zero cost services
admin2024-01-10T06:30:09+00:00Zero-cost services can be very expensive
– The so-called ‘zero-cost’ service consists of offering services at a very low price or free of charge and paying for them through funds earmarked for worker training.
– The Agency has published an information document, drawn up in collaboration with the Labour and Social Security Inspectorate and the Tax Agency, which sets out the penalties that can be imposed for the administrative infringements that may be involved in contracting this type of service.
– The Agency also warns of other associated fraudulent practices, such as spreading the word that a DPD must be contracted in all cases or the offer of unnecessary services, among others.
The Spanish Data Protection Agency (AEPD) has published an informative document in which it warns SMEs and the self-employed of the risks of contracting data protection compliance services from companies that offer them at ‘zero cost’ The document, which has been drawn up with the collaboration of the Labour and Social Security Inspectorate and the Tax Agency, also includes other fraudulent practices that are usually associated with this type of services.
In the field of data protection, what is “zero cost”?
Compliance with data protection regulations, known as “zero cost”, consists of offering these services at a very low price or even free of charge, paying for them out of the company’s funds allocated to training programmes for workers, which are subsidised by the Social Security.
Contracting the service of adaptation to data protection regulations at zero cost, financed by public funds through rebates on Social Security contributions for vocational training for employment, may result in infringements that will be sanctioned by the Labour and Social Security Inspectorate with fines ranging from 626 euros to 187. 187,515 euros, without prejudice to considering, in each case, an infringement for each company and for each training action, the solidarity of the different parties involved in the organisation and execution of the training in the reimbursement of the amounts unduly obtained and the accessory penalties that may be applicable in each case.
Furthermore, with regard to compliance with tax obligations on the part of the companies, both those offering the service and those contracting it, training activities for employees are exempt from VAT, whereas the rate corresponding to a service of adaptation to a specific legislation would be 21%. If the service actually carried out is disguised, a tax infringement may therefore be committed, punishable by a proportional fine of 50% or more of the amount not paid.
The Agency also warns SMEs and the self-employed, the main recipients of this type of practice, that compliance services require a detailed individual study of the entity, the types of processing carried out, the IT systems and the document management systems, applying the principles of data protection in the procedures. Advice based on generic documents that do not take into account the specific characteristics of the activity is therefore insufficient.
Other fraudulent acts.
On the other hand, making SMEs and the self-employed believe that they are obliged in any case to appoint a data protection officer or offering services that are unnecessary for the processing carried out by the company are other frequent misleading messages.
The document also refers to aggressive practices that could constitute unfair competition, such as acting with the intention of impersonating the Agency in the communications that are made, generating the appearance that one is acting in collaboration with the AEPD, engaging in commercial practices in which the power of decision of the recipients is restricted by reference to the possible imposition of sanctions for non-compliance with data protection regulations, or offering documentation by which an attempt is made to create the appearance of compliance with the regulations in addition to carrying out training actions without having carried out the necessary actions to verify such compliance. In these cases, those affected may bring actions before the commercial courts or report it to the National Markets and Competition Commission if the Law on the Defence of Competition is violated.
The Agency reminds SMEs and the self-employed who wish to or need to contract data protection compliance services to ensure that the services they are offered do not engage in the aforementioned practices.