The Core Conflict
In a definitive ruling for 2025, the AEPD sanctioned Euroempresas.es for sending 12 unsolicited marketing emails to a private citizen. The campaign aggressively promoted the "Kit Digital" grant with alarmist subject lines like "Cuidado: podrías quedarte sin tu portátil" (Careful: you could lose your laptop).
The Investigation & Silence
The citizen exercised their Right of Access (Article 15 GDPR) on March 5, 2025, asking two simple questions:
1. "Where did you get my data?"
2. "When did I give consent?"
The company ignored this request for months, violating the statutory one-month response deadline.
The Failed Legal Defense
When finally forced to answer, Euroempresas argued that the email address was a "professional contact" and therefore exempt from consent requirements under Article 19 of the LOPDGDD. They claimed the data was "in their system" from an old project and thus valid for B2B communications.
The AEPD's Precedent-Setting Ruling
The Agency dismantled this defense, establishing three critical compliance rules:
1. Article 19 is Limited: This article allows processing for maintenance of business relations, not for mass commercial prospecting (spam). It does not override the LSSI Article 21 ban on unsolicited advertising.
2. Provenance is Mandatory: Under Article 15 GDPR, a controller must identify the specific source of data (e.g., "Public Registry X," "Purchased from Vendor Y"). Vague answers like "it's in our database" are legally insufficient.
3. Policy Consistency: The company’s own privacy policy promised that "commercial communications require express consent," yet they failed to follow their own rules.
1. The "Source" Audit
Never accept a lead list where the "Source" column is blank. If a user asks "Where did you get my info?", you must be able to name the specific origin (e.g., "LinkedIn Public Profile," "Commercial Registry"). "Internal Database" is not a valid answer.
2. The 30-Day Hard Stop
You have exactly one calendar month to respond to a Right of Access request. Even if you have no data on the person, you must reply stating that. Silence is an automatic infringement.
3. "Professional" ≠ "Spammable"
Stop assuming B2B emails are fair game. You can email a client about current services (contractual relationship), but you cannot email a new business lead about the "Kit Digital" without their prior consent.
4. Align Policy with Practice
Review your Privacy Policy today. If it says "we only send emails with consent," but your sales team is cold-emailing lists, you are documenting your own violation.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
Este resumen tiene carácter meramente informativo. Para más información, consulte nuestro Aviso Legal.