Rp: Created page with “{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=EXP202406574 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00255-2024.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Code…”
|Jurisdiction=Spain
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD
|DPA_With_Country=AEPD (Spain)
|Case_Number_Name=EXP202406574
|ECLI=
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00255-2024.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=22.03.2024
|Date_Decided=10.10.2025
|Date_Published=12.02.2026
|Year=2025
|Fine=500
|Currency=EUR
|GDPR_Article_1=Article 5(1)(a) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1a
|GDPR_Article_2=Article 6(1) GDPR
|GDPR_Article_Link_2=Article 6 GDPR#1
|GDPR_Article_3=
|GDPR_Article_Link_3=
|GDPR_Article_4=
|GDPR_Article_Link_4=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=VOX España
|Party_Link_1=https://www.voxespana.es/
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=RP
|
}}
The AEPD fined a right-wing political party €500 for publishing a proof of delivery on Facebook that showed a person’s name, ID number and signature without a legal basis under [[Article 6 GDPR|Article 6 GDPR]].
== English Summary ==
=== Facts ===
On 22 March 2024, a data subject filed a complaint with the Spanish Data Protection Agency (AEPD) against VOX España.
VOX had sent a certified letter to a municipal company. On 8 February 2024, the data subject received the letter at their workplace and signed the proof of delivery. The document included the data subject’s name, national identification number and signature.
On 16 March 2024, VOX published an image of that proof of delivery on its Facebook page. The publication made the data subject’s personal data visible without restrictions. A notary confirmed that the publication remained online for five days.
The data subject stated that they had not consented to the publication of their personal data on social media.
On 29 April 2024, the AEPD informed VOX about the complaint and invited it to submit observations. VOX replied that the publication had been an oversight and that it deleted the post once it became aware of the issue. On 2 October 2024, the AEPD verified that the post was no longer accessible.
On 17 February 2025, the AEPD opened formal proceedings against VOX for a possible infringement of [[Article 6 GDPR]]. VOX argued that the publication was unintentional, that it had caused no real harm, that it had acted in good faith, and that the fine would be disproportionate.
=== Holding ===
The AEPD held that VOX had processed personal data by publishing the proof of delivery on Facebook. The authority considered that VOX acted as controller because it determined the purpose and means of the publication.
The AEPD found that the processing had no legal basis under [[Article 6 GDPR]]. The data subject had not given consent within the meaning of [[Article 6 GDPR#1a|Article 6(1)(a)]], and none of the other legal grounds in [[Article 6 GDPR#1|Article 6(1) GDPR]] applied.
The AEPD rejected VOX’s arguments on lack of intent and absence of harm. It stated that negligence was sufficient to establish liability. The authority also held that the later deletion of the post did not remove the infringement, although it could reduce the fine.
The AEPD concluded that VOX had infringed [[Article 6 GDPR]]. It imposed an administrative fine of €500.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
<pre>
1/21
• File No.: EXP202406574
RESOLUTION OF SANCTIONING PROCEEDINGS
Based on the proceedings initiated by the Spanish Data Protection Agency and the following:
BACKGROUND
FIRST: On March 22, 2024, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to VOX
ESPAÑA, with Tax Identification Number G86867108 (hereinafter, VOX).
The facts brought to the attention of this authority are as follows:
The complainant states that the political party being sued published, on March 16, 2024, on its Facebook profile in ***LOCATION.1
(***LOCATION.2), VOX ***LOCATION.1, an image of the acknowledgment of receipt for a certified letter sent by the party to a municipal corporation.
The complainant was the person who signed the receipt. The document published shows the complainant’s name, surname, signature, and national identity document number (DNI).
The following is attached to the complaint:
– the Facebook profile of VOX ***LOCATION.1 where, among other posts, the acknowledgment of receipt can be seen with the complainant’s name, surname, DNI, and signature.
– Notarial statement dated March 21, 2024, which includes the following:
“That on February 8, 2024, he received a letter with acknowledgment of receipt addressed to the entity ‘***COMPANY.1’ at his workplace (***LOCATION.1,
***LOCATION.2), signing the corresponding receipt.
That, naturally, the postal worker who delivered the document requested his National Identity Document and his signature (…).
That he was surprised that the sender of said certified letter published a photocopy of the acknowledgment of receipt, which includes his name, signature, and National Identity Document, on the social network ‘Facebook,’ specifically on the page ‘VOX ***LOCATION.1’.
That he was not informed that this document, containing his personal data, would be published on Facebook.” a social network and has not given either
express or tacit consent for it.
– that the aforementioned, (…), constitutes a crime against the fundamental right
to personal privacy, since their personal data, name, National Identity Document number, and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/21
personal signature, have been obtained by a third party, who is misusing it
(publishing data on a social network) and revealing it to other people, without the
requesting party being able to know the extent of its use by a third party.
– presents me at this time, a screenshot of the referenced page, in which
the publication on the social network “FACEBOOK” “VOX ***LOCALITY.1” appears, and from which
the stated data is derived. I, the Notary, certify that the data presented coincides with that previously indicated by the requesting party, returning the document to the requesting party.
-which has nothing to do with the statements published on the page “VOX
***LOCALIDAD.1” resulting from immediately preceding publications and which could be misunderstood by third parties, as the requesting party’s name and details appear immediately after those publications.
-which, to date, is verified by the information provided by Facebook and by the periodic reviews carried out by the requesting party since its publication, which has been published for five days.
(…)”.
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the complaint was forwarded to VOX so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements of data protection regulations.
Notification of the transfer of the complaint, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), was made on April 29, 2024, as evidenced by the acknowledgment of receipt included in the file. On May 12, 2024, this Agency received a written response stating:
The publication was an unintentional oversight. The party was unaware of the fact that the personal data appeared in a receipt.
As soon as they became aware of it, they deleted it.
THIRD: On May 30, 2024, in accordance with Article 65 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), the complaint was admitted for processing.
FOURTH: On October 2, 2024, an investigation was carried out confirming that the publication referred to by the complainant no longer appears on the social network.
FIFTH: On February 17, 2025, the Spanish Data Protection Agency (AEPD) decided to initiate sanction proceedings against the respondent, pursuant to Articles 63 and 64 of the LPACAP (Law on the Common Administrative Procedure of Public Administrations), for the alleged infringement of Article 6 of the GDPR, as defined in Article 83.5.a) of the GDPR.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 3/21
SIXTH: Having been notified of the aforementioned initiation agreement in accordance with the rules established in the LPACAP, the respondent submitted a statement of allegations which, in summary, stated the following:
1. Violation of the principle of culpability. Principle of presumption of innocence.
The events that prompted the opening of the disciplinary proceedings did not occur as a result of intent or negligence, and therefore would violate Article 25.1 of the Spanish Constitution and established case law.
It states that the publication on the social network Facebook of a letter related to the municipal group, and that the automated upload process included the data from a receipt confirmation embedded in the document, constituted a non-culpable oversight.
It adds that the receipt confirmation data is irrelevant to the purpose of the processing, should not appear in the publication, and appears unintentionally, due to an oversight that was not intended to cause any harm to the person who signed the receipt.
It adds that the established legal doctrine is clear and understands that any attempt to construct strict liability is prohibited, and that in the area of administrative liability, it is not enough for the conduct to be unlawful and typical; it must also be culpable.
Finally, it states that when they became aware of the publication, they removed it, and this is reflected in the initial agreement.
Furthermore, it states that the Court of Justice of the European Union has determined in its recent rulings that only a culpable infringement of the GDPR can lead to the imposition of an administrative fine.
Thus, it indicates that the CJEU expressly states that Article 83 of the GDPR establishes that an administrative fine cannot be imposed for an infringement of the Regulation without demonstrating that the data controller committed the infringement intentionally or negligently. Therefore, culpability is an indispensable requirement
for imposing the fine, understood as the situation in which
the data controller could not have been unaware of the infringing nature of their
conduct, whether or not they were conscious of the infringement in question.
Likewise, VOX states that the presumption of innocence is a fundamental right
of citizens enshrined in Article 24.2 of the Constitution, Article 6.2 of the
European Convention on Human Rights, and, for administrative proceedings,
enshrined in Article 53.2.b) of Law 39/2015, which establishes that the
interested party in an administrative proceeding has the right to the presumption of
no administrative liability until proven otherwise.
It also refers to:
– the Supreme Court ruling of July 10, 2007 (appeal no. 306/2002), which states that the burden of proof lies with the Administration to demonstrate guilt, since “it is not the interested party who must prove the lack of guilt.”
– the Supreme Court ruling of November 27, 2011 (appeal no. 2515/2009), which states that “the burden of proving the facts constituting the infraction falls inescapably on the acting Public Administration, without requiring the accused to bear an impossible burden of proof of the negative facts.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 4/21
SEVENTH: On November 5, 2025, a proposed resolution was issued,
recommending that the Presidency of the Spanish Data Protection Agency sanction VOX ESPAÑA, with Tax Identification Number G86867108, for an infringement of Article 6 of the GDPR, classified under Article 83.5.a) of the GDPR, with a fine of €500 (five hundred euros).
EIGHTH: Having been notified of the proposed resolution in accordance with the rules established in the LPACAP (Law on the Common Administrative Procedure of Public Administrations), VOX submitted a statement of objections on November 10, 2025, which raises the following points:
1. Principle of minimum intervention (Article 83.2 GDPR and Article 76.2 LOPDGDD).
VOX states that the AEPD should only impose sanctions when the infringement is of sufficient magnitude, and that, in cases like this, where there has been brief dissemination, without actual damage, without profit motive or recidivism, the principle of proportionality and the option of dismissal should be applied.
It refers to “Criteria 1/2019 of the Spanish Data Protection Agency (AEPD) on the gradation of sanctions,” which states that “the exercise of sanctioning powers must be proportionate and appropriate to the nature, circumstances, and magnitude of the facts, avoiding sanctions for cases of little relevance.”
2. Merely formal and remedied infringement.
VOX indicates that the publication was voluntarily removed before the resolution and without a court order, and understands that this is what the AEPD doctrine considers a “spontaneous cessation of processing” with a mitigating or exonerating effect if no damage persists.
It cites the resolution PS/00486/2020 of a local political association, which states that “the processing ceased as soon as it was known, there being no harm to the affected party, therefore no sanction is warranted and the case is closed.”
This circumstance would be met in this case, where the withdrawal was immediate and voluntary, eliminating any public access and guaranteeing that the act would not be repeated.
3. Lack of actual harm.
The GDPR requires that the processing actually affect rights or freedoms. In the absence of mass dissemination or proven harm, there is no relevant impact and, therefore, the principle of discretionary sanctions may be applied.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 5/21
In this regard, it refers to Opinion 1251 of the Council of State, according to which
“the principle of proportionality requires the dismissal of proceedings when the infringement is merely formal and has not caused irrelevant harm or risk.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 5/21
the principle of discretionary sanctions may be applied.
In this respect, it refers to Opinion 1251 of the Council of State, according to which
“the principle of proportionality requires the dismissal of proceedings when the infringement is merely formal and has not caused irrelevant harm or risk.”
VOX maintains that there is no evidence of any harm resulting from the brief publication, nor of any claims or damages, whether financial or moral. It insists that the potential harm was merely hypothetical and of negligence.
4. Lack of intent or gross negligence.
VOX states that the Spanish Data Protection Agency (AEPD) distinguishes between “occasional human error” and “continued negligence.” It adds that since training, supervision, and immediate withdrawal of the content did occur, there is insufficient evidence of culpability, according to Article 28.1 of Law 40/2015.
Furthermore, it cites PS/00261/2022 and states that “no gross negligence or intent is found; the incident was due to a material error and was promptly rectified. The case should be closed.”
It insists that the incident that prompted this investigation was due to an unintentional error,
without any intention of violating regulations or obtaining any benefit. Furthermore, internal review and training protocols have been adopted to prevent a similar situation from occurring.
5. Cooperation and good faith (Article 83.2.f of the GDPR).
VOX wishes to state that active cooperation with the Spanish Data Protection Agency (AEPD) and the prompt correction of the error constitute significant mitigating factors and may even justify dismissal of the case, in accordance with the principle of efficiency and procedural economy (Article 130.2 of the LPACAP).
It cites PS/00347/2021, in which “the respondent cooperated fully, removed the content, and adopted preventive measures. Based on the principle of proportionality, the case is dismissed.”
VOX insists that it has fully and transparently cooperated with the Spanish Data Protection Agency (AEPD),
providing the required information and demonstrating the removal of the content, as well as
the preventive measures adopted as a result of this incident.
6. Principle of proportionality and effectiveness (Article 89 of the LPACAP).
Article 89 of Law 39/2015 allows for dismissal or closure of the case when the
infringement lacks sufficient seriousness, or the offender has voluntarily corrected
their conduct.
VOX considers the proposed fine of 500 euros disproportionate to the
absence of harm, the cooperation shown, and the corrective measures adopted, and
that the preventive purpose of the regulation has already been fulfilled.
7. Request for dismissal.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 6/21
In light of the allegations presented and in accordance with the principles of Given the minimal intervention, proportionality, lack of actual harm, and spontaneous cessation of treatment, it is appropriate to order the dismissal of the disciplinary proceedings without imposing a sanction.
From the actions carried out in these proceedings and the documentation contained in the file, the following have been established:
PROVEN FACTS
FIRST: VOX ***LOCALITY.1 sent a communication by certified mail with return receipt requested to the complainant’s workplace.
SECOND: The complainant was the person responsible for collecting the document on February 8, 2024, signing with their name, surname, ID number, and signature.
THIRD: On March 16, 2024, the receipt for the document sent by VOX was published on the VOX ***LOCALITY.1 Facebook page, bearing the complainant’s name, surname, ID number, and signature, as they were the person who received it.
the document was collected.
FOURTH: The sworn statement executed before a Notary Public on March 21, 2024, confirms that the information has been published for five days.
FIFTH: On October 2, 2024, it was verified that the publication of the acknowledgment of receipt, including the name and surname of the claimant, had been removed from the VOX ***LOCALIDAD.1 Facebook page.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR)
and as established in Articles 47, 48.1, 64.2, and 68.1 of the Spanish Data Protection Act (LOPDGDD), the Presidency of the Spanish Data Protection Agency (AEPD) has jurisdiction to resolve this matter.
II
Procedure
Likewise, Article 63.2 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) establishes that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of
Regulation (EU) 2016/679, this Organic Law, the implementing regulations issued thereunder, and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 7/21
III
Allegations against the initiation agreement
In response to the allegations presented by the respondent, the following should be noted:
1. Violation of the principle of culpability. Principle of presumption of innocence.
VOX states that the events that motivated the opening of the disciplinary proceedings did not occur as a result of intent or negligence, but rather that it would be a Non-culpable oversight.
Furthermore, it adds that the details of the acknowledgment of receipt are irrelevant to the processing.
Despite VOX’s statements, it must be taken into account that the alleged facts are the publication on the Facebook social network of an acknowledgment of receipt with the name, surname, signature, and ID number of the claimant, without the consent of the data subject.
As already stated in the initial agreement, Recital 32 of the GDPR establishes that: “Consent must be given by a clear affirmative act which reflects a freely given, specific, informed and unambiguous indication of the data subject’s wishes to agree to the processing of personal data relating to him or her, such as a written statement, including by electronic means, or an oral statement.” This could include ticking a box on a website, selecting
technical parameters for using information society services, or
any other statement or conduct that clearly indicates in this context that the
data subject accepts the proposed processing of their personal data. Therefore,
silence, pre-ticked boxes, or inaction should not constitute consent.
Consent must be given for all processing activities carried out for the
same purpose or purposes. When processing has several purposes,
consent must be given for all of them. If the data subject’s consent is to be given
following a request by electronic means, the request must be clear, concise, and not
unnecessarily disrupt the use of the service for which it is provided.
Article 4 of the GDPR, concerning definitions, states in paragraph 11:
“11) ‘data subject’s consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
This is the act attributed to VOX, and despite its statements
that the legal doctrine is clear and considers any attempt to establish strict liability prohibited, and that in the realm of
administrative liability it is not enough for the conduct to be unlawful and typical, but
that it must also be culpable, it must be pointed out that the conduct
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 8/21
attributed did occur negligently, and this is deduced from VOX’s own
words when it states that the publication occurred due to an
oversight.
Thus, the principle of liability established in Article 28.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, stipulates that: “Only natural and legal persons, as well as, when a law recognizes their legal capacity, groups of affected parties, associations and entities without legal personality, and independent or autonomous estates, who are responsible for such acts due to intent or negligence, may be sanctioned for acts constituting administrative offenses.”
To that effect, the Judgment of the Court of Justice of the European Union of 5 December 2023 in Case C-807/21 (Deutsche Wohnen) states:
“76. In this respect, it should be further clarified, as regards the question of whether an infringement has been committed intentionally or negligently and may therefore be sanctioned with an administrative fine under Article 83 of the GDPR, that a controller may be sanctioned for conduct falling within the scope of the GDPR when it could not have been unaware of the infringing nature of its conduct, whether or not it was conscious of infringing the provisions of the GDPR (see, by analogy, the judgments of 18 June 2013, Schenker & Co. and Others, C-681/11, EU:C:2013:404, paragraph 1) 37 and cited case law; of 25 March
2021, Lundbeck v Commission, C 591/16 P, EU:C:2021:243, paragraph 156, and of 25 March
2021, Arrow Group and Arrow Generics v Commission, C 601/16 P, EU:C:2021:244,
paragraph 97).
The courts of our country express themselves along the same lines.
Thus, the Supreme Court (Administrative Law Chamber, Section
5) in Judgment no. Judgment 179/2023, of February 15, 2023, establishes: Judgment (STS
354/2023)
(…) we must begin by recalling that culpability is indeed a
requirement for administrative offenses, inherent in Article 25 of the
Constitution, which has undergone extensive doctrinal development within the field of
Criminal Law, from which Administrative Sanctioning Law derives. This requirement
entails, in brief for the purposes of the debate at hand, that the act that
is defined in the offense can and must be attributable to the subject who is
sanctioned, who is considered guilty of it, that is, responsible, according to
the terminology of the Law on Common Administrative Procedure of
Public Administrations. This imputation entails an intellectual element, according to which the typical action is not only carried out by the subject himself, but is done consciously and willingly, that is, intentionally, or through more or less intense negligence, insofar as the diligence required in the execution of the act to avoid the harmful effect has been omitted.
In turn, the Judgment of the National Court, dated January 21, 2010, states:
“The appellant also maintains that there is no culpability whatsoever in her actions.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 9/21
While it is true that the principle of culpability precludes the admission of strict liability in administrative law, it is also true that the absence of intent is secondary, since this type of infraction is normally committed through culpable or negligent conduct, which is sufficient to establish the subjective element of fault. XXX’s actions are clearly negligent because she must be aware of the obligations imposed by the Spanish Data Protection Act (LOPD) on all those who handle personal data of third parties. XXX is obligated to guarantee the fundamental right to the protection of personal data of her clients and potential clients with the intensity required by the content of the right itself.”
Furthermore, it should be noted that the Supreme Court (Judgments of April 16 and 22, 1991) considers that the element of culpability implies “…that the action or omission, classified as an administratively sanctionable offense, must, in all cases, be attributable to its perpetrator, whether through intent, recklessness, negligence, or inexcusable ignorance.”
The same Court reasons that “it is not enough… for exoneration from conduct that is typically unlawful to invoke the absence of fault,” but rather that “it is necessary that the diligence required of the person alleging its absence was exercised” (Supreme Court Judgment of January 23, 1998).
Also related to the degree of diligence that the data controller is
obligated to exercise in complying with the obligations imposed by
data protection regulations, we can cite the Judgment of the National Court
of October 17, 2007 (Appeal No. 63/2006), which specified: “(…) the Supreme Court has consistently held
that negligence exists whenever a legal duty of care is disregarded, that is, when the offender does not act with the required diligence.”
Furthermore, the National Court, in matters of personal data protection, has declared that “simple negligence or failure to comply with the duties imposed by law on those responsible for files or data processing to exercise extreme diligence is sufficient…” (Judgment of the National Court
of June 29, 2001).
As can be seen, there are numerous rulings on this matter within our legal system.
Regarding VOX’s statement that it “understands that any
attempt to establish strict liability is prohibited,” it is necessary to cite Supreme Court Judgment 7887/2011 of
November 24, 2011, Appeal No. 258/2009, which states:
“(…) since its Judgment 76/1990, of April 26, the Constitutional Court has consistently
declared that strict liability or liability without fault is not permissible in the field of administrative sanctions, a doctrine reaffirmed in Judgment 164/2005, of June 20,
2005, which excludes the possibility of imposing sanctions based solely on
the result, without establishing a minimum level of culpability, even for mere negligence. However, the method of attributing liability to legal entities does not
correspond to the forms of intentional or negligent culpability that are
attributable to the conduct human.”
Thus, in the case of infringements committed by legal entities, although the element of culpability must be present (see the judgment of this Court of the Supreme Court of November 20, 2011, appeal in the interest of the law
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es
48/2007), it is necessarily applied differently than it is with respect to natural persons.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es
Supreme Court of November 20, 2011, appeal in the interest of the law
48/2007 According to Constitutional Court Ruling 246/1991, “(…) this distinct construction of
the imputability of the authorship of the infringement to the legal entity arises from the very
nature of legal fiction to which these subjects respond. They lack the
volitional element in the strict sense, but not the capacity to infringe the rules to which
they are subject. This capacity for infringement, and therefore direct culpability,
derives from the legal interest protected by the infringed rule and the need for
that protection to be truly effective, and from the risk that, consequently,
the legal entity subject to compliance with said rule must assume.”
To the foregoing, it must be added, following the judgment of January 23, 1998,
partially transcribed in STS 6262/2009, of October 9, 2009, Rec 5285/2005,
and STS 6336/2009, of October 23, 2009, Rec 1067/2006, that “although the
culpability of the conduct must also be proven, it must be considered,
in order to assume the corresponding burden, that ordinarily the volitional and cognitive elements necessary to assess it form part of the proven
typical conduct, and that their exclusion requires proof of the absence of such
elements, or, in its normative aspect, that the diligence required
by the one alleging their non-existence has been employed; in short, it is not enough for exculpation from
typically unlawful conduct “Invocation of the absence of guilt.”
On the other hand, regarding the statements concerning the right to the presumption of innocence, which VOX refers to when it asserts that Article 53.2.b) of Law 39/2015 establishes that the interested party in an administrative procedure has the right to the presumption of no administrative liability until proven otherwise, it must be pointed out that for the existence of a lack of due process to be established, it is not enough that a formal infraction has occurred; rather, there must have been a lack of due process of a material nature.
In this regard, in the words of the Constitutional Court (STC 290/1993, legal basis 4), “For a situation to be considered constitutionally relevant, placing the interested party
without any possibility of alleging and defending their rights in the proceedings, a mere formal violation is not enough. It is necessary that this formal violation result in a material effect of defenselessness, an effective and real impairment of the
right to defense (STC 149/1998, legal basis 3), with the consequent
real and effective harm to the affected parties (SSTC 155/1988, legal basis 4, and 112/1989, legal basis 2).”
The National Court has also ruled on this matter, among others, in
its Judgment, Administrative Chamber, Section 1, of June 25, 2009 (appeal no. 638/2008), which states that, “this Chamber has reiterated on numerous occasions (SAN 8-3-2006, Appeal no. 319/2004, among others), echoing the doctrine of the Constitutional Court, that for a procedural defect to entail the nullity of the appealed act, it is necessary that it not be a matter of mere procedural irregularities,
but rather defects that cause a situation of material defenselessness, not merely formal, that is, that they have caused the appellant a real impairment of their right to defense, causing them real and effective harm (Constitutional Court Judgments 155/1988, of July 22, 212/1994, of July 13 and 78/1999, of April 26).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 11/21
In short, for the prohibition against being left defenseless to be violated, it is necessary that
a situation of defenselessness actually exists, which has not occurred in this case.
In the present case, the publication on the social network Facebook of the name and surname, as well as the ID number and signature of the claimant, has been proven,
a circumstance that has been acknowledged by VOX.
Furthermore, VOX has been duly notified of the existence of the sanctioning procedure, having received the initiation agreement on February 19, 2025.
Likewise, it submitted objections to the initiation agreement on March 4, 2025, which have been duly addressed in the proposed resolution.
Therefore, none of the circumstances in this case allow for the exclusion of the
subjective element of the infringement, nor has the accusation resulted in a lack of due process for
the reasons already stated, and this allegation must be rejected.
However, in this case, it is worth highlighting the diligence shown by VOX
in removing the publication once it became known, a circumstance
that will be taken into account when determining the amount of the sanction.
IV
Response to the allegations against the proposed resolution of the sanctioning procedure
1. Principle of minimum intervention (Article 83.2 GDPR and Article 76.2 LOPDGDD).
VOX argues that the principle of proportionality should be applied, which,
as they claim, would mean that a sanction should only be imposed when the infringement
is of sufficient magnitude. However, in the case at hand, the alleged infringement
has been clearly established, as the complainant’s name and surname, as well as their national identity document number and signature, were published on the Facebook page of VOX ***LOCALIDAD.1 without the complainant’s consent and without any of the legal bases provided for in Article 6 of the GDPR being applicable.
Furthermore, VOX refers to a “Criteria 1/2019 of the Spanish Data Protection Agency (AEPD) on the determination of sanctions,” which would state that “the exercise of sanctioning powers must be proportionate and appropriate to the nature, circumstances, and seriousness of the facts, avoiding sanctions for cases of little relevance.”
This Criteria 1/2019, as such, has not been published. Circular 1/2019, dated March 7, from the Spanish Data Protection Agency, regarding the processing of personal data relating to political opinions and the sending of electoral propaganda by electronic means or messaging systems by political parties, federations, coalitions, and groups of voters, pursuant to Article 58 bis of Organic Law 5/1985, of June 19, on the General Electoral System, is applicable in this case, as its subject matter is not related to sanctioning procedures.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 12/21
In this regard, this Agency does not share the position defended by VOX regarding the “limited relevance” of the case. VOX fails to consider that the personal data of
the complainant was disseminated through a social network without any
access restrictions, meaning it could be accessed by any third party, nor does it consider the risks involved in disclosing a person’s name and surname
associated with their national identity card number and signature. This risk can persist
even after the publication is removed.
Therefore, this claim must be rejected.
2. Merely formal and remedied infringement.
VOX indicates that the publication was voluntarily removed before the resolution and without
a court order, and understands that this is what the Spanish Data Protection Agency (AEPD) doctrine considers a
“spontaneous cessation of processing” with a mitigating or exonerating effect if no
damage persists. In this regard, it cites the resolution issued by this Agency in case file PS/00486/2020, which states that the case was dismissed due to the cessation of data processing and the absence of harm.
VOX, however, has not demonstrated when the “cessation of data processing” occurred, or whether it
withdrew the publication of the disputed document before or after becoming aware of the
complaint that prompted these proceedings during the transfer process
initiated by this Spanish Data Protection Agency (AEPD) on April 29, 2024.
In any case, the diligence shown by VOX in withdrawing the publication is a
circumstance taken into account when determining the amount of the fine,
resulting in a reduction of the amount determined in the
initiation of the proceedings.
VOX cites resolution PS/00486/2020 concerning a local political association, which allegedly states that “the processing ceased as soon as it was discovered, and there was no harm to the affected party; therefore, no sanction is warranted, and the case is closed.”
After analyzing the case to which VOX refers, it is concluded that it is unrelated to the procedure mentioned. It should be clarified that in PS/00486/2020, the procedure was not closed, but rather the infraction was deemed to have been committed, resulting in a warning instead of an administrative fine, in accordance with Article 77 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), as the responsible entity was included among those mentioned in paragraph 1 of said article.
Therefore, this allegation must be rejected.
3. Lack of actual harm.
According to VOX, the GDPR requires that the processing actually affect rights or freedoms. Based on this, it understands that, in the absence of mass dissemination or proven harm, there is no relevant impact and, therefore, the principle of timely sanctions can be applied.
In this regard, it refers to Opinion 1251/2019 of the Council of State, according to which,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 13/21
“the principle of proportionality requires the dismissal of proceedings when the infringement is merely formal and has not caused irrelevant harm or risk.”
VOX maintains that there is no evidence of any harm resulting from the brief publication, nor of any claims or financial or moral damages. It insists that the potential harm was merely hypothetical and of negligible magnitude.
Regarding these statements, it should be noted, contrary to what VOX has indicated, that the infringement committed was not of a formal nature and that the complainant’s data was disseminated
on the internet without any restriction. If we add to this what was stated in point 1 above, it follows that there was indeed a serious infringement of the complainant’s rights. Consequently, this allegation cannot be taken into account.
4. Lack of intent or gross negligence.
VOX states that the Spanish Data Protection Agency (AEPD) distinguishes between “occasional human error” and “continuous negligence.” It adds that, if training, supervision, and immediate removal of the data were provided, there is insufficient culpability, according to Article 28.1 of Law 40/2015.
Furthermore, it cites PS/00261/2022 and states that “no gross negligence or intent is found; the incident was due to a material error and was rectified promptly. The case should be closed.”
It insists that the incident that prompted this investigation was due to an unintentional error,
without any intention of violating regulations or obtaining any benefit. Furthermore,
internal review and training protocols have been adopted to prevent a similar situation from occurring.
Regarding this issue of culpability, it should be noted that it has already been
addressed in the response to the allegations against the initial agreement, to which we
refer. When assessing the negligence observed in VOX’s conduct,
it is important to clarify, however, that the complainant’s data was disseminated
through a social network without such dissemination being necessary. VOX itself
has acknowledged that the complainant’s data included in the published
acknowledgment of receipt is irrelevant to the purpose of the processing and should not have appeared
in the publication.
Furthermore, VOX refers to PS/00261/2022, which also does not coincide with what VOX alleges, as the proceedings concluded with an infringement under Article 5.1.c) of the GDPR. In these proceedings, a resolution was issued concluding the proceedings due to voluntary payment of the fine and acknowledgment of responsibility by the responsible entity.
5. Cooperation and good faith (Article 83.2.f) of the GDPR).
VOX wishes to state that active cooperation with the Spanish Data Protection Agency (AEPD) and the prompt correction of the error constitute qualified mitigating factors and may even justify dismissal in accordance with the principle of efficiency and procedural economy (Article 130.2 of the LPACAP).
VOX cites PS/00347/2021, in which, according to VOX, “the respondent fully cooperated
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 14/21
at all times, removed the content, and adopted preventive measures. In accordance with the principle of
proportionality, the case is dismissed.”
VOX insists that it has fully and transparently cooperated with the Spanish Data Protection Agency (AEPD),
providing the required information and demonstrating the removal of the content, as well as
the preventive measures adopted as a result of this incident.
Regarding cooperation and good faith, as referred to in Article 83.2.f) of the GDPR, it should be noted that cooperation must be considered mandatory, not merely a mitigating factor. The removal of the content, which did limit or prevent negative consequences for the complainant, has already been taken into account when determining the amount of the penalty, which has been set at €500. Therefore, this argument cannot be considered.
Regarding the PS referenced by VOX, it should be noted that it involved a case alleging an infringement of the LSSI (Law on Information Society Services and Electronic Commerce) and does not present the same circumstances as the present case. Therefore, this argument cannot be admitted. In accordance with said regulations, in this case it was agreed
to initiate proceedings for the issuance of a warning, which is associated
with the possibility of requiring the responsible entity to adopt measures to
rectify the illegal situation. Therefore, the correction of the facts that determined the
infringement justifies the dismissal of the proceedings.
6. Principle of proportionality and effectiveness (Article 89 LPACAP).
Article 89 of Law 39/2015 allows for dismissal or closure when the
infringement lacks sufficient gravity, or the offender has voluntarily corrected
their conduct.
It is understood that the proposed sanction of 500 euros is disproportionate given the
absence of harm, the cooperation shown, and the corrective measures adopted, and
that the preventive purpose of the regulation has already been fulfilled.
However, Article 89 of Law 39/2015 refers to the proposed resolution in sanctioning proceedings and establishes the following:
1. The investigating body shall resolve to terminate the proceedings, archiving the case file, without the need to formulate a proposed resolution, when, during the investigation, it becomes clear that any of the following circumstances exist:
a) The non-existence of the facts that could constitute the infraction.
b) When the facts are not proven.
c) When the proven facts do not manifestly constitute an administrative infraction.
d) When the person or persons responsible do not exist or have not been identified, or appear to be exempt from responsibility.
e) When it is concluded, at any time, that the infraction has prescribed.
In the case at hand, none of the circumstances described in Article
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 15/21
89 of the LPACAP apply, therefore, this claim must be rejected.
V
Preliminary Issues
Article 4.1) of the GDPR defines “personal data” as: “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Article 4.2 of the GDPR defines “processing” as: “any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Article 4.7 of the GDPR defines “controller” as: “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its appointment may be laid down by Union or Member State law.” Article 4.8 of the GDPR defines the “processor” as the natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
In this case, in accordance with Articles 4.1 and 4.2 of the GDPR, personal data processing has taken place, since VOX has published on the social network Facebook the acknowledgment of receipt of a communication it sent to the complainant’s workplace, which includes their name, surname, signature, and national identity document number.
VOX carries out this activity in its capacity as controller, given that it determines the purposes and means of such processing, pursuant to Article 4.7 of the GDPR.
VI
Obligation breached. Lawfulness of Processing
Article 6 of the GDPR, which governs the lawfulness of processing, states the following in paragraph 1:
“1. Processing shall be lawful only if at least one of the following conditions applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 16/21
b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) the Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The provisions of point (f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions.
In this case, it is established that an acknowledgment of receipt was published on the Facebook social network, on the account managed by VOX, which includes the name and surname of the claimant, as well as their signature and national identity document number.
VOX acknowledges this in its statement dated May 12, 2024, where it states:
“While this circumstance is true, the publication was an oversight made unintentionally. The party was unaware of this situation, in which these personal data appeared in a
acknowledgment of receipt, and as soon as it became aware of it, it removed it.
There is no malice or intent; it is a human or technical error, not an error
of law. As soon as the error was discovered, the publication was removed.
The jurisprudence of the Supreme Court affirms that in the area of sanctions, “any attempt to establish strict liability is prohibited” and that “in the area of administrative liability, it is not enough for the conduct to be unlawful and
typical; it is also necessary that it be culpable, that is, the consequence of an
action or omission attributable to its author due to malice or recklessness, negligence, or
inexcusable ignorance (…) in other words, as a requirement…” Derived from Article 25.1 of the Constitution, no one may be convicted or sanctioned except for acts constituting an offense that can be attributed to them on the grounds of intent or negligence (principle of culpability).
In relation to this matter, it should be noted that the principle of liability established in Article 28.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, stipulates that: “Only natural and legal persons, as well as, when a law recognizes their legal capacity, groups of affected parties, associations and entities without legal personality, and independent or autonomous estates, who are responsible for such acts on the grounds of intent or negligence, may be sanctioned for acts constituting an administrative offense.”
Furthermore, it is necessary to refer to the Judgment of the Court of Justice of the European Union of 5 December 2023 in Case C-807/21 (Deutsche Wohnen), which states:
76 In this respect, it should also be clarified, as regards the question of whether an infringement has been committed intentionally or negligently and, therefore, may be sanctioned with an administrative fine under Article 83 of the GDPR, that a controller may be sanctioned for conduct falling within the scope of the GDPR when it could not have been unaware that its conduct was infringing, whether or not it was conscious of infringing the provisions of the GDPR (see, by analogy, the judgments of 18 of June 2013, Schenker & Co. and
others, C 681/11, EU:C:2013:404, paragraph 37 and the case law cited; of 25 March
2021, Lundbeck v Commission, C 591/16 P, EU:C:2021:243, paragraph 156, and of 25 March
2021, Arrow Group and Arrow Generics v Commission, C 601/16 P, EU:C:2021:244,
paragraph 97).” (emphasis added).
To the foregoing, it must be added, following the judgment of January 23, 1998,
partially transcribed in STS 6262/2009, of October 9, 2009, Rec 5285/2005,
and STS 6336/2009, of October 23, 2009, Rec 1067/2006, that “although the
culpability of the conduct must also be proven, it must be considered,
in order to assume the corresponding burden, that ordinarily the
volitional and cognitive elements necessary to assess it form part of the
proven typical conduct, and that their exclusion requires proof of the absence of such
elements, or, in its normative aspect, that the diligence required
by the one alleging their non-existence has been employed; in short, it is not enough for exculpation from
typically unlawful conduct “Invocation of absence of fault.”
In this regard, VOX had published on the social network Facebook the acknowledgment of receipt
which contained the name and surname, signature, and ID number of the claimant. VOX has
acknowledged the facts, but has stated that it was an oversight, carried out
unintentionally.
Likewise, on October 2, 2024, it was confirmed that the information to which
the claimant referred had been deleted from VOX’s Facebook profile.
***LOCALITY.1.
Therefore, this Agency considers that VOX processed the complainant’s data without being covered by any of the
legal bases provided for in Article 6 of the GDPR, and without their
consent, insofar as it has been established that they published on the
Facebook social network the acknowledgment of receipt containing the complainant’s name, surname,
signature, and national identity document number.
In this regard, Recital 32 of the GDPR states that: “Consent must be given by a clear affirmative action which reflects a freely given, specific, informed and unambiguous indication of the data subject’s wishes to agree to the processing of personal data relating to him or her, such as a written statement, including by electronic means, or an oral statement. This could include ticking a box on a website, choosing technical parameters for the use of information society services, or any other statement or conduct which clearly indicates in this context that the data subject agrees to the proposed processing of his or her personal data. Therefore, silence, pre-ticked boxes, or inaction should not constitute consent. Consent must be given for all processing activities carried out for the same purpose or purposes. Where processing has several purposes, consent must be given for all
of them. If the data subject’s consent is to be given following a request by
electronic means, the request must be clear, concise, and not unnecessarily disrupt
the use of the service for which it is provided.”
In turn, Article 4 of the GDPR, concerning definitions, states in paragraph 11:
“11) ‘data subject’s consent’ means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
Furthermore, it is taken into account that the complainant is an anonymous individual and that the publication of their personal data has no public relevance,
so its disclosure is not in the public interest. Furthermore, as previously stated, VOX itself has acknowledged that the complainant’s data included in the published acknowledgment of receipt is irrelevant to the purpose of the processing, which further underscores the infringement resulting from the publication of that document without having previously deleted the personal data in question.
Therefore, the known facts are considered to constitute an infringement attributable to VOX, for violation of Article 6 of the GDPR.
VII
Classification of the infringement of Article 6 of the GDPR and its classification for the purposes of the statute of limitations
Article 83.5 of the GDPR classifies as an administrative infringement the violation of the following article, which shall be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total global annual turnover of the preceding financial year, whichever is higher:
“(a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;”
For its part, the LOPDGDD, in its Article 71, Infringements, states that:
“The acts and conduct referred to in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute infringements.”
For the sole purpose of determining the statute of limitations, Article 72.1 of the LOPDGDD (Spanish Data Protection Law)
establishes the following:
“In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, the following infringements are considered very serious and will be subject to a three-year statute of limitations:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 19/21
and, in particular, the following:
b) The processing of personal data without any of the conditions for lawful processing established in Article 6 of Regulation (EU) 2016/679 being met.”
VIII
Sanction for infringement of Article 6 of the GDPR
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed. These provisions state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 9 and 6 is, in each individual case, effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each individual case, as an additional measure to, or in lieu of, the measures provided for in Article 58(2)(a) to (h) and (j). When deciding on the imposition of an administrative fine and its amount in each individual case, due consideration shall be given to:
(a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the the processing operation in question, as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentionality or negligence of the infringement;
c) any measures taken by the controller or processor to remedy the damage suffered by the data subjects;
d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures implemented pursuant to Articles 25 and 32;
e) any previous infringements committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) how the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
i) where the measures referred to in Article 58(1)(a) 2. have been previously ordered against the controller or processor concerned in relation to the same matter, requiring compliance with such measures;
(j) adherence to codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42; and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.
For its part, Article 76 “Sanctions and Corrective Measures” of the LOPDGDD (Spanish Data Protection Law)
stipulates:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 20/21
“1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the criteria for determining the severity of the sanction established in paragraph 2 of said article.
2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The connection between the infringer’s activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the data subject’s conduct could have induced the processing of personal data. Commission of the infringement.
e) The existence of a merger by acquisition subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.
f) The impact on the rights of minors.
g) Having a data protection officer, when not mandatory.
(h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where disputes arise between them and any data subject.
In this case, considering the seriousness of the potential infringement, and especially the consequences for those affected, a fine is warranted, in addition to the adoption of measures, if applicable.
The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with Article 83.1 of the GDPR.
For the purposes of deciding on the imposition of an administrative fine and its amount, it is considered that the balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by violating Article 6 of the GDPR, allows for the imposition of an administrative fine of €500.00. euros.
Therefore, in accordance with applicable legislation and having assessed the criteria for
graduating the sanctions, the existence of which has been proven,
the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO IMPOSE on VOX ESPAÑA, with Tax Identification Number G86867108, for an infringement of
Article 6 of the GDPR, classified in Article 83.5.a) of the GDPR, a fine of 500.00 euros (five hundred euros).
SECOND: TO NOTIFY VOX ESPAÑA of this resolution.
THIRD: This resolution will be enforceable once the deadline for filing the
optional appeal for reconsideration (one month from the day following the
notification of this resolution) has expired without the interested party having exercised this right.
The sanctioned party is advised that they must pay the imposed sanction once
this resolution becomes enforceable, in accordance with the as provided in Article 98.1.b)
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 21/21
of the LPACAP, within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing the amount,
indicating the Tax Identification Number (NIF) of the sanctioned party and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, the following will apply: its
collection during the enforcement period.
Once the notification is received and the enforcement period is enforceable, if the enforcement date falls
between the 1st and 15th of each month, inclusive, the deadline for making a voluntary payment will be the 20th of the following month or the next business day thereafter. If it falls
between the 16th and the last day of each month, inclusive, the payment deadline will be
the 5th of the second following month or the next business day thereafter.
In accordance with Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), this
Resolution will be made public. Publication will take place once it has been notified to
the interested parties.
Against this resolution, which concludes the administrative process pursuant to Article 48.6 of the
LOPDGDD, and in accordance with Article 123 of the LPACAP (Law on the Common Administrative Procedure of Public Administrations), the
interested parties may, at their discretion, file an appeal for reconsideration with the
President of the Spanish Data Protection Agency within the established timeframe. within one month from the day following notification of this resolution, or directly file an administrative appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
Finally, it should be noted that, pursuant to Article 90.3 a) of the LPACAP, the final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal.
If this is the case, the interested party must formally communicate this fact by means of a written statement addressed to the Spanish Data Protection Agency, submitting it to through
the Agency’s Electronic Registry [https://sedeaepd.gob.es/sede-electronica-
web/], or through any of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. You must also submit to the Agency the documentation that proves the effective filing of the administrative appeal.
If the Agency is not notified of the filing of the administrative appeal within two months from the day following the notification of this resolution, the precautionary suspension will be terminated.
938-101025
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es
</pre>