This judgment confirms the resolution of the Spanish Data Protection Agency (AEPD) that sanctioned the company Avon Cosmetics for breaking the rules on data protection. The sanction procedure was initiated by the AEPD following a complaint submitted by an individual whose personal data was processed by Avon. Some practical matters can be drawn from this judgment.
Avon considered that the sanction procedure should have been barred by limitation because a period of more than 12 months elapsed from the submission of the complaint before the AEPD (4 March 2017) to the date when the initiation of the sanction procedure was notified to Avon (11 April 2017 according to Avon). Avon argued that the first notification made available to Avon at its email address on 2 March 2018 should not be considered in order to determine whether the 12 months period had lapsed or not because it had never opened by Avon.
The National High Court rejected Avon’s allegations. Although it is true that electronic notifications shall be deemed made at the time when the recipient downloads them, a different standard applies when assessing the limitation period of a sanction procedure. For these purposes, the limitation period is interrupted when the notification is made available to its addressee, not when it is downloaded. . In the present case the Court ruled that notification made available to Avon on 2 March 2018, although it was not opened by Avon, interrupted the period of limitation.
The importance of protocols
Avon also argued before the Court that it had no commercial relationship with the individual. Avon alleged that it was the victim of a fraud in which a third party impersonated the identity of the individual in order to fraudulently purchase Avon products without paying.
According to the National High Court whether Avon was victim of a fraud or not is not relevant for the case. Avon should have had an adequate protocol for the processing of the personal data of its customers (i.e. a protocol that ensures the accuracy and veracity of the recorded personal data) and Avon did not have it. In this regard, the Court refers to the fact that Avon recorded the individual’s personal data in its system without having any evidence (such as a contract or a photocopy of his/her ID) showing the individual’s consent for the processing of his/her personal data. Finally, the Court points out that if Avon would have had an adequate protocol, the fraud would probably have been avoided.