Article 37 of Regulation (EU) 2016/679 and Article 34 of this organic law.”
Article 83.4 of the GDPR provides that “infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43”
It is also considered that the penalty to be imposed should be graduated according to the following criteria established in Article 83.2 of the GDPR:
The following are aggravating factors:
- In the present case, the number of affected data subjects is found to be an aggravating factor, given that the defendant processes personal data on a large scale given the number of customers that it has (Article 83.2 a)
- Basic personal identifiers are affected (Article 83.2 g)
Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been established,
the Director of the Spanish Data Protection Authority RESOLVES:
FIRST: IMPOSE GLOVOAPP23, S.L., with NIF B66362906, a fine of EUR 25,000 (twenty-five thousand euros) for an infringement to Article 37 of the GDPR, as categorized under Article 83.4 of the GDPR.
SECOND: NOTIFY this resolution to GLOVOAPP23, S.L.
THIRD: To warn the sanctioned party that it must make the sanction imposed effective once this resolution is enforceable, in accordance with Article 98.1(b) of Law 39/2015 of 1 October of the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulation, approved by Royal
Decree n° 285 of 29 July on Art. 62 of Law 58/2003, of 17 December, by means of its payment, indicating the tax identification of the sanctioned party and the procedural number that appears in the heading of this document, into the restricted account n° ES00 0000 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Authority at Banco CAIXABANK, S.A. Otherwise, it will be collected during the enforcement period.
Once the notification has been received and once it has been executed, if the date of execution is between the 1st and 15th of each month, inclusive, the term for voluntary payment will be up to the 20th of the following month or immediately following business month, and if it is between the 16th and last day of each month, inclusive, the payment term will be up to 5th of the second month following or the immediately following business month.
In accordance with Article 50 of the LOPDGDD, this Resolution shall be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure pursuant to Article 48.6 of the LOPDGDD, and in accordance with Article 123 of the LPACAP, the interested parties may lodge, optionally, an appeal for the reversal to the Director of the Spanish Data Protection Authority within one month from the day following the notification of this decision or directly an administrative appeal before the Administrative Litigation Chamber of the Audiencia Nacional, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the Administrative Litigation Jurisdiction, within two months from the day following the notification of this act, as provided for in Article 46.1 of the aforementioned Law.
Finally, it is noted that, in accordance with Article 90.3 a) of the LPACAP, the final resolution may be suspended as a precautionary measure through administrative channels if the interested party expresses its intention to file an administrative-litigation appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Authority, presenting it through the Authority’s Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of other registers provided for in Article 16.4 of the aforementioned Law 39/2015, of 1 October. It shall also transfer to the Authority the documentation proving to the effective filing of the administrative-litigation appeal. If the Authority is not informed of the lodging of the administrative-litigation appeal within two months from the day following the notification of the present decision, it shall terminate the precautionary suspension.
Mar España Martí
Director of the Spanish Data Protection Authority