https://gdprhub.eu/api.php?action=feedcontributions&user=Isabela.maria.rosal&feedformat=atomGDPRhub - User contributions [en]2024-03-28T18:49:26ZUser contributionsMediaWiki 1.39.6https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS-00587-2021&diff=39237AEPD (Spain) - PS-00587-20212024-01-17T15:30:27Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00587-2021 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00587-2021.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00587-2021<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00587-2021.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=26.04.2021<br />
|Date_Decided=30.09.2022<br />
|Date_Published=<br />
|Year=2022<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4 GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR<br />
|GDPR_Article_2=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_2=Article 5 GDPR#1f<br />
|GDPR_Article_3=Article 5(2) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#2<br />
|GDPR_Article_4=Article 9(1) GDPR<br />
|GDPR_Article_Link_4=Article 9 GDPR#1<br />
|GDPR_Article_5=Article 24 GDPR<br />
|GDPR_Article_Link_5=Article 24 GDPR<br />
|GDPR_Article_6=Article 25 GDPR<br />
|GDPR_Article_Link_6=Article 25 GDPR<br />
|GDPR_Article_7=Article 32 GDPR<br />
|GDPR_Article_Link_7=Article 32 GDPR<br />
|GDPR_Article_8=Article 57(1) GDPR<br />
|GDPR_Article_Link_8=Article 57 GDPR#1<br />
|GDPR_Article_9=Article 58(2) GDPR<br />
|GDPR_Article_Link_9=Article 58 GDPR#2<br />
|GDPR_Article_10=Article 83(4) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#4<br />
|GDPR_Article_11=Article 83(5) GDPR<br />
|GDPR_Article_Link_11=Article 83 GDPR#5<br />
|GDPR_Article_12=Article 83(7) GDPR<br />
|GDPR_Article_Link_12=Article 83 GDPR#7<br />
|GDPR_Article_13=<br />
|GDPR_Article_Link_13=<br />
|GDPR_Article_14=<br />
|GDPR_Article_Link_14=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 28(1) LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 4 Law 41/2002<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2002-22188<br />
|National_Law_Name_3=Article 47 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 48(1) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 63(2) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 65(4) LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 71 LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=Article 72 LOPDGDD<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_9=Article 73 LOPDGDD<br />
|National_Law_Link_9=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_10=Article 77 LOPDGDD<br />
|National_Law_Link_10=<br />
|National_Law_Name_11=<br />
|National_Law_Link_11=<br />
|National_Law_Name_12=<br />
|National_Law_Link_12=<br />
<br />
|Party_Name_1=Consejeria de Sanidad de la Comunidad de Madrid<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA (AEPD) held a controller responsible for a data breach because it did not have sufficient measures in place to prevent unauthorised access to personal data. Although some measures had been applied, they did not provide a level of protection adequate for sensitive (health) data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A third party unlawfully accessed the medical records of the data subject. The controller kept logs of who accessed medical records, which proved that the unlawful access had in fact occurred and therefore constituted a data breach. Medical records fall within the special categories of data, and the processing of sensitive data carries higher risks. The controller had some protection and access-control measures in place for the data, but they were not sufficient.<br />
<br />
=== Holding ===<br />
The DPA held that a data breach had occurred and that the controller was liable, since it had not implemented sufficient measures to prevent unlawful access to the data (Article 5(1)(f) and [[Article 32 GDPR|Article 32 GDPR]]). Even though some measures were in place, they were not adequate for the level of protection required for sensitive data (Article 9 GDPR).<br />
<br />
== Comment ==<br />
The controller cited various measures as means of avoiding a data breach, but the DPA found them ineffective. For example, the access log serves the purpose of subsequent (after-the-fact) control, but does not help prevent a breach from happening. The DPA also highlighted the need for a proactive approach from the controller.<br />
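The distinction the DPA draws here, between an access log that only supports control after the fact and a measure that stops an access before it happens, can be made concrete in code. The following Python example is added here and is not code from the decision, the hospital or its HCIS system; it assumes a simplified model in which an access is justified by a "care episode" (the patient being under the care of the user's unit at that moment) and in which an emergency override must carry a reason. The log lines are constructed to mirror the decision's timeline: an access made with valid credentials from a different unit is only found by the audit afterwards, whereas the request-time check denies it.<br />

```python
"""Preventive access control versus after-the-fact audit of clinical-record access.

Added illustration only: this is not code from the AEPD decision, the hospital or
the HCIS system. Units, user ids, patient ids and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CareEpisode:
    """A patient's stay in a unit: the care relationship that justifies access."""
    patient_id: str
    unit: str
    start: datetime
    end: Optional[datetime]  # None while the patient is still admitted

    def active_at(self, t: datetime) -> bool:
        return self.start <= t and (self.end is None or t <= self.end)


@dataclass(frozen=True)
class AccessEvent:
    """One record-access log line: who looked at whose record, from which unit, when."""
    timestamp: datetime
    user_id: str
    unit: str                  # unit the user is working in at that moment
    patient_id: str
    break_glass: bool = False  # documented emergency override (assumed mechanism)
    reason: str = ""


def has_care_relationship(episodes: List[CareEpisode], unit: str,
                          patient_id: str, t: datetime) -> bool:
    """True if the patient is under the care of the user's unit at time t."""
    return any(e.patient_id == patient_id and e.unit == unit and e.active_at(t)
               for e in episodes)


def authorize(event: AccessEvent, episodes: List[CareEpisode]) -> Tuple[bool, str]:
    """Preventive check at request time (the proactive measure).

    Valid credentials alone are not enough: the request is allowed only when the
    user's unit currently cares for the patient, or through a break-glass override
    that must carry a reason and is queued for review rather than silently allowed.
    """
    if has_care_relationship(episodes, event.unit, event.patient_id, event.timestamp):
        return True, "care-relationship"
    if event.break_glass and event.reason.strip():
        return True, "break-glass:review"
    return False, "denied:no-care-relationship"


def audit(log: List[AccessEvent], episodes: List[CareEpisode]) -> List[Tuple[str, str]]:
    """Detective control: replay the log and report every access not justified
    by a care relationship. This is what a reactive audit finds after the record
    has already been viewed; it identifies the person but prevents nothing."""
    findings = []
    for ev in log:
        _, verdict = authorize(ev, episodes)
        if verdict != "care-relationship":
            findings.append((ev.user_id, verdict))
    return findings


# Constructed scenario mirroring the decision: a patient in the emergency room
# from 3:46 to 10:12, and three record accesses during that window.
DAY = datetime(2020, 5, 13)
EPISODES = [CareEpisode("P-001", "emergency",
                        DAY + timedelta(hours=3, minutes=46),
                        DAY + timedelta(hours=10, minutes=12))]
LOG = [
    # emergency-room nurse on duty looks up the admitted patient: justified
    AccessEvent(DAY + timedelta(hours=4), "nurse-er-01", "emergency", "P-001"),
    # operating-room nurse with valid credentials but no care relationship
    AccessEvent(DAY + timedelta(hours=8), "nurse-or-07", "operating-room", "P-001"),
    # surgeon consulted urgently, uses the documented override
    AccessEvent(DAY + timedelta(hours=9), "surgeon-03", "operating-room", "P-001",
                break_glass=True, reason="urgent consult requested by ER"),
]


def run_example() -> List[Tuple[str, str]]:
    """Print the request-time verdict for each event and return the audit findings."""
    for ev in LOG:
        allowed, verdict = authorize(ev, EPISODES)
        print(f"{ev.timestamp:%H:%M} {ev.user_id:<12} {'ALLOW' if allowed else 'DENY':<5} {verdict}")
    return audit(LOG, EPISODES)


if __name__ == "__main__":
    run_example()
```

Run directly to see the per-event verdicts. `audit()` corresponds to the reactive audit the controller relied on; `authorize()` is the kind of request-time control the DPA was asking for, and the break-glass path shows how an emergency exception can be allowed without giving up the check entirely. All names are placeholders for the example.<br />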
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: PS/00587/2021<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
to the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On November 22, 2020, A.A.A. (hereinafter, the complaining<br />
party) filed a claim with the Spanish Data Protection Agency.<br />
<br />
The claim is directed against the COMMUNITY HEALTH DEPARTMENT<br />
DE MADRID, with NIF S7800001E, (hereinafter, the claimed party).<br />
<br />
The claimant states that, on May 16, 2020, she presented a<br />
claim before the Management of the University Hospital of La Paz, where she worked, for<br />
the alleged improper access to her medical history by a co-worker,<br />
B.B.B., and that she has only received a response stating that her<br />
claim was forwarded to the Medical Directorate of the La Paz Hospital for investigation.<br />
<br />
She indicates that on May 13, 2020, at around 8 a.m., the aforementioned<br />
nurse, from the operating-room service in the general building of the University Hospital<br />
La Paz de Madrid, taking advantage of her status as a nurse and using her<br />
personal access passwords, entered, without any care relationship, her<br />
clinical history, held in the "HCIS computer system" database.<br />
<br />
<br />
She states that on the same day, May 13, 2020, she reported the events described to the<br />
nursing supervision of the operating-room service where the nurse worked, as<br />
well as to the Nursing Directorate of Hospital La Paz.<br />
<br />
<br />
She provides a document dated 05/20/2020, in which the head of the Information Service of<br />
La Paz University Hospital informs the claimant of the transfer to the Medical<br />
Management of the notification about “improper access to your medical history” and of the<br />
claim filed with Salud Madrid.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5<br />
December, Protection of Personal Data and Guarantee of Digital Rights<br />
<br />
(hereinafter LOPDGDD), said claim was transferred to the claimed party,<br />
to proceed with its analysis and report to this Agency within a period of one month,<br />
<br />
of the actions carried out to adapt to the requirements provided for in the<br />
data protection regulations.<br />
<br />
There is no response in this Agency to the transfer of the claim.<br />
<br />
<br />
<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/26<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
THIRD: On April 26, 2021, in accordance with article 65 of the<br />
LOPDGDD, the Director of the Spanish Data Protection Agency agreed<br />
to admit for processing the claim presented by the complaining party.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out<br />
preliminary investigative actions to clarify the facts in<br />
question, by virtue of the investigative powers granted to the supervisory<br />
authorities in article 57.1 of Regulation (EU) 2016/679 (General Data<br />
Protection Regulation, hereinafter RGPD), and in accordance with the provisions of<br />
Title VII, Chapter I, Second Section, of the LOPDGDD, learning of the<br />
following particulars of the claimed party:<br />
<br />
DEPARTMENT OF HEALTH OF THE COMMUNITY OF MADRID, with NIF S7800001E,<br />
<br />
with address at C/ MELCHOR FERNÁNDEZ ALMAGRO, N.º 1 - 28029 MADRID<br />
(MADRID).<br />
<br />
On 05/24/2021, information was requested from the claimed party within the framework of the<br />
present investigation file. No response having been received, the<br />
request was repeated, and a response was received with the following results:<br />
<br />
About access.<br />
<br />
<br />
A copy of the access log of the information system of the Hospital<br />
of La Paz for 05/13/2020 was requested, in which the accesses made by the nurse<br />
cited by the claimant are recorded. It was requested to provide the date and time of the accesses, the<br />
type of data accessed, as well as documentation accrediting the existing justification<br />
for said accesses.<br />
<br />
In response, the claimed party only indicates that the La Paz University Hospital<br />
conducted an investigation of the facts and concluded that accesses were made<br />
by the nurse cited by the claimant, within the period in which<br />
she attended the emergency room, from 3:46 a.m. until she was discharged the same day at<br />
10:12 a.m.<br />
<br />
About access investigations.<br />
<br />
A copy of the appropriate investigations mentioned in the document has been requested.<br />
<br />
document from the Patient Care Service, as well as the final response issued<br />
to the claimant, attaching to the request of this Agency a copy of the document<br />
provided by the claimant where the Head of the Hospital Information Service<br />
Universitario La Paz informs you of the transfer to the Medical Directorate of the center of the<br />
notification about “improper access to your medical history” so that “the<br />
<br />
carry out the appropriate investigations.”<br />
<br />
In this regard, the claimed party indicates that La Paz Hospital has carried out<br />
the appropriate investigations to clarify the facts described by the complainant.<br />
<br />
They do not provide a copy of the required investigations. They provide a copy of a writing<br />
dated 12/18/2020, indicating that it is the final response sent to the claimant, in<br />
which the Hospital indicates that the Management will not contact her because “an<br />
audit is carried out and the appropriate actions are taken, but this does not entail<br />
that the interested party be informed.”<br />
<br />
They indicate to this Agency that the aforementioned Hospital has a protocol according to which “if<br />
improper access has occurred, the Data Protection (PD) Committee must assess<br />
what information would be given to the interested party, always informing them that the<br />
right granted to them by the LOPD itself would only cover<br />
knowledge of the information subjected to processing, but not which people, within<br />
the scope of the organization of the person responsible for the file, have been able to access<br />
such information.”<br />
<br />
<br />
Attached is the aforementioned protocol entitled Compliance Verification Audits in the<br />
accesses to HC (Clinical History), a copy of which is present in the present proceedings of<br />
inspection.<br />
<br />
On the actions taken in order to minimize the adverse effects and for the<br />
final resolution of the incident.<br />
<br />
In this regard, they provide a report from the La Paz Hospital in which the sequence<br />
of the facts is detailed, as well as copies of the reports from the Nursing Directorate.<br />
<br />
<br />
In one of these reports from the Nursing Directorate of Hospital La Paz it states:<br />
<br />
“On Thursday, May 13, […the claimant…] requested a meeting with me to<br />
inform me of an event that had occurred and of which I, as Supervisor of the<br />
Unit, should be aware. She spent the night in the emergency room because, while<br />
on call in the operating room, she began with […]. During her stay in the emergency room, she received<br />
a WhatsApp message from a colleague of hers from the operating room which literally says "the<br />
plate is fine." […the claimant...] responds "How do you know? Have you looked at my<br />
clinical history?" Her colleague responds that she has indeed consulted it in her<br />
history, apologizing to her at that very moment.<br />
<br />
[…the claimant…] states that this fact seriously violates her privacy and that<br />
this colleague (I quote verbatim) "has been making her life impossible<br />
for 3 years, and this is the straw that breaks the camel's back."<br />
<br />
Seeing the seriousness of the matter, I notified my Area Deputy and […the claimant…]<br />
expresses its desire that these events do not go unpunished.<br />
<br />
Likewise, we spoke with the colleague who had entered the clinical history,<br />
who immediately admitted her mistake and apologized repeatedly.<br />
She expressed her desire to speak with […the claimant…] and apologize to her. Having<br />
spoken with the two parties involved and, in response to the demand of […the claimant…],<br />
she was informed of the ways available in the hospital to make the claims she<br />
considers appropriate. She was also informed that her colleague is interested in<br />
personally apologizing for viewing her history without her permission and<br />
in case at any point in their professional relationship she has felt wronged by her<br />
attitude toward her.”<br />
<br />
<br />
Regarding the measures adopted to prevent similar incidents from occurring,<br />
implementation dates and controls carried out to verify its effectiveness.<br />
<br />
<br />
They only mention again the audit protocol for verification of<br />
compliance in accesses to HC (Clinical History), edition dated<br />
03/23/2021, indicating that section 4 (Development) sets out a<br />
process of reactive and proactive audits, the latter being monthly<br />
and following a specific structure and monitoring, to meet the requirements of<br />
the Ministry of Health in case of improper access to medical records.<br />
<br />
Regarding the security of the processing of personal data existing<br />
prior to the events.<br />
<br />
It was requested to detail the technical and organizational measures adopted to guarantee<br />
a level of security appropriate to the risks detected in relation to access<br />
by healthcare personnel to patients' clinical records, and the security policy<br />
adopted by the entity in relation to it.<br />
<br />
They mention in this regard that, in the Security Policy of the Ministry of Health,<br />
whose copy they provide, includes a “Decalogue of good practices for users of<br />
information systems of the Ministry of Health” which is mandatory<br />
<br />
compliance for all personnel who provide services in the Ministry (article<br />
12.2).<br />
<br />
Regarding the duty to respect data privacy, among other obligations, in<br />
The Decalogue establishes the following:<br />
<br />
- Users must access, exclusively, the information necessary for the<br />
performance of the functions inherent to their activity, and only that to which they are authorized<br />
(3.1).<br />
<br />
- In accessing this information, users are obliged to comply with all the<br />
security conditions established by data protection regulations, and other<br />
applicable requirements in accordance with the standards and procedures established in the CSCM<br />
(3.2).<br />
<br />
- All people involved in any phase of the processing of personal data<br />
are bound by professional secrecy with respect to it (3.3).<br />
<br />
They indicate that the aforementioned Security Policy provides that “Failure to comply with<br />
any of the behavioral guidelines contained in this Decalogue of<br />
good practices may give rise to the corresponding disciplinary responsibility,<br />
if applicable, in application of the rules governing the disciplinary<br />
regime of the user.”<br />
<br />
<br />
They state that the La Paz University Hospital has a series of measures<br />
established in order to maintain and consolidate the security of information and<br />
privacy, such as the preservation of access traces and the realization<br />
periodic training for staff.<br />
<br />
FIFTH: On January 3, 2022, the Director of the Spanish Agency for<br />
Data Protection agreed to initiate sanctioning proceedings against the claimed party,<br />
<br />
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,<br />
of the Common Administrative Procedure of Public Administrations (hereinafter,<br />
LPACAP), for the alleged violation of article 5.1.f) of the RGPD and article<br />
32 of the RGPD, typified in articles 83.5 and 83.4 of the RGPD, respectively.<br />
<br />
<br />
The initiation agreement was sent, in accordance with the rules established in the Law<br />
39/2015, of October 1, of the Common Administrative Procedure of the<br />
Public Administrations (hereinafter, LPACAP), through electronic notification,<br />
being received on January 5, 2022, as stated in the certificate included<br />
on the record.<br />
<br />
SIXTH: Once the initiation agreement was notified, the claimed party presented a written<br />
statement of allegations in which, in summary, it stated:<br />
<br />
-that the Hospital Responsible for Data Processing, Hospital Universitario La<br />
Paz (HULP), carried out an investigation of the events, concluding that<br />
there were improper accesses to her medical history during the interval in which the<br />
complainant was in the emergency room (3:46 a.m. until 10:12 a.m. of the same<br />
day, on which she was discharged: June 13, 2020),<br />
<br />
-that there are adequate and sufficient security measures for the management of<br />
Clinical Records, whenever user activities are recorded, retaining<br />
the information necessary to monitor, analyze, investigate and document<br />
<br />
improper or unauthorized activities, allowing the identification of the<br />
person who acts, the center having a protocol established for such purposes, in<br />
which includes a process of reactive and proactive audits, the latter being<br />
on a monthly basis and following a specific structure and monitoring, to address<br />
the requirements of the Ministry of Health in case of improper access to<br />
<br />
medical records,<br />
<br />
-that they have a security policy at the level of the Ministry of Health, which<br />
provides for specific organizational measures to maintain confidentiality<br />
of the information accessed by the organization's workers,<br />
<br />
<br />
-that in the medical records management system there is a segregation of profiles<br />
for the use of the tool, based on the work performance of each of the<br />
positions.<br />
<br />
The document that establishes the assignment of Users and type profiles is attached, in<br />
which it is stated that: “it can be verified that due compliance is given to the principle<br />
of least privilege, in accordance with the provisions of Annex II [op.acc.3] of the<br />
National Security Scheme, strictly limiting each user to the minimum<br />
necessary to fulfill their obligations. Likewise, privileges are limited so<br />
that users only access information necessary for the fulfillment of their<br />
functions.<br />
<br />
Therefore, there are different defined user models, such as:<br />
<br />
• Administrative User<br />
• Medical User (one per specialty)<br />
<br />
• Nurse User (midwives, supervisors, nurses)<br />
• Consultation User (only gives access to view the information, but does not allow registration)<br />
• User for other non-medical groups<br />
<br />
User models are composed of different profiles, and each profile<br />
allows access to certain functions or competencies, always bearing in<br />
mind that, according to Law 41/2002, of November 14, the basic regulation of<br />
patient autonomy and rights and obligations regarding information and<br />
clinical documentation, article 16 indicates that the clinical history is an<br />
instrument intended fundamentally to guarantee adequate assistance to the<br />
patient; that is, the medical history must be accessible in such a way that it can be<br />
ensured that adequate care is provided to each patient, taking into account<br />
the diversity of health professionals existing in the center. For example, in<br />
emergency cases, this medical history must be accessible to ensure the<br />
vital interests of each citizen.<br />
<br />
When a professional joins the center, they are assigned the model user<br />
<br />
established, but if the professional changes his functions or requires new functions,<br />
must have the approval of the Management. In the event that a user claims<br />
new functions and there is no established model user, Management values the<br />
relevance of creating a new model user.<br />
<br />
Thus, and as can be seen in the protocol, there are no generic users,<br />
but rather users created according to the functions assigned to them,<br />
with univocal and nominal access for each professional through their<br />
“Personal ID” access number.<br />
<br />
-that they have the signed Confidentiality Commitment, through which<br />
the worker is informed, at the time of formalizing their contract with the hospital, about the<br />
security and privacy policies that are mandatory for employees of the<br />
Hospital,<br />
<br />
-that training is provided regarding the security of personal data<br />
to staff,<br />
<br />
-that the claimed party acknowledged its mistake and apologized to the complaining party,<br />
indicating the lack of intent when accessing her information, from which they understand<br />
that both the technical and the organizational security measures implemented by<br />
the person responsible for the Processing are optimal and valid to guarantee the security and<br />
confidentiality of patient data.<br />
<br />
SEVENTH: On March 11, 2022, the instructor of the procedure issued<br />
proposed resolution for violation of the provisions of article 5.1 f) of the RGPD.<br />
<br />
<br />
The aforementioned proposed resolution was sent, in accordance with the rules established in<br />
Law 39/2015, of October 1, on the Common Administrative Procedure of the<br />
Public Administrations (hereinafter, LPACAP), through electronic notification,<br />
being received on March 12, 2022, as stated in the certificate provided<br />
on the record.<br />
<br />
EIGHTH: On March 28, 2022, the claimed entity presented a written statement of<br />
allegations to the Proposed Resolution, in which, in summary, it stated, in relation<br />
to the established security measures, that, in application of the National<br />
Security Scheme, user activities are recorded, retaining the<br />
information necessary to monitor, analyze, investigate and document improper<br />
or unauthorized activities, allowing the identification at all times of the person who<br />
acts, and that they have implemented a reactive and proactive audit process.<br />
<br />
The latter are monthly in nature and follow a specific structure and follow-up,<br />
to meet the requirements of the Ministry of Health in case of<br />
improper access to medical records; that there is a segregation of profiles for the<br />
use of the tool, based on the work performance of each of the<br />
positions, limiting each user's access to the minimum; that<br />
employees sign a Confidentiality Commitment, through which the<br />
worker is informed, at the time of formalizing the relationship, of their duties in this matter; and that<br />
an information box (banner) appears warning that access to the platform<br />
must be made for healthcare purposes.<br />
<br />
And in relation to other considerations, it states that the clinical history is an instrument<br />
fundamentally intended to guarantee adequate care to the patient, that<br />
is, the medical record must be accessible in such a way that it can be ensured that<br />
adequate assistance is provided to each patient; that training is provided regarding<br />
the security of personal data; that the appropriate investigations were carried<br />
out, which led to the necessary actions to resolve the<br />
incidents that occurred, being able to identify at all times the person who accessed<br />
the history; and that the mitigating measures carried out by the Hospital,<br />
at the request of the affected party, have consisted of a warning.<br />
<br />
Finally, it mentions AEPD sanctioning procedure No. AP/00056/2014. In the<br />
resolution of that procedure, issued on February 9, 2021, the AEPD had the<br />
opportunity to rule on possible improper and unjustified access to the clinical<br />
history of a patient who was a worker of the Madrid Health Service. The AEPD, the<br />
interested party states, would have concluded that SERMAS had established<br />
sufficient security measures.<br />
<br />
NINTH: In view of the facts considered proven and in accordance with the<br />
powers that article 58.2 of Regulation (EU) 2016/679 (General Regulation of<br />
<br />
Data Protection, hereinafter RGPD), grants each control authority and according to<br />
the provisions of articles 47 and 48.1 of Organic Law 3/2018, of December 5,<br />
of Personal Data Protection and guarantee of digital rights (hereinafter,<br />
LOPDGDD) and in use of the power provided for in article 90.2 of Law 39/2015, of 1<br />
October, of the Common Administrative Procedure of Public Administrations,<br />
<br />
on August 23, 2022, the claimed party was notified of the consideration<br />
that the proven facts constitute not only the violation of article 5.1.f) of the<br />
RGPD, but also that of article 32 of the same legal text.<br />
<br />
TENTH: Once the Proposed Resolution was notified, the claimed party presented a written<br />
statement of allegations in which, in summary, it stated that adequate provision of<br />
healthcare involves the participation of several services from the same center to<br />
achieve the ultimate goal of the patient's well-being and health; that, in fact, in<br />
health practice, it is common for an emergency service to lead to an<br />
operating-room service, in which it would be strictly necessary, to preserve the<br />
vital interests of the affected person, that the health personnel of both services have<br />
immediate access to the patient's medical history in order to provide adequate<br />
emergency healthcare.<br />
<br />
They provide a report issued by the University Hospital of La Paz in which it is indicated, in<br />
relation to the measure proposed by the AEPD that each of the professionals<br />
could have access to the medical records of only those patients<br />
with whom they carry out their activity, that this measure is extremely complex and difficult<br />
to apply both at a technical and organizational level, and above all from the point of view<br />
of care, and this is because health professionals, and especially the nursing<br />
area, are subject to continuous shift changes; they can carry out their activity<br />
on a rotating basis, going from morning to afternoon or night shift. Likewise, and<br />
regarding the unit, service or medical specialty, exclusion criteria could not be<br />
applied either, since health personnel can change location. A professional<br />
can carry out their activity in one ward or specialty and the next day<br />
or next shift in a different one.<br />
<br />
They therefore consider that health personnel must have access to the different<br />
diagnostic tests performed, or consult reports from other specialists and/or professionals,<br />
that may influence the pathology they are treating. They also add that<br />
patients can exercise their right to Free Choice of Specialist, Free Choice of<br />
Health Center, request a second opinion, or be referred at a physician's request<br />
to a different center to carry out a test or treatment not included in the service<br />
portfolio of the center of origin. In these situations, health professionals<br />
must be able to access the patient's complete clinical history to provide<br />
adequate care for the patient.<br />
<br />
Finally, they consider it necessary that the system profiles remain<br />
configured as they have been until now, since this is the best way to preserve<br />
the health of patients who come to the hospital where they receive<br />
healthcare, and indicate that there is already a strong segregation of profiles for the use<br />
of the tool, based on the work performance of each of the positions, limiting<br />
each user's access to the minimum.<br />
<br />
<br />
In view of all the actions taken, the Spanish Data Protection Agency considers the following facts proven in this procedure:<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: On November 22, 2020, the claimant filed a claim with the Spanish Data Protection Agency for alleged access to her medical history by a co-worker.<br />
<br />
SECOND: The Hospital, as data controller, carried out an investigation of the facts, concluding that improper accesses to her medical history took place during the interval in which the claimant was in the emergency department (from 3:46 a.m. until 10:12 a.m. on the day she was discharged, June 13, 2020).<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 9/26<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures."<br />
<br />
II<br />
In response to the allegations presented by the respondent entity to the Agreement to initiate the sanctioning procedure, the following must be noted:<br />
<br />
The GDPR broadly defines "personal data breaches" (hereinafter, security breach) as "all those breaches of security that cause the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorized disclosure of, or access to, such data."<br />
<br />
In the present case, it is clear that a personal data breach occurred in the circumstances indicated above, categorized as a confidentiality breach, as a consequence of the exposure to a third party of personal data relating to the health of the claimant.<br />
<br />
Article 32 of the GDPR states the following:<br />
<br />
"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as appropriate:<br />
<br />
a) the pseudonymization and encryption of personal data;<br />
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;<br />
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;<br />
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.<br />
<br />
2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.<br />
<br />
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.<br />
<br />
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."<br />
<br />
The aforementioned article provides that "the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk." Consequently, it does not adopt a closed list of technical and organizational measures; rather, these must be appropriate in relation to the previously analyzed level of risk.<br />
<br />
That said, article 32.1 contains an obligation of means and not an obligation of result. Indeed, it indicates that "the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk"; that is, it imposes the obligation to establish a level of security, and that level must be a function of the risk analysis that every controller must carry out in accordance with section 2 of said article:<br />
<br />
"2. In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."<br />
<br />
<br />
Technological evolution and the growing sophistication of the means used to gain unauthorized access to data systems mean that the regulations cannot unconditionally impose a total guarantee of the absence of integrity or confidentiality breaches. They do, however, require controllers to carry out a risk analysis and to implement a "level of security appropriate" to those risks.<br />
<br />
<br />
This duty is therefore characterized as an obligation of means. This is what the Supreme Court declared in its recent ruling of February 15, 2022:<br />
<br />
“The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which would imply that a leak of personal data to a third party gives rise to liability regardless of the measures adopted and the activity deployed by the controller of the file or processing.<br />
<br />
In obligations of means, the commitment acquired is to adopt the technical and organizational means, and to deploy diligent activity in their implementation and use, tending to achieve the expected result with means that can reasonably be described as suitable and sufficient for its achievement, which is why they are called obligations of "diligence" or "conduct".<br />
<br />
The difference lies in the liability in each case, since, while in the obligation of result one is liable for a harmful result due to the failure of the security system, whatever its cause and the diligence used, in the obligation of means it is enough to establish technically adequate measures and to implement and use them with reasonable diligence.<br />
<br />
In the latter, the sufficiency of the security measures that the controller must establish must be put in relation to the state of technology at any given time and to the level of protection required in relation to the personal data processed, but a result is not guaranteed. As established in art. 17.1 of Directive 95/46/EC regarding the security of processing, the controller has the obligation to apply technical and organizational measures: "Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." And art. 31 of Regulation (EU) 2016/679 of the European Parliament and of the Council, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, is expressed in the same sense today, by establishing, with regard to the security of processing, that appropriate technical and organizational measures are those adopted «Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons […]».<br />
<br />
We have already reasoned that the obligation that falls on the controller of the file and on the processor regarding the adoption of the measures necessary to guarantee the security of personal data is not an obligation of result but of means, and that the infallibility of the measures taken is not required. All that is required is the adoption and implementation of technical and organizational measures which, in accordance with the state of technology and in relation to the nature of the processing carried out and the personal data in question, reasonably make it possible to avoid their alteration, loss, or unauthorized processing or access."<br />
<br />
Having established the above, that is, that the obligation of means imposed by article 32 of the GDPR consists of adopting security measures in the processing aimed at preventing a security breach from occurring, these obligations must be established based on the risks that have been analyzed, taking into account the state of technology at any given time and the level of protection required in relation to the personal data processed.<br />
<br />
<br />
Consequently, the analysis that must be performed to determine whether there has been non-compliance consists of determining whether the measures were sufficient to avoid or reduce the risk of a security breach. In this case, it must be checked whether the measures were adequate to ensure that unauthorized access to the claimant's clinical history, such as the one that occurred in this case, did not take place. This is independent of whether said access actually occurred or not.<br />
<br />
<br />
It is appropriate to analyze the allegations made in this procedure by the DEPARTMENT OF HEALTH. In relation to the security measures established:<br />
<br />
- In application of the National Security Scheme, user activities are logged, retaining the information necessary to monitor, analyze, investigate and document improper or unauthorized activities, making it possible to identify at all times the person acting.<br />
<br />
- Implementation of a process of reactive and proactive audits, the latter carried out monthly and following a specific structure and monitoring, to meet the requirements of the Ministry of Health in the event of improper access to medical records.<br />
<br />
- There is a segregation of profiles for the use of the tool, based on the job functions of each position, limiting each user's access to the minimum.<br />
<br />
- A Confidentiality Commitment is signed by employees, through which the worker is informed, at the time of formalizing their employment relationship, of their duties in this matter.<br />
<br />
- An information box (banner) appears warning that access to the platform must be carried out for healthcare purposes.<br />
<br />
And in relation to other considerations, it states:<br />
<br />
- The clinical history is an instrument designed fundamentally to guarantee adequate patient care; that is, the medical history must be accessible in such a way as to ensure that adequate care is provided to each patient.<br />
<br />
- Training is provided regarding the security of personal data.<br />
<br />
- The appropriate investigations were carried out, which led to the actions necessary to resolve the events that occurred, it being possible to identify at all times the person who made the improper access to the history.<br />
<br />
- The mitigating measures carried out by the Hospital, in response to the request of the affected person, have consisted of a warning.<br />
<br />
Finally, it mentions the AEPD sanctioning procedure No. AP/00056/2014. In that resolution, issued on February 9, 2021, the AEPD had occasion to rule on possible improper and unjustified access to the clinical history of a patient who was a worker of the Madrid Health Service. The AEPD, the interested party states, would have concluded that SERMAS had established sufficient security measures.<br />
<br />
In relation to these allegations, the following must be pointed out:<br />
<br />
Of the five security measures described, it can be ruled out from the outset that four of them can be effective in preventing unauthorized access. In the first place, logging access or carrying out audits are measures for reacting a posteriori, once the access has already occurred. Secondly, the banner has only an informative purpose, and does not stop the professional from continuing in the event that the access is not justified. Finally, the confidentiality commitment does not, in itself, prevent unauthorized access.<br />
<br />
Only the segmentation of access profiles to medical records could be considered a valid and effective tool for avoiding events such as the present case. The DEPARTMENT OF HEALTH provides a very detailed annex with the profiles of each type of professional category, distinguishing between administrative and health staff, and, within the latter category, by types and specialties of staff.<br />
<br />
However, a measure that would be basic is not reflected in that document, namely that each health professional should be able to access the medical records only of those patients on whom they carry out their care activity.<br />
<br />
In this sense, article 16 of Law 41/2002, of November 14, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation, provides that "1. The clinical history is an instrument fundamentally aimed at guaranteeing adequate patient care. The care professionals of the center who carry out the diagnosis or treatment of the patient have access to their clinical history as a fundamental instrument for their adequate care. 2. Each center shall establish the methods that enable access to the clinical history of each patient by the professionals who assist them" (the emphasis is ours).<br />
<br />
From reading this precept it is clearly inferred that, although the clinical history is the instrument for providing health care to the patient, which must be guaranteed, it is equally the case that access to the clinical history may only take place by the professionals who assist the patient, not in general terms, but specifically those carrying out the diagnosis or treatment of that patient.<br />
<br />
Let us remember that the factual situation that gave rise to this procedure consists of access by a member of the nursing staff of the Operating Room Service to the record of a patient who received medical assistance in the Emergency Department.<br />
<br />
It is true that, as the interested party states, "the clinical history is an instrument intended fundamentally to guarantee adequate care to the patient, that is, the medical history must be accessible in such a way that it can be ensured that adequate care is provided to each patient", but it is no less true that measures can be implemented, based on the patients assigned to each professional, the service in which health tasks are performed, and the work shifts of each professional, that prevent a professional from accessing sensitive medical data regarding a patient for whom no care activity whatsoever has been entrusted to them. The strong segregation of profiles that they say they have implemented has not prevented access to a patient's medical history by a nurse who had not been entrusted with the treatment of that patient. This denotes the absence of adequate security measures.<br />
<br />
The failure to adopt a measure such as the one described means that it cannot be considered that there are security measures providing a level of protection adequate to the existing risks. In fact, the DEPARTMENT OF HEALTH itself recognizes the unlawfulness of the conduct, since a disciplinary file was processed against the person who carried out the improper access, which concluded with the imposition of a warning.<br />
<br />
In relation to the precedent invoked (file AP/00056/2014), it must be pointed out that this was a sanctioning procedure for events that took place well before the entry into force of the GDPR. The latter came into force in May 2018, whereas the events occurred in May 2013. In that file, the proceedings were closed on the basis that the DEPARTMENT OF HEALTH had demonstrated that it had put into practice the measures required by the now repealed Royal Decree 1720/2007, of December 21 (RLOPD), approving the regulations implementing Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD).<br />
<br />
The system established by the previous LOPD differs substantially from that established by the current GDPR. Whereas the former established a system of security measures laid down normatively (in conjunction with the RLOPD), such that security obligations were understood to be met once those measures were in place, the current GDPR is based on the principles of proactive responsibility and data protection by design, that is, on establishing the measures that are necessary based on the risks inherent in a given processing. There is, therefore, no numerus clausus of measures that the data controller must adopt; rather, these must be established case by case, based on the risk analysis and on the data being processed.<br />
<br />
In this regard, article 5.2 GDPR establishes, after listing the principles relating to the protection of personal data, the following:<br />
<br />
"2. The controller shall be responsible for compliance with the provisions of paragraph 1 and be able to demonstrate it ("proactive responsibility")."<br />
<br />
And regarding the principle of data protection by design, the GDPR requires:<br />
<br />
"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects."<br />
<br />
<br />
For all these reasons, the reference to the precedent constituted by file AP/00056/2014 lacks any relevance, since it was processed under a regulation radically different from the current one.<br />
<br />
Furthermore, the AEPD's criterion in relation to this type of unauthorized access has a clear precedent, produced in a sanctioning procedure processed after the entry into force of the GDPR. This is file PS/00250/2021, in which the EXTREMEÑO HEALTH SERVICE was sanctioned for a problem identical to the one we are dealing with in this file. In the narration of the events it appears:<br />
<br />
"The inspection actions begin upon receipt of a written claim from A.A.A. (hereinafter, the claimant), in which he states that improper access to his medical history took place by a worker of the Extremadura Health Service (hereinafter SES), with the professional category of nurse. The accesses were made without the authorization of the claimant and without any relationship that justified them."<br />
<br />
<br />
That procedure ended with the imposition of two sanctions for those facts: one for the violation of article 5.1.f) GDPR, in the terms explained in the proposed resolution, and another for that of article 32 of the Regulation. That is the criterion of this Agency in relation to this type of case.<br />
<br />
<br />
<br />
III<br />
In response to the latest allegations presented by the respondent entity, the following must be pointed out:<br />
<br />
First of all, we are faced with a special category of personal data (article 9.1 GDPR), to which the principle of prohibition of processing applies unless one of the circumstances provided for in section 2 occurs. Such data therefore carry an inherent risk, and must be held to a higher standard of protection.<br />
<br />
Recital 51 provides, regarding the special categories of personal data, that:<br />
<br />
"Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms. […] Such personal data should not be processed, unless processing is allowed in specific cases set out in this Regulation, taking into account that Member States may lay down specific provisions on data protection in order to adapt the application of the rules of this Regulation for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition to the specific requirements for such processing, the general principles and other rules of this Regulation should apply, in particular as regards the conditions for lawful processing. Derogations from the general prohibition on processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms".<br />
<br />
It is a priority to determine the role played by the Ministry of Health. From this it follows that the controller of the data forming part of the clinical history is the health center, public or private, which has the obligation to prepare it, safeguard it and implement the necessary security measures so that it is not lost, is not communicated to unrelated parties and cannot be accessed by unauthorized third parties.<br />
<br />
The GDPR explicitly introduces the principle of accountability (article 5.2 GDPR), that is, the controller shall be responsible for compliance with the provisions of section 1 of article 5 and must be able to demonstrate it ("proactive responsibility").<br />
<br />
Report 0064/2020 of the AEPD Legal Office has clearly stated that "The GDPR has represented a paradigm shift in addressing the regulation of the right to the protection of personal data, which is based on the principle of "accountability" or "proactive responsibility", as repeatedly pointed out by the AEPD (Report 17/2019, among many others) and as included in the Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (LOPDGDD)".<br />
<br />
The respondent, in its capacity as controller of said processing, should have adopted and implemented, proactively, the technical and organizational measures appropriate to evaluate and guarantee a level of security adequate to the probable risks of diverse nature and severity linked to the health data processing carried out.<br />
<br />
For these purposes, article 24 of the GDPR, under the heading "Responsibility of the controller", provides:<br />
<br />
"1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.<br />
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller. (…)"<br />
<br />
For its part, article 25 of the GDPR, under the heading "Data protection by design and by default", provides:<br />
<br />
"1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.<br />
<br />
2. The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible, without the individual's intervention, to an indefinite number of natural persons. (…)"<br />
<br />
Likewise, article 28.1 of the LOPDGDD states that:<br />
<br />
"Controllers and processors, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, shall determine the appropriate technical and organizational measures that must be applied in order to guarantee and demonstrate that the processing complies with the aforementioned regulation, with this organic law, its implementing regulations and the applicable sectoral legislation."<br />
<br />
Consequently, the responsibility of the controller must be established for any processing of personal data carried out by it or on its behalf. In particular, the controller must be obliged to apply timely and effective measures and must be able to demonstrate the conformity of the processing activities with the GDPR, including the effectiveness of the measures (GDPR recital 74).<br />
<br />
In summary, this principle requires a conscious, diligent, committed and proactive attitude on the part of the controller regarding all the processing of personal data that it carries out.<br />
<br />
<br />
In the present case, the claimed entity is accused of failing to implement the<br />
technical and organizational measures necessary to guarantee a level of security<br />
appropriate to the risk derived from the processing of patients' health data (a<br />
special category of personal data in accordance with the provisions of article 9.1 of<br />
the RGPD), in order to prevent the violation of the principle of confidentiality, as<br />
emerges from the assessment of the set of facts analyzed.<br />
<br />
In general, it should be noted that in the processing of clinical records one must<br />
not wait until improper access has occurred in order to react afterwards (which<br />
would shift the responsibility to the worker instead of the controller) but, based<br />
on the aforementioned principles of proactive responsibility and data protection by<br />
design, prevent improper access from occurring.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 18/26<br />
<br />
From the above, it is evident that the defendant, as controller of the processing<br />
under study, has not shown the diligence that was required to establish<br />
the security measures necessary to prevent the leakage or dissemination of<br />
this type of data to third parties. In this sense, the technical and organizational<br />
measures must be configured so that, prior to carrying out the processing of<br />
personal data, it is guaranteed that only the personnel who carry out care activity<br />
for the owner of the records can have access to them.<br />
<br />
If the computer application that controls access to clinical records<br />
were correctly programmed, it could determine, at the moment access is<br />
requested, whether the person requesting it (depending on their specialty, shift or<br />
activity at that moment) is legitimately entitled to access it.<br />
<br />
Finally, data protection by design must be complemented by the implementation of<br />
periodic audits, so that failures in the system can be detected which, in turn,<br />
advise modifying the access protocols in the event of undue access.<br />
<br />
Consequently, the allegations must be rejected, since the arguments presented<br />
neither undermine the essential content of the infringement declared to have been<br />
committed nor constitute sufficient justification or exculpation.<br />
<br />
The claimed entity is charged with committing an infringement for violation of<br />
article 5.1.f) of the RGPD, which governs the principle of confidentiality and<br />
integrity of personal data, as well as the proactive responsibility of the<br />
controller to demonstrate compliance, and of article 32 of the GDPR.<br />
<br />
IV<br />
<br />
<br />
Regarding health data, recital 35 of the GDPR states the following:<br />
<br />
“Personal data concerning health should include all data<br />
pertaining to the health status of the data subject which reveal information relating<br />
to the past, current or future physical or mental health status of the data subject.<br />
This includes information about the natural person collected in the course of<br />
registration for, or the provision of, health care services, in accordance with Directive<br />
2011/24/EU of the European Parliament and of the Council; any number, symbol or<br />
particular assigned to a natural person to uniquely identify that person for health<br />
purposes; information derived from the testing or examination of a body part or<br />
bodily substance, including from genetic data and biological samples; and any<br />
information on, for example, a disease, disability, disease risk, medical history,<br />
clinical treatment or the physiological or biomedical state of the data subject,<br />
independent of its source, for example from a physician or other health professional,<br />
a hospital, a medical device or an in vitro diagnostic test.”<br />
<br />
<br />
For its part, article 4 of the GDPR defines:<br />
<br />
“2) “processing”: any operation or set of operations performed on<br />
personal data or sets of personal data, whether or not by automated means,<br />
such as collection, recording, organization, structuring, storage,<br />
adaptation or alteration, retrieval, consultation, use, disclosure by<br />
transmission, dissemination or otherwise making available, alignment or<br />
combination, restriction, erasure or destruction;<br />
<br />
7) "controller": the natural or legal person, public authority, agency or other<br />
body which, alone or jointly with others, determines the purposes and means of<br />
the processing of personal data; where the purposes and means of such processing<br />
are determined by Union or Member State law, the controller or the specific criteria<br />
for its nomination may be provided for by Union or Member State law;<br />
<br />
<br />
10) "third party": a natural or legal person, public authority, agency or body other<br />
than the data subject, the controller, the processor and the persons who, under the<br />
direct authority of the controller or processor, are authorized to process personal<br />
data;”<br />
<br />
V<br />
The processing of data from clinical records is regulated in Law 41/2002, of<br />
November 14, basic regulation of patient autonomy and of rights and obligations<br />
regarding clinical information and documentation.<br />
<br />
Its article 3 states:<br />
<br />
<br />
“Clinical history: the set of documents that contain the data, evaluations and<br />
information of any kind about the situation and clinical evolution of a<br />
patient throughout the care process.”<br />
<br />
In article 16, the uses of medical history are established:<br />
<br />
"1. The clinical history is an instrument designed fundamentally to guarantee<br />
adequate patient care. The care professionals at the center who perform the<br />
diagnosis or treatment of the patient have access to the patient's clinical history<br />
as a fundamental instrument for their adequate care.<br />
<br />
2. Each center shall establish the methods that enable access to each patient's<br />
clinical history by the professionals who assist them.”<br />
<br />
<br />
VI<br />
Article 5.1.f) of the GDPR<br />
<br />
Article 5.1.f) of the RGPD establishes the following:<br />
<br />
“Article 5 Principles relating to processing:<br />
<br />
1. Personal data shall be:<br />
<br />
(…)<br />
<br />
f) processed in a manner that ensures appropriate security of the personal<br />
data, including protection against unauthorized or unlawful processing and against<br />
accidental loss, destruction or damage, using appropriate technical or<br />
organizational measures (“integrity and confidentiality”).”<br />
<br />
In relation to this principle, Recital 39 of the aforementioned GDPR states that:<br />
<br />
“[…] Personal data should be processed in a manner that ensures appropriate<br />
security and confidentiality of the personal data, including for preventing<br />
unauthorized access to or use of said data and the equipment used for the processing.”<br />
<br />
It must be added that the category of data to which an outside third party has<br />
had access falls within the special categories provided for in art. 9 of the RGPD, a<br />
circumstance that represents an added risk which must be assessed in the risk<br />
management study and which increases the required degree of protection in<br />
relation to the security and safeguarding of the integrity and confidentiality of<br />
these data.<br />
<br />
<br />
Consequently, it is considered that the proven facts constitute an infringement,<br />
attributable to the claimed party, for violation of article 5.1.f) of the GDPR.<br />
<br />
VII<br />
Classification of the violation of article 5.1.f) of the RGPD<br />
<br />
<br />
Article 83.5 of the GDPR provides the following:<br />
<br />
"5. Infringements of the following provisions shall be sanctioned, in accordance with<br />
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,<br />
in the case of an undertaking, an amount equivalent to a maximum of 4% of the<br />
total worldwide annual turnover of the preceding financial year, whichever is<br />
the higher:<br />
<br />
a) the basic principles for processing, including the conditions for<br />
consent, in accordance with articles 5, 6, 7 and 9;”<br />
<br />
<br />
For its part, article 71 of the LOPDGDD, under the heading “Infringements”, determines<br />
the following:<br />
<br />
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of<br />
Regulation (EU) 2016/679, as well as those that are contrary to this organic law.”<br />
<br />
For the purposes of the limitation period for infringements, article 72 of the LOPDGDD,<br />
under the heading “Infringements considered very serious”, establishes the following:<br />
<br />
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
infringements that involve a substantial violation of the articles mentioned therein<br />
are considered very serious and shall be time-barred after three years, and in<br />
particular the following:<br />
<br />
a) The processing of personal data in violation of the principles and guarantees<br />
established in article 5 of Regulation (EU) 2016/679.”<br />
<br />
VIII<br />
<br />
Article 32 of the GDPR<br />
<br />
<br />
Article 32 of the GDPR, security of processing, establishes the following:<br />
<br />
1. Taking into account the state of the art, the costs of implementation, and the<br />
nature, scope, context and purposes of the processing, as well as the risks of<br />
varying likelihood and severity for the rights and freedoms of natural persons,<br />
the controller and the processor shall implement appropriate technical and<br />
organizational measures to guarantee a level of security appropriate to the risk,<br />
which, where applicable, includes, among others:<br />
<br />
a) the pseudonymization and encryption of personal data;<br />
<br />
b) the ability to guarantee the ongoing confidentiality, integrity, availability and<br />
resilience of processing systems and services;<br />
<br />
c) the ability to restore the availability of and access to personal data<br />
quickly in the event of a physical or technical incident;<br />
<br />
d) a process for regularly testing, assessing and evaluating the effectiveness<br />
of the technical and organizational measures for guaranteeing the security of the processing.<br />
<br />
2. When assessing the appropriate level of security, particular account shall be<br />
taken of the risks presented by the processing, in particular as a<br />
consequence of the accidental or unlawful destruction, loss or alteration of<br />
personal data transmitted, stored or otherwise processed, or the unauthorized<br />
disclosure of or access to said data (The emphasis is from the AEPD).<br />
<br />
Recital 75 of the GDPR lists a series of factors or situations associated with<br />
risks to the rights and freedoms of data subjects:<br />
<br />
<br />
“The risks to the rights and freedoms of natural persons, of varying likelihood and<br />
severity, may result from data processing which could lead to physical,<br />
material or non-material damage, in particular where the processing may give<br />
rise to discrimination, identity theft or fraud, financial loss, damage to<br />
reputation, loss of confidentiality of data protected by professional secrecy,<br />
unauthorized reversal of pseudonymization or any other significant economic or<br />
social disadvantage; where data subjects are deprived of their rights and freedoms<br />
or are prevented from exercising control over their personal data; where the<br />
personal data processed reveal racial or ethnic origin, political opinions,<br />
religious or philosophical beliefs, trade union membership, or involve the processing<br />
of genetic data, data concerning health or data concerning sex life, or criminal<br />
convictions and offences or related security measures; where personal aspects are<br />
evaluated, in particular the analysis or prediction of aspects concerning<br />
performance at work, economic situation, health, personal preferences or<br />
interests, reliability or behaviour, location or movements, in order to create or<br />
use personal profiles; where personal data of vulnerable persons, in particular<br />
children, are processed; or where the processing involves a large amount of<br />
personal data and affects a large number of data subjects.”<br />
<br />
<br />
In the present case, as stated in the facts and in the context of file<br />
E/05028/2021, the AEPD requested that the date and time of the accesses, the details of<br />
the type of data accessed, and the documentation accrediting the existing<br />
justification for such accesses be provided. In the documentation provided, the<br />
claimed party only acknowledges the existence of said accesses, but does not<br />
pronounce on their legitimacy nor provide a copy of the requested investigation.<br />
<br />
The consequence of this deficient implementation of security measures was the<br />
exposure to an outside third party of personal data relating to the health of the<br />
complaining party. That is, the affected person has been deprived of control over her<br />
personal data relating to her clinical history.<br />
<br />
<br />
It must be added that the category of data to which an outside third party has<br />
had access falls within the special categories provided for in art. 9 of the RGPD, a<br />
circumstance that represents an added risk which must be assessed in the risk<br />
management study and which increases the required degree of protection in<br />
relation to the security and safeguarding of the integrity and confidentiality of<br />
these data.<br />
<br />
This risk must be taken into account by the controller, who must establish the<br />
necessary technical and organizational measures to prevent the loss of control of<br />
the data by the controller and, therefore, by the data subjects who provided them.<br />
<br />
Therefore, the proven facts constitute an infringement, attributable to the<br />
claimed party, for violation of article 32 RGPD.<br />
<br />
<br />
IX<br />
<br />
Classification of the violation of article 32 of the RGPD<br />
<br />
The aforementioned violation of article 32 of the RGPD implies the commission of the<br />
infringements typified in article 83.4 of the RGPD, which under the heading “General<br />
conditions for the imposition of administrative fines” provides:<br />
<br />
“Infringements of the following provisions shall be sanctioned, in accordance with<br />
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,<br />
in the case of an undertaking, an amount equivalent to a maximum of 2% of the<br />
total worldwide annual turnover of the preceding financial year, whichever is<br />
the higher:<br />
<br />
a) the obligations of the controller and the processor pursuant to Articles 8,<br />
11, 25 to 39, 42 and 43; (…)”<br />
<br />
<br />
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that<br />
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of<br />
Regulation (EU) 2016/679, as well as those that are contrary to this organic law.”<br />
<br />
<br />
For the purposes of the limitation period, article 73 “Infringements considered serious”<br />
of the LOPDGDD indicates:<br />
<br />
“Based on what is established in article 83.4 of Regulation (EU) 2016/679,<br />
infringements that involve a substantial violation of the articles mentioned therein<br />
are considered serious and shall be time-barred after two years, and in particular<br />
the following:<br />
<br />
f) The failure to adopt the technical and organizational measures that are<br />
appropriate to guarantee a level of security appropriate to the risk of the processing,<br />
in the terms required by article 32.1 of Regulation (EU) 2016/679”<br />
<br />
X<br />
<br />
Responsibility<br />
<br />
Law 40/2015, of October 1, on the Legal Regime of the Public Sector, establishes in<br />
Chapter III, relating to the “Principles of the Sanctioning Power”, in article 28<br />
under the heading “Responsibility”, the following:<br />
<br />
<br />
"1. Only natural and legal persons, as well as, when a Law recognizes their<br />
capacity to act, groups of affected persons, unions and entities without legal<br />
personality and independent or autonomous assets, may be sanctioned for acts<br />
constituting an administrative infraction, where they are responsible for them<br />
by way of intent or fault.”<br />
<br />
The lack of diligence in implementing appropriate security measures, with the<br />
consequent breach of the principle of confidentiality, constitutes the element of<br />
fault.<br />
<br />
<br />
XI<br />
Sanction<br />
<br />
Article 83 “General conditions for the imposition of administrative fines” of the<br />
GDPR establishes in section 7:<br />
<br />
“Without prejudice to the corrective powers of supervisory authorities pursuant to<br />
Article 58(2), each Member State may lay down the rules on whether and to what<br />
extent administrative fines may be imposed on public authorities and bodies<br />
established in that Member State.”<br />
<br />
<br />
Likewise, article 77 “Regime applicable to certain categories of controllers or<br />
processors” of the LOPDGDD provides the following:<br />
<br />
"1. The regime established in this article shall apply to processing operations<br />
for which the following are controllers or processors:<br />
<br />
(…)<br />
<br />
c) The General Administration of the State, the Administrations of the<br />
autonomous communities and the entities that make up the Local Administration.<br />
<br />
2. When the controllers or processors listed in section 1 commit any of the<br />
infringements referred to in articles 72 to 74 of this organic law, the competent<br />
data protection authority shall issue a resolution sanctioning them with a<br />
warning. The resolution shall likewise establish the measures to be adopted to<br />
stop the conduct or correct the effects of the infringement committed.<br />
<br />
The resolution shall be notified to the controller or processor, to the body on<br />
which it hierarchically depends, if applicable, and to the affected persons who<br />
have the status of interested party, if applicable.<br />
<br />
3. Without prejudice to what is established in the previous section, the data<br />
protection authority shall also propose the initiation of disciplinary actions when<br />
there is sufficient evidence for this. In this case, the procedure and sanctions to be<br />
applied shall be those established in the applicable legislation on the disciplinary or<br />
sanctioning regime.<br />
<br />
Likewise, when the infringements are attributable to authorities and managers, and<br />
the existence of technical reports or recommendations concerning the processing that<br />
had not been duly attended to is proven, the resolution imposing the sanction<br />
shall include a reprimand naming the position responsible and shall order its<br />
publication in the Official State Gazette or the corresponding regional Gazette.<br />
<br />
(…)<br />
<br />
5. The actions carried out and the resolutions issued under this article shall be<br />
communicated to the Ombudsman or, where appropriate, to the similar institutions<br />
of the autonomous communities.”<br />
<br />
In the present case, it is considered appropriate to sanction the claimed party with<br />
a warning, for violation of article 5.1.f) of the RGPD and for violation of article 32<br />
of the GDPR, due to the lack of diligence in implementing appropriate security<br />
measures, with the consequent breach of the principle of confidentiality.<br />
<br />
XII<br />
Measures<br />
<br />
<br />
Article 58.2 of the GDPR provides: “Each supervisory authority shall have all of the<br />
following corrective powers:<br />
<br />
d) to order the controller or processor to bring processing operations into<br />
compliance with the provisions of this Regulation, where appropriate, in a<br />
specified manner and within a specified period;”<br />
<br />
<br />
Likewise, it is appropriate to impose the corrective measure described in article 58.2.d)<br />
of the RGPD and order the claimed party to establish, within a period of one month,<br />
adequate security measures so that its processing operations comply with the<br />
requirements of articles 5.1 f) and 32 of the RGPD, preventing similar situations<br />
from occurring in the future.<br />
<br />
The text of the resolution establishes which infringements have been committed and<br />
the events that gave rise to the violation of the data protection regulations, from<br />
which the measures to be adopted are clearly inferred, without prejudice to the fact<br />
that the specific procedures, mechanisms or instruments for implementing them are a<br />
matter for the sanctioned party, since it is the controller that fully knows its<br />
organization and must decide, based on proactive responsibility and the risk-based<br />
approach, how to comply with the GDPR and the LOPDGDD.<br />
<br />
<br />
Therefore, in accordance with the applicable legislation and having evaluated the<br />
criteria for graduating the sanctions whose existence has been proven, the Director<br />
of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: SANCTION with WARNING the HEALTH DEPARTMENT OF<br />
THE COMMUNITY OF MADRID, with NIF S7800001E, for a violation of the article<br />
5.1.f) of the RGPD, typified in article 83.5 of the RGPD.<br />
<br />
SECOND: SANCTION with WARNING the HEALTH DEPARTMENT OF THE COMMUNITY OF<br />
MADRID, with NIF S7800001E, for a violation of article 32 of the RGPD, typified in<br />
article 83.4 of the RGPD.<br />
<br />
THIRD: REQUIRE the HEALTH DEPARTMENT OF THE COMMUNITY OF MADRID to<br />
implement, within one month, the corrective measures necessary to adapt its actions<br />
to the personal data protection regulations and prevent similar events from being<br />
repeated in the future, as well as to inform this Agency within the same period of<br />
the measures adopted.<br />
<br />
<br />
FOURTH: NOTIFY this resolution to the HEALTH DEPARTMENT OF THE<br />
COMMUNITY OF MADRID, with NIF S7800001E.<br />
<br />
FIFTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the<br />
provisions of article 77.5 of the LOPDGDD.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance<br />
with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of<br />
the LPACAP, interested parties may optionally file an appeal for reconsideration before<br />
the Director of the Spanish Data Protection Agency within a period of one month from<br />
the day following the notification of this resolution, or directly a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
aforementioned Law.<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP,<br />
the final resolution may be provisionally suspended through administrative channels if the<br />
interested party expresses the intention to file a contentious-administrative appeal.<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, submitted through the<br />
Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or<br />
through any of the other registries provided for in art. 16.4 of the aforementioned<br />
Law 39/2015, of October 1. The interested party must also provide the Agency with the<br />
documentation proving the effective filing of the contentious-administrative appeal.<br />
If the Agency is not made aware of the filing of the contentious-administrative appeal<br />
within a period of two months from the day following the notification of this<br />
resolution, the precautionary suspension shall terminate.<br />
938-120722<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PD-00207-2022&diff=39235AEPD (Spain) - PD-00207-20222024-01-17T11:38:19Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PD-00207-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/pd-00207-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PD-00207-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/pd-00207-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=06.07.2022<br />
|Date_Decided=15.11.2024<br />
|Date_Published=<br />
|Year=2024<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12 GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR<br />
|GDPR_Article_2=Article 15 GDPR<br />
|GDPR_Article_Link_2=Article 15 GDPR<br />
|GDPR_Article_3=Article 15(3) GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR#3<br />
|GDPR_Article_4=Article 17 GDPR<br />
|GDPR_Article_Link_4=Article 17 GDPR<br />
|GDPR_Article_5=Article 31 GDPR<br />
|GDPR_Article_Link_5=Article 31 GDPR<br />
|GDPR_Article_6=Article 39 GDPR<br />
|GDPR_Article_Link_6=Article 39 GDPR<br />
|GDPR_Article_7=Article 55 GDPR<br />
|GDPR_Article_Link_7=Article 55 GDPR<br />
|GDPR_Article_8=Article 56(2) GDPR<br />
|GDPR_Article_Link_8=Article 56 GDPR#2<br />
|GDPR_Article_9=Article 57(1)(f) GDPR<br />
|GDPR_Article_Link_9=Article 57 GDPR#1f<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
|GDPR_Article_11=<br />
|GDPR_Article_Link_11=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 12 LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 13 LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 37 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 47 LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 48(6) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 50 LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 64(1) LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=Article 64(2) LOPDGDD<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_9=Article 65(4) LOPDGDD<br />
|National_Law_Link_9=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_10=<br />
|National_Law_Link_10=<br />
|National_Law_Name_11=<br />
|National_Law_Link_11=<br />
<br />
|Party_Name_1=WORKING CAPITAL MANAGEMENT ESPAÑA<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.rosal.santos<br />
|<br />
}}<br />
<br />
Spanish DPA dismisses the complaint of a data subject since the data controller did respond to the access and erasure request. The existence of an outstanding debt with the controller justifies the processing of the personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject requested access to and erasure of their personal data from a list of insolvent persons. The data was initially handled by the data controller, but control was subsequently transferred. Even though the data subject affirmed that their requests were not properly addressed by the initial controller, the company stated that all the answers were provided in a timely manner, including notice of the change of control over the data.<br />
<br />
=== Holding ===<br />
The DPA dismissed the complaint. Since the controller had responded to the data subject in a timely manner, granting access and refusing erasure with reasons, and since the data subject had an outstanding debt with the controller, the complaint could not be upheld.<br />
<br />
== Comment ==<br />
The Spanish DPA stressed that sanctioning proceedings are exceptional and that, whenever possible, the alternative mechanisms provided for in the applicable regulations should prevail over administrative sanctions.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202205064<br />
<br />
<br />
<br />
RESOLUTION NO.: R/01128/2022<br />
<br />
Considering the claim made on April 6, 2022 before this Agency by A.A.A. (hereinafter, the claimant) against WORKING CAPITAL MANAGEMENT ESPAÑA, S.L. (hereinafter, the claimed party), on the ground that their rights of access and erasure had not been properly addressed.<br />
<br />
The procedural actions provided for in Title VIII of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD) have been carried out, and the following has been verified:<br />
<br />
<br />
FACTS<br />
<br />
FIRST: The claimant exercised the rights of access and erasure against the claimed party, without the request having received the legally required response. The claimant states that their personal data are registered in common credit information systems in relation to a debt, owed to the claimed entity, of which they have no knowledge; they therefore request information about the debt as well as the erasure of their data.<br />
<br />
The claimant provides various documents relating to the claim raised before this Agency and to the exercise of the rights in question.<br />
<br />
SECOND: In accordance with article 65.4 of the LOPDGDD, which provides for a mechanism prior to the admission for processing of claims made before the AEPD, consisting of transferring them to the Data Protection Officers designated by the controllers or processors, for the purposes set out in article 37 of that law, or to the controllers or processors themselves when no officer has been designated, the claim was transferred to the claimed entity so that it could analyse it and respond to the claimant and to this Agency within one month.<br />
<br />
<br />
<br />
THIRD: The outcome of the transfer procedure described in the previous Fact did not allow the claimant's requests to be considered satisfied. Consequently, on July 6, 2022, for the purposes of article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the claim for processing, and the parties were informed that the maximum period to resolve this procedure, which is deemed to have been initiated by that admission agreement, would be six months.<br />
<br />
<br />
That agreement granted the claimed entity a hearing, so that it could submit, within fifteen business days, the allegations it deemed appropriate. The entity submitted, in summary, the following allegations:<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/6<br />
The claimed party states and certifies that it informed the claimant of the entire process by which the debt passed from one company to another. Furthermore, regarding the delinquency files, it informed the claimant:<br />
<br />
“…that your credit is included in the ASNEF-EQUIFAX asset solvency and credit file, also enclosing a copy of the information about you that appeared at that time in the aforementioned asset solvency and credit file; and that, during the period of 15 days from the date of said letter, your data will not be visible in that file, but that, if after that period you do not regularize your situation, your data will be visible in that file, with Working Capital Management España, S.L. appearing as creditor…”<br />
<br />
The claimed party affirms that there is a certain and enforceable debt of which it is the creditor, for which it provides documentary evidence in its allegations. The allegations also document that erasure of the claimant's data from the asset solvency file was requested, but the claimed party states that the debt remains unpaid and that it therefore cannot erase the data.<br />
<br />
FOURTH: The allegations submitted by the claimed party were examined and forwarded to the claimant so that, within fifteen business days, the claimant could submit any allegations deemed appropriate. At the date of resolution of this claim, allegations have been submitted.<br />
<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
FIRST: The Director of the Spanish Data Protection Agency is competent to resolve this procedure, in accordance with article 56(2) in relation to article 57(1)(f) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter GDPR), and with article 47 of the LOPDGDD.<br />
<br />
SECOND: Under article 55 of the GDPR, the Spanish Data Protection Agency is competent to perform the tasks assigned to it in article 57, including enforcing the Regulation, promoting the awareness of controllers and processors of their obligations, and handling claims lodged by a data subject and investigating their subject matter.<br />
<br />
Correspondingly, article 31 of the GDPR establishes the obligation of controllers and processors to cooperate, on request, with the supervisory authority in the performance of its tasks. Where a data protection officer has been designated, article 39 of the GDPR assigns to that officer the task of cooperating with the supervisory authority.<br />
<br />
<br />
<br />
In accordance with these rules, before the claim giving rise to this procedure was admitted for processing, it was transferred to the controller so that it could analyse it, respond to this Agency within one month and demonstrate that it had provided the claimant with the appropriate response in the event of an exercise of the rights regulated in articles 15 to 22 of the GDPR.<br />
<br />
<br />
That admission agreement determines the opening of this procedure for failure to address a request to exercise the rights established in articles 15 to 22 of the GDPR, regulated in article 64.1 of the LOPDGDD, according to which:<br />
<br />
"1. Where the procedure refers exclusively to the failure to address a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an agreement of admission for processing, which shall be adopted in accordance with the provisions of the following article.<br />
In this case, the period to resolve the procedure shall be six months from the date on which the claimant was notified of the admission agreement. After that period, the interested party may consider their claim upheld."<br />
<br />
It is not considered appropriate to determine administrative liability within the framework of a sanctioning procedure, whose exceptional nature means that, whenever possible, preference is given to the alternative mechanisms provided for in the applicable regulations.<br />
<br />
It falls exclusively to this Agency to assess whether there are administrative liabilities to be determined in a sanctioning procedure and, consequently, to decide on its opening; there is no obligation to initiate such a procedure upon every request made by a third party. That decision must be based on the existence of elements justifying the initiation of sanctioning activity, circumstances which do not arise in the present case, since this procedure duly restores the guarantees and rights of the claimant.<br />
<br />
<br />
THIRD: The rights of individuals in relation to the protection of personal data are regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. They are the rights of access, rectification, erasure, objection, restriction of processing and portability.<br />
<br />
The formal aspects relating to the exercise of these rights are set out in article 12 of the GDPR and article 12 of the LOPDGDD. Recital 59 et seq. of the GDPR should also be taken into account.<br />
<br />
<br />
In accordance with these provisions, the controller must put in place formulas and mechanisms to facilitate the exercise of the data subject's rights, which shall be free of charge (without prejudice to articles 12.5 and 15.3 of the GDPR), and is obliged to respond to requests no later than one month after receipt, unless it can demonstrate that it is not in a position to identify the data subject, and to state its reasons where it does not intend to act on the request. The burden of proving compliance with the duty to respond to the data subject's request lies with the controller.<br />
<br />
The communication addressed to the data subject in response to the request must be expressed in a concise, transparent, intelligible and easily accessible form, using clear and plain language.<br />
<br />
In the case of the right of access, in accordance with article 13 of the LOPDGDD, where the request concerns a large amount of data, the controller may ask the data subject to specify the “data or processing activities to which the request refers”. The right is deemed to be granted if the controller provides remote access to the data, in which case the request is considered to have been addressed (although the data subject may still request the information referred to in article 15 of the GDPR).<br />
<br />
The exercise of this right on more than one occasion within a period of six months may be considered repetitive, unless there is a legitimate reason for it.<br />
<br />
A request is considered excessive when the data subject chooses a means other than the one offered that entails a disproportionate cost, which must be borne by the data subject.<br />
<br />
<br />
FOURTH: Article 17 of the GDPR, which regulates the right to erasure of personal data, establishes the following:<br />
<br />
"1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:<br />
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;<br />
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;<br />
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);<br />
(d) the personal data have been unlawfully processed;<br />
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;<br />
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).<br />
<br />
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.<br />
<br />
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:<br />
(a) for exercising the right of freedom of expression and information;<br />
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);<br />
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or<br />
(e) for the establishment, exercise or defence of legal claims."<br />
<br />
<br />
FIFTH: In the case under analysis, the claimant exercised the rights of access and erasure and both were addressed: access was granted and erasure was refused with reasons. The claimed entity certifies that it responded to the claimant's request by letter dated 02/19/2022 and that on 09/15/2022 it sent the response again.<br />
<br />
The claimant incurred a debt with one entity and the debt was assigned to another. This second entity, the current creditor of the debt and the claimed party in this claim, proves that it informed the claimant of the entire change of creditor, and likewise proves that it informed the claimant of the inclusion in an asset solvency file in the event of non-payment.<br />
<br />
On the basis of the foregoing, considering that the object of this procedure is that the guarantees and rights of the persons affected are duly restored, and given that there is an outstanding debt and the claimed party complied with the regulations by refusing erasure with reasons, this claim is dismissed.<br />
<br />
<br />
Considering the aforementioned precepts and others of general application, the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO DISMISS the claim made by A.A.A. against WORKING CAPITAL MANAGEMENT ESPAÑA, S.L.<br />
<br />
SECOND: TO NOTIFY this resolution to A.A.A. and WORKING CAPITAL MANAGEMENT ESPAÑA, S.L.<br />
<br />
In accordance with article 50 of the LOPDGDD, this resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which ends the administrative procedure in accordance with article 48.6 of the LOPDGDD, and in accordance with article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of that Law.<br />
<br />
<br />
<br />
1195-281022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202201247&diff=35533AEPD (Spain) - EXP2022012472023-10-17T16:16:04Z<p>Isabela.maria.rosal: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00304-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00304-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=14.01.2022<br />
|Date_Decided=<br />
|Date_Published=28.11.2022<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 58(2) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#2<br />
|GDPR_Article_5=Article 83(5) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#5<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 47 LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 48(1) LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 50 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 6(1) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 63(2) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 65(4) LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 72(1)(b) LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=<br />
|National_Law_Link_8=<br />
|National_Law_Name_9=<br />
|National_Law_Link_9=<br />
<br />
|Party_Name_1=Data Subject<br />
|Party_Link_1=<br />
|Party_Name_2=AUTOMOVILES FERSAN, S.A.<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA held that processing the personal data of the co-owner of a car bought with a loan was lawful even without their explicit consent, because the data subject was a party to the contract as co-owner and was not acting as a guarantor.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject complained that the controller, a car dealership, had used their personal data to obtain financing for a car bought by their sister. The data subject claimed that their data had been processed without consent and that they had been made guarantor of the purchase without their knowledge. However, there was evidence that the data subject knew about the transaction and, as the controller stated, the data subject was in fact co-owner of the car in dispute, not its guarantor.<br />
<br />
=== Holding ===<br />
The DPA held that processing the personal data of a data subject who is co-owner of a car bought under a contract is lawful under Article 6 GDPR. Consent is not required where the data subject is a party to a contract with the controller, since performance of that contract is itself a legal basis for the processing. Because the data subject was co-owner of the car and did not act as guarantor, the DPA found no breach of the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202201247<br />
<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
<br />
to the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On January 14, 2022, A.A.A. (hereinafter, the claimant) filed a claim with the Spanish Data Protection Agency.<br />
<br />
The claim is directed against AUTOMOVILES FERSAN, S.A. with NIF A03071248 (hereinafter, the claimed party).<br />
<br />
The reasons on which the claim is based are the following:<br />
<br />
The claimant states that the claimed party used her personal data to include them in a vehicle purchase contract without her consent.<br />
<br />
The claimant states that her personal data were used without her consent to guarantee the sale of a vehicle acquired by her sister, in the processing of its financing.<br />
<br />
She indicates that her sister purchased the vehicle from the claimed entity, which handled the procedures to formalize a loan contract financed by BMW BANK GMBH, using the claimant's data to obtain sufficient guarantee and carry out the operation.<br />
<br />
When the purchaser defaulted on payment, the financial institution demanded payment from the claimant and, when the claimant asked for justification of the amount claimed, the financial institution provided documents, described by the claimant as false, in which, in addition to the personal data of her sister as buyer of the vehicle, the claimant's personal data and her signature were also added.<br />
<br />
She provides the legal demand and the credit contract, which is solely in the name of B.B.B. (sister of the claimant).<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on February 3, 2022, the claim was transferred to the claimed party so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations.<br />
<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/6<br />
The transfer, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on February 4, 2022, as shown by the acknowledgment of receipt in the file.<br />
<br />
On March 3, 2022, this Agency received a response letter stating that AUTOMÓVILES FERSÁN, through BMW Group Financial Services, has a clear protocol on the documentation to be requested when a person applies for financing; this protocol is strictly applied by the dealership and applies to all its sales staff.<br />
<br />
The four siblings of the family intervene at different times in this family operation (…), appearing as guarantors of the operation.<br />
<br />
It is stated that the operation was approved and viable, with the co-ownership of Mrs. B.B.B. and Mrs. A.A.A.<br />
<br />
The relationship of Mrs. A.A.A. and her family with AUTOMÓVILES FERSÁN, S.A., in chronological order, is as follows:<br />
<br />
October 25, 2018. Mrs. C.C.C. (sister of Mrs. A.A.A.) asks AUTOMÓVILES FERSÁN for a quote, proposing that the purchase contract for the vehicle be in the name of a company that is going to be established.<br />
<br />
October 29, 2018. Mrs. C.C.C. sends the census registration and payroll of Mrs. B.B.B.<br />
<br />
November 8, 2018. Mr. D.D.D. (brother of the claimant) sends by email the 2017 income tax return (form 100) of Mrs. B.B.B.<br />
<br />
November 9, 2018, 9:00. Since the operation required a down payment, the option of having guarantors to secure the operation is viewed very favourably.<br />
<br />
November 9, 2018. Mr. D.D.D. sends by email the payroll and registration of Mrs. B.B.B. and writes to (…) (employee of the claimed entity):<br />
<br />
"Hello (…), I am attaching the payroll and registration.<br />
When they ask you for a guarantor, tell me what documentation I have to provide.<br />
All the best."<br />
<br />
November 9, 2018, 6:45 p.m. Once the study of Mrs. B.B.B. (sister of the claimant) is completed, collateral or a down payment of ***AMOUNT.€ must be provided.<br />
<br />
THIRD: On April 14, 2022, in accordance with article 65 of the LOPDGDD, the claim submitted by the claimant was admitted for processing.<br />
<br />
FOURTH: On July 20, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party, in accordance with articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of article 6.1 of the GDPR, classified in article 83.5 of the GDPR.<br />
FIFTH: The initiation agreement having been notified in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the claimed party submitted a written statement of allegations in which, in summary, it stated verbatim the following:<br />
<br />
(…).<br />
<br />
<br />
<br />
See Annex I. (…)<br />
<br />
<br />
<br />
Annex II is sent. (…).<br />
<br />
(…):<br />
<br />
<br />
(…).<br />
(…).<br />
<br />
(…).<br />
(…).<br />
<br />
<br />
(…).<br />
<br />
<br />
<br />
(…).<br />
<br />
SIXTH: On August 11, 2022, the instructor of the procedure agreed to admit, for evidentiary purposes, the claim filed by the claimant and its documentation, the documents obtained and generated during the admission phase of the claim, and the report of the previous investigation actions forming part of the procedure. Likewise, the allegations to the agreement initiating the sanctioning procedure, submitted by the claimed entity, and the accompanying documentation are deemed reproduced for evidentiary purposes.<br />
<br />
SEVENTH: On August 30, 2022, a proposed resolution was issued, proposing that the Director of the Spanish Data Protection Agency sanction AUTOMOVILES FERSAN, S.A. with NIF A03071248, for an infringement of article 6.1 of the GDPR, classified in article 83.5 of the GDPR and, for limitation purposes, in article 72.1 b) of the LOPDGDD, with a fine of 5,000 euros (five thousand euros).<br />
<br />
EIGHTH: On September 9, 2022, the claimed entity submitted allegations to the proposed resolution, pointing out that the claimant at no time acts as a guarantor but as a co-owner.<br />
<br />
It is further stated that:<br />
<br />
• (…).<br />
<br />
• (…).<br />
<br />
<br />
(…)<br />
<br />
From the actions carried out in this procedure and the documentation in the file, the following has been established:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: The claimant affirms that her personal data were used by the claimed party, without her consent, to guarantee the sale of a vehicle purchased by her sister.<br />
<br />
She provides the legal demand and the credit contract, which is solely in the name of B.B.B. (sister of the claimant).<br />
<br />
SECOND: The claimed entity states that the claimant is a co-owner, since she and her sister bought the vehicle that is the subject of the dispute.<br />
<br />
It provides:<br />
<br />
(…)<br />
(…)<br />
(…)<br />
<br />
(…)<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General<br />
Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and<br />
as established in articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the<br />
Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the<br />
Director of the Spanish Data Protection Agency is competent to initiate and resolve this<br />
procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by the<br />
Spanish Data Protection Agency will be governed by the provisions of Regulation (EU)<br />
2016/679, by this organic law, by the regulatory provisions issued in its development<br />
and, insofar as they do not contradict them, on a subsidiary basis, by the general rules<br />
on administrative procedures.”<br />
<br />
<br />
II<br />
<br />
Article 4.11 of the GDPR defines the consent of the data subject as “any freely given,<br />
specific, informed and unambiguous indication of the data subject's wishes by which he<br />
or she, by a statement or by a clear affirmative action, signifies agreement to the<br />
processing of personal data relating to him or her.”<br />
<br />
<br />
<br />
In this sense, article 6.1 of the LOPDGDD establishes that “in accordance with the<br />
provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected<br />
person is understood to be any freely given, specific, informed and unambiguous<br />
indication of his or her wishes by which he or she accepts, either by a statement or by<br />
a clear affirmative action, the processing of personal data relating to him or her.”<br />
<br />
For its part, article 6 of the RGPD establishes the following:<br />
<br />
“1. Processing shall be lawful only if at least one of the following conditions is met:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for<br />
one or more specific purposes;<br />
<br />
b) processing is necessary for the performance of a contract to which the data subject<br />
is party or in order to take steps at the request of the data subject prior to entering<br />
into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
<br />
d) processing is necessary in order to protect the vital interests of the data subject<br />
or of another natural person;<br />
<br />
e) processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the<br />
interests or fundamental rights and freedoms of the data subject which require<br />
protection of personal data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public<br />
authorities in the performance of their tasks.”<br />
<br />
<br />
III<br />
<br />
In the present case, the complaining party denounces AUTOMOVILES FERSAN, S.A. because it<br />
demands payment from her as guarantor for a vehicle purchased by her sister B.B.B.,<br />
despite the fact that only her sister, and not the claimant, appears in the financing<br />
contract.<br />
<br />
The claimed entity has provided documentation showing that the claimant is the joint<br />
owner of the vehicle that gave rise to the debt claimed and that, therefore, payment is<br />
demanded from her not as guarantor but as co-owner. Specifically, it provides the court<br />
claim for non-payment, in which both the claimant and B.B.B. appear as owners of the<br />
vehicle, and the financing contract.<br />
<br />
Therefore, having established that the claimant is the joint owner of the vehicle and<br />
clarified the basis on which the debt is claimed, it must be considered that the claimed<br />
entity is legitimized to use the claimant's personal data, on the basis of the prior<br />
execution of a purchase and sale contract, and therefore there is no violation of<br />
article 6 of the RGPD indicated in legal basis II.<br />
<br />
<br />
Therefore, in view of these facts, the Director of the Spanish Data Protection Agency<br />
RESOLVES:<br />
<br />
FIRST: PROCEED TO ARCHIVE these proceedings.<br />
<br />
<br />
SECOND: NOTIFY this resolution to the claimant and defendant.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure as provided<br />
in art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, and in accordance with arts. 112 and 123 of the<br />
aforementioned Law 39/2015, of October 1, interested parties may optionally file an<br />
appeal for reconsideration before the Director of the Spanish Data Protection Agency<br />
within one month from the day following notification of this resolution, or directly a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National High Court, in accordance with article 25 and section 5 of the fourth<br />
additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within two months from the day following<br />
notification of this act, as provided for in article 46.1 of the aforementioned Law.<br />
<br />
<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00117/2022&diff=35532AEPD (Spain) - PS/00117/20222023-10-17T16:12:00Z<p>Isabela.maria.rosal: /* Facts */</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00117-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00117-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=10.09.2016<br />
|Date_Decided=<br />
|Date_Published=14.04.2027<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 9 GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR<br />
|GDPR_Article_4=Article 9 GDPR<br />
|GDPR_Article_Link_4=Article 9 GDPR<br />
|GDPR_Article_5=Article 57(1) GDPR<br />
|GDPR_Article_Link_5=Article 57 GDPR#1<br />
|GDPR_Article_6=Article 58(1) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#1<br />
|GDPR_Article_7=Article 83(1) GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR#1<br />
|GDPR_Article_8=Article 83(2) GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR#2<br />
|GDPR_Article_9=Article 83(5) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#5<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
|GDPR_Article_11=<br />
|GDPR_Article_Link_11=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 6(1) LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 63 LPACAP<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_3=Article 64 LPACAP<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_4=Article 65(4) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 73(1)(b) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 76 LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=<br />
|National_Law_Link_7=<br />
|National_Law_Name_8=<br />
|National_Law_Link_8=<br />
<br />
|Party_Name_1=Data subject<br />
|Party_Link_1=<br />
|Party_Name_2=Data controller<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
Spanish DPA fines controller for repeatedly sending emails containing personal data to members and non-members of a Personnel Board. The DPA ruled that there is no legal basis for this processing, especially after the data subject's objection.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject filed a complaint regarding the ongoing processing of their personal data via email messages in which their email address was visible to members and non-members of the Personnel Board to which both the data controller and the data subject belong. Being part of the same labour group could justify processing the data subject's personal data. However, the data controller shared the personal data with various persons, including people outside of the Board. Even after the data subject requested that the processing stop, emails containing the personal data continued to be sent. Without the data subject's consent, the data controller justified the processing on labour-related grounds under Article 9 GDPR, stressing that the email address containing the personal data is a corporate one.<br />
<br />
=== Holding ===<br />
The DPA found that the processing of the data subject's data was abusive, especially because personal data such as the data subject's email address were processed without their consent. Contrary to the GDPR, even after the data subject requested that their email address no longer be processed and shared with other people, the activity continued without the controller considering simple measures such as blind carbon copy (BCC) for sending emails, which would have mitigated the risk. Thus, the DPA ruled that the processing was unlawful and did not comply with Article 6 GDPR, since there was no legal basis for it. The fact that both the data subject and the data controller were part of the same Personnel Board did not change the outcome, since the email address, which reveals personal information, was sent to non-members, so Article 9 GDPR does not apply.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/11<br />
<br />
File No.: PS/00117/2022<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure conducted by the Spanish Data Protection Agency and based on the<br />
following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: A.A.A. (hereinafter, the complaining party), on March 11, 2021, filed a claim<br />
with the Spanish Data Protection Agency. The claim is directed against B.B.B. with NIF<br />
***NIF.1 (hereinafter, the claimed party).<br />
<br />
<br />
The reasons on which the claim is based are the following:<br />
<br />
Both the complaining party and the claimed party are members of the same personnel<br />
board, and the complaining party states that the claimed party has forwarded emails to<br />
other members and non-members of this personnel board and to corporate email addresses<br />
of unions and groups without legitimacy to do so.<br />
<br />
The email addresses that do not belong to the personnel board are the following:<br />
***EMAIL.1, ***EMAIL.2, ***EMAIL.3, ***EMAIL.4, ***EMAIL.5, ***EMAIL.6 and ***EMAIL.7<br />
(hereinafter, the reported email addresses).<br />
<br />
In that email, information about the complainant also appears, such as his name and<br />
work email address.<br />
<br />
<br />
The complainant sent an email on January 22, 2021 to members of the personnel board in<br />
which he requested that they stop forwarding his email address to third parties; but<br />
the claimed party again forwarded emails from the complainant to people outside the<br />
personnel board on February 16 and 17, 2021 and March 16, 2021.<br />
<br />
Relevant documentation provided by the complaining party:<br />
<br />
<br />
- Printout of email dated January 20, 2021 sent by ***EMAIL.8 to multiple email<br />
addresses, including the complainant's work email and the reported email addresses<br />
indicated in his claim, among others. In this email, a request is made that a new board<br />
member and the delegate of the STAS-CLM union section be included among the recipients<br />
of personnel board emails.<br />
<br />
- Printout of email dated January 22, 2021 in which the complainant replies to the<br />
recipients of the previous email, except for the reported email addresses. In this<br />
email he requests that his email address or other information from the personnel board<br />
not be sent to the reported email addresses because they do not belong to the personnel<br />
board.<br />
<br />
<br />
- Printout of email dated January 28, 2021 in which the complainant reiterates that he<br />
does not want his name or email address to be sent to other email addresses that do not<br />
correspond to personnel board members.<br />
<br />
- Printout of email dated February 16, 2021 sent by the claimed party to multiple email<br />
addresses that include the complainant's work email address and the following<br />
addresses, which the complainant indicates do not belong to the personnel board:<br />
***EMAIL.4, ***EMAIL.5, ***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. The<br />
content of this email is an attachment with the subject “exit minutes and documents”.<br />
<br />
- Printout of email dated February 17, 2021 sent by the claimed party to multiple email<br />
addresses that include the complainant's work email address and the following<br />
addresses, which the complainant indicates do not belong to the personnel board:<br />
***EMAIL.4, ***EMAIL.5, ***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. This email<br />
contains three attachments, and its content indicates that they contain FeSP-UGT<br />
proposals for a personnel board meeting.<br />
<br />
<br />
- Printout of email dated February 18, 2021 in which the complainant replies to the<br />
previous email of February 17, 2021, reiterates that he does not want those emails to be<br />
sent to other email addresses that do not correspond to members of the personnel board,<br />
and indicates which email addresses should not have been in the “To” field of the email<br />
of February 17, 2021.<br />
<br />
<br />
This claim was supplemented by a document presented by the complainant before the<br />
Spanish Data Protection Agency (hereinafter, AEPD), registered on March 26, 2021, in<br />
which, among other things, the following documentation is provided:<br />
<br />
- Printout of email dated March 16, 2021 sent by the claimed party to multiple email<br />
addresses that include the complainant's work email address and, among other addresses,<br />
the following: ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and ***EMAIL.9. This email contains<br />
an attachment and its content is “attachment registered writings.”<br />
<br />
<br />
- Indication that the email addresses ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and<br />
***EMAIL.9 correspond to CCOO affiliates who do not belong to the personnel board.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the<br />
Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said<br />
claim was transferred to the claimed party, so that it could analyse it and inform this<br />
Agency, within one month, of the actions carried out to comply with the requirements<br />
provided for in the data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law<br />
39/2015, of October 1, on the Common Administrative Procedure of Public Administrations<br />
(hereinafter, LPACAP), was collected on April 19, 2021, as shown in the acknowledgment<br />
of receipt in the file.<br />
<br />
The background information contained in the information systems is as follows:<br />
<br />
On May 11, 2021, within procedure E/04149/2021, a document presented on behalf of<br />
FSP-UGT was entered in the AEPD, which provides, among other things, the following<br />
information:<br />
<br />
- Allegation that the email address has been used legitimately, because it has been<br />
used by the union and the complainant is a staff delegate and member of the personnel<br />
board.<br />
<br />
<br />
- Allegation that the claimed party understood that no infringement of personal data<br />
protection arose from his actions, for the following reasons:<br />
<br />
“- The corporate nature of that email account (***EMAIL.14),<br />
<br />
- Its use strictly related to the professional field of the workplace personnel<br />
board.”<br />
<br />
- Allegation that the emails reported by the complainant were sent from an email<br />
account (***EMAIL.15) that is not owned by FeSP-UGT, and it is indicated that this had<br />
already been brought to the attention of UGT workers. A printout of a “Reminder to<br />
workers” dated January 15, 2020 is provided, which indicates, among other things, the<br />
following: “Therefore, any email sent by any of the workers of this Federation from an<br />
unauthorized or unofficial address will not be considered the responsibility of this<br />
body, and the corresponding individual measures may be adopted against the senders.”<br />
<br />
<br />
<br />
THIRD: On August 12, 2021, in accordance with article 65 of the<br />
LOPDGDD, the claim presented by the complaining party was admitted for processing.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary<br />
investigative actions to clarify the facts in question, by virtue of the functions<br />
assigned to the supervisory authorities in article 57.1 and the powers granted in<br />
article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation,<br />
hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second<br />
Section, of the LOPDGDD, learning the following:<br />
<br />
<br />
The list of members of the personnel board and the reasons for sending the emails to<br />
email addresses that did not belong to members of that personnel board could not be<br />
verified, after a request for information had been sent to the claimed party at the<br />
address ***ADDRESS.1.<br />
<br />
It is on record that this information request was notified on February 2, 2022, having<br />
been collected by C.C.C. with NIF ***NIF.2 at ***ADDRESS.1, without the AEPD having<br />
received a response to it.<br />
<br />
<br />
FIFTH: On June 9, 2022, the Director of the Spanish Data Protection Agency agreed to<br />
initiate sanctioning proceedings against the claimed party, in accordance with the<br />
provisions of articles 63 and 64 of Law 39/2015, of October 1, on the Common<br />
Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the<br />
alleged violation of article 6 of the RGPD, typified in article 83.5 of the GDPR.<br />
<br />
<br />
SIXTH: On June 30, 2022, the claimed party presented a written statement of allegations<br />
in which, in summary, he stated that the address to which the initiation agreement was<br />
sent is not his address but that of the UGT union in his locality, which is not<br />
authorized to collect notifications in his name, which is why he was unable to respond<br />
to the request made on February 2, 2022, causing him absolute defenselessness, for<br />
which reason he requests that the proceedings be taken back to that date.<br />
<br />
In relation to his address, he states that his address for notification purposes is<br />
***ADDRESS.2.<br />
<br />
<br />
The claimed party considers that the email addresses to which the emails were sent<br />
belong to workers' representatives or union organizations with representation on the<br />
Personnel Board.<br />
<br />
The claimed party alleges the non-existence of the infringement under Article 9 of the<br />
GDPR, since the complainant belongs to a union organization and said emails are<br />
processed in the workplace.<br />
<br />
It is alleged that all Board workers have access to the employee portal, with a<br />
directory giving access to name, job, posting, email address and telephone number.<br />
<br />
SEVENTH: On July 7, 2022, the instructor of the procedure agreed to consider reproduced<br />
for evidentiary purposes the claim filed by A.A.A. and its documentation, the documents<br />
obtained and generated during the admission phase of the claim, and the report of<br />
preliminary investigation actions that form part of procedure E/08764/2021.<br />
<br />
Likewise, the allegations to the agreement to initiate the referenced sanctioning<br />
procedure, presented by B.B.B., and the documentation accompanying them are considered<br />
reproduced for evidentiary purposes.<br />
<br />
<br />
EIGHTH: On July 19, 2022, a proposed resolution was formulated, proposing that the<br />
Director of the Spanish Data Protection Agency sanction B.B.B., with NIF ***NIF.1, for a<br />
violation of article 6 of the RGPD, typified in article 83.5 of the RGPD, with a fine of<br />
€2,000 (two thousand euros).<br />
<br />
<br />
NINTH: On August 19, 2022, allegations were presented to the proposed resolution,<br />
reiterating those already made on June 30, 2022.<br />
<br />
From the actions carried out in this procedure and the documentation in the file, the<br />
following facts have been established:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: Dissemination of the email addresses of each member of the personnel board of the<br />
complainant's workplace, by sending emails with the minutes of board meetings to<br />
corporate email addresses of unions and groups without legitimacy to receive them, as<br />
well as to third parties who do not belong to the personnel board.<br />
<br />
SECOND: The claimed party alleges the non-existence of the infringement, as the<br />
complainant belongs to a union organization and said emails are processed within the<br />
labour sphere.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
<br />
<br />
Article 4.11 of the GDPR defines the consent of the data subject as “any freely given,<br />
specific, informed and unambiguous indication of the data subject's wishes by which he<br />
or she, by a statement or by a clear affirmative action, signifies agreement to the<br />
processing of personal data relating to him or her.”<br />
<br />
<br />
In this sense, article 6.1 of the LOPDGDD establishes that “in accordance with the<br />
provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected<br />
person is understood to be any freely given, specific, informed and unambiguous<br />
indication of his or her wishes by which he or she accepts, either by a statement or by<br />
a clear affirmative action, the processing of personal data relating to him or her.”<br />
<br />
For its part, article 6 of the RGPD establishes the following:<br />
<br />
“1. Processing shall be lawful only if at least one of the following conditions is met:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for<br />
one or more specific purposes;<br />
<br />
b) processing is necessary for the performance of a contract to which the data subject<br />
is party or in order to take steps at the request of the data subject prior to entering<br />
into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
<br />
d) processing is necessary in order to protect the vital interests of the data subject<br />
or of another natural person;<br />
<br />
e) processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the<br />
interests or fundamental rights and freedoms of the data subject which require<br />
protection of personal data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public<br />
authorities in the performance of their tasks.”<br />
<br />
<br />
III<br />
<br />
In the present case, the complaining party denounces the claimed party because emails<br />
have been repeatedly forwarded to other members and non-members of the personnel board<br />
of which he is a member, and to corporate email addresses of unions and groups, without<br />
legitimacy or consent on the part of the complainant.<br />
<br />
A document submitted on behalf of FSP-UGT has been entered in the AEPD, which raises two<br />
points: on the one hand, the corporate nature of the email account that is the object<br />
of this case (***EMAIL.14), which makes its use “strictly related to the professional<br />
field of the workplace personnel board.”<br />
<br />
<br />
Secondly, it is alleged that the emails reported by the complainant were sent from an<br />
email account (***EMAIL.15) that is not the property of FeSP-UGT, and it is indicated<br />
that this had already been brought to the attention of UGT workers.<br />
<br />
A printout is provided of a “Reminder to workers” dated January 15, 2020, which<br />
indicates, among other things, the following:<br />
<br />
“Therefore, any email sent by any of the workers of this Federation from an<br />
unauthorized or unofficial address will not be considered the responsibility of this<br />
body, and the corresponding individual measures may be adopted against the senders.”<br />
<br />
Thus, it seems that FSP-UGT is exempt from all responsibility, but not the claimed<br />
party, given the sending of emails on February 16 and 17, 2021 and March 16, 2021,<br />
despite the complainant's request that his email address stop being forwarded to third<br />
parties.<br />
<br />
<br />
The claimed party, in a written statement of allegations dated June 30, 2022, requests<br />
that the proceedings be taken back for not having received the information request<br />
dated February 2, 2022.<br />
<br />
<br />
In this regard, we must point out that the actions carried out in February are<br />
preliminary actions carried out in accordance with article 65.4 of the LOPDGDD, prior<br />
to the start of the sanctioning procedure.<br />
<br />
Therefore, defenselessness can only be considered in the event that, once the<br />
initiation agreement has been issued, and not before, the claimed party had been unable<br />
to exercise the rights that Law 39/2015 on common administrative procedure confers in<br />
every sanctioning procedure, such as the right to know the facts of which he is<br />
accused, to present allegations and evidence, or to exercise his right to a hearing.<br />
<br />
Since we are not in any of these cases, the proceedings are not to be taken back.<br />
<br />
Secondly, the claimed party relies on article 9 of the RGPD, arguing that the data<br />
processed concern union membership and were disseminated in a work environment.<br />
<br />
However, it is considered that the processing of the complainant's personal data has<br />
been excessive, because the emails that are the subject of this complaint were also<br />
sent to people outside the personnel board, all the more so when this could have been<br />
avoided by using tools such as blind copy, and when the owner of that personal data had<br />
expressly stated, in exercise of his right to object, that he did not consent to the<br />
processing of his email address.<br />
<br />
Therefore, it is considered that we are dealing with unlawful processing of personal<br />
data, by sending emails to other members and non-members of the personnel board of<br />
which the complainant is a member, and to corporate email addresses of unions and<br />
groups, incurring a violation of article 6 of the RGPD, indicated in legal basis II,<br />
since the personal data have been processed without any type of legitimation.<br />
<br />
<br />
IV<br />
<br />
In accordance with the precepts transcribed, in order to set the amount of the fine to<br />
be imposed, we must take into account article 83.5.a) of the RGPD, which indicates that<br />
“infringements of the following provisions shall, in accordance with paragraph 2, be<br />
subject to administrative fines of up to EUR 20 000 000 or, in the case of an<br />
undertaking, up to 4% of the total worldwide annual turnover of the preceding financial<br />
year, whichever is higher:<br />
<br />
a) the basic principles for processing, including conditions for consent, pursuant to<br />
Articles 5, 6, 7 and 9;”<br />
<br />
Article 72.1 b) of the LOPDGDD states that "based on what is established in<br />
article 83.5 of Regulation (EU) 2016/679, infringements that involve a substantial<br />
violation of the articles mentioned therein are considered very serious and prescribe<br />
after three years, and in particular the following:<br />
<br />
b) The processing of personal data without any of the conditions of<br />
lawfulness of processing established in article 6 of Regulation (EU) 2016/679."<br />
<br />
V<br />
<br />
<br />
In order to determine the administrative fine to be imposed, the provisions of<br />
articles 83.1 and 83.2 of the RGPD must be observed, which indicate:<br />
<br />
"Each supervisory authority shall ensure that the imposition of administrative fines<br />
pursuant to this Article in respect of infringements of this Regulation<br />
referred to in paragraphs 4, 5 and 6 shall in each individual case be effective,<br />
proportionate and dissuasive."<br />
<br />
<br />
"Administrative fines shall, depending on the circumstances of each<br />
individual case, be imposed in addition to, or instead of, the measures referred to in<br />
Article 58(2), points (a) to (h) and (j). When deciding whether to impose an administrative<br />
fine and deciding on its amount in each individual case, due regard shall be given to the following:<br />
<br />
a) the nature, gravity and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing concerned, as well as the<br />
number of data subjects affected and the level of damage<br />
suffered by them;<br />
<br />
<br />
b) intentionality or negligence in the infringement;<br />
<br />
c) any action taken by the controller or processor to<br />
mitigate the damage suffered by data subjects;<br />
<br />
d) the degree of responsibility of the controller or processor,<br />
taking into account the technical and organisational measures implemented by them pursuant<br />
to articles 25 and 32;<br />
<br />
e) any previous infringement committed by the controller or processor;<br />
<br />
<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the way in which the supervisory authority became aware of the infringement, in<br />
particular whether the controller or processor notified the infringement and, if so, in what<br />
extent;<br />
<br />
<br />
i) where measures referred to in Article 58(2) have previously been ordered<br />
against the controller or processor concerned with regard to the<br />
same subject-matter, compliance with those measures;<br />
<br />
j) adherence to approved codes of conduct pursuant to Article 40 or approved<br />
certification mechanisms pursuant to Article 42, and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as financial benefits gained, or losses avoided, directly or<br />
indirectly, from the infringement."<br />
<br />
<br />
Regarding section k) of article 83.2 of the RGPD, article 76 of the LOPDGDD,<br />
"Sanctions and corrective measures", provides:<br />
<br />
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,<br />
the following may also be taken into account:<br />
<br />
a) The continuous nature of the infringement.<br />
<br />
b) The link between the offender's activity and the processing of<br />
personal data.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infringement.<br />
<br />
d) The possibility that the conduct of the affected person could have induced the commission<br />
of the infringement.<br />
<br />
e) The existence of a merger by absorption subsequent to the commission of the<br />
infringement, which cannot be attributed to the absorbing entity.<br />
<br />
f) The impact on the rights of minors.<br />
<br />
g) Having, when not mandatory, a data protection officer.<br />
<br />
h) The submission by the controller or processor, on a voluntary basis, to<br />
alternative dispute resolution mechanisms, in those cases in which<br />
there are disputes between them and any interested party."<br />
<br />
<br />
<br />
In accordance with the transcribed precepts, in order to set the amount of the<br />
fine to be imposed on B.B.B. with NIF ***NIF.1, as responsible for an infringement<br />
typified in article 83.5.a) of the RGPD, the following aggravating factors are considered<br />
to concur in this case:<br />
<br />
Intentionality or negligence in the infringement, since, given the activity,<br />
greater care is required from the defendant in the processing of the data<br />
(83.2.b) GDPR).<br />
<br />
Therefore, in accordance with the applicable legislation and having evaluated the criteria for<br />
graduation of sanctions whose existence has been proven,<br />
<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of article 6 of the<br />
RGPD, typified in article 83.5 of the RGPD, a fine of €2,000 (two thousand euros).<br />
<br />
<br />
SECOND: NOTIFY this resolution to B.B.B.<br />
<br />
THIRD: Warn the sanctioned person that they must pay the sanction imposed<br />
once this resolution becomes enforceable, in accordance with the provisions of<br />
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter LPACAP), within the voluntary payment period<br />
established in art. 68 of the General Collection Regulations, approved<br />
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,<br />
of December 17, by paying it, indicating the NIF of the sanctioned person and the number<br />
of the procedure that appears in the heading of this document, into the<br />
restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the<br />
Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise,<br />
it will be collected during the enforcement period.<br />
<br />
Once the notification has been received and the resolution is enforceable, if the date of enforceability falls<br />
between the 1st and 15th of the month, both inclusive, the deadline to make the voluntary<br />
payment will be until the 20th of the following month or the immediately following business day, and if<br />
it falls between the 16th and the last day of the month, both inclusive, the payment period<br />
will be until the 5th of the second following month or the immediately following business day.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the<br />
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the<br />
interested parties may optionally file an appeal for reconsideration before the<br />
Director of the Spanish Data Protection Agency within a period of one month<br />
counting from the day following the notification of this resolution, or directly<br />
a contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National High Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
aforementioned Law.<br />
<br />
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,<br />
the final resolution may be provisionally suspended through administrative channels if the<br />
interested party expresses their intention to file a contentious-administrative appeal.<br />
<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, presenting it through<br />
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
aforementioned Law 39/2015, of October 1. They must also send the Agency the<br />
documentation that proves the effective filing of the contentious-administrative<br />
appeal. If the Agency is not made aware of the filing of the contentious-administrative<br />
appeal within a period of two months from the day following the<br />
notification of this resolution, the precautionary suspension will end.<br />
<br />
938-120722<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202201247&diff=35466AEPD (Spain) - EXP2022012472023-10-17T10:04:30Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00304-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00304-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00304-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00304-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=14.01.2022<br />
|Date_Decided=<br />
|Date_Published=28.11.2022<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 58(2) GDPR<br />
|GDPR_Article_Link_4=Article 58 GDPR#2<br />
|GDPR_Article_5=Article 83(5) GDPR<br />
|GDPR_Article_Link_5=Article 83 GDPR#5<br />
|GDPR_Article_6=<br />
|GDPR_Article_Link_6=<br />
|GDPR_Article_7=<br />
|GDPR_Article_Link_7=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 47 LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 48(1) LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 50 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 6(1) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 63(2) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 65(4) LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 72(1)(b) LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=<br />
|National_Law_Link_8=<br />
|National_Law_Name_9=<br />
|National_Law_Link_9=<br />
<br />
|Party_Name_1=Data Subject<br />
|Party_Link_1=<br />
|Party_Name_2=AUTOMOVILES FERSAN, S.A.<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA held that the processing of the personal data of the co-owner of a car bought with a loan was lawful even without their direct consent, since the data subject was a party to the purchase contract and was not acting as a guarantor.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject claimed that the controller processed their personal data without consent in order to approve the purchase of a car by the data subject's sister. The controller argued that the data subject is a co-owner of the car in dispute.<br />
<br />
=== Holding ===<br />
The DPA held that processing the personal data of a data subject who is the co-owner of a car bought under a contract is lawful under Article 6 GDPR. Since the data subject is a party to the purchase contract and does not act as a guarantor, there is a legal basis for the processing, and the proceedings were archived.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
- File No.: EXP202201247<br />
<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On January 14, 2022, A.A.A. (hereinafter, the complaining party)<br />
filed a claim with the Spanish Data Protection Agency.<br />
<br />
<br />
The claim is directed against AUTOMOVILES FERSAN, S.A. with NIF A03071248<br />
(hereinafter, the claimed party).<br />
<br />
The reasons on which the claim is based are the following:<br />
<br />
<br />
The claimant states that the respondent made use of her personal data,<br />
including them in a vehicle purchase contract without her consent.<br />
<br />
The claimant states that her personal data was used without her consent<br />
to guarantee the sale of a vehicle acquired by her sister, in the processing<br />
of its financing.<br />
<br />
She indicates that her sister purchased the vehicle from the respondent entity,<br />
which handled the procedures to formalize a loan contract<br />
financed by BMW BANK GMBH, using the claimant's data in order to<br />
obtain sufficient guarantee and carry out the operation.<br />
<br />
When a non-payment by the purchasing party occurred, the financial institution demanded<br />
payment from the claimant, and when she requested justification for the amount claimed, the<br />
financial institution provided documents, described by the claimant as false, in which,<br />
in addition to the personal data of her sister as the buyer of the vehicle,<br />
the personal data of the claimant, as well as her signature, were also added.<br />
<br />
She provides the legal claim and the credit contract, which is exclusively in the name of B.B.B. (sister<br />
of the claimant).<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), on February 3, 2022, said claim was transferred to<br />
the respondent, so that it could proceed with its analysis and inform this Agency,<br />
within one month, of the actions carried out to comply with the requirements<br />
provided for in the data protection regulations.<br />
<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/6<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations<br />
(hereinafter, LPACAP), was received on February 4, 2022, as<br />
appears in the acknowledgment of receipt in the file.<br />
<br />
On March 3, 2022, this Agency received a response letter<br />
indicating that AUTOMÓVILES FERSÁN, through BMW Group Financial Services,<br />
has a clear protocol on the documentation that must be requested when<br />
a person applies for financing; this protocol is strictly applied by<br />
the dealership, and this applies to all its sales staff.<br />
<br />
The four siblings of the family (…) intervene at different times in this<br />
family operation, appearing as guarantors of the operation.<br />
<br />
It is stated that the operation was approved and was viable, with the co-ownership of<br />
Mrs. B.B.B. and Mrs. A.A.A.<br />
<br />
The relationship of Ms. A.A.A. and her family with AUTOMÓVILES FERSÁN, SA, from a<br />
chronological point of view, is as follows:<br />
<br />
<br />
October 25, 2018. Ms. C.C.C. (sister of Mrs. A.A.A.) requests a<br />
quote from AUTOMÓVILES FERSÁN, proposing that the purchase contract for the<br />
vehicle be in the name of a company that is going to be established.<br />
<br />
October 29, 2018. Ms. C.C.C. sends the census registration and payslip of Ms.<br />
B.B.B.<br />
<br />
November 8, 2018. Mr. D.D.D. (brother of the claimant) sends by<br />
email the 2017 income tax return (form 100) of Ms. B.B.B.<br />
<br />
November 9, 2018, 9:00. Since the operation required a down payment,<br />
the option of having guarantors to secure the operation is given high value.<br />
<br />
November 9, 2018. Mr. D.D.D. sends by email the payslip and registration of<br />
Mrs. B.B.B. and writes to (…) (employee of the respondent entity):<br />
<br />
"Hello (…), I am attaching the payslip and registration.<br />
When they ask you for a guarantor, tell me what documentation I have to provide.<br />
All the best".<br />
<br />
November 9, 2018, 6:45 p.m. Once the study of Ms. B.B.B.<br />
(sister of the claimant) is completed, she has to provide guarantors or a down payment of ***AMOUNT.€.<br />
<br />
THIRD: On April 14, 2022, in accordance with article 65 of the<br />
LOPDGDD, the claim presented by the complaining party was admitted for processing.<br />
<br />
<br />
FOURTH: On July 20, 2022, the Director of the Spanish Data Protection Agency<br />
agreed to initiate sanctioning proceedings against the respondent,<br />
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1,<br />
on the Common Administrative Procedure of Public Administrations (hereinafter,<br />
LPACAP), for the alleged violation of article 6.1 of the RGPD, typified in<br />
article 83.5 of the RGPD.<br />
<br />
FIFTH: The aforementioned initiation agreement having been notified in accordance with the rules established in<br />
Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP), the respondent presented a written<br />
statement of allegations in which, in summary, it stated verbatim the following:<br />
<br />
(…).<br />
<br />
<br />
<br />
See Annex I. (…)<br />
<br />
<br />
<br />
Annex II is sent. (…).<br />
<br />
(…):<br />
<br />
<br />
(…).<br />
(…).<br />
<br />
(…).<br />
(…).<br />
<br />
<br />
(…).<br />
<br />
<br />
<br />
(…).<br />
<br />
SIXTH: On August 11, 2022, the instructor of the procedure agreed to consider<br />
reproduced for evidentiary purposes the claim filed by the claimant and<br />
its documentation, the documents obtained and generated during the admission phase<br />
of the claim, and the report of the preliminary investigation actions that<br />
are part of the procedure. Likewise, the allegations to the agreement initiating the<br />
referenced sanctioning procedure, presented by the respondent entity, and the<br />
documentation accompanying them are considered reproduced for evidentiary purposes.<br />
<br />
<br />
SEVENTH: On August 30, 2022, a proposed resolution was formulated,<br />
proposing that the Director of the Spanish Data Protection Agency<br />
sanction AUTOMOVILES FERSAN, S.A. with NIF A03071248, for an infringement<br />
of article 6.1 of the RGPD, typified in article 83.5 of the RGPD and, for the purposes of<br />
prescription, in article 72.1 b) of the LOPDGDD, with a fine of 5,000 euros<br />
(five thousand euros).<br />
<br />
EIGHTH: On September 9, 2022, the respondent entity presented<br />
allegations to the proposed resolution, pointing out that the claimant at no<br />
time acts as a guarantor but as a co-owner.<br />
<br />
It is further stated that:<br />
<br />
• (…).<br />
<br />
• (…).<br />
<br />
<br />
(…)<br />
<br />
From the actions carried out in this procedure and the documentation<br />
recorded in the file, the following facts have been accredited:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: The claimant states that her personal data has been used by the<br />
respondent without her consent to guarantee the sale of a vehicle<br />
purchased by her sister.<br />
<br />
She provides the legal claim and the credit contract, which is exclusively in the name of B.B.B. (sister<br />
of the claimant).<br />
<br />
<br />
<br />
SECOND: The respondent entity states that the claimant is a co-owner, since<br />
she and her sister bought the vehicle that is the subject of the dispute.<br />
<br />
Provides:<br />
<br />
(…)<br />
(…)<br />
(…)<br />
<br />
(…)<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter RGPD) grants to each<br />
supervisory authority, and as established in articles 47 and 48.1 of Organic<br />
Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of<br />
digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection<br />
Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency shall be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
issued in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Article 4.11 of the GDPR defines the consent of the data subject as "any<br />
freely given, specific, informed and unambiguous indication of the<br />
data subject's wishes by which he or she, by a statement or by a clear affirmative action,<br />
signifies agreement to the processing of personal data relating to him or her."<br />
<br />
In this sense, article 6.1 of the LOPDGDD establishes that "in accordance with the<br />
provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected<br />
person is understood to be any manifestation of free, specific, informed and unambiguous<br />
will by which they accept, either through a statement or a clear affirmative action,<br />
the processing of personal data that concerns them."<br />
<br />
For its part, article 6 of the RGPD establishes the following:<br />
<br />
"1. Processing shall be lawful only if and to the extent that at least one of the following applies:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data<br />
for one or more specific purposes;<br />
<br />
b) processing is necessary for the performance of a contract to which the data subject<br />
is party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
<br />
d) processing is necessary in order to protect the vital interests of the data subject or of another<br />
natural person;<br />
<br />
e) processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued<br />
by the controller or by a third party, except where such interests are overridden by the<br />
interests or fundamental rights and freedoms of the data subject which require<br />
protection of personal data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing<br />
carried out by public authorities in the performance of their tasks."<br />
<br />
<br />
III<br />
<br />
In the present case, the complaining party denounces AUTOMOVILES FERSAN, S.A.<br />
because payment is demanded from her as a guarantor for a vehicle that her<br />
sister B.B.B. bought, despite the fact that only her sister, and not she, appears<br />
in the financing contract.<br />
<br />
The respondent entity has provided documentation that proves that the<br />
claimant is the joint owner of the vehicle that gave rise to the claimed debt and that, therefore,<br />
payment is required from her not as guarantor but as co-owner. Specifically, it provides the<br />
judicial claim for non-payment, in which both the claimant and<br />
B.B.B. appear as owners of the vehicle, and the financing contract.<br />
<br />
Therefore, it having been proven that the claimant is the joint owner of the vehicle, and having clarified<br />
on what basis the debt is claimed from her, we must consider that the respondent<br />
entity was legitimated to use the claimant's personal data,<br />
on the basis of the prior execution of a purchase contract, and therefore<br />
no violation of article 6 of the RGPD, indicated in legal basis II,<br />
is found.<br />
<br />
<br />
Therefore, after becoming aware of these facts, the Director of the Agency<br />
Spanish Data Protection RESOLVES:<br />
<br />
FIRST: PROCEED TO ARCHIVE these proceedings.<br />
<br />
<br />
SECOND: NOTIFY this resolution to the claimant and the respondent.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, and in accordance with the provisions of<br />
arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the interested parties may<br />
optionally file an appeal for reconsideration before the Director of the<br />
Spanish Data Protection Agency within a period of one month from the day<br />
following the notification of this resolution, or directly a contentious-administrative<br />
appeal before the Contentious-Administrative Chamber of the National High Court,<br />
in accordance with the provisions of article 25 and section 5 of the fourth<br />
additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative<br />
Jurisdiction, within a period of two months from the day following<br />
the notification of this act, as provided for in article 46.1 of the aforementioned Law.<br />
<br />
<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00117/2022&diff=35460AEPD (Spain) - PS/00117/20222023-10-17T09:45:02Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00117-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00117-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00117-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00117-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=10.09.2016<br />
|Date_Decided=<br />
|Date_Published=14.04.2027<br />
|Year=<br />
|Fine=2000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(11) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#11<br />
|GDPR_Article_2=Article 6 GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR<br />
|GDPR_Article_3=Article 9 GDPR<br />
|GDPR_Article_Link_3=Article 9 GDPR<br />
|GDPR_Article_4=Article 9 GDPR<br />
|GDPR_Article_Link_4=Article 9 GDPR<br />
|GDPR_Article_5=Article 57(1) GDPR<br />
|GDPR_Article_Link_5=Article 57 GDPR#1<br />
|GDPR_Article_6=Article 58(1) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#1<br />
|GDPR_Article_7=Article 83(1) GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR#1<br />
|GDPR_Article_8=Article 83(2) GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR#2<br />
|GDPR_Article_9=Article 83(5) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#5<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
|GDPR_Article_11=<br />
|GDPR_Article_Link_11=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 6(1) LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 63 LPACAP<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_3=Article 64 LPACAP<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_4=Article 65(4) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 73(1)(b) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 76 LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=<br />
|National_Law_Link_7=<br />
|National_Law_Name_8=<br />
|National_Law_Link_8=<br />
<br />
|Party_Name_1=Data subject<br />
|Party_Link_1=<br />
|Party_Name_2=Data controller<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
}}<br />
<br />
Spanish DPA fines controller for continuously sending emails containing personal data to members and non-members of a Personnel Board. The DPA ruled that there is no legal basis for this processing, especially after the data subject's objection.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
Both the data controller and the data subject are part of the same Personnel Board, which could justify processing the data subject's personal data. However, the data controller shared personal data with various persons, including people outside of the Board. Even after the data subject requested that the processing stop, emails containing personal data continued to be sent. Despite the lack of the data subject's consent, the data controller justified the processing on labour grounds, based on Article 9 of the GDPR, emphasising that the email address containing the personal data is a corporate one.<br />
<br />
=== Holding ===<br />
The DPA found that the processing was abusive, especially because personal data such as the data subject's email address was processed without their consent. Even after the data subject requested that their email address no longer be processed, the activity continued without considering simple features such as blind copy (BCC) for sending emails, which would have mitigated the risks. Thus, the DPA ruled that the processing was unlawful and did not comply with Article 6 of the GDPR, since there was no legal basis for the processing.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/11<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
File No.: PS/00117/2022<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
to the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On March 11, 2021, A.A.A. (hereinafter, the complaining party)<br />
filed a claim with the Spanish Data Protection Agency. The<br />
claim is directed against B.B.B. with NIF ***NIF.1 (hereinafter, the claimed<br />
party).<br />
<br />
<br />
The reasons on which the claim is based are the following:<br />
<br />
Both the complaining party and the claimed party are members of the same<br />
personnel board, and the complaining party states that the claimed party has forwarded<br />
emails to other members and non-members of this personnel board and to<br />
<br />
corporate emails of unions and groups without legitimacy to do so.<br />
<br />
The emails that do not belong to the personnel board are the following: ***EMAIL.1,<br />
***EMAIL.2, ***EMAIL.3, ***EMAIL.4, ***EMAIL.5, ***EMAIL.6 and ***EMAIL.7 (hereinafter,<br />
the reported email addresses).<br />
<br />
In those emails, information about the claimant also appears, such as his name and<br />
work email address.<br />
<br />
<br />
The complainant sent an email on January 22, 2021 to members of the<br />
personnel board in which he requested that they stop forwarding his email address<br />
to third parties; but the claimed party again forwarded emails from the claimant to<br />
<br />
people from outside the personnel board on February 16 and 17, 2021 and March 16,<br />
2021.<br />
<br />
Relevant documentation provided by the complaining party:<br />
<br />
<br />
- Printout of email dated January 20, 2021 sent by<br />
***EMAIL.8 to multiple email addresses including the claimant's work email<br />
and, among others, the reported email addresses indicated in his<br />
claim. In this email, it is requested that a new board member and<br />
the delegate of the STAS-CLM union section be included among the<br />
recipients of personnel board emails.<br />
<br />
- Printout of email dated January 22, 2021 in which the<br />
claimant responds to the recipients of the previous email, except for the<br />
reported email addresses. In this email he requests that his email<br />
or other information from the personnel board not be sent to the reported email addresses<br />
because they do not belong to the personnel board.<br />
<br />
<br />
- Printout of email dated January 28, 2021 in which the<br />
complainant reiterates that he does not want his name or email to be sent to<br />
other email addresses that do not correspond to members of the personnel<br />
board.<br />
<br />
- Printout of email dated February 16, 2021 sent by the<br />
claimed party to multiple email addresses that include the<br />
claimant's work email address and the following addresses that the claimant<br />
indicates do not belong to the personnel board: ***EMAIL.4, ***EMAIL.5,<br />
***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. The content of this email is<br />
an attachment with the subject “exit minutes and documents”.<br />
<br />
- Printout of email dated February 17, 2021 sent by the<br />
claimed party to multiple email addresses that include the<br />
claimant's work email address and the following addresses that the claimant<br />
indicates do not belong to the personnel board: ***EMAIL.4, ***EMAIL.5,<br />
***EMAIL.9, ***EMAIL.2, ***EMAIL.10 and ***EMAIL.11. This email has three<br />
attachments, and its content indicates that they contain FeSP-UGT proposals<br />
for a personnel board meeting.<br />
<br />
<br />
- Printout of email dated February 18, 2021 in which the<br />
complainant, responding to the previous email of February 17, 2021, reiterates that he does<br />
not want those emails to be sent to other email addresses that do not<br />
correspond to members of the personnel board, and indicates which email<br />
addresses should not have been in the “To” field of the email of<br />
February 17, 2021.<br />
<br />
<br />
This claim was complemented by a document presented by the<br />
complainant before the Spanish Data Protection Agency (hereinafter, AEPD) with<br />
entry date March 26, 2021, in which, among other things, the following<br />
documentation is provided:<br />
<br />
- Printout of email dated March 16, 2021 sent by the<br />
claimed party to multiple email addresses that include the<br />
claimant's work email address and, among other addresses, the following:<br />
***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and ***EMAIL.9. This email<br />
contains an attachment and its content is “attachment registered writings.”<br />
<br />
- Indication that the emails ***EMAIL.12, ***EMAIL.2, ***EMAIL.13 and<br />
***EMAIL.9 correspond to CCOO affiliates not belonging to the personnel<br />
board.<br />
<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), said claim was transferred to the claimed party so that it could<br />
proceed with its analysis and inform this Agency, within a period of one month, of the<br />
actions carried out to adapt to the requirements provided for in the data<br />
protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations<br />
(hereinafter, LPACAP), was collected on April 19, 2021, as<br />
appears in the acknowledgment of receipt that is in the file.<br />
<br />
The background information contained in the information systems is as follows:<br />
<br />
On May 11, 2021, within procedure E/04149/2021, a document presented on behalf<br />
of FSP-UGT was entered in the AEPD, in which, among other things, the following<br />
information is provided:<br />
<br />
- Allegation that the email address has been used in a legitimate way<br />
because it has been used by the union, and the claimant is a staff delegate<br />
and member of the personnel board.<br />
<br />
- Allegation that the claimed party understood that no infringement regarding the<br />
protection of personal data arose from his actions, for the following reasons:<br />
<br />
“- The corporate nature of that email account (***EMAIL.14),<br />
<br />
- Its use strictly related to the professional field of the personnel board<br />
of the work center”<br />
<br />
- Allegation that the emails reported by the claimant have been<br />
sent from an email account (***EMAIL.15) that is not owned<br />
by FeSP-UGT, and it is indicated that this aspect had already been warned to the<br />
UGT workers. A printout of a “Reminder to workers” dated January 15, 2020<br />
is provided, which indicates, among other things, the following:<br />
“Therefore, any email that is sent by any of the<br />
workers of this Federation from an unauthorized or unofficial address will not<br />
be considered the responsibility of this body, and the<br />
particular measures that correspond may be adopted against the issuers.”<br />
<br />
<br />
<br />
THIRD: On August 12, 2021, in accordance with article 65 of the<br />
LOPDGDD, the claim presented by the complaining party was admitted for processing.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out<br />
preliminary investigative actions to clarify the facts in<br />
question, by virtue of the functions assigned to the control authorities in<br />
article 57.1 and the powers granted in article 58.1 of Regulation (EU)<br />
2016/679 (General Data Protection Regulation, hereinafter GDPR), and<br />
in accordance with the provisions of Title VII, Chapter I, Second Section, of the<br />
LOPDGDD, having knowledge of the following points:<br />
<br />
<br />
The list of members of the personnel board and the motivation for sending the emails<br />
to email addresses that did not belong to members of that personnel board<br />
could not be verified after a request for information had been sent<br />
to the claimed party at the address ***ADDRESS.1.<br />
<br />
It is on record that this information request was notified on February 2,<br />
2022, upon being collected by C.C.C. with NIF ***NIF.2 at ***ADDRESS.1, without<br />
the AEPD having received a response to this information request.<br />
<br />
<br />
FIFTH: On June 9, 2022, the Director of the Spanish Data Protection Agency<br />
agreed to initiate sanctioning proceedings against the claimed party, in<br />
accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, on the<br />
Common Administrative Procedure of Public Administrations (hereinafter,<br />
LPACAP), for the alleged violation of article 6 of the RGPD, typified in article<br />
83.5 of the GDPR.<br />
<br />
<br />
SIXTH: On June 30, 2022, the claimed party presented a written statement of<br />
allegations in which, in summary, he stated that the address to which the<br />
initiation agreement was sent is not his address, but that of the UGT union in his<br />
locality, which is not authorized to collect notifications in his name, which is why he<br />
was not able to respond to the request carried out on February 2, 2022, causing<br />
absolute defenselessness, which is why he requests that the proceedings be taken back to<br />
said date.<br />
<br />
In relation to his address, he states that his address for notification purposes is<br />
***ADDRESS.2.<br />
<br />
The defendant considers that the email addresses to which the emails were sent belong to<br />
representatives of workers or union organizations with representation<br />
at the Personnel Board.<br />
<br />
The defendant alleges the non-existence of the infringement under Article 9 of the GDPR, since<br />
the claimant belongs to a union organization, and said emails are processed<br />
in the workplace.<br />
<br />
It is alleged that all Board workers have access to the employee portal,<br />
with a directory where one can access the name, job, destination, email<br />
and telephone.<br />
<br />
SEVENTH: On July 7, 2022, the instructor of the procedure agreed to consider<br />
reproduced for evidentiary purposes the claim filed by A.A.A. and its<br />
documentation, the documents obtained and generated during the phase of admission<br />
for processing of the claim, and the report of preliminary investigation actions that<br />
form part of procedure E/08764/2021.<br />
<br />
<br />
Likewise, it is considered reproduced for evidentiary purposes, the allegations to the agreement of<br />
initiation of the referenced sanctioning procedure, presented by B.B.B., and the<br />
documentation that accompanies them.<br />
<br />
<br />
EIGHTH: On July 19, 2022, a proposed resolution was formulated,<br />
proposing that the Director of the Spanish Data Protection Agency<br />
sanction B.B.B., with NIF ***NIF.1, for a violation of article 6 of the RGPD,<br />
typified in article 83.5 of the RGPD, with a fine of €2,000 (two thousand euros)<br />
<br />
<br />
NINTH: On August 19, 2022, allegations were presented to the proposal<br />
resolution, reiterating those already indicated on June 30, 2022<br />
<br />
Of the actions carried out in this procedure and the documentation<br />
recorded in the file, the following have been accredited:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: Dissemination of the email addresses of each member of the<br />
personnel board of the claimant's workplace, by sending emails with the minutes of<br />
board meetings to corporate emails of unions and groups without<br />
legitimation for their reception, as well as to third parties who do not belong to the<br />
personnel board.<br />
<br />
SECOND: The defendant alleges the non-existence of the infringement, as the<br />
complainant belongs to a union organization and said emails are treated in the<br />
labour sphere.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
<br />
<br />
Article 4.11 of the GDPR defines the consent of the interested party as “any<br />
manifestation of free, specific, informed and unequivocal will by which the<br />
interested party accepts, either by a declaration or a clear affirmative action, the<br />
processing of personal data that concerns you.”<br />
<br />
<br />
In this sense, article 6.1 of the LOPDGDD establishes that “in accordance with the<br />
provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected person<br />
is understood to be any manifestation of free, specific, informed and unequivocal will<br />
by which he accepts, either through a statement or a clear affirmative action,<br />
the processing of personal data that concerns him.”<br />
<br />
For its part, article 6 of the RGPD establishes the following:<br />
<br />
"1. The processing will only be lawful if at least one of the following conditions is met:<br />
<br />
a) the interested party gave his consent for the processing of his personal data<br />
for one or more specific purposes;<br />
<br />
b) the processing is necessary for the execution of a contract in which the interested party<br />
<br />
is part of or for the application at his request of pre-contractual measures;<br />
<br />
c) the processing is necessary for compliance with a legal obligation applicable to the<br />
responsible for the treatment;<br />
<br />
d) the processing is necessary to protect vital interests of the interested party or another<br />
Physical person;<br />
<br />
e) the processing is necessary for the fulfillment of a mission carried out in the interest<br />
public or in the exercise of public powers conferred on the controller;<br />
<br />
f) the processing is necessary for the satisfaction of legitimate interests pursued<br />
by the controller or by a third party, provided that said interests are not overridden<br />
by the interests or fundamental rights and freedoms of the interested party<br />
that require the protection of personal data, particularly when the interested<br />
party is a child.<br />
<br />
The provisions of letter f) of the first paragraph will not apply to the treatment<br />
carried out by public authorities in the exercise of their functions.”<br />
<br />
<br />
III<br />
<br />
In the present case, the complaining party denounces the claimed party because<br />
emails have been repeatedly forwarded to other members and<br />
non-members of the personnel board of which he is a member and to corporate emails of<br />
unions and groups without legitimacy or consent on the part of the claimant.<br />
<br />
A document submitted on behalf of FSP-UGT has been entered in the AEPD,<br />
in which two aspects are set out: on the one hand, the corporate nature of the<br />
email account that is the object of this case (***EMAIL.14), which makes its use<br />
“strictly related to the professional field of the personnel board<br />
of the workplace.”<br />
<br />
<br />
Secondly, it is alleged that the emails reported by the claimant<br />
have been sent from an email account (***EMAIL.15) that is not<br />
the property of FeSP-UGT, and it is indicated that this aspect had already been warned to the<br />
UGT workers.<br />
<br />
A printout is provided of a “Reminder to workers” dated January 15,<br />
2020, which indicates, among other things, the following:<br />
<br />
“Therefore, any email that is sent by any of the<br />
workers of this Federation from an unauthorized or unofficial address will not<br />
be considered the responsibility of this body, and the particular measures<br />
that correspond may be adopted against the issuers.”<br />
<br />
Thus, it seems that FSP-UGT is exempt from all responsibility, but not<br />
the defendant, given the sending of emails on February 16 and 17, 2021<br />
and March 16, 2021, despite the claimant's request that<br />
they stop forwarding his email address to third parties.<br />
<br />
<br />
The defendant, in a written statement of allegations dated June 30, 2022, requests that the<br />
proceedings be taken back for not having received the information request dated<br />
February 2, 2022.<br />
<br />
<br />
In this sense, we must indicate that the actions carried out in the month of February<br />
are preliminary actions carried out in accordance with article 65.4 of the<br />
LOPDGDD, prior to the start of the sanctioning procedure.<br />
<br />
Therefore, defenselessness can only be considered in the event that, once the<br />
initiation agreement has been issued, and not before, the defendant had not been able to exercise the rights<br />
that Law 39/2015 on common administrative procedure confers in every<br />
sanctioning procedure, such as the right to know the facts of which he is<br />
accused and to be able to present allegations and evidence, or to exercise his right to<br />
a hearing.<br />
<br />
Since we are not in any of these cases, the proceedings are not<br />
taken back.<br />
<br />
Secondly, the defendant resorts to article 9 of the RGPD, arguing that the<br />
data processed concerns union membership and was disseminated in a work environment.<br />
<br />
However, it is considered that the processing of the claimant's personal data<br />
has been excessive, because the emails subject to this complaint were<br />
also sent to people outside the personnel board, and more so when this could have<br />
been avoided with the use of tools such as blind copy, and when the owner of that<br />
personal data had required that it not be used, expressly stating<br />
that he did not consent to the processing of his email, in the exercise of<br />
his right to object.<br />
<br />
Therefore, it is considered that we are dealing with illegal processing of personal data,<br />
by sending emails to other members and non-members of the personnel<br />
board of which the claimant is a member, and to corporate emails of unions and<br />
collectives, incurring a violation of article 6 of the RGPD, indicated in<br />
legal basis II, since the personal data have been processed without<br />
any type of legitimation.<br />
<br />
<br />
IV<br />
<br />
In accordance with the transcribed precepts, in order to set the amount of the<br />
fine to impose, we must take into account article 83.5.a) of the RGPD, which<br />
indicates that “violations of the following provisions will be sanctioned, in<br />
accordance with paragraph 2, with administrative fines of EUR 20 000 000 at<br />
most or, in the case of a company, an amount equivalent to 4% at<br />
most of the total global annual turnover of the previous financial year,<br />
opting for the higher amount:<br />
<br />
<br />
a) the basic principles for the treatment, including the conditions for the<br />
consent in accordance with articles 5, 6, 7 and 9;”<br />
<br />
<br />
Article 72.1 b) of the LOPDGDD states that “based on what is established by the<br />
article 83.5 of Regulation (EU) 2016/679, are considered very serious and will prescribe<br />
after three years, infractions that involve a substantial violation of the<br />
<br />
articles mentioned in that and in particular, the following:<br />
<br />
b) The processing of personal data without any of the conditions of<br />
legality of the treatment established in article 6 of Regulation (EU) 2016/679.”<br />
<br />
V<br />
<br />
<br />
In order to determine the administrative fine to impose, the provisions of<br />
articles 83.1 and 83.2 of the RGPD must be observed, provisions that indicate:<br />
<br />
“Each control authority will guarantee that the imposition of administrative fines<br />
<br />
under this Article for infringements of this Regulation<br />
indicated in sections 4, 5 and 6 are effective in each individual case,<br />
proportionate and dissuasive.”<br />
<br />
<br />
“Administrative fines will be imposed, depending on the circumstances of each<br />
individual case, as an additional or substitute for the measures contemplated in the<br />
<br />
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine<br />
administrative and its amount in each individual case will be duly taken into account:<br />
<br />
a) the nature, severity and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing operation in question<br />
such as the number of interested parties affected and the level of damages that<br />
have suffered;<br />
<br />
<br />
b) intentionality or negligence in the infringement;<br />
<br />
c) any measure taken by the person responsible or in charge of the treatment to<br />
alleviate the damages and losses suffered by the interested parties;<br />
<br />
d) the degree of responsibility of the person responsible or in charge of the treatment,<br />
taking into account the technical or organizational measures that have been applied under<br />
of articles 25 and 32;<br />
<br />
e) any previous infringement committed by the controller or processor;<br />
<br />
<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the way in which the supervisory authority became aware of the infringement, in<br />
particular whether the controller or processor notified the infringement and, if so, in what<br />
extent;<br />
<br />
<br />
i) when the measures indicated in Article 58, paragraph 2, have been ordered<br />
previously against the person responsible or the person in charge in question in relation to the<br />
same matter, compliance with said measures;<br />
<br />
<br />
j) adherence to codes of conduct under Article 40 or to mechanisms of<br />
certification approved in accordance with Article 42, and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as financial benefits obtained or losses avoided, direct or<br />
<br />
indirectly, through infringement.”<br />
<br />
<br />
Regarding section k) of article 83.2 of the RGPD, the LOPDGDD, article 76,<br />
“Sanctions and corrective measures” provides:<br />
<br />
"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679<br />
may also be taken into account:<br />
<br />
<br />
a) The continuous nature of the infringement.<br />
<br />
b) The linking of the offender's activity with the performance of personal data<br />
processing.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
<br />
<br />
d) The possibility that the conduct of the affected person could have induced the commission<br />
of the infringement.<br />
<br />
e) The existence of a merger by absorption process subsequent to the commission of the<br />
infringement, which cannot be attributed to the absorbing entity.<br />
<br />
<br />
f) The impact on the rights of minors.<br />
<br />
g) Have, when not mandatory, a data protection delegate.<br />
<br />
h) The submission by the person responsible or in charge, on a voluntary basis, to<br />
alternative conflict resolution mechanisms, in those cases in which<br />
<br />
"There are disputes between them and any interested party."<br />
<br />
<br />
<br />
In accordance with the transcribed precepts, in order to set the amount of the<br />
fine to be imposed on B.B.B. with NIF ***NIF.1, as responsible for an infringement<br />
typified in article 83.5.a) of the RGPD, the following factors are considered<br />
concurrent in this case as aggravating factors:<br />
Intentionality or negligence in the infringement, since, given his activity,<br />
greater care is required from the claimed party in the processing of the data<br />
(83.2.b) GDPR).<br />
<br />
Therefore, in accordance with the applicable legislation and evaluated the criteria of<br />
graduation of sanctions whose existence has been proven,<br />
<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: IMPOSE B.B.B., with NIF ***NIF.1, for a violation of article 6 of the<br />
RGPD, typified in article 83.5 of the RGPD, a fine of €2,000 (two thousand euros).<br />
<br />
<br />
SECOND: NOTIFY this resolution to B.B.B.<br />
<br />
THIRD: Warn the sanctioned person that he must make the sanction imposed effective<br />
once this resolution is enforceable, in accordance with the provisions of<br />
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter LPACAP), within the voluntary payment period<br />
established in art. 68 of the General Collection Regulations, approved<br />
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,<br />
of December 17, by paying it, indicating the NIF of the sanctioned person and the number<br />
of the procedure that appears in the heading of this document, into the<br />
restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the<br />
Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.<br />
Otherwise, it will be collected during the executive period.<br />
<br />
Once the notification is received and once enforceable, if the enforceability date is<br />
between the 1st and 15th of each month, both inclusive, the deadline to make the<br />
voluntary payment will be until the 20th of the following month or the immediately following business day, and if<br />
it is between the 16th and the last day of each month, both inclusive, the payment period<br />
will be until the 5th of the second following month or the immediately following business day.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the<br />
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the<br />
interested parties may optionally file an appeal for reconsideration before the<br />
Director of the Spanish Data Protection Agency within a period of one month<br />
counted from the day following the notification of this resolution, or directly a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,<br />
the final resolution may be provisionally suspended through administrative channels if the<br />
interested party expresses the intention to file a contentious-administrative appeal.<br />
<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, presenting it through<br />
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
cited Law 39/2015, of October 1. The documentation that proves the effective filing<br />
of the contentious-administrative appeal must also be transferred to the Agency. If<br />
the Agency were not aware of the filing of the contentious-administrative appeal within<br />
a period of two months from the day following the notification of this resolution,<br />
the precautionary suspension would terminate.<br />
<br />
<br />
938-120722<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202206776&diff=34870AEPD (Spain) - EXP2022067762023-09-18T09:09:57Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00420-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00430-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00420-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00430-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=13.06.2022<br />
|Date_Decided=01.09.2023<br />
|Date_Published=01.09.2023<br />
|Year=2023<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 4(2) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#2<br />
|GDPR_Article_3=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 5 GDPR#1c<br />
|GDPR_Article_4=Article 12 GDPR<br />
|GDPR_Article_Link_4=Article 12 GDPR<br />
|GDPR_Article_5=Article 13 GDPR<br />
|GDPR_Article_Link_5=Article 13 GDPR<br />
|GDPR_Article_6=Article 13 GDPR<br />
|GDPR_Article_Link_6=Article 13 GDPR<br />
|GDPR_Article_7=Article 14 GDPR<br />
|GDPR_Article_Link_7=Article 14 GDPR<br />
|GDPR_Article_8=Article 58(2) GDPR<br />
|GDPR_Article_Link_8=Article 58 GDPR#2<br />
|GDPR_Article_9=Article 83(5) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#5<br />
|GDPR_Article_10=<br />
|GDPR_Article_Link_10=<br />
|GDPR_Article_11=<br />
|GDPR_Article_Link_11=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 22 LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 47 LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 48(1) LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 48(6) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 50 LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 63 LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 64(2) LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=Article 68(1) LOPDGDD<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_9=<br />
|National_Law_Link_9=<br />
|National_Law_Name_10=<br />
|National_Law_Link_10=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela_maria_rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA dismissed a complaint about the use of a surveillance camera facing public spaces because the equipment was never put into use, so there was no processing of personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject filed a complaint against the installation and use of cameras on a private property facing public spaces and other private spaces. There was no sign informing about the existence of the surveillance camera. The controller stated that even though the camera was real, it was not functioning. Later, the controller also sent evidence proving the return of the surveillance device.<br />
<br />
=== Holding ===<br />
The Spanish DPA held that there was no breach of the data protection rules since there was no processing of personal data. Even though the camera was real, it was never functional.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/6<br />
<br />
File No.: EXP202206776<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
<br />
BACKGROUND<br />
<br />
FIRST: On 06/13/2022, a document submitted by A.A.A. (hereinafter, the complaining<br />
party) was entered in this Agency, through which a claim is made against B.B.B.<br />
with NIF ***NIF.1 (hereinafter, the claimed party), for the installation of<br />
a video surveillance system located in ***ADDRESS.1, there being indications of a<br />
possible non-compliance with the provisions of the personal data protection<br />
regulations.<br />
<br />
The reasons underlying the claim are the following:<br />
<br />
<br />
“1º This camera is located on the façade of a property that is not owned by the<br />
person who installed it.<br />
<br />
2º It lacks any type of sign informing that said camera exists.<br />
<br />
3º The location of said camera covers the recording of the entire public road and the entrances to<br />
the homes included in that section, as well as the owners' vehicles.<br />
<br />
(…)”<br />
<br />
<br />
A photograph of the location of the video surveillance camera and the area<br />
affected by it is attached.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), on 06/14/2022 said claim was transferred to the claimed party, so that<br />
it could proceed with its analysis and inform this Agency, within a period of one<br />
month, of the actions carried out to adapt to the requirements provided for in the<br />
data protection regulations.<br />
<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, of the Common Administrative Procedure of the Public Administrations<br />
(hereinafter, LPACAP), was collected on 06/20/2022 as stated in the<br />
acknowledgment of receipt that appears in the file. To date, no response to this<br />
transfer letter has been received.<br />
<br />
<br />
THIRD: On 08/09/2022, in accordance with article 65 of the LOPDGDD,<br />
the claim presented by the complaining party was admitted for processing.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/6<br />
<br />
FOURTH: On 10/24/2022, the Director of the Spanish Data Protection Agency<br />
agreed to initiate sanctioning proceedings against the claimed party, in accordance with<br />
the provisions of articles 63 and 64 of the LPACAP, for the alleged violations of<br />
articles 5.1.c) and 13 of the RGPD, typified in article 83.5 of the RGPD.<br />
<br />
This agreement was notified in accordance with the rules established in the LPACAP<br />
by postal notification, and was delivered to the claimed party on 11/07/2022.<br />
<br />
FIFTH: On 11/16/2022, the claimed party presented a written document, in time and<br />
form, before this Agency in which he stated the following:<br />
<br />
“[…]<br />
<br />
FOURTH.- That the security camera is not my property, nor is it located on my<br />
façade; it belongs to my father, who asked me to install it on his façade for his<br />
own safety and interests (supporting document attached).<br />
<br />
FIFTH.- That I am aware that the camera is not in operation, and it will not be put<br />
into operation while it does not meet the requirements set by the data protection<br />
regulations.<br />
<br />
<br />
[…]”<br />
<br />
Along with the written allegations, it provides, among others, the following documentation:<br />
<br />
<br />
- Copy of the document, dated 01/01/2019, by virtue of which C.C.C. authorizes<br />
the claimed party to “carry out any management, work or procedure that is necessary<br />
for maintenance, repair or anything else he deems appropriate<br />
for the interests of my assets.”<br />
<br />
<br />
SIXTH: On 01/19/2023, the investigating body of the procedure agreed to the<br />
opening of an evidentiary period, considering incorporated the claim<br />
filed by the complaining party and its documentation, as well as the allegations to the<br />
initiation agreement PS/00430/2022 presented by the claimed party and the<br />
documentation that accompanies them.<br />
<br />
<br />
Likewise, the investigating body required the claimed party to provide a photograph,<br />
invoice, purchase receipt or any other document that proves the non-operation<br />
of the camera in question, or, failing that, to provide a signed responsible<br />
declaration stating, under its responsibility, that the camera is not in<br />
operation/has been removed.<br />
<br />
<br />
SEVENTH: On 03/03/2023, this Agency received a letter from the claimed party<br />
indicating the withdrawal of the device in question. Proof of its return to the<br />
selling company is attached.<br />
<br />
<br />
EIGHTH: On 06/15/2023, the investigative body of the sanctioning procedure<br />
formulated a proposed resolution, in which it proposes that the Director of the<br />
Spanish Data Protection Agency order the filing of the case due to the camera<br />
object of the claim not being in operation and, consequently, the video-surveillance<br />
area information sign not being necessary as there is no data processing.<br />
<br />
<br />
This proposed resolution, which was notified to the claimed party in accordance with the<br />
rules established in the LPACAP, was delivered on 06/22/2023, as<br />
appears in the acknowledgment of receipt that is in the file. To date, no<br />
allegation has been received from the claimed party.<br />
<br />
In view of everything that has been done by the Spanish Data Protection Agency<br />
in this procedure, the following are considered proven facts:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: The claim of 06/13/2022 reports the installation of<br />
a white video surveillance camera on the façade of the property, located in<br />
***ADDRESS.1, oriented towards public roads and the entrance to third parties'<br />
homes. In addition, it does not have the mandatory video surveillance area information sign.<br />
<br />
These two points are proven with the photograph provided by the complaining<br />
party.<br />
<br />
<br />
SECOND: On 11/16/2022, the claimed party cites his father's security reasons<br />
for installing the camera, which is real, but which is not in<br />
operation.<br />
<br />
<br />
THIRD: On 03/03/2023 the claimed party communicates the withdrawal of the device and<br />
provides a screenshot of his profile in the Amazon app, which shows that,<br />
within the “My orders” section, the return of a white video surveillance camera<br />
is included. Specifically, the following is observed: “2022. Return<br />
completed. Your return has been completed. Your refund has been processed.”<br />
<br />
<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
Competence and applicable regulations<br />
<br />
<br />
In accordance with the powers that article 58.2 of the RGPD grants to each supervisory<br />
authority and in accordance with the provisions of articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,<br />
the Director of the Spanish Data Protection Agency is competent to initiate and<br />
resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
The image is personal data<br />
<br />
The physical image of a person, in accordance with article 4.1 of the GDPR, is<br />
personal data and its protection, therefore, is the subject of said Regulation. Article 4.2<br />
of the GDPR defines the concept of “processing” of personal data.<br />
<br />
Images generated by a camera or video camera system are personal data, so<br />
their processing is subject to the data protection regulations.<br />
<br />
<br />
III<br />
Data minimization<br />
<br />
Article 5.1.c) of the RGPD states the following:<br />
<br />
"1. Personal data shall be:<br />
<br />
(…)<br />
<br />
c) adequate, relevant and limited to what is necessary in relation to the purposes for<br />
which they are processed (“data minimisation”)”<br />
<br />
<br />
Regarding processing for video surveillance purposes, article 22 of the LOPDGDD<br />
establishes that natural or legal persons, public or private, may carry out<br />
image processing through camera or video camera systems<br />
for the purpose of preserving the safety of people and property, as well as their<br />
facilities. However, the capture of images of public roads is only allowed<br />
to the extent that it is essential for the aforementioned purpose.<br />
<br />
In no case will the use of surveillance practices beyond the environment object<br />
of the installation be permitted, and in particular they may not affect surrounding<br />
public spaces, adjacent buildings or vehicles other than those that access the<br />
guarded space.<br />
<br />
The installed cameras cannot obtain images of third-party private space<br />
and/or public space without duly accredited justified cause, nor can they affect<br />
the privacy of passers-by who move freely through the area.<br />
<br />
<br />
IV<br />
Transparency of personal data processing<br />
<br />
Article 5 of the GDPR, “Principles relating to processing”, indicates that:<br />
<br />
"1. Personal data shall be:<br />
<br />
a) processed lawfully, fairly and in a transparent manner in relation to the data subject<br />
(“lawfulness, fairness and transparency”)”.<br />
<br />
This principle is developed in article 12 of the GDPR and, depending on whether the<br />
personal data are obtained from the data subject or not, the information that must be<br />
provided is listed in articles 13 or 14 of the GDPR.<br />
<br />
<br />
Regarding processing for video surveillance purposes, article 22.4 of the LOPDGDD<br />
provides that:<br />
<br />
“The duty of information provided for in article 12 of Regulation (EU) 2016/679<br />
will be deemed fulfilled by placing an information device in a sufficiently<br />
visible place identifying, at least, the existence of the processing, the<br />
identity of the controller and the possibility of exercising the rights provided for in<br />
articles 15 to 22 of Regulation (EU) 2016/679. A connection code or internet<br />
address to this information may also be included in the information device."<br />
<br />
V<br />
Allegations made<br />
<br />
<br />
This Agency has no evidence that the claimed party has submitted a written statement<br />
of allegations against the proposed resolution.<br />
<br />
However, as already indicated in the proposed resolution, on 11/16/2022 a written<br />
statement of allegations regarding the agreement to initiate this sanctioning<br />
procedure was received from the claimed party, in which it acknowledges having<br />
installed the camera on the façade of his father's home, at his request, for<br />
security reasons. However, although the device is real, it is not working.<br />
<br />
As a result of the evidence requirement made by the investigating body, on 03/03/2023 the<br />
claimed party communicated the withdrawal of the camera in question and, in addition,<br />
provided a copy of the return receipt.<br />
<br />
The camera that is the subject of the claim, being inoperative, has not captured any image<br />
of an identified or identifiable natural person, so there is no processing of<br />
personal data. In this sense, the absence of said processing means that the<br />
obligation to inform under article 13 of the GDPR does not arise; it is not<br />
necessary to place a video surveillance area information sign.<br />
<br />
Consequently, in light of the above, it is concluded that it has not been proven<br />
at this moment of resolution that the facts object of transfer constitute an<br />
administrative offense in the matter at hand.<br />
<br />
This Agency wishes to recall that article 28.7 of the LPACAP provides that: “The<br />
interested parties will be responsible for the veracity of the documents they present.”<br />
<br />
<br />
Therefore, in accordance with the applicable legislation and having evaluated the criteria for<br />
graduation of sanctions whose existence has been proven,<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: ORDER the FILING of this sanctioning procedure against B.B.B.,<br />
with NIF ***NIF.1, since the commission of the infractions of<br />
articles 5.1.c) and 13 of the RGPD has not been proven, due to the camera object<br />
of the claim not having been in operation.<br />
<br />
<br />
SECOND: NOTIFY this resolution to B.B.B.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance with article 48.6<br />
of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the<br />
interested parties may optionally file an appeal for reconsideration before the<br />
Director of the Spanish Data Protection Agency within a period of one month<br />
counted from the day following the notification of this resolution, or directly a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
Finally, it is noted that in accordance with the provisions of article 90.3 a) of the LPACAP,<br />
the final resolution may be provisionally suspended through administrative channels if the<br />
interested party expresses the intention to file a contentious-administrative appeal.<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, presenting it through<br />
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
cited Law 39/2015, of October 1. The documentation that proves the effective filing<br />
of the contentious-administrative appeal must also be transferred to the Agency. If<br />
the Agency were not aware of the filing of the contentious-administrative appeal within<br />
a period of two months from the day following the notification of this resolution,<br />
the precautionary suspension would terminate.<br />
<br />
<br />
938-010623<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202209175&diff=34869AEPD (Spain) - EXP2022091752023-09-18T08:45:56Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00624-2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00624-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00624-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00624-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=29.07.2022<br />
|Date_Decided=01.09.2023<br />
|Date_Published=01.09.2023<br />
|Year=2023<br />
|Fine=300<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 13 GDPR<br />
|GDPR_Article_Link_2=Article 13 GDPR<br />
|GDPR_Article_3=Article 15 GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR<br />
|GDPR_Article_4=Article 16 GDPR<br />
|GDPR_Article_Link_4=Article 16 GDPR<br />
|GDPR_Article_5=Article 17 GDPR<br />
|GDPR_Article_Link_5=Article 17 GDPR<br />
|GDPR_Article_6=Article 18 GDPR<br />
|GDPR_Article_Link_6=Article 18 GDPR<br />
|GDPR_Article_7=Article 19 GDPR<br />
|GDPR_Article_Link_7=Article 19 GDPR<br />
|GDPR_Article_8=Article 20 GDPR<br />
|GDPR_Article_Link_8=Article 20 GDPR<br />
|GDPR_Article_9=Article 21 GDPR<br />
|GDPR_Article_Link_9=Article 21 GDPR<br />
|GDPR_Article_10=Article 22 GDPR<br />
|GDPR_Article_Link_10=Article 22 GDPR<br />
|GDPR_Article_11=Article 58(2) GDPR<br />
|GDPR_Article_Link_11=Article 58 GDPR#2<br />
|GDPR_Article_12=Article 83(5) GDPR<br />
|GDPR_Article_Link_12=Article 83 GDPR#5<br />
|GDPR_Article_13=<br />
|GDPR_Article_Link_13=<br />
|GDPR_Article_14=<br />
|GDPR_Article_Link_14=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 22(3) LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 47 LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 48(1) LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 50 LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 63(2) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 64(2) LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 65(4) LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=Article 68(1) LOPDGDD<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_9=Article 74 LOPDGDD<br />
|National_Law_Link_9=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_10=<br />
|National_Law_Link_10=<br />
|National_Law_Name_11=<br />
|National_Law_Link_11=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela_maria_rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA fined a controller for providing incomplete information about the use of video cameras. Article 13 GDPR was breached since the sign gave no information about the identity of the controller or about how to exercise the data subjects' rights.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject filed a complaint against the controller alleging that the video cameras installed on private property were also gathering images from a public space. Even though the Spanish DPA held that the public space filmed was not significant, the sign informing data subjects about the video cameras did not comply with data protection rules. The sign did not present enough information about the identity of the controller or about how to exercise the data subjects' rights. For that reason, the Spanish DPA found that there was a breach of Article 13 GDPR and Article 22 LOPDGDD.<br />
<br />
=== Holding ===<br />
The DPA held that there was a breach of Article 13 GDPR since the sign informing citizens about the video surveillance cameras did not present enough information. Even though there was a sign on the private property, it did not mention the identity of the controller, nor did it provide information about how to exercise the data subjects' rights.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/5<br />
<br />
File No.: EXP202209175<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish<br />
Data Protection Agency dated July 29, 2022. The claim is directed against B.B.B.<br />
with NIF ***NIF.1 (hereinafter, the claimed party). The reasons on which the claim<br />
is based are the following:<br />
<br />
<br />
The complaining party states that the claimed party is responsible for a<br />
video surveillance camera that is oriented towards public roads, without prior<br />
administrative authorization for this and without it being properly signposted<br />
by means of the mandatory video surveillance area information signs.<br />
Images of the camera location are provided.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), said claim was transferred to the claimed party, so that it could<br />
proceed with its analysis and inform this Agency, within a period of one month, of the<br />
actions carried out to adapt to the requirements provided for in the<br />
data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law<br />
39/2015, of October 1, on the Common Administrative Procedure of the Public<br />
Administrations (hereinafter, LPACAP), was collected on 09/14/2022, as stated in the<br />
acknowledgment of receipt that appears in the file.<br />
<br />
On 10/28/2022, this Agency received a written response indicating:<br />
<br />
-That the claimed party is responsible for the video surveillance system.<br />
-That the surveillance system is made up of two cameras.<br />
-A photograph of the sign that warns of the existence of the video surveillance area<br />
is attached.<br />
-That the maintenance of the system has been contracted with the company ***COMPANY.1.<br />
-That the recording of images is kept for 7 days.<br />
<br />
<br />
THIRD: On October 29, 2022, in accordance with article 65 of the LOPDGDD, the claim<br />
presented by the complaining party was admitted for processing.<br />
<br />
FOURTH: On March 16, 2023, the Director of the Spanish Data Protection Agency<br />
agreed to initiate sanctioning proceedings against the claimed party for the alleged<br />
violation of Article 5.1.c) of the RGPD and Article 13 of the RGPD, typified in<br />
Article 83.5 of the RGPD.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/5<br />
FIFTH: The aforementioned initiation agreement having been notified in accordance<br />
with the rules established in Law 39/2015, of October 1, on the Common Administrative<br />
Procedure of the Public Administrations (hereinafter, LPACAP), the claimed party<br />
submitted a written statement of allegations in which, in summary, it stated:<br />
<br />
-That the images captured by the “patio 1” camera are confined to the property of<br />
the entity without, at any time, affecting the promenade or the beach or including<br />
buildings.<br />
<br />
<br />
In this regard, this Agency points out that, having studied the documents in the<br />
file, mainly the images corresponding to the space captured by the cameras, it is<br />
not in fact observed that they affect public areas or adjacent buildings to an<br />
excessive degree that would be considered contrary to data protection regulations.<br />
The allegation is therefore accepted and the alleged infringement of article 5.1.c<br />
of the RGPD is dismissed.<br />
<br />
-That it does not agree with the imputation of the infringement of article 13 RGPD,<br />
since the sign includes the precise information required by the regulations, the<br />
sign having been provided by the company in charge of maintaining the video<br />
surveillance system.<br />
<br />
<br />
In this regard, this Agency points out that, although a video surveillance area<br />
warning sign is indeed observed in the photo provided with the response to the<br />
transfer, it does not comply with the requirements established in article 22.4 of<br />
the LOPDGDD, since it contains neither the identity of the controller nor the<br />
possibility of exercising the rights provided for in articles 15 to 22 of the GDPR.<br />
<br />
-That, currently, there are no cameras installed on the property as a result of the<br />
works being carried out on it. This point is evidenced by the photographs attached<br />
as annexes.<br />
<br />
<br />
In this regard, this Agency points out that, although no installed video surveillance<br />
cameras are currently observed, there were cameras at the time the complaining party<br />
filed the claim, for which reason a breach of the aforementioned article 13 of the<br />
RGPD is found, although, logically, no measures will be imposed in relation to the<br />
need to complete the information provided on the signs, since no data processing is<br />
currently taking place.<br />
<br />
SIXTH: On April 26, 2023, a proposed resolution was formulated, proposing:<br />
<br />
That the Director of the Spanish Data Protection Agency sanction B.B.B., with NIF<br />
***NIF.1, for a violation of Article 13 of the RGPD, typified in Article 83.5 of the<br />
RGPD, with a fine of €300 (three hundred euros).<br />
<br />
<br />
SEVENTH: Postal notification of the proposed resolution was attempted; it was not<br />
collected at the address of the claimed party, the acknowledgment of receipt being<br />
returned with the result “absent”.<br />
No allegations have been presented against the proposed resolution.<br />
<br />
<br />
In view of everything done by the Spanish Data Protection Agency in this procedure,<br />
the following are considered proven facts:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: It is proven that, at the time of filing the claim, the claimed party had video<br />
surveillance cameras installed on its property, although from the images of their<br />
field of vision it is clear that they do not capture images of public roads, at least<br />
not to a punishable excess according to data protection regulations, nor of adjacent<br />
buildings.<br />
<br />
SECOND: It is proven that, although according to the image provided by the claimed<br />
party there are signs warning of the existence of video cameras, the information they<br />
provide is insufficient and does not meet the requirements of article 22 of the<br />
LOPDGDD, as it contains neither the identity of the controller nor the possibility of<br />
exercising the rights provided for in articles 15 to 22 of the RGPD.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General<br />
Data Protection Regulation, hereinafter RGPD) grants each supervisory authority, and<br />
as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December<br />
5, on the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), the Director of the Spanish Data Protection Agency is competent to<br />
initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by<br />
the Spanish Data Protection Agency will be governed by the provisions of Regulation<br />
(EU) 2016/679, of this organic law, of the regulatory provisions issued in its<br />
development and, insofar as they do not contradict them, on a subsidiary basis, by<br />
the general rules on administrative procedures."<br />
<br />
<br />
<br />
II<br />
The installation of a video camera entails the unavoidable obligation to warn of its<br />
presence by means of an informative sign, in a sufficiently visible place, identifying<br />
at least the existence of the processing, the identity of the controller, and the<br />
possibility of exercising the rights provided for in articles 15 to 22 of the GDPR.<br />
<br />
In the present case, although the claimed party has provided a photograph of a sign<br />
placed next to the cameras, it is observed that it does not comply with all the<br />
requirements established for this purpose in article 22 of the LOPDGDD, as it is<br />
incomplete and the information provided is insufficient.<br />
<br />
<br />
Therefore, it is considered that the facts presented violate the provisions of<br />
Article 13 of the RGPD, which constitutes the commission of an infringement<br />
classified in Article 83.5 of the GDPR, which provides the following:<br />
“Infringements of the following provisions will be sanctioned, in accordance with<br />
paragraph 2, with administrative fines of up to EUR 20 000 000 or, in the case of an<br />
undertaking, up to 4% of the total worldwide annual turnover of the preceding<br />
financial year, whichever is higher:<br />
<br />
(…)<br />
b) the rights of the data subjects under articles 12 to 22; (…)”.<br />
<br />
<br />
For the purposes of the limitation period, article 74 “Infringements considered<br />
minor” of the LOPDGDD indicates:<br />
<br />
“The remaining infringements of a purely formal nature of the articles mentioned in<br />
sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and<br />
will expire after one year, and in particular the following:<br />
a) Failure to comply with the principle of transparency of information or the right<br />
to information of the affected person, by not providing all the information required<br />
by articles 13 and 14 of Regulation (EU) 2016/679.<br />
(…)”<br />
<br />
<br />
III<br />
<br />
In light of the facts presented, it is considered appropriate to impose a sanction on<br />
the claimed party for the violation of Article 13 of the GDPR, typified in Article<br />
83.5 of the GDPR. The sanction to be imposed is an administrative fine in the amount<br />
of 300 euros (THREE HUNDRED EUROS).<br />
<br />
<br />
Therefore, in accordance with the applicable legislation and having evaluated the<br />
criteria for graduation of sanctions whose existence has been proven, the Director<br />
of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: IMPOSE on B.B.B., with NIF ***NIF.1, for a violation of Article 13 of the<br />
RGPD, typified in Article 83.5 of the RGPD, a fine of 300 euros (THREE HUNDRED<br />
EUROS).<br />
<br />
SECOND: NOTIFY this resolution to B.B.B..<br />
<br />
THIRD: Warn the sanctioned person that he must pay the sanction imposed once this<br />
resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of<br />
Law 39/2015, of October 1, on the Common Administrative Procedure of the Public<br />
Administrations (hereinafter LPACAP), within the voluntary payment period<br />
established in art. 68 of the General Collection Regulations, approved by Royal<br />
Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17,<br />
by paying it, indicating the NIF of the sanctioned person and the procedure number<br />
that appears in the heading of this document, into the restricted account with IBAN<br />
number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the<br />
name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A.<br />
Otherwise, it will proceed to collection in the enforcement period.<br />
<br />
<br />
Once the notification is received and the resolution becomes enforceable, if the<br />
enforceability date falls between the 1st and 15th of the month, both inclusive, the<br />
deadline for voluntary payment will be until the 20th of the following month or the<br />
immediately following business day, and if it falls between the 16th and the last day<br />
of the month, both inclusive, the payment deadline will be until the 5th of the second<br />
following month or the immediately following business day.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will<br />
be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative procedure in<br />
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of<br />
article 123 of the LPACAP, the interested parties may optionally file an appeal for<br />
reconsideration before the Director of the Spanish Data Protection Agency within a<br />
period of one month from the day following the notification of this resolution, or<br />
directly a contentious-administrative appeal before the Contentious-Administrative<br />
Chamber of the National Court, in accordance with the provisions of article 25 and<br />
section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating<br />
the Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the<br />
LPACAP, the final resolution may be provisionally suspended through administrative<br />
channels if the interested party expresses the intention to file a contentious-<br />
administrative appeal. If this is the case, the interested party must formally<br />
communicate this fact in writing addressed to the Spanish Data Protection Agency,<br />
submitted through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the cited Law<br />
39/2015, of October 1. The interested party must also provide the Agency with the<br />
documentation proving the effective filing of the contentious-administrative appeal.<br />
If the Agency is not made aware of the filing of the contentious-administrative<br />
appeal within a period of two months from the day following the notification of this<br />
resolution, the precautionary suspension would end.<br />
<br />
<br />
938-010623<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202208230&diff=34745AEPD (Spain) - EXP2022082302023-09-11T09:49:21Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00243-2023 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00243-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00243-2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00243-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Other Outcome<br />
|Date_Started=29.06.2022<br />
|Date_Decided=21.08.2023<br />
|Date_Published=21.08.2023<br />
|Year=2023<br />
|Fine=96000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(7) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#7<br />
|GDPR_Article_2=Article 4(8) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#8<br />
|GDPR_Article_3=Article 28 GDPR<br />
|GDPR_Article_Link_3=Article 28 GDPR<br />
|GDPR_Article_4=Article 57(1) GDPR<br />
|GDPR_Article_Link_4=Article 57 GDPR#1<br />
|GDPR_Article_5=Article 58(1) GDPR<br />
|GDPR_Article_Link_5=Article 58 GDPR#1<br />
|GDPR_Article_6=Article 58(2) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#2<br />
|GDPR_Article_7=Article 83(2) GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR#2<br />
|GDPR_Article_8=Article 83(4) GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR#4<br />
|GDPR_Article_9=Article 83(5) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#5<br />
|GDPR_Article_10=Article 83(6) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#6<br />
|GDPR_Article_11=<br />
|GDPR_Article_Link_11=<br />
|GDPR_Article_12=<br />
|GDPR_Article_Link_12=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 47 LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 48(1) LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 53.2 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 65 LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 68(1) LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Article 71 LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 73 LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=Article 76(2) LOPDGDD<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_9=<br />
|National_Law_Link_9=<br />
|National_Law_Name_10=<br />
|National_Law_Link_10=<br />
<br />
|Party_Name_1=FOURTH PARTY LOGISTICS, S.L.<br />
|Party_Link_1=<br />
|Party_Name_2=Data Subject<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela_maria_rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA decided that the absence of contracts between processors and subprocessors can justify initiating a sanctioning procedure, especially when the controller was not notified that subprocessors were involved in the processing activities.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A package from CARREFOUR was to be delivered to the data subject's address. In case the data subject was not at home, they gave permission to deliver the package to their neighbour. However, the package was delivered to someone else. As the controller, CARREFOUR has a contract with a processor responsible for deliveries, FOURTH PARTY LOGISTICS SL. This contract establishes that the processor must notify the controller if it contracts a subprocessor. Even though a subprocessor carried out the delivery, CARREFOUR was not notified of the existence of any subprocessor. The processor explained that two subprocessors were involved in the delivery, ENVIALIA WORLD SL and THE BEE LOGISTICS SL; however, no contract between these parties was presented to the DPA. Considering that the subprocessor had to process personal data controlled by CARREFOUR, there was a breach of the GDPR, since the processor did not comply with its contract with the controller and there are no formal agreements with the subprocessors.<br />
<br />
=== Holding ===<br />
The DPA held that there was enough evidence to start a sanctioning procedure, especially considering the lack of legally binding instruments between the processor and the subprocessors involved in the delivery of a package to the data subject. On this basis, the Spanish DPA established that a possible fine of €90,000 could be imposed for the breach of Articles 28(2) and 28(3) GDPR. The processor decided to end the procedure by paying the reduced fine of €72,000, which implies admitting the breach of the data protection rules.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202208230<br />
<br />
<br />
RESOLUTION OF TERMINATION OF THE PROCEDURE BY VOLUNTARY PAYMENT<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On June 16, 2023, the Director of the Spanish Data Protection Agency agreed to<br />
initiate sanctioning proceedings against FOURTH PARTY LOGISTICS, S.L. (hereinafter,<br />
the claimed party), through the Agreement transcribed below:<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: EXP202208230<br />
<br />
<br />
AGREEMENT TO START SANCTIONING PROCEDURE<br />
<br />
<br />
Of the actions carried out by the Spanish Data Protection Agency and in<br />
based on the following<br />
<br />
FACTS<br />
<br />
<br />
FIRST: Ms. A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish<br />
Data Protection Agency on June 29, 2022. The claim is directed against “Envialia”.<br />
<br />
The claim states:<br />
<br />
<br />
“Today, June 28 at 2:30 p.m., the courier with telephone number ***TELÉFONO.1 called<br />
me to deliver a package from Carrefour. As I was not at home, I told him to leave it<br />
with my neighbor on the first floor left, B.B.B.. He told me that was perfect. When I<br />
got home 20 minutes later, my neighbor told me that nothing had been delivered. I<br />
called the courier and he told me that a boy with a cap came through the entrance and<br />
said it was him, and he handed it over without further ado. I have complained to the<br />
transport company and they tell me that it was carried by a certain C.C.C. and that<br />
they are searching among the neighbors, which they should do. It is no longer just the<br />
lack of a solution for the literal theft of my package, but the fact that, in addition<br />
to my merchandise, all my personal information, ID, telephone number, address, name,<br />
surname and an invoice for the purchase with my bank details, data that I have at no<br />
time authorized them to give to an unknown person, can be used illicitly, causing me<br />
great harm. For this I pray you intercede.”<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/15<br />
Along with the claim, a thread of emails exchanged with “Envialia” is provided.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the<br />
Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD),<br />
said claim was transferred to ENVIALIA WORLD (hereinafter, EW) so that it could<br />
proceed with its analysis and inform this Agency, within a period of one month, of<br />
the actions carried out to adapt to the requirements provided for in the data<br />
protection regulations.<br />
<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law<br />
39/2015, of October 1, on the Common Administrative Procedure of the Public<br />
Administrations (hereinafter, LPACAP), was collected on July 28, 2022, as stated in<br />
the certificate in the file.<br />
<br />
<br />
On August 25 of that same year, this Agency received a letter of response indicating<br />
that "...it had not been aware of it until the notification received from the AEPD,<br />
therefore it has not been possible to respond to the claimant, since we did not have<br />
the claim or their contact information. A response is given to the e-mail that<br />
appears in Annex 1 (***USUARIO.1@hotmail.com) and a copy of the response given is<br />
attached.<br />
<br />
b) Regarding the decision adopted regarding this claim: It is necessary to understand<br />
the roles of the various companies involved in the delivery process:<br />
Client: Hires the services of the cargo agency.<br />
Cargo agency: Acts as Data Controller; has a contract with Envialia World, which<br />
makes available to it the Envialia Network made up of other agencies with which it<br />
has a contract.<br />
Envialia World: Acts as Data Processor.<br />
Cargo Agency: Acts as sub-processor.<br />
Recipient: Is the interested party and, in this case, harmed by the malpractice of<br />
the cargo agency courier.<br />
<br />
At Envialia World we consider this fact a theft and in this situation we inform the<br />
responsible agencies so that they file the corresponding complaint. On the other<br />
hand, both the cargo agency and ENVIALIA WORLD or the destination agency are only<br />
responsible for the data that appears on the label accompanying the package to be<br />
delivered; in no case can they be responsible for the data that may be inside the<br />
package (such as the invoice mentioned by the interested party with her bank<br />
details), since none of the ENVIALIA companies or agencies involved access, nor<br />
should access, and do not even know what is inside the package. We understand that if<br />
there is any type of violation of the rights of the interested party, it is on the<br />
part of the sub-processor, which is the destination agency. For this reason, we<br />
proceed to inform it of the claim received and to analyze the reasons that gave rise<br />
to the poor delivery practice and demand the application of measures to prevent the<br />
problem from recurring…”<br />
<br />
THIRD: On August 30, 2022, in accordance with article 65 of the LOPDGDD, the claim<br />
presented by the complaining party was admitted for processing.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out<br />
preliminary investigative actions to clarify the facts in<br />
question, by virtue of the functions assigned to the supervisory authorities in<br />
article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR), and in accordance with the<br />
provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge<br />
of the following points:<br />
<br />
On April 12, 2023, information was requested from EW to provide:<br />
<br />
"1. Description of all parties involved in the business relationship and the<br />
collection/delivery process of shipments.<br />
2. Documentation that proves the relations of ENVIALIA WORLD S.L. with the parties<br />
you describe in your answer, and in particular the data processing agreement, since<br />
point 2.b) of your answer defines ENVIALIA WORLD S.L. as the processor.”<br />
<br />
<br />
On April 27, 2023, a response was received, in the following terms:<br />
<br />
- In the FIRST point, responding to point 1 of the request: "Client: SHOPPING CENTERS<br />
CARREFOUR, S.A., with NIF A28425270, domiciled in P.I. "Las Mercedes", Calle Campezo<br />
16, 28022 Madrid. Cargo agency: FOURTH PARTY LOGISTICS, S.L., with NIF B86496007 and<br />
with address at Avenida Switzerland 2, 28821, Coslada, Madrid. FOURTH PARTY LOGISTICS<br />
SL operates under the ENVIALIA brand, within a national transportation network.<br />
FOURTH PARTY LOGISTICS subcontracts the services of FOURTH PARTY SERVICES, S.L., a<br />
company from the same network, which maintains relations with ENVIALIA WORLD, S.L.,<br />
established in a transportation and courier contract. ENVIALIA WORLD SL makes its<br />
transport network available to FOURTH PARTY SERVICES SL to carry out the management<br />
and provision of services. In this case, the courier shipment was carried out<br />
directly by FOURTH PARTY SERVICES SL, through the company THE BEE LOGISTICS, SLU,<br />
which was the one that had to deliver the package to Ms. A.A.A.. The courier delivered<br />
the package to the neighbor indicated by Ms. A.A.A., a fact not disputed by the<br />
complainant; what happens is that she indicates that the neighbor's name is B.B.B.<br />
and the package was delivered to C.C.C., who picked it up and provided their ID. On<br />
the other hand, the only data available to FOURTH PARTY SERVICES SL are those that<br />
appear on the package, only identifying information, and in no case are there bank<br />
details, nor a national identity document or equivalent. In any case, after what<br />
occurred, FOURTH PARTY SERVICES SL requested THE BEE LOGISTICS, SLU to adopt<br />
preventive and reactive measures, and to review the Envialia Operations Manual with<br />
its workers, for its proper compliance. The collection and delivery process is as<br />
follows:<br />
1. The customer buys at Carrefour, through its online platform, and the latter, once<br />
the purchase process is completed, gives the order to its transport and courier<br />
provider, FOURTH PARTY LOGISTICS SL, to carry out the delivery. The daily<br />
communication of the list of shipments that will travel through the Envialia network<br />
is done through a SOAP service, from which an XML is extracted with the data<br />
necessary for the correct management and delivery of the shipments (address, type of<br />
service, observations, etc.). The label is generated from ZPL code, with a barcode in<br />
CODE 128.<br />
2. FOURTH PARTY LOGISTICS, through FOURTH PARTY SERVICES, carries out the delivery of<br />
this package, with the collaboration of the transport company THE BEE LOGISTICS,<br />
contracted for this service.<br />
3. THE BEE LOGISTICS SLU makes the delivery to the person indicated by the buyer,<br />
Mrs. A.A.A.”<br />
<br />
- In the SECOND point, responding to point 2 of the request: “In response to this<br />
question, we attach the current contract formalized between CARREFOUR AND FOURTH<br />
PARTY LOGISTICS SL. The contract between FOURTH PARTY LOGISTICS and THE BEE LOGISTICS<br />
SLU is a verbal contract, since RD-Law 3/2022, which established the obligation that<br />
continuous transportation contracts be in writing, did not come into force until<br />
September 2022, while also giving full validity to sporadic transportation contracts<br />
with only the corresponding consignment note.”<br />
<br />
<br />
EW provides a copy of a service provision contract between FOURTH PARTY LOGISTICS<br />
S.L. and CARREFOUR S.A. SHOPPING CENTERS for the distribution, home delivery and<br />
delivery of the merchandise sold.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General<br />
Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and<br />
as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December<br />
5, on the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), the Director of the Spanish Data Protection Agency is competent to<br />
initiate and resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures<br />
processed by the Spanish Data Protection Agency shall be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
issued in its implementation and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
Possible administrative infringement.<br />
<br />
Article 4 GDPR, points 7 and 8, defines what is to be understood by<br />
controller and processor. Thus:<br />
<br />
<br />
“7) “controller” means the natural or legal person, public authority,<br />
agency or other body which, alone or jointly with others, determines the<br />
purposes and means of the processing of personal data; where the purposes and<br />
means of such processing are determined by Union or Member State law, the<br />
controller or the specific criteria for its nomination may be provided for by<br />
Union or Member State law;<br />
<br />
<br />
8) “processor” means the natural or legal person, public authority, agency<br />
or other body which processes personal data on behalf of the controller;…”<br />
<br />
In short, the controller is the natural or legal person or public<br />
authority that decides on the processing of personal data, determining the<br />
purposes and means of that processing.<br />
<br />
Under the principle of accountability, the controller must apply<br />
technical and organizational measures so as to comply with, and be able to<br />
demonstrate compliance with, the Regulation in response to the risk that the<br />
processing of personal data entails.<br />
<br />
For its part, the processor is the natural or legal person, public<br />
authority, agency or other body that provides a service to the controller<br />
which entails the processing of personal data on the controller's behalf.<br />
<br />
<br />
In this sense, the controller is the one who decides the “why” and “how” of<br />
the processing of personal data, and the processor is the one who carries out<br />
the processing on the controller's behalf.<br />
<br />
The figure of the processor in the GDPR is defined in its article 28, which<br />
establishes the requirements that must be met with regard to data protection:<br />
<br />
1. Where processing is to be carried out on behalf of a controller, the<br />
controller shall use only processors providing sufficient guarantees to<br />
implement appropriate technical and organizational measures in such a manner<br />
that processing will meet the requirements of this Regulation and ensure the<br />
protection of the rights of the data subject.<br />
<br />
2. The processor shall not engage another processor without prior specific or<br />
general written authorization of the controller. In the case of general written<br />
authorization, the processor shall inform the controller of any intended changes<br />
concerning the addition or replacement of other processors, thereby giving the<br />
controller the opportunity to object to such changes.<br />
<br />
3. Processing by a processor shall be governed by a contract or other legal act<br />
under Union or Member State law, that is binding on the processor with regard<br />
to the controller and that sets out the subject-matter and duration of the<br />
processing, the nature and purpose of the processing, the type of personal data<br />
and categories of data subjects and the obligations and rights of the<br />
controller. That contract or other legal act shall stipulate, in particular,<br />
that the processor:<br />
<br />
a) processes the personal data only on documented instructions from the<br />
controller, including with regard to transfers of personal data to a third<br />
country or an international organization, unless required to do so by Union or<br />
Member State law to which the processor is subject; in such a case, the<br />
processor shall inform the controller of that legal requirement before<br />
processing, unless that law prohibits such information on important grounds of<br />
public interest;<br />
<br />
b) ensures that persons authorized to process the personal data have committed<br />
themselves to confidentiality or are under an appropriate statutory obligation<br />
of confidentiality;<br />
<br />
c) takes all measures required pursuant to article 32;<br />
<br />
d) respects the conditions referred to in paragraphs 2 and 4 for engaging<br />
another processor;<br />
<br />
e) taking into account the nature of the processing, assists the controller by<br />
appropriate technical and organizational measures, insofar as this is possible,<br />
for the fulfilment of the controller's obligation to respond to requests for<br />
exercising the data subject's rights laid down in Chapter III;<br />
<br />
f) assists the controller in ensuring compliance with the obligations pursuant<br />
to articles 32 to 36, taking into account the nature of processing and the<br />
information available to the processor;<br />
<br />
g) at the choice of the controller, deletes or returns all the personal data to<br />
the controller after the end of the provision of services relating to<br />
processing, and deletes existing copies unless Union or Member State law<br />
requires storage of the personal data;<br />
<br />
h) makes available to the controller all information necessary to demonstrate<br />
compliance with the obligations laid down in this article and allows for and<br />
contributes to audits, including inspections, conducted by the controller or<br />
another auditor mandated by the controller.<br />
<br />
With regard to point h) of the first subparagraph, the processor shall<br />
immediately inform the controller if, in its opinion, an instruction infringes<br />
this Regulation or other Union or Member State data protection provisions.<br />
<br />
4. Where a processor engages another processor for carrying out specific<br />
processing activities on behalf of the controller, the same data protection<br />
obligations as set out in the contract or other legal act between the<br />
controller and the processor as referred to in paragraph 3 shall be imposed on<br />
that other processor by way of a contract or other legal act under Union or<br />
Member State law, in particular providing sufficient guarantees to implement<br />
appropriate technical and organizational measures in such a manner that the<br />
processing will meet the requirements of this Regulation. Where that other<br />
processor fails to fulfil its data protection obligations, the initial<br />
processor shall remain fully liable to the controller for the performance of<br />
that other processor's obligations. (…).<br />
<br />
<br />
Compliance with these specific obligations may be supervised by the data<br />
protection supervisory authorities, without prejudice to the control that may<br />
be carried out in relation to compliance with the GDPR or the LOPDGDD by the<br />
controller or the processor.<br />
<br />
In accordance with the provisions of article 28 GDPR, the controller and the<br />
processor must regulate the data processing in a contract or other legal act<br />
binding the processor with regard to the controller; that contract or legal act<br />
must set out the subject-matter, duration, nature and purpose of the<br />
processing, the type of personal data and categories of data subjects, the<br />
obligations and rights of the controller, etc.<br />
<br />
The processor, in turn, may engage another processor (“sub-processor”)<br />
provided that it has the prior written authorization of the controller, either<br />
a specific or a general authorization. In these cases, the processor is obliged<br />
to inform the controller of changes concerning the addition or replacement of<br />
other processors, so that the controller can object to such changes.<br />
<br />
<br />
The relationship between the controller and the processor, or between the<br />
latter and another processor, must be formalized in writing, including in<br />
electronic form. In both cases, the same obligations referred to in section 3 of<br />
article 28, transcribed above, must be imposed on the processor or<br />
“sub-processor”.<br />
<br />
<br />
In the present case, EW explains that:<br />
<br />
“- Envialia World has a transport and courier contract with Fourth Party<br />
Logistics. - Fourth Party Logistics subcontracts the services of Fourth Party Services.<br />
- Envialia World puts its transportation network at the service of Fourth Party Services<br />
so that it can carry out the provision of the service.<br />
<br />
- Fourth Party Logistics has a verbal courier contract with The Bee Logistics,<br />
a company that it identifies as a "freight agency" and that would be responsible for<br />
the delivery of the package.”<br />
<br />
A copy of a service contract is provided between CENTROS COMERCIALES<br />
CARREFOUR SA, with NIF A28425270 (as client, although its signature does not<br />
appear), and FOURTH PARTY LOGISTICS SL, with NIF B86496007 (as carrier), for<br />
home delivery of goods, whose section on data protection declares that the<br />
former is the controller and the latter the processor of the personal data.<br />
<br />
Said contract expressly establishes that "...In those cases in which the<br />
subcontracted service involves access to or processing of personal data<br />
under the responsibility of CARREFOUR by the subcontracted company, the<br />
CARRIER must guarantee that the subcontracting is carried out in compliance<br />
with the provisions of the applicable legislation and, in particular, with the<br />
provisions of the Personal Data Protection regulations.<br />
<br />
<br />
In the event that authorized subcontractors have access to personal data<br />
under the responsibility of CARREFOUR, they will act as sub-processors,<br />
and the following will apply:<br />
<br />
• The CARRIER will notify CARREFOUR of the identity of the sub-processor before<br />
proceeding with the subcontracting;<br />
• The processing of data by the sub-processor must comply with<br />
CARREFOUR's instructions; and<br />
• The CARRIER and the sub-processor will sign a contract/clause in<br />
accordance with the provisions of the Data Protection regulations.<br />
<br />
The CARRIER will notify CARREFOUR of the execution of this contract with the<br />
sub-processor and will provide it with a copy if so requested..."<br />
<br />
EW states that between FOURTH PARTY LOGISTICS SL and THE BEE LOGISTICS SL<br />
there is a verbal service contract, but this is not accredited.<br />
<br />
It is evident that between ENVIALIA WORLD SL, FOURTH PARTY SERVICES SL and<br />
FOURTH PARTY LOGISTICS SL there are contractual relationships, although no<br />
documentation thereof has been provided.<br />
<br />
<br />
Consequently, FOURTH PARTY LOGISTICS SL, ENVIALIA WORLD SL, FOURTH<br />
PARTY SERVICES SL and THE BEE LOGISTICS SL would also necessarily have to<br />
process personal data; however, FOURTH PARTY LOGISTICS SL would do so in its<br />
capacity as processor, and ENVIALIA WORLD S.L., FOURTH PARTY SERVICES SL<br />
and THE BEE LOGISTICS SL as its sub-processors.<br />
<br />
Analyzing the relationship between the different participants, it is evident<br />
that the subcontracting does not comply with the data protection regulations<br />
in force, due to the lack of formalization of contracts or legal acts, as well<br />
as the lack of prior authorizations for their formalization.<br />
<br />
<br />
In accordance with the evidence available at the time of this agreement to<br />
initiate the sanctioning procedure, and without prejudice to what results from<br />
the investigation, it is considered that the known facts could constitute an<br />
infringement, attributable to FOURTH PARTY LOGISTICS SL, of articles 28.2 and<br />
28.3 of the GDPR.<br />
<br />
<br />
<br />
IV<br />
Classification of the infringement of article 28.2 of the GDPR<br />
<br />
If confirmed, the aforementioned infringement of article 28.2 of the GDPR could<br />
constitute the infringement typified in article 83.4 of the GDPR, which, under<br />
the heading "General conditions for imposing administrative fines", provides:<br />
<br />
"Infringements of the following provisions shall, in accordance with<br />
paragraph 2, be subject to administrative fines up to EUR 10,000,000 or,<br />
in the case of an undertaking, up to 2% of the total worldwide annual<br />
turnover of the preceding financial year, whichever is higher:<br />
a) the obligations of the controller and the processor pursuant to articles 8,<br />
11, 25 to 39, 42 and 43;<br />
<br />
(…)”<br />
<br />
In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that<br />
infringements are "The acts and conduct referred to in sections 4, 5 and 6 of<br />
article 83 of Regulation (EU) 2016/679, as well as those contrary to this<br />
organic law.”<br />
<br />
For the purposes of the limitation period, article 73 "Infringements considered<br />
serious" of the LOPDGDD indicates:<br />
<br />
"Based on what is established in article 83.4 of Regulation (EU) 2016/679, the<br />
infringements that involve a substantial violation of the articles mentioned<br />
therein are considered serious and will prescribe after two years, and in<br />
particular the following:<br />
(…)<br />
<br />
l) The engagement by a processor of other processors without the prior<br />
authorization of the controller, or without having informed the controller of<br />
the changes produced in the subcontracting when legally required. (…)”.<br />
<br />
V<br />
Penalty for the infringement of article 28.2 of the GDPR<br />
<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its<br />
amount, the sanction to be imposed must be graduated according to the following<br />
criteria established in article 83.2 of the GDPR:<br />
<br />
As aggravating factors:<br />
<br />
<br />
- b) The link between the offender's activity and the performance of processing<br />
of personal data.<br />
<br />
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), which,<br />
with respect to entities whose activity involves continuous processing of<br />
client data, indicates that "...the Supreme Court has understood that there is<br />
recklessness whenever a legal duty of care is neglected, that is, when the<br />
offender does not behave with the required diligence. And in assessing the<br />
degree of diligence, the professionalism or not of the subject must be<br />
specially considered, and there is no doubt that, in the case now examined,<br />
where the activity of the appellant involves constant and abundant handling<br />
of personal data, the rigor and exquisite care in complying with the legal<br />
provisions in this regard must be insisted upon.”<br />
<br />
FOURTH PARTY LOGISTICS SL is a company dedicated to the transport of goods by<br />
rail on normal and narrow gauge track, freight transport by road, other land<br />
transport, international maritime transport of goods (except crude oil and<br />
gases), cabotage and transport on inland waterways (except crude oil and<br />
gases).<br />
<br />
Transport companies handle a very significant amount of data: data of clients,<br />
data relating to their shipments, as well as data of employees and suppliers.<br />
<br />
FOURTH PARTY LOGISTICS SL is registered in the Mercantile Registry of Madrid; it<br />
is a small-sized company whose share capital is in the range of €50,001 to<br />
€100,000, with a number of employees between 11 and 50 and a sales amount of<br />
between €3,000,001 and €50,000,000.<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and<br />
article 76.2 of the LOPDGDD, with respect to the infringement committed by<br />
violating the provisions of article 28.2 of the GDPR, allows initially setting<br />
a sanction of €60,000 (SIXTY THOUSAND EUROS).<br />
<br />
VI<br />
Classification of the infringement of article 28.3 of the GDPR<br />
<br />
<br />
If confirmed, the aforementioned infringement of article 28.3 of the GDPR could<br />
constitute the infringement typified in article 83.4 of the GDPR, which, under<br />
the heading “General conditions for imposing administrative fines”, provides:<br />
<br />
“Infringements of the following provisions shall, in accordance with<br />
paragraph 2, be subject to administrative fines up to EUR 10,000,000 or,<br />
in the case of an undertaking, up to 2% of the total worldwide annual<br />
turnover of the preceding financial year, whichever is higher:<br />
a) the obligations of the controller and the processor pursuant to articles 8,<br />
11, 25 to 39, 42 and 43;<br />
<br />
(…)”<br />
<br />
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that<br />
infringements are “The acts and conduct referred to in sections 4, 5 and 6 of<br />
article 83 of Regulation (EU) 2016/679, as well as those contrary to this<br />
organic law.”<br />
<br />
For the purposes of the limitation period, article 73 “Infringements considered<br />
serious” of the LOPDGDD indicates:<br />
<br />
“Based on what is established in article 83.4 of Regulation (EU) 2016/679, the<br />
infringements that involve a substantial violation of the articles mentioned<br />
therein are considered serious and will prescribe after two years, and in<br />
particular the following:<br />
<br />
(…)<br />
k) Entrusting the processing of data to a third party without the prior<br />
formalization of a contract or other written legal act with the content<br />
required by article 28.3 of Regulation (EU) 2016/679. (…)”.<br />
<br />
VII<br />
Penalty for the infringement of article 28.3 of the GDPR<br />
<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its<br />
amount, the sanction to be imposed must be graduated according to the following<br />
criteria established in article 83.3 of the GDPR:<br />
<br />
<br />
As aggravating factors:<br />
<br />
<br />
- b) The link between the offender's activity and the performance of processing<br />
of personal data.<br />
<br />
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), which,<br />
with respect to entities whose activity involves continuous processing of<br />
client data, indicates that "...the Supreme Court has understood that there is<br />
recklessness whenever a legal duty of care is neglected, that is, when the<br />
offender does not behave with the required diligence. And in assessing the<br />
degree of diligence, the professionalism or otherwise of the subject must be<br />
especially considered, and there is no doubt that, in the case now examined,<br />
where the activity of the appellant involves constant and abundant handling<br />
of personal data, the rigor and exquisite care in complying with the legal<br />
provisions in this regard must be insisted upon.”<br />
<br />
FOURTH PARTY LOGISTICS SL is a company dedicated to the transport of goods by<br />
rail on normal and narrow gauge track, freight transport by road, other land<br />
transport, international maritime transport of goods (except crude oil and<br />
gases), cabotage and transport on inland waterways (except crude oil and<br />
gases).<br />
<br />
Transport companies handle a very significant amount of data: data of clients,<br />
data relating to their shipments, as well as data of employees and suppliers.<br />
<br />
<br />
FOURTH PARTY LOGISTICS SL is registered in the Mercantile Registry of Madrid; it<br />
is a small-sized company whose share capital is in the range of €50,001 to<br />
€100,000, with a number of employees between 11 and 50 and a sales amount of<br />
between €3,000,001 and €50,000,000.<br />
<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and<br />
article 76.2 of the LOPDGDD, with respect to the infringement committed by<br />
violating the provisions of article 28.3 of the GDPR, allows initially setting<br />
a sanction of €60,000 (SIXTY THOUSAND EUROS).<br />
<br />
<br />
VIII<br />
Adoption of measures<br />
<br />
If the infringement is confirmed, the responsible party could be ordered to<br />
adopt appropriate measures to bring its actions into line with the regulations<br />
mentioned in this act, in accordance with the aforementioned article 58.2 d) of<br />
the GDPR, according to which each supervisory authority may “order the<br />
controller or processor to bring processing operations into compliance with<br />
the provisions of this Regulation, where appropriate, in a specified manner and<br />
within a specified period…”. The imposition of this measure is compatible with<br />
the sanction consisting of an administrative fine, as provided in art. 83.2 of<br />
the GDPR.<br />
<br />
It is warned that failure to comply with any order to adopt measures imposed by<br />
this body in the sanctioning resolution may be considered an administrative<br />
infringement in accordance with the provisions of the GDPR, classified as an<br />
infringement in its articles 83.5 and 83.6, and such conduct may give rise to<br />
the opening of a subsequent administrative sanctioning procedure.<br />
<br />
<br />
Therefore, in accordance with the above, the Director of the Spanish Data<br />
Protection Agency<br />
<br />
AGREES:<br />
<br />
<br />
FIRST: TO INITIATE A SANCTIONING PROCEDURE against FOURTH PARTY<br />
LOGISTICS, S.L., with NIF B86496007, for the alleged infringement of articles<br />
28.2 and 28.3 of the GDPR, both typified in article 83.4 a) of the GDPR.<br />
<br />
SECOND: TO APPOINT D.D.D. and, as secretary, E.E.E., indicating that either of<br />
them may be challenged, if applicable, in accordance with articles 23 and 24 of<br />
Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).<br />
<br />
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the<br />
complaint filed by the complaining party and its documentation, as well as the<br />
documents obtained and generated by the General Subdirectorate of Data<br />
Inspection in the actions prior to the start of this sanctioning procedure.<br />
<br />
FOURTH: THAT, for the purposes provided for in article 64.2 b) of Law 39/2015,<br />
of October 1, on the Common Administrative Procedure of Public Administrations<br />
(hereinafter, LPACAP), the sanction that may apply, without prejudice to what<br />
results from the investigation, would be:<br />
<br />
SIXTY THOUSAND EUROS (€60,000) for the alleged infringement of article 28.2<br />
typified in article 83.4 a) GDPR.<br />
<br />
<br />
SIXTY THOUSAND EUROS (€60,000) for the alleged infringement of article 28.3<br />
typified in article 83.4 a) GDPR.<br />
<br />
FIFTH: TO NOTIFY this agreement to FOURTH PARTY LOGISTICS, S.L., with<br />
NIF B86496007, granting a hearing period of ten business days to formulate the<br />
allegations and present the evidence you consider appropriate. In your written<br />
allegations you must provide your NIF and the procedure number that appears at<br />
the top of this document.<br />
<br />
If within the stipulated period you do not make allegations to this initiation<br />
agreement, the agreement may be considered a proposed resolution, as<br />
established in article 64.2.f) of Law 39/2015, of October 1, on the Common<br />
Administrative Procedure of Public Administrations (hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, you may<br />
acknowledge your responsibility within the period granted for the formulation<br />
of allegations to this initiation agreement, which will entail a 20% reduction<br />
in the sanction that may be imposed in this procedure. With the application of<br />
this reduction, the penalty would be set at 96,000.00 euros, and the procedure<br />
would be resolved with the imposition of this sanction.<br />
<br />
<br />
Likewise, at any time prior to the resolution of this procedure, you may make<br />
voluntary payment of the proposed sanction, which will mean a 20% reduction of<br />
its amount. With the application of this reduction, the penalty would be set at<br />
96,000.00 euros and its payment will imply termination of the procedure, without<br />
prejudice to the imposition of the corresponding measures.<br />
<br />
The reduction for voluntary payment of the penalty is cumulative with the one<br />
applicable for acknowledgment of responsibility, provided that this<br />
acknowledgment of responsibility is made within the period granted to formulate<br />
allegations at the opening of the procedure. Voluntary payment of the amount<br />
referred to in the previous paragraph may be made at any time prior to the<br />
resolution. In this case, if both reductions were applied, the amount of the<br />
penalty would be set at 72,000.00 euros.<br />
<br />
<br />
In any case, the effectiveness of either of the two reductions mentioned will<br />
be conditional on the withdrawal or waiver of any administrative action or<br />
appeal against the sanction.<br />
<br />
In the event that you choose to proceed with voluntary payment of either of the<br />
amounts indicated above (96,000.00 euros or 72,000.00 euros), you must do so by<br />
depositing it into IBAN account number ES00-0000-0000-0000-0000-0000<br />
(BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data<br />
Protection Agency at the banking entity CAIXABANK, S.A., indicating in the<br />
payment reference the procedure number that appears in the heading of this<br />
document and the reason for the reduction of the amount applied.<br />
<br />
Likewise, you must send proof of payment to the General Subdirectorate of<br />
Inspection so that the procedure can continue in accordance with the amount<br />
paid.<br />
<br />
<br />
The procedure will have a maximum duration of twelve months from the date of<br />
the initiation agreement. After this period, it will expire and, consequently,<br />
the proceedings will be filed, in accordance with article 64 of the LOPDGDD.<br />
<br />
<br />
Finally, it is noted that, in accordance with article 112.1 of the LPACAP,<br />
there is no administrative appeal against this act.<br />
<br />
<br />
935-290523<br />
Mar España Martí<br />
<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
<br />
>><br />
<br />
<br />
SECOND: On July 3, 2023, the party complained against paid the penalty in the<br />
amount of 72,000 euros, making use of the two reductions provided for in the<br />
initiation Agreement transcribed above, which implies acknowledgment of<br />
responsibility.<br />
<br />
<br />
THIRD: The payment made within the period granted to formulate allegations to<br />
the opening of the procedure entails the waiver of any administrative action or<br />
appeal against the sanction and the acknowledgment of responsibility in relation<br />
to the facts referred to in the initiation Agreement.<br />
<br />
<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants to each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures<br />
processed by the Spanish Data Protection Agency shall be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
issued in its implementation and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on Administrative Procedure<br />
Common for Public Administrations (hereinafter, LPACAP), under the heading<br />
"Termination in disciplinary proceedings" provides the following:<br />
<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his<br />
responsibility, the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and<br />
another of a non-pecuniary nature may be imposed but the second is inapplicable,<br />
voluntary payment by the alleged offender at any time prior to the resolution<br />
will imply the termination of the procedure, except in relation to the restoration<br />
of the altered situation or the determination of compensation for the damages<br />
caused by the commission of the infringement.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the body<br />
competent to resolve the procedure will apply reductions of at least 20% of the<br />
amount of the proposed sanction, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of the initiation<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 15/15<br />
of the procedure, and their effectiveness will be conditioned on the withdrawal of, or<br />
waiver of, any administrative action or appeal against the sanction.<br />
<br />
The reduction percentage provided for in this section may be increased by<br />
regulation."<br />
<br />
<br />
According to what has been stated,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: DECLARE the termination of the procedure EXP202208230, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: NOTIFY this resolution to FOURTH PARTY LOGISTICS, S.L.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative procedure as prescribed by<br />
article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, interested parties may file a contentious-administrative<br />
appeal before the Contentious-Administrative Chamber of the National Court, in<br />
accordance with the provisions of article 25 and section 5 of the fourth additional<br />
provision of Law 29/1998, of July 13, regulating the Contentious-Administrative<br />
Jurisdiction, within two months from the day following the notification of this<br />
act, as provided for in article 46.1 of the said Law.<br />
<br />
<br />
<br />
936-040822<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00281/2022&diff=32924AEPD (Spain) - PS/00281/20222023-05-23T08:59:37Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00281/2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00281-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS/00281/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00281-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=24.03.2021<br />
|Date_Decided=21.04.2023<br />
|Date_Published=21.04.2023<br />
|Year=2023<br />
|Fine=50000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 1 GDPR<br />
|GDPR_Article_Link_1=Article 1 GDPR<br />
|GDPR_Article_2=Article 4(1) GDPR<br />
|GDPR_Article_Link_2=Article 4 GDPR#1<br />
|GDPR_Article_3=Article 4(7) GDPR<br />
|GDPR_Article_Link_3=Article 4 GDPR#7<br />
|GDPR_Article_4=Article 5(1) GDPR<br />
|GDPR_Article_Link_4=Article 5 GDPR#1<br />
|GDPR_Article_5=Article 15(3) GDPR<br />
|GDPR_Article_Link_5=Article 15 GDPR#3<br />
|GDPR_Article_6=Article 15(4) GDPR<br />
|GDPR_Article_Link_6=Article 15 GDPR#4<br />
|GDPR_Article_7=Article 58(2)(c) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#2c<br />
|GDPR_Article_8=Article 83(1) GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR#1<br />
|GDPR_Article_9=Article 83(2) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#2<br />
|GDPR_Article_10=Article 83(5) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#5<br />
|GDPR_Article_11=Article 83(6) GDPR<br />
|GDPR_Article_Link_11=Article 83 GDPR#6<br />
|GDPR_Article_12=<br />
|GDPR_Article_Link_12=<br />
|GDPR_Article_13=<br />
|GDPR_Article_Link_13=<br />
<br />
|EU_Law_Name_1=Article 8(1) European Charter of Human Rights<br />
|EU_Law_Link_1=https://www.echr.coe.int/documents/convention_eng.pdf<br />
|EU_Law_Name_2=Directive 2016/943<br />
|EU_Law_Link_2=<br />
|EU_Law_Name_3=Directive 95/46<br />
|EU_Law_Link_3=<br />
|EU_Law_Name_4=<br />
|EU_Law_Link_4=<br />
|EU_Law_Name_5=<br />
|EU_Law_Link_5=<br />
<br />
|National_Law_Name_1=Article 18(1) Spanish Constitution<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229<br />
|National_Law_Name_2=Article 18(2) Spanish Constitution <br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229<br />
|National_Law_Name_3=Article 71 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 72(1) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 76 LOPDGDD<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_6=Ley 5/2014<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2014-3649<br />
|National_Law_Name_7=<br />
|National_Law_Link_7=<br />
|National_Law_Name_8=<br />
|National_Law_Link_8=<br />
<br />
|Party_Name_1=Securitas Direc España, S.A.<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
The Spanish DPA (AEPD) held that the logging information of a security device linked to a specific individual is personal data and falls within the right of access, even if it is technical data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
A data subject had a contract for security services with the controller. Their house was robbed and the alarm center installed by the company was destroyed, but the data subject was never notified. They made an access request for all the information regarding the security system in their house. However, the controller denied access, since personal data would be disclosed. The data subject complained to the Spanish DPA (AEPD), which confirmed that the company had to give them access to the data. After receiving a file with some logging information, the data subject filed a procedure before the AEPD to guarantee the exercise of their rights, stating that the controller's response was insufficient to fulfil their request. Following another decision from the DPA, the controller sent a second file with more information. Considering this new response, the data subject filed yet another complaint with the DPA, as they considered the information provided by the company useless and incomplete in light of the contractual clauses. The data subject affirmed that the information provided was not understandable and that the response was filled with irrelevant technical data. The response also lacked data that the company should have provided under the contract (e.g., images of possible intruders). The controller, on the other hand, argued that logging information is not personal data of the data subject and therefore should not fall within their right of access.<br />
<br />
=== Holding ===<br />
The DPA relied on the EDPB's new Guidelines 01/2022 on the right of access, reaffirming that personal data can relate to more than one data subject. Since the requested data is fully connected to devices that identify the data subject, all the logging information must be considered personal data and part of the right of access.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: PS/00281/2022<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
<br />
Of the procedure instructed by the Spanish Agency for Data Protection and in<br />
based on the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On 03/23 and 03/24/2021, a claim is received from A.A.A. (hereinafter,<br />
the claimant) against SECURITAS DIREC ESPAÑA, S.A., with NIF A26106013<br />
(hereinafter, the respondent).<br />
<br />
In it, he indicates that in procedure TD/01593/2017 the Agency issued a<br />
resolution as follows: "Securitas must provide the appellant with access to the<br />
information on the servers (...) related to the records and signals sent<br />
by the alarm equipment (...), as well as the existing copies of the records<br />
contained in the internal memory of the alarm between 11/26 and 12/13 of the year<br />
2015". This resolution was appealed by Securitas Direct S.A. and confirmed by the<br />
National Court.<br />
<br />
<br />
That procedure for the exercise of rights arose because the claimant had<br />
previously exercised his right of access before the respondent on 04/07/2017,<br />
"regarding all the information on the Securitas Direct servers relating to the<br />
records and signals sent by the alarm equipment installed in" his property, "as<br />
well as existing copies of the records contained in the internal memory of the<br />
alarm between November 26 and December 18, 2015 (before and after the robbery<br />
there were other security incidents that should also be clarified)", "given that<br />
they unequivocally qualify as personal data". "The information to which access<br />
is requested refers directly or indirectly to events and occurrences (entries,<br />
exits, movements, alarm triggers, activation and deactivation of the alarm by a<br />
certain user, etc.) that took place inside my home, from which acts or behaviours<br />
related to myself, other members of my family or even third parties authorised to<br />
access the home can be inferred, directly or indirectly."<br />
<br />
In relation to this right of access, the defendant responded on 05/11/2017 that<br />
"the records contained in the alarm do not fall into the category of personal<br />
data", according to the copy of document 5 that he provides.<br />
<br />
Not agreeing with the answer given by the security company, the claimant<br />
filed a claim with the Agency on 06/28/2017, in which, among other issues, he<br />
indicates that on the afternoon of 12/4/2015 he discovered, upon entering his home,<br />
that he had suffered a robbery and found "the alarm center" destroyed, without having<br />
been warned, having received only a call from the security company that same<br />
morning in which they indicated that there were connection problems. In the text of<br />
the claim filed with the Agency, the claimant states that the respondent "has<br />
refused to clarify the circumstances of the intrusion into our home or to reveal<br />
the cause of the malfunctioning of the alarm system, assuring that the system<br />
worked correctly", it being the clients who had to telephone the security company<br />
to inform them that the alarm center it had installed had been destroyed by thieves.<br />
<br />
<br />
<br />
The aforementioned claim was resolved on 01/2/2018 in the appeal for reconsideration<br />
in the procedure for the exercise of rights TD/01593/2017, upholding the appeal and<br />
requiring that the right be satisfied within a set period.<br />
<br />
The defendant appealed the resolution before the National Court (AN), which, in the<br />
judgment of its Contentious-Administrative Chamber, first section, of 07/23/2019,<br />
appeal 146/2018, dismissed its claim.<br />
<br />
The judgment of the National Court was appealed before the Supreme Court, the appeal<br />
being admitted for processing on 05/29/2020, appeal 78/2020; however, the<br />
respondent withdrew from it.<br />
<br />
The claimant states in his new claim that he once again requested access on<br />
02/2/2021 and received a response from the defendant dated 02/23/2021, of which<br />
the following is highlighted:<br />
<br />
<br />
1) It responds "in compliance, firstly, with the resolution of the appeal for<br />
reconsideration RR 779/2017 of the AEPD and the judgment of the National Court",<br />
"attaching as document 1" a list of "logs associated with said alarm system that<br />
are personal data".<br />
<br />
Document 1 starts:<br />
<br />
“In order to understand the configuration of the table that we have prepared with the logs<br />
<br />
which are personal data…”, and explains the meanings of the three columns.<br />
<br />
The Excel table of logs provided contains in the first column the date(s) and<br />
time(s) at which the log, or logs, were generated. They are not arranged<br />
chronologically, beginning with 5/12/2015. Only one log appears chronologically<br />
defined between two points in time, 5/12/2015 18:38:10 and 20:15:17. It comprises a<br />
total of 94 lines of logs, plus that of the period, so it is unknown how many<br />
there would be in total.<br />
<br />
The generation date or dates of the logs are correlated or grouped with the<br />
"log name/nomenclature" and with a basic description such as "Signal<br />
information", "CRA Action" (alarm receiving center), or "mandatory tests and<br />
verifications as part of the maintenance of the installation".<br />
<br />
In the last column, "extended description of the log", which according to the<br />
defendant contains a description of the meaning of the log, in some cases the key<br />
N/A appears associated with a nomenclature, for example "CRA action Skip voicemail",<br />
"operator manages to talk to contact", or "the contacts that the Securitas operator<br />
tries to locate do not answer".<br />
<br />
In others, nothing is specified either, for instance: "a message is left on voice mail".<br />
<br />
<br />
Some logs refer to a "contact" without identifying or specifying which contact is<br />
meant, such as "contact does not remember the password to prove identity and close<br />
the incident", "the contacts that the Securitas operator tries to locate do not<br />
answer", or "operator manages to speak with contact".<br />
<br />
It is observed that there are logs that include: "code generated automatically and<br />
randomly by the system for the security guard to deactivate the alarm", with the<br />
name "High priority central", or another log name, "mandatory tests and<br />
verifications as part of the maintenance of the installation", connected with the<br />
extended name "the technician performs regulatory checks to ensure the proper<br />
functioning of the system. At the request of the client he may modify some<br />
parameter of the system itself".<br />
<br />
<br />
The defendant points out that: "To simplify the information there are different dates and<br />
hours associated with a log, and this is because we have grouped the dates and<br />
hours in which they were generated in Mr.'s system.”<br />
<br />
The claimant considers that his request has not been answered satisfactorily, because:<br />
<br />
- Access to the information on the servers has been filtered/reduced by<br />
Securitas to the logs that they consider personal data, something that it is not<br />
for them to do.<br />
<br />
- "The table provided with schematic information does not satisfy the right of<br />
access exercised. For example, on page one, in the nomenclature column "CRA<br />
Action", it states "different generic actions of the Securitas human operator in<br />
the event of a specific incident (e.g. authorisation of speak/listen; calls to the<br />
different listed contacts; internal comments in relation to the information<br />
transmitted to them by contacts)", but without any indication of what kind of<br />
action/information has been registered regarding the incidents listed, which<br />
prevents the applicant for the right of access from understanding and analysing<br />
said logs, which is the ultimate goal of this access request."<br />
<br />
- "Finally, the response from Securitas is non-existent regarding the second part<br />
of the access request contained in the resolution: "existing copies of the records<br />
contained in the internal memory of the alarm", "having not indicated at any time<br />
whether those copies do not exist or whether access is not given because they do<br />
not consider them to be "personal data logs"."<br />
<br />
In submitting the claim, the claimant states that his right has not been<br />
correctly attended to and that the time elapsed is leaving him defenceless.<br />
<br />
<br />
SECOND: The claim gave rise to the AEPD resolving, on 09/17/2021, a procedure for<br />
failure to attend to the exercise of rights (arts. 15 to 22 of the GDPR),<br />
TD/00167/2021, in which, during the transfer of the claim for resolution<br />
(E/4382/2021), the defendant stated on 05/19/2021:<br />
<br />
- "The claimant of the right of access did not at any time after the judgment<br />
became final request its execution or that of the resolution of the Agency that<br />
was appealed therein."<br />
<br />
It confirms receipt of the claimant's letter requesting the exercise of the right of<br />
access, to which it "responded, with receipt on 03/03/2021".<br />
<br />
<br />
- It considers that not all the logs that record the signals of the alarm equipment,<br />
or the contents of its internal memory, can be considered to contain personal<br />
data, and that this was inferred from the wording of the judgment: "Among the<br />
information on the servers..., there are indeed personal data of the owner of the<br />
contracted alarm". For this reason, in 2020 it commissioned a report from a law<br />
firm that established this, in order to differentiate them, which it does not<br />
provide but "makes available to the AEPD".<br />
<br />
It indicates that, as a result of this exercise and this report, it currently has<br />
a "management protocol".<br />
<br />
<br />
It explains its position based on said report, which is summarised below.<br />
<br />
Based on the legal concept of personal data, in order to determine whether the<br />
information has the status of personal data because it relates to an identified or<br />
identifiable natural person, it will be necessary to analyse the effect that the<br />
information produces on that person.<br />
<br />
"Regarding its content, the information must involve an attribute of any kind<br />
directly predicable of the data subject in question, there being a direct<br />
relationship between attribute and person.<br />
<br />
Regarding its purpose, the processing of the information must have as its purpose<br />
knowledge of the aforementioned attribute of that person.<br />
<br />
As for its effects, the information must refer to aspects that affect the data<br />
subject as a consequence of the aforementioned attribute."<br />
<br />
In explaining what personal data is, it is defined as "all information about a<br />
natural person", starting from when it refers to that person, "and consequently,<br />
where the information provided is not derived from or linked directly to the<br />
natural person but to objects that belong to him or are under his control, the<br />
information can only indirectly be considered to refer to that person, and only<br />
provided that it allows data to be inferred referring to that natural person and<br />
not to the object itself. Therefore, information about an object will only be<br />
considered personal data when a connection or link is established between the<br />
object and the affected party such that it generates information about said person".<br />
<br />
The defendant has differentiated two categories into which the different logs<br />
fall.<br />
<br />
In the first category would be the logs that it considers do not involve<br />
processing of personal data, which would be those in which:<br />
<br />
"- information about a data subject that individualises him from the rest of the<br />
population is not collected through said logs,<br />
<br />
- knowledge of said information is not sought in order to analyse or influence<br />
behaviour, and<br />
<br />
- his rights and freedoms are not affected."<br />
<br />
<br />
It lists the categories of logs that would fall into this scenario:<br />
<br />
1) "Emission of signals of a purely technical nature for communication between<br />
devices as part of the protocol for verifying their correct functioning or to<br />
register a technical failure.<br />
<br />
2) Recording of informative signals relating to, among others, the version of the<br />
system or the model or category of the installed device.<br />
<br />
3) Descriptive record of internal and technical procedures in response to a<br />
specific event.<br />
<br />
4) Recording of technical signals relating to device configurations that do not<br />
provide information about the data subject or his habits but simply reflect<br />
calibrations of the Securitas systems for their correct functioning.<br />
<br />
5) Statistical information about the devices."<br />
<br />
<br />
<br />
It also argues that "said logs" could contain information on the defendant's<br />
internal technical processes whose disclosure to third parties could imply the<br />
dissemination of trade secrets. To this end, it cites recital 63 of the GDPR as<br />
legitimising "discriminating the information that can be provided to the person<br />
who exercises the access".<br />
<br />
In a second category would be the logs that it does consider to involve<br />
processing of personal data, to the extent that:<br />
<br />
- "They collect information about a data subject and his intrinsic characteristics,<br />
<br />
- knowledge of said information is sought in order to analyse him or influence his<br />
behaviour,<br />
<br />
- his rights and freedoms are affected."<br />
<br />
It adds, or specifies, that "not all logs in this category would imply the<br />
processing of personal data of the contract holders", but rather "could imply the<br />
processing of personal data of third parties". "In this category would be included<br />
the following logs:"<br />
<br />
1) "Processes carried out by Securitas operators or technicians, which may<br />
occasionally be considered personal data of a third party other than the client of<br />
Securitas."<br />
<br />
2) "The active interactions of the user himself, or of third parties, with the<br />
physical systems or through the mobile application."<br />
<br />
3) "Passive interactions of the user or of third parties that may provide<br />
information in relation to their way of acting at a given moment or their<br />
availability in the face of an event."<br />
<br />
4) "Records of identifiers of the data subjects that are contained in the logs,<br />
such as first and last name or email addresses."<br />
<br />
5) "Images or data in connection with an intrusion or sabotage. In this sense, it<br />
must be noted that if the intruder is captured by the security camera, to the<br />
extent that said person is identifiable as a result of the image obtained, we<br />
would be dealing with personal data of that person."<br />
<br />
6) "Keystrokes entering codes that determine a particular situation of the data<br />
subject."<br />
<br />
7) "Configurations of the user himself that reveal knowledge of his tastes or<br />
behaviour patterns."<br />
<br />
<br />
<br />
It states that the access response provided to the claimant contained the logs<br />
that are personal data affecting the client, "excluding the technical ones or<br />
those that affect third parties".<br />
<br />
- They add that they sent an email to the claimant on 05/18/2021, providing a copy<br />
as document 4, in which they refer to what was already sent on 02/26/2021 and<br />
received by the claimant on 03/03/2021.<br />
<br />
- They state that the causes of the original incident giving rise to the claim<br />
are due to the fact that "not all the logs generated by an alarm system are<br />
personal data".<br />
<br />
- On 06/07/2021, the Director of the AEPD agreed to "the admission for<br />
processing, and the initiation of a procedure for the exercise of the rights of<br />
articles 15 to 22 GDPR", procedure TD/00167/2021.<br />
<br />
- Within said procedure, the defendant (...) states:<br />
<br />
<br />
<br />
a) In relation to the content of the "internal memory of the alarm installed at the<br />
claimant's address", this generated logs until 11/27/2021, 20:09, the time and date<br />
at which the intrusion into the home occurred - as is already known - during which<br />
said alarm system was completely disabled. From that date on, it could not<br />
generate any more logs of any kind. Therefore, in the time frame between 11/26 and<br />
12/18/2015, the internal memory could only generate logs on 11/26 and 11/27/2015,<br />
and after analysis of the logs generated in the internal memory of the alarm, there<br />
was only one log generated in that time frame, which was included in the response<br />
given to the claimant on 02/23/2021. They provide document 1, which is the table<br />
with the columns of the access response that was given to the claimant on that<br />
date, in which that log appears highlighted in fluorescent green, and in which the<br />
following can be read:<br />
<br />
"11/27/2015 20:09:47/HIGH PRIORITY CENTRAL CENTER/Code generated automatically and<br />
randomly by the system for the security guard to deactivate the alarm".<br />
<br />
They consider that they have complied with the right of access.<br />
<br />
Within the processing of TD/00167/2021, on 06/23/2021, the claimant was sent a<br />
copy of the response given by the defendant, and on 07/16/2021 the claimant<br />
stated:<br />
<br />
- On the one hand, the information must be provided in a transparent and<br />
intelligible manner. "The incomplete list of logs provided by Securitas Direct does<br />
not allow this party to understand in a transparent and intelligible manner the<br />
information contained in its servers regarding the operation of the alarm system<br />
existing in my home".<br />
<br />
On the other hand, he indicates that what the defendant has done is to prepare a<br />
list of logs filtered by the contracted law firm, differentiating those that may<br />
be considered to contain personal data from those that do not. He adds that it is<br />
not for the respondent to make this differentiation and states that "the National<br />
Court considered that all the logs are personal data", from which he deduces that<br />
access has been incomplete.<br />
<br />
<br />
- He considers that the obligation is not fulfilled by giving access to the logs,<br />
but to "the information contained in the servers relating to the records and<br />
signals of the alarm equipment installed in his property". He would consider the<br />
resolution fulfilled when "access has been given to all existing information on<br />
the servers in relation to the operation of the alarm installed in my home". "The<br />
information held on the servers in relation to the operation of the alarm<br />
installed in my home goes far beyond the logs to which Securitas Direct intends to<br />
limit the right of access, and includes any information in the form of text,<br />
images, alphanumeric data, etc. existing on its servers that is related to the<br />
records and signals of the alarm installed in my home."<br />
<br />
<br />
- He considers that the defendant's refusal to provide access to the information<br />
held on its servers may be due to the fact that it intends to evade its own<br />
responsibilities in relation to the damage caused in this robbery and to "delay<br />
and make as difficult as possible a proper investigation of the reasons for the<br />
poor functioning of the alarm system installed in my home".<br />
<br />
<br />
- Regarding the response given on the log of the internal memory of the alarm, he<br />
considers implausible the assertion that the alarm center generated logs up to<br />
20:09 on 11/27/2015, when the intrusion occurred and said system was disabled,<br />
since that supposed intrusion actually refers to the triggering of the perimeter<br />
detector of the garage door, a room that is physically separate from the home and<br />
was not affected by the theft, and he estimates that the intrusion into the home<br />
occurred on a date after 11/27, since "if the alarm center was" destroyed,<br />
Securitas could hardly have disconnected it remotely.<br />
<br />
He emphasises that the request for access to the records contained in the memory<br />
refers to both "the destroyed alarm center and the one that was installed in my<br />
home on 12/5/2015 and that continued generating signals and records".<br />
<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 8/102<br />
<br />
On 09/17/2021, the procedure for the exercise of rights was resolved,<br />
upholding the claim and granting a period in which to comply with the right. The<br />
resolution was appealed for reconsideration on 10/18/2021; the appeal was dismissed<br />
on 10/27/2021, and the defendant was notified electronically on 10/28/2021.<br />
<br />
<br />
It is worth highlighting that the defendant, as appellant, stated:<br />
<br />
- The resolution of the procedure for the exercise of rights orders that the right be addressed,<br />
but it does not determine which information should be considered personal data, nor does it<br />
give reasons for its conclusion. Nor does it establish "that<br />
all the logs generated by the installed alarm system effectively<br />
have the consideration of personal data". It only details what the<br />
claimant stated, that "it does not meet all of what was requested, specifying the reason", "without<br />
determining whether that totality would incorporate information that has nothing to do with the<br />
data protection regulations".<br />
<br />
<br />
"Nor is it true, as the claimant asserts, that the judgment of the Audiencia Nacional (SAN) of 07/23/2019<br />
indicates that all the information or all the logs generated by the alarm system<br />
have to be considered personal data", since the judgment, in its fourth<br />
legal ground, indicates that "within the logs there are personal data", which<br />
allows one to conclude that "not all of them should be considered as such". It considers<br />
that "it is not possible to exercise the right of access to personal data with respect to<br />
information that at no time can be considered personal data", and adds<br />
that, since the AEPD in the various resolutions issued in this case has not defined which<br />
information contains data that must be subject to the data protection<br />
regulations, "it is evident that" the defendant can define which information has the<br />
"mentioned character".<br />
<br />
"Neither the judgment of the AN nor the resolution have defined which information contains<br />
data that should be considered subject to the data protection regulations", so<br />
it will be the defendant who has to delimit it.<br />
<br />
<br />
It reproduces part of Opinion 4/2007 on the concept of personal data, adopted<br />
on 06/20/2007, WP 136:<br />
<br />
"Sometimes, the information conveyed by the data concerns not so much<br />
persons as objects. These objects usually belong to someone, or may be<br />
under the influence of or exert influence over a person, or may have<br />
a certain physical or geographical proximity to persons or other objects. In those<br />
cases, only indirectly can the information be considered to relate to those<br />
persons or objects.<br />
<br />
A similar analysis can be applied when the data refer in the first instance to<br />
processes or events, such as the operation of a machine where<br />
human intervention is required. Under certain circumstances, this information<br />
can also be considered information 'about' a person."<br />
<br />
<br />
It expresses its disagreement with the content of the resolution, which states: "since the<br />
claimant is the holder of the alarm contract, the data protection regulations<br />
are applicable regarding the right of access to the logs on the<br />
operation of the alarm installed on his property".<br />
<br />
"In addition to recitals 26 to 28 for the conceptualization of personal data,<br />
not only does information that allows the identification of the<br />
data subject have this condition, but also that which allows their singling out.<br />
<br />
For these purposes, the explanatory report of Protocol 223 of the Council of Europe of<br />
10/10/2018 (amending Convention 108) seeks to clarify the content of individualization or singling out in<br />
these terms:<br />
<br />
"This individualization could be done, for example, by referring to him or her<br />
specifically, or to a device or a combination of devices (computer,<br />
mobile phone, camera, gaming devices etc.) on the basis of an identification<br />
number, a pseudonym, biometric or genetic data, location data,<br />
an IP address or other identifier. The use of a pseudonym or any<br />
digital identifier/digital identity does not give rise to the anonymization of the data, since<br />
the data subject can still be identifiable or individualized. Therefore,<br />
pseudonymous data should be considered personal data and are covered by the<br />
provisions of the Convention."<br />
<br />
<br />
"The defendant considers that the information included in the alarm system may not<br />
refer to a data subject, nor to their characteristics, attributes or behaviors, nor even<br />
less affect them in any other way or allow the inference of information regarding<br />
them. Indeed, in general, these logs would consist of information that<br />
refers only to merely operational and technical communication between data systems,<br />
which has nothing to do with a data subject nor is linked to one in<br />
any way, and only some of these logs could allow obtaining<br />
information about the natural person who owns the alarm". It gives three examples<br />
from the five cases in which, in its report, it considered there to be "no personal<br />
data", specifically:<br />
<br />
<br />
In 1), "the battery level of the device, disconnection from the network, inhibition, etc."<br />
It concerned the "Issuance of signals of a purely technical communication nature<br />
between the devices as part of the verification protocol of their correct<br />
operation or to record a technical failure".<br />
<br />
In 3), "waiting times processed before an event, collection and description<br />
of the event, capture process and making available to the operators the<br />
images or sounds, modification of internal parameters, transfer of the event to an<br />
operator etc." It referred to a "Descriptive record of internal and technical<br />
procedures in response to a specific event".<br />
<br />
In 5), "number of photos captured, activated devices, quality of the responses<br />
of the devices, number of disconnections, etc." It meant "Statistical information<br />
about devices".<br />
<br />
<br />
It also gives examples of what it previously classified as "personal<br />
data", such as:<br />
<br />
In 1), "Securitas Direct personnel whose activity is registered in the<br />
logs themselves". It referred to: "Processes carried out by operators or technicians of<br />
Securitas, which can sometimes be considered personal data of a third party<br />
other than the Securitas client".<br />
<br />
In 3), "the Securitas Direct operator initiates a call and it is answered, or not,<br />
by the user, the security code is requested and the user enters it<br />
correctly or not, no movements are recorded for a certain period of time<br />
in the monitored area, etc." It referred to: "Passive interactions of the<br />
user or third parties that may provide information about their way<br />
of acting at a certain moment or their availability in the face of an event".<br />
<br />
In 6), "panic button or entry of the alarm deactivation code under<br />
duress", it referred to: "Images or data in connection with an intrusion or sabotage. In<br />
this sense, it must be noted that if the intruder is captured by the security<br />
camera, to the extent that said person is identifiable from the image<br />
obtained, we would be dealing with personal data of that person."<br />
<br />
In point 76, "the different (...)s that he uses, times of said (...)s, personal<br />
configurations of device volume, language, parameters selected<br />
for air quality or designation of names of users and zones, etc.", which<br />
it relates to: "Settings of the user himself that reveal a knowledge of<br />
their tastes or behavior patterns".<br />
<br />
If access were given to all generated logs, anyone would have the right to<br />
that type of access by the mere fact of having contracted the installation of an<br />
alarm, with internal technical operations becoming "publicly accessible" that are<br />
unrelated to a person and that reveal substantial information about the effectiveness and<br />
operation of the commercialized systems, which could violate Law 1/2019 of 02/20<br />
on Business Secrets; it relates this to recital 63 of the GDPR."<br />
<br />
<br />
Regarding the claimant's statement that it is not possible to understand the logs (action<br />
CRA...), it points out that the format for satisfying the right of access had to comply<br />
with the provisions of article 12 of the GDPR, "in a concise, transparent,<br />
intelligible and easily accessible form, using clear and plain language", and that "the information<br />
is listed in the table attached to the brief of 02/23/2021", and that "even those<br />
data are registered in a technical way that is hardly intelligible for anyone not<br />
well versed in the terminology of alarm systems, and even in Securitas' own<br />
internal terminology, so that reading them would not reveal the information that was<br />
incorporated into the form sent to the data subject". It states that it "carried out an<br />
adaptation of the logs to clear and plain language in order to address the right". It indicates<br />
that it has no objection to delivering the information in "lines of code format",<br />
although that would satisfy the right to a lesser extent than<br />
required by the GDPR.<br />
<br />
THIRD: On 11/4/2021, the claimant submits a document in which<br />
states that the provisions of resolution TD/00167/2021 are still not being complied with.<br />
<br />
On 12/2/2021, the AEPD sent a letter to the defendant, reiterating the request for<br />
compliance with the resolution, granting a period and warning of the consequences of<br />
non-compliance.<br />
<br />
<br />
On 12/21/2021, the defendant submits a document in which it states that it is "satisfying<br />
compliance with the resolution" and provides a copy of the letter of 12/14/2021 and the documents<br />
sent to the claimant. It states: "An exhaustive job has been carried out again<br />
to provide D. xxx with all records and signals sent by the<br />
alarm equipment that could be linked to his actions, behavior or<br />
characteristics, excluding information that is not considered<br />
personal data as it is exclusively technical information that also<br />
affects the legitimate interest of Securitas Direct in the confidentiality of its business<br />
secrets."<br />
<br />
In relation to the records contained in the internal memory of the alarm between<br />
November 26 and December 18, 2015, "the (micro card or chip) of the<br />
Securitas Direct alarm systems records and stores information<br />
from events with a technical origin and from events originating in the<br />
interaction of the devices installed in customers' homes. In the case of the<br />
equipment installed for D. xxx, the records of the internal memory reach up to the moment<br />
in which it was rendered useless, and all records collected prior to that<br />
moment are events of a technical nature, so it is not personal information."<br />
<br />
It attaches the records in "excel" sheets with the logs ordered chronologically by date<br />
and time, and further informative columns such as "event", "event (...)", "Zone", "***COLUMN.3",<br />
"***COLUMN.4", "***COLUMN.1", "area", "time of (...)", to name only a few.<br />
<br />
The description column contains short descriptive terms that are not commonly<br />
understandable, for example EVENT, a word whose specific meaning is not understandable,<br />
the same as in "event (...)", and in general in all columns.<br />
<br />
According to the defendant, it is the "literal transcription, in the format in which it is held in the<br />
SD systems, of the records and signals sent by the alarm equipment."<br />
<br />
FOURTH: On 05/07/2022, the claimant submits a document in which he states<br />
that the defendant's response persists in classifying the logs into those that are<br />
personal data and those that are not, when that is not appropriate, reiterating that the matter has already been<br />
ruled on by the AN. He points out that the right has continued to be ignored for years, going back<br />
to the origins of the judgment of the AN. The table is unintelligible, the wording of the<br />
description is imprecise, the print is very small, and most of the logs correspond to<br />
the technical intervention to replace the destroyed alarm the day after the theft,<br />
12/5/2015, and are therefore "completely useless and irrelevant". "They continue without<br />
providing the information that motivates the exercise of the right of access, which is<br />
none other than clarifying the circumstances of the robbery in my home and settling possible<br />
responsibilities", and "I need to know what happened with the alarm".<br />
<br />
He requests "that the forced execution of its resolution be agreed...", without prejudice to the<br />
"opening of a disciplinary procedure".<br />
<br />
<br />
FIFTH: On 06/8/2022, the Director of the AEPD agreed:<br />
<br />
"INITIATE SANCTION PROCEDURE against SECURITAS DIRECT ESPAÑA, S.A.,<br />
with NIF A26106013, for the violation of article 58.2 c) of the GDPR, typified in art.<br />
83.6 of the aforementioned GDPR and 72.1.m) of the LOPDGDD.”<br />
<br />
<br />
"For the purposes specified in art. 64.2 b) of Law 39/2015, of 10/1, on the Common<br />
Administrative Procedure of Public Administrations (hereinafter LPACAP), the<br />
sanction that could correspond would be 50,000 euros, without prejudice to what<br />
results from the investigation."<br />
<br />
<br />
Said initiation agreement was duly notified, granting the defendant a period<br />
in which to make allegations.<br />
<br />
SIXTH: On 07/06/2022, the defendant made the following allegations:<br />
<br />
1) It reiterates that during 2020 it commissioned a law firm to prepare a<br />
report, of which it provides a copy as DOCUMENT 1 (signature date 01/29/2021) (already<br />
mentioned earlier in the response to the transfer of the claim of 05/19/2021,<br />
content supra regarding TD/00167/2021), on the "application of the concept of<br />
personal data to the signals or logs generated by the alarm systems", with the<br />
object of determining whether all or part of them have the status of personal data for the<br />
purposes of the application of the substantive regulations, and secondarily as a<br />
<br />
2) Document that for the future allows the requests for the exercise of<br />
rights to be attended to.<br />
<br />
The report bears "confidential" on its cover; it is not known whether that<br />
extends to all of its content.<br />
<br />
The report, based on the historical definitions in personal data legislation,<br />
considers that the GDPR introduces an extensive concept, considering that "not only<br />
the information that allows the identification of the data subject will have this condition, but<br />
also that which allows their 'singling out', even when it is not possible to know<br />
directly or indirectly the person to whom the data refer".<br />
<br />
It alludes to Convention 108 of the Council of Europe, of 01/28/1981, for the protection of<br />
individuals with regard to automatic processing of personal data, in<br />
the wording resulting from the reform made by Protocol 223 of the Council of<br />
Europe, of October 10, 2018 (hereinafter, by its commonly<br />
accepted name, "Convention 108+"), which establishes in its article 2 a) that for the purposes of the<br />
Convention, personal data means "any information relating to an identified<br />
or identifiable individual", and in relation to the concept of identifiable person,<br />
following the same line established in recital 26 of the GDPR, paragraph 18<br />
of its explanatory report indicates: "The notion of 'identifiable' refers not only to<br />
the person's civil or legal identity as such, but also to what may allow to<br />
'individualise' or single out (and thereby allow to treat differently) one<br />
person from others. This 'individualisation' could be done, for instance, by<br />
referring to him or her specifically, or to a device or a combination of<br />
devices (computer, mobile phone, camera, gaming devices, etc.) on the<br />
basis of an identification number, a pseudonym, biometric or genetic data,<br />
location data, an IP address or other identifier. The use of a pseudonym or of<br />
any digital identifier/digital identity does not give rise to the anonymisation of the<br />
data, since the data subject can still be identifiable or individualised. Therefore,<br />
pseudonymous data should be considered personal data and are covered by the<br />
provisions of the Convention. The quality of the pseudonymisation techniques applied<br />
should be duly taken into account when assessing the adequacy of the safeguards<br />
implemented to mitigate risks to data subjects."<br />
<br />
It follows that said concept is characterized by the necessary concurrence of<br />
four essential elements:<br />
<br />
- Personal data is, in any case, information.<br />
<br />
- This information must refer to a certain person, since it must be about<br />
that person.<br />
<br />
- The person to whom the information refers must be a natural person; legal persons<br />
or entities without legal personality are excluded from the concept of personal data.<br />
<br />
- The person must be identified or identifiable in the broad sense established by<br />
recital 26 of the GDPR and paragraph 18 of the explanatory report of Convention 108+, which set out the<br />
concepts of "identifying" and identifiability, singling out and individualization."<br />
<br />
It mentions various case law from the most noteworthy cases on the concept of<br />
personal data in the European Union.<br />
<br />
It considers that in order to determine, in accordance with the case law of the CJEU, whether<br />
information has the status of personal data because it refers to (or deals with) an<br />
identified or identifiable natural person, it will be necessary to analyze the effect that the<br />
information produces on that person:<br />
<br />
Regarding its content, that is, the information must embody an attribute, of<br />
any kind, predicable directly of the data subject in question, there being a<br />
direct relationship between said attribute and said person. In this way, the information<br />
must appear linked to the data subject, excluding from the concept of personal data<br />
that information which is not linked to a characteristic or activity of the former.<br />
<br />
Regarding its purpose, that is, the processing of the information must have as its<br />
object the knowledge of the aforementioned attribute predicable directly of that<br />
person, the purpose of the processing being linked to the analysis of said attribute.<br />
<br />
Regarding its effects, that is, the information must refer to aspects that<br />
affect the data subject precisely as a consequence of the aforementioned attribute. These<br />
effects may vary in their intensity (e.g. from the mere fact of<br />
contacting them to the carrying out of profiling and the taking of decisions that<br />
significantly affect them)."<br />
<br />
It also analyzes several judgments handed down in Spain on the concept and scope<br />
of personal data, and the analysis of the concept of personal data in Opinion 4/2007<br />
<br />
on the concept of personal data, adopted by the Article 29 Working Party (WP29) (document WP136, of<br />
06/20/2007).<br />
<br />
<br />
The Opinion states: "data relate to a person if they refer to their<br />
identity, characteristics or behaviour, or if that information is used to<br />
determine or influence the way in which that person is treated or evaluated".<br />
<br />
"A consequence of the foregoing is that when the information<br />
provided does not derive from or is not directly linked to the natural person but to objects<br />
that belong to or are under the influence of that person, the information can only indirectly be<br />
considered to relate to that person, and only provided that it allows inferring<br />
data relating to that natural person and not to the object itself." It cites example 5, "value of<br />
a house", which refers to the application of the data protection regulations depending on the<br />
use of that information.<br />
<br />
<br />
"The value of a house is information about an object. Clearly, the data protection<br />
rules will not apply when that information is used<br />
solely to illustrate the level of housing prices in a certain area.<br />
However, under certain circumstances, that information must also be<br />
considered as personal data. In effect, the house is an asset of its<br />
owner and, as such, will be taken into account, for example, when calculating the<br />
taxes to be paid by that person. In this context, it is unquestionable that such<br />
information should be considered as personal data".<br />
<br />
"The Working Party has previously addressed the question of when<br />
information can be considered to be 'about' a person. Within the framework of its<br />
discussions on the data protection issues raised by RFID tags,<br />
the Working Party noted that 'data relates to an individual if it<br />
refers to the identity, characteristics or behaviour of an individual or if such<br />
information is used to determine or influence the way in which that person is treated or<br />
evaluated'. Taking into account the cases mentioned above, and following the<br />
same line of reasoning, it could be affirmed that in order to consider that data<br />
'relate' to an individual, a 'content' element or a 'purpose' element or a<br />
'result' element should be present.<br />
<br />
The 'content' element is present in those cases where - in accordance with the<br />
most obvious and common understanding in a society of the word 'about' - information is<br />
given about a particular person, regardless of<br />
any purpose on the side of the data controller or of<br />
a third party, or of the impact of that information on the data subject. Information<br />
'relates' to a person when it is 'about' that person, and this has to be<br />
assessed in the light of all the circumstances surrounding the case. For<br />
example, the results of a medical analysis clearly relate to the patient, or the<br />
information contained in a company's file under the name of<br />
a certain client clearly relates to him. In the same way, the information<br />
contained in an RFID tag or a barcode embedded in the identity document<br />
of a certain person relates to that person, as in the<br />
future passports that will incorporate an RFID chip.<br />
<br />
The presence of a 'purpose' element may also be what determines that<br />
information is 'about' a certain person. It can be considered that a<br />
'purpose' element exists when the data are used or are likely to be used,<br />
taking into account all the circumstances surrounding the specific case, with the<br />
purpose of evaluating, treating in a certain way or influencing the status or<br />
behaviour of an individual."<br />
<br />
Based on this, the defendant considers that "in order to consider that" information<br />
is "about" a person, at least one of the following three<br />
assumptions or circumstances must be present:<br />
<br />
1. "Content": that is, that the information refers directly to a specific<br />
natural person. If this circumstance occurs, the purpose of the<br />
controller or of a third-party recipient of the information, or the<br />
impact that the processing of this information will have on the data subject, is irrelevant.<br />
<br />
2. "Purpose": the information collected, although it does not refer directly to a<br />
natural person, is used or is likely to be used for the purpose of evaluating, treating<br />
in a certain way or influencing a person's situation or behaviour.<br />
<br />
3. "Result": even assuming that none of the above situations occurs,<br />
information will be "about" a person when its use has repercussions on<br />
the rights and interests of that person, who may be treated differently from<br />
other people as a result of the processing of such information."<br />
<br />
<br />
The defendant states that:<br />
<br />
- "Therefore, information about an object will only be considered<br />
personal data when a connection or link is established between the object and the<br />
data subject (particularly, but not necessarily, its owner) in order to<br />
generate information about said person or to prompt an action on their part."<br />
<br />
The defendant states: "Once the concept of personal data has been analyzed from the<br />
legal, doctrinal and case-law perspectives, it is now necessary to analyze the application<br />
of that concept to the logs generated by the alarm systems of<br />
Securitas Direct, in order to determine which of them will have the status of 'personal<br />
data', with the consequent application to them of the data protection<br />
regulations."<br />
<br />
"To carry out the analysis and qualification of the logs provided by Securitas Direct<br />
as personal data, the following aspects have been taken into consideration:<br />
<br />
a. It must be information, in any known format or form, that<br />
effectively implies the actual existence of data.<br />
<br />
b. Said information must refer to a specific natural person, so the<br />
information contained in the logs must, at least, fall within one of the<br />
following situations:<br />
<br />
- It is directly linked to a specific individual, in such a way that it<br />
provides direct information about their way of acting, their mental or physical<br />
characteristics, their preferences, their abilities or any other pattern of behavior that<br />
can be directly attributed to them; or<br />
<br />
- It can be used to evaluate or influence a specific individual in any way<br />
or in their conduct; or<br />
<br />
- It can directly affect the rights and interests of a specific<br />
individual.<br />
<br />
- "The information included in an alarm system may not refer to a data subject,<br />
nor to their characteristics, attributes or behaviors, nor even less affect them in<br />
any other way or allow the inference of information related to them. In<br />
effect, in general, the aforementioned logs will consist of information that<br />
refers only to merely operational and technical communication between data systems,<br />
which has nothing to do with a data subject nor is linked to one in any<br />
way, and only some of these logs could allow information to be obtained<br />
about the natural person who owns the alarm."<br />
<br />
<br />
Based on these elements, two fundamental categories have been differentiated into<br />
which the various logs provided by Securitas Direct could fall:<br />
<br />
a. "Logs that do not imply processing of personal data". It reiterates the reasons and the<br />
categories that it set out on 05/19/2021.<br />
<br />
- It provides the differentiation in the same document 1:<br />
<br />
An Annex I, which includes the specific "study" of the different logs that the Securitas<br />
security systems generated in connection with the provision of its services to the claimant. Said<br />
Annex I contains, in turn, two different tables, grouping those log lines<br />
belonging to the claimant not considered personal data (table I) (p. 23 to<br />
30/105) and those that would have that consideration in view of the analysis<br />
carried out throughout the Report (table II) (p. 30/105).<br />
<br />
In Annex II, the "general analysis, without specific application to a particular data<br />
subject", of the consideration as personal data of the generic log lines that<br />
can normally be used in Securitas Direct systems during the<br />
development of its activity is attached."<br />
<br />
- Regarding Annex I, "given the amount of information provided in relation<br />
to the logs", they have been identified (both for table I and table II) by means of<br />
three columns:<br />
<br />
1. In the first, "date of the log line", the "specific dates and times<br />
of appearance". It is noted that various dates and times may be grouped.<br />
<br />
2. In the second, the "name of the information" is included.<br />
<br />
3. The next is the "extended description", "made up of both the information provided<br />
by Securitas Direct during the various meetings held, as well as the<br />
documents and tables received and the rest of the explanatory columns that are contained<br />
in the log itself."<br />
<br />
The defendant continues: "Next, the" assessment of the<br />
personal-data character of each of the logs" is carried out by including two<br />
additional columns:<br />
<br />
b. "In the fourth column, it is assessed whether the information contained in the<br />
particular log line allows Securitas Direct to collect information about the Claimant or<br />
a third party, or to analyze and cause an impact on their behavior", under the heading:<br />
"Linking, directly or through inference, to the conduct or information<br />
of a natural person".<br />
<br />
It is observed that they contain terms such as operator, client, authorized user,<br />
contacts designated by the latter, and data subject requesting the right.<br />
<br />
c. The last column specifies whether the log line can be considered, based on<br />
everything indicated, as personal data or not, with the literal "Is it considered personal data?"<br />
reading "No" in all those of table I, while in table II, under "Is it considered personal<br />
data?", the answer is "Yes", and a column is added: "Is it likely to be provided<br />
in response to the exercise of the right of access by the data subject?", which in some<br />
cases reads "yes" and in others carries different annotations, since "lines of<br />
log that could be considered personal data but refer to third-party<br />
data subjects other than the Complainant himself and, it should be remembered, the access request<br />
exclusively allows the Claimant to have access to the personal data that<br />
Securitas processes about his person and not those about other natural persons."<br />
<br />
In table I, "Information not considered personal data in relation to the request for<br />
access analyzed" (pp. 23 to 30), the following stand out:<br />
<br />
- In three descriptors, "Linking directly or through inference, to conduct or<br />
information of a natural person" reads: "There is no direct link with information of the<br />
interested party to the extent that these are periodic machine-to-machine device status<br />
checks", all with "extended description: Signals sent by the alarm that correspond to the<br />
state of operation of the devices", which correspond to "name of the information":<br />
in one case "Superv Photo PIR RADIO, RADIO REPEATER, RADIO VOLUMETRIC",<br />
in the others "radio repeater superv" and "radio volumetric superv".<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "There is no direct link with information of the interested party to the extent<br />
that this log line does not collect information about the data subject, nor is it intended<br />
to analyze or impact his behavior; it simply allows an internal Securitas Direct process<br />
in relation to an initial alarm signal", and in "extended description": "Before the<br />
initial alarm signal, a time margin is given in case it is a mistake or forgetfulness<br />
on the part of the user in not deactivating the alarm.", "name of the information: trust<br />
wait 35 seconds for a possible disconnection".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "Information of a technical nature from Securitas Direct. To the extent that<br />
direct information about an attribute of the interested party is not transferred, nor does<br />
Securitas Direct intend to analyze a pattern of conduct or to influence it in any way,<br />
the information provided by the analyzed log line should not be considered as personal<br />
data", "extended description: Detection of lack of electrical current in the device",<br />
"name of the information: electric current-auto".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "It is a change of internal priority of the incident motivated by a<br />
non-disconnected alarm signal", and in "extended description": "Change the priority<br />
because the incident is sent to a manual queue.", "name of information": "PRIO 25---20."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "There is no direct link to customer information to the extent that they are<br />
informative signals of a technical nature", and in "extended description: panel coverage<br />
level", "name of the information: informative signal".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "This log line, although it provides information about an alarm trigger in the<br />
sensors, to the extent that direct information on an attribute of the data subject is not<br />
transferred nor does Securitas Direct intend to analyze a pattern of conduct or influence<br />
him in any way, the information provided by the analyzed log line should not be<br />
considered as personal data. In this sense, it would be a description of the technical<br />
and internal process of Securitas Direct", and in "extended description": "These log<br />
lines describe the process of the system and sensors in the detection of an intrusion.",<br />
"name of the information: INTRUSION VOLUMETRIC RADIO, 27 11 2015, 20:09:47".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "The signal, given its relevance, is transmitted to a machine or human operator<br />
to start the management process. However, it is an internal process from which no<br />
personal data of the user can be inferred", "extended description": "Indicative that<br />
the incident is transmitted to a human or machine operator", "name of the information<br />
(...): 0".<br />
<br />
- The only one that includes periods of days and dates indicates, under "Linking<br />
directly or through inference, to a conduct or information of a natural person":<br />
"Without prejudice to the fact that, as a result of any of these signals, some type of<br />
action may be initiated that does involve the processing of personal data, the internal<br />
verification procedures and processes are essentially technical and it is not possible<br />
to infer any personal data from them", "extended description": "They describe periods<br />
in which there is a loss of connection between the Securitas Direct servers and the<br />
device installed at the address of the interested party. The devices emit a periodic<br />
technical signal to confirm that they are indeed connected and ready to carry out their<br />
activity. Also, the logs describe the internal and technical actions carried out as a<br />
result of this disconnection", "name of the information: (...) TRANSFER".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "There is no link with the user to the extent that this is an internal<br />
procedure that must be followed to provide the service correctly", and in "extended<br />
description": "Technical information that the incident is transferred to a human<br />
operator for management.", "name: GTI: incident cancelled, client already exists in<br />
manual queue 14".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "Information of a procedural and internal nature of Securitas Direct", without<br />
extended description, "name of the information: GTI: incident cancelled, pending<br />
maintenance".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "This log line, although it provides information about an alarm trigger in the<br />
sensors, to the extent that direct information on an attribute of the data subject is not<br />
transferred nor does Securitas Direct intend to analyze a pattern of conduct or influence<br />
him in any way, the information provided by the analyzed log line should not be<br />
considered as personal data. In this sense, it would be a description of the technical<br />
and internal process for the provision of the images of the detectors", and in<br />
"extended description: These log lines describe the different processes of the systems<br />
and sensors once the actual intrusion is detected: detection zone, image capture,<br />
availability of the same for the operator, etc.", "name: PIR Radio photo intrusion";<br />
under "is it considered personal data" it is added: "NO (notwithstanding the foregoing,<br />
the captured images, in case they have captured a subject, would be considered personal<br />
data and should be provided to the interested party in the event that they had captured<br />
him and not a third party)."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "Information of a technical nature of Securitas Direct in relation to the<br />
movement detections through the different sensors of the system", and in "extended<br />
description: System information in relation to a request for photograph or image",<br />
"name of the information: Informative signal". It indicates that it is not considered<br />
personal data, "Notwithstanding, if these detections could imply the collection of some<br />
type of information from an interested party, they could be considered personal data and<br />
should be provided to the interested party in the event that they had captured him and<br />
not a third party."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "no information is provided in relation to any characteristic, behavior pattern<br />
or other user information", without extended description, "name of the information:<br />
no reason."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "information of a technical nature from Securitas Direct", without extended<br />
description, "name of the information: power cuts: incident with restoration."<br />
<br />
In table II, "information considered personal data in relation to the request for<br />
access analyzed" (pp. 31 to 48/105), in the column "Is it likely to be provided in<br />
response to the exercise of the right of access of the interested party?", usually<br />
"Yes" figures, but in some there are observations with caveats and in one "NO" figures.<br />
<br />
The defendant informs that "certain records in the tables of this Annex lack a<br />
specific date because they are general comments, independent of a specific line and<br />
with transversal effect on the entire document."<br />
<br />
- They appear without date:<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "From the joint information provided by: (i) alarm mode selected by the user;<br />
(ii) date of the specific log and (iii) information derived from the "time of (...)",<br />
the knowledge of certain behavior patterns of a user (e.g. from a certain hour in the<br />
afternoon on weekdays the interested party applies a determined (...), with which it is<br />
possible that he is not at home)", "extended description: alarm connection mode and<br />
time the alarm remains connected in said mode", "name of the information: (...) and<br />
time of (...)."<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "The highest priorities are directly related to the user while low priorities<br />
correspond to logs of control and technical verification from which user information<br />
cannot be inferred", "extended description: The different figures included in the<br />
column "***COLUMNA.3" of the log are priorities assigned according to the type of<br />
signal being received. The lower the numerical value, the higher the priority (generally<br />
with the interested party's own actions such as SOS calls); the higher the numerical<br />
value, the lower the priority (generally related to incidents of a technical<br />
character)." There is an added annotation under "Is it likely to be provided in response<br />
to the exercise of the right of access of the interested party?": "Only those priorities<br />
qualified as high and connected with a particular action or situation of the interested<br />
party (e.g. priorities linked to situations of panic or distress)."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "these denominations of the areas, insofar as they are areas of the user's<br />
property defined by the user and carry information about the choices of the interested<br />
party, would imply personal data", "extended description: throughout the log<br />
denominations are found, decided by the interested party, to name certain areas of the<br />
property, for example perimeter, garage door, etc.", "name of the information: user<br />
defined area names in all logs".<br />
<br />
- With the log date, there appear, all of them considered personal data, among others:<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "insofar as they are configurations carried out by the interested party, they<br />
would imply knowledge of characteristics and preferences of the same, so they would be<br />
considered personal data", in "extended description: the device informs about different<br />
characteristics related to its configuration and programming, for example entry and exit<br />
times, siren volume, among others", "name of the information: signal information".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "There is no direct link to information from a client to the extent that they<br />
are informative signals of a technical nature and no information is provided regarding<br />
any characteristic, behavior pattern, or other information of a natural person.",<br />
"extended description: Code generated automatically and randomly by the system for the<br />
security guard to deactivate the alarm", "name of the information: central high<br />
priority". "Is it likely to be provided in response to the exercise of the right of<br />
access of the interested party?": No. 11/27/2015<br />
<br />
It is unknown why it is not classified in Table I.<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "Direct action of an operator". "Extended description": "The operator begins<br />
incident management and makes verification calls to the user and other persons indicated<br />
by the same in case of incident." "Name of the information: action Central Receiver<br />
Alarms-call to H/E". "Is it likely to be provided in response to the exercise of the<br />
right of access by the interested party?": "In this sense, without prejudice to the<br />
fact that it is personal data, it is the operator's and not the interested party's who<br />
exercises his right of access, since it is not information about said interested party."<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "The actions of an operator, which include interaction with the user or the<br />
contacts designated by the latter, involve obtaining information about said interested<br />
parties", extended description: "Different generic actions of the Securitas Direct human<br />
operator in the event of a specific incident (e.g. authorization of speak/listen calls<br />
to the different listed contacts; internal comments regarding the information<br />
transmitted by contacts, etc.)." Name of the information: "CRA performance". "Is it<br />
likely to be provided in response to the exercise of the right of access of the<br />
interested party?": "They should only be provided as part of the right of access to the<br />
records of actions directly related to the applicant for the right and not the rest of<br />
the communications with other authorized users or contacts provided by him. Also, the<br />
applicant should not be provided with any information or analysis on the performance of<br />
the operator, to the extent that it is a third party other than the interested party who<br />
had exercised the right of access".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "The actions of an operator, which include interaction with the user or the<br />
contacts designated by the latter, involve obtaining information about said interested<br />
parties.", "extended description: The contacts that the Securitas Direct operator tries<br />
to locate do not answer", "name of the information: CRA-communicating performance". "Is<br />
it likely to be provided in response to the exercise of the right of access of the<br />
interested party?": "However, they should only be provided as part of the right of<br />
access to the records of communications related to the applicant for the right and not<br />
the rest of the communications with other authorized users."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "The actions of an operator, which include interaction with the user or the<br />
contacts designated by the latter, involve obtaining information about said interested<br />
parties.", name of the information: "action CRA-goes to voicemail". "Is it likely to be<br />
provided in response to the exercise of the right of access of the interested party?":<br />
"However, they should only be provided as part of the right of access to records of<br />
communications related to the applicant of the right and not the rest of the<br />
communications with other authorized users."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "The actions of an operator, which include interaction with the contacts<br />
designated by the user, involve obtaining information about said interested parties",<br />
name of the information "CRA-operator performance manages to speak with contact" or<br />
"CRA action-incorrect keyword", and "CRA action-LOCSIN-located without keyword" with<br />
"extended description: contact does not remember the keyword to prove identity and<br />
close the incident". "Is it likely to be provided in response to the exercise of the<br />
data subject's right of access?": "However, the data must only be provided as part of<br />
the right of access to the records of communications related to the applicant of the<br />
right and not the other communications with other authorized users."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "These logs provide information regarding the actions of an operator, that is,<br />
the verification that he actually follows the internal Securitas Direct processes for<br />
these purposes", "extended description: Display of keywords by the operator in case<br />
there is a contact with the user for identification purposes.", name of the information<br />
"operator viewed codewords on demand". "Is it likely to be provided in response to the<br />
exercise of the right of access of the interested party?": "Without prejudice to the<br />
fact that it is personal data, it should not be provided to the data subject to the<br />
extent that it affects a third person other than the one exercising the right of access."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "The actions of an operator, which include interaction with the user, involve<br />
obtaining information about the interested party", extended description: "the user is<br />
contacted", name of the information: "Service Req.: ***NUMBER.1", "Is it likely to be<br />
provided in response to the exercise of the right of access of the interested party?"<br />
<br />
- "Linking, directly or through inference, to a behavior or information of a natural<br />
person": "Information relating to an operator of a procedural and internal Securitas<br />
Direct nature", "extended description": "Internal record of the operator that a<br />
specific incident is taking place", name of the information: "REGISTERED ACCESS: The<br />
user ***USER.1 accessed the client file". "In this case it could be considered personal<br />
data of the operator itself and, therefore, would not be capable of being transferred<br />
to the interested party exercising the right of access."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "In principle, the routine tests and verifications that the Securitas Direct<br />
technician must carry out do not provide any information about the user, unless they are<br />
specifically requested by said user", extended description: "The technician carries out<br />
the regulatory checks to ensure the proper functioning of the systems. At the customer's<br />
request, he can modify some parameters of the system itself (e.g. sound, time, sensors,<br />
etc.)", name of the information: "Compulsory tests and verifications as part of the<br />
maintenance of the installation". "Is it likely to be provided in response to the<br />
exercise of the right of access?": "If the technician introduces modifications or<br />
specific configurations in the device at the request of the user, these parameters<br />
would be considered as personal data that must be delivered to the interested party."<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "The record of user actions involves obtaining personal information about<br />
him", "extended description: alarm cancellation by the entry of user codes", "name of<br />
the information: user codes", "Is it likely to be provided in response to the exercise<br />
of the right of access of the interested party?: YES."<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "The record of actions related to a real intrusion, in case of having captured<br />
an image of the intrusion, provides personal information", extended description: "log<br />
line that refers to the image captured by the systems when detecting a real intrusion".<br />
Name of the information: "VIDEO-VID". "Is it likely to be provided in response to the<br />
exercise of the right of access of the interested party?": "Information relating to the<br />
captured images should not be provided to the requester of the right of access to the<br />
extent that it is information concerning an interested party other than the one<br />
exercising the right of access".<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "the record of user actions involves obtaining personal information about<br />
him", extended description: "event injected into the service from the application by<br />
the user - remote connections and disconnections. Various requests made from the<br />
user's mobile terminal", "name of the information: central security low priority".<br />
<br />
- "Link directly or through inference, to a behavior or information of a natural<br />
person": "the record of situations that may affect the user, such as the communication<br />
of a power outage, involves obtaining personal information about the same", "extended<br />
description: in this case the client is informed by means of an email from a (...) due<br />
to a power outage of his alarm", "name of the information: electric current auto".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "the record of user actions involves obtaining personal information about<br />
him", "extended description: de(...) by app client remote web", "name of the<br />
information: user code".<br />
<br />
- "Linking directly or through inference, to a behavior or information of a natural<br />
person": "the record of user actions involves obtaining personal information about<br />
him", "extended description: confirmation of total external (...)", "name of the<br />
information: central safety priority low".<br />
<br />
In ANNEX II, entitled "GENERAL STUDY ON THE CONSIDERATION AS PERSONAL DATA OF EACH<br />
LOG" (p. 53 to the end), the analysis is carried out, "generally" and "without specific<br />
application to a specific interested party", of the consideration as personal data of<br />
the generic log lines that can normally be used in the Securitas Direct systems during<br />
the development of its activity.<br />
<br />
"Those log lines not derived directly from the security services provided by Securitas<br />
(i.e. logs with denomination: FR0 to FSZ; ROF and ROI). Likewise, the log lines that,<br />
according to the information provided by Securitas, do not have practical application at<br />
the date of writing this report have not been the object of study: IAC, ICA, PID, PDD,<br />
TLL and TWC"<br />
The table contains the identification of the logs based on three columns.<br />
<br />
- The first column includes the "(...) of the signal", in alphabetical order, which<br />
usually comprises a code of three capital letters, which is "described" in the second<br />
column with a general description, usually in English, with some keys like "FG, SK<br />
masking", "OPDI Shutter", "Sent when CP detects RX failure in FG", which they then refer<br />
to in the third column: "extended description provided by SD".<br />
<br />
It is observed that keys that appear in the document delivered to the claimant on<br />
12/14/2021, in the "Signal classification" field, such as RPT and IGC, do not appear<br />
among those classified in Annex II. In addition, there are codes such as TAC that<br />
appear delivered to the claimant as data, while in Annex II it is indicated that it is<br />
not personal data.<br />
<br />
There are also keys (TTR or TTS) that appear as NO under "Is it considered personal<br />
data?", which indicates "This log line, although it conveys information about a possible<br />
sabotage of the sensors, does not provide information directly about the interested<br />
party nor on a pattern of behavior or an analysis of his personality. Therefore, to the<br />
extent that direct information about an attribute of the interested party is not<br />
conveyed nor does Securitas Direct intend to analyze or influence a pattern of conduct<br />
in any way, the information provided by the analyzed log line should not be considered<br />
as personal data. In this sense, it is a description of the technical and internal<br />
Securitas Direct process".<br />
<br />
Some keys are related to "extended description provided by Securitas: carrying out<br />
Securitas tests to verify the status of the FOG system", or in another "verification<br />
under the Securitas Direct action protocol of the status of the FOG system", or<br />
"information coverage level (...) of panel".<br />
- The fourth column is titled "Linking directly or through inference, to conduct or<br />
information of a natural person", in which the reasoning on this question is introduced<br />
in some lines and which, as a consequence, gives rise to the information of the last<br />
column, called "Is it considered personal data?", with Yes or No. In the No, it can be<br />
associated with: "There is no direct link with information of a client insofar as they<br />
are informative signals of a technical nature and no information is provided in<br />
relation to any characteristic, pattern of conduct or other information of a natural<br />
person."<br />
<br />
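The classification scheme described in the Annexes (the "linking" assessment, the "is it<br />
considered personal data?" column and the "is it likely to be provided?" column, together<br />
with the priority rule and the third-party caveats of Table II) can be expressed as a small<br />
filter that decides which log lines may go into a right-of-access response. The following<br />
is an added example written for this page; it is not code from the decision, from the AEPD<br />
or from Securitas Direct. The category and subject tags, the priority threshold of 20 and<br />
the sample log lines are constructed assumptions, not values taken from the file.<br />

```python
"""Model of the log-line classification described in the Annexes, applied to
constructed sample lines. Added example: not code from the decision, the AEPD
or Securitas Direct. Categories, subjects, threshold and samples are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Category(Enum):
    """Constructed categories that summarise the reasoning in the Annex tables."""
    DEVICE_STATUS = "device status / supervision signal"        # Table I
    INTERNAL_PROCESS = "internal process step"                  # Table I
    PRIORITISED_SIGNAL = "signal carrying a numeric priority"   # Table II, priority rule
    USER_CONFIG = "configuration chosen by the user"            # Table II
    USER_ACTION = "action taken by the user"                    # Table II
    AREA_NAME = "user-defined area name"                        # Table II, undated
    OPERATOR_ACTION = "human operator action"                   # Table II, operator's data
    CONTACT_COMMUNICATION = "communication with a designated contact"
    CAPTURED_IMAGE = "image captured on intrusion"


class Subject(Enum):
    """Whom the line is about (the 'operator', 'client', 'contact' terms in the tables)."""
    NONE = "no natural person"
    REQUESTER = "the person exercising the right of access"
    OPERATOR = "a Securitas operator"
    CONTACT = "a contact designated by the user"
    THIRD_PARTY = "another natural person"


@dataclass(frozen=True)
class LogLine:
    timestamp: Optional[str]        # None models the undated "general comments"
    name: str                       # "name of the information"
    description: str                # "extended description"
    category: Category              # assumed to come from a human review, as in the Annex
    subject: Subject = Subject.NONE
    priority: Optional[int] = None  # lower figure = higher priority (Table II rule)


@dataclass(frozen=True)
class Assessment:
    is_personal_data: bool   # "Is it considered personal data?"
    provide_on_access: bool  # "Is it likely to be provided in response to the right of access?"
    reason: str


HIGH_PRIORITY_MAX = 20  # assumption: figures at or below this count as "high" priority


def assess(line: LogLine) -> Assessment:
    """Answer the two Annex questions for one line. Personal data about someone other
    than the requester (operator, contact, third party) is personal data but withheld."""
    c, s = line.category, line.subject
    if c in (Category.DEVICE_STATUS, Category.INTERNAL_PROCESS):
        return Assessment(False, False, "technical signal with no link to a natural person")
    if c is Category.PRIORITISED_SIGNAL:
        high = line.priority is not None and line.priority <= HIGH_PRIORITY_MAX
        if high and s is Subject.REQUESTER:
            return Assessment(True, True, "high priority tied to the requester's own action")
        return Assessment(False, False, "low-priority control or technical verification log")
    if c in (Category.USER_CONFIG, Category.USER_ACTION, Category.AREA_NAME):
        return Assessment(True, True, "reflects the requester's own choices or actions")
    if c is Category.OPERATOR_ACTION:
        return Assessment(True, False, "personal data of the operator, not of the requester")
    if c in (Category.CONTACT_COMMUNICATION, Category.CAPTURED_IMAGE):
        if s is Subject.REQUESTER:
            return Assessment(True, True, "directly concerns the requester")
        return Assessment(True, False, "concerns a third party other than the requester")
    raise ValueError(f"unhandled category {c}")


def access_response(lines: List[LogLine]) -> List[str]:
    """Names of the lines a right-of-access reply may contain."""
    return [ln.name for ln in lines if assess(ln).provide_on_access]


def withheld_personal_data(lines: List[LogLine]) -> List[str]:
    """Lines that are personal data but belong to someone other than the requester."""
    return [ln.name for ln in lines
            if (a := assess(ln)).is_personal_data and not a.provide_on_access]


# Constructed sample lines, loosely patterned on the names quoted in the Annex.
SAMPLE_LINES = [
    LogLine("27/11/2015 20:09:47", "INTRUSION VOLUMETRIC RADIO", "sensor process on detection",
            Category.INTERNAL_PROCESS),
    LogLine("27/11/2015 20:10:02", "radio repeater superv", "periodic device status check",
            Category.DEVICE_STATUS),
    LogLine(None, "user defined area names", "names such as 'garage door' chosen by the user",
            Category.AREA_NAME, Subject.REQUESTER),
    LogLine("27/11/2015 19:55:10", "user codes", "alarm cancelled by entering a user code",
            Category.USER_ACTION, Subject.REQUESTER),
    LogLine("27/11/2015 20:09:50", "SOS call", "panic signal raised by the user",
            Category.PRIORITISED_SIGNAL, Subject.REQUESTER, priority=1),
    LogLine("27/11/2015 20:12:00", "technical check", "link verification",
            Category.PRIORITISED_SIGNAL, Subject.NONE, priority=40),
    LogLine("27/11/2015 20:11:00", "operator viewed codewords on demand", "operator action",
            Category.OPERATOR_ACTION, Subject.OPERATOR),
    LogLine("27/11/2015 20:13:00", "CRA-communicating performance", "contact does not answer",
            Category.CONTACT_COMMUNICATION, Subject.CONTACT),
    LogLine("27/11/2015 20:09:48", "VIDEO-VID", "image captured showing an intruder",
            Category.CAPTURED_IMAGE, Subject.THIRD_PARTY),
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        a = assess(ln)
        print(f"{ln.name:38} personal={a.is_personal_data!s:5} "
              f"provide={a.provide_on_access!s:5} {a.reason}")
```

The model keeps the two questions apart, which is the point the tables make: a line about an<br />
operator or a designated contact is personal data and is still withheld, and a captured image<br />
is returned only when the person it shows is the requester. The category and subject tags<br />
would have to come from a review like the one the Annex describes, since a signal name alone<br />
does not determine them.<br />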
2) It summarizes its actions over time, after obtaining the aforementioned report, in<br />
order to assess its performance in the exercise of the claimant's right.<br />
<br />
a) - 02/26/2021, response to the burofax received on 02/9/2021, "in which we are<br />
required to provide the "logs" generated by the alarm system for the requested period.<br />
In this letter we provide the "logs" that we consider to be personal data, as they are<br />
registered in our systems, and due to their configuration a description of them is<br />
included in order to make them intelligible, something that exceeds what we could be<br />
required to do. This letter was received by the claimant on 03/03/2021. See pp. 26 to<br />
31 of the documentation in the file."<br />
<br />
- 18/05/2021, as a consequence of the receipt of file E/04382/2021 (transfer of the<br />
claim in the procedure for the exercise of rights, then TD/00167/2021), "the claimant<br />
is sent again, by email, the same response provided on 02/26/2021, that is, the "logs"<br />
that have been considered to be personal data, in accordance with the report made."<br />
<br />
- 12/14/2021, the same information provided in the letters dated 02/26 and 05/18/2021<br />
is sent to the claimant again, as a consequence of the resolution of the Appeal for<br />
Reversal No. RR/00658/2021 against TD/00167/2021. "This time in a different format,<br />
per event, rather than aggregated, to make it easier to understand them. See pp. 153<br />
to 160 of the documentation in the file."<br />
<br />
"They have been sent in two different formats, grouped by event and individualized, as<br />
they are registered in the systems by event date", "including information that would<br />
allow the claimant to understand it". It includes a description of the meaning of the<br />
event. "The records generated by the systems have been contributed as they are<br />
generated in them, and even so, efforts have been made that even exceeded the<br />
obligation of my client, so that the receiver could understand the event they reflect."<br />
<br />
3) "SECURITAS DIRECT, in a letter submitted to the Agency on 06/18/2021, pages 106 and<br />
107 of the file (within TD/00167/2021), showed that it generated logs until 8:09 p.m.<br />
on 11/27/2015, the time and date on which the burglary of the claimant's residence took<br />
place and during which said alarm system was completely disabled, so from that date it<br />
could not generate more logs."<br />
<br />
In relation to the internal memory of the device, the defendant also stated in its<br />
letter of 06/18/2021 that "after the analysis of the internal memory of the installed<br />
alarm, it only had a log generated for that time frame, which was recorded in our<br />
burofax of 02/26/2021".<br />
<br />
It considers that "in December 2021 it had executed the exercise of the right of access to data made by the claimant repeatedly” in two different formats, grouped by event and individualized, as recorded in the systems by event date. A description of the significance of the event is included.<br />
<br />
4) "The Agency considers in the initiation agreement that, without prejudice to having sent to the claimant the records and signals requested and generated that are personal data, “it would have been possible to provide all the “logs” to the Agency, down to the smallest detail, and mark them as confidential in the event that it opposed any eventual diffusion”.<br />
<br />
It calls into question the possibility of addressing the right of access in this way, as it is not reflected in any rule, considering it an indirect access to information through the AEPD, even when these are not personal data. It indicates that it has sent the claimant the personal data contained in the requested information after the conclusion of its legal analysis report on logs, "within the period requested”, “in two different ways”, and on three occasions.<br />
<br />
5) Those that it does not consider personal data are "logs of a technical nature, signals information, descriptive records of internal and technical processes, configurations of devices or statistical information, information containing SD internal technical processes whose disclosure to third parties would imply in many cases the communication of our know how”.<br />
<br />
<br />
<br />
"Wanting to comply with what was stated by the Agency in the written initiation agreement”, it attached:<br />
<br />
DOCUMENT 2, Excel table, which "contains all the records issued by the alarm system on which the request falls", "ordered chronologically", so that they appear sequentially, as they are produced: "In green color are personal data according to the report", and those in "red color, those that are not, because they are technical and confidential, being subject to the regulations on industrial secrets, and can be used only by the Agency”.<br />
<br />
"Of the total logs collected from the claimant's alarm system for the period requested - 412 records - a total of 273 records have already been made available to the claimant.”<br />
<br />
The Excel sheets provided are similar to the format provided to the claimant on 12/14/2021, and "reflect the records as they are, and appear recorded in the systems.”<br />
<br />
Sometimes logs of the same date and time appear, one of which is considered personal data and another that is not, appearing with different keys of the "(...) of the event”, those considered not personal data being distinguished in red; for example, 11/27/2016 20:09:47. There are even two logs in red, not personal data, at the same date and time.<br />
<br />
DOCUMENTS 3 and 4, Excel tables, in some way related to 2. They gather separately those logs that are personal data (3) and those that are not (4), also in the same colors as document 2. Document 3 contains, according to the defendant, "the records issued by the alarm system on which the petition falls. This document was provided to the claimant by burofax dated 12/14/2021 and reflects the records as they are, and appear registered in the systems.” It appears ordered chronologically, the first date being 11/27/2015, 8:09 p.m.; on the same day there are several records, the last one at 20:17:07, and the next one goes to 12/4/2015, 11:05:04.<br />
<br />
Document 4, with the technical logs that the defendant does not consider to be of a personal character, begins with a record on 11/26/2015, and the following date is 11/27/2015, the first record being at 9:39:43 and the last at 20:11:34. Despite the statement of the defendant that the alarm was destroyed on 11/27/2015 at 20:09, there are logs (technical only) between 11/28 and 12/4/2015, except for 11/29. Each day, four logs are reflected, with the common term “GTI MISSING TEST” (a log that reports loss of communication with the device), up to 4, one per day. On 12/4/2015 there appears "GTI: canceled incident, customer already exists in manual queue 14", without any key in description or signal classification.<br />
<br />
<br />
It summarizes that the logs associated with the claimant's alarm system that "we do not consider data of a personal nature” are of a technical nature: signals information, descriptive records of internal and technical processes, configurations of devices with statistical information, information that contains Securitas Direct internal technical processes whose disclosure to third parties would imply in many cases the communication of our "know how", with the damage that could be caused directly and, with respect to the safety of all its customers, indirectly”.<br />
<br />
6) -About the amount of the sanction in the initiation agreement:<br />
<br />
a) Regarding 83.2.a) of the GDPR, it considers that 2017 cannot be taken as the temporal starting date as an aggravating circumstance, since the first rights protection procedure that year was declared inadmissible by the Agency on the grounds that the logs were not considered personal data.<br />
<br />
“Regarding the time elapsed in connection with the damage caused and the safety of the facilities, the claimant has not gone to court, always proceeding through administrative data protection channels, the claimant having used the "legal levers" that suited his right and were offered within his reach, which cannot be penalized." A response was given to the requested access before the start of the disciplinary proceedings, up to three times.<br />
<br />
<br />
b) Regarding article 83.2.b) of the GDPR, “negligent action”, based on the fact that the claimant considered in October 2021, subjectively, that his request had not yet been complied with, it considers that this is not an entirely true approximation, since it had complied with the exercise of the right of access on two occasions, in February and May 2021.”<br />
<br />
<br />
“What happened in December 2021 was that this party, said without intention to offend, no longer knew how to comply once again with the exercise of the right, and proceeded to submit to the claimant the same information already submitted in February and May 2021, but in a different format (if both documents are collated, it can be checked that the information in both is the same). Furthermore, in none of the resolutions issued by the Agency was the possibility raised of contributing to it all the logs, marking the confidential ones, "as has been done in this initiation agreement, without determining which article of the current regulatory framework contemplated such a possibility”. The mere and repeated disagreement of the claimant must not be, by itself, the cause that motivates the infringement or, failing that, the imposition of a fine"<br />
<br />
7) Regarding the statement that there is a link between the offender's activity and the data processing within the framework of the provision of its services, it considers that precisely what is at issue in this case is whether the logs generated by the alarm are personal data or not, something that, after the report provided as Document 1, allows differentiating those that are, which have been delivered on various occasions to the claimant, from others that are not.<br />
<br />
8) It considers that a series of mitigating factors are proven that would allow the application of “a degree less than that proposed in the initiation agreement”. These mitigations would be:<br />
<br />
a) The failure to respond to the requests for the exercise of the right cannot be described as a serious infringement under article 72.1.k) of the GDPR, given that access was given in February and May 2021 in part, but not in full; the right having been partly attended, "it would be a mitigation to apply to the aforementioned article and consider it as a minor offense that would fit into article 74.c of the LOPDGDD”, which indicates:<br />
<br />
<br />
"The remaining infractions of a merely formal nature of the articles mentioned in sections 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will prescribe after a year, and in particular, the following:<br />
<br />
c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law are applicable.”<br />
<br />
<br />
-There is due diligence, "for the sole purpose of complying with the claimant's request and with the scope of the right of access to his personal data, making an effort, including an economic one, placed in the hands of an independent third party of recognized prestige, for the purpose of disaggregating, among all its logs, which are those considered as personal data (according to the definition of "data of a personal character") and which are not, and which are trade secrets"<br />
<br />
<br />
-There is good faith, as demonstrated by the fact that "the right has been complied with up to three times", "once it was clear about the criteria of which logs are personal data and which are not”, always giving the same information. Following the criteria of the AEPD, based on the initiation agreement, all the logs have been provided.<br />
<br />
<br />
-It considers that the action of the claimant expressing his dissatisfaction "with what, subjectively, he considers the logs to be and how they should be represented on paper, cannot be an additional condition for proposing to impose a fine that they understand to be disproportionate; on the contrary, it should be grounds for the penalty to be less than the proposal.”<br />
<br />
<br />
It requests that the exercise of the right be considered fulfilled with all the logs now contributed.<br />
<br />
<br />
SEVENTH: On 11/23/2022, it was agreed to open a period for the taking of evidence.<br />
<br />
<br />
<br />
1-The claim filed by the claimant and its documentation, the documents obtained and generated during the phase of admission to processing of the claim, and the report of prior investigation actions that form part of procedure TD/00167/2021.<br />
<br />
Likewise, the allegations to the initiation of the referenced disciplinary procedure, presented by the defendant, and the accompanying documentation are considered reproduced for evidentiary purposes.<br />
<br />
<br />
2-Because they are related to the original petition, the following are incorporated as evidence into the procedure:<br />
<br />
a) The documentation provided by the claimant and that obtained and collected from the defendant regarding the rights protection procedure 1564/2016, resolved on 09/08/2016, as well as the documentation of both parties produced in its processing.<br />
<br />
<br />
b) The documentation provided by the claimant and that obtained and collected from the defendant regarding the rights protection procedure 1593/2017, as well as the documentation of both parties produced in the appeal for reversal resolved on 01/2/2018, RR/779/2017, and the documents that form part of said files.<br />
<br />
<br />
c) The documentation provided by the claimant and that obtained and collected from the defendant regarding the rights protection procedure resolved by the Agency, TD/00167/2021, the procedures related to it, including its transfer to the defendant, E/4382/2021, and its admission for processing and handling, as well as the subsequent appeal for reversal resolved, RR 658/2021 of 10/27/2021.<br />
<br />
<br />
d) The Judgment of the National Court (AN), Chamber of Administrative Litigation, first section, of 07/23/2019, appeal 146/2018, and, by relation, the order of the Supreme Court (TS), Chamber of Administrative Litigation, first section, of 05/29/2020, procedure number 378/2020, on the admission for processing of the appeal of the defendant, from which it later withdrew, appearing as such in the order of the TS, appeal 378/2020 of 09/15/2020, in which it is indicated that the representative of Securitas "presented a brief on 07/24/2020, withdrawing from the appeal prepared", declaring "the appeal terminated by withdrawal", and communicated to the AEPD in a letter from the Lawyer of the Administration of Justice of 10/29/2020, appearing as an associated object of the file: PS 2181 22 san and ts.<br />
<br />
<br />
3. The defendant is requested to provide or report within fifteen days:<br />
<br />
3.1-Provide a copy of the terms contained in the exercise of the right of access formulated by the claimant on 02/02/2021.<br />
<br />
<br />
Response received on 12/30/2022.<br />
<br />
In the first place, it stresses that the procedure followed is for infringement of Article 58.2.c) of the GDPR:<br />
<br />
“order the controller or the processor to attend to the requests for the exercise of the rights of the data subject under this Regulation”.<br />
<br />
For this, it considers relevant the distinction between the logs that have the status of personal data and those that refer to "aspects simply related to the operation of commercialized alarm systems, the disclosure of which could generate a violation of its right to trade secrets, and a risk to their future operation, by informing third parties unrelated to the organization".<br />
<br />
<br />
It believes that some of the questions raised in the evidence phase by the instructor "are not related to the object of the procedure, but rather to the proper operation of the contracted alarm system”. The information it will provide will be circumscribed "to the object of the procedure", on whether it gave "adequate compliance to what was agreed by the AEPD”, as well as “whether the information that was not provided to the claimant, in application of what has already been invoked in the allegations, did or did not contain personal data of that person, without understanding that it is appropriate to provide information related to the behavior in relation to the events that occurred at the claimant’s home.”<br />
<br />
<br />
It provides the claimant's burofax on the exercise of the right, signed on 02/02/2021, with shipping date 02/9/2021, handwritten: received 02/10/2021.<br />
<br />
<br />
The brief is based on the fact that "on December 4, 2015, the house suffered an assault and robbery without the indicated alarm system being activated, nor having detected, issued and received the proper alarm signal; the switchboard was seriously damaged, and the first news that Securitas Direct Spain had was the call from my client, reporting on it. The alarm system had been suffering certain incidents with certain connectivity problems”, and goes on to assess the demandability by Securitas from the claimant of the replacement costs of the switchboard after the incident, the suspension of the service from 12/23/2016, apparently by a cut due to non-payment of the replacement costs, indicating that the holders considered the contract terminated, and in turn requiring a series of refunds of amounts under various concepts.<br />
<br />
<br />
Immediately afterwards, it reiterates the request for the information held on servers regarding the records and signals sent by the alarm equipment between 11/26 and 12/18/2015. It mentions the judgment of the AN, its finality, and requires its compliance.<br />
<br />
<br />
3.2-Copy of the contract signed with the claimant in which the general and specific conditions appear, with information on the service and the exercise of rights, including clause 14 of the privacy policy to which it alludes in its exercise of rights of 04/07/2017.<br />
<br />
Copy of the instructions delivered to the user, in writing, on the operation of the service, informing him of the technical and functional characteristics of the system and the responsibilities that come with joining it.<br />
<br />
It is provided, as DOCUMENT NUMBER 3, contract number *** NUMBER.2 entered into on 07/30/2014 with the claimant (hereinafter, the “Agreement”), including, on pages 9 and 10 of the document, clause 14, referring to personal data protection.<br />
<br />
From the "security service" contract, it is worth mentioning:<br />
<br />
Particular conditions:<br />
<br />
-Personal data collected: e-mail, name, surname, address and telephone.<br />
-The service includes the installation, maintenance and operation of alarms.<br />
<br />
<br />
General conditions<br />
<br />
-"2. description and scope of the services object of the contract, A) installation and maintenance service”, states that the installation will include the elements and components contemplated in the particular conditions of this contract, and that Securitas Direct will provide a basic maintenance service that includes for the client: remote verification services of the operation of all components (technical check according to current regulations).<br />
<br />
It also refers to the definition and distinction of "fault", "the damage that prevents the proper functioning of a security system to fulfill the purpose for which it is intended", and "technical problem", "that incident that implies the necessary intervention by SECURITAS DIRECT for verification, whether or not in person, and that in no case prevents the full operation of the CUSTOMER's security system."<br />
<br />
<br />
Point B) refers to the connection service to the alarm receiving center.<br />
<br />
-In 6: "customer obligations", it is established, among others:<br />
<br />
a) "You must, in any case, connect the alarm system every time you intend to prevent the access of unauthorized persons to the place and, especially, each time the place is left unoccupied and unguarded. Accreditation of the alarm connection corresponds, in any case, to the CLIENT. Therefore, contracting the service of all the controlled codes will be a requirement to reliably prove the alarm connection status. If the CLIENT has not contracted the service that allows proving that the alarm is connected, it corresponds to him to prove the connection, because the connection is an act that derives from the actions of the party contracting the service and not from SECURITAS DIRECT.”<br />
<br />
o) "Notify at all times possible changes in contact persons or telephone numbers in case it is necessary to locate him.”<br />
<br />
<br />
“10. RIGHTS OVER THE INSTALLATION. Because the rapid evolution of technology makes control and communication systems obsolete, SECURITAS DIRECT will retain ownership of the installed security system in order to be able to update the software and its components, for the sole purpose of providing the most advanced security services.<br />
<br />
- 14. PRIVACY POLICY<br />
<br />
A) INFORMATION REGARDING CUSTOMER DATA PROTECTION: The personal data provided by the CLIENT to SECURITAS DIRECT, as well as any other data that could be provided throughout the contractual relationship, will be included in a file, the responsibility for which lies with SECURITAS DIRECT ESPAÑA, SAU…, sole recipient of the data, with the main purpose of carrying out the contractual relationship, management of the activity itself, and maintenance, development and control of the contractual relationship.“<br />
<br />
"C) TREATMENT OF IMAGES AND/OR SOUNDS OBTAINED THROUGH THE SECURITY SYSTEM WHEN THE EQUIPMENT INCORPORATES PHOTODETECTION SYSTEMS. - When verifying an alarm jump by SECURITAS DIRECT<br />
<br />
“SECURITAS DIRECT, through its Alarm Receiving Center, will capture and record images and/or sounds through the security devices installed in the places subject to protection of the CLIENT, in accordance with article 48 of the Private Security Regulations, that is, verifying through all technical means within its reach the alarms received and, once said verification is exhausted, if appropriate, transmitting said images and/or sounds obtained as a result of the alarm jump processed to the competent police or judicial authority.<br />
<br />
SECURITAS DIRECT acquires the status of Controller of the file for the management of video surveillance systems with access to the CLIENT's images, because the CLIENT is a natural person and the security system with access to images is installed at his private home. The capture, reproduction and processing of images and sounds due to an alarm jump generated by the image protection element installed, and processed through the SECURITAS DIRECT Alarm Receiving Center, will not be considered illegitimate interference in the right to honor, to personal privacy and to one's own image.<br />
<br />
The CLIENT may only have access to information on any incident or recording made due to an alarm jump by sending a written request through the means that allow it, indicated in clause 20 of the general conditions, in which the identity of the contract holder must be stated, accompanied by a photocopy of his DNI, CIF, NIE or valid passport, as well as the date, time and place where the recording presumably took place. SECURITAS DIRECT will keep the recordings obtained as a result of alarm jumps generated by the installed security system, and will comply with its obligations of conservation, rendering unusable and destruction.”<br />
<br />
<br />
The aforementioned contract includes in its Annex I "the installation project", with the characteristics of the location and risk study, the proposed security design and the elements configured in the installation plan, as well as the elements and risk areas protected through verification of alarm signals by audio, image-video, and in person.<br />
<br />
<br />
Annex II refers to the "ACTION PLAN", which includes, among others:<br />
<br />
-"contact list": four people identified by first and last name, ordered by increasing number, all with “keys”. The first, the claimant, as "client", the person “who signs the contract, owner of the alarm system”, associated with two phones. The other three, with "relationship with the subscriber": "relatives", each with one telephone. The four people are listed in the “standard action plan” chart, ordered as "contact" from 1, the claimant, to 4.<br />
<br />
-the password or "master" keyword of the client, the duress password and the SECURITAS password.<br />
<br />
Within the Action Plan, the "CONDITIONS OF THE SERVICE OF OPERATION OF THE ALARM RECEIVING CENTER", highlighting among others:<br />
<br />
-"CLIENT: Natural/legal person who signs the CONTRACT, who is the owner of the alarm system described in the aforementioned CONTRACT and who is the holder of the master keyword. The CLIENT may in any case have the status of user"<br />
<br />
"USER: Natural person to whom the CLIENT authorizes access to the property and the use of the alarm system, making available the means of connection and/or disconnection of it."<br />
<br />
"CONTACT PERSONS: Natural person who may or may not coincide with the CLIENT of the contract and who holds the master keyword."<br />
<br />
2. KEYWORD. It constitutes necessary data for the provision of the contracted service. Its holder is obliged to maintain its confidentiality, and must not transmit it to third parties.<br />
<br />
Keyword Types:<br />
<br />
- SECURITAS code: Identifies SECURITAS DIRECT and must be provided by it in any telephone communication with any of the persons described in section 1 of this document.<br />
<br />
- CLIENT MASTER Password: Identifies the CLIENT and the main contacts. It must be provided by them when they contact SECURITAS DIRECT by phone. It allows and gives access to all kinds of procedures and modifications, whether administrative (contract, action plan, etc.) or operational (verification of alarm jumps).<br />
<br />
- DURESS code: In the verification call following an alarm jump, it must be provided to SECURITAS DIRECT by whoever is in the property facing a situation of real danger to their physical and/or patrimonial integrity.<br />
<br />
3. VERIFICATION PROCEDURE FOR ALARM JUMPS<br />
<br />
The SECURITAS DIRECT Alarm Center will execute the pertinent process of verification of alarm jumps registered by the installed security system, through the means at its disposal contracted or arranged by the CLIENT, such as speaking, listening, image and/or a call to the fixed telephone of the property, calling the contact telephone numbers provided by the CLIENT in this document and, where applicable, sending the Go Service accompaniment to the Police or the Go Service Full Service verification, in the event that the CLIENT had contracted the latter service.<br />
<br />
SECURITAS DIRECT will issue the corresponding notice to the Security Forces and Bodies (hereinafter, "F.C.S.") only in the event that the reality of the event generating the alarm jump is proven, once valid verification has been carried out through existing means, in accordance with current regulations on private security.<br />
<br />
For the purposes of initiating the action protocol, the alarm signals are considered to be those received at the Alarm Receiving Center from the capture of the intrusion detection elements, the SOS button, the anti-robbery button, and duress.<br />
<br />
-In the contract there is a section that includes the protocol in cases of alarm jumps "from pressing the SOS button, anti-robbery button, duress code and when the duress keyword is provided”, in the case of “no user disconnection”: verifying “by accessing the speech-listening module of the system and/or calling the fixed telephone number of the property, as long as the latter is available. If through these means:<br />
<br />
- An answer is obtained: the person will be identified with the master or contact keyword. If the keyword is correct, the user will be provided with the precise technical instructions to disconnect the system.<br />
<br />
- If the keyword is not correct or no response is obtained: SECURITAS DIRECT will proceed to comply with the verification procedures provided in the current Private Security regulations, as well as to use complementary verification means, such as making the verification call to the MAIN and/or OPERATIONAL CONTACTS established, and/or the Security Guard and/or F.C.S. if it were a confirmed real alarm. In any case, the decision to issue the notice will correspond exclusively to SECURITAS DIRECT.<br />
<br />
In the event that "user disconnection" occurs, this is the case in which the alarm jumps and, in less than 20 seconds (from the alarm jump), the disconnection signal is received at the CRA. In this case, "an automatic recorded message is played through the speech-listening module of the system, in which the client will be informed of the signal received, as well as of the execution of the disconnection by the user or authorized person and the cancellation of the incident”<br />
<br />
"In the event that the disconnection signal is received in a time greater than that indicated in the previous paragraph, SECURITAS DIRECT will proceed to verify the alarm jump by accessing the system's speech-listening module and/or calling the landline telephone of the property, provided that it is available, to carry out the verifications that it deems appropriate according to its diligence as a Security Company and that are adjusted to the applicable Private Security regulations.”<br />
<br />
<br />
In document ANNEX III, "certificate of installation and connection", it is indicated that "the security elements and devices installed for the client correspond to security level 2, established in article 2 of Order INT/316/11 of 1/02, and have the corresponding approval according to the characteristics established in UNE-EN 50130, 50131, 50132, 50133, 50136 and in the UNE Standard CLC/TS 50398<br />
<br />
- In a table, the type of device of each of the elements that make up the installed system appears.<br />
<br />
<br />
As DOCUMENT NUMBER 4, it provides the user manual of the<br />
alarm (hereinafter, the "Manual") in its existing version at the time of the<br />
contract with the claimant. Highlights of it:<br />
<br />
-Control panel with GPRS transmission: GPRS communications (...), SMS, card<br />
Securitas Direct SIM included. Supports image transmission. Talk/listen loud<br />
<br />
sensitivity. The only one with a personal portable intercom to ask for help.<br />
SOS button. Indoor siren. Supports up to 32 home automation control user interfaces<br />
<br />
-Key reader/smart keys: allows you to easily activate and deactivate your alarm without<br />
having to memorize complicated codes. Different modes can be activated: day, perimeter…<br />
<br />
-Motion detector with color camera and flash: from our central station we can see what<br />
happens in your home or business in case of alarm; takes sequences of images; built-in<br />
flash for night vision and deterrence.<br />
<br />
<br />
-Communications: "supervision of communications through a periodic test."<br />
<br />
-For activation, it has various modes, such as fully activated when leaving your home, so<br />
that all the detection zones of the security system are protected, or partial modes: day<br />
mode activated, night mode activated or perimeter mode activated.<br />
<br />
In the description and use of the control panel with keyboard, the different functions of<br />
the buttons are listed: the SOS function, which in case of emergency can be sent to<br />
Securitas Direct, with a light indicator showing that it has been correctly received; the<br />
coverage light signal of the control panel, "(...)"; the "hands-free" function to receive<br />
and answer incoming calls; calls to 112; and a further series of functions.<br />
<br />
<br />
3.3-Description of the operation of the contracted alarm system that was installed in the<br />
claimant's property, and composition of its elements (alarm control unit located in the<br />
home, its components, control panel, sensors or alarm detectors included in the system,<br />
alarm kit or other system accessories, and connection to the Alarm Receiving Center).<br />
<br />
<br />
They are also asked to report the system or communication channel used by the device<br />
installed in the claimant's home.<br />
<br />
It points out that the manual describes on pages two and three the basic elements of the<br />
alarm system.<br />
<br />
<br />
The contract also included, as additional elements contracted:<br />
<br />
A remote control, to connect-disconnect the alarm.<br />
<br />
An external siren with flash, which is located inside the installation and sounds when,<br />
for example, the alarm is activated.<br />
<br />
<br />
Two magnetic detectors and two seismic detectors (although the contract includes them<br />
separately, they are the same devices, known as "shocksensors", which detect opening,<br />
closing and vibration and do not collect images.")<br />
<br />
An audio verification element (talk/listen), "(It is located inside the control panel and<br />
is used to perform audio and listening checks in case of an alarm trigger; it is also used<br />
to talk to the customer through the control unit.)"<br />
<br />
Three verification elements by video sensor (image photodetector), (Detectors with camera<br />
that react to temperature changes caused by movement, in such a way that, if they detect<br />
movement while connected, they trigger the alarm and collect images.)<br />
<br />
An external perimeter detector with image (same description as the photodetectors, but<br />
from outside).<br />
<br />
A smart key reader (tag reader), which is the device used to arm/disarm the alarm and is<br />
associated with 6 tags (smart keys that are used to disconnect the alarm by passing them in<br />
front of the smart key reader).<br />
<br />
"The only modification with respect to the initial state was the replacement of the two<br />
magnetic/seismic devices by three volumetric devices, which are cameraless detectors that<br />
react to changes in temperature caused by movement, so that if they detect movement while<br />
connected, they trigger the alarm". It then indicates that after the service was activated,<br />
at the time of the intrusion there were three photodetectors and three volumetric<br />
detectors, in addition to the rest of the elements already mentioned.<br />
<br />
<br />
It refers to the information included in the manual to complete the description of the<br />
operation of the system.<br />
<br />
"Regarding the connection system with the Alarm Receiving Center (hereinafter, "CRA"),<br />
this is carried out by means of a SIM card integrated into the control panel."<br />
<br />
3.4-a) Way in which the logs of the operation of the alarm system are generated and<br />
stored. Apart from generation by the machine in the course of its operation, can<br />
Securitas operators create logs? Under what circumstances?<br />
<br />
<br />
It states that "the system generates and stores records derived from:<br />
<br />
-Customer interactions with the alarm system, for example: connection,<br />
disconnection.<br />
<br />
-Internal verifications of the system, for example coverage (...), and<br />
<br />
-Activities of the alarm system in the performance of its function, for example an<br />
alarm trigger."<br />
<br />
<br />
"Regarding the possible generation of new logs by SECURITAS DIRECT operators, it is<br />
necessary to indicate that the catalog of logs that can be generated by the interaction<br />
of the installed system and the CRA is closed, that is, it is not possible to create new<br />
logs other than those that the system allows to generate. On the other hand, obviously,<br />
some of these previously configured logs will be generated as a consequence of the<br />
interaction of the system with an activity carried out by an operator or user authorized<br />
by SECURITAS DIRECT, as well as by the owner of the system or the persons authorized by<br />
the owner. However, as has been indicated, they would be found in the catalog of those<br />
that can be generated in the system and would not present any type of novelty with<br />
respect to the existing ones, that being impossible."<br />
<br />
<br />
b) Report whether the alarm system control unit itself is capable of storing records or<br />
only originates and sends signals, which signals or records it originates, and what their<br />
destination would be.<br />
<br />
It replied that: "The control unit (control panel) of the alarm system is capable of<br />
storing records; in fact, it holds ***NUMBER.3 events, which are deleted cyclically<br />
according to the records that are generated and recorded continuously. As new records<br />
are generated and recorded, the oldest ones are deleted, maintaining a temporal order of<br />
recording and deletion, always within the ***NUMBER.3 records that it can hold."<br />
<br />
<br />
Within these recorded events, a distinction must be made between:<br />
<br />
(i) those that generate a log, a copy of which has been provided in Document No. 2 of<br />
those provided together with the pleadings to the Initiation Agreement (they collect<br />
mixed technical logs together with those considered personal data logs, in sequential<br />
order of date and time, with the following keys: "signal classification", a key that is<br />
specified in ANNEX II of the allegations to the initiation agreement together with whether<br />
or not it is considered personal data and why; the description; the broader description<br />
(called in the column "(...)"); comment; event; event extension; priority; zone).<br />
<br />
(ii) and other merely technical events related to the interconnection produced for the<br />
transmission of the logs to the CRA of SECURITAS DIRECT (e.g. channel by which the log is<br />
sent, successful connection, acknowledgment, etc.). Since those mentioned in point (ii)<br />
only refer to the transmission and not to any type of specific action, and do not generate<br />
a log, they would not be part of what was requested by the claimant.<br />
<br />
"The destination of these records is the CRA, although the information mentioned in<br />
point (ii), as well as the logs that do not reflect a relevant event related to the alarm<br />
operation, are not communicated and remain in the internal memory of the control unit,<br />
and are only accessible by SECURITAS DIRECT personnel in case an event occurs that<br />
requires forensic analysis. In any case, the logs that remained in the internal memory of<br />
the control unit disabled by the action that occurred on November 27, 2015 have been<br />
incorporated into the information provided in the aforementioned Document No. 2 of the<br />
pleadings to the Initiation Agreement."<br />
<br />
<br />
c) When talking about the internal memory of the device, where is that internal memory<br />
located? What events does it record, and what are the differences with the signals that<br />
the control panel can send to the alarm control center?<br />
<br />
It responds that it is housed in the motherboard of the control unit (control panel).<br />
<br />
As for the events it reflects, it has already detailed them.<br />
<br />
d) Inform whether it is possible, and under what circumstances, to activate or deactivate<br />
the alarm from the CRA, whether the operation can be recorded in logs and whether, in this<br />
case, any event of this type occurred in the requested access period.<br />
<br />
It answers that "From the CRA, operators have the ability to activate or deactivate the<br />
alarm only at the customer's request, within the framework of a telephone interaction<br />
with the customer. This request is duly registered through its corresponding log."<br />
<br />
<br />
"In the case analyzed in this file, said functionality was used within the requested<br />
period, and proof of this are the records detailed below, which are part of the<br />
information sent to the Agency:<br />
<br />
• (...):<br />
<br />
o 12/18/2015 at 20:08:57 - Order sent (...) Total per user: B.B.B..<br />
o 12/18/2015 at 20:09:08 - (...) external Total.<br />
o 12/18/2015 at 20:19:59 - Order sent (...) Total per user: B.B.B..<br />
o 12/18/2015 at 20:19:59 - (...) external Total.<br />
o 12/18/2015 at 20:20:07 - Order sent (...) Perimeter by user: B.B.B..<br />
o 12/18/2015 at 20:20:19 - (...) external Perimeter<br />
<br />
• (...):<br />
<br />
o 12/18/2015 at 20:18:56 - Order sent Disarm by user: B.B.B..<br />
o 12/18/2015 at 20:19:11 - De(...) external: ***NUMBER.4.<br />
<br />
3.5-Verification mode(s) of the alarm(s) applicable in this case, which logs are<br />
generated, and indicate those that with this description appear in the period requested<br />
by the claimant.<br />
<br />
It responds that "the logs that are generated to verify the operation of the alarm can be<br />
classified as follows:<br />
<br />
(i) those that are generated as a consequence of an interaction of the holder of the<br />
contract, or of a person authorized by the holder, with the alarm system;<br />
<br />
(ii) those derived from a human interaction produced from the CRA; and<br />
<br />
(iii) those that are generated automatically, without human intervention of any kind.<br />
<br />
In this sense, and taking into account that only the logs listed in points (i) and (ii)<br />
imply a processing of personal data, and of these only those listed in point (i) involve<br />
the processing of the data of the Claimant or of the persons authorized by the Claimant,<br />
in Document No. 1 provided by the defendant along with its pleadings it was clarified<br />
that the right of access by the interested party to their own data only affected the<br />
logs contained in the aforementioned point (i) and not those listed in points (ii) and<br />
(iii), which do not include the Claimant's personal data.<br />
<br />
<br />
Specifically, and with regard to all the logs provided to the Agency, the following logs,<br />
which represent alarm verifications, would fit what is described in this answer:<br />
<br />
• Logs from 11/27/2015 from 20:09:47 to 20:17:07, the moment in which an action plan<br />
is contacted.<br />
<br />
• Logs from 12/06/2015 from 01:15:04 to 01:17:40.<br />
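Two technical points recur in the defendant's answers to 3.4 b) and 3.5 above: the control panel keeps a fixed number of events and overwrites the oldest ones cyclically, and the logs fall into three classes, of which only class (i) (holder or authorized-person interactions) is the claimant's personal data for the purposes of a right-of-access response. The following model, added here and not code from the AEPD decision or from Securitas Direct, puts both together so that the consequence a data protection or forensics practitioner cares about is visible: an access response built from the panel's memory alone silently omits whatever was already overwritten. The capacity (standing in for ***NUMBER.3), the signal-classification keys, the actor codes and the sample events are all constructed for illustration.

```python
"""Model of a fixed-capacity alarm-panel event memory and the three-way log
classification used to build a right-of-access response.

Added example; not from the decision or the vendor. Capacity, signal keys,
actor codes and sample events are constructed (hypothetical).
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime

# The three log classes described in the answer to 3.5.
HOLDER = "holder"              # (i) holder or authorized person interacts with the system
CRA_OPERATOR = "cra_operator"  # (ii) human interaction produced from the CRA
AUTOMATIC = "automatic"        # (iii) generated without human intervention

# Hypothetical "signal classification" table: signal key -> log class.
# Unknown keys are treated as technical (class iii), the conservative default
# for disclosure but one that must be reviewed when new signals are introduced.
SIGNAL_CLASS = {
    "DISARM_USER": HOLDER,
    "ARM_TOTAL_USER": HOLDER,
    "APP_STATUS_REQUEST": HOLDER,
    "CRA_FILE_ACCESS": CRA_OPERATOR,
    "CRA_ORDER_ARM": CRA_OPERATOR,
    "COMM_TEST": AUTOMATIC,
    "PANEL_SELFTEST": AUTOMATIC,
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    signal: str   # key from SIGNAL_CLASS
    actor: str    # user code, operator registration or device; pseudonymised
    zone: str = ""


class PanelMemory:
    """Fixed-capacity cyclic memory: once full, each new record evicts the oldest."""

    def __init__(self, capacity: int) -> None:
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self._events = deque(maxlen=capacity)

    def record(self, ev: Event) -> None:
        self._events.append(ev)  # deque drops the oldest entry when at maxlen

    def events(self) -> list:
        return list(self._events)  # oldest first


def classify(ev: Event) -> str:
    return SIGNAL_CLASS.get(ev.signal, AUTOMATIC)


def personal_data_logs(events) -> list:
    """Classes (i) and (ii): entries that involve some natural person's data."""
    return [e for e in events if classify(e) in (HOLDER, CRA_OPERATOR)]


def access_request_extract(events, start: datetime, end: datetime) -> list:
    """Entries to disclose to the holder: class (i) only, inside the requested window."""
    return [e for e in events if start <= e.ts <= end and classify(e) == HOLDER]


# Constructed sample events (not taken from the decision's logs).
SAMPLE_EVENTS = [
    Event(datetime(2015, 12, 18, 20, 8, 18), "CRA_FILE_ACCESS", "operator-X1"),
    Event(datetime(2015, 12, 18, 20, 8, 57), "CRA_ORDER_ARM", "operator-X1"),
    Event(datetime(2015, 12, 18, 20, 9, 0), "COMM_TEST", "panel"),
    Event(datetime(2015, 12, 18, 20, 18, 56), "DISARM_USER", "user-07"),
    Event(datetime(2015, 12, 18, 20, 20, 7), "ARM_TOTAL_USER", "user-07"),
    Event(datetime(2015, 12, 19, 3, 0, 0), "PANEL_SELFTEST", "panel"),
    Event(datetime(2015, 12, 19, 9, 30, 0), "APP_STATUS_REQUEST", "app-ios"),
]


def demo(capacity: int = 4, events=SAMPLE_EVENTS) -> dict:
    """Record all sample events into a panel of the given capacity and report
    what survives, what was overwritten, and what an access response would contain."""
    mem = PanelMemory(capacity)
    for ev in events:
        mem.record(ev)
    retained = mem.events()
    window = (datetime(2015, 12, 18), datetime(2015, 12, 20))
    return {
        "retained": len(retained),
        "lost": len(events) - len(retained),          # overwritten, unrecoverable here
        "personal": len(personal_data_logs(retained)),
        "disclose": [e.signal for e in access_request_extract(retained, *window)],
    }


if __name__ == "__main__":
    for cap in (4, 10):
        print(f"capacity={cap}:", demo(cap))
```

With a capacity of 4 the two CRA-operator entries and the communication test are already gone by the time the seventh event is written, so a response assembled from the panel would show only the three holder interactions and give no hint that class (ii) entries ever existed; with a capacity of 10 all seven survive and the same three are disclosed. The class lookup is a plain table, as the answer to 3.4 a) describes for a closed catalog of signals; the point for a reviewer is that the table, not the panel, decides what counts as the data subject's personal data, so it should be versioned and reviewed alongside the catalog.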
<br />
3.6-a) Report on the aspects of configuration, operation and types of configuration of<br />
the device in the security system contracted by the claimant, and on the different types<br />
of users that were contemplated and had access to the device settings, if any. The way in<br />
which the various actions of potential users are identified in the logs, in the various<br />
roles that they may assume: holder, authorized person, contacts in the different elements<br />
of the system. In one of the log names appears "user ***USER.1 accessed the client's<br />
file": who is this user, given that in other cases they refer to the staff of the entity<br />
as "technician", "operator"?<br />
<br />
<br />
a) Regarding the term used in the logs, "designated contact": description of whom it<br />
refers to and its relationship, where appropriate, with those authorized to access the<br />
system, and, in this case, whether the designated contact is only the holder of the alarm<br />
contract. Relationship of the actions carried out by the owner or authorized persons<br />
regarding the technical situations in which the system can be found, (...)/(...), and<br />
whether such actions can be identified by relating them to the person who interacts.<br />
<br />
<br />
b) Report the number of authorized users in the alarm system contracted by the claimant,<br />
the number of designated contacts, and whether the only designated contact was the holder<br />
of the contract; the roles that differentiate, in their actions and their limits, the<br />
authorized user from the designated contact. For what type of actions each one? And what<br />
type of actions can only be carried out by the holder?<br />
<br />
<br />
c) Document in which the holder of the service has given the data of the authorized<br />
users and designated contacts.<br />
<br />
He answers that "to clarify the way the alarm systems interact with the CRA, this is<br />
answered jointly. The authorized contacts are understood to be those of the owner who<br />
contracted the system, the claimant, while the users with access to the system would<br />
correspond to SD staff.<br />
<br />
Authorized or designated contacts may interact, in any case or under certain<br />
circumstances, with the CRA, making a communication to it in which the modification of<br />
certain characteristics of the action plan established in the contract may be requested<br />
(e.g. delay time in the activation/deactivation of the system, update of contact<br />
telephone numbers, etc.). In any case, that interaction must be preceded by the keyword<br />
also established in the contract. Likewise, the authorized contacts, in their order, will<br />
be the recipients of the calls that SECURITAS DIRECT may make in the event of any kind of<br />
impact on the operation of the system. In this specific case, as can be verified, the<br />
Claimant designated four authorized contacts in the Contract, also establishing their<br />
order in the event that interaction with them was necessary (see the last two tables on<br />
page 16 of the contract). Together with the authorized contacts and the contract holder,<br />
the other natural persons operating in the system are the users, identified as the<br />
SECURITAS DIRECT agents who may receive a specific incident as a consequence of an<br />
interaction with the owner or those designated contacts and, where appropriate, carry out<br />
the operations requested by them. This would give rise to the generation of the<br />
consequent log, which in the assessment attached to the document of allegations to the<br />
Initiation Agreement was considered personal data of the Claimant, as it proceeds from<br />
an action requested by the Claimant or by a person authorized by the Claimant.<br />
<br />
So that authorized users of SECURITAS DIRECT are not directly identifiable or accessible<br />
by third parties, each of them has a unique name or "registration" made up of<br />
alphanumeric characters that exclusively allows their internal identification by the<br />
company. Such is the code "***USER.1" that appears in one of the logs and about which<br />
the AEPD has raised the question of users. In this case, the registration of the<br />
interested party is recorded and not their generic name, given that the access occurred<br />
as a consequence of the interaction carried out by the contract holder, thus guaranteeing<br />
the traceability of what was requested and the determination by SECURITAS DIRECT of who<br />
attended said request.<br />
<br />
Finally, within the users of the system, reference should be made to the remaining<br />
technicians or operators, (...). In this case, the log generated by their activity does<br />
not generate a registration, since the aforementioned guarantee of traceability is not<br />
necessary.<br />
<br />
<br />
For the purposes of the logs provided in this case, those that generate an interaction<br />
between the owner, or a contact designated by the owner, and SECURITAS DIRECT are those<br />
between 12/05/2015 at 14:19:04 and 14:45:45, where ***USER.1 accesses the customer file<br />
to manage and agree on maintenance with the customer associated with the event that<br />
occurred on 11/26/2015.<br />
<br />
Subsequently, also at 18:38:10 on 12/05/2015, the log shows the registration<br />
***MATRICULA.1, which is the technician who physically travels to the address of the<br />
claimant to carry out the corresponding maintenance, and connects to the system to do it.<br />
<br />
<br />
Finally, on 12/18/2015 at 20:08:18 the SECURITAS DIRECT employee B.B.B. logged in, as a<br />
result of a customer call to SECURITAS DIRECT in which the customer consulted the<br />
connection status of the alarm at that moment. For this, the employee must access<br />
through an internal tool, which requires logging in with their professional email and<br />
password, through which they can check the connection status of the system and interact<br />
with the system as the client requests. Although this interaction is recorded in the<br />
logs, the way it has to be executed means that, in the registration field, the email<br />
appears instead of the registration (without @securitasdirect.es). In this case, the<br />
claimant contacted the SECURITAS DIRECT operator who is identified in these logs and<br />
who, at the moment of initiating the connection, had to have previously identified<br />
themselves to the Claimant; therefore the latter already had the identifying information<br />
of this user at the time the connection was made."<br />
<br />
3.7 a) Operation of the programming of the device when entering the home with the<br />
security system active, in order to deactivate it, or vice versa, to leave it configured<br />
when the house is left, also considering that there may be different users, and how it<br />
has to operate when accessed by a user other than the one who left it programmed on<br />
leaving the alarm.<br />
<br />
He replied that "the Manual incorporates the activation and deactivation procedure of the<br />
alarm system as a consequence of the interaction of a user, it not being necessary for<br />
these purposes that activation and deactivation be carried out by the same user."<br />
<br />
a) Indicate whether the contracted service included control of the application with a<br />
mobile device or telephone terminal and how it interacted with the logs stored on the<br />
server in the requested period.<br />
<br />
It indicates that "the contracted system allowed its activation and deactivation from<br />
the application (hereinafter, the "App") that the user could install on their mobile<br />
device (this application exists in iOS and Android versions). Taking into account the<br />
above, when there is an interaction by the owner or an authorized contact that involves<br />
the connection or disconnection of the alarm system, said incident is recorded in the<br />
internal memory of the device, although it is only transmitted to the CRA in case the<br />
action responds to the existence of a security incident. In that case, that is, when a<br />
security incident occurs (e.g. disconnection as a consequence of an alarm trigger) and<br />
later the system, the log is registered in the CRA identifying the user (key, command or<br />
code) that performed the action. Similarly, if the disconnection or connection is<br />
performed from the App, the log is transmitted to the CRA, reflecting that an action was<br />
carried out through an iPhone or Android device, but not the telephone number from which<br />
that action was performed.<br />
<br />
<br />
In the present case these records would be the following:<br />
<br />
• 12/06/2015 at 1:15:27 – Disconnection. KF 00 - User: 07 Disconnection by jump of<br />
alarm at 1:15:04 (...). This log records a deactivation of the alarm system by means of<br />
a remote control following an alarm trigger.<br />
<br />
<br />
"Regarding logs associated with interactions with the alarm system through the APP<br />
installed on the claimant's mobile", it refers to requests from iPhones of different<br />
types: status request, of (...), of image, on various dates from 12/06/2015.<br />
<br />
<br />
<br />
In any case, the internal memory of the control unit (Control Panel) to which my client<br />
has been able to gain access, that is, the one initially installed and destroyed in the<br />
events that occurred on 11/27/2015, does not incorporate, within the time period with<br />
respect to which the right of access was exercised, any log referring to (...) or to<br />
(...) of the alarm system, this being, and no other, the reason why the information<br />
provided to the Claimant does not incorporate any record of this nature in relation to<br />
the disabled device. Regarding the logs that appear in the internal memory of the one<br />
installed on December 5, 2015, as will be analyzed when responding to the question<br />
formulated in point 4.14 of the letter of that AEPD", (3.14 of this proposal) "my<br />
principal was not able at any time to access the information, so that it was not<br />
possible for it to provide it to the interested party."<br />
<br />
<br />
3.8-a) Whether, in accordance with the specific regulations of the alarm operation<br />
sector, periodic reviews are carried out, what these would be, and whether they appear in<br />
the logs, determining which are the specific logs that correspond to such reviews.<br />
Whether the so-called record of incidents, which is discussed in OM 316/2011 of 1/02 on<br />
the operation of alarm systems, bears any relation to the logs generated by the system.<br />
<br />
It responds that: "periodic reviews are provided for in article 43 of RD 2364/1994<br />
approving the Private Security Regulations and in article 5 of Order INT/316/2011. These<br />
reviews would include at least the obligation to carry out a single face-to-face annual<br />
review. The SECURITAS DIRECT CRA has the ability to perform these checks remotely,<br />
typically every three months. In addition, it indicates that daily tests of<br />
communication and correct transmission of the alarm system with the CRA are carried out<br />
automatically."<br />
<br />
<br />
Examples of the aforementioned verifications are attached:<br />
<br />
12/06/2015 18:45:42 Panel use: Tot 00, Parc 00, Per 00, Anx 00<br />
12/05/2015 18:38:10 INSTALLATION IN TESTS<br />
12/05/2015 18:38:10 INSTALLATION UNDER TESTS FOR MAINTENANCE - ***NUMBER.1 BY TECHN<br />
05/12/2015 18:38:10 000:08:00 ALL ZONES<br />
12/05/2015 18:38:10 TECHNICIAN: ***REGISTRATION.1-C.C.C.<br />
<br />
"On-site reviews are recorded in the log of the CRA alarm management system, since the<br />
technician must check a series of system parameters and carry out the various functional<br />
checks. Likewise, as contemplated in the regulations, if remote reviews were made, these<br />
would be reflected in the event memory of the alarm system (art 5.2 OM and annex III:<br />
quarterly face-to-face maintenance with a possible alternative of automated and<br />
bidirectional self-test)."<br />
<br />
<br />
b) Difference between inspections and maintenance operations of the installation in<br />
operational state, where the latter are regulated, and through which modality these<br />
maintenance operations are carried out.<br />
<br />
He indicated that "The review is a mandatory, preventive and periodic task described in<br />
the aforementioned Private Security Regulation and Ministerial Order 316/2011, and<br />
maintenance is a corrective task aimed at solving specific incidents that prevent the<br />
correct functioning of the alarm system, and whose purpose is to correct these<br />
incidents. The review is carried out as has been set out in section a), while<br />
maintenance will depend on the need and nature of the incident, and can be carried out<br />
face-to-face or remotely."<br />
<br />
3.9- Whether there is any relationship between the revision record books, the alarm<br />
record books and the incident record of OM 316/2011 of 1/02 on the operation of alarm<br />
systems, and the logs generated by the device installed in the residence of the claimant;<br />
whether data from the logs are transferred to said books, and their relationship with<br />
the consideration of personal data of the owner.<br />
<br />
He replied that "Security companies, depending on the activity for which they are<br />
authorized by the Ministry of the Interior, are obliged to keep certain books. In the<br />
case of SECURITAS DIRECT, it must keep the following books, the models of which have<br />
been officially approved by the Ministry of the Interior:<br />
<br />
• Alarm Record Book. Completed and kept in custody by SECURITAS DIRECT. It is intended<br />
to record the confirmed alarm messages that are notified to the Security Forces and<br />
Bodies. "In the present case, there was no confirmed alarm, so they would not be<br />
included in this book"". It provides a printout of part of the book in which there is no<br />
entry.<br />
<br />
• Company Review Record Book. Completed and kept by Securitas Direct, it is intended to<br />
record all periodic face-to-face reviews that are made to the alarm systems of its<br />
operational clients.<br />
<br />
• Record Book of Communications with the Security Forces and Bodies, whose object is the<br />
record of the collaborations and assistance that are carried out during the year with<br />
the Security Forces and Bodies.<br />
<br />
"In none of the aforementioned books are the logs or signals of the alarm systems<br />
recorded as recorded by the system itself, but rather the information about that event<br />
communicated to the Security Forces and Bodies, providing the data requested in the<br />
book".<br />
<br />
<br />
<br />
3.10-To verify the way in which the raw record or log appears in the system, they are<br />
requested to provide a copy of the raw log:<br />
<br />
a) From 12/15/2015, 4:50:24 - Informative signal - which was the first to appear in the<br />
right of access delivered to the claimant in its brief of 02/23/2021.<br />
<br />
a) One of the logs of 11/27/2015, which appear grouped under "CRA Action", and whose<br />
"extended description" reads "different generic actions of the human operator…"<br />
<br />
It indicates that all the logs generated in the system appear collected in their<br />
entirety in the document provided as document two, together with the brief of<br />
allegations to the initiation agreement.<br />
<br />
It provides document 5 with the extract of the specific logs requested.<br />
<br />
The logs of 11/27 occupy 8 lines, alarm receiving center action.<br />
<br />
<br />
<br />
b) Indicate how the information referred to in the "extended log description" is<br />
produced before its elaboration, or where one goes so that in some cases it is such a<br />
generic or open description, and whether these generic descriptions can be detailed<br />
further.<br />
<br />
He replied that "As can be verified in the information contained in the previous answer,<br />
the "extended description of the log", which was incorporated in the first of the<br />
responses given to the Claimant by my client, is not contained in the logs generated by<br />
the system, which were reproduced as they are shown in the second of the answers. This<br />
description was introduced in the first reply to the Claimant with the sole and<br />
exclusive purpose of clarifying the scope and meaning of the logs. In this sense,<br />
SECURITAS DIRECT considered that the information provided to the Claimant in raw form<br />
(document number 2 of those provided together with the allegations to the Initiation<br />
Agreement), without a minimal description of the meaning of the logs, might be of no use<br />
to the Claimant."<br />
<br />
<br />
3.11-In their allegations, they indicated that:<br />
<br />
"... the records considered as personal data have been provided on three occasions and<br />
in two different formats, including complementary information that enables the claimant<br />
to understand them. It should be remembered that the records generated by the systems of<br />
my client have been provided as generated in them, and even so efforts have been made<br />
that even exceeded the obligation of my client, so that the recipient could understand<br />
the event that they reflect".<br />
<br />
It is requested that they provide or inform about the complementary information that<br />
helps to understand it and where it comes from.<br />
<br />
It responds that "the supplementary information referred to in this question is that<br />
referred to as the "extended log description", already mentioned in the previous<br />
section, which my client incorporated into the responses provided to the interested<br />
party at the time of responding, on all occasions together with each of the logs,<br />
trying to set out, even through a brief description, the actions to which each of them<br />
responded. In this sense, my client made all the efforts reasonably required to address<br />
as clearly as possible what was requested by the Claimant, not limiting itself to<br />
providing the logs in the format in which they were generated in the SECURITAS DIRECT<br />
systems, but briefly clarifying the scope of each of the code lines provided."<br />
<br />
3.12 Regarding the "active interactions of the user himself with the systems, physically or through the mobile application" and the "passive interactions of the user or of third parties that can provide information on their way of acting”, they are asked to give examples, to state whether in all cases these could be personal data or not, and to identify the logs that fall within these categories.<br />
<br />
It responded that "The user's own active interactions with the system are reflected in the corresponding log. In particular, reference should be made to the arming and disarming of the alarm system, which are only registered if a previous alarm trigger has occurred, as indicated in the response to the question raised in point 4.4 of that AEPD's letter” (in this proposal, 3.4).<br />
<br />
Along with these physical interactions, the client may have other complementary or extra ones, such as pressing the “112” button, which generates a direct call from the control panel to 112. Also, as a physical interaction, the “SOS” can be pressed from the control panel and from the key reader (tag reader). Similarly, a "duress code" can be entered through the numbers indicated on the control panel, or a tamper/sabotage signal can be generated intentionally, consisting of removing a device for a certain reason (e.g. because the house) or without one (e.g. because it was hit accidentally).<br />
<br />
Finally, through the mobile application, the alarm can be armed and disarmed, the system status queried, invoices reviewed, or a request for images made.<br />
<br />
Examples related to physical interactions with the system are defined in the column “***COLUMN.2 (...)”.<br />
<br />
Regarding the "passive interactions", they do not involve an activity of the owner or their contacts, but rather contain information that, if analysed, something that SECURITAS DIRECT does not do, could reveal behavioural habits of those persons (e.g. repetition of periods in which the system is (...), which would denote absence from the dwelling covered by the security system), for which reason they were considered personal data and were provided to the Claimant. Consequently, this information is not derived from a specific log but from a more detailed analysis of the logs that, as indicated, is not carried out by my client.”<br />
<br />
3.13 They stated that "we inform you that (...) the Securitas Direct alarm systems register and store the information coming from events of technical origin and from events originating in the interaction of the devices installed in the clients' homes". They are asked to specify, regarding this internal memory, in which device it exists, what its function is, which events it records, where they come from, how long they are stored and when they are collected, as well as which devices it interacts with, and how the saving takes place, with what periodicity, and its destination.<br />
<br />
It replied that "the internal memory of the device is located on the motherboard of the alarm control panel, its function being to record the events generated in the system, storing only the last ***NUMBER.3 carried out, as indicated in question 4.4.b) (in this proposal, 3.4.b). These records are deleted cyclically as new records are generated and recorded, so that the generation of a new record implies the deletion of the oldest of those ***NUMBER.3. Such events can correspond to panel interactions with:<br />
<br />
(i) the owners and the contacts authorised by them;<br />
<br />
(ii) the remaining devices of the system (e.g. volumetric sensors or photodetectors); or<br />
<br />
(iii) the SECURITAS DIRECT backend.”<br />
<br />
The defendant stated that "After accessing the records contained in the alarm's memory, it has been verified that it was armed from 11/22/2015 at 11:56 and that there was no anomaly; likewise, the alarm recorded and sent movement detection signals at 8:09 p.m. on 11/27/2015, not registering any event afterwards.”<br />
<br />
<br />
3.14 The claimant stated in the procedure for the exercise of rights TD/00167/2021 that "the request for access to the records contained in the memory" refers to both "the destroyed alarm control panel and the one that was installed in my home on 12/5/2015 and that continued to generate signals and records”. For this purpose, the defendant is requested to report on the panel that the claimant says was installed on 12/5/2015: whether it was within the same contract, the reason why it was installed and what impact it has on the logs of the destroyed one, and why the internal memory logs from said date to 12/13/2015 were not provided.<br />
<br />
It replied that "First of all, it is necessary to indicate that my client did provide the information referring to the logs generated during the period of time indicated in your request, as appears in the file, in which the two answers provided to the Claimant by SECURITAS DIRECT are incorporated (the first incorporating a detailed description of the logs and the second providing the logs as they are collected in my client's systems).<br />
<br />
In this sense, both the logs stored in the CRA and those coming from the internal memory contained in the control panel destroyed on 11/27/2015 were provided. Regarding the logs generated from the installation of a new control panel, the CRA, and therefore my principal, can only access the logs that are transmitted to it from the device's internal memory, but not those of a merely technical nature that are generated in said internal memory, given that SECURITAS DIRECT can only access the content of that device in the event that an incident had occurred requiring its forensic analysis. In this case, given that no such incident took place, the device remained in the Claimant's home until the termination of the Contract, without SECURITAS DIRECT at any time being able to access said internal memory, nor was it necessary to carry out any forensic analysis of its content, as there was no incident that required it. As can be verified, these answers do contain information referring to the period mentioned in the question raised. However, it is clarified that said events are incorporated into the document provided by my client as No. 2 to the pleadings to the Commencement Agreement, and were generated from the aforementioned 5 December 2015.<br />
<br />
On the other hand, in case of destruction of the control panel, and always within the scope of the contracted services, the former is replaced by a different one, said installation, and the logs generated from the moment of installation, being part of the performance of the aforementioned contract. In the case at hand, the reason for the replacement of the control panel on December 5, 2015 was the damage suffered as a result of the intrusion that occurred on 11/27/2015. As already indicated in the answer to a previous question, the logs are not modified by the fact that this substitution of the device occurs, being those derived from the interaction of the alarm system with the CRA.”<br />
<br />
<br />
3.15 For what reason do they indicate in the appeal for reversal against the exercise of rights TD/167/2021 that "in lines of code format" would satisfy to a lesser extent compliance with the requirements demanded by the GDPR so that the right of access can be considered adequately addressed? And what is the "lines of code" format: is it that of the logs in chronological order, without grouping? They are asked to provide a copy of a lines-of-code format as an example, that of the fifth access point delivered to the claimant on 02-23-2021, "CRA performance", and to indicate what is referred to in the reversal appeal against TD/00167/2021 by the information that "is listed in the table attached to the letter of 02/23/2021": whether it is the general explanation of what each column contains or other information, and where it was listed, forwarding a copy of it and stating whether it was sent to the claimant.<br />
<br />
It responded that "Given that, in accordance with the requirements of Article 12.1 GDPR, the information provided to the interested party requesting the right of access must be provided in a "concise, transparent, intelligible and easily accessible" manner, and as has already been repeatedly stated in this letter, SECURITAS DIRECT considered that the mere reproduction of the lines of code corresponding to the logs generated by the system, in the format in which they are visible to my principal, would not allow the Claimant to know the scope, sense and significance of each of the logs sent in response to their request to exercise the right of access.<br />
<br />
For this reason, the information was sent indicating the corresponding log, the date and time of its generation, and the description of the meaning of said log.<br />
<br />
Notwithstanding this, and given that the interested party did not agree with the information provided, the raw information was also delivered as generated in the SECURITAS DIRECT systems, said information being that collected, shaded in green, in Document Number 2 provided by this party together with its brief of allegations to the Commencement Agreement.”<br />
<br />
<br />
3.16 The defendant is requested to report how the accesses delivered to the claimant in the letters of 02/23/2021, 05/18/2021 and 12/14/2021 are similar, and what differences exist among them in terms of quantity and content of logs, and why in the latter and in the May one there were no keys or clear indication of the various expressions used in that table.<br />
<br />
It replied that: ”As has been indicated on various occasions throughout the present writing, the difference between the two responses provided to the interested party lies only in their format, both containing the same logs. Thus, the one provided on February 23, 2021 set out each of the logs collected in the SECURITAS DIRECT systems that contained personal data, including in the first column the times at which they had been generated and in the third a summary description of the meaning of the corresponding log. For its part, in the information provided on May 18, 2021, and subsequently reproduced on December 14, 2021, in view of the Claimant's contention that the information provided had not been delivered in the format in which it is collected in my client's systems, the aforementioned information was reproduced without the explanatory description of the logs. In this way, each line of the document (those marked in green in Document Number 2 attached to the allegations to the Initiation Agreement) referred to an individualised log, the lines in which said log was repeated being logically similar. Apart from the aforementioned differences, referring only to the way of presenting the information and not to its content, there is no additional difference of any kind."<br />
<br />
3.17 a) Indicate, for the service contracted by the claimant, which logs would be generated when the alarm is triggered, according to the different circumstances that may occur, and what action or actions would be carried out. Indicate the logs that are related to any type of alarm trigger that exist in the tables, the differences between them, and the characteristics taken into account for them to be considered as containing personal data of the claimant or not.<br />
<br />
It responded that "the logs generated with the alarm trigger suffered by the Claimant on 11/27/2015 appear in the document provided by SECURITAS DIRECT together with the brief of allegations to the Initiation Agreement, comprising those between the first of those generated on November 27, 2015 at 20:09:47 and the one generated the same day at 20:17:07. Likewise, the aforementioned document includes the remaining cases in which an alarm trigger occurred and the logs generated, differentiating those that do or do not contain personal data, depending on whether they are shaded in green or red, and based on the information included in the report that was attached as Document No. 1 together with the allegations to the Commencement Agreement of this procedure. As can be seen, these logs begin with the detection of a volumetric alarm alert at 20:09:47, generating a random code (1155) (which is generated with any alarm trigger) so that, if a guard is sent, he can disarm it (in this case it was not used, since it was determined that sending a guard was not necessary). From that moment, the system verification logs are recorded for the transfer of information to an operator, who from that moment makes the pertinent calls to those who appear as designated contacts in the Agreement entered into by the Claimant. As can be seen, these attempts are unsuccessful with respect to the first three contacts, where the call goes to voicemail; communication can be established with the fourth contact, who, however, does not provide the password that allows communication to be established and that is also previously set by the Claimant in the Contract, concluding the processing of the alert on November 27, 2015 at 20:17:07.<br />
<br />
As can also be verified, all the actions related to the alarm trigger and the contact attempts have been considered personal data and provided to the Claimant, while the logs relating exclusively to the way in which the SECURITAS DIRECT systems manage and channel the actions to be carried out in these cases, or those that refer exclusively to the intervening operator, do not have such consideration. The explanation justifying whether or not the information is considered personal data is contained in the report provided by my client as Document No. 1 together with the allegations to the Initiation Agreement. Likewise, the existence can be verified of different logs related to alarm triggers subsequently deactivated on December 5, 2015 from 18:56:37, all of which have been provided to the Claimant because they are considered to incorporate personal data relating to them, given that these are actions aimed at testing the operation of the system installed in their home, carrying out different alarm tests (volumetric, seismic, duress or magnetic). An alarm trigger also occurs on December 6, 2015 at 01:15:04, the logs generated by the system being verifiable, which concludes with the communication with the owner indicating at 01:17:22 that the alarm trigger may have been generated by the chimney.”<br />
<br />
b) In the requested access, report whether, as a result of any alarm trigger, the possible access to the property was communicated to the Police, and whether it is registered in the logs, indicating which one it would be.<br />
<br />
It responds that "communication with the police generates the corresponding log, which in this case was not generated because that contact did not take place.”<br />
<br />
c) Likewise, report whether the logs contain any "unconfirmed alarm" event, indicating which they would be and whether they have been considered personal data.<br />
<br />
"In the response given to the first of the questions contained in this section, the alarm triggers produced and their vicissitudes have been indicated. The explanation about whether or not the generated logs contain personal data is included in Document No. 1 attached to the allegations to the Commencement Agreement.”<br />
<br />
<br />
3.18 Whether, when an alarm trigger occurs, all the actions related to the device remain in the logs and whether, additionally, others can be generated or created by the operators themselves, and what they would be, indicating whether all of them would be personal data or not, and the logs of each one (whether personal data of the claimant or not).<br />
<br />
It answered that: "in the answer to the previous question, the alarm triggers produced in the Claimant's system have been indicated together with the logs generated, it being possible to differentiate between those that do or do not contain personal data. Likewise, as already indicated, the logs generated by the system are not left to the discretion of its users or of SECURITAS DIRECT personnel, being those previously set up in the system, although logically the actions of said personnel give rise to the generation of the corresponding previously configured logs.”<br />
<br />
<br />
<br />
3.19 a) Regarding the protocols that Securitas must carry out voluntarily (checks and technical verifications, and those related to system maintenance), specify the articles and the specific rule that regulates them, the periodicity or whether motu proprio, the summary internal protocol of actions carried out by them, and whether the applicable regulations provide for monthly activity reports for each alarm for the owners, and whether these reports are fed from logs extracted from the device's register.<br />
<br />
It answers that: "First of all, one must start from the difference between a review and maintenance, to which reference has already been made in the answer given to the question included in point 4.8” (in this proposal, 3.8) "of that AEPD's letter. On that basis, reviews and maintenance are regulated in Articles 43 to 45 of the Private Security Regulations and in Article 5 of Order INT/316/2011. These refer to the periodicity of the reviews, as well as to the way in which on-site and remote reviews must be carried out, both in accordance with Annexes II and III of the aforementioned Order. The tests verifying correct communication and transmission of the alarm are a test that must be carried out depending on the characteristics of the property, based on its different risk of robbery or intrusion (so, for example, in a jewellery store there is a greater risk, so the alarm systems must have periodic communication tests with a shorter periodicity than a system installed in a private residence). This aspect is also related to the security grades and the certification of the systems in accordance with the applicable UNE or UNE-EN standards. In addition, Article 45 of the Private Security Regulations regulates the delivery to the holders of the installations of a manual of use and of preventive and corrective maintenance that the user himself must carry out, including actions such as changing the batteries of devices, control over the placement of objects that prevents detection by the detectors, etc. The regulations do not regulate the obligation to send alarm activity reports, so each company determines whether the periodic sending of this information is carried out. In addition, the client can consult in the App the arming and disarming operations carried out with the different keys placed at their disposal. The only case in which a report is sent to the holder of the contract, as well as to the Security Forces and Corps, occurs in the event that a confirmed alarm trigger has occurred and it has not been transmitted to the Security Forces and Corps, in which case the reasons why that transmission did not take place are explained.”<br />
<br />
b) In their allegations they indicate: “Securitas generated logs until 20:09 on 11/27/2015, the time and date on which the intrusion into the claimant's residence occurred, during which said alarm system was completely disabled, so that from that date it could not generate more logs”. However, Annex I, which includes the logs, contains logs after 11/27/2015, 8:09 PM. How is this fact explained? And what is the origin and purpose of these logs, and why are they not considered personal data of the claimant?<br />
<br />
It responds that: "The logs generated from the moment of the alarm trigger, and after those related to the attempts to communicate with the contacts designated by the Complainant, refer to successive attempts at communication between SECURITAS DIRECT and the system installed in the Complainant's home, which were unsuccessful and are machine-to-machine interactions of a technical nature."<br />
<br />
<br />
3.20 Explanation of why there are logs with different markings, according to what was provided, considered personal data or not, and among these more than one that coincide in the exact recording of the time; for example, in the Excel tables provided in the allegations, the following appears as non-personal data: 11/27/2015, 20:09:47, volumetric alarm. Volumetric intrusion, seismic according to panel version. Devices that do not need restoration (V8.8 to 9.5). Radio volumetric intrusion; and the log of 12/5/2015, 18:56:37 / ALARM / URGEN / XPO09 RP-Perimeter alarm SER Volumetric-photo. Volumetric intrusion, seismic according to panel version. Devices that do not need restoration (V8.8 to 9.5).<br />
<br />
Answer: "As already indicated in the answer to the question raised in section 4.17” (in this proposal, 3.17) “of that AEPD's letter, the two logs mentioned therein differ in terms of their content, given that in the first case a volumetric alarm trigger of unknown origin occurs, which does not provide information about the interested party, the Claimant, while the second is due to the performance by the latter of various tests in the alarm reinstalled by SECURITAS DIRECT, from which the existence of personal data of the interested party is deduced, since it is the interested party who triggers the alarm system in order to verify its proper functioning.”<br />
<br />
<br />
3.21 In the table that was given to the claimant on 12/14/2021, as well as in document 3, the green table provided in the allegations, which are personal data, there are various codes in the columns, numerical or letters, without which the information is not clear. They are asked whether it would be possible to create or collect the meaning of these keys, which appear in almost all the columns.<br />
<br />
It replied that: "Regarding the alphanumeric codes that appear in the "SIGNAL" column, this is the message generated in the alarm system's own language, which is translated into the information that appears in the rest of the columns and essentially in the column “***COLUMN.2 (...)”.<br />
<br />
Therefore, to understand the meaning of the code, one must go to the field of column “***COLUMN.2 (...)”. The system sends messages that incorporate alphanumeric codes that are later translated into the different columns of the Log presented. The "SIGNAL" column collects the "raw" part of the message from the system, in its own language (machine language), which is then translated into the rest of the columns.<br />
<br />
For this purpose:<br />
<br />
• The column “***COLUMN.2 (...)” is the translation of the system-language event into technical language, so that the agent/operator understands what the message is about. This information is complemented by the columns “***COLUMN.1” and "***COLUMN.2", which contain complementary information so that the agent/operator can understand the event received at the CRA.<br />
<br />
• The "ZONE" column identifies the alarm device in which the event occurs (e.g. (...) identifies a recording photosensor in programming position 2) and the “AREA” column describes the corresponding zone of the installation (e.g. home living room).<br />
<br />
• The column “***COLUMN.3” indicates the priority of the signal, the values being the lower-priority ones.<br />
<br />
• The column “***COLUMNA.4” contains the type of signal that the event represents (e.g. INF is the code associated with "information", which appears in ***COLUMN.2 (...); SS is associated with “supervision”, as also included in ***COLUMN.2 (...); CC is associated with “coercion”, SO with “SOS”, AAC with “power outage”, etc.). In this way, these codes are directly linked with the information contained in column ***COLUMN.2 (...).”<br />
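The column structure just described, as an added illustration that is not part of the decision and not SECURITAS DIRECT's own code: a small Python script that parses constructed CRA-style event lines, pairs each raw SIGNAL code with the readable meaning that Article 12.1 GDPR required to accompany it in this case, separates events tied to the subscriber's or their contacts' actions from machine-to-machine events, and pseudonymises operator identifiers the way the ***USER.1 reference was. The pipe-separated layout, the codes ARM, DIS, ALM, CALL and ACC, the sample lines and the personal/technical rule are all assumptions; the five codes INF, SS, CC, SO and AAC and their meanings are the ones quoted above. The decision itself shows that the split depends on context (the same volumetric trigger was red on 11/27/2015 and green when the owner ran tests on 12/5/2015), which is why the rule below looks at who originated the event rather than at the signal type alone.<br />
<br />
```python
"""Added example (not from the AEPD decision or Securitas Direct): build a
subject-access export from alarm-receiving-centre (CRA) event lines.

Record layout, the extra type codes, the sample lines and the
personal/technical rule are constructed assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Type codes and meanings quoted in the decision (section 3.21).
TYPE_MEANING = {
    "INF": "information",
    "SS": "supervision",
    "CC": "coercion (duress code entered)",
    "SO": "SOS",
    "AAC": "power outage",
}
# Assumed codes, used only by the constructed sample lines below.
TYPE_MEANING.update({
    "ARM": "system armed by a user key",
    "DIS": "system disarmed by a user key",
    "ALM": "alarm trigger reported by a detector",
    "CALL": "operator call to a designated contact",
    "ACC": "operator opened the customer file",
})
# Event types that always record an action by the subscriber or their
# contacts, or an action directed at them (assumed rule).
USER_ACTION_TYPES = {"ARM", "DIS", "CC", "SO", "CALL"}

# Assumed layout: time|priority|signal|type|zone|area|actor, where actor is
# "user:<name>", "oper:<id>" or empty for machine-originated events.
FIELD_COUNT = 7


@dataclass
class Event:
    ts: datetime
    priority: str
    signal: str        # raw code in the panel's own "machine language"
    type_code: str
    zone: str
    area: str
    actor: str


def parse_line(line: str) -> Event:
    """Parse one constructed CRA record; reject malformed or unknown-type lines."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != FIELD_COUNT:
        raise ValueError(f"expected {FIELD_COUNT} fields, got {len(fields)}: {line!r}")
    ts, priority, signal, type_code, zone, area, actor = fields
    if type_code not in TYPE_MEANING:
        raise ValueError(f"unknown signal type {type_code!r}")
    return Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                 priority, signal, type_code, zone, area, actor)


def is_personal(ev: Event) -> bool:
    """Subscriber-related if the type is a user action or a user of the
    installation originated it; unattributed detector and supervision traffic
    is machine-to-machine and treated as technical."""
    return ev.type_code in USER_ACTION_TYPES or ev.actor.startswith("user:")


def pseudonymise_actor(actor: str, salt: str) -> str:
    """Operator identities stay pseudonymised (cf. ***USER.1); user-side
    actors are returned unchanged. Salted hash, truncated for readability."""
    if actor.startswith("oper:"):
        return "oper:" + hashlib.sha256((salt + actor).encode()).hexdigest()[:8]
    return actor


def build_access_export(lines, salt="constructed-salt"):
    """Return (personal_rows, technical_rows). Every row carries the raw
    signal together with its meaning, so neither list is a bare code dump."""
    personal, technical = [], []
    for line in lines:
        ev = parse_line(line)
        row = {
            "time": ev.ts.strftime("%Y-%m-%d %H:%M:%S"),
            "priority": ev.priority,
            "raw_signal": ev.signal,
            "meaning": TYPE_MEANING[ev.type_code],
            "zone": ev.zone,
            "area": ev.area,
            "actor": pseudonymise_actor(ev.actor, salt),
        }
        (personal if is_personal(ev) else technical).append(row)
    return personal, technical


# Constructed sample lines (timestamps echo the decision; content is invented).
SAMPLE_LINES = [
    "2015-11-27 20:09:47|URGEN|XPO09|ALM|Z02|living room|",
    "2015-11-27 20:10:15|URGEN|CT001|CALL|-|-|user:contact1",
    "2015-11-27 20:30:00|NORMAL|SUP01|SS|-|-|",
    "2015-12-05 14:19:04|INFO|ACC01|ACC|-|-|oper:jdoe42",
    "2015-12-05 18:56:37|URGEN|XPO09|ALM|Z02|living room|user:owner",
    "2015-12-05 19:02:10|URGEN|CCX01|CC|-|-|user:owner",
    "2015-12-06 01:15:04|NORMAL|AAC01|AAC|-|-|",
]

if __name__ == "__main__":
    personal_rows, technical_rows = build_access_export(SAMPLE_LINES)
    for row in personal_rows:
        print("PERSONAL ", row)
    for row in technical_rows:
        print("TECHNICAL", row)
```
<br />
Run as a script it prints three subscriber-related rows (the contact call, the owner's test trigger and the duress code) and four technical rows; the two XPO09 lines land on different sides because only the second carries a user originator, and the operator in the ACC row appears as a salted hash rather than as jdoe42.<br />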
<br />
3.22 In the report of 01/29/2021, provided by the defendant in the allegations, document I, table II, containing personal data, the following entry is recorded: 12/05/2015 14:19:04 / REGISTERED ACCESS: The user ***USER.1 accessed the client's file / Internal registration of the operator who is acting on a specific incident / Information related to a procedural and internal Securitas Direct operator / Is it considered personal data: YES / If applicable, it would be considered personal data of the operator itself and therefore would not be capable of being provided to the interested party requesting the right of access.<br />
<br />
They are asked to answer who the mentioned user is and, if that user accesses the client's file, whether this is related to the client's data, or to accesses from the time the alarm is working, and why they should not be provided; in fact, in the access delivered, it was provided.<br />
<br />
It answered that: "As already indicated in the answer to the question raised in section 4.6 of that AEPD's document" (in this proposal, 3.6), "the alphanumeric reference to the user refers to the registration of the same in their condition as an employee of SECURITAS DIRECT, this information being kept pseudonymised so that its disclosure to the Claimant does not imply a transfer of the data of said user, since access to the Claimant's customer file does not imply the processing of personal data of the latter, but only of the employee who accesses said information. The data has been provided to the Claimant in order to deliver to the Claimant all the information that it was possible to provide without thereby harming the ordinary activity of SECURITAS DIRECT or the information protected by trade secret. However, it is reiterated that the aforementioned log does not reveal any personal data referring to him. In this sense, the AEPD's doctrine is reiterated by virtue of which the right of access does not include access to the information referring to the specific users of the data controller who have accessed the applicant's personal data.”<br />
<br />
<br />
3.23 In the same report and the same table as in the previous case, there is the log of 12/18/2015, 20:08:18 ***COLUMN.1 Logged: B.B.B., explaining that “The record of a user's actions involves obtaining personal information about them. If it concerns personal data of a third user other than the person exercising the right of access, then it would not be possible to provide it to the interested party requesting the right of access". Since they know that under this log it is not the owner who exercises the right, what was then the reason why it appeared in the table delivered to the claimant on 02-23-2021 (there are others with the same reference)?<br />
<br />
It answered that: "As a prior consideration, it must be ruled out that the person referred to in the aforementioned log is the applicant for access, as it does not correspond to the Claimant, nor to any of the persons authorised by the claimant as contacts in their contract, as can be seen from the identification made in the matter raised. Having made this consideration, we refer to what is indicated in the answer given to the question raised in point 4.6 of that AEPD's letter” (in this proposal, 3.6).<br />
<br />
<br />
3.24 In document 2 presented in the registry with the allegations, named "confidential client total logs", which contains the logs in red and green, clarification is requested, because:<br />
<br />
The following notice appears in red as non-personal data:<br />
<br />
11/27/2015 20:09:47 / comment volumetric alarm / intrusion description volumetric-seismic according to panel version devices that do not need restoration v 8, 8 to 9.5 volumetric intrusion radius.<br />
<br />
In table I (report of 01/29/2021, provided by the defendant with its allegations) the log is also contained.<br />
<br />
It is requested that they report whether the alarm was activated by the owner and, given what appears in the information "radio volumetric intrusion", why they do not consider it personal data, being related to information on the last configuration made, or one that could have been made by the owner or another user; and what relationship it has with the next one that appears in green, as personal data, with the same date and time but different codes, and with another in red, of the same date and time, "description level of panel coverage".<br />
<br />
In addition, it is observed that the same description appears in green as personal data on different dates in the same chart, for example 12/5/2015 18:59:08, 18:59:27, 18:59:48, 18:59:57.<br />
<br />
Answer that: "As described in the answer to the question incorporated into section 4.17 of the AEPD document" (in this proposal 3.17) "the<br />
information marked in red responds to a technical event in which there is no personal data of the Claimant (in this case the detection of an alarm jump) and, therefore, it is not part of the information that must be delivered when attending to a request to exercise the right of access made by the aforementioned Claimant, in accordance with article 15 of the GDPR. This is indicated in the report provided by my client as Document No. 1 attached to the writ of allegations to the Commencement Agreement (page 25), as follows: This log line, although it provides information about an alarm jump in the sensors, insofar as no direct information on an attribute of the interested party is transferred, nor does Securitas Direct intend to analyze a pattern of behavior or influence it in any way, the information provided by the analyzed log line should not be considered as personal data. In this sense, it would be a description of the internal technical operation of Securitas Direct." The remaining logs generated on that date and time have been provided to the Claimant when they include personal data that could refer to him, not being provided in the event that they are merely technical events, following the content of the aforementioned report (see pages 23 to 26 and 36 to 38 thereof). The logs generated on 12/5/2015 to which this question refers do not derive from an exclusively technical event, but from the interaction of the user with the system, triggering the alarm to check its operation, for which reason they effectively reveal personal data of that person, and for this reason they have been delivered to the interested party when exercising their right of access, as described in the response to the question raised in section 4.17 of the letter of that AEPD." (in this proposal 3.17).<br />
<br />
3-25 a) Clarify, in document 1, table I, logs of non-personal data, from the report of 01/29/2021 provided by the defendant with its allegations, what the following means or to what it replies:<br />
<br />
"Logs, 12/06/2015 1:17:12, 12/06/2015 1:17:26 / NO REASON N/A. Does not provide information regarding any characteristic, pattern of behavior, or other user information. NO" (p. 26/105).<br />
<br />
Answer that: "As indicated in the answer to question 4.17" (in this proposal 3.17) "the cited logs respond to a technical incident, which gives rise to an interaction with the owner from which it can be deduced that said incident may have been caused by the chimney and that there is no anomalous situation. These interactions have been communicated to the interested party in the response provided to their exercise of the right of access."<br />
<br />
Despite the response, it can be seen that the logs appear in red in document 2 of the allegations to the initiation agreement.<br />
<br />
- Table I, after the previous one: all grouped in (...):0 "27/11/2015 20:11:34, 12/04/2015 11:04:50, 12/05/2015 9:30:10, 12/05/2015 10:48:31, 12/05/2015 13:14:21, 12/05/2015 14:17:44, 12/06/2015 1:15:22, 12/06/2015 16:33:51, 12/09/2015 8:54:14, 12/15/2015 2:38:08, 12/15/2015 4:54:57" - Indicative that the incident was transmitted to a human or machine operator. The signal, given its relevance, is transmitted to a machine or human operator to start the management process. However, it is an internal procedure from which no personal data of the user can be inferred. NO". It is requested to clarify the meaning of the key (...):0, what the incident would be,<br />
whether the signal comes from the home alarm switchboard, and why it does not say that the incident is treated and does not clarify to whom it is transmitted.<br />
<br />
It responds that "The callsign (...):0 is limited solely to recording in the system, as indicated, that a (...) is produced, either to an employee so that he carries out the actions that are established based on the event that has generated it, or to the system itself, to carry out the corresponding verifications. In this way, (...), but exclusively the internal procedure followed by SECURITAS DIRECT in the event of an incident that appears in a previous log, with which it can coincide in the generation time, given the automaticity with which it operates."<br />
<br />
<br />
3-26 In table I, of non-personal data, logs existing between the dates:<br />
<br />
a) 11/28/201 22:21:18 and 12/04/2015 9:04:26<br />
b) 12/04/2015 11:08:02 and 12/05/2015 13:16:56<br />
c) 12/06/2015 16:33:51 and 12/06/2015 16:33:57<br />
d) 12/15/2015 2:38:08 and 12/15/2015 2:38:12<br />
e) 12/15/2015 4:50:38<br />
f) 12/15/2015 23:24:51 and 12/16/2015 12:20:34 / (...) transfer, "Also, the logs describe the internal and technical actions carried out as a result of this disconnection"<br />
<br />
Report how and by whom this procedure is initiated, and before what event it usually occurs.<br />
<br />
Answer that: "As also indicated in the answer to question 4.17" (in this proposal 3.17) "of the letter of that AEPD, these records are derived from the signal that the system performs automatically to verify that it is operational. As there is no response from the system installed at the home of the holder, the logs to which reference is being made are generated, and from that log a maintenance procedure can be opened automatically, so that a technician proceeds to repair the device if necessary. In this sense, as appears in the information already provided, on December 4, 2015 at 11:25:04 my principal communicates with authorized contact number 2 of those designated by the Claimant in his contract, who indicates, as stated in the documentation, that my principal should contact them the next day to carry out tests, according to the COM LOG that we call the next day for tests. For this reason, the aforementioned communications of December 4, 2015 do contain personal data and have been delivered to the interested party as a result of the exercise of his right of access." It is appreciated that the log in which contact no. 2 is contacted, on 4/12/2015, could be the one at 11:06:07.<br />
<br />
3-27 Since the log can indicate that an intrusion has been detected and gives information about alarm jumps, explain why the log of 12/6/2015 1:15:04 and those grouped under PHOTO PIR RADIO intrusion in table I of document 1 are considered not to be personal data; it is not a question of them giving the data of the image, but the information that there has been an intrusion, and why said information would not be personal data.<br />
<br />
It is also observed that a log with the same date and time appears as personal data, in green, in document 2 of the allegations to the initiation agreement, although with another description: "code to disarm the alarm", "Central high priority". In other logs of later instants there appears "everything is fine", "indicates that it could be the chimney", interspersed with other red logs, of no personal data, about "panel coverage", "images so that CRA downloads them" or "images already in CRA".<br />
<br />
Answer that: "As indicated in the answer to question 4.17" (in this proposal 3.17) "the cited log responds to a technical incident produced in a photodetector which, in the claimant's judgment, had been generated by the home chimney. This incident gives rise to a volumetric alarm jump, that is, an intrusion or anomalous event is identified, and the contract holder may access the generated photograph through its App."<br />
<br />
<br />
3.28 a) In the same table and document mentioned above, logs from 12/15/2015 2:42:11 and 12/15/2015 4:50:19: "ELECTRICAL CURRENT (AUTO). Detection of lack of electrical current in the device. Securitas Direct technical information. To the extent that direct information about an attribute of the data subject is not transferred, nor does Securitas Direct intend to analyze a pattern of conduct or influence him in any way, the information provided by the parsed log line should not be considered as personal data." Indicate what the denomination implies and, if the device was (...) by the owner, why this log would not be considered information about its owner, since it could affect his right.<br />
<br />
Answer that: "The log to which this question refers has an exclusively technical character and is limited to detecting the existence of a cut in the electrical supply that affects the device. SECURITAS DIRECT cannot know the reasons why the power failure has occurred. However, the system remains in operation, since it is equipped with an auxiliary battery that allows its supply when the alarm is armed, in order to identify the incidents that could occur during the cut produced. For this purpose, it is irrelevant who, and under what circumstances, proceeded to (...) the alarm system, given that the only thing that the log reflects is the existence of the absence of electric current in the device, so that no natural person can be identified by the occurrence of this event, nor does it provide any information about an identified or identifiable person. This incident generates the sending of a communication to the owner, indicating that the (...) system has been modified as a consequence of the aforementioned cut, as can be verified in the documentation provided by my client. The log generated by said communication does contain personal data, and this is reflected in the document sent to the interested party (logs generated on day 12/15/15 at 4:50:24 that appear in the document sent to him)."<br />
<br />
It is observed that the logs of that day begin with annotations of no data, in red, at 2:38:07, four logs, and the next one at 2:38:23 is a personal data log, with information (...), and at 4:50: an email sent to the claimant's address, continuing to include several logs of non-personal data with references to "failure supervision", "incident cancelled, maintenance pending".<br />
<br />
b) Because in several of these logs, under "Are they considered to be personal data?", they indicate "As a general rule, no, but images are collected when movements are detected through the sensors; in case they had captured the interested party, they would be personal data and should be provided to him": how do they know that the person who accesses is the owner, an authorized person, or another user?, and if so, should they not inform the owner of the fact that images have been collected, if anything.<br />
<br />
He answers that: "In relation to these logs, not all the sensors installed in the Complainant's home include photographs (e.g. at that point reference was made to volumetric sensors).<br />
<br />
In any case, SECURITAS DIRECT can know about the image, if it is collected, since an alarm jump implies the development of the corresponding protocol (see, for example, the response given to point 4.17 of the letter of that AEPD)" (in this proposal 3.17) "which involves communication with the designated person or contacts. In this way, if from said communication it is derived that the image refers to the interested party, a copy of the same would be provided, which would also be accessible by him from the App."<br />
<br />
3.29 What does the extended description that appears in a table as "Internal registration of the operator that is acting on an incident" consist of?<br />
<br />
Answer: "It has already been indicated in the answer to the question contained in point 4.6" (3.6 in this proposal) "the internal registration of the operator that is acting on an incident is the internal alphanumeric code that uniquely identifies the SECURITAS DIRECT employee who is working on the device to solve or manage a technical incident that occurred in it."<br />
<br />
3.30 What are they referring to when they state that the system performs "Autonomous system checks that are performed without intervention of the user or of the service provider"? State its object, between which equipment it is produced, whether it appears regulated in private security regulations or in its own protocol, and what its non-performance can entail.<br />
<br />
It responds that: "By "Autonomous verifications of the system that are carried out without intervention of either the user or the service provider", and following what is stated in question 4.8" (in this proposal 3.8) "we were referring to the periodic tests of communication and correct transmission of the alarm system with the CRA."<br />
<br />
3.31 a) In annex II, information, they indicated that:<br />
<br />
- "Those log lines not derived directly from the security system services provided by Securitas have not been analyzed (i.e. logs with designation: FR0 to FSZ; ROF and ROI). Likewise, those log lines that, according to the information provided by Securitas, have no practical application as of the date of writing this report have not been the subject of study: IAC, ICA, PID, PDD, TLL and TWC". An explanation of the meaning of this annotation is requested.<br />
<br />
Answer that: "The meaning of these expressions refers, as can be deduced from the content of the report itself, to logs that no longer operate in SECURITAS DIRECT or that are not related to the operation of the Claimant's alarm, so they do not fit what was requested by the Claimant."<br />
<br />
b) There is a log that indicates: "VCA / Available Photo/Video Alarm in CRA. Images already in CRA. / ... Notwithstanding the foregoing, the captured images, in case they had captured a subject, would be personal data and should be provided to the interested party provided that the applicant for the right of access coincides with the person captured in the images. / Personal data is considered: Yes." Explain why, if the images captured when the alarm was triggered are of the owner himself, said images cannot be transferred to the owner of the device, including if they are his own.<br />
<br />
He replied that: "In relation to the delivery to the interested party of captured images, it will be necessary to differentiate:<br />
<br />
(i) the situation in which the person appearing in the images is solely the applicant for the right of access, in which case they must be granted together with the rest of the relevant personal data and,<br />
<br />
(ii) the situation where the device captures images of a third party, in which case they could not be granted with the right of access, as it would imply a communication of personal data. In this sense, the criterion supported by SECURITAS DIRECT would coincide with that established by the AEPD itself in relation to the exercise of rights in relation to video surveillance systems. Thus, section 2.3.10 of its Guide on the use of video cameras for security and other purposes indicates that this right "has unique characteristics, since it requires contributing as complementary documentation an updated image that allows the controller to verify and check the presence of the affected party in their records. It turns out to be practically impossible to access images without compromising the image of a third party. For this reason, access can be facilitated by certified writing in which, as accurately as possible and without affecting the rights of third parties, the data that have been processed are specified". In any case, the holders of SECURITAS DIRECT alarm systems have access, through the App, to the images captured by the devices at the time an incident occurs by alarm jump by means of a device capable of capturing images. Likewise, these images are made available to the State Security Forces and Corps if necessary. In any case, the possible access by the owner of an alarm system to the images, without prejudice to its legality as a transfer of data, would not form part of the right of access of the interested party, as follows from the doctrine of that AEPD that has just been reproduced, by not referring to his own data."<br />
<br />
b) Explain the meaning of this log: "SID Inactivity time. Periodic verification of movement within the home. From the joint information provided by: (i) the time without motion detection; and (ii) date of the specific log, in the case of an analysis of a real log, knowledge of certain patterns of behavior of a user could be derived, so this log line could be considered as personal data. YES."<br />
<br />
It responds that: "The report provided as Document No. 1 attached to the allegations to the Initiation Agreement not only analyzed the specific logs generated in relation to the alarm system contracted and located in the Claimant's home, but all the logs that an alarm system could produce, including those which in no case occurred in the controversial case, since my principal wanted to know the scope of the application of the concept of personal data in the operation of said alarm systems. For this reason, the report differentiated in three tables the logs generated in the specific relationship of the Complainant with SECURITAS DIRECT, distinguishing those that would be considered personal data (table 1 of annex I) and those that would not (table 2 of annex I), as well as the rest of the logs that could be generated by any alarm system, analyzing whether or not they fit into the concept of personal data (Annex II). The log to which this question refers is not among those generated in the case of the complainant's alarm system, so it can be considered that the question raised is irrelevant for the purposes of this file."<br />
<br />
3.32 Whether it is possible that the logs overlap, there being for example the one in which the (...) of the alarm by the owner is registered and subsequently other events have been registered.<br />
<br />
He responded that: "Each log line is a unique record with date and time, and there can even be several in the same minute and second, as they are "machines", but this does not suppose an "overlay", but the generation of several simultaneous logs."<br />
<br />
3.33 a) It is requested that they inform whether the ANNEX II table containing the (...) of the signal and the descriptors (report of 01/29/2021, provided by the defendant with its allegations) can be provided to the claimant, and give reasons in case it is negative.<br />
<br />
It responds that: "Annex II refers to logs that have never been generated in the claimant's alarm system, so that said information would in no case be related to your Contract, regardless of whether or not it had the character of personal data. At the same time, as has also been made manifest in the allegations to the Initiation Agreement, the operation of the alarm systems of my represented party and the logs that they generate constitute an asset of SECURITAS DIRECT protected by the rules that regulate trade secrets. In this way, the information being irrelevant to the interested party and being, on the contrary, protected by trade secret, my principal considers that neither the regulations for the protection of personal data, nor any other, authorize that he have access to that information."<br />
<br />
It is appreciated that Annex II, called "general analysis on the consideration of personal data", found in document 1 provided with the allegations to the agreement, contains a letter key called "(...) of the signal" which also appears in the table of document 2, marked in green, data of the claimant, and that it coincides with the format delivered to the claimant on 12/14/2021. By way of example, it appears both in annex II and in the table delivered to the claimant: IDE, the description of the signal "External disarm", as well as the extended description provided by SD and an explanation of linkage, directly or through inference, to behavior or<br />
information of a natural person, and YES in personal data, so these would be explanations that have to do with the content of what has been provided to him.<br />
<br />
b) Reason why annex I, tables I and II, does not contain the key (...) of the signal and its description that is contained in the table of ANNEX II.<br />
<br />
He replied that: "Reference must be made again to the scope of the report to which this question refers, in which it was possible to differentiate the logs actually generated in the Claimant's system from those that had not been generated, so that while the first could be differentiated according to the moment in which they were produced, the second could only be referenced by a specific denomination. That and no other is the reason why the tables of both annexes differ, in the same way that the tables contained in annex I indicate whether or not to include the corresponding log in the response provided to the request to exercise the right of access, which for obvious reasons does not appear in the table in annex II."<br />
<br />
3.34 In the event of an alarm at home, to whom would the information be given? To the last user that appears logged in in the alarm connection? To the holder? Under what assumptions? And how are they identified in the logs? Detail in this case some log that is considered personal data and in which, motivated by the alarm jump, information has been given to that person.<br />
<br />
Respond that: "The action protocol in the event of an alarm jump, which was followed in the case of the Claimant in the alarm jump dated 11/27/2015, is the following:<br />
<br />
• Call to speak/listen through the alarm center (Audio Verification).<br />
<br />
• Call to the landline telephone of the home where the system is located, if that data is available.<br />
<br />
• Call to the designated contacts in the order established by the holder of the contract in the action plan that appears in the Contract, and verification of the keyword.<br />
<br />
• Contact information in case of communication with it and keyword verification.<br />
<br />
• Notification to the Security Forces and Bodies in the event of indications of the possible existence of a crime (in the case of November 27, 2015 it was not executed because it was not considered a confirmed alarm).<br />
<br />
"In relation to the specific assumption analyzed, as described in various previous answers, the interested party designates in the Contract up to four contacts, also establishing an order of priority in the communication to them of a certain incident. Once contact is made with one of the designated contacts, they are asked for the password, without which they are not provided with the information about the identified incident. This is how it happened in the alarm jump produced on November 27, 2015, in whose logs it can be seen how contact was attempted successively with the persons designated in first, second, and<br />
third place, being unsuccessful, and since the contactee in fourth place did not facilitate the keyword."<br />
<br />
<br />
3.35 In their allegations to the initiation agreement, they indicated that:<br />
<br />
"After presenting the information, the Agency also mentions the "time jump between 11/27/2015 at 8:17 p.m. and 12/4/2015 at 11:05 a.m., without explaining the reason for that absence of "logs" in that time interval". On this statement this party cannot but state, said without the intention of offending the Agency, that it does not correspond to reality, and it is enough to refer to the document presented by this party to the Agency on 06/18/2021 (pages 106 and 107 of the file) where my represented party shows (we quote verbatim what was stated by SECURITAS DIRECT) "it generated "logs" until 8:09 p.m. on 11/27/2015, time and date on which the intrusion into the claimant's home occurred and during which said alarm system was completely disabled. From that date, it could not generate more logs". In addition, and in relation to the internal memory of the device, this party also revealed in its letter of 06/18/2021 (pages 106 and 107 of the file) "(...) after analyzing the internal memory of the installed alarm, it only had a "log" generated for that time frame, which was recorded in our burofax dated 02/26/2021"."<br />
<br />
a) Note that there are logs in that period that are considered non-personal data. In this regard, you are requested to indicate how such logs are started and how they end.<br />
<br />
They respond that: "As has already been indicated on several occasions, the logs to which the question refers correspond to those generated directly by a SECURITAS DIRECT operator at the CRA, and basically consist of the successive attempts to communicate with the interested parties to report the incident and check the alarm status. It is not about the communications from the switchboard located in the claimant's home, which, having been rendered useless, could not generate any type of log or signal, as evidenced by the logs that the system generated between 22:21:18 on November 28, 2015 and 11:04:50 on December 4, 2015, to which reference has been made earlier in this letter."<br />
<br />
a) Also explain how the interruption is linked to the first log of resumption (cataloged in green), 12-4-2015, 11:05:04, what event produces it and what personal information this would provide.<br />
<br />
Answer that: "The aforementioned log is the result of technical verifications through an automatic system called GTI (as it appears in the log itself) that is in charge of carrying out various checks to know the technical state of the system, proceeding to the opening of a maintenance when necessary. In this case, an operator is in charge of calling the client to make a review with the customer online and, if this is not possible, arrange a visit by a technician to verify the system state".<br />
<br />
It can be seen that on 12/4/2015, as in previous days, the logs appear in red, while as of 11/28/2015 they are all in red.<br />
<br />
3.36 a) In document 2 of the allegations, "total logs", the Excel table of all the logs, differentiated in red (no data) and green (yes), there appear different keys of the "(...) of the event", with those considered non-personal data distinguished in red; for example, there are two in red from 11/27/2016 20:09:47, and another of the same date and time in green. How are they similar and how are they different in terms of the references of their contents as regards the information on personal data that they can contain?<br />
<br />
b) In this case, for example, detail the difference between these two logs (of non-personal data) in terms of origin, and why, at the same time, in this case, one is considered personal data and the other not.<br />
<br />
Likewise, if you wish, comment on other logs (not personal data) that coincide in date and hour.<br />
<br />
Answer that: "As stated in the response to the question contained in point 4.17" (3.17 in this proposal) "the logs refer to different events: the first involves the detection of an alarm jump detected by a volumetric sensor; the second involves the generation of a deactivation code in case it is necessary to go to the house once the corresponding verifications have been carried out, which also appear in the logs table; and the third refers to the coverage (...)."<br />
<br />
c) Explain whether it seems possible that, as happens with the marks of the non-personal data logs, of which there may be more than one on the same date and time, there could also be two of the same date and time among the logs considered personal data, with some example, and whether it occurs in any case among those of the claimant.<br />
<br />
Answer that: "The answer to this question would be that it is possible, and an example of this are the following logs marked in green that refer to maintenance alarm change presence. There are several logs that occur at the same temporal moment. 12/05/2015 18:38:10:", indicating four movements of the same date and hour.<br />
<br />
<br />
EIGHTH: On 02/2/2023, a proposal for a resolution is issued, literally:<br />
<br />
"That the Director of the Spanish Agency for Data Protection sanctions SECURITAS DIRECT ESPAÑA, S.A., with NIF A26106013, for a violation of article 58.2 c) of the GDPR, in accordance with article 83.6 of the GDPR, classified as very serious in article 72.1.m) of the LOPDGDD, with a fine of 50,000 euros.<br />
<br />
In accordance with article 58.2.c) of the GDPR, it is proposed that compliance with the right of full and understandable access be ordered, as specified in the last legal ground and as follows from the meaning of this proposal."<br />
<br />
<br />
<br />
NINTH: On 02/20/2023, the defendant submitted the following allegations:<br />
<br />
A) Regarding the technical logs and their assimilation to personal data, it states:<br />
<br />
1- The device is at no time under the influence of the claimant, nor is it capable of exerting influence over the claimant, since he does not have the ability to configure or modify the technical parameters that affect the mode of operation and the configuration established by SD for its interaction with the alarm receiving centre.<br />
<br />
2- "Although the number that identifies the device in relation to the contract entered into with a particular client must be considered personal data when linked with the party to that contract", the interpretation made by the AEPD in its proposal distorts the concept of personal data and, consequently, the application of the GDPR, by understanding that each technical action on that device is personal data of the claimant, that is, that it constitutes information "about" him and therefore should have been provided under the right of access.<br />
<br />
<br />
- The information in the technical logs has no impact on the data subject, not even indirectly, since these are signals and communications exchanged between machines which, in any case, are unrelated to the owner of the home on which the system is installed and do not affect him, directly or indirectly.<br />
<br />
3- It reiterates the sense of Opinion 4/2007 on the requirements that information must meet to be considered personal data, namely that it must "relate to" an identified or identifiable person. In the context of its discussion of the data protection issues raised by RFID tags, the Working Party pointed out that "data relates to an individual if it refers to the identity, characteristics or behaviour of an individual or if such information is used to determine or influence the way in which that person is treated or evaluated".<br />
<br />
For information referring to a specific object, the alarm device installed in the claimant's home, to be considered personal data as relating to a person, there must be an element of content, purpose or result.<br />
<br />
In the report provided with the initiation agreement it was already indicated:<br />
<br />
The information must refer to a specific natural person, so the information in the logs must, at least, fall within one of the following situations:<br />
<br />
a.1 Be directly linked to a specific individual, in such a way as to provide direct information about his way of acting, his mental or physical characteristics, preferences, abilities, or any other behavioural pattern that can be directly attributed to him; or<br />
<br />
a.2 Be capable of being used to evaluate or influence, in any way, a particular individual or his conduct; or<br />
<br />
a.3 Be capable of having a direct impact on the rights and interests of a specific individual.<br />
<br />
<br />
<br />
<br />
From this it was inferred that the technical logs could not be considered personal data, because they refer only to an object and do not fall within any of the situations mentioned.<br />
<br />
<br />
The assessment in the proposal only alludes to the fact that the technical logs are personal data because they are linked to the alarm system identifier and this, through the contract, to the claimant. The defendant considers that the "content" requirement is not met: the logs do not provide information directly about the data subject; nor the "purpose" requirement: the objective of the technical logs is not to evaluate, treat in a certain way or influence the situation or behaviour of a person; nor the "result" requirement, which "would occur if the use of the information affects or could affect the rights and interests of the claimant", "since there is no possibility that the information obtained from the technical logs could in any way affect the rights and interests of the data subject, which are not related in any way to the operations that constitute said logs". The result element would require that the "use of this information could imply differential or discriminatory treatment of the data subject or an effect on his personal sphere".<br />
<br />
4- Whether the information contained in the technical logs is personal data is not affected by the fact that it refers to the interconnection between the ARC and the alarm device installed in the claimant's home, since the purpose of that interconnection can in no way determine whether or not the signals it emits are personal data. If this reasoning were followed, any information related to an object could come to be considered personal data whenever its usefulness or the purpose for which it was acquired is affected, or whenever it derives from a service contracted by the data subject.<br />
<br />
In addition, it considers that information relating to machines or systems does not necessarily have the status of personal data where it does not reveal information about an identified person.<br />
<br />
It gives as an example mixed data (personal and non-personal), which may or may not be inextricably linked and which may or may not fall within the scope of the right of access, meaning that only the personal data in the set are accessible to the data subject, as stated in EDPB Guidelines 1/2022 on the right of access. It concludes by indicating that these circumstances can be extrapolated to the present case, which concerns the internal operation of the device and its interaction with the CRA, without incorporating more information than is relevant to verify and analyse the operation of the contracted alarm systems.<br />
<br />
Regarding compliance with the claimant's access request and the manner of that compliance, it states:<br />
<br />
1- Regardless of the view one takes of the personal-data nature of the technical logs, which is not the object of this allegation, the excluded information does not have the character of personal data, access having been given only to what refers to the personal data processed by the controller receiving the request.<br />
<br />
<br />
<br />
2- It has tried to respond to the claimant in the terms requested, and even to facilitate understanding of the information provided. It was the claimant who, once information intended to clarify the scope of each of the logs provided had been supplied, considered that what should be provided were the "raw" logs, without the grouping and clarification previously carried out, and who later considered that this information did not satisfy him either, since in his opinion it was not very understandable. What the claimant is pursuing is the information generated by the alarm system, since he understands that there was a failure in its operation that led to the theft at his property.<br />
<br />
<br />
<br />
B) Regarding the disclosure of "know-how", it states:<br />
<br />
1- Law 1/2019 of 02/20/2019 on business secrets aims to guarantee and protect undisclosed know-how and business information against its unlawful acquisition, use and disclosure. In this case, the information referred to fits that definition, since it reveals internal processes and the mode of operation of the installed alarm systems, in accordance with Article 1.1 of that Law.<br />
<br />
2- The information on its systems and processes constitutes an asset. The security information that can be communicated through the technical logs must be adequately protected to prevent access by third parties who could circumvent or evade the operation of those systems.<br />
<br />
The information provided in the logs reflects activity recorded through its own information systems (i.e. current status of programs, security, access, network connectivity, etc.), and therefore this information generates a standardised working methodology that is owned by SECURITAS DIRECT.<br />
<br />
It links the disclosure of this information to the safety of the users of its alarm systems, as a guarantee of the general interest and the preservation of security, which affects all the logs generated. It considers that the individual right of the claimant cannot prevail over the guarantee of the integrity and security of all its clients.<br />
<br />
3- Employees have access to the information by virtue of their employment relationship, and what is indicated in the proposal is irrelevant, as it falls outside the scope of the business-secrets regulation, whose effect is external to the company. "The logs used in the devices it owns, provided to the Claimant, contain non-personal information which, used automatically and in aggregate, provides a series of signals that, studied in aggregate form, give SECURITAS DIRECT relevant and proprietary information for the improvement of the security services it provides, in addition to describing, in their sequential reproduction, the internal procedures followed by my client's systems, whose disclosure to third parties could impair its rights."<br />
<br />
<br />
<br />
4- The "trade secret" to be protected does not derive from the study of a single log (recall, without data processing), but from the study of the set of all logs, which allows SECURITAS DIRECT to anticipate events that may occur and affect the safety of its customers, and to adopt the measures and guarantees that derive from the study and analysis of those logs.<br />
<br />
5- The technical logs only show technical and algorithmic measurements common to all devices, used together to provide users with a high level of security in the service provided. It considers that "it is not appropriate to disclose its know-how by providing logs that are used exclusively to provide the service it offers to all its clients, since doing so would not only place it at a disadvantage with respect to its competitors but, what is much more serious, would affect the right to personal integrity of its clients and those who reside with them, to which we consider at least similar protection to the right to the protection of personal data should be afforded."<br />
<br />
6- In addition, legal ground X of the proposal deems it necessary to provide the description of the processes through the keys that clarify the table mentioned and its sections, which make the data tables in line or raw format, as held by the defendant, understandable; the defendant considers that this multiplies the risk of harm to all its customers. It believes that in order to "guarantee the integrity and proper functioning of its services, it cannot provide the claimant with all the logs, since doing so would jeopardise the safety of more than a million and a half customers who contract its services".<br />
<br />
7- It considers that the trade secret protecting its rights is much more relevant, for reasons of general interest and the preservation of security.<br />
<br />
<br />
<br />
C) By virtue of the foregoing, it requests that the charge be dismissed. In addition, regarding the graduation of the sanction, it states:<br />
<br />
1- On the application of Article 83.2.a) of the GDPR, it argues that an element of the sanctioning type is confused with an aggravating circumstance, and that the same circumstances are taken into account both to define the alleged infringement and to aggravate it, "which violates all proportionality."<br />
<br />
2- It considers that the information provided is neither incomplete nor a mere "summary with sparse information", and that it was provided in two different and complementary ways.<br />
<br />
It requests that it be taken into account as a mitigating circumstance that it responded to the data subject's request, granting it in various formats, and rejects the denial of good faith in the proposal.<br />
<br />
TENTH: From the actions carried out in this procedure and the documentation in the file, the following have been established:<br />
<br />
<br />
<br />
PROVEN FACTS<br />
<br />
<br />
<br />
<br />
1) The claimant owns a holiday residence for which, since 07/30/2014, he had a security service contract with the defendant that included installation, maintenance and operation of an alarm control panel.<br />
<br />
2) The claimant states that on accessing his home on 12/4/2015 in the afternoon he discovered that he had suffered a robbery and found "the alarm control panel" destroyed without having been notified, having received a call from the Company that same morning indicating the existence of connection problems.<br />
<br />
<br />
3) The claimant exercised his right of access before the respondent on 04/07/2017 "regarding all the information on the Securitas Direct servers related to the records and signals sent by the alarm equipment installed on his property, as well as copies of the records contained in the internal memory of the alarm between 11/26 and 12/18/2015". The defendant replied that the records contained in the alarm did not fall within the category of personal data; the claimant then went to the AEPD, which, in a decision on an appeal for reconsideration of 01/02/2018, upheld the claimant's claim and indicated when the right was to be provided. The defendant challenged that decision before the contentious-administrative courts; the National High Court, first section, ruled on 07/23/2019 in appeal 146/2018, dismissing its claim and confirming the decision.<br />
<br />
<br />
4) On 03/23 and 03/24/2021, the claimant submitted a new document to the AEPD, stating that he had exercised the same right before the defendant on 02/02/2021 and had received, on 02/23/2021, an Excel table which the claimant considers does not satisfy the right.<br />
<br />
The Excel table containing the access provided to the claimant comprises a total of 94 log lines, plus one from a period on 12/5/2015 related, according to the defendant, to tests on the alarm system as part of installation maintenance.<br />
<br />
The table is an elaboration by the defendant of what it indicates "are personal data". It begins with the date, not in chronological order, and is grouped by name, "nomenclature of the generated log", together with a description prepared by the defendant, "extended description of the log", which aims to inform or define what the log consists of. That definition or "extended description of the log" is generic in the detail of the incident. The "generated log nomenclature" also uses generic names such as "Informative signal" "***COLUMN.1", or groups several under one name, such as "CRA action", which includes "communicating", "voicemail skip", LOCSIN. To mention some examples:<br />
<br />
<br />
a) "(...) external perimeter" - "nomenclature of the generated log": "Central Security low priority."<br />
<br />
b) "Different generic actions of the Securitas human operator in the event of a specific incident, e.g. enabling speech/listening, calls to the different listed contacts, internal comments in relation to information transmitted by contacts, etc." - "nomenclature of the generated log": "CRA action".<br />
<br />
In some logs, reference is made to "contact" without identifying or specifying which contact is meant, such as "contact does not remember the password to prove identity and close the incident", "the contacts that the Securitas operator tries to locate do not answer", "operator manages to talk to contact".<br />
<br />
<br />
5) The claim led the AEPD to process the rights-exercise procedure TD/00167/2021, in which the respondent, before its admission for processing and initiation, stated on 05/19/2021 that not all the logs that record the alarm signals, or the contents of its internal memory, can be considered to contain personal data. It states that it had a report prepared by a law firm, signed on 01/29/2021 and entitled "application of the concept of personal data to the signals or logs generated by the alarm systems", which indicated the logs it considers "do not imply processing of personal data", and lists the categories of logs that it considers would fall within this assumption:<br />
<br />
<br />
1) "Issuance of signals of a purely technical nature for communication between the devices as part of the protocol for verifying their correct operation or for the recording of a technical failure". It gives as examples in its appeal against TD/00167/2021: "device battery level, network disconnection, inhibition, etc." It was referring to the "Issuance of signals of a purely technical communication nature between the devices as part of the protocol for verifying their correct operation or for the recording of a technical failure".<br />
<br />
2) Recording of informative signals in relation to, among others, the version of the system, model or category of installed device.<br />
<br />
3) "Descriptive record of internal and technical procedures in response to a specific event". It gives as examples in its appeal against TD/00167/2021: "waiting times of procedures before an event, collection and description of the event, process of capturing and making available to the operators the images or sounds, modification of internal parameters, transfer of the event to an operator, etc." It was referring to the "Descriptive record of internal and technical procedures in response to a specific event".<br />
<br />
4) Recording of technical signals in relation to the configurations of the devices, which do not provide information about the data subject or his habits but simply reflect the calibrations of the Securitas systems for their correct operation.<br />
<br />
5) "Statistical information about the devices." It gives as examples in its appeal against TD/00167/2021: "number of photos captured, devices activated, quality of device responses, number of disconnections, etc." It was referring to "Statistical information about the devices".<br />
<br />
<br />
In addition, it indicates:<br />
<br />
- "these logs" could contain information on the respondent's internal technical processes, information whose disclosure to third parties could imply the dissemination of trade secrets. It cites recital 63 of the GDPR for this purpose.<br />
<br />
- The access to logs provided to the claimant excluded technical logs and those that affect third parties.<br />
<br />
A copy of the aforementioned report was provided on 07/06/2022, as document 1, in the allegations to the initiation agreement.<br />
<br />
1) On 06/07/2021, the Director agreed to admit for processing the procedure for "exercise of rights arts. 15 to 22", TD/00167/2021, in which the defendant stated on 06/18/2021:<br />
<br />
"In relation to the content of the internal memory of the alarm installed in the claimant's home, it generated logs until 11/27/2015 at 8:09 p.m., the date and time on which the intrusion into the home occurred, during which said alarm system was completely disabled. According to the defendant, the system registered and sent movement-capture signals at 20:09 on 11/27/2015. From that date it could not generate any more logs of any kind. Therefore, in the time frame between 11/26 and 12/18/2015, the internal memory could only generate logs on 11/26 and 11/27/2015, and there was only one log generated within that time frame, which was stated in the response given to the claimant on 02/23/2021. They provide document 1, which is the table with columns of the access given to the claimant on that date, in which that log is marked in fluorescent green:<br />
<br />
"11/27/2015 20:09:47/HIGH PRIORITY CENTRAL/Code generated automatically and randomly by the system for the security guard to deactivate the alarm".<br />
<br />
The claimant stated that he has not been given the data of the records contained in the memory from the new installation of 12/5/2015, which is included in the request.<br />
<br />
On 09/17/2021 the rights-protection procedure was resolved, upholding the claim and granting a period to satisfy the right; the decision was appealed by the defendant by way of reconsideration on 10/18/2021, the appeal being dismissed on 10/27/2021 and notified electronically to the defendant on 10/28/2021.<br />
<br />
2) On 12/21/2021, the defendant submitted a document stating that it had sent a copy of the access to the claimant, providing a letter of 12/14/2021 containing a copy of the documentation sent to the claimant by burofax. The document includes the delivery of the logs in "lines of code" format, which is how the SD systems collect the records and signals sent by the alarm. According to the defendant, it is the "literal transcription, in the format in which they are stored in the SD systems, of the records and signals sent by the alarm equipment".<br />
<br />
The claimant submitted a document on 05/07/2022 in which he considers that what was resolved is still not being complied with, since the defendant classifies as personal data logs that are not, the table is unintelligible, the descriptions are imprecise and the print is very small.<br />
<br />
<br />
<br />
<br />
The table with "excel" sheets provided to the claimant on 12/14/2021 contains the logs in chronological order of date and time, with a total of 19 informative columns capable of containing definitions such as "(...) of the signal", which would correspond to the tables in annex II provided by the defendant in its allegations to the initiation agreement, where their meaning is described in an extended way; those tables were not provided to the claimant. Fields such as description, a more extensive description in "description (...)", "event", "event (...)", "Zone", "***COLUMN.3", "***COLUMN.4", "***COLUMN.1", "time of (...)", to name only some, have meanings and keys that were not given to the claimant.<br />
<br />
In the evidence phase, the defendant explained, for example, that the alphanumeric codes appearing in the "SIGNAL" column are the message generated in the alarm system's own language (machine language), which is translated into the information that appears in the rest of the columns and essentially in the "***COLUMN.2 (...)" column. To understand the meaning of the code, one has to go to the field in this column. The system sends messages that incorporate alphanumeric codes which are later translated into the different columns of the log presented. The "SIGNAL" column collects the part of the "raw" message from the system that is then translated into the rest of the columns.<br />
<br />
To this end, the defendant explains that:<br />
<br />
• The column "***COLUMN.2 (...)" is the translation of the event from the system language so that the agent/operator understands what the message is about. This information is complemented by the columns "***COLUMNA.1" and "***COLUMNA.2", which contain complementary information so that the agent/operator can understand the event received at the CRA.<br />
<br />
It also appears in the personal logs provided to the claimant.<br />
<br />
• The "ZONE" column identifies the alarm device in which the event occurs (e.g. (...) identifies a recording photosensor in programming position 2) and the "AREA" column describes the corresponding area of the property (e.g. Home, Living room).<br />
<br />
• The column "***COLUMN.3" indicates the priority of the signal, certain values being the lower-priority ones.<br />
<br />
• The column "***COLUMN.4" contains the type of signal that represents the event (e.g. INF is the code associated with "information", which appears in ***COLUMN.2 (...); SS is associated with "supervision", as also included in ***COLUMN.2 (...); CC is associated with "coercion", SO with "SOS", AAC with "power outage", etc.).<br />
<br />
In this way, these codes are directly linked to the information contained in column ***COLUMN.2 (...)."<br />
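<br />
As an added illustration (not code from the decision, nor Securitas Direct's own software or log format) of what the description above implies for an access export: a raw signal code is meaningless to the data subject until it is joined with the key that translates it, which is exactly the key the decision says was not handed over. The column layout, the code book, the priority convention and the sample rows below are constructed assumptions. The script decodes rows against the key, restricts them to the requested date window, orders them chronologically, keeps and flags codes the key does not cover instead of silently dropping them, and counts rows that share one timestamp, as with the four 18:38:10 entries discussed earlier.<br />
<br />
```python
"""Decode a coded alarm-signal log into an understandable access export.

Added example: the column names, signal codes and sample rows are constructed
for illustration and are NOT Securitas Direct's real format. Only the shape
described in the decision is followed: a raw SIGNAL code that must be looked
up to be understood, a type code such as INF/SS/CC/SO/AAC, a ZONE (device),
an AREA (room), a priority, and several rows sharing one timestamp.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical code book: the kind of "key" without which the export is not
# understandable to the data subject.
TYPE_CODES = {"INF": "information", "SS": "supervision", "CC": "coercion",
              "SO": "SOS", "AAC": "power outage"}
SIGNAL_CODES = {  # constructed raw codes -> operator-readable event text
    "E130": "alarm trigger, volumetric sensor",
    "E602": "periodic test report",
    "E301": "mains power lost",
    "E121": "coercion code entered at keypad",
    "R404": "deactivation code generated for guard",
}


@dataclass(frozen=True)
class LogRow:
    ts: datetime
    signal: str      # raw alphanumeric code ("machine language")
    kind: str        # type code (INF, SS, CC, SO, AAC)
    zone: str        # device that produced the event
    area: str        # part of the property
    priority: int    # numeric priority; lower = less urgent (assumption)


@dataclass(frozen=True)
class DecodedRow:
    ts: str
    event: str
    kind: str
    zone: str
    area: str
    priority: int
    siblings: int    # number of rows sharing this timestamp


def parse_line(line: str) -> LogRow:
    """Parse one constructed 'date;SIGNAL;TYPE;ZONE;AREA;PRIO' line."""
    ts, signal, kind, zone, area, prio = [f.strip() for f in line.split(";")]
    return LogRow(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                  signal, kind, zone, area, int(prio))


def decode(rows, start: datetime, end: datetime):
    """Return readable rows within [start, end], in chronological order.
    Unknown codes are kept verbatim and flagged rather than dropped, so the
    export never hides a signal that the reader cannot interpret."""
    window = sorted((r for r in rows if start <= r.ts <= end), key=lambda r: r.ts)
    per_ts = Counter(r.ts for r in window)
    out = []
    for r in window:
        event = SIGNAL_CODES.get(r.signal, f"UNKNOWN CODE {r.signal}")
        kind = TYPE_CODES.get(r.kind, f"UNKNOWN TYPE {r.kind}")
        out.append(DecodedRow(r.ts.isoformat(sep=" "), event, kind,
                              r.zone, r.area, r.priority, per_ts[r.ts]))
    return out


def same_timestamp_groups(decoded):
    """Timestamps that carry more than one log line, with their events."""
    groups = defaultdict(list)
    for d in decoded:
        groups[d.ts].append(d.event)
    return {ts: ev for ts, ev in groups.items() if len(ev) > 1}


# Constructed sample input (not real log lines); one row is outside the
# requested window and one uses codes the key does not cover.
SAMPLE = """
2015-11-26 09:15:00;E602;SS;Z01 panel;hall;1
2015-11-27 20:09:40;E130;INF;Z02 photosensor;living room;4
2015-11-27 20:09:47;R404;INF;Z01 panel;hall;5
2015-11-27 20:09:47;E301;AAC;Z01 panel;hall;5
2015-12-05 18:38:10;E602;SS;Z01 panel;hall;1
2015-12-05 18:38:10;E602;SS;Z03 photosensor;kitchen;1
2015-12-20 10:00:00;E121;CC;Z01 panel;hall;5
2015-12-01 12:00:00;X999;ZZ;Z09;garage;2
"""
ROWS = [parse_line(l) for l in SAMPLE.strip().splitlines()]
WINDOW = (datetime(2015, 11, 26), datetime(2015, 12, 18, 23, 59, 59))
EXPORT = decode(ROWS, *WINDOW)

if __name__ == "__main__":
    for d in EXPORT:
        print(f"{d.ts} [{d.kind:>12}] p{d.priority} {d.zone:<16} "
              f"{d.area:<12} {d.event} (x{d.siblings})")
```
<br />
Two design points matter for an export of this kind. First, the translation table ships with the rows, because a row such as "E301/AAC" says nothing to the recipient on its own; second, a code missing from the table is surfaced as unknown rather than filtered out, so that the recipient can see that a signal exists even when its meaning has not been supplied.<br />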
<br />
In document 1 (REPORT of 01/29/2021, provided by the defendant in its allegations), ANNEX II offers a general analysis of whether the generic log lines that can be used in SD systems in the course of its activity are to be considered personal data, without specific application to any data subject. The table relates the different "signal classes" with which the different types of logs are associated, completed with "description", "extended description" explained by SD, "link with the natural person" and "whether it is considered personal data or not".<br />
<br />
However, there are 19 columns that contain keys and even unspecific descriptions such as "information signal" that are not understandable without an explanatory correlation.<br />
<br />
<br />
<br />
3) In the security contract signed between the claimant and the respondent, it was stated that the alarm system contracted by the claimant had, among other things, photodetectors, a device with an infrared movement sensor, a microcamera and a flash which, in the event of intrusion, triggers the alarm through the camera and sends the notice and the captured images to the Alarm Receiving Centre (CRA); and an audio verification element, talk-listen, located inside the control panel, used to carry out audio and listening checks in the event of an alarm trigger and also to talk to the customer through the control panel.<br />
<br />
4) The basic maintenance included for the client: remote checking services of the operation of all components (technical check according to current regulations) and updating of the software and its components, for the sole purpose of providing the contracted security services.<br />
<br />
<br />
10) In the contract, the defendant indicates that it keeps a file of images and sounds that it can capture through its video surveillance systems when an alarm trigger occurs in customers' homes. It adds that "The CLIENT may only have access to information on any incident or recording made as a result of an alarm trigger by sending a written request through the means indicated in clause 20 of the general conditions, in which the identity of the contract holder is accredited, enclosing a photocopy of his valid DNI, CIF, NIE or passport, as well as the date, time and place where the recording presumably took place".<br />
<br />
11) The contract includes an "action plan" in which the following definitions appear:<br />
<br />
- "CLIENT: Natural/legal person who signs the CONTRACT, who is the owner of the alarm system described in the CONTRACT and who is the holder of the master password. The CLIENT may in any case have the status of user."<br />
<br />
- "USER: Natural person to whom the CLIENT authorises access to the property and the use of the alarm system, making available the means of connection and/or disconnection of the same."<br />
<br />
- "CONTACT PERSONS: Natural person who may or may not coincide with the CLIENT of the contract and who holds the master password."<br />
<br />
- CLIENT MASTER Password: Identifies the CLIENT and the main contacts. It has to be provided by them when they contact SECURITAS DIRECT by telephone. It allows and gives access to all kinds of procedures and modifications, whether administrative (contract, action plan, etc.) or operational (verification of alarm triggers). "So that you identify yourself to Securitas".<br />
<br />
- COERCION code: In the verification call following an alarm trigger, it must be provided to SECURITAS DIRECT by whoever is in the property in a situation of real danger to their physical and/or patrimonial integrity.<br />
<br />
There is also a "SECURITAS PASSWORD", "for Securitas to identify itself to you."<br />
<br />
They include:<br />
<br />
They include:<br />
<br />
<br />
<br />
- a "contact list" of four people identified by first name and first surname, numbered: the claimant, the client, with two telephone numbers, the rest with one, all with passwords.<br />
<br />
All four are listed in another "standard action plan" in the chart, ordered as "contact" from 1, the claimant, to 4.<br />
<br />
In the particular conditions, the claimant adds his email.<br />
<br />
12) Asked in the evidence phase about the way in which the logs identify the different actions of possible users in the different roles they may assume (owner, authorised person, contacts) and in the different elements of the system, the defendant stated that they are identified by the reproduction in the log of the interaction that may occur with each of them, clarifying that the "users with access to the system" correspond to SD personnel who may receive a specific incident from the owner or the designated contacts and, where appropriate, carry out the operations requested by them, which give rise to logs that were considered personal data of the claimant, as they proceed from an action requested by him or his authorised persons. Other logs respond to this premise, such as those between 12/05/2015 at 14:19:04 and 14:45:45, provided to the claimant, where ***USER.1 accesses the customer file to manage and agree on maintenance with the client associated with the event that occurred on 11/26/2015.<br />
<br />
If the Excel table of access provided to the claimant is examined for 12/05/2015 between 14:19:04 and 14:45:45, it only shows "the operator views the key words on demand", "event (...)" and that the customer file is accessed, without indicating which owner or contact causes the request.<br />
<br />
On 12/18/2015 at 20:08:18 the same occurs as a result of a customer call to SECURITAS DIRECT, without mentioning which owner or contact causes the request. It is also noted that on that same day there are logs provided to the claimant that respond to "APP service injected event, remote disconnection connections", without the cause of the request being correlated to the owner or one of the authorised contacts.<br />
<br />
13) In addition, through an application installed on the mobile phone, users or<br />
authorised contact persons can interact with the alarm system, the mobile<br />
phone being a means of communication for security personnel with the claimant, to whom<br />
they send SMS or emails. The defendant stated in evidence that "with the mobile device<br />
the alarm system can be connected or disconnected, and that said action is recorded in<br />
the internal memory of the device, although it is only transmitted to the CRA in case the<br />
action responds to the existence of a security incident. That is,<br />
when a security incident occurs (e.g. disconnection as a consequence<br />
of an alarm trigger) and the system is later disconnected, the log is recorded<br />
in the CRA identifying the user (key, remote control or code) that carried out the action. Likewise,<br />
if the connection or disconnection is made from the App, the log is transmitted to the<br />
CRA, reflecting that an action has taken place through an iPhone or an Android<br />
device, but the phone number from which this action is performed is not reflected." It adds<br />
that in this case the records would be the following:<br />
<br />
<br />
• 06/12/2015 at 01:15:27 – Disconnection. (…) 00 - User: 07 Disconnection due to alarm trigger<br />
at 01:15:04 (...). This log records a deactivation of the alarm system by<br />
means of a remote control following an alarm trigger.<br />
<br />
Regarding logs associated with interactions with the alarm system through the APP<br />
installed on the claimant's mobile, these would be the following:<br />
<br />
It indicates the logs starting on 06/12/2015 at 14:06:47, "Status Request from iPhone", up to<br />
21:06:08, with different requests from iPhone. In the access tables<br />
provided to the claimant, on said date and time it is neither stated nor inferable that the<br />
request is correlated with the claimant or may come through any of the authorised<br />
contacts. Thus, in view of the Excel table of accesses provided,<br />
it is not known who the person is, owner or authorised contact, who requests and arms the system or<br />
the images.<br />
<br />
<br />
14) The control panel, also called the alarm control console, is usually located<br />
inside the house; it is the element that receives the signals from the sensors and where the<br />
system is activated (armed) or deactivated (disarmed), so that if it is not activated (armed) it does not<br />
recognise or generate the signals from the sensors. The home alarm device is permanently<br />
(7/365) connected with the CRA. The defendant reported that the connection between the system and the CRA is<br />
carried out using a SIM card integrated into the control panel.<br />
<br />
The defendant stated that the control panel of the alarm system stores records,<br />
among other things. In fact, it can store up to ***NUMBER.3 events, which are deleted<br />
cyclically over time, depending on the records that are generated and recorded<br />
continually. As new records are generated and recorded, the oldest ones are automatically<br />
deleted cyclically, maintaining a temporal order of recording and deletion,<br />
always within the ***NUMBER.3 records it can hold.<br />
<br />
15) The defendant stated in evidence, on the question of the way in which the logs of the<br />
operation of the alarm system are generated and stored, that the system generates and<br />
stores in the control panel records derived from:<br />
<br />
- Customer interactions with the alarm system, for example: connection, disconnection;<br />
<br />
- Internal verifications of the system, for example coverage (...); and<br />
<br />
- Activities of the alarm system in the performance of its function, for example, an alarm<br />
trigger.<br />
<br />
In addition, the defendant pointed out that the catalogue of logs that can be generated by the<br />
interaction between the installed system and the CRA is closed, it not being possible to create<br />
new logs different from those that the system generates. Some of these pre-configured<br />
logs will be generated as a consequence of the interaction of the system with an<br />
activity carried out by an operator or authorised user of SECURITAS DIRECT, as well<br />
as by the owner of the system or the persons authorised by the owner.<br />
<br />
The internal memory of the device is located on the motherboard of the control<br />
panel. According to the defendant, said internal memory records events, among which are<br />
distinguished:<br />
<br />
(i) those that generate a log, a copy of which has been provided in Document<br />
No. 2 of those provided together with the pleadings to the Commencement Agreement<br />
(logs as they leave the SD system, together, those that contain data and those that do not, in<br />
chronological order);<br />
<br />
(ii) and other merely technical events related to the interconnection produced<br />
for sending the logs to the CRA of SECURITAS DIRECT (e.g. channel through which the<br />
log is sent, successful connection, acknowledgement, etc.). Since they only refer to<br />
the transmission and not to any type of specific action, they consider that they would not be part of what<br />
was requested by the claimant.<br />
<br />
According to the defendant, in both cases the destination of said records is the CRA, "although the<br />
information mentioned in point (ii), as well as the logs that do not reflect a relevant event<br />
related to the operation of the alarm, are not communicated and remain in<br />
the internal memory of the panel and are only accessible by SECURITAS DIRECT<br />
personnel in the event of an incident that requires a forensic analysis."<br />
<br />
In evidence, the defendant indicated that from the CRA the operators have the capacity<br />
to activate or deactivate the alarm only at the customer's request, within the framework of a<br />
telephone interaction with him. This request is duly registered through<br />
its corresponding log. An instance of this appears in the records provided to the claimant<br />
on 18/12/2015.<br />
<br />
<br />
16) The defendant maintains that the claimant's alarm device generated logs (event<br />
records) until 20:09 on 27/11/2015, the date and time of the<br />
intrusion into the home, during which said alarm system was rendered completely<br />
useless. From that date on, that device could not generate any more logs.<br />
<br />
17) In the records there is a time gap in the logs considered personal data that were<br />
given to the claimant, between 27/11/2015 at 20:17 and 04/12/2015 at 11:05.<br />
<br />
18) The first log after the resumption following 27/11/2015 (catalogued in green as considered<br />
to contain personal data and delivered to the claimant) is that of 04/12/2015, 11:05:04,<br />
which the defendant explains is produced as a result of technical verifications<br />
through an automatic system called GTI (it appears in the log itself) that is<br />
in charge of carrying out various checks to know the technical state of the system,<br />
opening a maintenance job when necessary. In this case,<br />
an operator is in charge of calling the client to do a review with the client online<br />
and, if this is not possible, to arrange a visit from a technician to verify the state of the system.<br />
<br />
19) It can be seen that until this resumption, as well as in previous days, there are logs in<br />
red, without personal data, as of 28/11/2015.<br />
<br />
20) On 05/12/2015 a new alarm device was installed at the claimant's home,<br />
which replaced the destroyed one, and was taken out of service on 23/12/2016.<br />
<br />
21) Regarding whether it is possible for the logs to overlap, the defendant indicated in<br />
evidence that "each log line is a unique time-stamped record, and there can even<br />
be several in the same minute and second, as they are 'machines', but this does not<br />
imply an 'overlap', but rather the generation of several simultaneous logs."<br />
<br />
<br />
22) With the alarm of 27/11/2015, the defendant proceeded to the pertinent verification<br />
of the same by attempting to access the system's speech/listening module. As this was<br />
not possible and no disconnection by the user was received, the mechanism for<br />
contacting the people and telephone numbers established in the "ACTION PLAN" document was activated,<br />
informing "contact four" of what had happened up to that moment. These<br />
facts are reflected in the logs with personal data provided to the claimant.<br />
<br />
23) The defendant also has logs that it does not consider personal data generated<br />
on 27/11/2015 at 20:09:47, as well as all those of the previous day, the 26th. The first log that<br />
it considers personal data of the claimant is that of 27/11/2015 20:09:47. At the same time,<br />
two logs appear as non-personal data, in red, with different codes from those<br />
that appear in the claimant's log, with a note: "intrusion seismic volumetric garage door,<br />
panel coverage level and coverage, volumetric intrusion description radius", and the second<br />
"informative signal". There are also different red logs of the same 27th and all of those from the<br />
28th to 04/12/2015, 11:04:50. Between the 28th and 04/12, except for the 29th, according<br />
to the comment that appears, there are test logs that report the loss of communication<br />
with the device, up to the 4th, one per day.<br />
<br />
The defendant stated that the logs of 27/11/2015, 20:09:47, begin with the<br />
detection of a volumetric alarm alert at 20:09:47, generating a random code<br />
(1155) that is generated with any alarm trigger, so that if a security guard is sent,<br />
he can disconnect it (in this case it was not used, since no guard was<br />
sent, as it was determined that it was not necessary). From that moment on, there are<br />
system verification logs for the transfer of information to an operator, who<br />
from that moment makes the relevant calls to those who appear as contacts<br />
designated in the contract by the claimant. These attempts are unsuccessful with respect to<br />
the first three contacts, as the calls go to voicemail; communication is achieved<br />
with the fourth contact who, however, does not provide the keyword that<br />
allows communication to be established, the processing of the alert concluding on 27/11/2015<br />
at 20:17:07, the last log of personal data that is recorded and<br />
delivered to the claimant.<br />
<br />
The defendant stated that "all actions related to the alarm and the<br />
contact attempts have been considered personal data and provided to the<br />
claimant, whereas the logs exclusively related to the<br />
way in which the SECURITAS DIRECT systems manage and channel the<br />
actions to be carried out in these cases, or those that refer exclusively to the intervening<br />
operator, do not have such consideration. The justifying explanation of whether or not the information is considered<br />
personal data is contained in the report provided as Document No. 1 in the<br />
allegations to the Commencement Agreement."<br />
<br />
The defendant indicated that the logs generated from the moment the alarm trigger<br />
of 27/11/2015 at 20:09 occurred, and once those related to the<br />
attempts to communicate with the contacts designated by the claimant had concluded, refer to<br />
successive communication attempts between SECURITAS DIRECT and the system installed at<br />
the claimant's address, which were unsuccessful and are technical machine-to-machine<br />
interactions.<br />
<br />
Likewise, there are different logs related to alarm triggers later<br />
deactivated on 05/12/2015 from 18:56:37, provided to the claimant as<br />
considered to incorporate personal data related to him, given that they are<br />
actions aimed at different tests of the operation of the system installed<br />
in his home, carrying out different alarm tests (volumetric, seismic,<br />
duress or magnetic). There is also an alarm trigger on 06/12/2015 at<br />
01:15:04, the logs generated by the system being verifiable, which concludes<br />
with the communication with the owner, who indicates at 01:17:22 that the alarm<br />
trigger may have been caused by the fireplace.<br />
<br />
24) For the purpose of initiating the action protocol, alarm signals are considered to be those<br />
received at the Alarm Receiving Centre from the capture by the elements of<br />
intrusion detection, SOS button, anti-robbery button, and duress code.<br />
In the contract there is a protocol in this regard that distinguishes whether the alarm triggers "without<br />
user disconnection", in which case SD verifies "by accessing the speech-listening module"<br />
of the system and/or calling the landline of the property, provided that there is<br />
one. If through these means:<br />
<br />
- An answer is obtained: the person will be identified with the master or contact<br />
keyword. If the keyword is correct, the user will be provided with the<br />
precise technical instructions to disconnect the system.<br />
<br />
- If the keyword is not correct or no response is obtained: SECURITAS DIRECT<br />
will proceed to comply with the verification procedures provided for in the<br />
current Private Security regulations, as well as to use the complementary means of<br />
verification, such as making the verification call to the MAIN CONTACTS<br />
and/or OPERATORS established, and/or the Security Guard and/or the F.C.S. (Fuerzas y Cuerpos de Seguridad) if<br />
it is a confirmed real alarm. In any case, the decision to issue the notice<br />
will correspond exclusively to SECURITAS DIRECT.<br />
<br />
In the event of a "user disconnection", this is the case in which the alarm goes off<br />
and, in less than 20 seconds (from the alarm trigger), a disconnection signal is received<br />
in the CRA. In this case, "an announcement will be automatically issued,<br />
recorded through the speech-listening module of the system, in which the client will be informed<br />
of the signal received, as well as of the execution of the disconnection by the user or authorised person<br />
and the cancellation of the incident."<br />
"In the event that the disconnection signal is received in a time greater than that<br />
indicated in the previous paragraph, SECURITAS DIRECT will proceed to verify the alarm<br />
trigger by accessing the system's speech-listening module and/or calling the telephone<br />
of the property, provided that the latter is available, to carry out the<br />
verifications that it deems appropriate according to its diligence as a Security<br />
Company and that are adjusted to the applicable Private Security regulations."<br />
<br />
The defendant, in evidence, to the question of the verification mode(s) of the alarm applicable<br />
in this case, and which logs are generated and carry this description among those that appear in the<br />
period requested by the claimant, responded that they can be classified as:<br />
<br />
(i) those that are generated as a consequence of an interaction of the holder of the contract<br />
or a person authorised by the holder with the alarm system;<br />
<br />
(ii) those derived from a human interaction produced from the CRA; and<br />
<br />
(iii) those that are generated automatically, without human intervention of any kind.<br />
<br />
It considers that "only the logs listed in points (i) and (ii) imply a<br />
processing of personal data, and of these, only those listed in point (i) involve the<br />
processing of data of the claimant or the persons authorised by the claimant. In<br />
Document No. 1 (report of 29/01/2021, provided by the defendant in its allegations)<br />
provided by the defendant together with its pleadings, it was clarified that the<br />
right of access by the data subject to his own data only affected those<br />
contained in the aforementioned point (i) and not those listed in points (ii) and (iii), which do not<br />
incorporate personal data of the claimant."<br />
<br />
Specifically, and with regard to all the logs contributed to the Agency, the following logs, which represent<br />
alarm verifications, would fit what is described in this answer:<br />
<br />
• Logs from 27/11/2015 from 20:09:47 to 20:17:07, the<br />
moment in which an action plan contact is reached. These are 21 logs whose<br />
descriptions are all related to the action of the CRA, with additions such as call,<br />
communicating, skips voicemail, leaves message on voicemail, operator manages to<br />
talk to contact 4, wrong word, or other mentions of contacts 1, 2, 3, call to<br />
H/E (speech/listening module), H/E audio is not sent to FCS, and other codes in the various fields, which, as already<br />
mentioned, are not understandable without a key and a brief understandable explanation<br />
of their meaning.<br />
<br />
• Logs from 06/12/2015 from 01:15:04 to 01:17:40, in which<br />
several logs appear, "indicates that it may be the chimney", and in the same sense with<br />
codes in the different tables, which are not understandable without a key and a brief<br />
understandable explanation of their meaning.<br />
<br />
The defendant reported in evidence that, in the data period requested by the<br />
claimant, there was no confirmed alarm notification record that had to be<br />
notified to the Police.<br />
<br />
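The verification protocol in point 24 and the defendant's three-way classification of logs can be checked mechanically. What follows is an added worked example, not code from the decision or from Securitas Direct: it parses a constructed CRA log (the record layout, event names, operator identifiers and sample lines are assumptions made for this example; only the dates mirror those discussed above), classifies each record as origin (i), (ii) or (iii), flags records that do not say which owner or contact is behind the action (the gap noted in points 12 and 13 for operator actions taken at the customer's request and for App actions that record only "iPhone" or "Android"), and applies the 20-second user-disconnection rule to every alarm trigger. It goes slightly beyond the decision's own cases by adding a constructed trigger that is disconnected within the window, so both branches of the rule are exercised.<br />
<br />
```python
"""Added worked example (not from the decision or Securitas Direct): classify CRA
alarm log records by origin, check whether each record names the person behind it,
and apply the 20-second "user disconnection" rule from the action protocol.
The log layout, field names, event names and sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List


class Origin(Enum):
    """The three origins the defendant used to classify logs (points (i)-(iii))."""
    HOLDER = "i"       # contract holder or a person authorised by the holder
    CRA_HUMAN = "ii"   # human action from the CRA (operator)
    AUTOMATIC = "iii"  # generated without any human intervention


# Constructed layout: "timestamp;event;detail;actor;requester"
#   actor     -> credential or principal that acted, e.g. "KEY:07", "APP:iPhone",
#                "OPERATOR:op-12", "SYSTEM:panel"
#   requester -> for operator actions done at a customer's request, the contact
#                who asked ("contact2"); empty otherwise
@dataclass(frozen=True)
class Record:
    ts: datetime
    event: str
    detail: str
    actor: str
    requester: str


HOLDER_PREFIXES = {"KEY", "CODE", "REMOTE", "APP", "PHONE"}
# Actor values that identify only a device class, never a person.
DEVICE_ONLY = {"APP:iPhone", "APP:Android"}
# Operator actions that only happen because an owner/contact asked for them.
CUSTOMER_REQUESTED = {"REMOTE_CONNECT", "REMOTE_DISCONNECT", "VIEW_FILE", "MAINTENANCE"}
USER_DISCONNECT_WINDOW = timedelta(seconds=20)


def parse_line(line: str) -> Record:
    ts, event, detail, actor, requester = (f.strip() for f in line.split(";"))
    return Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, detail, actor, requester)


def classify(rec: Record) -> Origin:
    prefix = rec.actor.split(":", 1)[0]
    if prefix in HOLDER_PREFIXES:
        return Origin.HOLDER
    if prefix == "OPERATOR":
        return Origin.CRA_HUMAN
    return Origin.AUTOMATIC


def is_attributable(rec: Record) -> bool:
    """Does the record say which owner/contact is behind the action?
    Holder actions need a personal credential (key, code or phone, not just a
    device class); customer-requested operator actions must name the requester;
    automatic records involve nobody and are attributable as they stand."""
    origin = classify(rec)
    if origin is Origin.HOLDER:
        return rec.actor not in DEVICE_ONLY
    if origin is Origin.CRA_HUMAN and rec.event in CUSTOMER_REQUESTED:
        return rec.requester != ""
    return True


def user_disconnection(records: List[Record], trigger: Record) -> bool:
    """Protocol rule: a disconnection by the holder/authorised person received
    less than 20 s after the trigger cancels the incident automatically;
    otherwise the CRA must verify (speech-listening module, landline, contacts)."""
    for r in records:
        if r.event == "DISCONNECT" and classify(r) is Origin.HOLDER:
            delta = r.ts - trigger.ts
            if timedelta(0) <= delta < USER_DISCONNECT_WINDOW:
                return True
    return False


def audit(lines: List[str]) -> Dict[str, object]:
    records = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r.ts)
    counts = {o.value: 0 for o in Origin}
    for r in records:
        counts[classify(r).value] += 1
    unattributed = [r.ts.isoformat(sep=" ") for r in records if not is_attributable(r)]
    incidents = {
        r.ts.isoformat(sep=" "): ("auto-cancelled" if user_disconnection(records, r) else "verify")
        for r in records if r.event == "ALARM_TRIGGER"
    }
    return {"counts": counts, "unattributed": unattributed, "incidents": incidents}


# Constructed sample: the dates follow those discussed in the decision, everything
# else (codes, operator ids, the 18/12 test incident) is invented for the example.
SAMPLE_LOG = """
2015-11-27 20:09:47;ALARM_TRIGGER;volumetric;SYSTEM:panel;
2015-11-27 20:09:47;DEACT_CODE;random guard code;SYSTEM:cra;
2015-11-27 20:10:30;CALL;contact1 voicemail;OPERATOR:op-12;
2015-11-27 20:17:07;CALL;contact4 wrong keyword;OPERATOR:op-12;
2015-12-05 14:19:04;VIEW_FILE;keywords on demand;OPERATOR:op-07;
2015-12-06 01:15:04;ALARM_TRIGGER;volumetric;SYSTEM:panel;
2015-12-06 01:15:27;DISCONNECT;after trigger;KEY:07;
2015-12-06 14:06:47;STATUS_REQUEST;;APP:iPhone;
2015-12-18 20:08:18;REMOTE_DISCONNECT;customer call;OPERATOR:op-03;contact2
2015-12-18 20:30:00;ALARM_TRIGGER;magnetic test;SYSTEM:panel;
2015-12-18 20:30:12;DISCONNECT;test;CODE:user2;
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```
<br />
Running the block prints the audit. For the 06/12/2015 trigger the disconnection arrives 23 seconds later, so the rule classifies it as requiring verification, which matches the subsequent call to the owner in the records; the 05/12/2015 file access and the App status request are listed as unattributed because neither names the owner or contact behind the action, which is the defect the Agency describes in points 12 and 13.<br />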
<br />
25) The defendant states that "the internal memory of the panel (Control Panel)<br />
initially installed and destroyed in the events that occurred on 27/11/2015 does not<br />
incorporate, within the time period for which the right of access was exercised,<br />
any log referring to (...) or des(...) of the alarm system, this being, and no other, the reason<br />
why the information provided to the claimant does not incorporate any record of this<br />
nature in relation to the disabled device.<br />
<br />
Regarding the logs that were recorded in the internal memory of the system installed on<br />
05/12/2015, the defendant indicates that it could not access the information at any time,<br />
and therefore it was not possible for it to provide it to the data subject. As for the reason, it points out that<br />
the CRA can only access the logs that are transmitted to it from the<br />
internal memory of the device, but not those of a merely technical nature that are<br />
generated in said internal memory, since SECURITAS DIRECT can only<br />
access the content of said device in the event of an<br />
incident requiring forensic analysis. In this case, given that no such incident<br />
occurred, the device remained in the claimant's home until the end of the<br />
contract, without SECURITAS DIRECT at any time being able to access said<br />
internal memory, nor was it necessary to carry out any forensic analysis of its<br />
content, in the absence of an incident that required it." As can be<br />
verified, these answers do contain information referring to the period<br />
mentioned in the question posed.<br />
<br />
26) The defendant stated in evidence that, after accessing the records contained in<br />
the memory of the alarm, it has been verified that it was connected from<br />
22/11/2015 at 11:56 and that it did not present any anomaly.<br />
<br />
27) Regarding access to the personal data contained in the internal memory of the control<br />
panel after the installation of the new one on 05/12/2015, they do not appear in the access<br />
provided on 14/12/2021 nor in the preceding one of 23/02/2021.<br />
<br />
28) In Document 2 of the allegations, the "total logs" Excel table of all logs,<br />
differentiated in red (considered non-personal data by the defendant) and<br />
in green (considered personal data by the defendant), the following appears:<br />
<br />
With different codes of the "(...) of the event", those considered non-personal data are distinguished<br />
in red; for example, there are two in red, from 27/11/2016 20:09:47, and another with the same date and<br />
time, in green. The defendant stated that the logs refer to different events: "the<br />
first involves the detection of an alarm trigger detected by a volumetric sensor;<br />
the second involves the generation of a deactivation code in case it is<br />
necessary to go to the house once the corresponding verifications have been carried out, which<br />
also appear in the log table; and the third refers to coverage (...)." It adds<br />
that dates and times can also coincide in the logs that contain personal data,<br />
giving the example of 05/12/2015 18:38:10, in which there are five different ones, related<br />
to the on-site maintenance for the alarm replacement.<br />
<br />
29) The defendant reported in evidence that the periodic reviews of the proper<br />
functioning of the alarm system provided for in article 43 of RD 2364/1994, approving<br />
the Private Security Regulations, and in article 5 of Order INT/316/2011, are<br />
carried out from its CRA remotely, normally every three months. In addition, it<br />
conducts daily tests of communication and correct transmission between the alarm system and the CRA<br />
automatically. It gives some examples from 05/12/2015 that are included in the<br />
logs provided to the claimant, and from 06/12/2015, 18:45:42, which is not considered a log of<br />
personal data of the claimant, appearing in red.<br />
<br />
On-site reviews are recorded in the log of the alarm management system of the<br />
CRA, since the technician must check a series of parameters of the<br />
system and carry out the various functional checks.<br />
<br />
If remote reviews were carried out, these would be reflected in the event memory<br />
of the alarm system.<br />
<br />
On the other hand, maintenance tasks are corrective, aimed at resolving<br />
specific incidents that prevent the proper functioning of the alarm<br />
system, and are intended to rectify said incidents, and can be carried out,<br />
according to their nature or need, in person or remotely.<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) recognises for each<br />
Supervisory Authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the<br />
LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and<br />
resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Article 4 of the GDPR, under the heading "Definitions", provides the following:<br />
<br />
"1) 'personal data' means any information relating to an identified or identifiable natural<br />
person ('data subject'); an identifiable natural person is one who can be identified,<br />
directly or indirectly, in particular by reference to an<br />
identifier such as a name, an identification number, location data,<br />
an online identifier or to one or more factors specific to the physical,<br />
physiological, genetic, mental, economic, cultural or social identity of that natural person;"<br />
<br />
"7) 'controller' means the natural or legal person, public authority,<br />
agency or other body which, alone or jointly with others, determines the purposes and<br />
means of the processing of personal data; where the purposes and means of such processing are determined by<br />
Union or Member State law, the controller or the specific criteria<br />
for its nomination may be provided for by Union or Member State<br />
law;"<br />
<br />
In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is<br />
processing of personal data, since SECURITAS DIRECT<br />
carries out, among other processing operations, the collection, storage, consultation, use and access<br />
of the personal data of the clients-users, such as: name, surname, email<br />
address, credentials, etc.<br />
<br />
SECURITAS DIRECT carries out this activity in its capacity as controller of the<br />
processing, since it is the entity that determines the purposes and means of such activity, by virtue of<br />
article 4.7 of the GDPR.<br />
<br />
This sanctioning procedure is initiated because the complaining party considers<br />
that its right of access deriving from TD/00167/2021 has not been met, alleging<br />
that not all of its personal data (logs) have been provided and that those that have been<br />
sent are unintelligible to it, in the terms established in the background of this<br />
resolution proposal.<br />
<br />
Thus, in this sanctioning procedure it is a question of elucidating, through the investigation<br />
itself and taking into account the allegations and documentation provided by the defendant,<br />
whether the right of access has been fully met, and how it has been carried<br />
out, in the terms established in the GDPR, and therefore whether there has been an infringement<br />
of the data protection regulations.<br />
<br />
<br />
III<br />
<br />
As highlighted in the Statement of Reasons of Law 5/2014, of 4 April, on Private<br />
Security, security is one of the fundamental pillars of society; it is at the<br />
basis of freedom and equality and contributes to the full development of individuals. That<br />
law considers private security as an activity with its own identity, but at the same time<br />
as an integral part of public security.<br />
<br />
The activity of operating a security system through a CRA is an<br />
exclusive, complementary service or activity of a commercial nature and of crime<br />
prevention, subordinated to public security, developed and provided by security<br />
companies approved by the Ministry of the Interior, subject to the private<br />
security regulations, which use regulated and approved means, technical measures and protection<br />
elements, through electronic security systems against the<br />
risks of theft or intrusion with the functional characteristics described in the UNE<br />
Standards for their commercialisation, sale and installation in a private area requiring<br />
private security. This is materialised through the signing of a contract for the<br />
leasing of maintenance services and the connection of said system to a Control<br />
Centre integrated in the likewise authorised Alarm Centre, for the reception,<br />
processing and verification of the alarm signals emitted by said installed security systems,<br />
through the technical and human procedures provided for in Order INT/316/2011<br />
of 1 February on the operation of alarm systems in the field of<br />
private security, in such a way that their reality can be determined or not, and, if confirmed<br />
as real, communicated to the Police.<br />
The purpose of this contract is the provision or material delivery by the Security<br />
Company of a Security System and its installation for the purpose of an<br />
Alarm Receiving Centre service, and subsequently the maintenance of the system in<br />
proper working order for the provision of the contracted services at the home<br />
of the contracting user.<br />
<br />
Since the installation of the device and the security elements is linked to the<br />
maintenance of the same as a system or product that is tied to a service of<br />
operation through an alarm receiving centre, it is a service contract<br />
linked to the maintenance service of the installed system, dedicated<br />
exclusively to the reception of the alarm signals emitted by the installed security system<br />
and to the processing of said signals to determine their real or<br />
false origin by complying with the established regulatory procedures.<br />
<br />
The aforementioned order on the operation of alarm systems establishes that the CRA<br />
carries out verifications through rules contained in described technical procedures<br />
and, complementarily, human ones. After completing these formal and material<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 81/102<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
materials required, said alarm signal confirmed by the CRA can be communicated<br />
as real to the Police.<br />
<br />
The judgment of the Provincial Court of Madrid, section 11, 98/2014, of 03/11/2014,<br />
analyses the nature of the security contract in the form of provision of central alarm<br />
services by a company dedicated to that activity, stating in its second legal ground:<br />
<br />
“As this same Chamber already stated in its Judgment of June 30, 2011, which refers to<br />
that of April 29, 2010, which in turn refers to the one issued in June 2007, citing the<br />
Judgment of the A.P. of Barcelona of December 30, 2004, "...the contract signed by the<br />
parties is a lease of services and not a contract for work, and this on the basis of<br />
doctrinal criteria accepted in the case law of the Supreme Court (S. 4.2.1950, among<br />
others), which rely, in order to establish the difference, on the immediate object of<br />
the lease obligation, so that if the lessor undertakes to provide a service or work, an<br />
activity in itself, and not the result that the provision produces, which is the case at<br />
hand, the lease is one of services. If, on the other hand, the provision of a result is<br />
owed, without regard to the work that creates it, the lease is one for work. Now, the<br />
obligation of the defendant, today the appealed party, is an obligation of activity and<br />
not of result.<br />
<br />
It is evident that the purpose of the contract was to provide the commercial premises<br />
with security measures aimed at preventing the commission of criminal acts, and the<br />
defendant's fundamental obligation was to provide the services necessary for the<br />
installed security mechanisms to work correctly.<br />
<br />
Under the security services lease contract, the defendant entity undertook not to<br />
prevent the possible commission of robberies on the premises, nor to guarantee in any<br />
case the restitution (in kind or in cash equivalent) of what third parties might steal,<br />
but exclusively to answer for the normal operation of a security system, consisting of a<br />
burglar alarm with a telephone connection to the alarm centre, with detection by<br />
sensors located at various points throughout the offices, so that the system had to<br />
transmit, via telephone, a signal to the Alarm Centre, which in turn had to notify the<br />
security forces of the possible crime so that they could prevent its consummation; it<br />
therefore had an essentially preventive and protective purpose and, as has been<br />
explained, the object lies in the activity, and it is only in these terms that<br />
responsibility can be demanded".<br />
<br />
The sending and receiving of signals by the device and the CRA takes place in a private<br />
home, understood as a space suitable for developing one's private life, which is<br />
affected by its inviolable nature as provided for in Article 18.2 of the Spanish<br />
Constitution (EC), an infringement that can occur regardless of whether, at the time of<br />
entry, the holder of the right is inside or outside the home. In addition, there is a<br />
close relationship between the inviolability of the home and the right to privacy<br />
enshrined in Article 18.1, as STC 22/1984 rightly pointed out: "the inviolable domicile<br />
is a space in which the individual lives without necessarily being subject to social<br />
uses and conventions and exercises his most intimate freedom".<br />
<br />
The inviolability of the home therefore guarantees that intimate sphere of personal and<br />
family privacy (within the limited space that the person himself chooses) against all<br />
kinds of invasions or attacks by other people or by public authorities that are not<br />
consented to by the right holder. The constitutional protection of the domicile thus has<br />
an instrumental character.<br />
<br />
<br />
IV.<br />
<br />
<br />
The defendant provided some details about the operation and components of an alarm<br />
system.<br />
<br />
Basically, a control panel is installed in the home, usually accompanied by an alarm kit<br />
(additional elements such as motion detectors or a camera, which may allow viewing<br />
through a mobile device via an installed application, together with other means such as<br />
a remote control, sirens, a key reader, smart keys that allow the alarm to be<br />
disconnected simply by bringing the key to the reader, magnetic detectors, etc.).<br />
<br />
The control panel, which is usually installed inside the home in a place that is not<br />
very visible, is connected to the CRA, where notifications and warnings such as alarm<br />
triggers arrive.<br />
<br />
In turn, the CRA must carry out operations to verify and analyse the anomalies that may<br />
occur, to control power outages and alarm triggers for different reasons, to give some<br />
examples. At the same time, in remote mode, the CRA can activate, configure and verify<br />
the functions of the alarm system, perform connection diagnostics, and control the alarm<br />
detectors.<br />
<br />
<br />
The control panel makes it possible to activate the system and to arm and disarm the<br />
alarm; it connects with the additional elements such as sensors and receives the signals<br />
from the installed peripheral detectors. For example:<br />
<br />
-if a door contact or a movement sensor is activated, the panel gives the signal; if the<br />
alarm is not deactivated with a valid user code, the system assumes that there is an<br />
intrusion and gives an audible or light signal, while at the same time communicating<br />
with the CRA.<br />
<br />
-If the panic, SOS or anti-robbery button is activated, it communicates directly with the<br />
CRA. It also allows bidirectional communication with the CRA through an integrated<br />
microphone and speaker (listen-and-speak module).<br />
<br />
The CRA is in charge of analysing and interpreting the alarm triggers; it is the control<br />
headquarters of the alarm systems.<br />
<br />
When an alarm trigger is attended to, the CRA has to analyse the information thoroughly<br />
to determine what type of emergency it is or whether it is a false alarm.<br />
<br />
In any case, the CRA will contact the owner or the designated contacts to inform them of<br />
what happened.<br />
<br />
Communication between the control panel and the CRA can take place by various means and<br />
methods. In general, communication between the alarm systems and the CRA takes place<br />
through two different communication paths, so that communication remains continuous<br />
even if one of the paths fails or is sabotaged.<br />
Bidirectional communication with the alarm system is possible from the CRA, which can<br />
access the system through the remote-control software, regardless of whether the<br />
installation has lost mains power.<br />
<br />
Systems in general record the activity of authorised users (the customer and the contact<br />
persons designated by him), as well as that of the defendant's operators, including<br />
machine-to-machine operations, generating access traces: log-in, origin, uptime,<br />
actions and connections.<br />
<br />
The information in these records is essential for preparing management reports and for<br />
monitoring. Among the events that the different systems record are, for example, the<br />
start and end of a session, access to and modification of files and directories,<br />
changes in the main configurations, program launches, etc.<br />
<br />
The activity records of the different systems and equipment are the data from which it<br />
is possible not only to detect performance failures or malfunctions, but also to detect<br />
errors and intrusions. With them, properly configured monitoring systems can generate<br />
alerts in real time. They also facilitate the forensic analysis needed to diagnose the<br />
causes of incidents. Finally, they are necessary to verify compliance with certain legal<br />
or contractual requirements during audits.<br />
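The log-based monitoring described above, as an added example that is not part of the<br />
decision or of the defendant's software: constructed panel-to-CRA events for a<br />
hypothetical device ALARM-0001 are checked for a silent communication path (the second<br />
path still carrying signals), a mains power loss, and a sensor trigger that no valid user<br />
code disarms within an assumed grace period. The heartbeat period and grace period are<br />
assumed values; the decision names neither.<br />

```python
"""Constructed panel-to-CRA event log for a hypothetical alarm device, with the
monitoring checks the decision describes (example code, not the defendant's system)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    device_id: str    # unique identifier of the alarm device (constructed value)
    path: str         # communication path that carried the event: "ip" or "gsm"
    kind: str         # heartbeat | power_loss | sensor | disarm | panic
    detail: str = ""  # sensor name, or "valid_code" for a disarm


# Assumed operating parameters; the decision names neither the period nor the delay.
HEARTBEAT_INTERVAL = timedelta(minutes=5)      # periodic technical signal on each path
PATH_LOST_AFTER = 2 * HEARTBEAT_INTERVAL       # two missed signals: path considered lost
DISARM_GRACE = timedelta(seconds=30)           # time allowed to enter a valid user code


def path_status(events, now):
    """Map each communication path to "ok" or "lost" from its last heartbeat."""
    last_seen = {}
    for e in events:
        if e.kind == "heartbeat":
            last_seen[e.path] = max(e.ts, last_seen.get(e.path, e.ts))
    return {p: ("lost" if now - t > PATH_LOST_AFTER else "ok")
            for p, t in last_seen.items()}


def unacknowledged_triggers(events):
    """Sensor triggers not followed by a valid-code disarm within the grace period:
    the panel then assumes an intrusion and signals the CRA."""
    disarms = [e.ts for e in events if e.kind == "disarm" and e.detail == "valid_code"]
    return [e for e in events if e.kind == "sensor"
            and not any(e.ts <= d <= e.ts + DISARM_GRACE for d in disarms)]


def analyse(events, now):
    """Alerts a CRA monitoring process would raise, as (name, time, note), by time."""
    alerts = []
    status = path_status(events, now)
    lost = [p for p, s in status.items() if s == "lost"]
    if lost and len(lost) == len(status):
        # Both paths silent: the redundancy the decision describes is exhausted.
        alerts.append(("CONNECTION_LOST", now, "all communication paths silent"))
    else:
        for p in lost:
            alerts.append(("PATH_DEGRADED", now, f"{p} path silent, other path active"))
    for e in events:
        if e.kind == "power_loss":
            alerts.append(("POWER_LOSS", e.ts, "mains lost, panel on battery"))
        elif e.kind == "panic":
            alerts.append(("PANIC", e.ts, "panic/SOS button, operator contact now"))
    for e in unacknowledged_triggers(events):
        alerts.append(("INTRUSION_ASSUMED", e.ts,
                       f"{e.detail} triggered, no valid code within grace period"))
    return sorted(alerts, key=lambda a: a[1])


# Constructed sample: IP heartbeats continue, GSM goes silent after 02:10, a door
# contact fires at 02:20 with nobody entering a code, mains power drops at 02:21.
T0 = datetime(2022, 3, 1, 2, 0)
DEVICE = "ALARM-0001"


def sample_events(with_valid_disarm=False):
    ev = [Event(T0 + timedelta(minutes=m), DEVICE, "ip", "heartbeat") for m in range(0, 30, 5)]
    ev += [Event(T0 + timedelta(minutes=m), DEVICE, "gsm", "heartbeat") for m in range(0, 15, 5)]
    ev.append(Event(T0 + timedelta(minutes=20), DEVICE, "ip", "sensor", "door_contact"))
    if with_valid_disarm:
        ev.append(Event(T0 + timedelta(minutes=20, seconds=20), DEVICE, "ip", "disarm", "valid_code"))
    ev.append(Event(T0 + timedelta(minutes=21), DEVICE, "ip", "power_loss"))
    return ev


def alert_names(minutes_after_start=30, with_valid_disarm=False):
    """Alert names in time order when the CRA evaluates the log at T0 + N minutes."""
    now = T0 + timedelta(minutes=minutes_after_start)
    return [a[0] for a in analyse(sample_events(with_valid_disarm), now)]


if __name__ == "__main__":
    for name, ts, note in analyse(sample_events(), T0 + timedelta(minutes=30)):
        print(f"{ts:%H:%M:%S} {name:<18} {note}")
```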
<br />
V<br />
<br />
<br />
Putting things this way, the defendant considers that the "technical" or "internal" logs<br />
are not personal data of the complainant and that it therefore has no obligation to<br />
provide those data as part of the right of access exercised by the latter.<br />
<br />
The objection raised by the defendant concerns the personal nature of what it calls<br />
"technical" or "internal" logs, which, as it argues, are characterised by not referring<br />
to any person, not even the claimant, and by not containing information about any<br />
person, not even the claimant. It adds that it considers them confidential and worthy<br />
of protection as business secrets.<br />
<br />
The starting point must be Article 1 of the GDPR, which establishes as its subject<br />
matter:<br />
<br />
"1. This Regulation lays down rules relating to the protection of natural persons with<br />
regard to the processing of personal data and rules relating to the free movement of<br />
personal data.<br />
<br />
2. This Regulation protects fundamental rights and freedoms of natural persons and in<br />
particular their right to the protection of personal data."<br />
<br />
The exercise of the right of access takes place both within the framework of data<br />
protection legislation, in accordance with the objectives of that legislation, and, more<br />
specifically, within the framework of the "fundamental rights and freedoms of natural<br />
persons" and, in particular, their right to "the protection of personal data", as<br />
established in Article 1(2) of the GDPR.<br />
<br />
It is essential to understand that what is at issue is determining how to apply the<br />
provisions to certain situations in which the rights of individuals are at stake<br />
because of the processing of their personal data.<br />
<br />
Article 8(1) of the Charter of Fundamental Rights of the European Union states: "1.<br />
Everyone has the right to the protection of personal data concerning him or her."<br />
<br />
Recital 26 indicates: "The principles of data protection should apply to any information<br />
concerning an identified or identifiable natural person. Personal data which have<br />
undergone pseudonymisation, which could be attributed to a natural person by the use of<br />
additional information should be considered to be information on an identifiable<br />
natural person. To determine whether a natural person is identifiable, account should<br />
be taken of all the means reasonably likely to be used, such as singling out, either by<br />
the controller or by another person to identify the natural person directly or<br />
indirectly. To ascertain whether means are reasonably likely to be used to identify the<br />
natural person, account should be taken of all objective factors, such as the costs of<br />
and the amount of time required for identification, taking into consideration the<br />
available technology at the time of the processing and technological developments. The<br />
principles of data protection should therefore not apply to anonymous information,<br />
namely information which does not relate to an identified or identifiable natural person<br />
or to personal data rendered anonymous in such a manner that the data subject is not or<br />
no longer identifiable. This Regulation does not therefore concern the processing of<br />
such anonymous information, including for statistical or research purposes."<br />
<br />
<br />
Opinion 4/2007 of the Article 29 Working Party on the concept of personal data<br />
indicates that it is: any information relating to an identified or identifiable natural<br />
person.<br />
<br />
The definition reflects the legislator's intention to maintain a broad concept of<br />
"personal data", which calls for a broad interpretation covering all information that<br />
can be linked to a person or that refers to an identifiable person, in order to protect<br />
the fundamental rights and freedoms of natural persons and, in particular, their right<br />
to privacy with regard to the processing of personal data.<br />
<br />
This breadth in the extension of the term "personal data", like the diversity of the<br />
fields in which it can manifest itself, is confirmed in various judgments of the CJEU,<br />
for example that of 12/20/2017, case C-434/16, paragraphs 33 to 35:<br />
<br />
"33. As the Court has previously held, the scope of Directive 95/46 is very wide and the<br />
personal data covered by that directive is varied (judgment of 7 May 2009, Rijkeboer,<br />
C-553/07, EU:C:2009:293, paragraph 59 and the case-law cited).<br />
<br />
34. The use of the expression "any information" in the definition of the concept of<br />
"personal data", within Article 2(a) of Directive 95/46, reflects the aim of the EU<br />
legislature to assign a wide scope to that concept, which is not restricted to<br />
information that is sensitive or private, but potentially encompasses all kinds of<br />
information, not only objective but also subjective, in the form of opinions and<br />
assessments, provided that it "relates" to the data subject.<br />
<br />
35. As regards the latter condition, it is satisfied where the information, by reason of<br />
its content, purpose or effect, is linked to a particular person..." (The underlining is<br />
ours).<br />
<br />
<br />
The doctrine developed by the CJEU on the breadth of the concept of personal data has<br />
been adapted over time to take account of successive technological advances. Thus, in the<br />
judgment of 11/24/2011, case C-70/10, paragraph 51, it held that IP addresses are<br />
protected personal data, since they make it possible to identify those users precisely.<br />
This criterion is maintained and extended even to dynamic IP addresses, those<br />
temporarily assigned by network access providers to their customers, which were held to<br />
still constitute personal data where the party storing them, in that case the operator<br />
of a website, did not itself hold the data needed to identify the specific user, but<br />
those data were in the possession of a third party. This criterion, again favourable to<br />
a broad interpretation of the concept of personal data, was taken up in the CJEU<br />
judgment of 10/19/2016 in case C-582/14, Patrick Breyer v Bundesrepublik Deutschland,<br />
when it held that the IP address is personal data for the service provider: "Article<br />
2(a) of Directive 95/46 must be interpreted as meaning that a dynamic IP address<br />
registered by an online media services provider when a person accesses a website that<br />
the provider makes accessible to the public constitutes personal data within the meaning<br />
of that provision, in relation to that provider, where the latter has the legal means<br />
which enable it to identify the data subject with additional data which the internet<br />
service provider has about that person" (paragraph 49).<br />
<br />
More recently, in its judgment of 06/17/2021 (Case C-597/19), analysing a case of the<br />
uploading, from the terminal equipment of a user of a peer-to-peer network to the<br />
equipment of other users of that network, of pieces, previously downloaded by that user,<br />
of a media file containing a protected work, even though those pieces are usable in<br />
themselves only from a certain download volume and even though it is the software itself<br />
that automatically gives rise to that upload, it recalls in paragraph 97 that "As a<br />
preliminary point, it should be noted that, in the main proceedings, there are two<br />
separate processing operations of personal data, namely one that has already been<br />
carried out, upstream, by Media Protector on behalf of Mircom, in the context of<br />
peer-to-peer networks, consisting in recording the IP addresses of users whose internet<br />
connections were allegedly used, at a given time, to upload protected works on those<br />
networks, and another which, according to Mircom, must be carried out by Telenet<br />
downstream, consisting, first, in identifying those users by matching those IP addresses<br />
with those which, at that same time, Telenet had assigned to those users in order to<br />
carry out that upload and, second, in communicating the names and addresses of those<br />
same users to Mircom".<br />
<br />
<br />
In light of the broad scope of the definition of personal data, a restrictive assessment<br />
of that definition by the data controller would lead to an incorrect determination of<br />
what constitutes personal data and, ultimately, to a breach of the rights that the GDPR<br />
confers on data subjects, among which is the right of access.<br />
<br />
The AEPD, as part of its function of supervising the application of data protection<br />
legislation, must interpret exceptions to the application of the concept of personal<br />
data such as the one defended by the defendant, since, if its theory were validated,<br />
part of the alarm system's logs might fall outside the scope of application of the<br />
GDPR.<br />
<br />
The aforementioned breadth of the definition of personal data is defined by:<br />
<br />
-"any information", including all data that provides information, whatever its kind,<br />
which is to be interpreted broadly, encompassing subjective or objective information,<br />
including evaluations, diagnoses or opinions.<br />
<br />
-"relating to" a natural person, thus linking any type of information to a natural<br />
person. Here it is essential to connect the purpose of the information with the person<br />
"about" whom it is processed and the effects it may have for that person.<br />
<br />
-"identified" or "identifiable". This refers to any person whose identity can be<br />
determined, directly or indirectly, in the sense that, for information to qualify as<br />
personal data, it is not necessary that the information by itself allows the data<br />
subject to be identified. In this case, the information that makes the person<br />
identifiable is the logs, which, both those the defendant calls technical and those it<br />
accepts as the claimant's personal data, appear in relation to one device, structured as<br />
a single, unitary and compact block, ordered chronologically so as to reflect the events<br />
of the device referring to that claimant, who is identifiable.<br />
<br />
Opinion 4/2007 adds: "In cases where, at first glance, the extent of the identifiers<br />
available does not allow anyone to single out a particular person, that person might<br />
still be 'identifiable' because that information combined with other pieces of<br />
information (whether the latter is retained by the data controller or not) will allow<br />
the individual to be distinguished from others". In this case, not everyone can identify<br />
the person, but Securitas personnel can, and if there is someone who can do it, that<br />
would be enough,<br />
<br />
-regardless of the content or nature of the origin of the information.<br />
<br />
-As the defendant has already reproduced in its report of 01/29/2021, provided by the<br />
defendant in its allegations, with regard to information "relating to" a person, Opinion<br />
4/2007 illustrates its meaning as follows: "the data registered in one's individual file<br />
in the personnel office are clearly 'related' to the person's situation as an employee.<br />
However, it is not always so evident to establish that the information 'relates' to a<br />
particular person. In some situations, the information conveyed by the data concerns<br />
objects rather than individuals. Those objects usually belong to someone, or may be<br />
subject to particular influence by or upon individuals or may stay in some sort of<br />
physical or geographical proximity with individuals or with other objects. It is then<br />
only indirectly that it may be considered that the information relates to those<br />
individuals or those objects. A similar analysis applies when the data refer in the<br />
first instance to processes or events, such as the functioning of a machine where human<br />
intervention is required. Under certain circumstances, this information may also be<br />
regarded as relating to an individual."<br />
<br />
- "A third kind of 'relating' to specific persons arises where a 'result' element is<br />
present. Despite the absence of a 'content' or 'purpose' element, data can be<br />
considered to 'relate' to an individual because, taking into account all the<br />
circumstances surrounding the precise case, their use is likely to have an impact on<br />
that person's rights and interests. It is sufficient if the individual may be treated<br />
differently from other persons as a result of the processing of such data."<br />
<br />
<br />
<br />
It should be noted that the scope of the concept of personal data and, therefore, the<br />
distinction between personal data and other data, forms an integral part of the<br />
assessment that the data controller must carry out to determine the scope of the data<br />
to which the data subject has the right of access, elements that belong in a "privacy<br />
by design" configuration. In this case, the defendant indicates that it was not until<br />
2020 that it began to analyse the processing of the logs of the alarm devices connected<br />
to the CRA, the report of 01/29/2021 also serving as a management tool for requests to<br />
exercise rights.<br />
<br />
In this case, what is at issue is the installation of an alarm, a device that monitors,<br />
24 hours a day, every day of the year, the security of a dwelling at a private address,<br />
implemented through a security contract, with a device installed in the claimant's home<br />
connected to additional verification elements, which, in order to function correctly,<br />
also requires maintenance and monitoring and must remain connected. It follows from the<br />
system's configuration that its use, interactions and alarm triggers generate logs that<br />
correspond unequivocally to personal data of identified and identifiable persons and to<br />
information about one another, both those identified and those who may be identifiable.<br />
<br />
Focusing on the defendant's refusal to classify the so-called technical logs as personal<br />
data, on the ground that they do not collect information about a data subject, do not<br />
seek to learn information about him, or about his rights and freedoms, it must be<br />
recalled that the defendant classifies these logs, which it excludes from the scope of<br />
application of the GDPR, into categories that would consist, briefly, of:<br />
<br />
-technical communication signals between devices in order to verify correct operation,<br />
or failure records,<br />
<br />
-the gathering of information through informative signals,<br />
<br />
-internal records relating to a specific event.<br />
<br />
It is observed in the report of 01/29/2021, provided by the defendant in its allegations,<br />
that Table I lists, as descriptions of this type of technical log, which would therefore<br />
fall into one of the three categories explained above, cases such as: "information on<br />
alarm triggers", "alarm trigger on sensors", "periods in which there is a loss of<br />
connection between SD servers and the device installed in the home of the data subject",<br />
the "cancellation of the incident", "relevant signal transmitted to an operator to start<br />
the management process", and "issuance of periodic technical signals to confirm that<br />
there is indeed a connection and readiness to carry out the activity". All of them,<br />
according to the defendant, respond to internal communication-verification protocols,<br />
without it explaining why it considers that these logs, both by their content and by<br />
their effects, cannot affect the rights and interests of the data subject, or why it<br />
considers that they do not refer to him, when, moreover, on extraction from the system<br />
they appear grouped and related to the person of the claimant and his home, in order to<br />
be used for the purposes of security control of events and of the correct functioning of<br />
the system, which would constitute information that concerns him.<br />
<br />
<br />
<br />
The notion of personal data that "concerns" the data subject should not be interpreted<br />
too restrictively. This is how it is interpreted by Guidelines 01/2022 on data subject<br />
rights - Right of access, version 1.0, adopted on 01/18/2022 by the European Data<br />
Protection Board (EDPB) and published on its website, although subject to public<br />
consultation from 01/28 to 03/11/2022. In paragraph 103 it indicates that "the<br />
classification of the data as personal data relating to the data subject does not depend<br />
on whether such personal data also relate to another person. Therefore, it is possible<br />
that personal data relate to more than one person at the same time", and in paragraph<br />
104, that "the words 'personal data concerning him or her' should not be interpreted in<br />
an 'overly restrictive' manner by data controllers, as the Article 29 Working Party<br />
already stated in relation to the right to data portability. Transposed to the right of<br />
access, the EDPB considers, for example, that recordings of telephone conversations (and<br />
their transcription) with the data subject are included in the right of access, provided<br />
that they are personal data".<br />
<br />
The aforementioned Opinion 4/2007 establishes, as already mentioned, that "in some<br />
situations, the information conveyed by the data concerns objects rather than<br />
individuals. Those objects usually belong to someone or are under the influence of a<br />
person or exert an influence on that person", and that in those cases there is the<br />
possibility that the information relates to those people, albeit indirectly.<br />
<br />
Well, in the case under examination, all the logs, including those generated and stored<br />
without the intervention of the owner-users, which are operated by SD employees in<br />
processes in which the owner does not interact, whether in internal technical operations<br />
that reveal information about the effectiveness and operation of the alarm installed in<br />
the claimant's home, being linked to the contract for the provision of the subscribed<br />
services, establish a connection between the object (the alarm) and the affected person,<br />
since the alarm is identified by a unique identifier (a specific number for each alarm<br />
device) for that service, which inevitably links the data subject with the device and<br />
with everything that is generated and recorded in relation to it. If we took any of the<br />
submitted logs in isolation, they would identify that person.<br />
<br />
According to SAN 3091/2019, of July 23, 2019, "On the one hand, it is a natural person,<br />
and therefore fully identifiable, who signs a contract for the installation and<br />
maintenance of an alarm for the protection of his home with the plaintiff security<br />
company, a contract from which a series of rights regarding the custody and security of<br />
that home derive. On the other hand, and this is important to highlight, the right of<br />
access is exercised with respect to records and signals captured and sent by the alarm<br />
equipment installed in a private home, and is exercised precisely by the person who<br />
owns that domicile."<br />
<br />
Thus, in this case, given this link between the alarm and the data subject through the<br />
unique identifier that ties the alarm to the contract and to the data subject, the alarm<br />
system, once put into operation or programmed, generates information about that person,<br />
so that all the logs discussed are considered personal data.<br />
<br />
<br />
Apart from the fact that the information may relate directly to the claimant, who is<br />
identified, or is identifiable, in active or passive interactions, he is also identified<br />
indirectly, because the information in all the logs, including the technical ones, is<br />
associated with the object or device, which indicates that the information is about the<br />
claimant because his right to the security of his own home, and within his own home, is<br />
affected by those logs.<br />
<br />
Both the logs the defendant calls technical and the rest remain stored and guarded by<br />
the defendant, and document and contain information, directly or indirectly, on the<br />
secure operation of the claimant's contracted system, which is their object as far as<br />
the claimant is concerned, or at least concerns him. The defendant's interpretation<br />
would not be complete if it considered separating out the information it calls<br />
"technical logs", which in its view should simply remain stored in its possession,<br />
without having to be made available to the claimant as an instrument for his knowledge.<br />
<br />
In addition, all the logs and event records, both those the defendant calls technical<br />
and those that are not, are included in the same "raw" or "online" format, because they<br />
appear interrelated and conditioned chronologically, with the difficulty of<br />
understanding them unless they are complete, and this advises protecting their integrity<br />
and security jointly. It should not be forgotten that one of the functions of the logs<br />
can be to prevent modifications, or to trace them in order to know the events. On the<br />
other hand, for example, an access following a security breach would obtain complete<br />
information, because the entries appear ordered according to a single purpose. Nor can<br />
the fact that the software used, or its options, label the logs as "technical" be used<br />
to extend a total and automatic exclusion to the entire log; the exclusion must be<br />
limited, exceptionally, to the data that, by virtue of the descriptive or key qualities<br />
they hold, have a substantial impact on the trade secret.<br />
<br />
Consider, for example, the technical logs collected on the day of the intrusion and the subsequent days, which relate to internal operations from which the defendant can deduce what happened, and the consequences drawn from the connection on the later days, days without connection; all of them affect the right of the claimant because they relate to the right to the security of his goods and property, which the claimant seeks to protect through the permanent operation of the device, guaranteed by signing a contract with obligations and rights for both parties. In this way, only the defendant could understand what happened to the system contracted by the claimant, when the technical logs, which are linked to the person of the claimant, are also considered to affect, directly or not, the claimant's rights. It must be added that, in the face of the same events, occurring at the same moments, such as alarm triggers or power cuts, other types of logs are generated that the defendant considers must receive differentiated treatment for being technical.<br />
<br />
<br />
In short, the processing of the log data serves the performance of the security contract, one of whose objects is precisely the record of logs, all of which relate to home security. Given the purpose of processing the logs and the object on which it falls, the relationship between the system, the signals and the owner of the alarm system is evident, since the technical logs that identify the claimant also concern the right he holds as owner and as the person responsible for the correct use of the contracted system, for which said record of events is a fundamental means of safeguarding the claimant's affected right.<br />
<br />
These log record data, which the defendant denies are personal data, defining them as technical and grouping them as responses to internal communication-verification protocols, signal registration or internal procedures, can in fact also be used, for example, for forensic purposes in a case concerning liability for the operation of the system of which the claimant is the owner.<br />
<br />
Undoubtedly, the system with all its records is identified with the claimant, affecting his rights and interests. It cannot be concluded that these data are not information about an identified or identifiable person; moreover, part of the rights affected, such as the theft suffered, are related to the logs, including those the defendant considers technical, which in fact identify the claimant and directly affect his rights.<br />
<br />
<br />
In conclusion:<br />
<br />
1. The GDPR defines personal data in its Article 4: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”<br />
<br />
<br />
2. The claimant has entered into a security contract with the defendant. For this purpose, an alarm device was installed at the claimant's home.<br />
<br />
3. The alarm device located in the claimant's home is identified with a unique and permanent identifier (a specific number for each alarm device) for that specific service contract.<br />
<br />
<br />
4. Through the alarm system, logs are generated that are linked to the alarm device installed in the claimant's home, which is in turn attached to the contract signed by the claimant with Securitas Direct. SAN 3091/2019, of July 23, 2019, defines the logs as "records and signals captured and sent by the alarm equipment installed in a private residence."<br />
<br />
<br />
5. Each of the logs, without distinction, therefore inevitably links the data subject with the device, with everything generated and recorded in relation to it, and with the signed contract. Each of the logs uniquely identifies the data subject.<br />
<br />
6. In addition, all logs concern the data subject in relation to his rights, since the logs are connected to the security of the home, affecting the claimant's right to the safety of his home and to security within his own home.<br />
<br />
7. The logs identify the claimant, as they are information about an identified natural person.<br />
<br />
<br />
<br />
Therefore, in this specific case and considering the context, having examined all the concurrent circumstances, the content of the access must include all logs generated by the alarm system, including those the defendant calls "technical" logs, since they are personal data within the meaning of Article 4 GDPR, including those that were not delivered to the claimant because they were classified as technical.<br />
<br />
It is concluded, in this specific case, that all the logs are personal data, including those the defendant calls technical, which identify the claimant and affect him in one way or another, so that they fall within the right of access that must be provided.<br />
<br />
VI<br />
<br />
Regarding the defendant's statement that the "logs that do not involve data processing", that is, the "technical" logs, could contain information about internal technical procedures whose disclosure to third parties would amount to handing over its "know-how" or trade secrets, recital 63 of the GDPR states:<br />
<br />
<br />
“A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.” (The underlining is ours.)<br />
<br />
Reference is made to the limits on the modality of obtaining the right of access contained in Article 15(3) and (4) GDPR, which provide:<br />
<br />
"3. The controller shall provide a copy of the personal data undergoing processing...<br />
<br />
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.”<br />
<br />
Thus, the right to obtain a copy as part of the right of access "should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software". However, it is reiterated, "the result of those considerations should not be a refusal to provide all information to the data subject".<br />
<br />
Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, transposed into Spanish law by Law 1/2019 of 20 February on Business Secrets, states in its recitals 34 and 35:<br />
<br />
“(34) This Directive respects the fundamental rights and observes the principles recognised in particular by the Charter, notably the right to respect for private and family life, the right to protection of personal data, the freedom of expression and information, the freedom to choose an occupation and the right to engage in work, the freedom to conduct a business, the right to property, the right to good administration, and in particular access to files, while respecting business secrecy, the right to an effective remedy and to a fair trial and the right of defence.<br />
<br />
(35) It is important that the rights to respect for private and family life and to protection of personal data of any person whose personal data may be processed by the trade secret holder when taking steps to protect a trade secret, or of any person involved in legal proceedings concerning the unlawful acquisition, use or disclosure of trade secrets under this Directive, and whose personal data are processed, be respected. Directive 95/46/EC of the European Parliament and of the Council governs the processing of personal data carried out in the Member States in the context of this Directive and under the supervision of the competent authorities of the Member States, in particular the public independent authorities designated by the Member States. Thus, this Directive should not affect the rights and obligations laid down in Directive 95/46/EC, in particular the rights of the data subject to access his or her personal data being processed and to obtain the rectification, erasure or blocking of the data where it is incomplete or inaccurate and, where appropriate, the obligation to process sensitive data in accordance with Article 8(5) of Directive 95/46/EC."<br />
<br />
A limitation similar to the one provided for in Article 15(4) GDPR applies to the right to data portability, developed in Article 20 GDPR, paragraph 4 of which establishes that “The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others”. Bearing in mind that both the right of access to a copy and the right to data portability are among the fundamental components of the GDPR, the reasoning given for this limitation by the Article 29 Working Party in its guidelines on the right to data portability, adopted on 13 December 2016, is that: "Though not directly related to portability, this can be understood as including "trade secrets or intellectual property and in particular the copyright protecting the software". However, even though these rights should be considered before answering a data portability request, “the result of those considerations should not be a refusal to provide all information to the data subject”.<br />
As a conclusion on the defendant's allegations, considering the right of access of the data subject and the rights of the defendant, attention must be paid to reconciling the rights of both parties in accordance with Article 15(4) GDPR in the fulfilment of part of the content of the copy of the logs that makes up the right of access.<br />
<br />
In this way, the condition provided for in Article 15(4) GDPR would restrict not the copy of the logs, which comprises all the logs as has been reasoned, but only that part of the copy of the log data that may reveal information affected by trade secrecy, in the terms explained in the following legal ground.<br />
<br />
VII<br />
<br />
<br />
Under Article 15 GDPR, everyone enjoys the right of access to the personal data concerning them that are undergoing processing; that article provides:<br />
<br />
<br />
<br />
"1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data…”<br />
<br />
"3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.<br />
<br />
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.”<br />
<br />
The right of access, called habeas data or "habeas scriptum", constitutes the essential core of the right regulated in Article 18(4) of the Constitution (STC 292/2000) and consists in the data subject being able to demand that the controller make a disclosure. The scope of the right of access is determined by the scope of the concept of personal data defined in Article 4(1) GDPR.<br />
<br />
The right of access should not be considered in isolation, as it is closely related to other provisions of the GDPR, in particular the data protection principles, including the fairness and lawfulness of processing, the controller's transparency obligations and the other rights of data subjects provided for in Chapter III GDPR. Of special importance in this procedure are Articles 5(1)(b) to (d), which read:<br />
<br />
1. Personal data shall be:<br />
<br />
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation");<br />
<br />
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");<br />
<br />
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");<br />
<br />
The protection of the fundamental right to personal data protection implies, in particular, that any natural person can ensure that the data concerning them are accurate and used lawfully. The aforementioned right of access may be essential, in particular, to enable the data subject to obtain from the controller, where appropriate, the rectification, erasure or blocking of such data and, consequently, to exercise other rights related to the purposes for which the data were collected.<br />
<br />
In this sense, albeit referring to the then-applicable Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the Court of Justice of the European Union held in the "Rijkeboer" case, C-553/07, of 7 May 2009:<br />
<br />
51 “That right of access is necessary to enable the data subject to exercise the rights referred to in Article 12(b) and (c) of the Directive, that is to say, where the processing of his data does not comply with the Directive, to obtain from the controller the rectification, erasure or blocking of his data (point (b)) or to have third parties to whom the data have been disclosed notified of that rectification, erasure or blocking, unless this proves impossible or involves a disproportionate effort (point (c)).<br />
<br />
52 The right of access is also necessary to enable the data subject to exercise the right to object to the processing of his personal data referred to in Article 14 of the Directive, and the right of action where he suffers damage, as provided for in Articles 22 and 23 of the Directive.”<br />
<br />
The general objective of the right of access is to provide individuals with sufficient, transparent and easily accessible information about the processing of their personal data, so that they can be aware of and verify the lawfulness of the processing and the accuracy of the data processed.<br />
<br />
Unless expressly indicated otherwise, the request must be understood as referring to all personal data relating to the data subject.<br />
<br />
"Thus, if full access is not given, the data subject must be informed of the reasons and specific circumstances, so that the reasons are known in case the claimant wishes to take measures against that decision", as indicated in point 172 of the aforementioned Guidelines 1/2022. The controller must search for personal data in all IT systems and in non-IT filing systems on the basis of search criteria that reflect the way the information is structured.<br />
<br />
<br />
If the controller intends to apply exceptions or restrictions to the right of access, it should carefully check which parts of the information the exception refers to and provide all information not excluded by the exception. Such a provision would form part of data protection by design, with this aspect established beforehand and sufficiently developed, explicit and documented.<br />
<br />
The communication of data and other supplementary information about the processing must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The more precise requirements in this regard depend on the circumstances of the processing and on the ability of the data subject to understand the communication.<br />
<br />
In this sense, moreover, the access provided on 02/23/2021 is not adequate, being incomplete: it is not the original format but a summary, with little information and chronologically disordered in its account of the recorded events, limited to an unordered grouping of dates and log names, with an explanation of the defendant's own which, given the diversity and nature of the situations that may arise, does not even minimally satisfy the content of the right of access.<br />
<br />
It differs from the access provided on 12/14/2021 in that the latter is in the original format and contains all the features of the log. However, the defendant did not include all the logs, since those it calls "technical" logs are missing, and the logs delivered are also incomprehensible because of the keys and abbreviations appearing in the document, whose meaning is unknown.<br />
<br />
Thus, notwithstanding the foregoing, if the data consist of "codes", as in this case, or other "raw data" from the service, they must be explained so as to make sense to the data subject. No such explanation was supplied in the disclosure provided on 12/14/2021.<br />
<br />
<br />
Access to personal data means access to the actual personal data, not merely a general description of the data or a reference to the categories of personal data processed by the controller.<br />
<br />
Raw data could be described as the unanalysed data underlying a processing operation. Raw data can exist at different levels, where at the most basic level the data may only be machine-readable (as "bits"). It should be noted that the information provided to the data subject must always be in a human-readable format.<br />
<br />
Because all the logs appear in a single block referring to the claimant's device, both the so-called technical logs and those the defendant considered personal data require, for their complete understanding, the deciphering of various columns with various descriptors: the translation of the keys for all logs.<br />
<br />
When providing data in a raw format, it is important that the controller adopt the necessary measures to ensure that the data subject understands the data, for example by providing an explanatory document that translates the raw format into a user-friendly one. Such a document could also explain the meaning of abbreviations and other acronyms.<br />
<br />
Regarding the application of Article 15(4) GDPR, reference is made to the condition on the modality in which the right of access is attended to, in order to reconcile the rights in conflict with those of the defendant, given that it must not affect the right of access itself, as indicated previously.<br />
<br />
It should be borne in mind that the GDPR establishes that the right of access includes providing complete information.<br />
<br />
The condition provided for in Article 15(4) GDPR would restrict only the delivery to the claimant of a copy of the data that may be affected by trade secrecy, that is, part of its content. Thus, the claimant can receive the response to the exercise of the right of access in a modality other than the copy, or even in a combination of several modalities if the circumstances so require, as in this case, where rights may converge in divergent interests.<br />
<br />
It follows that, since the content of all the logs is completed by the keys, table descriptions, comments, events, etc., on the defendant's thesis the secret could be revealed by all the logs. Security-sensitive content concerning the handling of circumstances that arise with the devices can affect both types of log.<br />
<br />
There is a key for "(...) of the signal", a description, and another somewhat broader one in a field of the type "***COLUMN.2 (...)", "***COLUMN.1", "event", etc., elements common to the personal data, but it is not apparent what would constitute a trade secret or "know-how" in the knowledge of how events are handled that could jeopardise the security of the defendant's measures. In any case, this must be interpreted restrictively. Thus, the risk to trade secrets or, more specifically, the risk that a log reveals the defendant's way of acting, must be sufficiently shown, case by case, to affect or be capable of affecting it. There may be times when a single key gives indications of such knowledge, or it may be that even with several keys no secret is revealed.<br />
As a way of respecting the defendant's "know-how", it may, exceptionally and where applicable, justify why additional joint information complementary to each log making up the access table, or the joint keys to them, should not be provided in the copy modality. This relates to the consideration that, if it is established that a specific way of acting in response to an event could be revealed, the "know-how" could become known without justification.<br />
<br />
<br />
<br />
In conclusion,<br />
<br />
1. The claimant has the right to access all the logs, which are his personal data.<br />
<br />
2. Two combined and complementary modalities of access are established, in consideration of the rights and interests concerned, taking into account also the defendant's right to trade secrecy.<br />
<br />
3. One modality of access is the copy. Taking into account the defendant's right to trade secrecy, under Article 15(4) GDPR the content of the copy containing all the logs is limited. The limitation on the copy modality of the right of access implies, in this case, not providing the claimant with data on the content of the logs in those cases where trade secrecy may be affected. The defendant must justify such an effect.<br />
<br />
4. In the other modality, complementary to the previous one, the defendant must enable a form of access to all of the claimant's personal data, whether or not affected by trade secrecy, without prejudice to what is established for the copy.<br />
<br />
5. In both modalities of access, the personal data must be provided in the original format, understandable and intelligible, with supplementary information for their comprehension.<br />
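The copy modality described in the conclusions above, as an added example that is not part of the decision or of any Securitas system: a Python routine that keeps every log record in the copy (the so-called technical ones included), orders them chronologically, attaches a legend entry to each code, and withholds only individually justified fields under Article 15(4). The log format, column names, codes, legend and restriction policy are all constructed for illustration.<br />

```python
"""
DSAR export for alarm-system logs, illustrating two points of the decision:
(1) no log is dropped wholesale for being "technical"; every record stays in
    the copy, in chronological order, with its codes explained by a legend;
(2) an Art. 15(4) restriction is applied per field, with a recorded
    justification, never to the whole log.

Added example; not code from the AEPD decision or from Securitas.
Log format, column names, codes, legend and policy are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List

# Constructed sample: a raw export in which technical and non-technical
# events for one device are interleaved and not in chronological order.
RAW_LOGS = """\
2021-02-10T21:05:11;DEV-0001;SIG-INTR;Z2;PIR;alarm_jump
2021-02-10T21:02:40;DEV-0001;SIG-PWR;AC;LOST;power_cut
2021-02-11T03:14:00;DEV-0001;TEC-KA;POLL;OK;keepalive
2021-02-10T21:05:13;DEV-0001;TEC-VER;CALL;NOANS;verification_attempt
2021-02-12T00:00:00;DEV-0001;TEC-NOCON;LINK;DOWN;no_connection
"""

# Constructed legend: explains the "keys and abbreviations" a data subject
# could not otherwise understand (the decision requires such an explanation).
LEGEND: Dict[str, str] = {
    "SIG-INTR": "intrusion signal received from a detector",
    "SIG-PWR": "mains power status change reported by the panel",
    "TEC-KA": "periodic keep-alive poll from the central station",
    "TEC-VER": "operator verification attempt after a signal",
    "TEC-NOCON": "device unreachable from the central station",
}

# Constructed restriction policy: only named fields of named codes may be
# withheld from the copy, and each needs a written justification.
RESTRICTED_FIELDS: Dict[str, Dict[str, str]] = {
    "TEC-VER": {"column2": "internal verification protocol (trade secret claim)"},
}

COLUMNS = ["timestamp", "device_id", "signal_code", "column1", "column2", "event"]


@dataclass
class AccessCopy:
    """The copy handed to the data subject plus the controller's own record
    of every field withheld and why (needed to justify the restriction)."""
    records: List[dict]
    justifications: List[str] = field(default_factory=list)


def parse_logs(raw: str) -> List[dict]:
    """Split the semicolon-separated export into one dict per log line."""
    rows = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        values = line.split(";")
        if len(values) != len(COLUMNS):
            raise ValueError(f"malformed log line: {line!r}")
        rows.append(dict(zip(COLUMNS, values)))
    return rows


def build_access_copy(raw: str, legend: Dict[str, str],
                      restricted: Dict[str, Dict[str, str]]) -> AccessCopy:
    """Produce the Art. 15(3) copy: every record kept, sorted by time, codes
    explained, and only justified fields withheld (Art. 15(4))."""
    rows = sorted(parse_logs(raw),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    copy = AccessCopy(records=[])
    for r in rows:
        out = dict(r)
        # Explain the code instead of leaving a bare key in the copy.
        out["meaning"] = legend.get(r["signal_code"],
                                    "no legend entry (must be supplied)")
        # Withhold only the specific fields the policy names, never the record.
        for fld, why in restricted.get(r["signal_code"], {}).items():
            out[fld] = "[withheld under Art. 15(4)]"
            copy.justifications.append(
                f"{r['timestamp']} {r['signal_code']}.{fld}: {why}")
        copy.records.append(out)
    return copy


if __name__ == "__main__":
    result = build_access_copy(RAW_LOGS, LEGEND, RESTRICTED_FIELDS)
    for rec in result.records:
        print(rec)
    print("withheld:", result.justifications)
```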
<br />
VIII<br />
<br />
<br />
From the analysis of the specific case examined, and taking into account the specific circumstances revealed throughout the administrative file, what was delivered to the claimant, and its content and scope, Securitas provided, under cover of what was previously resolved by the AEPD, the raw, unprocessed "logs", but having first filtered the "logs" and excluded the information it considers not to be personal data "since it is exclusively technical information" and subject to trade secrecy.<br />
<br />
Likewise, for the logs it considers to contain the claimant's personal data, it did not provide the codes and keys that would make it possible to fully understand their meaning.<br />
<br />
The defendant is considered to have breached the resolution of the Spanish Data Protection Agency in relation to the measures imposed on it.<br />
The facts are considered to constitute an infringement, attributable to the defendant, of Article 58(2)(c) GDPR, which provides:<br />
<br />
"2. Each supervisory authority shall have all of the following corrective powers:<br />
<br />
(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;"<br />
<br />
This infringement is typified in Article 83(6) GDPR, which stipulates:<br />
<br />
"Non-compliance with an order by the supervisory authority as referred to in Article 58(2) shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”<br />
<br />
This empowers the AEPD to proceed in accordance with the power granted by Article 58(2):<br />
<br />
“(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;"<br />
<br />
In this case, an administrative fine is appropriate because of the failure to comply, in its terms, scope and content, with the essential content of the right of access, and because of the impediment that deprives the claimant of the data undergoing processing.<br />
<br />
Article 71 of the LOPDGDD indicates:<br />
<br />
"Infringements are the acts and conducts referred to in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law.”<br />
<br />
<br />
For the purposes of the limitation period for infringements, the alleged infringement is time-barred after three years, in accordance with Article 72(1) of the LOPDGDD, which states:<br />
<br />
"1. On the basis of Article 83(5) of Regulation (EU) 2016/679, infringements that involve a substantial violation of the articles mentioned therein are considered very serious and are time-barred after three years, in particular the following:”<br />
<br />
"(m) Failure to comply with resolutions issued by the competent data protection authority in the exercise of the powers conferred by Article 58(2) of Regulation (EU) 2016/679.”<br />
<br />
IX<br />
<br />
The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with Article 83(1) GDPR. Consequently, the penalty must be graded according to the criteria set out in Article 83(2) GDPR and in Article 76 LOPDGDD, with regard to point (k) of Article 83(2) GDPR.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 99/102<br />
The following circumstances are taken into consideration:<br />
<br />
-Article 83(2)(a): "the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;"<br />
<br />
On the occasions on which access was provided (the first two with identical content, and a third after the rights-exercise procedure had been resolved), the response was incomplete, not merely partial, since neither was all of its content reflected nor was it made comprehensible. These are data processing operations in a field such as home security. Such elements operate as aggravating factors. Failure to comply with the obligation to attend to the right cannot have the same consequences regardless of its duration, the persistence of the refusals or the repetition of the responses; in this case they evidence a greater seriousness that qualifies the sanctioning response.<br />
<br />
-Article 83(2)(b) GDPR, "the intentional or negligent character of the infringement". It is established that on 17/09/2021 the rights-exercise procedure TD/00167/2021 was resolved; although an appeal for reconsideration was lodged, on 27/10/2021 the TD resolution was confirmed, notified the day after the claim. There is no record that the respondent complied with the right within the period granted in the resolution, which it exceeded by a wide margin; only after the claimant made the required declaration that nothing had been received did the AEPD have to contact the respondent, which only then agreed to send the last letter of 14/12/2021, and that letter still fails to satisfy the content of the right. This conduct denotes clear negligence in the fulfilment of the duty incumbent on it.<br />
<br />
The respondent states that it acted diligently by engaging an entity to study the logs in their relationship with personal data in order to meet the claimant's request.<br />
<br />
This statement appears to contradict another made by the respondent in its allegations to the same initiation agreement, namely that the engagement of the legal service embodied in the report of document 1 was carried out mainly for the purpose of regulatory compliance, which requires assessing what data is being processed. Since the logs are data common to all the alarm-derived products the respondent manages, it should, from the entry into force of the GDPR, have implemented the data protection by design referred to in this resolution, so that the controller puts in place the technical and organisational measures needed to implement the principles and safeguard individual rights. In essence, this means integrating data protection into its processing activities and business practices from the design stage and throughout the life cycle. This helps ensure compliance with the fundamental principles and requirements of the GDPR and forms part of the accountability approach. The supposed diligence is nothing more than compliance with what the regulations establish.<br />
<br />
-Article 76(2)(b) LOPDGDD: "The link between the offender's activity and the processing of personal data". The respondent offers products for which the habitual management of data processing is essential, as listed in the contracts alongside its devices.<br />
<br />
As regards the allegations by which the respondent seeks to mitigate the penalty by stating that it attended to the right, albeit partially, on three occasions, it must be noted that the access of 23/02/2021, reproduced on 18/05/2021, consisted of repeated, merely formal accesses: the respondent's own elaborations with a generic log description and explanation, a response that is incomplete, not partial. Not only is it not the original but the respondent's own elaboration, lacking the keys needed to understand it and the description of the events, it also omits the logs that the respondent improperly calls "technical". Moreover, by inferring that there was partial compliance, it attempts to attach to it the consequence that the access is a minor infringement for the purposes of the limitation period under Article 74(c) LOPDGDD. On the contrary, the infringement, both as a result of the accesses with identical content and of the one provided on 14/12/2021, must be classified as substantial, ruling out its formal or at least "merely formal" character, given that the claimant has not had access to all the information, and given the repercussions this has for the data subject.<br />
<br />
As regards the alleged good faith ("it has been complied with up to three times"), it is considered that the number of times is not what matters, since once would be sufficient, and that on the occasions on which access was provided the content was incomplete, not partial as claimed. In any event, good faith does not prove the absence of fault and unlawfulness.<br />
<br />
Based on the above factors, for the infringement of Article 58(2) GDPR, it is agreed to impose a fine of 50,000 euros.<br />
<br />
X<br />
<br />
<br />
As a corrective power, this AEPD may "order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation" (Article 58(2)(c) GDPR).<br />
<br />
The respondent must complete the requested access, providing all the logs it has withheld to date, including all the logs contained, in chronological order, in document 2 of the table provided in its allegations to the initiation agreement, which were marked in red and which complement and logically follow one another in the device records.<br />
<br />
<br />
The information must include the keys that clarify the aforementioned table and its sections, so that the data tables are understandable, either in line format or in the raw form in which the respondent obtained them.<br />
<br />
The specifics set out in Legal Grounds VI and VII shall be taken into account as the manner of complying with the measure imposed.<br />
<br />
The imposition of this measure is compatible with the penalty consisting of an administrative fine, in accordance with Article 83(2) GDPR.<br />
<br />
It is noted that failure to comply with the requirements of this body may be considered an administrative infringement under the GDPR, classified as an infringement in Article 83(5) and (6), and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.<br />
<br />
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading penalties whose existence has been established,<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO IMPOSE on SECURITAS DIRECT ESPAÑA, S.A., with NIF A26106013, for an infringement of Article 58(2)(c) GDPR, typified in Article 83(6) GDPR and classified for limitation purposes as very serious in Article 72(1)(m) LOPDGDD, an administrative fine of 50,000 euros.<br />
<br />
<br />
SECOND: Pursuant to Article 58(2)(c) GDPR, which authorises the authority to "order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation", the respondent is required, within fifteen days, to attend to the right that is the subject of this claim in the manner indicated.<br />
<br />
<br />
Failure to comply with the above could lead to the exercise of the sanctioning power in accordance with Article 83(6) GDPR.<br />
<br />
THIRD: TO NOTIFY this resolution to SECURITAS DIRECT ESPAÑA, S.A.<br />
<br />
<br />
FOURTH: To warn the sanctioned party that it must pay the fine imposed once this resolution becomes enforceable, in accordance with Article 98(1)(b) LPACAP, within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005 of 29 July, in relation to Article 62 of Law 58/2003 of 17 December, by paying it, indicating the NIF of the sanctioned party and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000, opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period.<br />
<br />
<br />
Once the resolution has been notified and has become enforceable, if the date of enforceability falls between the 1st and the 15th of the month, both inclusive, the voluntary payment period runs until the 20th of the following month or the next business day thereafter; if it falls between the 16th and the last day of the month, both inclusive, the payment period runs until the 5th of the second following month or the next business day thereafter.<br />
<br />
<br />
Against this resolution, which puts an end to administrative proceedings in accordance with Article 48(6) LOPDGDD and Article 123 LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998 of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46(1) of that Law.<br />
<br />
Finally, it is noted that, in accordance with Article 90(3)(a) LPACAP, the resolution, once final in administrative proceedings, may be provisionally suspended if the interested party expresses its intention to file a contentious-administrative appeal. In that case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through any of the other registries provided for in Article 16(4) of the LPACAP. It must also forward to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.<br />
<br />
<br />
<br />
938-181022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=Data_Protection_in_Portugal&diff=32479Data Protection in Portugal2023-05-03T13:31:38Z<p>Isabela.maria.rosal: /* National constitutional protections */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Data Protection in Portugal<br />
[[Category:Country Overview]]<br />
|-<br />
| colspan="2" |[[File:pt.png|center|250px]]<br />
|-<br />
|Data Protection Authority:||[[CNPD (Portugal)]]<br />
|-<br />
|National Implementation Law (Original):||[https://dre.pt/application/file/a/123813850 Lei n.º 58/2019]<br />
|-<br />
|English Translation of National Implementation Law:||n/a<br />
|-<br />
|Official Language(s):||Portuguese<br />
|-<br />
|National Legislation Database(s):||[https://dre.pt/ Link]<br />
|-<br />
|English Legislation Database(s):||[https://dre.pt/web/en/home Link]<br />
|-<br />
|National Decision Database(s):||[http://www.dgsi.pt/ Link]<br />
|}<br />
<br />
==Legislation==<br />
===History===<br />
''You can help us fill this section!''<br />
<br />
===National constitutional protections===<br />
Article 35 of the Portuguese Constitution provides that the concept of personal data and the conditions for its processing and protection are to be defined by law. The same article also affirms the data subjects' rights.<br />
<br />
Article 35 of the Constitution also prohibits assigning a single national number to citizens.<br />
<br />
===National GDPR implementation law===<br />
In Portugal the GDPR is implemented by the ''Lei n.º 58/2019''.<br />
<br />
====Age of consent====<br />
In Portugal the age of consent is 13 years.<br />
<br />
====Freedom of Speech====<br />
''You can help us fill this section!''<br />
<br />
====Employment context====<br />
''You can help us fill this section!''<br />
<br />
====Research====<br />
''You can help us fill this section!''<br />
<br />
====Other relevant national provisions and laws====<br />
''You can help us fill this section!''<br />
<br />
===National ePrivacy Law===<br />
''You can help us fill this section!''<br />
<br />
==Data Protection Authority==<br />
The Comissão Nacional de Protecção de Dados is the national data protection authority for Portugal.<br />
<br />
→ Details see [[CNPD (Portugal)]]<br />
<br />
==Judicial protection==<br />
===Civil Courts===<br />
[[Tribunal da Relação de Lisboa - 842/16.5T8ALQ.L1-3]] on monitoring vehicle speed by radar and the use of photographic evidence from radars in criminal and administrative proceedings without infringing drivers' right to privacy.<br />
<br />
[[Tribunal da Relação de Coimbra - 4354/19.7T8CBR-A.C2]] on balancing the fundamental right to equal pay for equal work with the right to privacy of workers not included in the lawsuit.<br />
<br />
===Administrative Courts===<br />
[[Supreme Administrative Court - 0856/20.0BELRA]] on whether the National Tax Number of a building's owner is personal data protected under the right to privacy, or personal data that should be publicly available under the right to information.<br />
<br />
===Constitutional Court===<br />
[[Tribunal Constitucional - Ruling 464/2019]] on whether access to traffic data under Articles 3 and 4 of the Organic Law of SIS and SIED (the Portuguese national security and intelligence agencies) by intelligence officers conforms to the exception in the second part of Article 34(4) of the CRP, which allows access to data of this nature in the cases provided for by law in the area of criminal proceedings.</div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=Data_Protection_in_Portugal&diff=32478Data Protection in Portugal2023-05-03T13:29:41Z<p>Isabela.maria.rosal: /* National constitutional protections */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Data Protection in Portugal<br />
[[Category:Country Overview]]<br />
|-<br />
| colspan="2" |[[File:pt.png|center|250px]]<br />
|-<br />
|Data Protection Authority:||[[CNPD (Portugal)]]<br />
|-<br />
|National Implementation Law (Original):||[https://dre.pt/application/file/a/123813850 Lei n.º 58/2019]<br />
|-<br />
|English Translation of National Implementation Law:||n/a<br />
|-<br />
|Official Language(s):||Portuguese<br />
|-<br />
|National Legislation Database(s):||[https://dre.pt/ Link]<br />
|-<br />
|English Legislation Database(s):||[https://dre.pt/web/en/home Link]<br />
|-<br />
|National Decision Database(s):||[http://www.dgsi.pt/ Link]<br />
|}<br />
<br />
==Legislation==<br />
===History===<br />
''You can help us fill this section!''<br />
<br />
===National constitutional protections===<br />
Article 35 of the Portuguese Constitution provides that the concept of personal data and the conditions for its processing and protection are to be defined by law. The same article also affirms the data subjects' rights.<br />
<br />
===National GDPR implementation law===<br />
In Portugal the GDPR is implemented by the ''Lei n.º 58/2019''.<br />
<br />
====Age of consent====<br />
In Portugal the age of consent is 13 years.<br />
<br />
====Freedom of Speech====<br />
''You can help us fill this section!''<br />
<br />
====Employment context====<br />
''You can help us fill this section!''<br />
<br />
====Research====<br />
''You can help us fill this section!''<br />
<br />
====Other relevant national provisions and laws====<br />
''You can help us fill this section!''<br />
<br />
===National ePrivacy Law===<br />
''You can help us fill this section!''<br />
<br />
==Data Protection Authority==<br />
The Comissão Nacional de Protecção de Dados is the national data protection authority for Portugal.<br />
<br />
→ Details see [[CNPD (Portugal)]]<br />
<br />
==Judicial protection==<br />
===Civil Courts===<br />
[[Tribunal da Relação de Lisboa - 842/16.5T8ALQ.L1-3]] on monitoring vehicle speed by radar and the use of photographic evidence from radars in criminal and administrative proceedings without infringing drivers' right to privacy.<br />
<br />
[[Tribunal da Relação de Coimbra - 4354/19.7T8CBR-A.C2]] on balancing the fundamental right to equal pay for equal work with the right to privacy of workers not included in the lawsuit.<br />
<br />
===Administrative Courts===<br />
[[Supreme Administrative Court - 0856/20.0BELRA]] on whether the National Tax Number of a building's owner is personal data protected under the right to privacy, or personal data that should be publicly available under the right to information.<br />
<br />
===Constitutional Court===<br />
[[Tribunal Constitucional - Ruling 464/2019]] on whether access to traffic data under Articles 3 and 4 of the Organic Law of SIS and SIED (the Portuguese national security and intelligence agencies) by intelligence officers conforms to the exception in the second part of Article 34(4) of the CRP, which allows access to data of this nature in the cases provided for by law in the area of criminal proceedings.</div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=CNPD_(Portugal)&diff=32473CNPD (Portugal)2023-05-03T13:25:07Z<p>Isabela.maria.rosal: /* Annual Reports */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Comissão Nacional de Protecção de Dados<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoPT.png|center|250px]]<br />
|-<br />
|Name:||Comissão Nacional de Protecção de Dados<br />
|-<br />
|Abbreviation :||CNPD<br />
|-<br />
|Jurisdiction:||[[Data Protection in Portugal|Portugal]]<br />
[[Category: Portugal]]<br />
|-<br />
|Head:||Filipa Calvão<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||Av. D. Carlos I, 134, 1º <br />
<br />
1200-651 Lisboa<br />
<br />
PORTUGAL<br />
|-<br />
|Webpage:||[http://www.cnpd.pt/ www.cnpd.pt]<br />
|-<br />
|Email:||[mailto:geral@cnpd.pt geral@cnpd.pt]<br />
|-<br />
|Phone:||+351 21 392 84 00<br />
|-<br />
|Twitter:||n/a<br />
|-<br />
|Procedural Law:||Lei n.º 43/2004 - Diário da República n.º 194/2004, Série I-A de 2004-08-18, alterada pela lei 58/2019 de 2019-08-08,<ref name=":0">https://dre.pt/web/guest/legislacao-consolidada/-/lc/123536792/202001240436/73736769/exportPdf/normal/1/cacheLevelPage?_LegislacaoConsolidada_WAR_drefrontofficeportlet_rp=diploma</ref><br />
|-<br />
|Decision Database:||https://www.cnpd.pt/bin/decisoes/decisoes.asp<br />
|-<br />
|Translated Decisions:||[[:Category:CNPD (Portugal)]]<br />
|-<br />
|Head Count:||27 (2018)<ref>https://www.cnpd.pt/bin/relatorios/anos/Relatorio_201718.pdf, p- 35</ref><br />
|-<br />
|Budget:||3.363.152,02 € (2018)<ref>https://www.cnpd.pt/bin/relatorios/anos/Relatorio_201718.pdf p. 36</ref><br />
|}<br />
<br />
The Portuguese Data Protection Authority (''Comissão Nacional de Protecção de Dados'') is the national Data Protection Authority for Portugal. It is based in Lisbon and is in charge of enforcing the GDPR in Portugal.<br />
<br />
==Structure==<br />
The CNPD, the Portuguese Data Protection Authority, is composed of members of recognised integrity and merit. The status of the members guarantees their independence in exercising their functions. They have a five-year mandate and take office before the President of the Parliament.<br />
<br />
The Portuguese Data Protection Authority is composed of seven members: <br />
<br />
*The Chairman and two members elected by the Parliament;<br />
*One legal magistrate, with over 10 years’ experience, appointed by the Magistrature Council;<br />
*One magistrate from the Public Prosecution Service, with over 10 years’ experience, appointed by the Public Prosecution Council;<br />
*Two members appointed by the Government.<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
Law 43/2004 - Diário da República n.º 194/2004, Série I-A de 2004-08-18, amended by Law 58/2019, of 8 August (Portuguese Data Protection Law, supplementing the GDPR)''<ref name=":0" />''<br />
<br />
Regulation n.º 757/2020, of 10 September, on the organisation and functioning of support services for the CNPD [https://dre.pt/home/-/dre/142326908/details/maximized].<br />
<br />
Regulation n.º 301/2020, of March 31, on the value of fees to provide GDPR related services (accreditation of certificate issuing organisations, DPIA prior consultation, among others) [https://dre.pt/home/-/dre/130779269/details/maximized].<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
The DPA provides one general and three specific forms to submit a '''complaint''':<br />
<br />
* General complaints, only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/geral/<br />
* Unsolicited marketing (spam), only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/marketing-nao-solicitado-spam/<br />
* Biometric data, only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/dados-biometricos/<br />
* Video surveillance, only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/videovigilancia/<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
The CNPD's 2020 budget was 2.385.701,00 euros, with 2.375.701,00 coming from the Portuguese National Budget and 10.000,00 euros from the CNPD itself (self-funding).<br />
<br />
The CNPD's 2019 budget was 2.152.445,00 euros, with 2.077.445,00 euros allocated to the CNPD by the Portuguese National Budget, 75.000,00 euros from the CNPD itself (self-funding) and 181.600 euros as a "special credit" from past budget surpluses (7.104.093,21 euros in positive cash flow).<br />
<br />
===Personnel===<br />
In 2020, the CNPD had 24 employees.<br />
<br />
In 2019, the CNPD had 25 employees.<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
CNPD 2022 Annual Report (in Portuguese): https://www.cnpd.pt/media/tutpevyh/relato-rio_2022.pdf<br />
<br />
CNPD 2021 Annual Report (in Portuguese): https://www.cnpd.pt/media/meuizrj4/relato-rio-atividades-cnpd-2021.pdf<br />
<br />
CNPD 2019/2020 Annual Report<br />
<br />
Summary<br />
<br />
<br />
{{DataProtectionAuthorities}}<br />
<references /></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=CNPD_(Portugal)&diff=32470CNPD (Portugal)2023-05-03T13:20:55Z<p>Isabela.maria.rosal: /* Filing with the DPA */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
! colspan="2" |Comissão Nacional de Protecção de Dados<br />
[[Category:DPA]]<br />
|-<br />
| colspan="2" style="padding: 20px; background-color:#ffffff;" |[[File:logoPT.png|center|250px]]<br />
|-<br />
|Name:||Comissão Nacional de Protecção de Dados<br />
|-<br />
|Abbreviation :||CNPD<br />
|-<br />
|Jurisdiction:||[[Data Protection in Portugal|Portugal]]<br />
[[Category: Portugal]]<br />
|-<br />
|Head:||Filipa Calvão<br />
|-<br />
|Deputy:||n/a<br />
|-<br />
|Address:||Av. D. Carlos I, 134, 1º <br />
<br />
1200-651 Lisboa<br />
<br />
PORTUGAL<br />
|-<br />
|Webpage:||[http://www.cnpd.pt/ www.cnpd.pt]<br />
|-<br />
|Email:||[mailto:geral@cnpd.pt geral@cnpd.pt]<br />
|-<br />
|Phone:||+351 21 392 84 00<br />
|-<br />
|Twitter:||n/a<br />
|-<br />
|Procedural Law:||Lei n.º 43/2004 - Diário da República n.º 194/2004, Série I-A de 2004-08-18, alterada pela lei 58/2019 de 2019-08-08,<ref name=":0">https://dre.pt/web/guest/legislacao-consolidada/-/lc/123536792/202001240436/73736769/exportPdf/normal/1/cacheLevelPage?_LegislacaoConsolidada_WAR_drefrontofficeportlet_rp=diploma</ref><br />
|-<br />
|Decision Database:||https://www.cnpd.pt/bin/decisoes/decisoes.asp<br />
|-<br />
|Translated Decisions:||[[:Category:CNPD (Portugal)]]<br />
|-<br />
|Head Count:||27 (2018)<ref>https://www.cnpd.pt/bin/relatorios/anos/Relatorio_201718.pdf, p- 35</ref><br />
|-<br />
|Budget:||3.363.152,02 € (2018)<ref>https://www.cnpd.pt/bin/relatorios/anos/Relatorio_201718.pdf p. 36</ref><br />
|}<br />
<br />
The Portuguese Data Protection Authority (''Comissão Nacional de Protecção de Dados'') is the national Data Protection Authority for Portugal. It is based in Lisbon and is in charge of enforcing the GDPR in Portugal.<br />
<br />
==Structure==<br />
The CNPD, the Portuguese Data Protection Authority, is composed of members of recognised integrity and merit. The status of the members guarantees their independence in exercising their functions. They have a five-year mandate and take office before the President of the Parliament.<br />
<br />
The Portuguese Data Protection Authority is composed of seven members: <br />
<br />
*The Chairman and two members elected by the Parliament;<br />
*One legal magistrate, with over 10 years’ experience, appointed by the Magistrature Council;<br />
*One magistrate from the Public Prosecution Service, with over 10 years’ experience, appointed by the Public Prosecution Council;<br />
*Two members appointed by the Government.<br />
<br />
==Procedural Information==<br />
<br />
===Applicable Procedural Law===<br />
Law 43/2004 - Diário da República n.º 194/2004, Série I-A de 2004-08-18, amended by Law 58/2019, of 8 August (Portuguese Data Protection Law, supplementing the GDPR)''<ref name=":0" />''<br />
<br />
Regulation n.º 757/2020, of 10 September, on the organisation and functioning of support services for the CNPD [https://dre.pt/home/-/dre/142326908/details/maximized].<br />
<br />
Regulation n.º 301/2020, of March 31, on the value of fees to provide GDPR related services (accreditation of certificate issuing organisations, DPIA prior consultation, among others) [https://dre.pt/home/-/dre/130779269/details/maximized].<br />
<br />
===Complaints Procedure under Art 77 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===''Ex Officio'' Procedures under Art 57 GDPR===<br />
''You can help us by filling in this section!''<br />
<br />
===Appeals===<br />
''You can help us by filling in this section!''<br />
<br />
==Practical Information==<br />
<br />
===Filing with the DPA===<br />
The DPA provides one general and three specific forms to submit a '''complaint''':<br />
<br />
* General complaints, only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/geral/<br />
* Unsolicited marketing (spam), only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/marketing-nao-solicitado-spam/<br />
* Biometric data, only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/dados-biometricos/<br />
* Video surveillance, only in Portuguese: https://www.cnpd.pt/cidadaos/participacoes/videovigilancia/<br />
<br />
===Known Problems===<br />
''You can help us by filling in this section!''<br />
<br />
===Filing an Appeal===<br />
''You can help us by filling in this section!''<br />
<br />
==Decision Database==<br />
''You can help us by filling in this section!''<br />
<br />
==Statistics==<br />
<br />
===Funding===<br />
The CNPD's 2020 budget was 2.385.701,00 euros, with 2.375.701,00 coming from the Portuguese National Budget and 10.000,00 euros from the CNPD itself (self-funding).<br />
<br />
The CNPD's 2019 budget was 2.152.445,00 euros, with 2.077.445,00 euros allocated to the CNPD by the Portuguese National Budget, 75.000,00 euros from the CNPD itself (self-funding) and 181.600 euros as a "special credit" from past budget surpluses (7.104.093,21 euros in positive cash flow).<br />
<br />
===Personnel===<br />
In 2020, the CNPD had 24 employees.<br />
<br />
In 2019, the CNPD had 25 employees.<br />
<br />
===Caseload===<br />
''You can help us by filling in this section!''<br />
<br />
===Fines===<br />
''You can help us by filling in this section!''<br />
<br />
===Annual Reports===<br />
CNPD 2019/2020 Annual Report<br />
<br />
Summary<br />
<br />
<br />
{{DataProtectionAuthorities}}<br />
<references /></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202105333&diff=32408AEPD (Spain) - EXP2021053332023-05-02T10:19:31Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00505-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00505-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=19.10.2021<br />
|Date_Decided=<br />
|Date_Published=25.04.2023<br />
|Year=<br />
|Fine=70000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 4(1) GDPR<br />
|GDPR_Article_Link_1=Article 4 GDPR#1<br />
|GDPR_Article_2=Article 6(1) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1<br />
|GDPR_Article_3=Article 6(1) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1<br />
|GDPR_Article_4=Article 6(1)(b) GDPR<br />
|GDPR_Article_Link_4=Article 6 GDPR#1b<br />
|GDPR_Article_5=Article 57(1) GDPR<br />
|GDPR_Article_Link_5=Article 57 GDPR#1<br />
|GDPR_Article_6=Article 58 GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR<br />
|GDPR_Article_7=Article 58(1) GDPR<br />
|GDPR_Article_Link_7=Article 58 GDPR#1<br />
|GDPR_Article_8=Article 58(2) GDPR<br />
|GDPR_Article_Link_8=Article 58 GDPR#2<br />
|GDPR_Article_9=Article 83(2)(e) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#2e<br />
|GDPR_Article_10=Article 83(2)(f) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#2f<br />
|GDPR_Article_11=Article 83(2)(g) GDPR<br />
|GDPR_Article_Link_11=Article 83 GDPR#2g<br />
|GDPR_Article_12=Article 83(2)(k) GDPR<br />
|GDPR_Article_Link_12=Article 83 GDPR#2k<br />
|GDPR_Article_13=Article 83(5) GDPR<br />
|GDPR_Article_Link_13=Article 83 GDPR#5<br />
|GDPR_Article_14=Article 83(5)(a) GDPR<br />
|GDPR_Article_Link_14=Article 83 GDPR#5a<br />
|GDPR_Article_15=<br />
|GDPR_Article_Link_15=<br />
|GDPR_Article_16=<br />
|GDPR_Article_Link_16=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 47 LOPDGDD<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=Article 48(1) LOPDGDD<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_3=Article 63 LPACAP<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_4=Article 63(2) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_5=Article 64 LPACAP<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_6=Article 64(2) LOPDGDD<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_7=Article 65(4) LOPDGDD<br />
|National_Law_Link_7=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_8=Article 68(1) LOPDGDD<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_9=Article 72(1) LOPDGDD<br />
|National_Law_Link_9=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_10=<br />
|National_Law_Link_10=<br />
|National_Law_Name_11=<br />
|National_Law_Link_11=<br />
<br />
|Party_Name_1=Data subject<br />
|Party_Link_1=<br />
|Party_Name_2=DIGI SPAIN TELECOM, S.L.<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=AEPD - Directoria<br />
|Appeal_To_Case_Number_Name=REPOSICION-PS-0505-2022<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://www.aepd.es/es/documento/reposicion-ps-00505-2022.pdf<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
The data subject filed a complaint claiming that she had suffered identity theft after a third party obtained a duplicate of her SIM card from the controller. The AEPD fined the telecommunications operator €70,000 for breaching [[Article 6 GDPR#1|Article 6(1) GDPR]], holding that by handing the duplicate to someone who was not the holder of the line it had enabled a third party to process the data subject's personal data without any legal basis.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 2 September 2021 a third party telephoned the controller, DIGI SPAIN TELECOM, S.L., identified themselves as the data subject and requested a duplicate of her SIM card. On the call the impostor correctly answered the controller's identity questions, supplying the data subject's personal data including the last four digits of her bank account, and so passed the controller's security policy and was given a numerical code needed for the next step of the process. That same day the impostor presented the code at a DIGI distribution point and was handed the duplicate SIM. The fraudulent SIM was active from about 19:09 on 2 September until about 14:26 on 3 September 2021, when DIGI issued a fresh duplicate to the data subject and blocked the earlier one; in the meantime numerous transfers were made from the data subject's bank account. The data subject reported the matter to the Civil Guard and, on 19 October 2021, filed a complaint with the AEPD claiming identity theft through the SIM duplicate obtained from the controller. DIGI submitted that it had followed its security protocol (including a check of the ID document in store, of which no copy was kept), that the fraudster already held the victim's data before calling, and that it had since restricted further operations on the line to a signed authorisation accompanied by a copy of the holder's DNI.<br />
<br />
=== Holding ===<br />
The AEPD held that DIGI had breached [[Article 6 GDPR#1|Article 6(1) GDPR]]. By issuing a duplicate SIM to a person who was not the holder of the line after that person had got past its security policy, the controller failed in its duty to protect its customers' data and enabled a third party to process the data subject's personal data without any legal basis, in breach also of the principle of confidentiality. The AEPD accepted that a duplicate SIM alone is not sufficient to carry out bank transactions, since the fraudster must also impersonate the holder before the bank, and noted that payment service providers are subject to the same obligations; this did not exonerate the operator. It rejected DIGI's argument that it was being held strictly liable: a duplicate SIM that identifies its user as the line holder is personal data under [[Article 4 GDPR#1|Article 4(1) GDPR]], an entity whose business consists of the constant handling of personal data owes heightened diligence (citing the judgment of the Audiencia Nacional of 17 October 2007, rec. 63/2006), and under Spanish case law a legal person cannot escape liability merely by asserting the absence of fault. None of the mitigating circumstances invoked by DIGI under Article 83(2)(e), (f), (g) and (k) GDPR was accepted. The infringement, classified as very serious under Article 72(1)(b) LOPDGDD, was fined €70,000 under Article 83(5)(a) GDPR. DIGI's request for reconsideration (recurso de reposición) was rejected and the decision confirmed.<br />
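The security-relevant point in the facts above is that the controller's identity check was purely knowledge-based: a caller who already held the data subject's personal data, including the last four digits of her bank account, passed it and was handed the pickup code. The Python sketch below is an added example written for this page; it is not code from the decision, from DIGI or from gdprhub, and it does not reproduce DIGI's actual procedure. It contrasts that knowledge-based check with a variant that additionally requires a one-time code delivered to the SIM currently on the line, a cooling-off window in which the line holder is notified and can cancel, and an ID check recorded at pickup. The subscriber record (the DNI and date-of-birth fields), the 24-hour and 48-hour windows and the SMS format are constructed assumptions, not facts from the decision.<br />
<br />
```python
"""SIM-duplicate authorisation: the knowledge-based check described in the facts,
beside a possession-based variant with a cooling-off window. Added illustration,
not DIGI's actual procedure; policy values (24 h, 48 h) and the data are assumed."""
from __future__ import annotations

from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta
import hmac
import secrets

Subscriber = namedtuple("Subscriber", "msisdn dni dob iban_last4")  # assumed record layout
Outcome = namedtuple("Outcome", "allowed reason")


def kba_check(sub: Subscriber, answers: dict[str, str]) -> Outcome:
    """Knowledge-based authentication as in the facts: the caller recites the holder's
    personal data, incl. the last four digits of the bank account. Harvested data passes."""
    for field in ("dni", "dob", "iban_last4"):
        if not hmac.compare_digest(answers.get(field, ""), getattr(sub, field)):
            return Outcome(False, f"kba mismatch on {field}")
    return Outcome(True, "kba passed")


@dataclass
class Pending:
    otp: str
    not_before: datetime   # end of the cooling-off window
    expires: datetime      # end of the pickup window
    cancelled: bool = False


class HardenedSimSwap:
    """KBA only opens a request. Issuance also needs a one-time code sent to the SIM that
    currently holds the line (possession), a cooling-off window in which the holder is
    notified and can cancel, and an ID check at pickup written to an audit trail."""

    COOLING_OFF = timedelta(hours=24)    # assumed
    PICKUP_WINDOW = timedelta(hours=48)  # assumed

    def __init__(self) -> None:
        self.pending: dict[str, Pending] = {}
        self.sms_to_current_sim: list[tuple[str, str]] = []   # (msisdn, text)
        self.audit: list[str] = []

    def request(self, sub: Subscriber, answers: dict[str, str], now: datetime) -> Outcome:
        gate = kba_check(sub, answers)
        if not gate.allowed:
            return gate
        otp = f"{secrets.randbelow(10**6):06d}"
        start = now + self.COOLING_OFF
        self.pending[sub.msisdn] = Pending(otp, start, start + self.PICKUP_WINDOW)
        # Delivered to the handset currently on the line, so a caller who merely knows
        # the holder's data never sees it (recorded in memory here instead of sent).
        self.sms_to_current_sim.append(
            (sub.msisdn, f"SIM duplicate requested. Code {otp}. Reply CANCEL if not you."))
        return Outcome(True, "pending: code sent to current SIM")

    def cancel(self, msisdn: str) -> None:
        """Holder replies CANCEL from the existing handset."""
        if msisdn in self.pending:
            self.pending[msisdn].cancelled = True

    def collect(self, sub: Subscriber, otp: str, dni_shown: str, now: datetime) -> Outcome:
        p = self.pending.get(sub.msisdn)
        if p is None:
            return Outcome(False, "no pending request")
        if p.cancelled:
            return Outcome(False, "cancelled by line holder")
        if now < p.not_before:
            return Outcome(False, "cooling-off period not elapsed")
        if now > p.expires:
            del self.pending[sub.msisdn]
            return Outcome(False, "request expired")
        if not hmac.compare_digest(otp, p.otp):
            return Outcome(False, "code mismatch")
        if dni_shown != sub.dni:
            return Outcome(False, "id document does not match line holder")
        del self.pending[sub.msisdn]
        self.audit.append(f"{now.isoformat()} duplicate issued for {sub.msisdn}; DNI checked")
        return Outcome(True, "duplicate issued")


def demo() -> dict[str, bool]:
    """Replays the fact pattern with constructed data against both checks."""
    t0 = datetime(2021, 9, 2, 19, 9)   # when the fraudulent duplicate went live
    holder = Subscriber("+34600000000", "12345678Z", "1980-01-01", "1234")
    harvested = {"dni": "12345678Z", "dob": "1980-01-01", "iban_last4": "1234"}
    out = {"kba_alone_lets_attacker_in": kba_check(holder, harvested).allowed}
    svc, hour = HardenedSimSwap(), timedelta(hours=1)
    svc.request(holder, harvested, t0)   # attacker passes KBA; the code goes to the holder
    out["attacker_same_day"] = svc.collect(holder, "000000", holder.dni, t0 + hour).allowed
    svc.cancel(holder.msisdn)            # holder saw the SMS and cancelled
    out["attacker_after_cooling_off"] = svc.collect(holder, "000000", holder.dni, t0 + 25 * hour).allowed
    svc.request(holder, harvested, t0)   # genuine request by the holder
    code = svc.sms_to_current_sim[-1][1].split("Code ")[1][:6]   # holder reads own SMS
    out["holder_after_cooling_off"] = svc.collect(holder, code, holder.dni, t0 + 25 * hour).allowed
    return out
```
<br />
Running `demo()` replays the fact pattern: the attacker's harvested data passes `kba_check`, but under `HardenedSimSwap` the same attacker is refused a same-day pickup (the code went to the holder's handset and the cooling-off window has not elapsed) and is refused again once the holder has cancelled, while the genuine holder, who can read the code on their own phone, collects after the window. The design choice is that the possession factor is bound to the existing SIM rather than to anything the caller can recite, which is the factor an attacker who has only harvested personal data does not have; the in-store ID check is kept but written to an audit record, which is the gap the decision notes in DIGI's procedure.<br />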
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202105333<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency, based on the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: Ms. A.A.A. (hereinafter, "the complaining party") filed a claim with the Spanish Data<br />
Protection Agency on October 19, 2021. The claim is directed against DIGI SPAIN TELECOM, S.L.,<br />
with NIF B84919760 (hereinafter, "the claimed party" or "DIGI"). The reasons on which the claim<br />
is based are the following:<br />
<br />
The complaining party declares that she has suffered identity theft, in connection with a<br />
third party obtaining a duplicate of her SIM card, which caused her economic damage, since<br />
numerous transfers were made from her bank account.<br />
<br />
She indicates September 2, 2021 as the date on which the events occurred.<br />
<br />
And she provides the following relevant documentation:<br />
<br />
- Complaint filed with the Civil Guard.<br />
<br />
- Bank statements showing the transfers made by the third party.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection<br />
of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was<br />
transferred to the claimed party so that it could analyse it and inform this Agency, within one<br />
month, of the actions carried out to comply with the requirements established in the data<br />
protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations (hereinafter,<br />
LPACAP), was received on January 4, 2022, as shown by the acknowledgment of receipt in the file.<br />
<br />
On February 3, 2022, this Agency received a written response indicating that, once the facts<br />
had been analysed by the data controller, it had verified that on September 2, 2021 it received<br />
a call from a person who identified themselves as the claimant requesting the issuance of a<br />
duplicate SIM card; that on this call the caller was able to correctly provide all the personal<br />
data of the claimant, including the last four digits of the bank account, thereby passing the<br />
established security policy; and that a numerical code was likewise provided, necessary to be<br />
able to continue with the next phase of the process of obtaining the duplicate.<br />
<br />
After becoming aware of the facts, the controller recommended that the claimant obtain a new<br />
duplicate of the fraudulently issued SIM card so that she could recover control of her line,<br />
proceeding to issue a new one on September 3, 2021, with the previously issued duplicate being<br />
blocked together with the possibility of making a new one for said mobile line.<br />
<br />
The data controller adopted a series of measures to resolve the incident, including:<br />
<br />
- Immediate rectification of the element causing the incident: issuing a new duplicate and<br />
deactivating the previous one (the fraudulent activation was operational from 7:09 p.m. on<br />
09/02/2021 until approximately 2:26 p.m. on 09/03/2021, when the claimant was able to recover<br />
the line).<br />
<br />
- After the detection of the incident and the restitution of control of the line to the<br />
claimant, new procedures relating to the line were preventively blocked, limiting their<br />
processing to the prior receipt of a signed authorisation together with a photocopy of the DNI<br />
of the holder of the services.<br />
<br />
Finally, in order to put a stop to future episodes of SIM swapping, the entity is strengthening<br />
its security measures to prevent fraudulent actions of the same type as that contemplated in<br />
the claim.<br />
<br />
THIRD: In accordance with article 65 of Organic Law 3/2018, of December 5, on the Protection of<br />
Personal Data and guarantee of digital rights (LOPDGDD), when a claim is submitted to the<br />
Spanish Data Protection Agency (hereinafter, AEPD), it must evaluate its admissibility for<br />
processing and must notify the claimant of the decision on admission or non-admission for<br />
processing within three months from the date on which the claim entered this Agency. If, after<br />
this period, there is no such notification, it shall be understood that the processing of the<br />
claim continues in accordance with the provisions of Title VIII of the Law. Said provision is<br />
also applicable to the procedures that the AEPD has to process in the exercise of the powers<br />
attributed to it by other laws.<br />
<br />
In this case, taking into account the foregoing and that the claim was filed with this Agency<br />
on October 19, 2021, the claimant is informed that her claim was admitted for processing on<br />
January 19, 2022, as three months had elapsed since it entered the AEPD.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out preliminary<br />
investigative actions to clarify the facts in question, by virtue of the functions assigned to<br />
the supervisory authorities in article 57.1 and the powers granted in article 58.1 of<br />
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in<br />
accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having<br />
knowledge of the following points:<br />
<br />
RESULT OF INVESTIGATION ACTIONS<br />
<br />
(…)<br />
<br />
FIFTH: On October 3, 2022, the Director of the Spanish Data Protection Agency agreed to<br />
initiate sanctioning proceedings against the claimed party, in accordance with the provisions<br />
of articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP), for the alleged infringement of Article 6.1 of<br />
the GDPR, typified in Article 83.5 of the GDPR.<br />
<br />
SIXTH: On October 13, 2022, DIGI requested an extension of the legal term granted to respond<br />
to said requirements and a copy of the file.<br />
<br />
SEVENTH: On October 25, 2022, this Agency received, in due time and form, a brief from DIGI's<br />
representative in which, in summary, it reiterates the allegations previously presented, first<br />
setting out the chronological order in which the events occurred and indicating the security<br />
protocol and the measures adopted in response to these events, and stating that DIGI did not<br />
make available to the alleged criminals any personal information of the complainant other than<br />
what they already had beforehand. Consequently, no unauthorised processing of personal data<br />
took place. That is, during the process of requesting and delivering the duplicate there is<br />
processing of the personal data provided to DIGI in order for it to verify the identity of the<br />
interlocutor, first by telephone and later in person.<br />
<br />
In addition, DIGI states that it has been proven that in this case the established security<br />
protocols were followed, as can be seen from the documentary evidence in this file.<br />
<br />
The procedure established by DIGI required the ID document to be shown, but its image was not<br />
preserved, as said processing was not considered essential.<br />
<br />
On the other hand, it points out that the AEPD unequivocally imposes strict liability on DIGI,<br />
whereby, regardless of the diligence and measures deployed, the entity is found guilty. The<br />
AEPD seems to confuse the concept of proactive responsibility (accountability) with the<br />
obligation of result imposed by strict liability. In the present case, there was strict<br />
control, before and after the request for the duplicate, the establishment of prior and<br />
subsequent measures, as well as the existence of measures aimed at preventing these practices<br />
in advance.<br />
<br />
For this reason, the claimed party considers that this Initiation Agreement is not in<br />
accordance with the law, since it imposes on DIGI an obligation of result, based solely on the<br />
harmful result produced by the fraudulent activity of a third party, regardless of the<br />
diligence used and without considering the deployment of technically adequate and implemented<br />
measures.<br />
<br />
In addition, it indicates that the following mitigating circumstances exist which have not been<br />
considered in the appropriate graduation of the sanction:<br />
The absence of previous infringements committed by DIGI (art. 83.2 e) GDPR).<br />
At no time have special categories of data been processed (art. 83.2 g) GDPR).<br />
The degree of cooperation of DIGI with the AEPD in order to remedy the alleged infringement and<br />
mitigate its possible adverse effects (art. 83.2 f) GDPR).<br />
The non-existent benefit obtained (art. 83.2 k) GDPR).<br />
<br />
It requests that a resolution be issued ordering the closure of the procedure.<br />
<br />
Subsidiarily, a warning and, ultimately, that the proposal included in the Initiation Agreement<br />
be moderated or modulated.<br />
<br />
EIGHTH: On October 27, 2022, the instructor of the procedure agreed to take the following<br />
evidence: 1. The claim filed by Ms. A.A.A. and its documentation, the documents obtained and<br />
generated during the admission phase of the claim, and the report of preliminary investigation<br />
actions that form part of procedure AI/00074/2022 are considered reproduced for evidentiary<br />
purposes. 2. Likewise, the allegations to the agreement to initiate the aforementioned<br />
sanctioning procedure, presented by DIGI SPAIN TELECOM, S.L., and the documentation<br />
accompanying them are considered reproduced for evidentiary purposes.<br />
<br />
NINTH: On December 2, 2022, a resolution proposal was formulated, proposing that the Director<br />
of the Spanish Data Protection Agency sanction DIGI SPAIN TELECOM, S.L., with NIF B84919760,<br />
for an infringement of Article 6.1 of the GDPR, typified in Article 83.5 a) of the GDPR, the<br />
corresponding sanction being a fine of 70,000 euros (seventy thousand euros).<br />
<br />
TENTH: Once the proposed resolution was notified, the defendant requested an extension of the<br />
term to formulate allegations, which was granted, and presented a brief of allegations on<br />
February 2, 2023 in which, in summary, it reiterates the allegations previously presented and<br />
argues that the report issued by the European Union Agency for Cybersecurity (ENISA) confirms<br />
that, to obtain a fraudulent duplicate SIM, the fraudster needs to have access to some of the<br />
personal data of the victim, a customer of the operator. That is, cybercriminals hold personal<br />
data of their victims before approaching the Mobile Network Operator.<br />
<br />
It points out that this is what happened in this case: the victim lost control of her personal<br />
data in favour of the impersonator before the latter contacted DIGI, as evidenced by the<br />
recording provided, which proves that the applicant unequivocally provides the personal data<br />
of the Claimant.<br />
<br />
"Furthermore, for greater emphasis, in the present case and as this party has had the<br />
opportunity to set forth earlier in its briefs, the store clerk expressly states that the<br />
verification was indeed carried out, and that statement cannot be called into doubt with no<br />
further argument than the result of the identity theft. Thus, there is the possibility that,<br />
even following the protocol and having requested the DNI, the document shown was false.<br />
Furthermore, the fact that a photocopy of that document had been made would not have added<br />
more operational security.<br />
<br />
That is why the claimed party considers that the Proposal is not in accordance with the law,<br />
since it imposes on DIGI an obligation of result, consisting of the establishment of infallible<br />
measures, when it imputes a violation of article 6.1 of the GDPR based solely on the harmful<br />
result produced by the fraudulent intervention of a third party, regardless of the diligence<br />
used and without considering the deployment of technically adequate and implemented measures.<br />
<br />
DIGI cannot anticipate or know what the applicable duty of care is.<br />
<br />
On the lack of proportionality of the proposed sanction, and that, following the appropriate<br />
procedures, a resolution be issued ordering the closure of procedure No. PS/0533/2021."<br />
<br />
From the actions carried out in this procedure and the documentation in the file, the<br />
following have been accredited:<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: The claimant filed a claim with this Agency on October 19, 2021, stating that she had<br />
suffered identity theft on September 2, 2021, in connection with a third party obtaining a<br />
duplicate of her SIM card, which caused her economic damage, since numerous transfers were made<br />
from her bank account.<br />
<br />
SECOND: DIGI confirms that on September 2, 2021 it did receive a call from a third person who<br />
identified themselves as the claimant requesting the issuance of a duplicate SIM card.<br />
<br />
THIRD: It is verified that the claimed party proceeded to issue a code for the application for<br />
a duplicate SIM card, and that same day the applicant appeared at a DIGI distribution point.<br />
There the SIM card was issued to said third party, who was not the holder of the line.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data<br />
Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established<br />
in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of<br />
Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the<br />
Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish<br />
Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this<br />
organic law, by the regulatory provisions issued in its development and, insofar as they do not<br />
contradict them, on a subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Breached Obligation<br />
<br />
The claimed party is accused of committing an infringement for violation of Article 6 of the<br />
GDPR, "Lawfulness of processing", which indicates in its paragraph 1 the cases in which the<br />
processing of third-party data is considered lawful:<br />
<br />
"1. Processing shall be lawful only if and to the extent that at least one of the following<br />
applies:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for one or<br />
more specific purposes;<br />
<br />
b) processing is necessary for the performance of a contract to which the data subject is party<br />
or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the controller is<br />
subject;<br />
<br />
d) processing is necessary in order to protect the vital interests of the data subject or of<br />
another natural person;<br />
<br />
e) processing is necessary for the performance of a task carried out in the public interest or<br />
in the exercise of official authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the interests or<br />
fundamental rights and freedoms of the data subject which require protection of personal data,<br />
in particular where the data subject is a child. Point (f) of the first subparagraph shall not<br />
apply to processing carried out by public authorities in the performance of their tasks."<br />
<br />
III<br />
<br />
Classification and qualification of the infringement<br />
<br />
The infringement is typified in article 83.5 of the GDPR, which considers as such:<br />
<br />
"5. Infringements of the following provisions shall, in accordance with paragraph 2, be subject<br />
to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the<br />
total worldwide annual turnover of the preceding financial year, whichever is higher:<br />
<br />
a) the basic principles for processing, including conditions for consent, pursuant to Articles<br />
5, 6, 7 and 9."<br />
<br />
The LOPDGDD, for the purposes of the limitation period of the infringement, qualifies in its<br />
article 72.1 as a very serious infringement, for which the limitation period is three years,<br />
"b) The processing of personal data without the fulfilment of any of the conditions of<br />
lawfulness of processing established in article 6 of Regulation (EU) 2016/679".<br />
<br />
In response to the allegations presented by the respondent entity, the following should be<br />
noted:<br />
<br />
Regarding Digi not having made available to the alleged criminals any personal information of<br />
the claimant other than that already held by them beforehand, and consequently there having<br />
been no unauthorised processing of personal data:<br />
<br />
Indeed, the issuance of a duplicate is not enough to carry out banking operations on behalf of<br />
the holders; certainly, to complete the scam, it is necessary for a third party to "supplant<br />
the identity" of the owner of the data before the financial institution.<br />
<br />
This entails, a priori, processing outside the principle of lawfulness, because a third party<br />
is processing data, since it has access to them, without any legal basis, in addition to the<br />
violation of other principles such as confidentiality.<br />
<br />
For this reason, this is a process in which the diligence exercised by the operators is<br />
essential to avoid this type of scam and violation of the GDPR. Diligence that translates into<br />
the establishment of adequate measures to guarantee that the data processing is in accordance<br />
with the GDPR.<br />
<br />
The actions of the banking entities that provide payment services deserve identical<br />
considerations, since it is in that area that this type of scam begins, the third party having<br />
access to the affected user's credentials and posing as that user.<br />
<br />
As these entities are controllers of the processing of their customers' data, they are subject<br />
to the same obligations as those indicated so far for the operators regarding compliance with<br />
the GDPR and the LOPDGDD, and also to those derived from Royal Decree-Law 19/2018, of November<br />
23, on payment services and other urgent financial measures.<br />
<br />
From the Proven Facts, it can be deduced that Digi provided a duplicate SIM card to a third<br />
party other than the legitimate holder of the mobile line, after third parties had overcome the<br />
existing security policy, which evidences a breach of the duty to protect customer information.<br />
<br />
Denying any negligent action by Digi would be tantamount to recognising that its conduct, by<br />
action or omission, has been diligent. Obviously we do not share this perspective of the facts,<br />
since there was a lack of due diligence. The judgment of the Audiencia Nacional (SAN) of<br />
October 17, 2007 (rec. 63/2006) is very illustrative: assuming that these are entities whose<br />
activity involves the continuous processing of customer data, it indicates that "...the Supreme<br />
Court has come to understand that negligence exists whenever a legal duty of care is<br />
disregarded, that is, when the offender does not behave with the required diligence. And in<br />
the assessment of the degree of diligence, the professionalism or otherwise of the subject must<br />
be especially considered, and there is no doubt that, in the case now examined, when the<br />
appellant's activity is the constant and abundant handling of personal data, rigour and<br />
exquisite care must be insisted upon in adjusting to the legal provisions in this regard."<br />
<br />
It is proven in the file that appropriate security has not been guaranteed in the processing<br />
of personal data, taking into account the result that identity theft has occurred. That is, a<br />
third party has managed to access the personal data of the holder of the line.<br />
<br />
Regarding the argument that the criminals did not manage to obtain personal data from Digi, so<br />
that there can be no talk of a breach of protection measures, it should be pointed out that<br />
access to a duplicate SIM card that makes its user identifiable as the holder meets the<br />
definition of personal data in article 4.1) of the GDPR.<br />
<br />
Regarding Digi's responsibility, it should be noted that, in general, Digi processes the data<br />
of its customers under the provisions of article 6.1 b) of the GDPR, as this is considered<br />
processing necessary for the performance of a contract to which the data subject is party or<br />
in order to take steps at the request of the data subject prior to entering into a contract.<br />
In other cases, it bases the lawfulness of the processing on the legal bases provided for in<br />
article 6.1 a), c), e) and f) of the GDPR.<br />
<br />
On the other hand, to complete the scam, it is necessary for a third party to "impersonate the<br />
identity" of the owner of the data in order to receive the duplicate of the SIM card. This<br />
entails, a priori, processing outside the principle of lawfulness, since a third party is<br />
processing data, since it has access to them, without any legal basis, in addition to the<br />
violation of other principles such as confidentiality.<br />
<br />
Certainly, the principle of responsibility provided for in article 28 of the LRJSP provides<br />
that: "Only natural and legal persons, as well as, when a Law recognises their capacity to act,<br />
affected groups, unions and entities without legal personality and independent or autonomous<br />
estates, may be sanctioned for acts constituting an administrative infringement when they are<br />
responsible for them by way of intent or negligence."<br />
<br />
However, the mode of attribution of liability to legal persons does not correspond to the<br />
wilful or reckless forms of guilt that are imputable to human behaviour. Thus, in the case of<br />
infringements committed by legal persons, even if the element of culpability must be present,<br />
it will necessarily be applied differently from how it is applied with respect to natural<br />
persons.<br />
<br />
<br />
According to STC 246/1991, "(...) this different construction of the imputability of the legal person's own infringement arises from the very nature of the legal fiction to which these subjects respond. What they lack is the volitional element in the strict sense, but not the capacity to infringe the rules to which they are subject. Infringement capacity and, therefore, direct reproach that derives from the legal good protected by the rule being infringed, from the need for such protection to be really effective, and from the risk that, consequently, the person subject to compliance with said rule must assume" (in this sense STS of 24 November 2011, Rec 258/2009).<br />
<br />
<br />
To the foregoing must be added, following the judgment of January 23, 1998, partially transcribed in the SSTS of October 9, 2009, Rec 5285/2005, and of October 23, 2010, Rec 1067/2006, that "although the culpability of the conduct must also be the object of proof, it must be considered, in order to assume the corresponding charge, that ordinarily the volitional and cognitive elements necessary to appreciate it form part of the typical conduct that has been proven, and that their exclusion requires that the absence of such elements be proven or, in its normative aspect, that the diligence required was observed by the person claiming their non-existence; in short, the mere invocation of the absence of guilt is not enough to exculpate a typically unlawful conduct".<br />
<br />
<br />
Accordingly, the plea is dismissed. Ultimate responsibility for the processing continues to be attributed to the controller, who is the one who determines the existence of the processing and its purpose. Let us remember that, in general, operators process the data of their customers under the provisions of article 6.1 b) of the GDPR, as this is considered processing necessary for the performance of a contract to which the data subject is party (…). In this sense, DIGI has a network of sales representatives, points of sale and authorized distributors which offer DIGI services under a distribution contract. Among the services offered from their points of sale is the issuing of duplicate SIM cards corresponding to a mobile telephone line.<br />
<br />
<br />
Regarding the alleged breach of the principle of proportionality, the GDPR expressly provides for graduation, through the provision of fines subject to modulation in response to a series of circumstances of each individual case.<br />
<br />
Regarding the imposition of a warning or reprimand, or the adoption of corrective measures pursuant to article 58 of the GDPR, a deterrent fine is one that has a genuine deterrent effect. In this regard, the Judgment of the CJEU of June 13, 2013, Versalis SpA v Commission, C-511/11, ECLI:EU:C:2013:386, says:<br />
<br />
<br />
“94. Regarding, firstly, the reference to the Showa Denko v Commission judgment, cited above, it should be noted that Versalis interprets it incorrectly. Indeed, the Court of Justice, when stating in paragraph 23 of that judgment that the deterrent factor is assessed taking into consideration a multitude of elements and not only the particular situation of the company in question, referred to points 53 to 55 of the Opinion delivered in that case by Advocate General Geelhoed, who had stated, in essence, that the deterrent multiplier may be aimed not only at "general deterrence", defined as action to discourage all companies, in general, from committing the infringement in question, but also at "specific deterrence", consisting of dissuading the particular defendant from breaking the rules again in the future. Therefore, the Court of Justice only confirmed, in that judgment, that the Commission was not required to limit its assessment to factors relating solely to the particular situation of the company in question.”<br />
<br />
<br />
“102. According to settled case law, the objective of the deterrent multiplier and of the consideration, in this context, of the size and overall resources of the company in question lies in the desired impact on said company, since the sanction should not be insignificant, especially in relation to the financial capacity of the company (in this sense, see, in particular, the judgment of 17 June 2010, Lafarge v Commission, C-413/08 P, ECR p. I-5361, paragraph 104, and the order of February 7, 2012, Total and Elf Aquitaine v Commission, C-421/11 P, paragraph 82).”<br />
<br />
We must attend to the particular circumstances of the claim presented, from which it can be seen that, from the moment the impersonator performs the SIM replacement, the victim's phone is left without service, passing control of the line to the impersonators. Consequently, the victim's powers of disposal and control over their personal data are affected, which constitute part of the content of the fundamental right to data protection, as indicated by the Constitutional Court in Judgment 292/2000, of 30 November 2000 (FJ 7). So, on obtaining a duplicate SIM card, under certain circumstances, access is gained to the contacts or to the applications and services whose password recovery procedure consists of sending an SMS with a code that allows the passwords to be modified. In short, the impersonators may usurp the identity of those affected, being able to access and control, for example: email accounts; bank accounts; apps like WhatsApp; social networks such as Facebook or Twitter, and a long etcetera. Once the password has been modified by the impersonators, those affected lose control of their accounts, applications and services, which poses a great threat.<br />
<br />
In short, it is the data controller who has the obligation to integrate the necessary guarantees into the processing, with the purpose of, by virtue of the principle of proactive responsibility, complying and being able to demonstrate compliance, while at the same time respecting the fundamental right to data protection.<br />
<br />
In the present case, it is proven that on September 2, 2021 DIGI<br />
processed the issuance of a duplicate SIM card for line ***TELEPHONE.1,<br />
belonging to the complaining party.<br />
<br />
However, it should be noted that SIM swapping is a fraud that allows identity impersonation by hijacking the phone number through obtaining a duplicate of the SIM card.<br />
<br />
In any case, the operator must be able to prove that, for this specific case, it followed the verification protocols implemented for requests for a duplicate SIM card.<br />
<br />
Well then, the result was that the defendant issued the SIM card to a third party who was not the owner of the line.<br />
<br />
In view of the foregoing, DIGI is unable to prove that it followed this procedure.<br />
<br />
In fact, the establishment where the duplicate SIM card was issued must have verified the original identification document, given that, if this operation had been carried out correctly, the duplicate should have been denied.<br />
<br />
In the explanation provided by the claimed party, it does not indicate what could have been the specific cause that led to the issuance of the duplicate, beyond some generic explanations about the fraudulent activity of a third party. In any case, the claimed party has not been able to prove that for this case it followed the procedure it had itself implemented, since, if it had done so, the result should have been the denial of the duplicate SIM card.<br />
<br />
Based on the foregoing, in the case analyzed, the diligence used by the defendant to identify the person who requested a duplicate SIM card.<br />
<br />
Based on the available evidence, it is estimated that the conduct<br />
of the claimed party could violate article 6.1 of the GDPR and may be<br />
constituting the offense classified in article 83.5.a) of the aforementioned Regulation<br />
2016/679.<br />
<br />
In this sense, Recital 40 of the GDPR states:<br />
<br />
<br />
"(40) In order for processing to be lawful, personal data should be processed on the basis of the consent of the data subject concerned or some other legitimate basis, laid down by law, either in this Regulation or in other Union or Member State law as referred to in this Regulation, including the necessity for compliance with the legal obligation to which the controller is subject or the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."<br />
<br />
IV. Fine. Determination of the amount.<br />
<br />
The determination of the sanction to be imposed in the present case requires observing the provisions of articles 83.1 and 83.2 of the GDPR, precepts that, respectively, provide the following:<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive."<br />
<br />
"2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2), letters a) to h) and j). When deciding whether to impose an administrative fine and deciding on the amount of the fine in each individual case, due regard shall be given to the following:<br />
<br />
a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them;<br />
<br />
b) the intentional or negligent character of the infringement;<br />
<br />
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;<br />
<br />
d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to articles 25 and 32;<br />
<br />
e) any relevant previous infringement by the controller or processor;<br />
<br />
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;<br />
<br />
i) where the measures referred to in article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;<br />
<br />
j) adherence to approved codes of conduct pursuant to article 40 or approved certification mechanisms pursuant to article 42, and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”<br />
<br />
Within this section, the LOPDGDD contemplates in its article 76, entitled "Sanctions and corrective measures":<br />
<br />
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article.<br />
<br />
<br />
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679<br />
may also be taken into account:<br />
<br />
a) The continuing nature of the offence.<br />
<br />
<br />
b) The link between the activity of the offender and the performance of processing of personal data.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
<br />
<br />
d) The possibility that the conduct of the affected party could have led to the commission<br />
of the offence.<br />
<br />
e) The existence of a merger by absorption process subsequent to the commission of the<br />
violation, which cannot be attributed to the absorbing entity.<br />
<br />
<br />
f) The affectation of the rights of minors.<br />
<br />
g) Having, when it is not mandatory, a data protection officer.<br />
<br />
h) Submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject.<br />
<br />
3. It will be possible, complementarily or alternatively, to adopt, when appropriate, the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.”<br />
<br />
<br />
Digi requests that the following extenuating circumstances be appreciated:<br />
<br />
<br />
(I) "the absence of prior infringements" (art. 83.2 e) GDPR).<br />
(II) "At no time have special categories of data been processed" (art. 83.2 g).<br />
(III) "cooperation with the supervisory authority in responding to the transfer of the<br />
claim and having provided the requested information”, article 83.2 f) of the GDPR.<br />
(IV) "The non-existence of benefits obtained through the infringement", article 83.2 k)<br />
of the GDPR and 76.2 c) of the LOPDGDD.<br />
<br />
<br />
None of the invoked mitigating circumstances are accepted.<br />
<br />
Regarding (I) and (II), it should be noted that such circumstances can only operate as aggravating and in no case as mitigating.<br />
<br />
<br />
The pronouncement made by the National Court in its SAN of May 5, 2021 (Rec. 1437/2020) on section e) of article 83.2 of the GDPR, the commission of previous infringements, states:<br />
<br />
"It considers, on the other hand, that the non-commission of a previous infringement should be considered as mitigating. Well, article 83.2 of the GDPR establishes that, among others, the circumstance "e) any previous infringement committed by the controller or processor" must be taken into account for the imposition of the administrative fine. This is an aggravating circumstance; the fact that the prerequisite for its application is not met implies that it cannot be taken into consideration, but does not imply or allow, as the plaintiff claims, its application as a mitigating circumstance";<br />
<br />
(III) Article 83.2.f) of the GDPR refers to the "degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;". The respondent's response to the information request of the Sub-directorate of Inspection did not serve these purposes, so it does not fall within that mitigating circumstance.<br />
<br />
(IV) On the application of article 76.2.c) of the LOPDGDD, in connection with the<br />
Article 83.2.k), non-existence of benefits obtained, it should be noted that such<br />
circumstance can only operate as an aggravating circumstance and in no case as a mitigating circumstance.<br />
<br />
<br />
Article 83.2.k) of the GDPR refers to "any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.” and article 76.2c) of the LOPDGDD says that “2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: [..] c) The benefits obtained as a consequence of the commission of the infraction.” Both provisions mention as a factor that can be taken into account in grading the sanction the "benefits" obtained, but not the "absence" of these, which is what Digi alleges.<br />
<br />
In addition, in accordance with article 83.1 of the GDPR, the imposition of fines is governed by the following principles: they must be individualized for each particular case, and be effective, proportionate and dissuasive. Admitting that the absence of benefits operates as a mitigating circumstance is contrary to the spirit of article 83.1 of the GDPR and to the principles governing the determination of the amount of the fine. If the fact that no benefits were obtained as a result of the commission of a violation of the GDPR were classified as mitigating, the dissuasive purpose that is fulfilled through the sanction would be undermined. Accepting Digi's thesis in a case like the one we are dealing with would mean introducing an artificial reduction in the penalty that truly should be imposed, namely the one that results from considering the circumstances of article 83.2 GDPR that must be assessed.<br />
<br />
<br />
The Administrative Litigation Chamber of the National Court has warned that the fact that, in a specific case, not all the elements that constitute a liability-modifying circumstance which, by its nature, is aggravating are present cannot lead to the conclusion that said circumstance is applicable as a mitigating one. The pronouncement made by the National Court in its SAN of May 5, 2021 (Rec. 1437/2020) - even though that resolution concerns the circumstance of section e) of article 83.2 of the GDPR, the commission of previous infringements - can be extrapolated to the question raised, namely the respondent's claim that the "absence" of benefits be accepted as mitigation, given that both the GDPR and the LOPDGDD refer only to "the benefits obtained":<br />
<br />
<br />
"It considers, on the other hand, that the non-commission of a previous infringement should be considered as mitigating. Well, article 83.2 of the GDPR establishes that, among others, the circumstance "e) any previous infringement committed by the controller or processor" must be taken into account for the imposition of the administrative fine. This is an aggravating circumstance; the fact that the prerequisite for its application is not met implies that it cannot be taken into consideration, but does not imply or allow, as the plaintiff claims, its application as a mitigating circumstance";<br />
<br />
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the fine to be imposed on the entity claimed as responsible for an infringement classified in article 83.5.a) of the GDPR and 72.1 b) of the LOPDGDD, the following factors are considered concurrent in the present case:<br />
<br />
<br />
As aggravating factors:<br />
<br />
- The evident link between the business activity of the defendant and the<br />
treatment of personal data of clients or third parties (article 83.2.k, of the<br />
GDPR in relation to article 76.2.b, of the LOPDGDD).<br />
<br />
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), with respect to entities whose activity entails the continuous processing of customer data, indicates that "...the Supreme Court has understood that recklessness exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, it must insist on rigour and exquisite care in complying with the legal provisions in this regard.”<br />
<br />
As mitigating circumstances:<br />
<br />
The claimed party proceeded to resolve effectively the incident that is the subject of the claim (art. 83.2 c).<br />
<br />
<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR, with regard to the offense committed by violating the provisions of article 6.1 of the GDPR, allows a penalty of 70,000 euros (seventy thousand euros) to be set.<br />
<br />
<br />
Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO IMPOSE on DIGI SPAIN TELECOM, S.L., with NIF B84919760, for a violation of Article 6.1 of the GDPR, typified in Article 83.5 of the GDPR, a fine of 70,000 euros (seventy thousand euros).<br />
<br />
<br />
SECOND: NOTIFY this resolution to DIGI SPAIN TELECOM, S.L.<br />
<br />
THIRD: To warn the sanctioned party that it must make the imposed sanction effective once this resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment term established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of payment, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account IBAN number: ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A. Otherwise, collection will proceed in the enforcement period.<br />
<br />
<br />
Once the notification has been received and the resolution is enforceable, if the enforceability date falls between the 1st and 15th of the month, both inclusive, the voluntary payment term will run until the 20th day of the following month or, if that is not a business day, the immediately following business day; and if it falls between the 16th and the last day of the month, both inclusive, the payment term will run until the 5th day of the second following month or, if that is not a business day, the immediately following business day.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the aforementioned Law.<br />
<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the resolution that is firm in administrative proceedings may be provisionally suspended if the interested party expresses the intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing addressed to the Spanish Data Protection Agency, submitting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also provide the Agency with the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, the precautionary suspension will end.<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202200429&diff=32156AEPD (Spain) - EXP2022004292023-04-18T12:47:07Z<p>Isabela.maria.rosal: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00137-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00137-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=29.11.2021<br />
|Date_Decided=<br />
|Date_Published=11.04.2023<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 5(1)(c) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1c<br />
|GDPR_Article_2=Article 12 GDPR<br />
|GDPR_Article_Link_2=Article 12 GDPR<br />
|GDPR_Article_3=Article 15(1) GDPR<br />
|GDPR_Article_Link_3=Article 15 GDPR#1<br />
|GDPR_Article_4=Article 17 GDPR<br />
|GDPR_Article_Link_4=Article 17 GDPR<br />
|GDPR_Article_5=Article 17 GDPR<br />
|GDPR_Article_Link_5=Article 17 GDPR<br />
|GDPR_Article_6=Article 58(2) GDPR<br />
|GDPR_Article_Link_6=Article 58 GDPR#2<br />
|GDPR_Article_7=Article 83(5) GDPR<br />
|GDPR_Article_Link_7=Article 83 GDPR#5<br />
|GDPR_Article_8=Article 83(5)(a) GDPR<br />
|GDPR_Article_Link_8=Article 83 GDPR#5a<br />
|GDPR_Article_9=Article 83(5)(b) GDPR<br />
|GDPR_Article_Link_9=Article 83 GDPR#5b<br />
|GDPR_Article_10=Article 83(6) GDPR<br />
|GDPR_Article_Link_10=Article 83 GDPR#6<br />
|GDPR_Article_11=Article 83(7) GDPR<br />
|GDPR_Article_Link_11=Article 83 GDPR#7<br />
|GDPR_Article_12=<br />
|GDPR_Article_Link_12=<br />
|GDPR_Article_13=<br />
|GDPR_Article_Link_13=<br />
<br />
|EU_Law_Name_1=Article 4 Ley 39/2015<br />
|EU_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
|EU_Law_Name_3=<br />
|EU_Law_Link_3=<br />
<br />
|National_Law_Name_1=Article 123 Ley 39/2015<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_2=Article 13 Ley 39/2015<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_3=Article 13 LOPDGDD<br />
|National_Law_Link_3=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_4=Article 48(6) LOPDGDD<br />
|National_Law_Link_4=https://www.boe.es/eli/es/lo/2018/12/05/3/con<br />
|National_Law_Name_5=Article 53 Ley 39/2015<br />
|National_Law_Link_5=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_6=Article 62 Ley 39/2015<br />
|National_Law_Link_6=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_7=Article 64(1) LOPDGG<br />
|National_Law_Link_7=https://www.boe.es/eli/es/lo/2018/12/05/3/con<br />
|National_Law_Name_8=Article 64(2)(b) Ley 39/2015<br />
|National_Law_Link_8=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_9=Article 65(4) LOPDGDD<br />
|National_Law_Link_9=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_10=Article 71 LOPDDGG<br />
|National_Law_Link_10=https://www.boe.es/eli/es/lo/2018/12/05/3/con<br />
|National_Law_Name_11=Article 71(1)(a) LOPDGDD<br />
|National_Law_Link_11=https://www.boe.es/eli/es/lo/2018/12/05/3/con<br />
|National_Law_Name_12=Article 72(1)(k) LOPDGDD<br />
|National_Law_Link_12=https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673<br />
|National_Law_Name_13=Article 74(c) LOPDGDD<br />
|National_Law_Link_13=https://www.boe.es/eli/es/lo/2018/12/05/3/con<br />
|National_Law_Name_14=Article 77 Ley 39/2015<br />
|National_Law_Link_14=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_15=Article 78 Ley 39/2015<br />
|National_Law_Link_15=https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565<br />
|National_Law_Name_16=<br />
|National_Law_Link_16=<br />
|National_Law_Name_17=<br />
|National_Law_Link_17=<br />
<br />
|Party_Name_1=Data subject<br />
|Party_Link_1=<br />
|Party_Name_2=Municipality of Ibiza<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=isabela.maria.rosal<br />
|<br />
}}<br />
<br />
The data subject reported their neighbors to the Municipality of Ibiza due to irregular constructions. The Municipality notified the denounced informing them of the personal data of the denouncer/data subject. The data subject filed a complaint with the DPA which issued a reprimand for violation of Articles 12 and 5(1)(c) GDPR.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
In 2017, the Ayuntamiento de Ibiza (the data controller) started a sanctioning procedure against the data subject over a construction without a licence. In the following year, the data subject requested a licence and later requested the discontinuance of the procedure against them, since the irregular construction had been demolished. Back in 2016, the data subject had submitted a document to the data controller informing the public authority about other irregular constructions. This form was used as the initial complaint for at least one investigation, and in that new procedure the data subject's personal data was shared with third parties.<br />
In 2019, the data subject requested the erasure of their personal data, since the information had been shared with third parties and had led to threatening behaviour by their neighbours. Later, the data subject requested access to all documentation relating to them and to all complaints that contained their name. Before the start of the procedure at the AEPD, none of these requests had been answered by the data controller. In 2022, in the course of the procedure, the data controller answered the data subject's requests, stating that it would send the requested information and then proceed to erase the personal data. The data controller explained that one of the reasons for the lack of response had been staff changes.<br />
<br />
=== Holding ===<br />
The DPA held the data controller responsible for the data breach. The data shared with third parties was not necessary for the purpose of investigating the possible irregular constructions. The DPA therefore issued a reprimand to the data controller for the violation of Articles 12 and 5(1)(c) GDPR and ordered the controller to respond to the data subject's rights requests.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/19<br />
<br />
File No.: EXP202200429<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
Of the procedure instructed by the Spanish Agency for Data Protection and based on<br />
the following<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: A.A.A. (hereinafter, the claimant) on 11/29/2021 filed<br />
<br />
claim before the Spanish Data Protection Agency. The claim is directed<br />
against EIVISSA CITY COUNCIL with NIF P0702600H (hereinafter, the party<br />
claimed). The reasons on which the claim is based are the following:<br />
<br />
In 2016, a disciplinary file of<br />
XXXXXXXXXXXXX, for placing some architectural elements without enabling title<br />
<br />
(violation of articles 133 and 134 of Law 2/2014 of 03/25, on the planning and use of<br />
land of the Balearic Islands, according to the copy of the resolution of XX/XX/2017 of the Mayor's Office<br />
of Eivissa, which is attached (origin: complaint from the Local Police of 05/24/2016).<br />
<br />
He states that he made allegations and presented in said proceeding, on X/XX/2016, a<br />
<br />
writing, model: "general instance" (attaches a copy), informing the<br />
claimed that "all (...) are irregularly", in the request "that it be verified<br />
and if it is illegal, act accordingly”. The document contains your name<br />
and surname, address, (...), and NIF number. It does not refer to any procedure with which<br />
relate, and contains the literal:<br />
<br />
<br />
"The data collected may be used by the owner of the file for the exercise of the<br />
own functions within the scope of their powers" and information on the exercise of<br />
the rights on the LOPD.<br />
<br />
The claimant indicates that: "After a few months a neighbor appeared threatening",<br />
<br />
alleging that I had denounced them in the City Hall and that my name appeared in<br />
the complaint. To prove it, attach a partial copy (a sheet of the resolution of<br />
XX/XX/2019 addressed to that other neighbor, coinciding with the address of the irregularity<br />
planning with one of those that appeared in the claimant's brief of X/XX/2016).<br />
<br />
<br />
As one of the points, figure:<br />
<br />
"Having seen the XXXX/2016 report issued by the municipal technical services on<br />
09/1/2016, of the tenor "Subject: Technical Report at the request of the Delegate Councilor of<br />
XXXXXXXXXXXX activities and housing, in relation to the denounced facts<br />
<br />
constituting a possible urban infraction "...." Considering the complaint filed<br />
by (data of the claimant Ms. A.A.A.) by letter dated X/XX/2016 by the<br />
which is brought to the attention of this Regiduría the execution of the works consistent<br />
in… presumably without protection of enabling title…”” In application of articles 69.2<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/19<br />
<br />
of Law 30/1992 and 149 of Law 2/2014 of 25/03 on the planning and use of the land of the<br />
Illes Balears…”REPORT: First: that once a visit to the indicated property in<br />
dated 08/31/2016, it has been possible to verify that the roof of the building on the street...<br />
<br />
observe…”<br />
<br />
The claimant states that "I called the City Council to ask for explanations and they did not<br />
they understood. I never got a response from the council. “<br />
<br />
"Apparently, in this process they have sent to some XXXX neighbors the complaint of the<br />
<br />
City Council using my name to file said complaint instead of being<br />
They are the ones to do it and not in my name.”<br />
<br />
On date XX/X/2019, he submitted a letter to the City Council requesting the deletion of<br />
your data. Attach a copy of the letter in which it appears: "In 2016 I presented a<br />
<br />
complaint to the Department of XXXXXXXXXXXXX of the Ibiza Town Hall on the occasion<br />
of a file initiated by him in which he urged me to demolish a wall built in<br />
my home. As a result of this, my identification data has appeared in various<br />
files of third parties, neighbors of my street, in which I was indicated as<br />
complainant person“ “the complaint presented in my 2016 brief did not refer to<br />
no concrete person, manifested some visible and verifiable facts by any<br />
<br />
person who walked down the street and at no time did I file a complaint”<br />
<br />
“Your personal data has been communicated to third parties without a legal basis for<br />
it."<br />
“As a consequence of the communication of my personal data to third parties,<br />
<br />
I have suffered threats and insults from various people.”<br />
<br />
He states that he did not receive a response to that exercise.<br />
<br />
He continues stating that on ***DATE.1, he submitted a new document, without having obtained<br />
<br />
answer. It is, according to the accompanying copy, indicating that it received a complaint in<br />
question of XXXXXXXXXX (a wall that was being built to put a<br />
XXXXXXX) , and made a "complaint", alluding to his letter of X/XX/2016 as an allegation and<br />
irregularities ”I made a complaint alleging that in my group there were more people with<br />
irregularities” (colla: term in Catalan to refer to a group of acquaintances or friends),<br />
"I never gave names." Add again, on the back of the document that "received<br />
<br />
threats from several neighbors who showed up at his home", and another neighbor showed him<br />
the complaint with her name, coincides with the partial copy of the one she provides, so<br />
XX/XX/2019, who "found threatening notes in the car", had to "rent a<br />
parking" to avoid damage to the car and "I have moved house for fear of suffering<br />
damage". He requested the deletion of his data and no one answered him. Request: "All<br />
<br />
documentation corresponding to my case and all the complaints that appear in my<br />
name…"<br />
<br />
The claimant considers that her personal data has been unlawfully disclosed and<br />
have met their data protection rights.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of<br />
Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), said claim was transferred to the claimed party, so that<br />
<br />
proceed to its analysis and inform this Agency within a month of the<br />
actions carried out to adapt to the requirements established in the regulations of<br />
Data Protection.<br />
<br />
<br />
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of<br />
1/10, of the Common Administrative Procedure of Public Administrations (in<br />
hereafter, LPACAP), was collected on 01/21/2022, as stated in the acknowledgment of<br />
receipt that works in the file.<br />
<br />
<br />
The claimed party responds to the transfer of the claim dated 02/21/2022, which<br />
following:<br />
<br />
-The deletion of data was not addressed "due to a human error derived from the month in which the<br />
that we were (August) and the change of staff due to the holidays<br />
<br />
summer.”<br />
<br />
-"Regarding the right of access presented on ***DATE.1, it was transferred to the<br />
responsible for the file, and due to internal ignorance, no response was given to the<br />
applicant."<br />
<br />
<br />
-Provides doc 1, of 02/18/2022, expte. ***FILE.1, copy of response to<br />
claimant, stating:<br />
<br />
On the request of ***DATE.1, "we have to convey to you...our most sincere<br />
apologies, since although it is true, they contacted you by telephone, to<br />
<br />
indicate the error made on our part, however, we do not reply in writing<br />
indicating that we had proceeded to delete your personal data. "…we have<br />
proceeded to correct the error committed.”<br />
<br />
It is noted that in said letter it was not the one in which he exercised the right to suppress<br />
<br />
his data, it was in one of 2019. It does not provide documentary evidence of having proceeded to the<br />
deletion that he claims to have executed.<br />
<br />
“By Decree we proceed to make your request for access to information effective,<br />
as established in article 13 of the LOPDGDD, and once the<br />
information, taking into account the right of access formulated by you, we will proceed to the<br />
<br />
exercise of data deletion requested in accordance with the current legislation of the<br />
Public administrations."<br />
<br />
Attached, copy of Decree of 02/18/2022, number XXXX/2022, which indicates: "for his<br />
request of ***DATE.1 in which access is requested to all the corresponding documentation<br />
<br />
to my case and all the complaints where my name appears”<br />
<br />
"...as established in article 13 of the LOPDGDD", it is agreed:<br />
<br />
-Informs you of the data it possesses about her, as they have been presented differently<br />
<br />
formalities. Access consists of a brief reference to the procedure in question and a<br />
identification number. Among them, it appears "presents general instance of denunciation<br />
due to irregular works on the terraces of the numbers…. of the street…, XXXXX/2016”, which<br />
matches your instance of X/XX/2016.<br />
<br />
-“Once this is sent, in accordance with the right of access formulated by you,<br />
proceed to the exercise of data deletion requested in accordance with the legislation<br />
<br />
in force of the Public Administrations.”<br />
<br />
It also provides a document of delivery to the claimant of 02/19/2022, "response to the<br />
Right of access".<br />
<br />
It is noted that what the claimant was asking for was to know the files open to other<br />
<br />
people in whom his reference as a complainant was contemplated, just like the one who is<br />
provided together with this claim, dated XX/XX/2019, from one of them.<br />
<br />
-They indicate that despite having a procedure for attention to the exercise of rights, it has<br />
prepared and approved on 02/16/2022 a new one, to "prevent situations from occurring<br />
<br />
Similar". They have sent a statement to all employees informing them of this and<br />
remembering deadlines to respond. Provide a copy of the second version of 02/14/2022.<br />
<br />
-In 2021, training was given on the exercise of data protection rights,<br />
provides certificate.<br />
<br />
<br />
THIRD: On 02/28/2022, in accordance with article 65 of the LOPDGDD, the<br />
admitted for processing the claim presented by the claimant.<br />
<br />
FOURTH: On 03/03/2022, the claimant provides a copy of what was received from the<br />
City hall:<br />
<br />
<br />
a) Decree of the Mayor's Office XXXX/2022 that gives summary access to your data in relation to<br />
with the procedures requested, and that "proceeds to the requested data deletion exercise".<br />
<br />
b) Copy of the response to your brief of XX/XX/2020, from the claimed party, of 02/18/2022,<br />
<br />
exte ***FILE.1.<br />
<br />
You state that you want the procedure to continue.<br />
<br />
FIFTH: On 06/2/2022 it was agreed by the Director of the AEPD:<br />
<br />
<br />
"START SANCTION PROCEDURE for EIVISSA CITY COUNCIL, with NIF<br />
P0702600H, for the alleged infringement of the GDPR, articles:<br />
<br />
-12 of the GDPR, in accordance with article 83.5.b) of the GDPR and 72.1.k) of the<br />
LOPDGDD, and<br />
<br />
-5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR and 72.1.a) of the<br />
LOPDGDD.”<br />
<br />
"For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure<br />
Common Administrative Law of Public Administrations, the sanction that could<br />
<br />
to correspond would be a warning, without prejudice to what results from the instruction.”<br />
<br />
No claims were received.<br />
<br />
SIXTH: On 11/24/2022, it is agreed to open a test practice period, according to<br />
the provisions of article 77 and 78 of the LPACAP. It is agreed to practice the following<br />
evidence:<br />
<br />
<br />
1. Consider reproduced for evidentiary purposes the claim filed by the<br />
claimant and its documentation, the documents obtained and generated during the phase<br />
of admission to process the claim, and those of transfer actions that form<br />
part of procedure AT/00174/2022.<br />
<br />
<br />
2. Likewise, the writings presented by<br />
the claimant after the commencement agreement.<br />
<br />
3. The defendant is requested to report or provide the following:<br />
<br />
<br />
a) The Ibiza Town Hall initiated a procedure against the claimant for works<br />
illegal/construction on the roof without enabling title/, complaint date X/XX/2016, with<br />
report of "municipal XXXXXXX from which it can be deduced that the claimant performs<br />
work... still unfinished", as can be seen from the letter to the claimant, from the<br />
Town Hall of XX/XX/2017. It is also included in it, that on 01/24/2017, the<br />
claimant submitted a project requesting a license. The brief of XX/XX/2017 agreed<br />
<br />
initiate a disciplinary file for commission of urban infraction and initiate the<br />
reposition to altered physical reality.<br />
<br />
Regarding the document -which is attached to this brief of evidence of the claimant -of<br />
X/XX/2016 and its content and references and information, you are requested to report:<br />
<br />
<br />
-If said document of X/XX/2016, is part of, or is included in the process of any<br />
procedure initiated to the claimant, as allegations made by the claimant.<br />
<br />
-If before the aforementioned letter of XX/XX/2017, any action had been communicated<br />
<br />
related to the facts of that file to the claimant, indicating the date and type of<br />
communication and related to what matter.<br />
<br />
b) Inform the number of files in which the letter of the<br />
claimant of X/XX/2016 as an initiating cause of procedures or actions<br />
against other people, and the dates on which the proceedings began against each of them.<br />
<br />
<br />
c) If the content in the writings of initiation of proceedings has changed by<br />
complaints in matters of XXXXXXXXXXXX in which natural persons put into question<br />
knowledge of the City Council allegedly illegal events, so that in front of the<br />
alleged infringers reported do not contain data of the person who puts it in<br />
<br />
knowledge of the City.<br />
<br />
d) In writing addressed to the claimant dated 02/18/2022, exte ***EXPEDIENTE.1, they state<br />
at the end that: "once the information is sent to you, taking into account the right of access<br />
formulated by you, the exercise of data deletion requested from<br />
<br />
accordance with the current legislation of the Public Administrations.”<br />
<br />
You are requested to report providing a copy of the response on this right of<br />
deletion that are supposed to have responded to the claimant, with proof of their<br />
delivery.<br />
<br />
<br />
After the allotted time, no response was received.<br />
<br />
SEVENTH: On 12/20/2022, the following proposed resolution was issued:<br />
<br />
"1-That the Director of the Spanish Data Protection Agency sanctions<br />
<br />
EIVISSA CITY COUNCIL, with NIF P0702600H:<br />
<br />
-with a warning, for the infringement of article 12 of the GDPR, in accordance with the<br />
Article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD.<br />
<br />
<br />
-with a warning, for the infringement of article 5.1.c) of the GDPR, in accordance<br />
with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.<br />
<br />
2-That in application of article 58.2.c) of the RGPD that establishes corrective powers to the<br />
AEPD to: "order the person in charge or person in charge of the treatment to attend to the<br />
requests to exercise the rights of the interested party under this<br />
Regulation;", you are urged to prove the content of the right of deletion that has been<br />
carried out with the claimant, and if it has been communicated to her.”<br />
<br />
<br />
EIGHTH: On 12/20/2022, a literal resolution proposal was issued.<br />
<br />
<br />
"1-That the Director of the Spanish Data Protection Agency sanctions<br />
EIVISSA CITY COUNCIL, with NIF P0702600H:<br />
<br />
-with a warning, for the infringement of article 12 of the GDPR, in accordance with the<br />
Article 83.5.b of the GDPR and 72.1.k) of the LOPDGDD.<br />
<br />
-with a warning, for the infringement of article 5.1.c) of the GDPR, in accordance<br />
with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.<br />
<br />
2-That in application of article 58.2.c) of the RGPD that establishes corrective powers to the<br />
<br />
AEPD to: "order the person in charge or person in charge of the treatment to attend to the<br />
requests to exercise the rights of the interested party under this<br />
Regulation;", you are urged to prove the content of the right of deletion that has been<br />
carried out with the claimant, and if it has been communicated to her.”<br />
<br />
NINTH: On 01/04/2023, the following allegations are received:<br />
<br />
<br />
-They understand that the violation of article 12 of the GDPR, would be of 83.5.b) of the GDPR, not<br />
of letter a) of the same article 83.5 that is dragging on the file.<br />
<br />
The conduct that typifies said infraction does not occur, because it is not explained clearly.<br />
motivated which consists of the impediment, obstruction, or reiterated non-attention of the<br />
<br />
exercise of the established rights, Explains the literal meaning that the RAE gives to each<br />
one of the words, and it may be considered in any case that said word must be completed<br />
response or not, but not qualify as non-attention. He adds that in fact<br />
claimant exercised the right and the defendant did not put up an obstacle to said exercise.<br />
<br />
-He considers that only a single right of deletion has been exercised (08/22/2019) and a<br />
only right of access (***DATE.1), which are both answered on 02/18/2022, both<br />
<br />
in writing and by phone. In the configuration of the consideration of the facts<br />
as a violation of article 12 of the GDPR, it cannot be treated as a reiteration of the<br />
petition, the fact that on the occasion of the request for access to documents mentions<br />
that he had requested the right of deletion and had not been answered, since this has to be<br />
considered as a new request, in this case, for access. In any case, it cannot be<br />
classify as ignoring the request when he was told that after giving him access, he was leaving<br />
<br />
to proceed with the deletion, so it cannot be described as reiterated.<br />
<br />
-Indicates that article 64.1 of the LOPDGG talks about the procedure of lack of attention<br />
of a request to exercise rights that is related to articles 15 to 22 and does not<br />
It is classified as very serious.<br />
<br />
<br />
The aforementioned non-motivation would give rise to its classification as mild in article 74.c of the<br />
LOPDGDD.<br />
<br />
Counting from the date on which the deletion could be considered as not addressed,<br />
09/22/2019, more than a year has passed from the period that would entail its qualification as<br />
<br />
mild, so it must be considered prescribed. It shows that the same is true of<br />
regarding the right of access, prescribed on 01/17/2022.<br />
<br />
-Regarding the infringement of article 5.1.c) of the GDPR, the provision of the<br />
The identity of the complainant is in accordance with Article 62 of the LPCAP, since complaints must be<br />
<br />
express the identity of the people who inform the Administration<br />
the facts and, from this moment, it is the Public Administration that gives the course<br />
that the Law establishes, taking into account the form of initiation. We are before a<br />
complaint whose purpose is to maintain legality and observance of the law<br />
planning, in which the complainant can acquire the status of interested party. Esteem<br />
<br />
that the claimant would have a direct interest and it affects her interests, since she was<br />
object of an administrative file for the same facts, which, if allowed with<br />
with respect to the rest of the neighbors it would suppose a comparative grievance. "In this scenario, it is<br />
preferential application of the LPCAP and transparency legislation. Article 53 LPACP<br />
prevails over data protection regulations.” The defendant has the right to<br />
access to the file and obtain a copy of it.<br />
<br />
<br />
The AEPD affirms that "the interference in the data of the claimant, because it is not precise,<br />
necessary, adequate or proportional, must not be made known in the procedure that<br />
start the administration of the defendant", but the City Council cannot be required to<br />
eliminate said information as it would imply the non-satisfaction of a right to<br />
<br />
complainant. In addition, if the Administration included the complainant's data, it was in<br />
For the sake of maximum transparency in the exercise of its sanctioning power.<br />
<br />
-Provides indications of AEPD procedures in which it reproduces parts that<br />
indicate that it is in accordance with the LOPD to obtain a copy of the file including the identity<br />
<br />
of the complaining party that is delivered to the accused. One of them indicates that it is a<br />
case like this, report 197/2006.<br />
<br />
-Ends by indicating that: "Taking into account that the administrative files have<br />
completed, the City Council, complementing the response given on 02/18/2022, has given<br />
instructions for the deletion of the data of the complainant from the files<br />
<br />
administrative documents in which it is recorded. A letter will be provided confirming this point.”<br />
<br />
TENTH: In view of all the proceedings, by the Spanish Protection Agency<br />
of Data in this procedure the following are considered proven facts:<br />
<br />
<br />
<br />
PROVEN FACTS<br />
<br />
<br />
1) The Ibiza Town Hall initiated on XX/XX/2017 a disciplinary procedure against the<br />
claimed for illegal works / construction on the roof without enabling title /, and initiate the<br />
restoration to the altered physical reality, dated complaint X/XX/2016, with report of<br />
<br />
"XXXXXXX municipal from which it can be deduced that the claimant is carrying out works... even without<br />
conclude". It is also stated therein that on 01/24/2017, the claimant filed a<br />
project requesting license.<br />
<br />
Related to this, it appears that on 10/26/2017, the claimant sent a letter to the<br />
<br />
claimed requesting that the file be archived because it has complied by demolishing what<br />
built.<br />
<br />
<br />
2) The claimant completed a claimant's form dated X/XX/2016,<br />
“general instance”, informing the defendant that three addresses that<br />
<br />
identified by street (same as yours) and numbers, have architectural elements<br />
irregular, describing what these are. The document contains the literal:<br />
"The data collected may be used by the owner of the file for the exercise of the<br />
own functions within the scope of their powers”, and information on the exercise of<br />
the rights on the LOPD. In the "I request", it appears: "That it be verified and in the case of<br />
<br />
be illegal to act accordingly." In addition, the document contains your data<br />
personal, ID and address.<br />
<br />
<br />
3) The claimant claims that her data has been delivered to files that have been<br />
<br />
opened as of his letter of X/XX/2016, since one of the accused appeared in<br />
Your domicile. The claimant provides a partial copy, with only one page, of a resolution of<br />
XX/XX/2019 that the City Council addressed to one of the owners of the houses that<br />
complainant indicated in its brief of X/XX/2016. As one of the points, figure: "seen<br />
the XXXX/2016 report issued by the municipal technical services on 09/1/2016,<br />
of the tenor "Subject: Technical Report at the request of the Delegate Councilor of<br />
<br />
XXXXXXXXXXXX activities and housing, in relation to the denounced facts<br />
constituting a possible urban infraction "...." Considering the complaint filed<br />
by (data of the claimant Ms. A.A.A., the claimant) by writing dated X/XX/<br />
2016, by which the execution of the works is made known to this Councilor<br />
consisting of... presumably without protection of enabling title..."" In application of the<br />
<br />
Articles 69.2 of Law 30/1992 and 149 of Law 2/2014 of 25/03 on the planning and use of<br />
land of the Balearic Islands…” REPORT: First: that once a visit to the indicated<br />
<br />
property on 08/31/2016, it has been verified that the roof of the building of the<br />
street ... it is observed ...<br />
<br />
On date XX/X/2019, the claimant submits a letter to the City Council requesting the<br />
deletion of your data, specifying that it is your identity that has been included in<br />
<br />
disciplinary resolutions of third parties, and that some of the denounced appeared in<br />
your address, and that: "as a result of the communication of my personal data to<br />
third parties, I have suffered threats and insults from various people”.<br />
The request was not met.<br />
<br />
4) On ***DATE.1, the claimant requests: “all documentation<br />
<br />
corresponding to my case and all the complaints that appear in my name”. points at<br />
the letter that "several neighbors showed up at her home threatening her" The petition<br />
was not attended.<br />
<br />
<br />
<br />
5) In the transfer of the claim, the claimed party declares that in writing of<br />
02/18/2022, on the request of *** DATE.1, they have answered the request for access to<br />
your data. In said response, he informs her of the data he possesses about her, for having been<br />
presented different procedures. The access consists of the brief reference of the procedure of<br />
that it is, and an identification number. Among them, it appears "presents instance<br />
general denunciation for irregular works on the terraces of the numbers…. of the<br />
<br />
calle…, XXXXX/2016”, which refers to your instance of X/XX/2016. It is also observed<br />
that what the claimant was asking for was to know the files open to other people in<br />
which included his reference as complainant, as well as the documentation of<br />
the same.<br />
<br />
6) In the same response to the access, on 02/18/2022, he indicates the part<br />
<br />
claimed to the claimant, without any reference to her request for suppression of XX/X/2019, and<br />
the terms in which it was requested, that: "Once the present is forwarded, in response to the<br />
right of access formulated by you, proceed to the exercise of deletion of data<br />
requested in accordance with the current legislation of Public Administrations.", without<br />
know the scope of the supposed deletion of data carried out by the party<br />
claimed.<br />
<br />
<br />
-In allegations to the proposal, the defendant stated that "Taking into account that the<br />
administrative files have concluded, the City Council, complementing the<br />
response given on 02/18/2022, has given instructions for the deletion of the data from the<br />
complainant of the administrative files in which it is recorded. Written will be provided<br />
confirming this point."<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
<br />
(General Data Protection Regulation, hereinafter GDPR), grants each<br />
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Law<br />
Organic 3/2018, of 12/5, Protection of Personal Data and guarantee of rights<br />
(hereinafter, LOPDGDD), is competent to initiate and resolve this<br />
<br />
procedure the Director of the Spanish Data Protection Agency.<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions enacted in its implementation and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
<br />
<br />
Article 12 of the GDPR establishes:<br />
<br />
"1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.<br />
<br />
2. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22…<br />
<br />
3. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request…<br />
<br />
4. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy."<br />
<br />
<br />
Regarding the failure to attend to the right of erasure requested on 08/22/2019, article 17 of the GDPR indicates:<br />
<br />
"1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies..."<br />
<br />
The claimant based her erasure request on the same facts set out in this claim: the appearance of her data, as complainant, in files, while clarifying that she did not file any complaint. The claimant indicates that she was merely making certain facts known. It is also observed that the competent authority, through its employees, visited the address that the claimant had provided in her brief of X/XX/2016 in order to verify the legality of the buildings.<br />
<br />
One of the grounds favouring erasure is point (d) of the aforementioned article 17:<br />
<br />
"(d) the personal data have been unlawfully processed;" although it is also stated that<br />
<br />
"3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:<br />
<br />
(a) for exercising the right of freedom of expression and information;<br />
<br />
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;<br />
<br />
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);<br />
<br />
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or<br />
<br />
(e) for the establishment, exercise or defence of legal claims."<br />
<br />
<br />
In accordance with the ruling of the National Court (Audiencia Nacional), Contentious-Administrative Chamber, Section 1, appeal 165/2005 of 12/14/2006: "Article 15 of LO 15/1999 regulates the right known as habeas data or habeas scriptum, which consists in the data subject being able to require the controller of the file to perform a service consisting in the mere display of his or her data and, where appropriate, its rectification or cancellation. This is an essential right in this field, included in art. 8.b) and c) of Convention 108 of the Council of Europe and in arts. 12 and 13 of Directive 95/46/EC." Moreover, it is indisputable that the right of access constitutes the essential core of the right regulated in art. 18.4 of the Constitution (STC 292/2000).<br />
<br />
<br />
The respondent did not process the claimant's exercise of rights in any way, neither when the erasure request was first received, on 08/22/2019 (the resolution in which her data appear in one of the denounced cases was from XX/XX/2019), nor when, in the subsequent letter of ***DATE.1 requesting documentation and access, she also referred to and recalled in numerous details the request she had presented earlier, noting even the date of the aforementioned erasure request, without receiving attention to either of them.<br />
<br />
Presumably, given the omission in the response provided and the erasure request not having been taken into account, her data could have continued to be provided in other files of other denounced parties. This can be inferred from the respondent's statement that:<br />
<br />
"Taking into account that the administrative files have concluded, the City Council, supplementing the answer given on 02/18/2022, has given instructions for the deletion of the complainant's data from the administrative files in which it is recorded. A letter will be provided confirming this point."<br />
<br />
On the other hand, regarding the first request, the respondent indicates that "actions began to be carried out to respond to her request, but no written response was issued in due time and form, due to a human error derived from the month we were in (August) and the change of staff due to the summer holidays."<br />
<br />
Regarding her exercise of the right of access, presented on ***DATE.1, the respondent states that "the person responsible for the file was transferred and, due to internal lack of awareness, no response was given to the applicant."<br />
<br />
Neither reason is consistent with the content of this right. What occurred in this case is a failure to respond to either request, which amounts to a refusal to provide the requested information, and it does not appear that there was any major impediment other than an absolute disregard for the exercise of rights, such that the right becomes useless or entirely ineffective.<br />
<br />
The respondent considers that it gave effect to the right on 02/18/2022, by telephone and in writing, stating:<br />
<br />
"Once the information is sent to you, in accordance with the right of access you exercised, the requested data erasure exercise will be carried out in accordance with the legislation in force for Public Administrations.", a wording which is unfortunate, since the exercise of the right corresponds to the claimant, and without there being any accredited written record of that right having been attended to in any sense, stating in its submissions that "Taking into account that the administrative files have concluded, the City Council, supplementing the response given on 02/18/2022, has given instructions for the deletion of the complainant's data from the administrative files in which it is recorded. A written document will be provided confirming this point."<br />
<br />
Moreover, neither the claimant nor this AEPD knows the number of files in which her data was included, or whether the complete copy of her brief of X/XX/2016, which was one of the key points of her access request, was provided.<br />
<br />
"The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:", article 15.1 of the GDPR.<br />
<br />
<br />
As for the information given by telephone, on the basis of the accountability principle established in article 5.2 of the GDPR, there is no guarantee either that it took place or of its content, and in this case it is not considered to satisfy the right.<br />
<br />
In summary, the fact is that no response was given, which amounts to a refusal to provide the requested information within the established period and in the established manner. This absolute inattention has rendered the right illusory: the response was deferred until the moment at which the files were considered concluded, when the respondent stated that it was going to proceed with the erasure of the data, without the terms in which it was carried out, its scope, or how the data were deleted being known. As regards the exercise of the right of access, the response also fails to address whether her data appeared in other files.<br />
<br />
This constitutes the infringement of article 12 of the GDPR attributed to the respondent.<br />
<br />
III<br />
<br />
<br />
The respondent treated the claimant as a complainant in the X/XX/2016 form and disclosed that data, recording her name and surname in the agreements initiating proceedings against third parties. With the mention of (...) that the houses to which she referred in the aforementioned form, she could have been identified without great difficulty.<br />
<br />
The LPACAP states, in its article 62, "Initiation of proceedings by complaint":<br />
<br />
"1. A complaint is understood to be the act by which any person, whether or not in compliance with a legal obligation, brings to the attention of an administrative body the existence of a certain fact that could justify the ex officio initiation of an administrative procedure.<br />
<br />
2. Complaints must state the identity of the person or persons presenting them and the account of the facts brought to the attention of the Administration. When such facts could constitute an administrative infringement, they shall include the date of their commission and, where possible, the identification of the alleged perpetrators.<br />
<br />
[…]<br />
<br />
5. The filing of a complaint does not, by itself, confer the status of interested party in the procedure."<br />
<br />
And in article 13, "Rights of persons in their relations with Public Administrations":<br />
<br />
"Those who, in accordance with article 3, have the capacity to act before the Public Administrations hold, in their relations with them, the following rights:<br />
<br />
h) To the protection of personal data, and in particular to the security and confidentiality of the data contained in the files, systems and applications of the Public Administrations."<br />
<br />
<br />
Article 4 of the LPACAP attributes the status of interested party in an administrative procedure to:<br />
<br />
"a) Those who initiate it as holders of individual or collective rights or legitimate interests.<br />
<br />
b) Those who, without having initiated the procedure, have rights that may be affected by the decision adopted in it.<br />
<br />
c) Those whose legitimate interests, individual or collective, may be affected by the resolution and who appear in the procedure before a final resolution has been issued."<br />
<br />
<br />
Seen from the perspective of the denounced party, as an interested party (art. 64.1 LPACAP) directly affected because a sanctioning procedure in urban planning matters is initiated against him, article 53.1 of the LPACAP grants the right to "access and obtain a copy of the documents contained in the aforementioned procedures". Obviously, this aspect is different from the content of the resolutions and agreements that are notified, which is what is dealt with here. Access to a copy of the documents in the file should be limited to the essential data, without giving access to data that is not necessary for the exercise of the right of defence or that has nothing to do with the matter, which must, where applicable, remain anonymous. For example, providing the NIF or the address in the copy of the file could constitute data processing that, depending on the circumstances, might not be necessary for this purpose.<br />
<br />
<br />
However, what is analysed here is whether the inclusion of the name and surname in the agreement that the claimant provided as proof of access to her data violates article 5.1.c) of the GDPR, which indicates:<br />
<br />
"1. Personal data shall be:<br />
<br />
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation');"<br />
<br />
The claimant informed the City Council of certain facts so that it could verify them, which it did, at certain addresses in (...). The urban planning irregularities reported by the claimant were thus verified by the inspection authority with competence in the matter, whose staff have the status of agents of the authority, in order to attest to the facts as formalised in the aforementioned agreement initiating the procedure.<br />
<br />
<br />
<br />
The issue may affect the denounced parties who are mentioned in the agreements in which the identity of the complainant appears. In at least one of the cases it was found that the claimant was referred to.<br />
<br />
Although the partial copy of the resolution of one denounced party provided by the claimant confirms that only her first name and first surname appeared, that is enough for her to be identified, especially when the (...) and the claimant alludes to the fact that they are part of her "colla" (group).<br />
<br />
<br />
<br />
<br />
The mention of her data, leading to her identification or making her identifiable, brings to light the conflict between the claimant's right to privacy and to keeping her data confidential and undisclosed, and the right of the accused for the agreement initiating a disciplinary procedure to state the specific origin of the claimant's identifying data, under the category of complainant.<br />
<br />
The question in an initiation agreement is not whether or not to disclose the identity of the complainant to the denounced person, but whether, in accordance with the purpose of communicating the agreement and the rights at stake, a communication with such content is necessary, proportionate and appropriate.<br />
<br />
<br />
<br />
<br />
It should be borne in mind that the status of complainant does not per se confer the status of interested party. In this case, the purpose of disclosing the facts was the protection of urban planning legality and its eventual restoration to the previous situation, a situation in which the claimant was not involved. Taking into account that the urban planning authority verified the facts and initiated the disciplinary procedure ex officio (article 63.1 LPACAP: "Sanctioning procedures shall always be initiated ex officio by agreement of the competent body"), it is considered that disclosing the identifying data of the complainant may cause harm. As in this case, it is not considered that the data the respondent had collected, and which were brought to the attention of at least one denounced person, were adequate, relevant and limited to what is necessary for the purpose for which the data processing is carried out. Their inclusion in cases such as this can produce the same or similar effects on people who report facts such as those analysed here, which may give rise to disciplinary proceedings.<br />
<br />
<br />
The respondent adds that it complied with the provisions of the LPACAP, but among the contents of the agreement initiating the disciplinary procedure, article 64 of the LPACAP does not provide for disclosing the identity of the complainant.<br />
<br />
<br />
In a case such as the one analysed here, the identification of the complainant in the agreement addressed to the sanctioned party contributes nothing substantial to it, nor does its absence imply a loss of his right of defence, given that the agreement goes on to state that the facts were verified by the urban planning authority. The absence of any effect for the denounced party precludes the data processing carried out by the respondent.<br />
<br />
Although it is not possible to generalise, and each case must be analysed according to its circumstances, in this case the reconciliation of the rights of the parties leads to the conclusion that it was not appropriate, relevant or necessary for the agreement to contain the claimant's identifying data. This conclusion can only be reached by analysing the various elements that converge in the rights in dispute between the parties. The consequence must be that the interference with the claimant's data, embodied in her appearance in an agreement initiating a disciplinary file, which can occur in environments where everyone knows each other, could also create serious risks for complainants and discourage this type of complaint, in addition to other consequences they may suffer. Thus, it is considered that the aforementioned inclusion would only be required if knowledge of the identity were decisive in the configuration of the facts or related to them, affecting the rights to be exercised by the denounced party, especially his right of defence. That not being the case, it is determined that the aforementioned article 5.1.c) is infringed.<br />
<br />
IV.<br />
<br />
<br />
Infringements of articles 12 and 5.1.c) of the GDPR are typified in article 83.5 of the GDPR, which indicates:<br />
<br />
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:<br />
<br />
(a) the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;<br />
<br />
(b) the data subjects' rights pursuant to Articles 12 to 22;"<br />
<br />
The LOPDGDD also contemplates these infringements, for the purposes of their limitation period, in the following articles:<br />
<br />
Article 71<br />
<br />
"Infringements are the acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law."<br />
<br />
Article 72<br />
<br />
"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, the infringements that entail a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, in particular the following:<br />
<br />
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679."<br />
<br />
"k) The impediment or obstruction of, or repeated failure to attend to, the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679."<br />
<br />
<br />
Regarding the allegation that the infringement typified in 72.1.k) of the LOPDGDD, for lack of reasoning, should be classified as minor under article 74.c) of the LOPDGDD, which indicates: "Failure to respond to requests for the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law apply.", it must be pointed out that it has already been explained that the conduct constitutes a substantial non-compliance, a total of two years without attending to the right, and that when a response was given on 02/18/2022 the right was not fully satisfied, for which reason the conduct falls within this type.<br />
<br />
V<br />
<br />
<br />
Article 58.2 of the GDPR lists, among the powers of the supervisory authority:<br />
<br />
"(c) to order the controller or the processor to comply with the data subject's requests to exercise his or her rights pursuant to this Regulation;"<br />
<br />
"(i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of measures referred to in this paragraph, depending on the circumstances of each individual case;"<br />
<br />
The respondent has not explained how and when it proceeded to delete the claimant's data in the specific sense in which it was requested, and the scope of compliance with the exercise carried out is unknown.<br />
<br />
It is also not known whether her data was provided in the course of the proceedings opened on the basis of her brief of X/XX/2016, which was one of the points raised in the exercise of the right of access.<br />
<br />
The imposition of this measure is compatible with the sanction, in accordance with the provisions of article 83.2 of the GDPR.<br />
<br />
Article 83.7 of the GDPR adds:<br />
<br />
"Without prejudice to the corrective powers of supervisory authorities pursuant to Article 58(2), each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State."<br />
<br />
The Spanish legal system has chosen not to fine public entities, as indicated in article 77.1.c), 2, 4, 5 and 6 of the LOPDGDD:<br />
<br />
<br />
"1. The regime established in this article shall apply to processing for which the following are controllers or processors:<br />
<br />
c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration."<br />
<br />
"2. When the controllers or processors listed in section 1 commit any of the infringements referred to in articles 72 to 74 of this organic law, the competent data protection authority shall issue a resolution sanctioning them with a warning. The resolution shall also establish the measures to be adopted to cease the conduct or to correct the effects of the infringement committed.<br />
<br />
The resolution shall be notified to the controller or processor, to the body on which it hierarchically depends, where applicable, and to the affected persons who have the status of interested party, if any.<br />
<br />
<br />
3. Without prejudice to the provisions of the previous section, the data protection authority shall also propose the initiation of disciplinary actions where there is sufficient evidence for it. In this case, the procedure and the sanctions to be applied shall be those established in the legislation on the disciplinary or sanctioning regime that is applicable.<br />
<br />
Likewise, when the infringements are attributable to authorities and executives, and the existence of technical reports or recommendations regarding the processing that were not duly attended to is accredited, the resolution imposing the sanction shall include a reprimand naming the position of the responsible person, and shall be published in the corresponding Official State or regional Gazette.<br />
<br />
4. The data protection authority must be informed of the resolutions issued in relation to the measures and actions referred to in the preceding sections.<br />
<br />
5. The actions carried out and the resolutions issued under this article shall be communicated to the Ombudsman or, where applicable, to the equivalent institutions of the autonomous communities.<br />
<br />
6. When the competent authority is the Spanish Data Protection Agency, it shall publish on its website, with due separation, the resolutions referring to the entities in section 1 of this article, with express indication of the identity of the controller or processor that committed the infringement."<br />
<br />
<br />
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading sanctions whose existence has been accredited,<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO SANCTION EIVISSA CITY COUNCIL, with NIF P0702600H, with a warning for each of the following infringements:<br />
<br />
- article 12 of the GDPR, in accordance with article 83.5.b) of the GDPR, and for the purposes of limitation, typified in article 72.1.k) of the LOPDGDD.<br />
<br />
- article 5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of limitation, typified in article 72.1.a) of the LOPDGDD.<br />
<br />
<br />
SECOND: In accordance with the provisions of article 58.2.c) of the GDPR, the respondent must comply with the rights that are the subject of the claim in the sense set out in the last legal ground, for which a period of ten days is granted, and must report on its compliance.<br />
<br />
It is noted that failure to meet the requirements of this body may be considered an administrative infringement in accordance with the provisions of the GDPR, typified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.<br />
<br />
THIRD: TO NOTIFY this resolution to EIVISSA CITY COUNCIL.<br />
<br />
FOURTH: TO COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law.<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. It must also send the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency is not informed of the filing of the contentious-administrative appeal within two months from the day following the notification of this resolution, it will consider the provisional suspension to have ended.<br />
<br />
<br />
<br />
938-181022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Isabela.maria.rosalhttps://gdprhub.eu/index.php?title=User:Isabela.maria.rosal&diff=32113User:Isabela.maria.rosal2023-04-17T13:36:03Z<p>Isabela.maria.rosal: Created page with "Isabela is a legal researcher at CiTiP (KU Leuven) where she works on cybersecurity, non-discrimination, privacy, and data protection projects. Prior to joining CiTiP, Isabe..."</p>
<hr />
<div>Isabela is a legal researcher at CiTiP (KU Leuven) where she works on cybersecurity, non-discrimination, privacy, and data protection projects. <br />
<br />
Prior to joining CiTiP, Isabela worked as a lawyer at a prestigious firm and as a project manager at the CEDIS-IDP (2020-2022), where she contributed to projects such as “Effective LGPD” and “LGPD in the Courts”. She has also worked as head of “Data Governance and Digital Economy” at LAPIN and as an assistant at the Brazilian Antitrust Authority (CADE). <br />
<br />
She obtained an LL.M degree in Civil Law (summa cum laude) from the University of Brasília (UnB, Brazil) in 2022, presenting a thesis on “The processing of personal data for marketing purposes”. She also holds a Master’s degree in Law from UnB (summa cum laude), having written her thesis on “The definition of the legitimate interest” according to the GDPR and the Brazilian Data Protection Law (LGPD). As a recipient of the SANTANDER grant, she studied at the University of Granada (Spain) in 2016-2017.<br />
<br />
You can connect with Isabela via her LinkedIn profile: https://www.linkedin.com/in/isabelarosal/</div>Isabela.maria.rosal