https://gdprhub.eu/api.php?action=feedcontributions&user=Teresa.lopez&feedformat=atomGDPRhub - User contributions [en]2024-03-28T11:06:20ZUser contributionsMediaWiki 1.39.6https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS-00446-2023&diff=40285AEPD (Spain) - PS-00446-20232024-03-08T09:28:51Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00446-2023 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00446-2023.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS-00446-2023<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00446-2023.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=20.05.2023<br />
|Date_Decided=<br />
|Date_Published=06.03.2024<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa.lopez<br />
|<br />
}}<br />
<br />
The Spanish Data Protection Authority fined a controller €2,000 for requiring an employee to use their personal cell phone for work purposes without establishing an appropriate legal basis for the processing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
An ex-employee of the controller filed a complaint with the Spanish Data Protection Authority, alleging that the company, for which they provided services, compelled them to utilize their personal cell phone for work purposes. This requirement involved installing an application, specifically a company wallet card platform. <br />
<br />
Despite the complaints raised, the controller's response was adamant that they would not provide the employee with a company cell phone. Subsequently, the ex-employee mentioned that even after leaving the company, their phone number remained part of two WhatsApp groups. Consequently, they continued to receive messages from former colleagues, appearing in those groups as a former member, with their phone number and name still visible.<br />
<br />
=== Holding ===<br />
The Spanish Data Protection Authority ruled that the processing activities conducted by the controller violated Article 6(1) GDPR. As a result, the DPA imposed a fine of €2,000 on the controller.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202310230<br />
<br />
<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT<br />
<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On January 8, 2024, the Director of the Spanish Data Protection Agency<br />
agreed to initiate sanctioning proceedings against VUKMAL TRADE,<br />
S.L. (hereinafter, the claimed party), through the Agreement transcribed below:<br />
<br />
<<<br />
<br />
File No.: EXP202310230<br />
<br />
<br />
AGREEMENT TO START SANCTIONING PROCEDURE<br />
<br />
<br />
From the actions carried out by the Spanish Data Protection Agency and<br />
based on the following<br />
<br />
FACTS<br />
<br />
FIRST: Mr. A.A.A., with DNI ***NIF.1 (hereinafter, the claiming party), on<br />
05/28/2023 filed a claim with the Spanish Data Protection Agency.<br />
The claim is directed against VUKMAL TRADE, S.L. with NIF B09966508<br />
(hereinafter, the claimed party). The grounds on which the claim is based are the<br />
following:<br />
<br />
<br />
The claimant states that the company for which he provided his services until<br />
***DATE.1 required him to use his personal mobile phone for work, having<br />
to install an application (Soldo, a company wallet card platform,<br />
which he had to access daily to make transfers and to<br />
account for expenses, requiring access to a phone to receive the<br />
verification code) in order to access a website in Ireland, and that, in addition, the company<br />
shared his personal mobile number with other employees without his consent.<br />
<br />
After notifying the situation, the company's response was that they were not going to give him<br />
a company cell phone. The claimant states that, although he no longer works in the<br />
company, his personal phone was included in two WhatsApp groups (Notices<br />
Expofactory and Central Services, the first for HR issues and the second<br />
for work issues), being contacted by former colleagues and appearing<br />
in these groups as a former member, with his phone number and name. The company<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es<br />
<br />
refuses to delete such groups and continues to force its employees to use their<br />
personal phones for work.<br />
<br />
<br />
The claimant emphasizes that, in the two months that he worked in the company, he<br />
was told by the HR manager (WhatsApp group administrator) and the<br />
CFO of the company that it was nonsense, regarding the<br />
use of a personal cell phone at work, with the financial director telling him that he<br />
would not give the claimant a company cell phone.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5<br />
December, on the Protection of Personal Data and guarantee of digital rights<br />
(hereinafter, LOPDGDD), on 07/21/2023 said claim was transferred to the<br />
claimed party, so that it could proceed with its analysis and inform this Agency, within a period<br />
of one month, of the actions carried out to comply with the requirements provided for<br />
in data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law<br />
39/2015, of October 1, on the Common Administrative Procedure of the<br />
Public Administrations (hereinafter, LPACAP), through electronic notification,<br />
was not collected by the controller within the period during which it was made available,<br />
and was deemed rejected in accordance with the provisions of art. 43.2 of the LPACAP on<br />
08/01/2023, as stated in the certificate in the file.<br />
<br />
Although the notification was validly carried out by electronic means,<br />
the procedure being considered completed in accordance with the provisions of article 41.5 of the<br />
LPACAP, for information purposes, a copy was sent by postal mail, which was notified<br />
reliably on 08/10/2023. In said notification, the claimed party was reminded of its<br />
obligation to interact electronically with the Administration, and was informed<br />
of the means of access to said notifications, reiterating that, from then on, it<br />
would be notified exclusively by electronic means.<br />
<br />
<br />
THIRD: On 08/28/2023, in accordance with article 65 of the LOPDGDD,<br />
the claim presented by the complaining party was admitted for processing.<br />
<br />
<br />
FOURTH: In writing dated 09/13/2023, the defendant has stated that on ***DATE.1<br />
the complainant asked the company to remove him from the WhatsApp group and<br />
from the Soldo application and any others in which it is used; that the next day he was informed that<br />
his data had been deleted as requested; that the<br />
claimed party has carried out a risk analysis on the processing of personal<br />
data, has drawn up a protocol of technical and organizational security<br />
measures implemented to comply with data protection regulations and<br />
has drafted a security policy document to inform workers of<br />
their rights and obligations regarding the processing of personal data;<br />
that to date, WhatsApp groups were created to speed up the day-to-day life of the<br />
company, requesting only verbal consent; and that since 05/03/2023<br />
written consent has been requested from all workers.<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter RGPD) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The<br />
procedures processed by the Spanish Data Protection Agency will be governed<br />
by the provisions of Regulation (EU) 2016/679, by this organic law, by the<br />
regulatory provisions dictated in its development and, insofar as they do not<br />
contradict them, on a subsidiary basis, by the general rules on<br />
administrative procedures."<br />
<br />
II<br />
The reported facts consist of the inclusion in WhatsApp groups<br />
without a legal basis, which could violate the regulations on the protection<br />
of personal data.<br />
<br />
Article 58 of the GDPR, Powers, states:<br />
<br />
"2. Each supervisory authority will have all of the following<br />
corrective powers:<br />
<br />
(…)<br />
d) order the controller or processor to bring the processing operations<br />
into compliance with the provisions of this Regulation, where<br />
appropriate, in a specified manner and within a specified period;<br />
(…)<br />
i) impose an administrative fine in accordance with Article 83, in addition to or<br />
instead of the measures mentioned in this section, according to the<br />
circumstances of each particular case;<br />
(…)”<br />
<br />
<br />
III<br />
Article 5 of the GDPR, Principles relating to processing, states that:<br />
<br />
"1. The personal data will be:<br />
<br />
<br />
a) treated in a lawful, fair and transparent manner in relation to the interested party<br />
("legality, loyalty and transparency");<br />
(…)”<br />
<br />
<br />
Article 6.1 of the RGPD establishes the conditions under which the processing<br />
of personal data is considered lawful:<br />
<br />
<br />
"1. The treatment will only be legal if it meets at least one of the following<br />
conditions:<br />
<br />
a) the interested party gave their consent for the processing of their personal<br />
data for one or more specific purposes;<br />
<br />
b) the processing is necessary for the performance of a contract to which the<br />
interested party is a party or for the application, at his request, of<br />
pre-contractual measures;<br />
c) the processing is necessary for compliance with a legal obligation<br />
applicable to the data controller;<br />
d) the processing is necessary to protect the vital interests of the interested party or<br />
of another natural person;<br />
e) the processing is necessary for the performance of a task carried out in the<br />
public interest or in the exercise of public powers conferred on the data<br />
controller;<br />
f) the processing is necessary for the purposes of the legitimate interests<br />
pursued by the data controller or by a third party, provided that<br />
such interests are not overridden by the interests or fundamental rights and<br />
freedoms of the interested party which require the protection of personal data,<br />
in particular where the interested party is a child.<br />
<br />
The provisions of letter f) of the first paragraph will not apply to the<br />
<br />
processing carried out by public authorities in the exercise of their functions.”<br />
<br />
Likewise, Recital 40 of the aforementioned GDPR provides that "In order for<br />
processing to be lawful, personal data must be processed with the<br />
consent of the interested party or on some other legitimate basis established in accordance<br />
with the law, whether in this Regulation or in other Union law<br />
or Member State law referred to in this Regulation, including the<br />
need to comply with a legal obligation applicable to the data controller or the<br />
need to execute a contract to which the interested party is a party or in order to<br />
take measures at the request of the interested party prior to the conclusion of a<br />
contract."<br />
<br />
<br />
On the other hand, article 4 of the RGPD, Definitions, in sections 1, 2 and 11,<br />
notes that:<br />
<br />
“1) “personal data”: any information about an identified or identifiable natural<br />
person ("the interested party"); an identifiable natural person is any<br />
person whose identity can be determined, directly or indirectly, in particular<br />
by means of an identifier, such as a name, an identification number,<br />
location data, an online identifier or one or more elements of the<br />
physical, physiological, genetic, mental, economic, cultural or social identity of said<br />
person;<br />
<br />
<br />
“2) “treatment”: any operation or set of operations performed<br />
on personal data or sets of personal data, whether by procedures<br />
automated or not, such as the collection, registration, organization, structuring,<br />
conservation, adaptation or modification, extraction, consultation, use,<br />
communication by transmission, dissemination or any other form of making<br />
available, alignment or interconnection, restriction, erasure or destruction;<br />
<br />
<br />
“11) “consent of the interested party”: any manifestation of free will,<br />
specific, informed and unequivocal by which the interested party accepts, either through<br />
a statement or a clear affirmative action, the processing of personal data that<br />
concern him.”<br />
<br />
IV<br />
<br />
The infraction attributed to the defendant is classified in<br />
article 83.5 a) of the GDPR, which considers that the violation of “the basic principles<br />
for processing, including the conditions for consent under<br />
articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned<br />
article 83 of the aforementioned Regulation, “with administrative fines of up to €20,000,000<br />
or, in the case of a company, an amount equivalent to up to 4%<br />
of the total global annual turnover of the previous financial year,<br />
whichever is higher.”<br />
<br />
The LOPDGDD in its article 71, Infractions, states that: “They constitute<br />
infractions the acts and conduct referred to in sections 4, 5 and 6 of the<br />
<br />
article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the<br />
present organic law.”<br />
<br />
And its article 72, for the purposes of prescription, establishes that: “Infringements<br />
considered very serious:<br />
<br />
<br />
1. In accordance with what is established in article 83.5 of Regulation (EU)<br />
2016/679, the infringements that involve a substantial violation of the articles<br />
mentioned therein are considered very serious and will prescribe after three years,<br />
and in particular the following:<br />
<br />
<br />
(…)<br />
b) The processing of personal data without any of the<br />
conditions of legality of the treatment established in article 6 of the<br />
Regulation (EU) 2016/679.<br />
(…)”<br />
<br />
<br />
V<br />
The processing of personal data requires the existence of a legal<br />
basis that legitimizes it.<br />
<br />
<br />
In accordance with article 6.1 of the GDPR, in addition to consent,<br />
there are other possible bases that legitimize the processing of data without the need<br />
for the authorization of its owner: in particular, when it is necessary for the<br />
performance of a contract to which the affected party is a party or for the application, at the latter's<br />
request, of pre-contractual measures, or when it is necessary for the satisfaction of<br />
legitimate interests pursued by the data controller or by a third party,<br />
provided that such interests are not overridden by the interests or<br />
fundamental rights and freedoms of the affected party that require the protection of such data.<br />
Processing is also considered lawful when it is necessary for the fulfillment of<br />
a legal obligation applicable to the data controller, to protect the vital<br />
interests of the affected person or of another natural person, or for the performance of a task<br />
carried out in the public interest or in the exercise of public powers conferred on the<br />
data controller.<br />
<br />
The claimant in his writing of 05/28/2023 stated that the claimed party obliges<br />
its workers to use their personal mobile phone for work (through the<br />
Soldo application) and, furthermore, that, having stopped providing services for it, he<br />
continues to be included in two WhatsApp groups, with the company refusing to delete<br />
them and forcing its employees to use their personal phones for work.<br />
<br />
The defendant in its writing dated 09/13/2023 has stated that “To date,<br />
WhatsApp groups were created to streamline the day-to-day life of the company; it was not a<br />
mandatory requirement, but only verbal consent was requested; since 31<br />
May 2023, written consent is requested from all workers.”<br />
<br />
Therefore, it is considered that the conduct of the defendant violates the principle of<br />
legality enshrined in article 6.1 of the RGPD, typified in article 83.5 a) of the<br />
GDPR.<br />
<br />
<br />
VI<br />
In order to establish the administrative fine to be imposed,<br />
the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which<br />
state:<br />
<br />
<br />
"1. Each supervisory authority will ensure that the imposition of<br />
administrative fines under this article for violations of this<br />
Regulation indicated in sections 4, 5 and 6 is in each individual case<br />
effective, proportionate and dissuasive.<br />
<br />
<br />
2. Administrative fines will be imposed, depending on the circumstances<br />
of each individual case, in addition to or instead of the measures contemplated<br />
in Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an<br />
administrative fine and its amount in each individual case, due account will be taken of:<br />
<br />
a) the nature, severity and duration of the infringement, taking into account the<br />
<br />
nature, scope or purpose of the processing operation in question<br />
as well as the number of interested parties affected and the level of damage and<br />
damages they have suffered;<br />
b) intentionality or negligence in the infringement;<br />
c) any measure taken by the person responsible or in charge of the treatment<br />
<br />
to alleviate the damages and losses suffered by the interested parties;<br />
d) the degree of responsibility of the person responsible or in charge of the<br />
treatment, taking into account the technical or organizational measures that have been<br />
applied under articles 25 and 32;<br />
e) any previous infraction committed by the person responsible or in charge of the<br />
<br />
treatment;<br />
f) the degree of cooperation with the supervisory authority in order to put<br />
remedy the infringement and mitigate the possible adverse effects of the infringement;<br />
g) the categories of personal data affected by the infringement;<br />
h) the way in which the supervisory authority became aware of the infringement, in<br />
particular whether the controller or processor notified the infringement and, if so,<br />
to what extent;<br />
<br />
i) when the measures indicated in Article 58(2) have been<br />
previously ordered against the person responsible or the person in charge in question<br />
in relation to the same matter, compliance with said measures;<br />
j) adherence to codes of conduct under Article 40 or to mechanisms<br />
of certification approved in accordance with Article 42, and<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the<br />
<br />
case, such as financial benefits obtained or losses avoided, direct<br />
or indirectly, through infringement.<br />
<br />
In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its<br />
Article 76, “Sanctions and corrective measures”, establishes that:<br />
<br />
<br />
"2. In accordance with the provisions of article 83.2.k) of the Regulation (EU)<br />
2016/679 may also be taken into account:<br />
<br />
a) The continuous nature of the infringement.<br />
b) The linking of the offender's activity with the performance of treatments<br />
<br />
of personal data.<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
d) The possibility that the conduct of the affected person could have induced the<br />
commission of the infraction.<br />
e) The existence of a merger by absorption process after the commission<br />
<br />
of the infringement, which cannot be attributed to the absorbing entity.<br />
f) The impact on the rights of minors.<br />
g) Having, when it is not mandatory, a data protection<br />
officer.<br />
h) Voluntary submission by the controller or processor<br />
to alternative dispute resolution mechanisms, in those<br />
cases in which there are disputes between them and any<br />
interested party."<br />
<br />
<br />
In accordance with the transcribed precepts, and without prejudice to what results from the<br />
instruction of the procedure, for the purposes of setting the amount of the fine to be<br />
imposed in the present case for the violation of article 6.1 of the RGPD, typified in<br />
article 83.5.a) of the RGPD, for which the defendant is held responsible, in an initial<br />
assessment, it is considered appropriate to establish a penalty of €2,000 (two thousand euros).<br />
<br />
<br />
<br />
VII<br />
If the violation is confirmed, the controller could be ordered to adopt<br />
appropriate measures to adjust its actions to the regulations mentioned<br />
in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD,<br />
according to which each supervisory authority may “order the controller or processor<br />
to bring the processing operations into compliance with the provisions of<br />
this Regulation, where appropriate, in a specified manner and within a<br />
specified period…” The imposition of this measure is compatible with the sanction<br />
consisting of an administrative fine, as provided in art. 83.2 of the GDPR.<br />
<br />
<br />
Therefore, it would be considered appropriate to order the defendant to adapt, within a period of<br />
six months, the processing operations that are the object of this procedure to the applicable<br />
regulations. The text of this agreement sets out the facts that<br />
have given rise to the violation of data protection regulations, from which<br />
the measures to be adopted are clearly inferred, without prejudice to the fact that the<br />
specific procedures, mechanisms or instruments to implement them<br />
correspond to the sanctioned party, since it is the one who fully knows its organization<br />
and must decide, based on proactive responsibility and a risk-based approach, how<br />
to comply with the RGPD and the LOPDGDD. Specifically, it must comply with the<br />
requirements of data protection regulations by legitimizing the processing<br />
carried out both in the use of the app and in the WhatsApp groups in the<br />
company, or such processing must be terminated.<br />
<br />
Please note that failure to comply with the order imposed by this body may be<br />
considered an administrative offense in accordance with the provisions of the RGPD,<br />
classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the<br />
opening of a subsequent administrative sanctioning procedure.<br />
<br />
<br />
<br />
Therefore, in light of the above,<br />
<br />
<br />
By the Director of the Spanish Data Protection Agency,<br />
<br />
AGREES:<br />
<br />
FIRST: START SANCTIONING PROCEDURE against VUKMAL TRADE, S.L., with<br />
NIF B09966508, for the alleged violation of article 6.1 of the RGPD, typified in the<br />
<br />
article 83.5.a) of the RGPD.<br />
<br />
SECOND: APPOINT B.B.B. as Instructor and C.C.C. as Secretary, indicating that<br />
either of them may be challenged, if applicable, in accordance with the provisions of<br />
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the<br />
Public Sector (LRJSP).<br />
<br />
THIRD. INCORPORATE into the sanctioning file, for evidentiary purposes, the<br />
claim filed by the claimant and its documentation, the documents<br />
obtained and generated by the Inspection Services; documents all of which<br />
<br />
make up the file.<br />
<br />
FOURTH. THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1<br />
October, and article 58.2.b) of the RGPD, the sanction that may apply for the<br />
violation of article 6.1 of the RGPD would be €2,000 (two thousand euros), without prejudice to<br />
what results from the instruction.<br />
<br />
<br />
FIFTH. NOTIFY this Agreement to VUKMAL TRADE, S.L., with NIF<br />
B09966508, expressly indicating its right to a hearing in the procedure<br />
and granting it a period of TEN WORKING DAYS to formulate allegations and<br />
propose the evidence it considers appropriate. In its brief of allegations<br />
it must provide its NIF and the procedure number that appears in the heading<br />
of this document.<br />
<br />
If within the stipulated period no allegations are made to this initiation agreement,<br />
it may be considered a proposal for a resolution, as established in<br />
article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP).<br />
<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, in the event<br />
that the sanction to be imposed is a fine, the claimed party may acknowledge its responsibility within<br />
the period granted for the formulation of allegations to this initiation agreement,<br />
which will entail a 20% reduction of the sanction that may be imposed in<br />
the present procedure. With the application of this reduction, the sanction would be<br />
set at 1,600 euros, and the procedure would be resolved with the imposition of this<br />
sanction.<br />
<br />
Likewise, it may, at any time prior to the resolution of<br />
this procedure, make voluntary payment of the proposed sanction,<br />
which will mean a 20% reduction in its amount. With the application of this<br />
reduction, the penalty would be set at 1,600 euros and its payment will imply the<br />
termination of the procedure, without prejudice to the measures that, if applicable,<br />
may be imposed.<br />
<br />
<br />
The reduction for the voluntary payment of the penalty is cumulative with the one<br />
that applies for the acknowledgment of responsibility, provided that this<br />
acknowledgment of responsibility is made within the period<br />
granted to formulate allegations at the opening of the procedure. The voluntary<br />
payment of the amount referred to in the previous paragraph may be made at any<br />
time before the resolution. In this case, if both<br />
reductions apply, the amount of the penalty would be set at 1,200 euros.<br />
<br />
In any case, the effectiveness of either of the two reductions mentioned<br />
will be conditioned on the withdrawal or waiver of any administrative action or appeal<br />
pending against the sanction.<br />
<br />
<br />
In the event that it chooses to proceed with the voluntary payment of any of the<br />
amounts indicated above (1,600 or 1,200 euros), it must make it effective<br />
by depositing it into account number ES00 0000 0000 0000 0000 0000, opened in the<br />
name of the Spanish Data Protection Agency at CAIXABANK,<br />
S.A., indicating in the payment reference the procedure number that appears in<br />
the heading of this document and the reason for the reduction of the amount<br />
applied.<br />
<br />
Likewise, proof of payment must be sent to the General Subdirectorate of<br />
Inspection so that the procedure can continue in accordance with the amount<br />
paid.<br />
<br />
<br />
The procedure will have a maximum duration of twelve months counting from the<br />
date of the initiation agreement or, where applicable, of the draft initiation agreement.<br />
After this period, it will expire and, consequently, the proceedings will be<br />
filed, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
In compliance with articles 14, 41 and 43 of the LPACAP, it is noted that,<br />
from now on, the notifications sent to you will be made exclusively<br />
electronically, through the Unique Enabled Electronic Address<br />
(dehu.redsara.es), and that, if you do not access them, your rejection will be recorded in the<br />
file, the formality being considered completed and the procedure continuing. You are<br />
informed that you may provide this Agency with an email address<br />
to receive notice that notifications have been made available, and that the failure<br />
to send this notice will not prevent the notification from being considered fully<br />
valid.<br />
<br />
<br />
Finally, it is noted that in accordance with the provisions of article 112.1 of the<br />
LPACAP, there is no administrative appeal against this act.<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
<br />
<br />
>><br />
<br />
<br />
SECOND: On January 16, 2024, the claimed party proceeded to pay<br />
the penalty in the amount of 1,200 euros, making use of the two reductions<br />
provided for in the initiation Agreement transcribed above, which implies the<br />
acknowledgment of responsibility.<br />
<br />
<br />
THIRD: The payment made within the period granted to formulate allegations at<br />
the opening of the procedure entails the waiver of any pending administrative<br />
action or appeal against the sanction and the acknowledgment of responsibility in relation to<br />
the facts referred to in the Initiation Agreement.<br />
<br />
FOURTH: In the initiation Agreement transcribed previously it was stated that,<br />
if the infringement is confirmed, it could be agreed to impose on the controller the adoption of<br />
appropriate measures to adjust its actions to the regulations mentioned in this<br />
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to<br />
which each supervisory authority may “order the controller or processor to bring<br />
processing operations into compliance with the provisions of<br />
this Regulation, where appropriate, in a specified manner and within a<br />
specified period…”<br />
<br />
Responsibility for the infringement having been acknowledged, it is appropriate to impose<br />
the measures included in the Initiation Agreement.<br />
<br />
<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
<br />
I<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter RGPD) grants to each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
Termination of the procedure<br />
<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP), under the heading<br />
“Termination in sanctioning procedures”, provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction<br />
and another of a non-pecuniary nature could be imposed but the second is<br />
inadmissible, the voluntary payment by the alleged responsible party, at<br />
any time prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the infringement.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
body competent to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The reduction percentage provided for in this section may be increased<br />
by regulation.”<br />
<br />
In view of the foregoing,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: TO DECLARE the termination of procedure EXP202310230, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
<br />
SECOND: TO ORDER VUKMAL TRADE, S.L. to notify the Agency, within 6 months<br />
of this resolution becoming final and enforceable, of the<br />
adoption of the measures described in the legal foundations of the<br />
Initiation Agreement transcribed in this resolution.<br />
<br />
<br />
THIRD: TO NOTIFY this resolution to VUKMAL TRADE, S.L.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to the administrative procedure as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, interested parties may file a contentious-administrative<br />
appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
aforementioned Law.<br />
<br />
<br />
1259-16012024<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AN_-_SAN_487/2024&diff=40085AN - SAN 487/20242024-02-29T11:58:16Z<p>Teresa.lopez: Created page with "{{COURTdecisionBOX |Jurisdiction=Spain |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=AN |Court_Original_Name=Audiencia Nacional |Court_English_Name=National Audience |Court_With_Country=AN (Spain) |Case_Number_Name=SAN 487/2024 |ECLI=ECLI:ES:AN:2024:487 |Original_Source_Name_1=CENDOJ |Original_Source_Link_1=https://www.poderjudicial.es/search/AN/openDocument/39bddda1a78bb456a0a8778d75e36f0d/20240223 |Original_Source_Language_1=Spanish |Original_Sourc..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=AN<br />
|Court_Original_Name=Audiencia Nacional<br />
|Court_English_Name=National Audience<br />
|Court_With_Country=AN (Spain)<br />
<br />
|Case_Number_Name=SAN 487/2024<br />
|ECLI=ECLI:ES:AN:2024:487<br />
<br />
|Original_Source_Name_1=CENDOJ<br />
|Original_Source_Link_1=https://www.poderjudicial.es/search/AN/openDocument/39bddda1a78bb456a0a8778d75e36f0d/20240223<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=05.02.2024<br />
|Date_Published=<br />
|Year=2024<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=19.7 III Convenio colectivo de ámbito estatal del sector de contact center<br />
|National_Law_Link_1=https://www.boe.es/diario_boe/txt.php?id=BOE-A-2023-13741<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=<br />
|Party_Link_1=<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Not appealed<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa.lopez<br />
|<br />
}}<br />
<br />
A Spanish court held that despite individual contracts between employees and employers, mandating the use of personal phones for 2-factor authentication purposes infringed upon more protective data protection measures established by collective bargaining, rendering it unlawful.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 29 November 2023, the Spanish trade union CCOO initiated legal action against the controller concerning a collective labor dispute.<br />
<br />
In response to the pandemic, some employees of the controller transitioned to telecommuting arrangements. The controller proposed a telecommuting agreement, which the Workers' Legal Representation did not accept, ending the negotiation process without consensus. The controller then entered into individual agreements with the employees regulating, among other topics, the use of personal devices of employees for 2-factor authentication purposes (2FA).<br />
<br />
The Workers' Legal Representation brought proceedings before the court seeking the annulment of, among others, the clause that required employees to provide their cell phone numbers for receiving SMS messages and/or accessing applications to confirm their identity during established working hours.<br />
<br />
=== Holding ===<br />
The court held that the clause was void since, under Article 19.7 of the sectoral collective agreement, the use of workers' personal tools, applications or devices is prohibited, even for two-factor authentication systems.<br />
<br />
If a two-factor authentication system is deemed necessary, the controller should furnish the requisite tools and means, rather than relying on workers' personal devices. In exceptional cases and exclusively for this purpose, if the employee refuses the tool provided by the company, they may consent to use devices or tools of their own.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. Neither the use of the database for commercial purposes nor the massive downloading of information is permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AN_-_136/2019&diff=40058AN - 136/20192024-02-28T13:46:02Z<p>Teresa.lopez: Created page with "{{COURTdecisionBOX |Jurisdiction=Spain |Court-BG-Color= |Courtlogo=Courts_logo1.png |Court_Abbrevation=AN |Court_Original_Name=Audiencia Nacional |Court_English_Name=National Audience |Court_With_Country=AN (Spain) |Case_Number_Name=136/2019 |ECLI=ECLI:ES:AN:2019:136 |Original_Source_Name_1=CENDOJ |Original_Source_Link_1=https://www.poderjudicial.es/search/AN/openDocument/8ed60e51766c4e3e/20190219 |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=E..."</p>
<hr />
<div>{{COURTdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|Court-BG-Color=<br />
|Courtlogo=Courts_logo1.png<br />
|Court_Abbrevation=AN<br />
|Court_Original_Name=Audiencia Nacional<br />
|Court_English_Name=National Audience<br />
|Court_With_Country=AN (Spain)<br />
<br />
|Case_Number_Name=136/2019<br />
|ECLI=ECLI:ES:AN:2019:136<br />
<br />
|Original_Source_Name_1=CENDOJ<br />
|Original_Source_Link_1=https://www.poderjudicial.es/search/AN/openDocument/8ed60e51766c4e3e/20190219<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Date_Decided=06.02.2019<br />
|Date_Published=<br />
|Year=2019<br />
<br />
|GDPR_Article_1=<br />
|GDPR_Article_Link_1=<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=20.3 Estatuto de los Trabajadores<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2015-11430<br />
|National_Law_Name_2=5 LOPD<br />
|National_Law_Link_2=https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=TELEPIZZA, S.A.U.<br />
|Party_Link_1=https://www.telepizza.es<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_From_Body=<br />
|Appeal_From_Case_Number_Name=<br />
|Appeal_From_Status=<br />
|Appeal_From_Link=<br />
|Appeal_To_Body=Tribunal Supremo<br />
|Appeal_To_Case_Number_Name=STS 518/2021<br />
|Appeal_To_Status=Appealed - Confirmed<br />
|Appeal_To_Link=https://www.poderjudicial.es/search/AN/openCDocument/e5e0cf323aea82ebeb9f320e282b0b426fc1fe0a6a91fc8d<br />
<br />
|Initial_Contributor=Teresa.lopez<br />
|<br />
}}<br />
<br />
The Spanish Audiencia Nacional invalidated contractual clauses obliging employees of a pizza delivery chain to supply their personal phones for geolocation purposes, in order to update customers about their delivery status.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On November 26, 2018, a lawsuit was filed by UGT (Spanish trade union) regarding a collective labor conflict. Another lawsuit was filed on December 12, 2018, by CCOO (Spanish trade union) concerning the same collective labor conflict.<br />
<br />
TELEPIZZA S.A.U., a pizza delivery chain, wanted to implement the "Proyecto Tracker" (Tracker Project), which required delivery drivers to provide their personal cell phones with internet connection for geolocation purposes during their working hours. Telepizza's purpose was to ensure that customers ordering their pizzas were aware of the status of their order at all times. The company argued that its main competitor, as well as other digital food delivery platforms, offered geolocation systems for orders, which made its implementation necessary to maintain a similar offer.<br />
<br />
The Collective Agreement for cooked product manufacturers for home delivery did not regulate the requirement for workers to provide mobile phones. Telepizza initiated an amendment of working contracts to be signed by new employees to include the mandatory provision of personal devices and the installation of a company-developed app for this purpose. Employees would be responsible for activating the app at the beginning of their shift so geolocation would start, as well as for its deactivation at the end of the shift. The trade unions also complained about the app accessing the phone's gallery. In compensation, the employer was to pay a monthly amount that it determined unilaterally.<br />
<br />
The repeated refusal or supervening impossibility of providing the personal phone by the employee was foreseen to be sufficient cause for the termination of the employment contract. The company explained that the acceptance of this system would be voluntary in the case of delivery drivers already contracted.<br />
<br />
=== Holding ===<br />
The Court declared the nullity of the "Tracker Project" as well as the nullity of the clauses introduced in the contracts that required the contribution of the cell phone with internet connection of the worker for the benefit of the company.<br />
<br />
The Court considered that the information provided to the workers' representatives was insufficient to have an informed opinion since it omitted essential data. The Court held that it is necessary to explain the specific operation of the application, including how it is installed on the cell phone, what data of the terminal it must access, what specific data the worker must provide to access the application, what data, if any, the application must store and how they will be processed. Said information, along with the possibility to exercise the rights of access, rectification, limitation of processing, and erasure, must be provided to workers and their representatives prior to the installation of geolocation systems.<br />
<br />
The Court also noted that even if there is judicial doctrine admitting that employers may impose geolocation systems on workers, the implementation of such a measure must pass the proportionality test. Any limitations or modulations must be those indispensable and strictly necessary to satisfy a business interest worthy of protection. If there are other ways of satisfying this interest that are less intrusive on the right in question, those alternatives must be used.<br />
<br />
The Court held that Telepizza's intended processing did not pass the necessary proportionality test. The same purpose could have been achieved with measures that involve less interference in the fundamental rights of employees, such as the implementation of geolocation systems in the motorcycles in which orders are transported or bracelets with such devices that do not imply the need for the employee to provide their own means and personal data.<br />
<br />
Moreover, the Court asserted that the mandate for employees to provide a cell phone with a data connection for work purposes is a clear abuse of law. This requirement not only disregards the essential detachment of resources typically associated with the employment contract but also shifts the responsibility of providing necessary tools for work from the employer to the employee. Consequently, any hindrance in activating the geolocation system results in, at the very least, the suspension of the employment contract and subsequent loss of wages. Furthermore, the compensation offered for this provision is deemed entirely inadequate. The valuation of a basic mobile device, priced at 110 euros and expected to last three years, along with the internet data contract, which is reimbursed solely based on work-related usage, fails to account for whether the employee desires such services for personal use.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
The resolutions that make up this database are disseminated for the purposes of knowledge and consultation of the decision criteria of the Courts, in compliance with the competence granted to the General Council of the Judiciary by art. 560.1.10º of the Organic Law of the Judiciary. The user of the database may consult the documents as long as they do so for their own personal use. Neither the use of the database for commercial purposes nor the massive downloading of information is permitted. The reuse of this information for the creation of databases or for commercial purposes must follow the procedure and conditions established by the CGPJ through its Judicial Documentation Center. Any action that contravenes the above indications may give rise to the adoption of appropriate legal measures.<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00331/2022&diff=39933AEPD (Spain) - PS/00331/20222024-02-22T21:15:47Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00331/2022 |ECLI= |Original_Source_Name_1=AEPD |Original_Source_Link_1=https://www.aepd.es/documento/ps-00331-2022.pdf |Original_Source_Language_1=Spanish |Original_Source_Language__Code_1=ES |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2= |Original_Source_Language__Cod..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS/00331/2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00331-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=05.08.2021<br />
|Date_Decided=<br />
|Date_Published=28.07.2023<br />
|Year=<br />
|Fine=2,500,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 25 GDPR<br />
|GDPR_Article_Link_1=Article 25 GDPR<br />
|GDPR_Article_2=Article 32 GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=32 bis 4 Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo<br />
|National_Law_Link_1=https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737<br />
|National_Law_Name_2=32.4 Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo<br />
|National_Law_Link_2=https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
<br />
|Party_Name_1=OPEN BANK, S.A.<br />
|Party_Link_1=https://www.openbank.es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
AEPD fined OPEN BANK, S.A. €2,500,000 for failing to implement adequate technical and organizational measures in its request for anti-money laundering verification information.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 5 August 2021, the data subject filed a complaint with the Bavarian Data Protection Authority against OPEN BANK, S.A. The data subject complained that OPENBANK had requested proof of the origin of several amounts received in their bank account, in compliance with anti-money laundering regulations. The claimant was not provided with a mechanism to provide this information securely, the only option being unencrypted e-mail. Despite expressing concerns about the data protection risks, they were not offered an alternative way to provide such information.<br />
<br />
=== Holding ===<br />
The Spanish Supervisory Authority (AEPD) was competent to act as the lead supervisory authority, as OPENBANK has its registered office and main establishment in Spain.<br />
<br />
AEPD found that OPENBANK violated [[Article 25 GDPR|Article 25 GDPR]] by failing to include the processing of personal data for anti-money laundering verifications in its data protection impact assessment at the time of the incident. This omission led to a lack of appropriate technical and organizational measures to uphold data protection principles and comply with GDPR requirements, thus failing to protect data subject rights. Despite having a policy in place allowing information to be sent via postal mail or in person at bank offices, the communication effectively sent to clients did not specify these options. The AEPD emphasized that having protocols or templates alone is insufficient for compliance with data protection by design and default principles.<br />
<br />
Furthermore, the AEPD noted OPENBANK's failure to implement corrective measures after the data subject's expressed concerns. OPENBANK did not implement remedial actions until over a year later.<br />
<br />
Moreover, the AEPD stated that simply carrying out the obligatory Data Protection Impact Assessment as mandated by Article 32.4 Spanish or 32 bis.4 of Law 10/2010, of 28 April, on the prevention of money laundering and terrorism financing (LPBCFT), is insufficient to fulfil the requirements of privacy by design outlined in Article 25 of the GDPR. This is because [[Article 25 GDPR|Article 25 GDPR]] obligations go beyond merely adhering to the data protection regulations specified in the LPBCFT, emphasizing that data protection by design entails more than just performing an impact assessment.<br />
<br />
Additionally, the AEPD held that OPENBANK infringed [[Article 32 GDPR|Article 32 GDPR]], since it did not offer a secure means to provide the documentation, and the documentation was sent without appropriate security measures. The AEPD stated that standard e-mail cannot be considered an appropriate means to guarantee a level of security adequate to the risk when sending documentation containing personal data of the kind provided for under Chapter II of the LPBCFT, which requires special protection.<br />
<br />
As a result of these infringements, the AEPD imposed a total fine of €2,500,000 on OPENBANK: €1,500,000 for violating Article 25 and €1,000,000 for violating Article 32 of the GDPR.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/77<br />
<br />
File No.: EXP202101565<br />
<br />
IMI Reference: A56ID 318964 - A60DD 432357 - Case Register 321773<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
From the procedure instructed by the Spanish Data Protection Agency and based<br />
on the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: A.A.A. (hereinafter, the complaining party) filed a claim, dated<br />
August 5, 2021, before the Bavarian data protection authority (Bavarian<br />
State Office for Data Protection Supervision). The claim is directed against OPEN<br />
BANK, S.A. with NIF A-28021079 (hereinafter, OPENBANK). The reasons on which<br />
the claim is based are as follows:<br />
<br />
The OPENBANK banking entity has asked the complaining party to prove the origin<br />
of various amounts received in their bank account, in compliance with anti-money<br />
laundering regulations. However, no mechanism has been offered<br />
to provide this information encrypted or by direct upload to the web portal. The<br />
only valid option has been sending by e-mail.<br />
<br />
<br />
Along with the notification, the following is provided:<br />
<br />
- Copy of an email sent from the address ***EMAIL.1 to ***EMAIL.2 (hereinafter,<br />
the email of the complaining party) dated July 7, 2021. In this email, the complaining<br />
party is required to provide the necessary documentation to prove<br />
the origin of the funds from three deposits made by the complaining party, in<br />
compliance with the legislation on the prevention of money laundering and<br />
terrorist financing; and it is indicated that, in the event of not receiving this<br />
documentation within a period of 15 days, OPENBANK must block the execution of<br />
new payments into their account in accordance with current regulations.<br />
<br />
- Copy of an email sent from the email of the complaining party to ***EMAIL.1,<br />
dated July 10, 2021. In this email the complaining party indicates that they provide under<br />
protest the documentation corresponding to the year 2019 through an<br />
unencrypted email because, as indicated in a telephone conversation, there is<br />
no possibility of sending this documentation electronically in another<br />
manner.<br />
<br />
- Automatic reply to the previous email, dated July 10, 2021, sent by<br />
***EMAIL.3 to the complaining party, indicating that their email has been received<br />
and that they will reply soon.<br />
<br />
<br />
SECOND: Through the “Internal Market Information System” (hereinafter<br />
IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the<br />
Council, of October 25, 2012 (IMI Regulation), whose objective is to promote<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/77<br />
<br />
cross-border administrative cooperation, mutual assistance between Member<br />
States and the exchange of information, the aforementioned claim was transmitted on<br />
August 24, 2021 and was given an entry registration date at the Spanish Data<br />
Protection Agency (AEPD) on August 30, 2021. The transfer of this<br />
claim to the AEPD is made in accordance with the provisions of article 56<br />
of Regulation (EU) 2016/679, of the European Parliament and of the Council, of<br />
04/27/2016, regarding the Protection of Natural Persons with regard to the<br />
Processing of Personal Data and the Free Circulation of these Data (hereinafter,<br />
RGPD), taking into account its cross-border nature and that this Agency<br />
is competent to act as the lead supervisory authority, given that OPENBANK<br />
has its headquarters and main establishment in Spain.<br />
<br />
The data processing carried out affects interested parties in several<br />
Member States. According to the information incorporated into the IMI System,<br />
in accordance with the provisions of article 60 of the RGPD, the following act as<br />
“supervisory authority concerned”, in addition to the German data protection<br />
authority of Bavaria: the authorities of the Netherlands and Portugal and the German<br />
authorities of North Rhine-Westphalia, Hesse, Berlin and Baden-Württemberg. All<br />
of them under article 4.22.b) of the RGPD, given that interested parties residing in<br />
the territory of these supervisory authorities are substantially affected or are<br />
likely to be substantially affected by the processing subject to this<br />
procedure.<br />
<br />
THIRD: On September 9, 2021, in accordance with the then current article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the claim presented by the complaining party was admitted for processing.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts at issue, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with Title VII, Chapter I, Second Section, of the LOPDGDD, and established the following:<br />
<br />
In response to a request for information made by this Agency, on May 19, 2022 OPENBANK provided, among other things, the following information:<br />
<br />
1. Indication that OPENBANK has delegated the service of requesting information from clients to the entity Santander Global Operations, S.A. (hereinafter, SGO), which belongs to the Santander group and which acts in this case as processor.<br />
<br />
2. Indication that they have defined an internal procedure called “Protocol of communications to clients due to AML/FT alerts: Opening and management of GAPS” to establish how SGO is to act when it is necessary to request information or documentation supporting an unusual deposit. This procedure applies in all countries in which OPENBANK provides services under the regime of free provision of services, which include Spain and Germany. As indicated in the submission, this procedure consists of the following: “the Openbank call center (hereinafter, “call center”) will contact the client to request said information at the mobile telephone number registered in the Openbank database. Additionally, an email is sent to the address registered in our database from the ***EMAIL.4 mailbox for Spanish clients or from ***EMAIL.1 for German clients. In those cases in which the client requests information about other channels through which the required documentation can be sent, the client is informed that the following are available: (i) by postal mail and (ii) in person at either of the two branches that Openbank has in Madrid.” And it states that the communication model is provided for both contact channels, and would be the following:<br />
<br />
Dear Customer:<br />
<br />
The reason for our communication is to inform you that Openbank is obliged, in compliance with current legislation, to know the economic activity and the origin of its clients' funds.<br />
A. For a specific operation: In this communication we request from you documentation that proves the origin of the funds that on […] were deposited in Openbank for a total amount of [...] €. You can send us any document that justifies the origin of the aforementioned funds.<br />
B. For regular operations: In this communication we request from you documentation that proves the origin of the funds that have been regularly deposited from [...] to date for a total amount of [...] €. You can send us any document that justifies the origin of the aforementioned funds.<br />
You can send this documentation to the following email address: [***EMAIL.5 for Spanish customers or ***EMAIL.1 for German customers], indicating your full name in the email.<br />
We inform you that Openbank, acting as controller of the processing of your personal data, will process them for compliance with the legal obligations to which Openbank is subject, adopting sufficient technical and organizational measures to guarantee the security of the information. More information about your rights and data protection at [***URL.1 for Spanish clients or ***URL.2 for German clients].<br />
Remaining at your disposal for any clarification you may need, best regards.<br />
<br />
3. Regarding the measures taken to guarantee the confidentiality of the documentation sent by the client to justify an unusual deposit, the following is indicated, among other measures:<br />
<br />
Finally, taking into account the security that we offer on our web pages and mobile applications, and that Openbank is a 100% digital bank, we inform you that there are different processes in the entity, such as contracting a mortgage loan, personal loan or checking account, that allow clients to send us documentation through the client's private area, where they are identified with their identity document and access code. In this regard, we would like to point out that this functionality is implemented and in operation in order to comply with the AML/CFT obligation to apply measures to ensure Openbank's knowledge of its clients and to ensure that the documents, data and information available are up to date. We attach them as an example as Annex V: KYC and customer documentation update flow.<br />
<br />
Screen prints of the know-your-customer form are also provided, in which it can be seen that, upon completing the form, the option is offered to update the “Economic activity document” and “Address verification” documents by uploading them at that time.<br />
<br />
4. As “Annex IV: Contractual support for the service provided by SGO”, a copy is provided of a document called “ANNEX 12 MONEY LAUNDERING PREVENTION SERVICE”, which indicates that it is annexed to the framework contract for the leasing of services between OPENBANK (as client) and SGO (as supplier) signed on January 1, 2020 for one year, extendable for annual periods. This annex is dated October 16, 2020 and its purpose is “the provision by the Supplier to the Client of a Back Office service for the activities related to the prevention of money laundering and the financing of terrorism”, with the following relevant content:<br />
<br />
- In the first clause:<br />
<br />
(…).<br />
<br />
- In the fifth clause, regarding the protection of personal data, it indicates that (…).<br />
<br />
Furthermore, this fifth clause indicates that (…).<br />
And, in clause five.d) the following is indicated:<br />
<br />
(…).<br />
<br />
- The sixth clause, on cybersecurity requirements, includes the following section on data transfers:<br />
<br />
(…).<br />
<br />
- In the eleventh clause, on subcontracting, the following is indicated regarding activities that cannot be subcontracted:<br />
<br />
(…).<br />
<br />
<br />
<br />
CONCLUSIONS OF THE PRELIMINARY INVESTIGATIVE ACTIONS<br />
<br />
1. Communications with clients for money laundering and terrorist financing prevention alerts are subcontracted to CGO both in Spain and in Germany. They report that there is a protocol for carrying out these communications, indicating that, in these cases, the client is contacted using the telephone number previously registered and, additionally, an email is sent to the email address previously registered.<br />
<br />
2. In accordance with this protocol, in the communication sent by email to request information from the client regarding money laundering alerts, the channels offered to the client to send documentation would be the following: email, postal mail or in person at the OPENBANK offices in Madrid.<br />
<br />
3. OPENBANK has a way of uploading documents securely (through its website) for some procedures (for example, to update the documents “Economic activity document” and “Domicile verification” in the know-your-customer form). This way of uploading documents is not offered to the client within the protocol for money laundering alerts, in accordance with what is indicated in the claim.<br />
<br />
FIFTH: On August 26, 2022, the Director of the AEPD adopted a draft decision to initiate sanctioning proceedings. Following the process established in article 60 of the GDPR, on August 30, 2022 this draft decision was transmitted through the IMI system and the supervisory authorities concerned were informed that they had four weeks from that moment to formulate relevant and reasoned objections. Within the period provided for this purpose, the supervisory authorities concerned did not present relevant and reasoned objections, so it was considered that all the authorities were in agreement with said draft decision and were bound by it, in accordance with section 6 of article 60 of the GDPR.<br />
<br />
This draft decision was notified to OPENBANK in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP) on August 29, 2022, as stated in the acknowledgment of receipt in the file.<br />
<br />
SIXTH: On October 3, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against OPENBANK, in accordance with articles 63 and 64 of the LPACAP, for the alleged infringement of Article 25 of the RGPD, classified in Article 83.4 of the RGPD, as well as for the alleged infringement of article 32 of the RGPD, classified in article 83.4 of the RGPD. In said Initiation Agreement, OPENBANK was informed that it had a period of ten days to present allegations.<br />
<br />
This Initiation Agreement, which was notified to OPENBANK in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on October 3, 2022, as stated in the acknowledgment of receipt in the file.<br />
<br />
SEVENTH: On October 6, 2022, OPENBANK submitted a document in which it requested an extension of the deadline to present allegations and that it be provided with a copy of the file.<br />
<br />
<br />
EIGHTH: On October 14, 2022, the investigating body of the procedure agreed to the requested extension of the deadline up to a maximum of five days, in accordance with article 32.1 of the LPACAP, and that a copy of the file be sent to OPENBANK.<br />
<br />
The aforementioned agreement was notified to OPENBANK on October 14, 2022, as stated in the acknowledgment of receipt in the file.<br />
<br />
<br />
NINTH: On October 26, 2022, this Agency received, in due time and form, a letter from OPENBANK in which it presented allegations to the Initiation Agreement, accompanied by the following documentation:<br />
<br />
1.- Document “Communications protocol to clients for AML/FT alerts: OPENING AND MANAGEMENT OF GAPS (March 2021 version)”.<br />
2.- Document “Communications protocol to clients for transactional surveillance alerts for the prevention of money laundering and terrorist financing (PBC/FT) (October 2022 version)”.<br />
3.- Document “Certificate on sections 3.10 and 3.11 of OPENBANK's internal Manual on AML/CFT matters”.<br />
4.- Document “Impact Assessment - Monitoring of clients and sensitive operations (August 2021 version)”.<br />
5.- Document “Impact Assessment - Monitoring of clients and sensitive operations (October 2022 version)”.<br />
6.- Document “Approval report referring to Santander Global Operations, S.A.”<br />
7.- Document “Internal security certificate issued by Santander Global Technology and Operations, S.L.”<br />
8.- Document “EVALUATION (…)”.<br />
9.- Document “VENDOR RISK ASSESSMENT - DP REPORT”.<br />
10.- Uploading documentation to the client's private area.<br />
11.- Images of “Section: Frequently Asked Questions on the Openbank website”.<br />
12.- Document “Certificate of availability for uploading documents, issued on October 21, 2022”.<br />
13.- Document “Certificate of the number of operational analyses and customers affected”.<br />
<br />
<br />
TENTH: On December 1, 2022, the investigating body of the procedure agreed to open a period for the taking of evidence, considering as incorporated the claim filed by the complaining party and its documentation, the documents obtained and generated during the phase of admission of the claim for processing, and the report of preliminary investigative actions that form part of procedure E/09448/2021, and considering as reproduced for evidentiary purposes the allegations to the agreement initiating the referenced sanctioning procedure presented by OPENBANK, together with the documentation that accompanied them.<br />
<br />
That same day, this Agency requested OPENBANK to provide, within a period of ten working days, the following information:<br />
<br />
<br />
<br />
Provide documentary evidence regarding data protection by design and by default, for which OPEN BANK, S.A. is required to provide the data protection impact assessment in force on 07/07/2021, the date on which OPEN BANK, S.A. requested the sending of documentation from the complaining party, since the documentation attached to the allegations of OPEN BANK, S.A. provides later versions, specifically the modified versions of August 2021 and October 2022.<br />
<br />
The opening of the evidence period was notified to OPENBANK in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP) on December 1, 2022, as stated in the acknowledgment of receipt in the file.<br />
<br />
On December 19 and 28, 2022, OPENBANK presented its response to the aforementioned request.<br />
<br />
<br />
ELEVENTH: On April 11, 2023, the instructor of the procedure issued a diligence by which the document “2021 Annual Report” of the Santander Group was incorporated into the file, which includes the corporate structure of the Santander Group and its business volume. This report states that the total global annual turnover of Banco Santander, S.A. and its subsidiaries (Santander Group) in the financial year prior to the commission of the infringement, fiscal year 2020, was 44,279 million euros (see pages 555 and 843 of the aforementioned “2021 Annual Report”).<br />
<br />
TWELFTH: On May 23, 2023, the instructing body of the procedure issued a proposed resolution in which it was proposed, in accordance with articles 63 and 64 of the LPACAP, to impose on OPENBANK a fine of 1,500,000 euros for violating article 25 of the GDPR, and a fine of 1,000,000 euros for violating article 32 of the RGPD, both classified in article 83.4 of the GDPR. Likewise, OPENBANK was informed that it had a period of ten days to present allegations.<br />
<br />
This proposed resolution, which was notified to OPENBANK in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (LPACAP), was collected on June 1, 2023, as stated in the acknowledgment of receipt in the file.<br />
<br />
THIRTEENTH: On June 1, 2023, OPENBANK presented a letter in which it requested the extension of the deadline to present allegations and that it be provided with a copy of the file.<br />
<br />
FOURTEENTH: On June 2, 2023, the instructing body of the procedure agreed to send OPENBANK the copy of the file, which was received by courier on June 8, 2023, as stated in the acknowledgment of receipt in the file.<br />
<br />
FIFTEENTH: On June 5, 2023, the instructing body of the procedure denied the requested extension of the deadline to present allegations.<br />
<br />
The aforementioned agreement was notified to OPENBANK that same day, as stated in the acknowledgment of receipt in the file.<br />
<br />
SIXTEENTH: On June 14, 2023, this Agency received, in due time and form, a letter from OPENBANK in which it presented allegations to the proposed resolution. In these allegations, in summary, it stated that:<br />
<br />
- The content of the proposed resolution is the same as that of the agreement initiating this sanctioning procedure, so it reproduces the allegations already presented.<br />
- Money laundering prevention regulations do not apply.<br />
- There are no financial data.<br />
- The so-called “high level measures” are not required.<br />
- The non bis in idem principle is being violated, or alternatively there would be a medial concurrence of infringements.<br />
- OPENBANK complies with the principle of data protection by design.<br />
- OPENBANK has not violated article 32 of the GDPR.<br />
- The principle of proportionality is being violated.<br />
<br />
From the actions carried out in this procedure and the documentation recorded in the file, the following have been accredited:<br />
<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: In the unsigned document that accompanies the allegations to the agreement initiating this procedure, called “PROTOCOL OF COMMUNICATIONS TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND GAPS MANAGEMENT”, it is indicated that the first approved version is from 04/03/2018 and that on 03/10/2021 the “Review, update and modification of some deadlines (reduction thereof)” was carried out. In point 4 of the aforementioned document, it details:<br />
<br />
"4. FOLLOW-UP OF THE GAP REQUEST AND BLOCKING OF ACCOUNTS<br />
The following process and deadlines are established in order to track the request for information regarding AML/FT alerts and to establish the alerts in the account, where applicable:<br />
D: SGO opens a GAP requesting the Contact Center to contact the Client requesting information/documentation. In case the request is urgent or the size of the request does not fit in the GAP, SGO will also send it by email to the Contact Center, recording this point in the GAP.<br />
<br />
D+1: Contact Center contacts the client and requests the information/documentation following the First Communication model of Annex I. In the first instance, contact will be by telephone and an email will also be sent to the client (see First Communication of Annex I) detailing the required documentation. If there is no valid email address, the request will be sent by postal mail.<br />
The Contact Center will record in the GAP both the sending of this communication and any contact with the customer, or the inability to make such contact, and will reassign the GAP to SGO.<br />
SGO reviews the GAP and records in the GAP comment the date of the next review (D+15).<br />
D+15: If the required documentation has not been received by said date, SGO will indicate to the Contact Center that it must reiterate the request for information to the client by means of a comment and reassignment of the GAP.<br />
D+16: Contact Center contacts the customer again, following the same process used in D+1 but in this case using the Second Communication of Annex I, in which the client is warned of the possibility of blocking.” (…)<br />
<br />
In Annex I of the aforementioned document, it is indicated:<br />
<br />
“(…)”<br />
<br />
<br />
SECOND: On July 7, 2021, an email was sent from the address ***EMAIL.1 to ***EMAIL.2. The content of the email is as follows (unofficial translation of the German original):<br />
<br />
“Dear Mr. A.A.A.<br />
The reason for our communication is to inform you that Openbank is obliged, in accordance with current legislation, to know the economic activity and the origin of its clients' funds. In this communication, we request the documents that prove the origin of the funds.<br />
Amounts deposited in Openbank (account ending in XXXX).<br />
- to (…)<br />
- he (…)<br />
- he (…)<br />
Please send us documents proving the origin of these funds.<br />
You can send us any document that justifies the origin of said funds (for example, income tax return, payroll, employment contract, or sales contract if it is a real estate transaction).<br />
We guarantee the absolute confidentiality of the documentation you send us.<br />
If the requested documentation is not received within 15 days from the date of this notice, Openbank may, in compliance with the applicable regulations, prevent new deposits from being made to your accounts.<br />
If you have any questions about this, please do not hesitate to contact us every day from 08:00 to 22:00 at ***PHONE.1.<br />
Sincerely<br />
Your Openbank team”<br />
<br />
THIRD: On July 10, 2021, an email was sent from the complaining party's email address to ***EMAIL.1. The content of the email is as follows (unofficial translation of the German original):<br />
<br />
“Dear Sir or Madam,<br />
I have had a demand deposit account at Openbank S.A./Madrid since last year.<br />
Now I have been asked to provide evidence of demand deposits of more than XXXXX euros, but also of more than XXXX euros. I can understand this as part of the fight against "money laundering". However, the bank does not offer the possibility of uploading data securely, for example through the customer portal. Instead, I am forced to transmit my personal data through a simple unencrypted email. Despite asking, they only offered me this option, which I was forced to use.<br />
I ask you to check the process from the point of view of data protection and, where appropriate, take the appropriate measures.<br />
If you are not the competent authority, please forward the matter and send me a filing notice.<br />
<br />
Yours sincerely<br />
“A.A.A.”<br />
<br />
FOURTH: On July 13, 2021, the complaining party received an automatic reply sent by ***EMAIL.3. The content of the email is as follows (unofficial translation from the German original):<br />
<br />
“Thank you for your request. We confirm that it has been duly received and we will send our response shortly.<br />
We remind you that our email hours are Monday to Sunday from 08:00 to 22:00.<br />
<br />
This is an automated response. If you have any questions, please contact ***EMAIL.4.<br />
<br />
Kind regards,<br />
“OPENBANK”<br />
<br />
FIFTH: Document 4 provided by OPENBANK along with the allegations to the agreement initiating this sanctioning procedure is entitled “Impact Assessment - Monitoring of clients and sensitive operations”, is not signed and indicates that it is from August 2021. On page 41 it includes the following:<br />
<br />
<br />
SIXTH: On May 19, 2022, in response to the information request made by this Agency, OPENBANK stated:<br />
<br />
<br />
<br />
1.- That the service of requesting information from clients was delegated to the entity Santander Global Operations, S.A. (SGO), which belongs to the Santander group and acts in this case as processor, according to the contract dated October 16, 2020.<br />
<br />
In the document “Annex IV: Contractual support for the service provided by SGO” of the response to the information request of this Agency, in point 6.1 of the sixth clause of “ANNEX 12 MONEY LAUNDERING PREVENTION SERVICE TO THE FRAMEWORK AGREEMENT FOR THE LEASING OF SERVICES AND/OR EXECUTION AND/OR DEVELOPMENT OF PROJECTS SIGNED BETWEEN SANTANDER GLOBAL OPERATIONS S.A. AND OPEN BANK, S.A. SIGNED BETWEEN OPENBANK, S.A. AND SANTANDER GLOBAL OPERATIONS, S.A. ON JANUARY 1, 2020”, the following can be seen:<br />
<br />
<br />
2.- That it had defined an internal procedure called “Protocol of communications to clients due to AML/FT alerts: Opening and management of GAPS”, whose purpose was to establish the updated protocol for the management of requests for information to clients by Santander Global Technology and Operations (hereinafter, “SGTO”), an entity belonging to the Santander Group to which Openbank delegates this service as processor.<br />
<br />
3.- That this procedure for managing requests for information from clients is applied in all countries in which OPENBANK provides services under the regime of free provision of services, including Spain and Germany.<br />
<br />
4.- That this procedure consisted of the following: “the Openbank call center (hereinafter, “call center”) will contact the client to request said information at the mobile phone number registered in the Openbank database. Additionally, an email is sent to the address registered in our database from the ***EMAIL.4 mailbox for Spanish clients or from ***EMAIL.1 for German clients. In those cases in which the client requests information about other channels through which the requested documentation can be submitted, the client is informed that the following are available: (i) by postal mail and (ii) in person at either of the two branches that Openbank has in Madrid.”<br />
<br />
5.- That the communication model for both contact channels was the following:<br />
<br />
(…).<br />
<br />
1. Customers may send by email, attaching the encrypted documentation, and the password via phone call<br />
<br />
<br />
SEVENTH: Document 5 provided by OPENBANK together with the allegations to the agreement initiating this sanctioning procedure is titled “Impact Assessment - Monitoring of clients and sensitive operations”, is not signed and indicates that it is from October 2022.<br />
<br />
On page 4, in point “1. EXECUTIVE SUMMARY”, in the section “Name and description of the processing”, it describes the data processing applicable to this case as follows: “Monitoring of clients and operations in compliance with the AML/CFT regulations, specifically what is established in article 17, which requires financial entities to examine with special attention any event or operation, regardless of its amount, which, by its nature, may be related to money laundering or the financing of terrorism, in particular any operation or pattern of behavior that is complex, unusual, or without an apparent economic or legal purpose, or that presents signs of simulation or fraud.”<br />
<br />
<br />
On page 15 of the aforementioned document, the risk is classified as follows:<br />
<br />
<br />
And on page 43 of the aforementioned document the following is included:<br />
<br />
<br />
EIGHTH: In the document, unsigned, that accompanies the allegations to the agreement of<br />
initiation of this procedure, called “PROTOCOL OF<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 13/77<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
COMMUNICATIONS TO CUSTOMERS FOR SURVEILLANCE ALERTS<br />
TRANSACTIONAL PREVENTION OF MONEY LAUNDERING AND<br />
FINANCING OF TERRORISM (PBC/FT)”, it is indicated that the first version<br />
approved is from 04/03/2018 and that on 03/10/2021 the “Review” was carried out<br />
updating and modifying some deadlines (reduction thereof).” The revision<br />
<br />
3 of the document indicates that it was carried out on 05/06/2022 and consisted of the “Review<br />
updating and modifying the communications of Annex I”, while the<br />
revision 4 indicates was carried out on 10/17/2022 and consisted of the “Review and update of the<br />
protocol with the aim of adapting it to the new documentation upload process<br />
via private website, eliminating the need for the client to send it to an address<br />
of e-mail. Document reviewed together with the contact center and Operations<br />
<br />
Compliance". Point 4 of the aforementioned document details:<br />
<br />
"4. SENDING AND RECEIVING DOCUMENTATION BY CLIENTS<br />
<br />
In all cases (customers from Spain and passporting countries: Germany, the Netherlands<br />
and Portugal), clients will be informed to upload the required documentation to the<br />
space enabled for this purpose in the private area of the Openbank website, indicating<br />
in the text field the information that justifies the operation carried out.<br />
<br />
The contact center manager will provide assistance to customers when they have<br />
difficulties following the instructions for uploading documentation. If the customer<br />
has forgotten their username and/or password to access the Openbank website, they<br />
will be informed of the steps to follow to reset it. In addition, a help guide has<br />
been prepared for managers and information for clients has been incorporated into<br />
the FAQ section of the website."<br />
<br />
<br />
And in “Annex I - Communications to clients to request information and/or<br />
documentation for an AML/CFT transactional surveillance alert” it explains:<br />
<br />
“(…)”<br />
<br />
NINTH: As of October 13, 2022, OPENBANK had enabled, within the private area of the<br />
bank's website (which requires a username and password to access), a space so that<br />
clients could provide the documentation required in compliance with article 6 of<br />
Law 10/2010, of April 28, on the prevention of money laundering and terrorist<br />
financing.<br />
<br />
TENTH: During the evidence period, OPENBANK provided an Excel-type file<br />
“DOCUMENTO_NUM._1.XLSX”, without signature or date, in which the tab “0.Sheet of<br />
Control” shows at the top, in red, “Data Privacy Impact Assessment (DPIA)”. In the<br />
tab “2. Life Cycle” of this file, under the heading “Data Capture”, the section<br />
“Processing activities or operations” contemplates the “Extraction of the client's<br />
transactional operations from the Bank's core systems”. (…):<br />
<br />
2. Treatment life cycle<br />
<br />
General information<br />
<br />
affected personnel. It is necessary to indicate, broadly speaking, what the life cycle of the treatment would be like: from when the data is captured, how it is stored or classified, for what purpose it is used, the existence of assignments or transfers (whether to other national or international companies) and finally a description of how it is destroyed.<br />
<br />
Processing life cycle, by phase (rows: processing activities or operations; flow and processed data; participants in the treatment, including processors; technology involved):<br />
<br />
- Data capture: extraction of client operations from the Bank's core systems. Data: identifying data; economic, financial and insurance data. Participants: N/A. Technology: Partenon.<br />
- Storage / classification: data storage in internal fraud lists. Data: identifying data; economic, financial and insurance data. Participants: N/A. Technology: office tools (Excel).<br />
- Use / processing: tracking and monitoring of the clients' transactional profile through analysis of their positions and activity in the different products contracted with Openbank, and client weighting. Data: identifying data; economic, financial and insurance data. Participants: GEOBAN (in charge of alert monitoring; second-level analysis of operations). Technology: Norkom, FIOC application.<br />
- Transfer of data or transfers to a third party: transfer of client data. Data: identifying data; economic, financial and insurance data. Participants: Sepblac. Technology: Editran tool.<br />
- Destruction: data is not destroyed; it is stored indefinitely. However, the tool limits the depth of the historical information that can be consulted. Data: N/A. Participants: N/A. Technology: N/A.<br />
<br />
<br />
<br />
<br />
<br />
ELEVENTH: Banco Santander, S.A. holds a direct 100% participation in Open Bank, S.A.<br />
(see page 816 of the “2021 Annual Report” of the Santander Group).<br />
<br />
The total global annual business volume of Banco Santander, S.A. and its dependent<br />
companies (Santander Group) in the financial year prior to the commission of the<br />
infringement, fiscal year 2020, was 44,279 million euros (see pages 555 and 843 of the<br />
“2021 Annual Report”).<br />
<br />
<br />
<br />
TWELFTH: OPENBANK's total number of clients is greater than 1.7 million customers<br />
(Source: ***URL.3)<br />
<br />
<br />
<br />
<br />
THIRTEENTH: The number of requests made by OPENBANK for the analysis of operations in<br />
compliance with art. 6 of Law 10/2010, of April 28, on the prevention of money<br />
laundering and terrorist financing, and the number of clients therefore affected<br />
during the years 2020, 2021 and 2022, has been the following, according to what is<br />
stated in Document 13 that accompanies its allegations to the agreement to initiate<br />
this sanctioning procedure:<br />
<br />
(…)<br />
<br />
FOUNDATIONS OF LAW<br />
<br />
I<br />
<br />
Competence and applicable regulations<br />
<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter RGPD) grants to each supervisory<br />
authority, and as established in articles 47, 48.1, 64.2, 68.1 and 68.2 of Organic<br />
Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital<br />
rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is<br />
competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: “The procedures processed by<br />
the Spanish Data Protection Agency will be governed by the provisions of Regulation<br />
(EU) 2016/679, of this organic law, of the regulatory provisions dictated in its<br />
development and, insofar as they do not contradict them, on a subsidiary basis, by<br />
the general rules on administrative procedures.”<br />
<br />
II<br />
Preliminary Issues<br />
<br />
<br />
In the present case, in accordance with the provisions of article 4.1 and 4.2 of the<br />
RGPD, the processing of personal data is involved, since OPENBANK, through the entity<br />
Santander Global Operations, S.A. as responsible for the processing, carries out the<br />
collection, storage and communication of, among others, the following personal data<br />
of natural persons: name, surname, tax identification number, email and the origin<br />
of the clients' income, among other processing operations.<br />
<br />
OPENBANK carries out this activity in its capacity as data controller, given that it<br />
is the one who determines the purposes and means of such activity, by virtue of<br />
article 4.7 of the GDPR.<br />
<br />
<br />
The GDPR provides, in its article 56.1, for cases of cross-border processing as<br />
defined in its article 4.23, in relation to the competence of the lead supervisory<br />
authority, that, without prejudice to article 55, the supervisory authority of the<br />
main establishment or of the single establishment of the controller or processor will<br />
be competent to act as lead supervisory authority for the cross-border processing<br />
carried out by said controller or processor, in accordance with the procedure<br />
established in article 60. In the case examined, as stated, OPENBANK has its main<br />
establishment in Spain, so the Spanish Data Protection Agency is competent to act as<br />
lead supervisory authority.<br />
<br />
<br />
For its part, article 25 of the GDPR regulates data protection by design and by<br />
default, which the controller must apply both when determining the means of<br />
processing and at the time of the processing itself, and article 32 of the RGPD<br />
regulates the security measures that must be adopted to guarantee a level of security<br />
appropriate to the risk presented by the processing of personal data.<br />
<br />
<br />
III<br />
<br />
Allegations made<br />
<br />
<br />
In relation to the allegations made against the proposed resolution of this<br />
sanctioning procedure, we proceed to respond to them in the order set out by<br />
OPENBANK.<br />
<br />
FIRST.- GENERAL CONSIDERATIONS REGARDING THE CONTENT OF THE PROPOSED RESOLUTION<br />
<br />
OPENBANK alleges that the structure and content of the proposed resolution are not<br />
only extremely complex and difficult to follow, but that, as a consequence of all<br />
this, the AEPD incurs numerous contradictions.<br />
<br />
<br />
In this sense, it alleges that the proposed resolution dedicates legal basis III to<br />
responding to the allegations made by OPENBANK against the agreement to initiate this<br />
sanctioning procedure, for which purpose it reproduces almost literally the<br />
allegations made by OPENBANK, attempting to counter-argue, one by one, what is stated<br />
in each of them, but that, subsequently, the proposed resolution reproduces in legal<br />
bases IV and following, practically literally and with minimal alterations, the<br />
content of the aforementioned initiation agreement, without adding any reasoning to<br />
what was already invoked by the Agency when the procedure was initiated.<br />
<br />
And it alleges that what is stated in legal basis III of the proposed resolution is<br />
in open contradiction with what is stated in its legal basis IV, given that in the<br />
first of these grounds the AEPD denies supporting the argumentation or reasoning that<br />
is subsequently reproduced and used to confirm its position in the following legal<br />
bases.<br />
<br />
It indicates that this leads first of all to an obvious conclusion: if the reasoning<br />
of the AEPD is exactly the same as that maintained in the initiation agreement,<br />
OPENBANK cannot but confirm itself in each and every one of the allegations made<br />
against the aforementioned agreement.<br />
<br />
In this regard, this Agency recognizes that it is possible that the wording of the<br />
legal bases subsequent to the one that responds to the allegations presented by<br />
OPENBANK could be improved, which is why a new wording is adopted that simplifies the<br />
reading of the resolution, while improving the reasoning regarding the commission of<br />
the infringement and the sanction to be imposed, and avoiding possible confusion.<br />
<br />
SECOND.- ON THE PREMISES MAINTAINED BY THE AEPD THROUGHOUT THE PROCEDURE<br />
<br />
OPENBANK, in its allegations to the Initiation Agreement, showed how that agreement<br />
(and the Proposal) was based on three essential arguments: (i) that OPENBANK was<br />
subject to compliance with the due diligence obligations established in article 32 of<br />
Law 10/2010, of April 28, on the prevention of money laundering and terrorist<br />
financing (hereinafter, the “LPBCFT”) and 60.2 of its implementing regulations,<br />
approved by Royal Decree 304/2014, of May 5 (hereinafter, the “RPBCFT”); (ii) that<br />
the AEPD considered that the information requested by OPENBANK from the complaining<br />
party was “financial data”, which required the adoption of reinforced measures not<br />
assessed by OPENBANK; and (iii) that “high-level” security measures had to be<br />
implemented.<br />
<br />
It is alleged that the proposed resolution does not contradict what was argued by<br />
OPENBANK, but denies that the Initiation Agreement applied the aforementioned<br />
premises, something that, in its opinion, directly contradicts the mere reading of<br />
the proposal itself, given that the paragraphs transcribed by OPENBANK continue to<br />
appear, literally, in legal bases IV and following of the same.<br />
<br />
<br />
In this regard, this Agency reiterates that:<br />
<br />
(i) the object of this procedure is not the violation of the provisions of the<br />
anti-money laundering regulations but rather the violation of the provisions of<br />
Articles 25 and 32 of the GDPR, the regulations applicable to the protection of the<br />
personal data of natural persons, which falls within the competence of this Agency;<br />
<br />
(ii) the information requested by OPENBANK from the complaining party does have the<br />
consideration of “financial data”, which required the application of a series of<br />
reinforced measures to effectively apply the data protection principles and<br />
integrate the necessary guarantees into the processing in order to meet the<br />
requirements of the GDPR and protect the rights of the interested parties (in<br />
accordance with article 25 of the GDPR), as well as the application of technical and<br />
organizational measures appropriate to guarantee a level of security appropriate to<br />
the risk (in accordance with article 32 of the RGPD);<br />
<br />
(iii) that in the present case it is not a question of whether “high-level” security<br />
measures should have been implemented, but rather that measures had to be<br />
implemented that guarantee a level of security appropriate to the risk to the rights<br />
and freedoms of natural persons.<br />
<br />
<br />
However, this Agency recognizes that it is possible that the wording of the legal<br />
bases subsequent to the one that responds to the allegations presented by OPENBANK<br />
could be improved, which is why a new wording is adopted that simplifies the reading<br />
of the resolution, while improving the reasoning regarding the commission of the<br />
infringement and the sanction to be imposed, and avoiding possible confusion.<br />
<br />
1. On the applicability of the anti-money laundering regulations<br />
<br />
OPENBANK alleges that, in relation to the alleged applicability to the due diligence<br />
obligations of what is established in article 32 of the LPBCFT, the proposed<br />
resolution establishes a premise: that the provisions of the regulations on the<br />
prevention of money laundering and terrorist financing are irrelevant in the present<br />
case, given that (i) “the classification of the facts is not motivated by a violation<br />
of articles 32 and 32 bis of Law 10/2010, as OPENBANK says in its allegations, but by<br />
articles 25 and 32 of the RGPD”; (ii) “it is not the subject of the present procedure<br />
whether or not the provisions of article 32 or 32 bis of the LPBCFT [were complied<br />
with], since this is not the competent authority for that and the legal interest<br />
protected by the aforementioned regulations is different from the legal interest<br />
protected by the data protection regulations”; and (iii) in relation to OPENBANK's<br />
invocation of the AEPD's own reports, “what cannot be done is, as OPENBANK intends,<br />
to use them to interpret the content of an article, 32 bis, in contrast to article<br />
32, when article 32 bis did not exist on the date of issuance of such reports, having<br />
been added later by art. 3.15 of Royal Decree-law 7/2021, of April 27, in force as of<br />
04/29/2021.”<br />
<br />
Regarding the first of the aforementioned issues, OPENBANK considers that a mere<br />
reading of legal basis IV of the Proposed Resolution is enough to show how the AEPD<br />
continues to base all of OPENBANK's imputability on its alleged non-compliance with<br />
article 32 of the LPBCFT, and how said precept refers solely and exclusively to<br />
compliance by the obligated entities, in matters of prevention of money laundering,<br />
with the provisions relating to the obligations of special examination of operations<br />
and initial communication to the Executive Service of the Commission for the<br />
Prevention of Money Laundering and Monetary Offenses (hereinafter, the “SEPBLAC”).<br />
<br />
In this regard, this Agency recognizes that it is possible that the wording of the<br />
legal bases subsequent to the one that responds to the allegations presented by<br />
OPENBANK could be improved, which is why a new wording is adopted that simplifies the<br />
reading of the resolution, while improving the reasoning regarding the commission of<br />
the infringement and the sanction to be imposed, and avoiding possible confusion.<br />
<br />
Likewise, OPENBANK alleges that the proposed resolution errs in indicating that the<br />
provisions of articles 32 and 32 bis of the LPBCFT are outside the powers of the<br />
AEPD, since these are two rules that regulate the obligations of the obligated<br />
subjects regarding the protection of personal data and not the substantive aspects of<br />
the anti-money laundering regulations themselves. And that these precepts are<br />
configured as a special rule on the protection of personal data within the anti-money<br />
laundering regulations, in the same way that numerous sectoral regulations include<br />
data protection provisions regarding which the AEPD has never denied its competence,<br />
since they are nothing more than the particularization, for a specific case or<br />
sector, of the rules contained in the RGPD and the LOPDGDD.<br />
<br />
<br />
OPENBANK indicates that the aforementioned precepts are those that particularize the<br />
obligations that the obligated subjects must fulfil in order to comply with the<br />
proactive responsibility duties established in the personal data protection<br />
regulations, in relation to the data processing of this nature that must be carried<br />
out in compliance with the obligations established in the Law and, as regards this<br />
case, in compliance with the duty to know the origin of the funds established in the<br />
anti-money laundering regulations.<br />
<br />
That is, compliance with the principle of proactive responsibility, and in particular<br />
with privacy by design, is materialized in the adoption of the measures established<br />
by the LPBCFT itself, without it being admissible to disaggregate this law from the<br />
RGPD, as if they were independent legal regulations referring to different realities.<br />
The LPBCFT indicates what these obligations are, clearly and evidently differentiating<br />
(and in force at the time of the events that gave rise to the present file) between<br />
the obligations related to the processing carried out in compliance with due<br />
diligence and those related to the processing carried out to comply with the special<br />
examination of operations, so that in the present case the provisions of article 32<br />
bis of the LPBCFT apply.<br />
<br />
In this regard, this Agency wishes to point out that it cannot but agree with<br />
everything affirmed by OPENBANK in this sense, while clarifying that the management<br />
of regulatory compliance provided for in article 25 of the GDPR is not limited to the<br />
application of the precepts of the LPBCFT that particularize some of the obligations<br />
regarding data protection, further reinforcing some of the obligations in relation to<br />
certain processing.<br />
<br />
<br />
In this way, OPENBANK alleges, compliance with the principle of privacy by design in<br />
the processing carried out in compliance with Chapter II of the LPBCFT is translated<br />
into article 32 bis.4 of the law, which provides that “the obligated subjects must<br />
carry out a data protection impact assessment of the processing referred to in this<br />
article in order to adopt reinforced technical and organizational measures to<br />
guarantee the integrity, confidentiality and availability of personal data. These<br />
measures must in any case guarantee the traceability of data access and<br />
communications.”<br />
<br />
And it is undeniable, in its opinion, that OPENBANK carried out the aforementioned<br />
data protection impact assessment in relation to the aforementioned processing, and<br />
that it did not conceive and apply this obligation as a static process but as a<br />
dynamic one, the file recording the various assessments carried out by OPENBANK, as<br />
well as the measures successively implemented by it, among which is currently the<br />
fact that the information for compliance with due diligence obligations is to be<br />
provided in the private client area made available to the client by OPENBANK.<br />
<br />
In this regard, this Agency wishes to point out that compliance with the principle of<br />
privacy by design in the processing carried out in compliance with Chapter II of the<br />
LPBCFT translates into much more than what is indicated in article 32 bis.4 of the<br />
law. Everything indicated in article 25 of the RGPD applies to this processing, as it<br />
applies to all subjects included in its scope of application. However, in the<br />
specific case of entities subject to the LPBCFT regime, the obligation to carry out<br />
an impact assessment in order to adopt reinforced measures to guarantee the<br />
integrity, confidentiality and availability of personal data (and, at a minimum, to<br />
guarantee the traceability of data access and communications) is a heightened<br />
obligation, due to the very nature of the processing carried out in compliance with<br />
Chapter II of the LPBCFT, which requires greater protection given the greater risk to<br />
the rights and freedoms of natural persons.<br />
<br />
<br />
It should also be noted that privacy by design is not limited to carrying out the<br />
data protection impact assessments referred to in the LPBCFT.<br />
<br />
In the present case, the lack of design of the processing on the part of OPENBANK is<br />
evident, since the activity of collecting data from clients is not contemplated in<br />
the so-called “treatment life cycle” of its Excel data protection impact assessment<br />
document (provided during the evidence period of this procedure); therefore, by not<br />
even foreseeing this activity, the appropriate technical and organizational measures<br />
have not been applied to effectively implement the data protection principles (among<br />
others, confidentiality), comply with the requirements of the GDPR and protect the<br />
rights of the interested parties.<br />
<br />
<br />
Regarding the analyses carried out by OPENBANK in the documents called “Impact<br />
Assessment - Monitoring of clients and sensitive operations”, in its August 2021<br />
version, which was not even in force at the time of the events that are the subject<br />
of the claim (which took place in July 2021), the only possibility foreseen was for<br />
clients to send the information through an encrypted message, sending the password<br />
through another channel. And even the aforementioned document mentions that “an<br />
internal request has been made so that interested parties can upload documents<br />
directly through the website, once they have logged in.” However, it has been<br />
verified that the complaining party was never given that possibility, neither in the<br />
initial communication sent by OPENBANK nor subsequently, when it requested a secure<br />
alternative route for sending that communication. It was also found that the<br />
communication model sent to clients mentioned none of these options; it only<br />
mentioned the possibility of replying to the email that was sent, without giving<br />
further instructions on how such information could be protected.<br />
<br />
It is curious that, despite not providing its clients with any sufficiently secure<br />
means to provide the information they were obliged to provide, both documents, in<br />
their 2021 and 2022 versions, recognize that the risk inherent in such processing had<br />
a high impact on the rights and freedoms of the interested parties.<br />
<br />
And yet, it is only in the October 2022 version that OPENBANK indicates that<br />
“customers will identify themselves by means of DNI and access code to the private<br />
customer area”.<br />
<br />
<br />
What is certain is that the communication addressed to the client complied with the<br />
provisions of the document provided by OPENBANK as the protocol for requesting<br />
documentation from clients under the LPBCFT, and that the communication addressed to<br />
clients did not indicate any means of providing that information, beyond the<br />
possibility of replying to the aforementioned email.<br />
<br />
<br />
In any case, to comply with data protection by design and by default, it is not<br />
enough to simply have a protocol document or a communication model if, upon reviewing<br />
said documents, it is found that they made no adequate provision for the technical<br />
and organizational measures appropriate to effectively apply the principles of data<br />
protection and to integrate the necessary guarantees into the processing in order to<br />
comply with the requirements of the RGPD and protect the rights of the interested<br />
parties, as provided in article 25.1 of the GDPR.<br />
<br />
Nor is it sufficient to have documents that establish protocols or procedures to<br />
follow if, later, in practice, when carrying out the processing, appropriate measures<br />
to implement the data protection principles are not applied either, nor are the<br />
guarantees necessary to comply with the requirements of the GDPR integrated.<br />
<br />
In the present case, it has been proven that in July 2021 the complaining party was<br />
asked to send certain information, which could have a high impact on his rights and<br />
freedoms, by email, without being given further instructions on how such information<br />
could be sent through a secure channel.<br />
<br />
It has also been proven that the complaining party had conveyed to the bank his<br />
concern in this regard and had requested that a secure means be provided to share<br />
such information. But, given the bank's refusal, he had no option other than sending<br />
the requested information through a simple email, to his displeasure and despite<br />
having expressed his reluctance. And the complaining party even expressly asked that<br />
his concern be taken into account and that a secure means be enabled in the future<br />
to share this type of information.<br />
<br />
However, in the August 2021 documents that OPENBANK provided together with its<br />
allegations to the initiation agreement, no other means is foreseen.<br />
<br />
From the content of the documentation in the file, the following has been proven:<br />
<br />
<br />
- That in “Annex I - Communications to clients to request information and/or<br />
documentation for PBC” of the document “COMMUNICATIONS PROTOCOL TO CUSTOMERS FOR<br />
AML/CFT ALERTS: OPENING AND MANAGEMENT OF GAPS”, dated March 2021, the first<br />
communication addressed to the client, in which he is asked to prove the origin of<br />
the funds, does not provide for or indicate a specific means by which he must provide<br />
such information to OPENBANK. And that the second communication addressed to the<br />
client does not provide for or indicate a means by which to provide such<br />
documentation to the bank either, but its text includes the threat that if the<br />
requested documentation is not received within the next 15 days OPENBANK may prevent<br />
new deposits into his accounts.<br />
<br />
<br />
- That on July 7, 2021, OPENBANK requested the complaining party to send<br />
documentation accrediting the origin of certain funds, under the threat that in 15<br />
days it could prevent new deposits into his account, without indicating any means by<br />
which such information should be provided.<br />
<br />
<br />
- That on July 10, 2021, the complaining party provided the requested documentation,<br />
expressing his disagreement because, when he asked about the way to send such<br />
information, he was told to do so by email, without further detail. And in this<br />
email, the complaining party indicates that he does not consider it a secure means,<br />
that he uses this medium because he was forced to do so, and he himself even gives<br />
as an example of a secure means the possibility of sending it “through the client<br />
portal”, a possibility that was not offered to him by OPENBANK. He also asks that the<br />
process be reviewed from the point of view of data protection and that timely<br />
measures be taken. However, this email only received an automatic acknowledgment of<br />
receipt from the bank, on July 13, 2021.<br />
<br />
<br />
- In the document “Impact evaluation - Customer and operation monitoring - sensitive<br />
information”, dated August 2021, it is foreseen that the interested party can reply<br />
to the email with an encrypted message, sending the password via another channel.<br />
And it has been requested that it could be done directly through the website<br />
section, once logged in.<br />
<br />
<br />
- In the document “Impact evaluation - Customer and operation monitoring - sensitive<br />
data”, October 2022, it is foreseen that clients will authenticate using their ID and<br />
access code to the private client area.<br />
<br />
<br />
- In the document “COMMUNICATIONS PROTOCOL TO CUSTOMERS FOR TRANSACTIONAL<br />
SURVEILLANCE ALERTS FOR THE PREVENTION OF MONEY LAUNDERING AND FINANCING OF TERRORISM<br />
(PBC/FT)”, from October 2022, it is indicated that clients will be informed to upload<br />
the documentation through the private area of the OPENBANK website. And in “Annex I -<br />
Communications to clients to request information and/or documentation for an AML/CFT<br />
transactional surveillance alert” the client is instructed to send the documentation<br />
through the “Customer Area” of the OPENBANK website.<br />
<br />
That is, the protocol in force at the time of the events (March 2021) did not provide for how the requested documentation was to be sent, notwithstanding the risks to the rights and freedoms present in such processing of data.<br />
<br />
In July 2021 the complaining party drew attention to this issue in the email he sent to OPENBANK on July 10, 2021. But the bank ignored it and did not even give him any answer to his concern, which clearly related to a matter of personal data protection; this also shows the absence of an internal process at OPENBANK for channelling such issues.<br />
<br />
In August 2021 OPENBANK envisaged the possibility for clients to send the documentation in question through an encrypted email, providing the password through another channel (without specifying which). It is also indicated that a request had been made for this documentation to be provided through the customer area of the OPENBANK website.<br />
<br />
And it is not until October 2022 that the communication protocols and the documents of the purported impact assessment on this matter specifically provide that clients may submit the requested documentation through the OPENBANK website, by logging into their client area.<br />
<br />
That is, the solution allowing this information to be provided through the client area was adopted a year and a half after the updated protocol of March 2021 was adopted, and more than a year after the complaining party had drawn attention to this specific issue and after the document of the purported impact assessment on this matter had already envisaged it as a possibility that needed to be followed up.<br />
<br />
All of this shows that OPENBANK did not apply a data protection by design approach either before or during the performance of the processing, and the present allegation is therefore rejected.<br />
<br />
OPENBANK alleges that it is fully aware that the principle of privacy by design requires that reinforced measures guaranteeing the rights of data subjects be implemented before the processing is carried out, but that the obligation to obtain from the data subject information on the origin of funds is laid down in the LPBCFT, which entered into force more than eight years before the GDPR. And that OPENBANK was obliged to carry out the data processing referred to in this file long before the rules contained in the GDPR and the LOPDGDD were adopted or became fully applicable. Therefore, strict application of the principle (in the sense that the measures had to precede the processing) can hardly be required of it, on pain of failing to comply with its obligations regarding the prevention of money laundering and the financing of terrorism.<br />
<br />
In this regard, this Agency wishes to point out that Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD) was approved more than 10 years before the LPBCFT, and that the LPBCFT itself, in its original wording, contained a reference to the personal data protection rules in its article 32. There is therefore no doubt that the entities subject to the LPBCFT were fully subject to the data protection rules then in force. Regardless of the existence of an article 32 of the LPBCFT specific to the processing operations of Chapter III of that Law (which imposed a series of additional obligations on controllers), this did not prevent the data protection rules in force at any given time from applying to the remaining processing operations: initially the LOPD of 1999, until the GDPR and the LOPDGDD became applicable and displaced it.<br />
<br />
While it is true that the approach of the GDPR and the LOPDGDD was completely novel compared with the previous data protection rules, it is no less true that OPENBANK had more than enough time over the three years (six years if counted from the adoption of the GDPR text) that elapsed between the approval of the GDPR (April 2016), the date on which the GDPR became applicable (May 2018, which allowed two full years for preparation and adaptation to the GDPR) and the facts that are the subject of the complaint giving rise to this sanctioning procedure (July 2021) to adapt its processing operations to articles 25 and 32 of the GDPR (four years considering that the measures allowing clients to share the requested information through their private area were only adopted in October 2022).<br />
<br />
Of course, it would have been impossible to have a data protection by design approach before carrying out the processing when that processing began many years before the GDPR existed, but it is undeniable that the principle of data protection by design does not only imply that the measures must precede the processing: article 25 of the GDPR itself states “both at the time of the determination of the means for processing and at the time of the processing itself”, that is, not only beforehand but throughout the time the processing takes place and whenever the means of processing are determined, which is a decision that is also made over time, as the circumstances and possibilities of each moment change.<br />
<br />
Furthermore, it should be noted that, without disregarding the legal obligations imposed by the LPBCFT, the legal obligations laid down in the GDPR are at least at the same level, especially since the latter protects a fundamental right. These are obligations that OPENBANK must fulfil regardless of its compliance with those arising from the LPBCFT, and compliance with the provisions of the latter does not make compliance with those of the GDPR impossible.<br />
<br />
<br />
OPENBANK is focusing on its own risks, the risks to the organisation if it does not comply with the LPBCFT, and not on the risks to its clients' rights and freedoms with regard to data protection.<br />
<br />
Finally, OPENBANK alleges that article 32 of the LPBCFT applies only to the obligations contained in its Chapter III, to the point that the legislator was urged to adopt a rule specifically establishing the scope of those personal data protection obligations in relation to what is laid down in Chapter II of that Law, as finally materialised in article 32 bis of the LPBCFT, added by article 3.15 of Royal Decree-Law 7/2021, of 27 April. And that only in this way can one understand the conclusion reached in Report 195/2013 of the Legal Office of this AEPD, which states that “the interpretation that the high security level referred to in article 32.5 of Law 10/2010 is only enforceable in relation to the files created to comply with the obligations established in Chapter III of that Law must be considered consistent with the fact that the Law itself establishes certain limitations on the data subject only in relation to those files, this required level being an additional guarantee established as a counterweight to those limitations”, and the fact that in Report 41/2018 the AEPD urged the legislator to regulate data protection obligations in the framework of compliance with the duties of due diligence and special examination of transactions, recommending the drafting of differentiated rules for each type of processing.<br />
<br />
In summary, OPENBANK alleges that the AEPD's arguments must fail, since the Agency bases OPENBANK's alleged non-compliance with the principle of privacy by design and with the implementation of security measures on a provision, article 32 of the LPBCFT, which is not applicable to the case, as the Agency itself had indicated.<br />
<br />
In this regard, this Agency agrees that article 32 of the LPBCFT is not applicable to the obligations of Chapter II of the LPBCFT, but rather article 32 bis thereof, and for that reason a new wording will be given to the legal grounds that follow the one responding to the allegations submitted by OPENBANK.<br />
<br />
IN CONCLUSION:<br />
<br />
1.- Compliance with article 25 of the GDPR, privacy by design, is not exhausted by compliance with the data protection obligations laid down in the LPBCFT.<br />
<br />
2.- Compliance with article 25 of the GDPR is not exhausted by carrying out data protection impact assessments.<br />
<br />
3.- OPENBANK had not envisaged the processing activity consisting of the collection of financial data from clients for the prevention of money laundering.<br />
<br />
4.- The data protection impact assessments carried out by the party complained against at the time the events occurred did not include the processing activity consisting of the collection of financial data from clients for the prevention of money laundering.<br />
<br />
5.- Since this activity had not been envisaged by OPENBANK, the risks to the rights and freedoms of clients present in such processing had not been identified and assessed.<br />
<br />
6.- Because the risks were not identified and assessed, the appropriate technical and organisational measures to effectively implement the data protection principles (including confidentiality), to meet the requirements of the GDPR and to protect the rights of data subjects (all of its clients) had not been established and applied.<br />
<br />
7.- All of the above clearly shows that OPENBANK did not comply with its obligation to apply article 25 of the GDPR, privacy by design, either before or during the processing.<br />
<br />
<br />
<br />
2. Regarding the reference made by the AEPD to financial data<br />
<br />
OPENBANK alleges that the proposed resolution is clearly contradictory, since in two consecutive paragraphs of legal ground III it introduces two diametrically opposed considerations that appear to underpin its sanctioning reproach.<br />
<br />
Thus, it states that “it is not appropriate to determine the level of risk and the need to adopt appropriate security measures on the basis of financial data in isolation, but in accordance with the provisions of the data protection rules applicable to the case, that is, depending on the type of processing and, specifically, in relation to the prevention of money laundering”, which seems to reinforce the idea, already refuted above, that it is the nature of the processing, and not the type of data, that justifies its reproach.<br />
<br />
But it immediately adds that “the factual circumstances of the present case determine that reinforced security measures must be adopted, given that the processing of the complaining party's personal financial data presents a high level of risk”. That is, it is the nature of the data, considered financial, and not the purpose of the processing, that justifies the adoption of certain measures which the AEPD considers not to have been fulfilled.<br />
<br />
<br />
In this regard, this Agency wishes to point out that the analysis and adoption of technical and organisational measures to effectively implement the data protection principles and integrate the necessary safeguards to meet the requirements of the GDPR and protect the rights of data subjects (article 25 of the GDPR), and the application of appropriate technical and organisational measures to ensure a level of security appropriate to the risk to the rights and freedoms of natural persons (article 32 of the GDPR), must not be carried out solely on the basis of the nature or purpose of the processing, or solely on the basis of the type of data processed, as if they were mutually exclusive aspects, but must take into account all the aspects that the processing in question may entail.<br />
<br />
<br />
The analysis carried out by OPENBANK of the concept of “financial data”, to determine whether the processing at issue entails a higher risk and whether this category of data deserves special protection, is not correct, since it seeks to assess the concept of “financial data” separately from the LPBCFT rules, when the need for a data protection impact assessment and the consequent adoption of reinforced measures guaranteeing the integrity and confidentiality of personal data, as well as the traceability of access to, processing of and communication of data, are already established by the legal system.<br />
<br />
<br />
In complying with the LPBCFT, obliged entities may process financial data, but not only data of this category: personal data of various kinds are also processed (identification, contact or economic data relating to business, professional or investment activity, among others). Data protection in compliance with the LPBCFT cannot be limited by the criteria applicable to only one of these data, as OPENBANK attempts to argue, when what is to be protected is access to the information that all these personal data convey, not only individually but in their joint processing.<br />
<br />
OPENBANK states that the above is reinforced by the fact that legal ground IV of the proposed resolution again treats the reference to financial data made in recital 28 of the GDPR as essential to determining the need for OPENBANK to have established an additional measure for the collection of data relating to the origin of funds.<br />
<br />
In this regard, this Agency wishes to point out that it does not understand the reference made to recital 28 of the GDPR, since that recital deals with the pseudonymisation of data. In any case, the reference to financial data is decisive, given that these are data deserving special protection because their processing entails a greater risk to the rights and freedoms of natural persons.<br />
<br />
<br />
OPENBANK alleges that, as regards the reference made by the AEPD to the Guidelines of the Article 29 Working Party (hereinafter “WP29”), it suffices to point out that the processing at issue does not involve any “evaluation or scoring” of data subjects or any check against “a credit reference database or an anti-money laundering and counter-terrorist financing database”, but only obtaining information on the origin of the funds corresponding to certain transactions.<br />
<br />
<br />
In this regard, this Agency wishes to recall the content of the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is ‘likely to result in a high risk’ for the purposes of Regulation (EU) 2016/679”, insofar as relevant here: “In order to provide a more concrete set of processing operations that require a DPIA due to their inherent high risk (…) the following nine criteria should be considered: 1. Evaluation or scoring, including profiling and predicting, especially from ‘aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements’ (recitals 71 and 91). Examples of this could include a financial institution that screens its customers against a credit reference database or against an anti-money laundering and counter-terrorist financing (AML/CTF) or fraud database…” (emphasis added).<br />
<br />
This Agency considers that the activity carried out by OPENBANK under Chapter II of the LPBCFT, whereby clients are asked to provide “the supporting documents justifying a certain income, since they will make it possible to clarify the origin of the funds that have been deposited in the client's account at OPENBANK”, does fall within the case of a financial institution that screens its clients against a possible anti-money laundering, counter-terrorist financing or fraud database, and these are therefore operations likely to entail a higher risk.<br />
<br />
So much so that, precisely because they are operations likely to entail a higher risk, the LPBCFT itself considered it appropriate to incorporate the need to carry out a data protection impact assessment of the processing operations referred to in that article, in order to adopt reinforced technical and organisational measures to guarantee the integrity, confidentiality and availability of personal data.<br />
<br />
Likewise, OPENBANK alleges that the proposed resolution seems to suggest that OPENBANK has not carried out any data protection impact assessment of the processing, which directly contradicts the administrative file, which includes it, together with the measures adopted to mitigate the data protection risks arising from the processing.<br />
<br />
In this regard, this Agency wishes to recall that the subject of this procedure is not whether or not OPENBANK carried out an impact assessment as required by article 32 of the LPBCFT, but whether the organisation had incorporated the principles of data protection by design and by default (article 25 of the GDPR) and whether it had adopted appropriate security measures in relation to the risk to the rights and freedoms of data subjects (article 32 of the GDPR).<br />
<br />
<br />
In the present case, the lack of design of the processing by OPENBANK is shown by the fact that the activity of collecting data from clients does not appear in the so-called “processing life cycle” of its data protection impact assessment Excel file (provided during the evidence phase of this procedure); therefore, by not even envisaging this activity, the appropriate technical and organisational measures to effectively implement the data protection principles (among others, confidentiality), to meet the requirements of the GDPR and to protect the rights of data subjects have not been applied.<br />
<br />
Furthermore, this Agency reiterates what has already been stated in response to the allegation regarding the applicability of the anti-money laundering rules, concerning the analysis of the content of the communications sent to the complaining party and of the documentation provided to the file, all of which shows that OPENBANK did not apply a data protection by design approach before or during the processing.<br />
<br />
OPENBANK alleges that both the Handbook on European Data Protection Law and the AEPD's Risk Management Guide, when mentioning financial data, refer to data relating to means of payment, even though the proposed resolution seems to deny this statement categorically and without foundation.<br />
<br />
In this regard, this Agency wishes to recall the content of Chapter 9.2 of the Handbook on European Data Protection Law, prepared by the European Union Agency for Fundamental Rights, the Council of Europe, the European Court of Human Rights and the European Data Protection Supervisor, where it refers to “financial data”: “Although financial data are not considered sensitive data under Convention 108 or the General Data Protection Regulation, their processing requires special safeguards to ensure the accuracy and security of the data. In particular, electronic payment systems need to incorporate data protection measures, that is, privacy or data protection by design and by default.” The mention of privacy protection in relation to electronic payment systems highlights their importance, but it does not exclude that other financial data may likewise require special safeguards, as is the case here with the data collected under Chapter II of the LPBCFT.<br />
<br />
Regarding the AEPD's Guide on risk management and impact assessment in the processing of personal data, it distinguishes three types of economic data that must be assessed when determining the level of risk of a given processing operation for the purposes of the DPIA:<br />
• Data relating to the “[e]conomic situation (e.g., without being exhaustive, personal income, monthly income, assets (movable/immovable property), employment situation)”. These data are assigned a “medium risk”.<br />
• Data relating to the “[f]inancial status (e.g., without being exhaustive, financial solvency, debt capacity, level of indebtedness (personal loans, mortgages), solvency lists, defaults, assets (investment funds, returns generated, shares, accounts receivable, income received, etc.), liabilities (expenses on food, housing, education, health, taxes, credit payments, credit cards or personal expenses, etc.; or debts or obligations)”. These data are also assigned a “medium risk”.<br />
• “Data on means of payment (e.g., without being exhaustive, credit cards and access information for virtual currency services)”. These data are assigned a “high risk”.<br />
<br />
<br />
OPENBANK added in its allegations to the agreement to initiate this sanctioning procedure that the criteria established by the AEPD for carrying out a DPIA include, in number 4, “[p]rocessing operations that involve the use of special categories of data referred to in article 9.1 of the GDPR, data relating to criminal convictions or offences referred to in article 10 of the GDPR, or data that make it possible to determine a person's financial situation or asset solvency or to infer information about individuals related to special categories of data.”<br />
<br />
And that the high risk that would justify the implementation of what that Agreement calls “high-level security measures” would, in OPENBANK's view, be predicable only of information that:<br />
• refers to means of payment, that is, data relating to instruments that allow the data subject to acquire goods and services or enable them to settle debts they may have with third parties, apart from the non-exhaustive list in the document;<br />
• makes it possible to determine a person's financial situation or solvency.<br />
<br />
In this regard, this Agency considers that the documentation requested by OPENBANK under Chapter II of the LPBCFT, that is, “the documentary support relating to the origin of funds in your bank account (e.g., your payslip, employment contract, purchase and sale contract if it is a real estate transaction, donation or inheritance, the invoice for services provided that is paid by the beneficiary of those services, the decision declaring entitlement to a certain grant, etc.)”, contains data relating to the economic situation and financial status of clients, which make it possible to determine a person's financial situation or asset solvency, and therefore require greater protection.<br />
<br />
Finally, OPENBANK alleges that this Agency's conclusion that “the data relating to three deposits into bank accounts must be considered ‘financial data’, and the information relating to the origin of this income, while not strictly financial in nature, is closely related to these banking movements; therefore, when information is provided on the origin of the income, the movements in the complaining party's bank account produced by the activities originating that income are in turn revealed”, lacks any support to substantiate it. And that, in any case, it is evident that the data classified as “financial” (bank account deposits) are not, and cannot be claimed to be, the same as the remaining data (information relating to the origin of this income), which the proposed resolution considers “closely related” to banking movements.<br />
<br />
<br />
In this regard, this Agency insists that it considers the information on the origin of income in clients' bank accounts to be information closely related to such banking movements, and that it contains data relating to the economic situation and financial status of clients which make it possible to determine a person's financial situation or asset solvency, so that they require greater protection in view of the risks to the rights and freedoms of data subjects.<br />
<br />
In this sense, it must be noted that personal financial data considered jointly (those sent by the client themselves, to which those the bank already holds may be added) can reveal multiple aspects of the client, such as their financial situation or asset solvency, as we have indicated.<br />
<br />
<br />
Thus, Opinion 1/15 of the Court of Justice (Grand Chamber) of 26 July 2017 states that “128 Moreover, even if some of the PNR data, taken in isolation, do not appear to be capable of revealing important information about the private life of the persons concerned, the fact remains that, taken as a whole, that data may, inter alia, reveal a complete travel itinerary, travel habits, relationships existing between two or more individuals, and information on the financial situation of air passengers, their dietary habits or state of health, and may even provide sensitive information about those passengers, as defined in Article 2(e) of the envisaged agreement”, a risk also noted in the CJEU judgment of 1 August 2022.<br />
<br />
<br />
In any case, the LPBCFT itself recognises that these are operations likely to entail a higher risk, which is why it was considered appropriate to incorporate the need to carry out a data protection impact assessment of the processing operations referred to in that article, in order to adopt reinforced technical and organisational measures to guarantee the integrity, confidentiality and availability of personal data.<br />
<br />
IN CONCLUSION, the documentation requested by OPENBANK under Chapter II of the LPBCFT, that is, “the documentary support relating to the origin of funds in your bank account (e.g., your payslip, employment contract, purchase and sale contract if it is a real estate transaction, donation or inheritance, the invoice for services provided that is paid by the beneficiary of those services, the decision declaring entitlement to a certain grant, etc.)”, contains financial data relating to the economic situation and financial status of clients, which make it possible to determine a person's financial situation or asset solvency, so that its processing requires greater protection in view of the risks to the rights and freedoms of data subjects.<br />
<br />
Therefore, this allegation is rejected.<br />
<br />
<br />
3. Regarding the enforceability of the so-called “high-level measures”<br />
<br />
OPENBANK alleges that the agreement to initiate this sanctioning procedure invoked the requirement of a “high” security level, which has not been enforceable since the entry into force of the GDPR, and that the proposed resolution merely states that it reproduced the text of article 32 of the LPBCFT in the wording in force at the time of the events (which only reinforces what has already been said about its improper application). But it must also be added that, although it is claimed otherwise, the initiation agreement and the proposed resolution did intend to apply to OPENBANK, mimetically, the regime prior to the full application of the GDPR, since they refer to a measure, data encryption, which in that regulation was expressly associated with the so-called “high-level security measures”.<br />
<br />
And at this point, the proposal once again denies, although, in its opinion, there is a<br />
evidence that contradicts it in the file, that OPENBANK carried out a<br />
evaluation of the impact of the treatment on the rights of the interested parties, to<br />
<br />
determine the scope of the measures to be adopted, placing all the blame on<br />
OPENBANK in the fact that only one of all its clients “drew the attention [of<br />
OPENBANK] on this point”, not being satisfactory, in the opinion of the Agency, the<br />
response given by OPENBANK to that one.<br />
<br />
<br />
This leads OPENBANK to question whether what the AEPD considers violated in this case is its duty to adopt technical and organizational measures aimed at mitigating the risks of the processing after analyzing those risks through a data protection impact assessment, something that (in its opinion) the AEPD cannot deny OPENBANK has carried out, or whether the AEPD's reproach is that it did not give the data subject's “concern” the response that the Authority considers appropriate, even though it cannot be denied (in its opinion) that OPENBANK did respond to the request.<br />
<br />
In this regard, this Agency wishes to point out that the present sanctioning procedure refers solely and exclusively to the fact that OPENBANK did not apply data protection by design and by default, before and during the processing in question, to ensure compliance with the principles enshrined in the GDPR (Article 25 GDPR), and did not adopt appropriate security measures based on the risk in order to protect the rights and freedoms of the data subjects (Article 32 GDPR), in relation to the processing that is the subject of this procedure. It has also been indicated, for greater completeness, that data protection by design is not exhausted by carrying out an impact assessment.<br />
<br />
The references made by this Agency to the LPBCFT are to be understood only as reinforcing the violations of data protection regulations that this Agency has found.<br />
<br />
<br />
However, this Agency will give a new wording to the subsequent legal grounds, as indicated above.<br />
<br />
Likewise, this Agency wishes to point out that it has reviewed the measures adopted by OPENBANK regarding the information shared by users in order to comply with the obligations provided for by the LPBCFT, and the reality is that customers were not provided with a secure means to provide the requested information, information which, in relation to the risks, could have a high impact on the rights and freedoms of its clients if those risks materialized, as can be seen from OPENBANK's own analysis in its documents entitled “Impact Assessment - Monitoring of clients and sensitive operations”, both in the August 2021 version and in the October 2022 version. The fact that the complaining party drew attention to this point by sending an email to the address indicated for sending the financial documentation, without obtaining any response from OPENBANK, further evidences the lack of awareness on this issue, given that no alternative means of delivery was provided either, not even when he requested it. That is, what this Agency considers violated in this case is not only that OPENBANK, at the time of the events, had not carried out, before or during the processing in question, an analysis that would ensure compliance with the data protection principles, nor adopted measures appropriate to the risk to the rights and freedoms of the data subjects, but also that OPENBANK did not give the data subject's “concern” an adequate response, all of which only demonstrates the non-adoption of the principles of data protection by design and by default.<br />
<br />
Regarding the analyses carried out by OPENBANK in the documents entitled “Impact Assessment - Monitoring of clients and sensitive operations”: in the August 2021 version, which was not even in force at the time of the events that are the subject of the claim (which took place in July 2021), the only possibility foreseen for clients to send information was through an encrypted message, with the password sent through another channel. Even so, that document mentions that “an internal request has been made so that data subjects can upload documents directly through the website, once they have logged in.” However, it has been verified that the complaining party was never given that possibility, neither in the initial communication sent by OPENBANK nor subsequently, when he requested a secure alternative route for sending that communication. It was also found that the communication template sent to clients mentioned none of these options; it only mentioned the possibility of replying to the email that had been sent, without giving any further instructions on how that information could be protected.<br />
<br />
<br />
It is curious that, despite not providing its clients with any sufficiently secure means to provide the information they were obliged to provide, both documents, in their 2021 and 2022 versions, recognize that the risk inherent in such processing had a high impact on the rights and freedoms of the data subjects.<br />
<br />
And yet it is only in the October 2022 version that OPENBANK indicates that “customers will identify themselves by means of a DNI and access code to the private customer area”.<br />
<br />
Finally, OPENBANK alleges that in no case has it failed to respond to the concerns of the complaining party, nor can that response be considered to contain any threat of any kind, as indicated in the Proposed Resolution. OPENBANK limited itself to highlighting that the absence of information about the origin of the funds in the disputed deposits would require OPENBANK to block the account, as there could be indications, due to non-compliance with the anti-money-laundering regulations, of illicit conduct on the part of its client.<br />
<br />
In this regard, this Agency wishes to point out that the complaining party was not given a satisfactory response to his concern, since he was not provided with an adequate means to provide the information requested by OPENBANK under Chapter II of the LPBCFT.<br />
<br />
In any case, it is worth clarifying at this point that what OPENBANK calls a “concern” on the part of the client is nothing more than a person, its client, seeking to give effect to his Fundamental Right to the Protection of Personal Data.<br />
<br />
As to whether there was any type of threat to the complaining party, we wish to recall the content of the customer communication template in force in July 2021:<br />
<br />
“Second communication: D+16<br />
(…)<br />
In the event of not receiving the requested documentation within the next 15 days counting from the date of this communication, we inform you that Openbank may prevent new deposits from being made into your accounts, in compliance with the regulations in force. (…)” (emphasis added)<br />
<br />
And the email sent to the complaining party on July 7, 2021 by OPENBANK said the following:<br />
<br />
“Dear Mr. A.A.A.<br />
(…)<br />
If the requested documentation is not received within 15 days from the date of this notice, Openbank may, in compliance with the applicable regulations, prevent new deposits from being made into your accounts. (…)” (emphasis added)<br />
<br />
<br />
The communications sent by OPENBANK to clients (among them the complaining party), which request the sending of the documentation under Chapter II of the LPBCFT, contain a notice that, if that documentation is not sent within 15 days, OPENBANK may prevent new deposits into their accounts.<br />
<br />
<br />
The dictionary of the Royal Spanish Academy explains that a “threat” is a “statement or act by which someone is threatened”, while “to threaten” is, “said of something bad or harmful: to present itself as imminent to someone or something”, and also “to give indications of going to suffer something bad or harmful.”<br />
<br />
Blocking new deposits into customer accounts is, of course, something bad or harmful for those who suffer it, however much it may be justified, as OPENBANK says, because “there may be indications, due to non-compliance with the anti-money-laundering regulations, of illicit conduct on the part of its client.”<br />
<br />
Including this information in communications addressed to clients leads them to send the requested documentation even if they are not provided with the appropriate means for doing so (as the complaining party had to do), for fear of the possible unfavourable consequences for them, in this case the blocking of their accounts.<br />
<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
THIRD.- ON THE VIOLATION OF THE NON BIS IN IDEM PRINCIPLE OR, SUBSIDIARILY, ON THE EXISTENCE OF A MEDIAL CONCURRENCE OF OFFENCES IN THE PRESENT CASE<br />
<br />
OPENBANK alleges that it is being punished twice for the same fact and for the violation of the same legal interest, on the grounds that it had not established adequate security measures for the transmission (and consequent receipt by OPENBANK) of what was erroneously considered “financial data” and, at the same time, had not adopted such measures from the design of the processing.<br />
<br />
Likewise, it alleges that, even if (which it denies) it were not considered that there was a double sanction for the same act in violation of the same protected legal interest, there was no doubt that the supposed absence of adequate security measures in the sending of documentation necessarily had its cause, in the opinion of the AEPD, in an inadequate risk analysis carried out by OPENBANK, as a result of which it had not foreseen the implementation of such measures. Thus, if the violation of the non bis in idem principle were denied, what was beyond doubt was the existence of a medial concurrence between both violations.<br />
<br />
OPENBANK cites the proposed resolution of this sanctioning procedure, in which the following is expressly stated in relation to the alleged violation of article 25 GDPR:<br />
<br />
“In this protocol, OPENBANK did not plan to offer its clients any communication channel with a high level of security, despite the fact that the sixth clause of the contract with its processor indicates that “electronic transfers of Customer Information over public or unsecured networks are carried out securely using appropriate encryption methods in accordance with Grupo Santander Policies.”<br />
<br />
By applying the aforementioned protocol, OPENBANK places the responsibility for secure communication on the client, who becomes the one who must ensure the confidentiality and integrity of their personal data. At this point, let us remember that, by virtue of the principle of proactive responsibility (accountability) enshrined in article 5.2 GDPR, the controller, in this case OPENBANK, is the one who must ensure the effective privacy and integrity of the personal data being processed.”<br />
<br />
<br />
OPENBANK indicates that the weight of the accusation of the alleged violation of Article 25 GDPR rests on the fact that it had not established, in the AEPD's opinion, “any communication channel with a high level of security”, transferring to the data subject the responsibility of ensuring “the confidentiality and integrity of their personal data”.<br />
<br />
That is to say, it is the Proposed Resolution itself that clearly indicates that the alleged lack of design of adequate technical and organizational measures refers specifically to the alleged lack of security measures in the sending of the documentation, subsequently making an assessment of the supposed ineffectiveness of email encryption to ensure the integrity and confidentiality of the data.<br />
<br />
Accordingly, OPENBANK finds it certainly surprising that the Proposed Resolution itself states elsewhere that, in the present case, when speaking of the technical and organizational measures appropriate to the risk, it is not referring to the measures related to the sending of documentation, whose supposed absence is what gave rise to the communication addressed by the complaining party to OPENBANK.<br />
<br />
In this regard, this Agency reiterates that a new wording will be given to the subsequent legal grounds, as indicated above.<br />
<br />
<br />
OPENBANK alleges that, to support the alleged differentiation and, failing that, the disconnection between both infringements, the AEPD points out in legal ground III of the Proposed Resolution that the alleged violation of article 25 GDPR does not refer to the failure to take specific measures in the sending of the documents, but to the fact that those measures were not communicated to the complaining party when it expressed concern about the manner of sending them.<br />
<br />
However, OPENBANK understands that such an argument cannot be sustained, given that this alleged lack of communication would be caused by the fact that the security measures whose absence is attributed to OPENBANK, and which were subsequently implemented, did not exist at the time that concern was sent to OPENBANK.<br />
<br />
That is, we would simply be faced with the addition of a new element that does not alter the causal relationship between the infringements attributed to OPENBANK, given that the element now argued by the AEPD as the basis for the charge under article 25 GDPR (lack of attention to the concern expressed by the data subject, who, even though the Proposal might suggest the opposite, was indeed given a response) would have its cause in the fact that, in the opinion of the AEPD, no adequate security measures had been adopted because OPENBANK had allegedly failed to carry out an adequate analysis of the risks of the processing for the rights of the data subjects and to adopt such technical and organizational measures.<br />
<br />
And all this would return us to the initial conclusion already expressed by OPENBANK: a double sanction is being imposed for the same acts and for the alleged violation of the same legal interest or, at least, one of the alleged violations is the direct cause of, and subsumes, the other, to the point that if the first had not been committed, the second would not have been committed either.<br />
<br />
To this end, OPENBANK indicates that it is paradigmatic to observe how, despite its enormous effort, the Proposed Resolution does nothing more than ratify what was alleged in the Initiation Agreement, when the following is indicated on page 64 of the Proposal:<br />
<br />
“From the examination of the proven facts and the documentation in the file, two infringements can be clearly differentiated, based on different facts and grounds. The commission of the violation of article 32 GDPR arises from OPENBANK's documentation requirement for clients (and specifically the complaining party) following the communication provided for this purpose, in which the client is not informed of any secure means to provide the requested information. Not even when the client asks the bank for an alternative means, as happened in the specific case of the complaining party, who had no choice but to send the documentation by email since, when OPENBANK was contacted so that another option could be provided, this did not happen.<br />
<br />
Therefore, no appropriate technical and organizational security measures were applied by OPENBANK to carry out the processing in question, in general or even in response to the request made by the complaining party, and data processing is carried out (remember that data collection is a processing operation according to article 4.2) GDPR) without adequate security measures to guarantee the confidentiality of the processing.<br />
<br />
On the other hand, the commission of the violation of article 25 GDPR is based on the fact that the OPENBANK protocol in force at the time of the events (March 2021) did not provide for informing clients of the method of sending the requested documentation. What is punished is the lack of design of an adequate system to comply with the principles of processing and the requirements of the GDPR and to guarantee the rights of data subjects.”<br />
<br />
<br />
That is, article 32 GDPR is considered violated because “the client is not informed of any secure means to provide the requested information”, and article 25 GDPR because the OPENBANK protocol “did not provide for informing clients of the method of sending the requested documentation”, which is exactly the same thing that has just been invoked as the reason for the charge under article 32 GDPR.<br />
<br />
First of all, this Agency would like to point out that the violation of article 25 GDPR and the violation of article 32 GDPR are classified as separate infringements, because they breach different provisions that protect different legal interests, as will be explained below. It is therefore something foreseen by the legislator: the violation of one of the provisions does not preclude the violation of the other, and this does not per se violate the non bis in idem principle.<br />
<br />
Likewise, although both infringements are classified as serious for the purposes of limitation periods in the LOPDGDD, they are set out in different sections of article 73 of the LOPDGDD:<br />
<br />
“(…)<br />
d) The failure to adopt those technical and organizational measures that are appropriate to effectively apply the principles of data protection by design, as well as the failure to integrate the necessary safeguards into the processing, in the terms required by article 25 of Regulation (EU) 2016/679.<br />
e) The failure to adopt appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for each of the specific purposes of the processing are processed, as required by article 25.2 of Regulation (EU) 2016/679.<br />
f) The failure to adopt those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.<br />
g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679. (…)”.<br />
<br />
<br />
Therefore, these are perfectly differentiated infractions.<br />
<br />
Secondly, article 31 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, LRJSP) establishes: “Facts that have already been punished criminally or administratively may not be sanctioned in cases in which identity of subject, fact and grounds is found.”<br />
<br />
In the present case, the infringement for violating article 25 GDPR is determined by inadequate data protection by design and by default, under which “the controller shall apply, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures”. These measures do not have to be strictly security measures, a matter that is covered specifically in article 32 GDPR with respect to the specific processing, for which “the controller and the processor shall apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk.”<br />
<br />
<br />
Article 25 GDPR is violated when the technical and organizational measures appropriate to effectively apply the principles of data protection by design have not been adopted, and when the necessary safeguards have not been integrated into the processing, in the terms required by article 25 of Regulation (EU) 2016/679, which may or may not occur due to the absence or deficiency of security measures. The technical and organizational measures to which article 25 GDPR refers in order to apply the data protection principles by design are not limited to strictly security measures.<br />
<br />
Holding otherwise would oversimplify the essence and spirit that inspires the GDPR, as well as the will of the legislator, since compliance with the GDPR is not limited to the implementation of technical and organizational security measures; it would mean, in the present case, reducing the guarantee required by Article 25 GDPR to its achievement through security measures alone, rendering the guarantees established by the GDPR de facto ineffective.<br />
<br />
<br />
In this sense, article 25 GDPR establishes:<br />
<br />
“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects” (emphasis added)<br />
<br />
<br />
This Agency reiterates that there are multiple technical or organizational measures that are not security measures and that can be implemented by the controller as a means to guarantee this principle.<br />
<br />
Article 32 GDPR, on the other hand, includes the obligation to implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk. Security measures. Only security.<br />
<br />
Furthermore, its objective is to guarantee a level of security appropriate to the risk, whereas in the case of article 25 GDPR the objective is the management of regulatory compliance with the GDPR as a whole. Therefore, as can be seen, the two articles pursue different purposes and protect different legal interests, although they may be related.<br />
<br />
Regarding the examination of non bis in idem, the Judgment of the National Court of 23 July 2021 (rec. 1/2017) provides that:<br />
<br />
<br />
“(…) In accordance with the legislation and case law set forth, the non bis in idem principle prevents punishing the same subject twice for the same act on the basis of the same grounds, the latter understood as the same legal interest protected by the sanctioning rules in question. Indeed, when the triple identity of subject, fact and grounds exists, the sum of sanctions creates a sanction unrelated to the proportionality judgment made by the legislator and materializes the imposition of a sanction not legally provided for, which also violates the principle of proportionality.<br />
<br />
But for it to be possible to speak of “bis in idem”, a triple identity between the terms compared must exist: objective (same facts), subjective (against the same subjects) and causal (for the same grounds or reason for punishing):<br />
<br />
a) Subjective identity assumes that the affected subject must be the same, whatever the nature of the judicial or administrative authority that prosecutes and regardless of who the accuser or the specific body that has resolved is, or whether the subject is tried alone or together with other affected parties.<br />
<br />
b) Factual identity assumes that the facts prosecuted are the same, and rules out the cases of real concurrence of infringements in which there is not one and the same illegal act but several.<br />
<br />
c) The identity of grounds or cause implies that sanctioning measures cannot concur if they respond to the same nature, that is, if they share the same teleological basis, which happens between criminal and administrative sanctions, but not between punitive and merely coercive ones.”<br />
<br />
Taking as reference what was previously explained in this sanctioning procedure, the non bis in idem principle has not been violated, since the violation of article 25 GDPR results from not having carried out adequate management of regulatory compliance, while the violation of art. 32 GDPR comes down to the absence and deficiency of the security measures (security only) detected, which exist regardless of the request made by the complaining party. Even if the complaining party had not made any request (many other clients will have limited themselves to sending the required documentation without considering anything), the security measures would, in themselves, be inadequate.<br />
<br />
And all this in the face of the allegations made by OPENBANK, which considers that both provisions require a single conduct, namely implementing appropriate security. This is not true, since article 25 GDPR is not restricted to guaranteeing security appropriate to the risk, but rather requires the adoption of measures that ensure the effective application of the data protection principles, compliance with the requirements of the GDPR and the protection of the rights of data subjects. And this not only through security measures, but through all types of appropriate technical or organizational measures.<br />
<br />
<br />
Furthermore, this Agency reiterates what was stated in the aforementioned proposed resolution.<br />
<br />
Regarding the violation of article 25 GDPR, it is worth remembering that Data Protection by Design and by Default (PDDD) is a legal obligation whose violation constitutes an infringement under article 83 GDPR.<br />
<br />
Data protection by design is part of the regulatory compliance management system, which involves conceiving and planning the processing, verifying its compliance and being able to demonstrate it, all framed in a process of review and continuous improvement in which privacy by design plays a fundamental role.<br />
<br />
Organizations must be concerned with establishing a true culture of data protection within the organization, in which data protection is integrated into their regulatory compliance policies from the very beginning of the design of the processing of personal data.<br />
<br />
For its part, the AEPD's “Privacy by Design Guide” defines it as follows: “Privacy by design (hereinafter, PbD) involves using a risk-management and proactive-responsibility-oriented approach to establish strategies that incorporate privacy protection throughout the life cycle of the object (whether it is a system, a hardware or software product, a service or a process). The life cycle of the object means all the stages it goes through, from its conception to its withdrawal, passing through the phases of development, putting into production, operation, maintenance and retirement.”<br />
<br />
<br />
And in the resolution of sanctioning procedure PS/00001/2021, this Agency considered that “Proactive responsibility implies the implementation of a GDPR compliance and management model that determines general compliance with data protection obligations. It includes the establishment, maintenance, updating and control of data protection policies in an organization, especially if it is a large company, - understood as the set of guidelines that govern the conduct of an organization, its practices, procedures and tools -, from privacy by design and by default, which guarantee compliance with the GDPR, prevent the materialization of risks and make it possible to demonstrate compliance.”<br />
<br />
<br />
In the present case, the lack of design of the processing by OPENBANK is evident, since the activity of collecting data from clients is not included in the so-called “treatment life cycle” of its Excel data protection impact assessment file (provided during the evidence period of this procedure); therefore, by not even foreseeing this activity, the risks present in the processing are neither identified nor evaluated, and the appropriate technical and organizational measures have not been applied to effectively implement the data protection principles (among others those provided for in article 5 GDPR, relating to confidentiality), to comply with the requirements of the GDPR and to protect the rights of data subjects.<br />
<br />
<br />
It has also become clear that the organisation did not have an<br />
appropriate procedure for properly responding to a customer's concern<br />
about a data protection issue, since in the present case the complaining party,<br />
in its email of July 10, 2021, expressed its disagreement with<br />
sending the data via an unencrypted email. It even states that<br />
it raised this with OPENBANK but was offered no other option. Furthermore, the complaining party<br />
suggested the very solution that OPENBANK later adopted, as it said: “…the<br />
bank does not offer the possibility to upload data securely, for example,<br />
through the client portal (…)”. And it requested that they “check the process from the<br />
point of view of data protection and, where appropriate, take the appropriate measures.”<br />
However, it was not until the start of this sanctioning procedure that<br />
OPENBANK reviewed this issue and adopted a new solution in order to<br />
comply with data protection regulations.<br />
<br />
As regards the infringement of article 32 of the GDPR, it is based on<br />
the fact that the only communication channel offered to clients (including the<br />
complaining party) for sending documents, as stated in the proven facts,<br />
was to reply to the email itself, and that this means of delivery was not<br />
appropriate given the risk that could exist for the rights and freedoms of the<br />
data subjects. In the specific case, OPENBANK did not provide its client with an<br />
appropriate means of providing the documentation, even despite the complaining<br />
party's warnings in this regard, so the documents were sent without<br />
adequate security measures.<br />
<br />
And this despite the fact that documents 4 and 5, submitted by OPENBANK together with its<br />
allegations and titled “Impact assessment - Customer monitoring and<br />
sensitive operations”, versions of August 2021 and October 2022 respectively, classify the<br />
risk as high impact in section “13. Security”. Moreover,<br />
the October 2022 version includes the following indication on page 43<br />
under “Control and residual risk”: “It has been ensured that the communication channels<br />
with clients arising from issues related to the prevention of money laundering<br />
and terrorist financing have the necessary technical measures to guarantee<br />
the protection of their personal data. Clients will identify themselves by means of their ID and<br />
access key to the private client area.”<br />
<br />
Subsidiarily, as regards the application of reinforced technical and organisational measures<br />
to the processing in question, it can be stated that the fact that a processing operation<br />
as a whole is not considered high risk and does not have to undergo a<br />
data protection impact assessment does not mean that security measures<br />
appropriate to the greatest risk presented by any of the<br />
activities or stages of the processing in question should not be applied, in accordance with<br />
article 32 of the GDPR. According to OPENBANK's approach, certain reinforced security<br />
measures would apply only to high-risk processing, but<br />
this idea does not correspond to what the GDPR establishes, where the measures must<br />
be appropriate to the risk present in each of the processing phases.<br />
<br />
In the processing cycle, which includes various different activities, the<br />
risk need not be uniform; there may be different levels of risk at the<br />
different stages of the processing, depending on the activities that make it up. And<br />
if there is a greater risk in one phase, even though the processing as a whole is not<br />
high risk, appropriate measures should be implemented.<br />
<br />
Consequently, these are two different facts with different legal bases. In<br />
article 25 of the GDPR, the legal interest protected is compliance with the GDPR<br />
as regards the obligation to design the processing in its entirety, identifying<br />
and assessing the risks to the rights and freedoms of data subjects in order to<br />
implement appropriate technical and organisational measures for the effective application of<br />
the data protection principles and to manage compliance with the<br />
GDPR. This has not happened in this case, as the possibility of clients sending the<br />
information required under Chapter II of the LPBCFT, and how to ensure<br />
compliance with the provisions of the GDPR in doing so, was never even assessed (neither before<br />
nor during the performance of the processing). Nor was any answer given to the<br />
concern, to the problem raised by the complaining party regarding the protection of<br />
its personal data in this matter. The system did not even have a planned<br />
alarm for any issue that could affect the rights and freedoms of<br />
clients regarding data protection, that is, a procedure implemented by the<br />
controller that would be triggered in the event of any failure of the<br />
system, whether alerted by a client, by an employee or detected by the<br />
company itself. In this case it was the submission of documentation containing financial data, but<br />
it could have been any data protection issue raised that affected the<br />
rights and freedoms of data subjects. On the contrary, the system limited itself to answering<br />
with an automatic response, without analysing the substance of what the complaining party<br />
raised and without providing a satisfactory answer (that is, without providing an<br />
appropriate means of sharing such information). And the controller,<br />
OPENBANK, also did not set to work after the client's request,<br />
implementing a system that would prevent its clients from being left helpless when they<br />
raise any question or problem regarding data protection.<br />
It should be remembered that this is a fundamental right. What is at stake are risks to<br />
the rights and freedoms of data subjects, and avoiding their materialisation. If nothing is<br />
put in place, in the terms of the preventive, risk-based system established by the<br />
GDPR, sooner or later the risk will materialise.<br />
<br />
For its part, article 32 GDPR refers to the security of processing, that is, to<br />
the protection of the personal data being processed through the application<br />
of measures that guarantee a level of security appropriate to the risk, as established by<br />
the controller. That provision was infringed in the present case, where<br />
OPENBANK carried out a processing operation in which it did not provide the<br />
data subject with a secure means of providing the information required by OPENBANK,<br />
which meant that in the specific case the complaining party had to send the<br />
requested documentation through a plain email, despite having<br />
asked the bank for an alternative means of doing so, which was not provided.<br />
All this despite the fact that OPENBANK recognises in its documents that the<br />
risk of impact on the rights and freedoms of data subjects was “high”.<br />
<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
Regarding the existence of a medial concurrence of infringements, in addition to what has already<br />
been stated, this Agency wishes to point out that article 29 of the LRJSP does not<br />
apply to the sanctioning regime imposed by the GDPR, given that the GDPR has its<br />
own principle of proportionality.<br />
<br />
And this is because the GDPR is a closed and complete system.<br />
<br />
The GDPR is a European rule directly applicable in the Member States, which<br />
contains a new, closed, complete and global system intended to guarantee the<br />
protection of personal data uniformly throughout the European<br />
Union.<br />
<br />
In relation, specifically and also, to the sanctioning regime provided for in it,<br />
its provisions are applicable immediately, directly and<br />
integrally, providing for a complete system without gaps that must be understood,<br />
interpreted and integrated in an absolute, complete and integral manner, its<br />
ultimate purpose being the effective and real guarantee of the fundamental right to<br />
personal data protection. The opposite would result in the loss of the<br />
guarantees of the rights and freedoms of citizens.<br />
<br />
<br />
In fact, a specific example of the absence of gaps in the GDPR system<br />
is article 83 of the GDPR, which determines the circumstances that can operate<br />
as aggravating or mitigating factors with respect to an infringement (art. 83.2 GDPR) or that<br />
specifies the rule applicable to a possible medial concurrence (art. 83.3<br />
GDPR).<br />
<br />
To the above we must add that the GDPR does not allow the Member States' legislators<br />
to develop or implement its provisions, except where<br />
the European legislator itself has specifically so provided, delimiting it very<br />
precisely (for example, the provision of art. 83.7 GDPR). The LOPDGDD only<br />
develops or specifies some aspects of the GDPR insofar as the latter allows it and with the<br />
scope that it allows.<br />
<br />
<br />
This is because the European legislator's intended purpose is to implement a<br />
uniform system throughout the European Union that guarantees the rights and freedoms of<br />
natural persons, corrects conduct contrary to the GDPR, encourages<br />
compliance and enables the free movement of such data.<br />
<br />
In this sense, recital 2 of the GDPR determines that:<br />
<br />
<br />
“(2) The principles of, and rules on the protection of natural persons with<br />
regard to the processing of their personal data should,<br />
whatever their nationality or residence, respect their fundamental rights and<br />
freedoms, in particular their right to the protection of personal data.<br />
This Regulation is intended to contribute to the accomplishment of an area of freedom,<br />
security and justice and of an economic union, to economic and social progress,<br />
to the strengthening and the convergence of the economies within the internal market,<br />
and to the well-being of natural persons.” (emphasis is ours)<br />
<br />
<br />
And recital 13 of the GDPR indicates that:<br />
<br />
“(13) In order to ensure a consistent level of protection for natural persons<br />
throughout the Union and to prevent divergences hampering the free movement of personal data<br />
within the internal market, a Regulation is necessary to<br />
provide legal certainty and transparency for economic operators,<br />
including micro, small and medium-sized enterprises, and to provide<br />
natural persons in all Member States with the same level of<br />
legally enforceable rights and obligations and responsibilities for<br />
controllers and processors, to ensure<br />
consistent monitoring of the processing of personal data, and equivalent<br />
sanctions in all Member States as well as effective cooperation<br />
between the supervisory authorities of different Member States. The proper<br />
functioning of the internal market requires that the free movement of personal<br />
data within the Union is not restricted or prohibited for reasons connected<br />
with the protection of natural persons with regard to the processing of<br />
personal data.” (emphasis is ours)<br />
<br />
<br />
In this system, the determining factor of the GDPR is not the fines. The corrective powers<br />
of the supervisory authorities provided for in art. 58.2 GDPR, read together with the<br />
provisions of art. 83 GDPR, show the prevalence of corrective measures<br />
over fines.<br />
<br />
<br />
Thus, art. 83.2 GDPR states that “Administrative fines shall, depending on the circumstances<br />
of each individual case, be imposed in addition to, or instead of, measures referred to in<br />
points (a) to (h) and (j) of Article 58(2).”<br />
<br />
In this way the corrective measures, which are all those provided for in art. 58.2<br />
GDPR except the fine, take precedence in this system, the financial fine being relegated<br />
to cases in which the circumstances of the specific case determine<br />
that a fine should be imposed together with corrective measures or instead of<br />
them.<br />
<br />
And all this with the purpose of enforcing compliance with the GDPR, preventing<br />
non-compliance, encouraging compliance and ensuring that infringement is not more profitable<br />
than compliance.<br />
<br />
<br />
Therefore, art. 83.1 GDPR provides that “Each supervisory authority shall ensure<br />
that the imposition of administrative fines pursuant to this Article in respect of<br />
infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in<br />
each individual case be effective, proportionate and dissuasive.”<br />
<br />
<br />
Fines must be effective, proportionate and dissuasive to achieve<br />
the purpose intended by the GDPR.<br />
<br />
For this system to work with all its guarantees, its various<br />
elements must be deployed in an integral and complete manner. Applying rules foreign<br />
to the GDPR when determining fines in each of the Member<br />
States under their national law, whether through aggravating or<br />
mitigating circumstances not provided for in the GDPR - or in the LOPDGDD in the Spanish case,<br />
where the GDPR itself allows it - or through a medial concurrence other than the one<br />
provided for in the GDPR, would reduce the effectiveness of the system, which would lose its meaning, its<br />
teleological purpose and the will of the legislator, with the result that the fines imposed<br />
for different infringements would cease to be effective, proportionate and dissuasive. This<br />
would also deprive data subjects of the effective guarantee of their<br />
rights and freedoms, weakening the uniform application of the GDPR and the<br />
mechanisms for protecting the rights and freedoms of citizens, and would be<br />
contrary to the spirit of the GDPR.<br />
<br />
The GDPR is endowed with its own principle of proportionality that must be<br />
applied in its strict terms.<br />
<br />
And this is because there is no legal gap: there is no supplementary application of art. 29 of the LRJSP.<br />
<br />
<br />
In addition to the above, it should be noted that there is no legal gap regarding the application<br />
of the medial concurrence. The GDPR does not allow, nor does the LOPDGDD require, the<br />
supplementary application of art. 29 of the LRJSP.<br />
<br />
<br />
In Title VIII of the LOPDGDD, on “Procedures in the event of possible<br />
infringement of data protection regulations”, article 63, which opens the Title,<br />
provides that “The procedures handled by the Spanish Data Protection Agency<br />
shall be governed by the provisions of Regulation (EU) 2016/679, by this<br />
organic law, by the regulatory provisions issued in its implementation and, insofar<br />
as they do not contradict them, on a subsidiary basis, by the general rules on<br />
administrative procedures.” Although there is a clear reference to the LPACAP, no<br />
subsidiary application is established in any way with respect to the LRJSP, which does not<br />
contain in its articles any provision whatsoever relating to administrative procedure.<br />
<br />
<br />
In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided for<br />
in art. 29 of the LRJSP, since the GDPR establishes its own and there is therefore<br />
no legal gap or subsidiary application of that article, nor is it possible to apply the<br />
paragraph relating to the medial concurrence, and for identical reasons.<br />
<br />
For its part, as regards the analysis of the specific case that is the subject of this sanctioning<br />
procedure, it should be noted that, leaving aside the non-application of art. 29 of the LRJSP<br />
for the reasons stated, there would in any event be no medial concurrence.<br />
<br />
Article 29.5 of the LRJSP establishes that “When the commission of an infringement<br />
necessarily entails the commission of another or others, only the<br />
sanction corresponding to the most serious infringement committed shall be imposed.”<br />
<br />
Well, a medial concurrence takes place when, in a specific case, the commission of<br />
one infringement is a necessary means for committing a different one.<br />
<br />
The established facts determine the commission of two different infringements, without the<br />
infringement of article 25 of the GDPR being, as OPENBANK asserts, the necessary<br />
means by which the infringement of article 32 of the GDPR occurs.<br />
<br />
It is possible that the controller, when applying<br />
privacy by design and by default in order to meet the requirements of the GDPR and<br />
protect the rights and freedoms of data subjects, and incorporating a<br />
data protection by design and by default approach, adopts technical and<br />
organisational security measures that do not guarantee a level of security appropriate to the<br />
risk to the rights and freedoms of natural persons.<br />
<br />
<br />
And vice versa, a controller may not have carried out a proper analysis<br />
of the measures that guarantee regulatory compliance in the<br />
organisation, but may nevertheless have adopted security measures that are<br />
appropriate, because they serve that purpose and were already implemented.<br />
<br />
As previously indicated, in the present case there is a<br />
lack of processing design by OPENBANK, since it did not<br />
include the activity of collecting customer data in the so-called “processing<br />
life cycle” of its Excel data protection impact assessment<br />
document (provided during the evidence phase of this<br />
procedure). Therefore, since this activity was not even foreseen, the<br />
appropriate technical and organisational measures were not applied to effectively apply the<br />
data protection principles (among others, confidentiality), comply with the<br />
GDPR requirements and protect the rights of data subjects.<br />
<br />
It has also become clear that the organisation did not have an<br />
appropriate procedure for properly responding to a customer's concern<br />
about a data protection issue, since in the present case the complaining party,<br />
in its email of July 10, 2021, expressed its disagreement with<br />
sending the data via an unencrypted email. It even states that<br />
it raised this with OPENBANK but was offered no other option. Furthermore, the complaining party<br />
suggested the very solution that OPENBANK later adopted, as it said: “…the<br />
bank does not offer the possibility to upload data securely, for example,<br />
through the client portal (…)”. And it requested that they “check the process from the<br />
point of view of data protection and, where appropriate, take the appropriate measures.”<br />
However, it was not until the start of this sanctioning procedure that<br />
OPENBANK reviewed this issue and adopted a new solution in order to<br />
comply with data protection regulations.<br />
<br />
<br />
As regards the infringement of article 32 of the GDPR, it is based on<br />
the fact that the only communication channel offered to clients (including the<br />
complaining party) for sending documents, as stated in the proven facts,<br />
was to reply to the email itself, and that this means of delivery was not<br />
appropriate given the risk that could exist for the rights and freedoms of the<br />
data subjects. In the specific case, OPENBANK did not provide its client with an<br />
appropriate means of providing the documentation, even despite the complaining<br />
party's warnings in this regard, so the documents were sent without<br />
adequate security measures.<br />
<br />
And this despite the fact that documents 4 and 5, submitted by OPENBANK together with its<br />
allegations and titled “Impact assessment - Customer monitoring and<br />
sensitive operations”, versions of August 2021 and October 2022 respectively, classify the<br />
risk as high impact in section “13. Security”. Moreover,<br />
the October 2022 version includes the following indication on page 43<br />
under “Control and residual risk”: “It has been ensured that the communication channels<br />
with clients arising from issues related to the prevention of money laundering<br />
and terrorist financing have the necessary technical measures to guarantee<br />
the protection of their personal data. Clients will identify themselves by means of their ID and<br />
access key to the private client area.”<br />
<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
FOURTH.- ABOUT OPENBANK'S COMPLIANCE WITH THE PRINCIPLE OF<br />
DATA PROTECTION BY DESIGN<br />
<br />
OPENBANK alleges that:<br />
<br />
<br />
• Privacy by design refers to the comprehensive analysis of the processing and<br />
of the risks that it may entail for the rights and freedoms of<br />
data subjects. Accordingly, this principle could only be considered to have<br />
been breached if it were proven that the sanctioned party had not carried<br />
out that process, so that the fact that its result does not<br />
coincide with what the AEPD considers appropriate does not imply a failure to<br />
comply with article 25 of the GDPR but, where appropriate, the infringement of another of<br />
its provisions.<br />
<br />
<br />
The AEPD in its Proposed Resolution does not even make a minimal assessment<br />
of this allegation, which it completely ignores, again trying to link<br />
the alleged non-compliance with the principle of privacy by design to the simple<br />
fact that the data subject was not offered an alternative means for sending<br />
the documents requested by OPENBANK to prove the origin of<br />
the funds of three transactions carried out there, as required by the<br />
LPBCFT.<br />
<br />
<br />
In this regard, this Agency wishes to point out that article 25 of the GDPR does not entail<br />
only a “comprehensive analysis of the processing and of the risks that it may<br />
entail for the rights and freedoms of data subjects”, but also requires<br />
that appropriate technical and organisational measures be applied to effectively implement<br />
the data protection principles and that the necessary safeguards be integrated<br />
to comply with the requirements of the GDPR and protect the rights of data subjects. In<br />
this sense, article 73.d) of the LOPDGDD considers a serious infringement, for the purposes<br />
of limitation periods, “The failure to adopt those technical and organisational measures<br />
that are appropriate to effectively apply the principles of data protection by<br />
design, as well as the failure to integrate the necessary safeguards in the<br />
processing, in the terms required by article 25 of Regulation (EU)<br />
2016/679”.<br />
<br />
In the present case, it is not only that the data subject (and<br />
clients in general) was not offered an alternative means for sending the documents<br />
requested under Chapter II of the LPBCFT, but rather that the<br />
controller did not foresee that processing at all, as is evident<br />
in the impact assessment document in force in July 2021 (document<br />
provided during the evidence phase of this sanctioning procedure), in which<br />
the aforementioned processing (the sending of such documentation by<br />
the clients) was not even contemplated. And only in August 2021 was that processing incorporated into<br />
the client monitoring impact assessment, although it was not until October<br />
2022 that the possibility for clients to send documentation<br />
through the OPENBANK client area was put in place, a possibility raised by the complaining party<br />
as early as July 2021 and one that the same 2021 document presented as<br />
a possibility to be implemented. And this without even taking into account that the same<br />
2021 impact assessment considered that the potential impact on the rights<br />
and freedoms of data subjects was high.<br />
<br />
OPENBANK also alleges that legal ground III of the Proposed<br />
Resolution adds an additional issue that was not in the Initiation Agreement<br />
and that is now incorporated into it in order to justify the change of focus<br />
in the imposition of this sanction: the lack of privacy by design is due to the fact that<br />
OPENBANK has not foreseen mechanisms that allow “feedback” to the analysis<br />
previously carried out and take into account the feedback that data subjects<br />
can provide to the controller.<br />
<br />
<br />
That is, privacy by design not only requires an analysis of the risks<br />
derived from the processing which, it must be said, in this case have not<br />
materialised in any way, but requires modifying the circumstances and<br />
characteristics of that processing on the basis of the feedback received from data subjects,<br />
so that, in response to a communication addressed to OPENBANK by a specific data subject,<br />
article 25 of the GDPR will only be considered complied with if OPENBANK<br />
modifies the risk assessment previously carried out and also modifies the<br />
technical and organisational measures that the processing entails, even when<br />
said feedback only refers to an alleged potential risk, never proven,<br />
reported by a single client.<br />
<br />
<br />
In this regard, this Agency wishes to point out that OPENBANK is correct in stating that<br />
data protection by design and by default implies adopting the mechanisms<br />
necessary to continually re-evaluate the processing carried out, which<br />
entails, among other measures, having “mechanisms that allow ‘feedback’ to the<br />
analysis previously carried out and take into account the feedback that data subjects<br />
can provide to the controller”, where applicable.<br />
<br />
<br />
Regarding the need for the risks derived from the processing to have<br />
materialised, it should be noted that article 25 of the GDPR does not require that such risks<br />
occur; on the contrary, it requires that appropriate measures be adopted<br />
precisely to prevent such risks from materialising.<br />
<br />
<br />
Finally, this Agency wishes to indicate that it is not claiming that, following a communication<br />
made by a specific data subject, “article 25 of the GDPR will only be considered complied with<br />
if OPENBANK modifies the previously carried out risk assessment and<br />
also modifies the technical and organisational measures that the processing entails,<br />
even if said feedback only refers to an alleged potential risk, never<br />
proven, reported by a single client.” Rather, in the present case no<br />
action at all was taken on the problems presented by the complaining<br />
party, nor has it been proven that mechanisms had been put in place<br />
to provide it with other means, more appropriate to the existing risk to<br />
its rights and freedoms, through which it could provide the information<br />
requested. What is more, in August 2021 the customer monitoring impact assessment<br />
document had already indicated that the impact on the rights and<br />
freedoms of data subjects was high and had already raised the possibility of<br />
clients providing the requested information through the bank's private area.<br />
But it was not until October 2022, more than a year later, that such a possibility was<br />
enabled. All this only shows that OPENBANK had not implemented<br />
a data protection by design and by default approach in its organisation,<br />
at least in relation to the processing that is the subject of this sanctioning procedure.<br />
<br />
OPENBANK alleges that it had carried out an adequate assessment of the risks<br />
derived from the processing, establishing the appropriate measures to mitigate them,<br />
including the adoption of measures related to the issue analysed in this<br />
file prior to the moment at which the complaining party contacted<br />
it, even if their implementation came later.<br />
<br />
And that at the time the events that gave rise to the present<br />
procedure occurred, OPENBANK had carried out an impact assessment on<br />
data protection in relation to the processing linked to compliance with the<br />
due diligence obligations provided for in the LPBCFT. That is, it had carried out<br />
a detailed analysis of the risks derived from the processing and implemented the<br />
appropriate measures to mitigate those risks. In this sense, the fact that the<br />
AEPD considers a measure supposedly insufficient cannot imply that it<br />
thereby denies that the measures were adopted, as the Proposed Resolution<br />
seems to indicate.<br />
<br />
In this regard, this Agency wishes to point out that document 4, provided together with the<br />
allegations to the agreement initiating this sanctioning procedure, indicates that it is<br />
dated August 2021, while the first email sent to the complaining party<br />
is from July 7, 2021. Therefore, this document postdates the events<br />
complained of.<br />
<br />
Regarding the analysis of the risks carried out in the aforementioned document, this Agency<br />
reiterates what has already been indicated above as to why article 25 of the GDPR<br />
is considered infringed.<br />
<br />
<br />
OPENBANK indicates that it has provided the various data protection impact assessments<br />
carried out in relation to this processing, although it cannot conceal its surprise that the<br />
administrative file does not contain the one sent in response to the request for evidence made<br />
by the AEPD, which was attached to the letter addressed by OPENBANK to the AEPD on<br />
December 19 (page 699 of the administrative file), a letter that does not appear accompanied<br />
by the aforementioned impact assessment.<br />
<br />
In this regard, this Agency wishes to point out that when the copy of the file was generated<br />
for sending to OPENBANK, the document with the impact assessment at the time of the<br />
In fact, since it is an Excel file, its contents do not appear in the generated copy, but the<br />
file is incorporated into this Agency's information systems and reference is made to its<br />
content both in the proven facts and in the legal grounds of this resolution.<br />
<br />
<br />
OPENBANK also alleges that the AEPD seems to deny any effect to the aforementioned<br />
documents, even going so far as to describe as an “alleged impact assessment” the one that<br />
provided for the establishment of mechanisms so that documents could be provided by data<br />
subjects in their private area of the website and the OPENBANK App, something expressly<br />
stated in the assessment carried out by OPENBANK.<br />
<br />
And at this point, OPENBANK wishes to clarify that the assessments provided (their content,<br />
actually) may not coincide with what the AEPD expects, but in no way can they be classified as<br />
“supposed” unless the Agency proves that it has evidence allowing such an assertion. OPENBANK<br />
understands that the consideration made by the AEPD lacks the slightest foundation and<br />
represents a very serious accusation against OPENBANK which, at the very least, should have<br />
some support allowing a document adopted by OPENBANK to be turned into a “supposed”<br />
document. At the same time, a document incorporating measures that, with greater or lesser<br />
speed, have actually been implemented by OPENBANK can hardly be classified as “supposed”.<br />
<br />
In this regard, this Agency wishes to point out that the documents provided by OPENBANK<br />
together with its allegations to the initiation agreement and during the evidence phase of this<br />
sanctioning procedure are not duly signed, making it impossible to verify their authenticity<br />
and integrity or to guarantee their date. Nor has this Agency entered into evaluating whether<br />
the content of the cited documents complies with the requirements demanded of a personal data<br />
protection impact assessment under the GDPR. Hence the qualification of “supposed” that this<br />
Agency made in its proposed resolution.<br />
<br />
<br />
OPENBANK alleges that the AEPD in no way proves that the risks it has invoked throughout the<br />
procedure have not only materialised, which in no case has happened, but that they actually<br />
exist, since it bases its reasoning on the alleged insufficiency of email as a means of<br />
communication, despite the fact that OPENBANK has already demonstrated the validity of this<br />
means for the transmission of information.<br />
<br />
In this regard, this Agency reiterates that article 25 of the GDPR does not require that such<br />
risks occur; on the contrary, it requires that appropriate measures be adopted precisely to<br />
prevent such risks from materialising.<br />
<br />
<br />
Likewise, OPENBANK alleges that, taking into consideration that both the AEPD and the EDPB<br />
consider that the assessment of the impact of processing on the rights of data subjects must<br />
be a dynamic and successively reviewed process, OPENBANK carried out successive assessments.<br />
However, the AEPD denies any value to the fact that this process entailed the subsequent<br />
adoption of other complementary measures for the provision of documents, given that the<br />
continuous review of processing, defended by the AEPD itself, is now considered by the AEPD a<br />
reactive process (even though at the time it occurred there was no claim on the matter) and a<br />
mere “patch”. And if “patch” is to be understood, according to the Dictionary of the Royal<br />
Spanish Academy, as a “provisional, and in the long run unsatisfactory, solution given to some<br />
problem”, it seems that this apparently insufficient solution is the one the AEPD considered<br />
applicable in this case.<br />
<br />
OPENBANK considers, at this point, that the proposed resolution cannot simultaneously maintain<br />
one idea and its opposite with the aim of sanctioning it: it is not possible to say that<br />
OPENBANK did not adopt measures from the design stage to minimise the risks of the processing<br />
through successive review of the impact assessments carried out in relation to it and, at the<br />
same time, to consider that the measures adopted as a consequence of that assessment, which<br />
coincide with those the AEPD considers appropriate, are a mere patch, that is, that they are<br />
not satisfactory to solve the supposed problem posed in relation to the means used to send<br />
documents.<br />
<br />
Nor is it possible to blame OPENBANK for the fact that the measures were not implemented<br />
“before the system was in operation”, referring again to the consideration of the implemented<br />
measures as a “patch”. As has already been said, OPENBANK has been obliged to require its<br />
clients to provide proof of the origin of funds, that is, to put the aforementioned “system”<br />
into operation, at least since the entry into force of the LPBCFT. And on that date there was<br />
no rule referring to the principle of privacy by design or to the obligation to carry out a<br />
data protection impact assessment, without prejudice to OPENBANK adopting the technical and<br />
organisational measures it considered appropriate to mitigate any risk the processing could<br />
pose to the right to the protection of its clients' personal data. The AEPD seems to consider<br />
that OPENBANK had to be aware of a series of obligations that, however, would not be adopted<br />
into a legal text until six years after the start of the processing and were not fully<br />
applicable until eight years had elapsed since that date.<br />
<br />
OPENBANK considers that it is not reasonable to require it to comply with unknown obligations,<br />
or to interrupt its processes for compliance with the anti-money-laundering regulations, with<br />
the consequent breach of those regulations, as a consequence of the entry into force of the<br />
GDPR, although in any case it reiterates that it carried out the corresponding data protection<br />
impact assessment and adopted technical and organisational measures that allowed it to mitigate<br />
any risks arising from the processing.<br />
<br />
In this regard, this Agency acknowledges that the use of the term “patch” in its proposed<br />
resolution may not have been the most accurate, which is why new wording will be given. This<br />
does not prevent this Agency from maintaining that OPENBANK has not implemented data protection<br />
by design and by default with regard to the processing that is the subject of this sanctioning<br />
procedure, for all the reasons previously detailed. The response was reactive rather than<br />
proactive, and was generated only once the data subject had raised the claim before the<br />
supervisory authority.<br />
<br />
Finally, this Agency reiterates that although it is true that the approach of the GDPR and the<br />
LOPDGDD was completely new with respect to the previous data protection regulations, it is no<br />
less true that OPENBANK had more than sufficient time, throughout the three years (six years if<br />
counted from the adoption of the GDPR text) that elapsed between the approval of the GDPR<br />
(April 2016), the date on which the GDPR became applicable (May 2018, which granted two long<br />
years for preparation and adaptation to the GDPR) and the facts that are the subject of the<br />
claim giving rise to this sanctioning procedure (July 2021), to adapt its processing to the<br />
provisions of articles 25 and 32 of the GDPR (four years if one bears in mind that the measures<br />
allowing customers to share the requested information through their private area were only<br />
adopted recently, in October 2022). Of course, it would have been impossible to have a data<br />
protection by design approach before carrying out the processing, when it began many years<br />
before the GDPR existed, but it is undeniable that the principle of data protection by design<br />
does not only imply that the measures should precede the processing; article 25 of the GDPR<br />
itself refers to “both at the time of the determination of the means for processing and at the<br />
time of the processing itself”, that is, not only beforehand but throughout the time the<br />
processing takes place and whenever the means of processing are determined, which is a decision<br />
that is also made over time, as the circumstances and possibilities of each moment change.<br />
<br />
For all the above reasons, this allegation is rejected.<br />
<br />
<br />
FIFTH.- REGARDING THE ALLEGED VIOLATION BY OPENBANK OF ARTICLE 32 OF THE GDPR<br />
<br />
It is alleged that the measure adopted by OPENBANK could not be considered contrary to the<br />
provisions of article 32 of the GDPR, the measure existing at the time the events occurred,<br />
that is, the sending of documentation proving the origin of funds, being appropriate in view<br />
of the risks the processing could pose to the rights of clients.<br />
<br />
And that in no case could it be concluded that email was not the appropriate means for making<br />
such submissions in view of what was stated by the National Cryptological Center, which, far<br />
from considering the use of email undesirable, showed how the main providers of this service<br />
had adopted measures aimed at encrypting and authenticating emails.<br />
<br />
It is acknowledged, however, that the report of the National Cryptological Center indicated<br />
that there are users who make “careless” use of the email service. Nevertheless, OPENBANK<br />
alleges that it is not possible for it to adopt the technical and organisational measures<br />
applicable to the data processing it carries out on the basis of the more or less careless use<br />
that users may make of email services, since this would shift to OPENBANK the responsibility<br />
for the actions of its clients, which in no way can be considered in accordance with the<br />
principle of responsibility enshrined in our sanctioning regulations.<br />
<br />
It is alleged that, in the face of these arguments, the proposed resolution, although it<br />
reproduces the content of the initiation agreement in its legal ground VIII, limits itself to<br />
refuting the allegations with the categorical statement that “this Agency does indeed doubt<br />
that email constitutes a secure means of communication for sending documentation when its<br />
confidentiality must be guaranteed, as is the case, and this is the reason for the imputation<br />
of the violation of article 32 of the GDPR”, subsequently invoking what was stated in the<br />
aforementioned report of the National Cryptological Center.<br />
<br />
In this sense, OPENBANK alleges that, barring error on its part, in the numerous reports,<br />
resolutions, guides and directives of the AEPD, as well as in those issued by the EDPB, there<br />
is no known indication that would allow OPENBANK to consider that the use of email should be a<br />
measure to be prohibited as far as the receipt of personal data for subsequent processing is<br />
concerned. There is no doubt that this means constitutes the usual and customary technique of<br />
communication between subjects bound by data protection regulations, in any sector of<br />
activity, and their clients, and yet it is not known to have been questioned by the AEPD until<br />
the present sanctioning file.<br />
<br />
This represents a change of criteria that, at the very least, can be described as surprising<br />
for OPENBANK and which, however, entails the imposition of sanctions for a total amount of<br />
2,500,000 euros. And this sanction is imposed on the basis of the mere existence of a<br />
communication addressed to OPENBANK by a client in which the occurrence, and much less the<br />
materialisation, of a risk to their right to data protection is in no way proven. Thus, we<br />
would be facing what the ruling of the Contentious-Administrative Chamber of the National Court<br />
of December 23, 2022 (appeal 104/2021) qualifies as “a potential infringement that is not<br />
punishable under the data protection regulations”.<br />
<br />
<br />
In this regard, this Agency wishes to point out that, in the present case, because of the<br />
special protection required by the data provided by clients, owing to the greater risk they<br />
posed to their rights and freedoms, as explained in detail above, reinforced security measures<br />
had to be adopted.<br />
<br />
<br />
In the present case, this Agency considers that sending the information requested under<br />
Chapter II of the LPBCFT by simple email was not an appropriate measure in view of the risk to<br />
the rights and freedoms of natural persons. And this not only because of the careless use that<br />
could be made of email. The aforementioned report of the National Cryptological Center<br />
indicated that some of the measures referred to, adopted by the best-known mail providers, were<br />
susceptible to attack and that, even if communication were established satisfactorily, the<br />
mail servers through which the email passes until reaching its destination would have access<br />
to its content. Hence it concluded that “it follows that it is not enough to delegate email<br />
security to the underlying technologies responsible for delivering it to its addressee”.<br />
<br />
Nor did the client monitoring protocols provide for any kind of assistance to clients to<br />
encrypt the documents sent, or any other facility, so the information sent by email could not<br />
be expected to carry such an additional security measure either, which is not widespread among<br />
users and requires certain technical knowledge. In this sense, this Agency indicated that<br />
making security depend on the client's own level of technical knowledge and on the client<br />
having the appropriate tools entailed a transfer of risk from OPENBANK to the client.<br />
<br />
<br />
Regarding the argument that OPENBANK would have to adopt the measures on the basis of the more<br />
or less careless use that users may make of email services, this Agency considers that this is<br />
not a matter of transferring to OPENBANK the risk for the actions of its clients; rather, it is<br />
a risk that is more than probable and foreseeable, which OPENBANK should have evaluated and<br />
tried to prevent from occurring, especially taking into account that the bank itself assessed<br />
that the impact such processing could have on the rights and freedoms of natural persons was<br />
high, as stated in the impact assessment of August 2021.<br />
<br />
As to the fact that neither in the reports, resolutions, guides and directives of the AEPD nor<br />
in those of the EDPB is there any known indication that would allow OPENBANK to consider that<br />
the use of email should be a measure to be prohibited as far as the receipt of personal data<br />
for subsequent processing is concerned, it must be remembered that it is not the case that<br />
sending email constitutes an insecure means in every case and with respect to any processing,<br />
but it is undeniable that in the present case it was not an appropriate means for sharing the<br />
information required under Chapter II of the LPBCFT, which required the adoption of certain<br />
reinforced measures.<br />
<br />
Regarding the fact that a fine of 2,500,000 euros is imposed on the basis of a communication<br />
addressed to OPENBANK by a client in which the materialisation of a risk to their right to data<br />
protection is not proven, this Agency wishes to point out that, although the violation of<br />
article 32 of the GDPR came to light as a result of a complaint from an OPENBANK client, it is<br />
no less true that the infringement found concerns not only that client but all OPENBANK<br />
clients, since the only possibility offered to its clients for sending the documentation<br />
requested under Chapter II of the LPBCFT until October 2022 was to send that information by<br />
simple email. And regarding the fact that the risk to their rights and freedoms did not<br />
materialise, this Agency points out that article 32 of the GDPR does not require that such a<br />
risk materialise; on the contrary, it is about taking appropriate measures to prevent such a<br />
risk from materialising. Therefore, the present case is not “a potential infringement that is<br />
not punishable under the data protection regulations”; rather, it has been found that the<br />
measures adopted for sending the documentation requested under Chapter II of the LPBCFT were<br />
not appropriate in view of the increased risk that this information could entail for the<br />
rights and freedoms of natural persons.<br />
<br />
Finally, OPENBANK wishes to clarify what it provided as Document number 9 together with its<br />
brief of allegations to the initiation agreement (page 654 of the administrative file), a<br />
certification issued by OPENBANK's Director of Technology and Operations, which stated<br />
literally the following:<br />
<br />
“That in accordance with what is defined in Openbank's Technological Development Plan, as of<br />
October 13, 2022, the entity has enabled within the private area of the website (access<br />
username and password required) a space for clients to provide the documentation required in<br />
compliance with the provisions of article 6 of Law 10/2010, of April 28, on the prevention of<br />
money laundering and terrorist financing, whose text reads as follows:<br />
“Article 6. Continuous monitoring of the business relationship.<br />
The obligated subjects shall apply continuous monitoring measures to the business<br />
relationship, including scrutiny of the operations carried out throughout that relationship<br />
in order to ensure that they are consistent with the obligated subject's knowledge of the<br />
client and of its business and risk profile, including the source of funds, and ensure that<br />
the documents, data and information available are kept up to date.”<br />
<br />
<br />
And that the proposed resolution merely indicates that OPENBANK does not prove the date on<br />
which the described procedure was made available to its clients.<br />
<br />
In this regard, this Agency wishes to point out that it is established that on October 13,<br />
2022 the possibility for customers to provide the information required under Chapter II of the<br />
LPBCFT through their private area of the OPENBANK website was enabled.<br />
<br />
SIXTH.- ABOUT THE VIOLATION OF THE PRINCIPLE OF<br />
PROPORTIONALITY<br />
<br />
OPENBANK alleges that the aggravating circumstances for the violation of article 25 of the GDPR<br />
and of article 32 of the GDPR set out in the proposed resolution contain almost literally the<br />
same considerations, which, in its opinion, only highlights the absolute identity of the two<br />
conducts imputed to OPENBANK, so that the non bis in idem principle, already invoked<br />
previously, is applicable.<br />
<br />
In this regard, this Agency reiterates what has already been stated in its response to the alleged<br />
violation of the non bis in idem principle.<br />
<br />
<br />
OPENBANK points out that the AEPD considers the sanction proportionate, given that it is<br />
significantly lower than the 885 million euros constituting 2% of the turnover of Grupo<br />
Santander, to which OPENBANK belongs, in the year 2021, and that for this purpose it invokes<br />
the case law of the Court of Justice of the European Union on the meaning of the term<br />
“company”, citing various judgments.<br />
<br />
However, OPENBANK considers it necessary to disagree with this consideration, given that the<br />
AEPD has in no way demonstrated at any point in the procedure that, beyond holding 100% of<br />
OPENBANK's share capital, the Santander Group plays a decision-making role in OPENBANK's<br />
policies and, even less so, that OPENBANK's actions regarding compliance with data protection<br />
regulations (including the conduct of data protection impact assessments or the determination<br />
of the technical or organisational measures to be adopted in relation to a given processing)<br />
derive from, or are even minimally interfered with by, the Santander Group, this power of<br />
influence being the determining factor used by the case law invoked in the proposed resolution<br />
for the concept of company established in Union law to apply and, therefore, for the amount of<br />
the penalty to be calculated on the basis of the turnover of the Santander Group and not<br />
exclusively that of OPENBANK.<br />
<br />
<br />
And in this sense, it is necessary to reiterate that it is for the AEPD to prove that<br />
decision-making power, beyond the ownership of the shareholding, and no evidence has been<br />
produced to this effect. On the contrary, as is evident at first glance simply by consulting<br />
their websites, the privacy policies of OPENBANK and of the other Santander Group companies<br />
are different, with OPENBANK having a data protection officer who maintains no links with<br />
those of the other Group companies.<br />
<br />
Therefore, it is not possible to carry out the calculation established in the proposed<br />
resolution, which, at most, must be carried out on OPENBANK's turnover, even though OPENBANK<br />
is a company forming part of the Santander Group.<br />
<br />
On the contrary, as is evident at first glance simply by consulting their websites, the<br />
privacy policies of OPENBANK and of the other Santander Group companies are different, with<br />
OPENBANK having a data protection officer who maintains no connection with those of the<br />
remaining Group companies.<br />
<br />
In this regard, this Agency wishes to recall that, as stated in the Santander Group's “Annual<br />
Report 2021”, Banco Santander S.A. holds 100% of the direct shareholding in OPENBANK, as well<br />
as 100% of the voting rights in OPENBANK.<br />
<br />
Therefore, the decision-making power that Banco Santander S.A. has over OPENBANK is more than<br />
decisive; it is absolute. Having different privacy policies or a data protection officer<br />
without any connection to those of the remaining Group companies would not change this<br />
situation either.<br />
<br />
In this sense, article 39.1 “Functions of the data protection officer” of the GDPR states<br />
that:<br />
<br />
"1. The data protection officer will have at least the following functions:<br />
a) to inform and advise the controller or the processor and the employees who carry out<br />
processing of their obligations pursuant to this Regulation and to other Union or Member<br />
State data protection provisions;<br />
b) to monitor compliance with this Regulation, with other Union or Member State data<br />
protection provisions and with the policies of the controller or processor in relation to<br />
the protection of personal data, including the assignment of responsibilities,<br />
awareness-raising and training of staff involved in processing operations, and the related<br />
audits;<br />
c) to provide advice where requested as regards the data protection impact assessment and<br />
monitor its performance pursuant to Article 35;<br />
d) to cooperate with the supervisory authority;<br />
e) to act as the contact point for the supervisory authority on issues relating to<br />
processing, including the prior consultation referred to in Article 36, and to consult,<br />
where appropriate, with regard to any other matter.”<br />
<br />
<br />
As can be seen, none of these functions makes any reference to the data protection officer<br />
having any kind of decision-making power, which is logically reserved to the controller of the<br />
personal data processing.<br />
<br />
Therefore, this claim is rejected.<br />
<br />
<br />
OPENBANK alleges that the proposed resolution considers that it is not appropriate to take<br />
into account the measures adopted to allow the upload of documents relating to the origin of<br />
funds through the clients' private area, yet without providing a single argument to this<br />
effect.<br />
<br />
<br />
And that, however, the AEPD is perfectly aware that such a measure had already been agreed as<br />
a corrective measure at the time of the data protection impact assessment carried out in<br />
August 2021 and recorded in the file, although, as the AEPD knows perfectly well, the<br />
implementation of technical measures within an organisation like OPENBANK involves successive<br />
processes that extend over time.<br />
<br />
On the contrary, OPENBANK alleges that the proposal does not hesitate to consider that the fact<br />
that this measure was adopted must harm or aggravate the bank's conduct, given that,<br />
surprisingly, the AEPD understands that this corroborates OPENBANK's lack of diligence, which<br />
is incomprehensible, since it would penalise whoever adopts a process even more protective<br />
than required, to the benefit of those who take no action in this regard.<br />
<br />
In this regard, this Agency wishes to point out that neither at the start of this sanctioning<br />
procedure (August 26, 2022), nor even at the signing of the initiation agreement setting out<br />
the aggravating factors for the violations of articles 25 and 32 of the GDPR (October 3, 2022),<br />
had OPENBANK yet implemented the possibility for clients to provide the information requested<br />
under Chapter II of the LPBCFT through their private area of the website, which was only<br />
enabled as of October 13, 2022, so it cannot be assessed as a mitigating factor. However, this<br />
circumstance has been taken into account when assessing the duration of the infringements and<br />
in not imposing measures that OPENBANK must adopt in this regard.<br />
<br />
Regarding the claim that having adopted this measure seems to harm the bank, this Agency<br />
wishes to reject such a statement. It is not that it harms the bank; rather, this Agency<br />
considers that, given that the impact assessment document of August 2021 had already called<br />
for the implementation of such a measure, taking into account the possible high impact such<br />
processing could have on the rights and freedoms of natural persons, and that it was not until<br />
October 2022, more than a year later, that such a possibility was implemented, then, even<br />
though implementation processes require certain time frames, in the opinion of this Agency<br />
those time frames exceeded what is reasonable and showed a negligent attitude on the part of<br />
OPENBANK in this regard.<br />
<br />
Finally, this Agency wishes to stress that this criterion does not in any way “harm whoever<br />
adopts a process that is even more protective than required, to the benefit of those who do<br />
not carry out any measure in this sense”; on the contrary, whoever did not adopt any measure<br />
in this sense would obviously deserve greater reproach, their attitude would be assessed as<br />
even more seriously negligent, the duration of the violation would be longer and, in addition<br />
to the fine, measures to comply with the provisions of the GDPR would be imposed.<br />
<br />
Regarding the number of people affected by the processing, OPENBANK alleges that the proposed<br />
resolution contains two paragraphs that cannot be considered acceptable in any way on their<br />
own terms. In fact, the argument made by the AEPD on this point is, in its entirety, the<br />
following:<br />
<br />
“OPENBANK describes the application of this criterion as “a prioriism lacking<br />
<br />
of the slightest foundation.” However, it obeys the purest logic to consider<br />
that a sanction cannot be graduated in the same way when, due to the lack of<br />
With appropriate measures, the treatment potentially affects nearly two million<br />
of clients, as in the present case. If a person were punished in the same way<br />
entity with a small number of interested parties that could be potential<br />
<br />
affected than a large company, then the principle of<br />
proportionality.<br />
<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 58/77<br />
<br />
Furthermore, OPENBANK alleges that, according to the certificate provided by the bank, the number<br />
of clients affected by this type of operation is an average of close to 13,000 data subjects over<br />
the last two years, which confirms that the lack of appropriate technical and organizational<br />
measures can put a large number of people at risk, most of whom e-mailed personal data relating<br />
to their assets without any measure to protect its confidentiality.”<br />
<br />
OPENBANK indicates that the most basic rule of arithmetic leads to the conclusion that two million<br />
clients and 13,000 (in total, and not as an annual average) cannot be referred to as equal or<br />
equivalent terms. However, from the AEPD's reasoning it appears that both terms are treated as<br />
equal, given that the reproach contained in the Initiation Agreement, which only took into account<br />
the potential affectation of two million clients, is maintained in the Proposed Resolution, which<br />
nevertheless seems to consider 13,000 to be the figure that must be taken into account. It must<br />
also be borne in mind that the judgment of the National Court of December 23, 2022, already<br />
mentioned, denies the AEPD the power to impose sanctions for potential breaches of personal data<br />
protection regulations, and the doctrine upheld in that judgment is perfectly extrapolable to the<br />
present case.<br />
<br />
<br />
In this regard, this Agency reiterates that the present case does not concern “potential breaches<br />
of personal data protection regulations”: breaches of Articles 25 and 32 of the GDPR have actually<br />
taken place, even though the risks that those articles are intended to prevent, which is the<br />
purpose of such rules, have not materialized.<br />
<br />
<br />
Regarding the number of people affected, this Agency will take into consideration that the number<br />
of potentially affected persons is the total number of OPENBANK clients (two million clients), who<br />
are those from whom the bank could request the documentation required under Chapter II of the<br />
LPBCFT, while the number of directly affected data subjects has been 13,000 clients per year on<br />
average, which gives a total of 65,000 clients, counting 13,000 directly affected clients per year<br />
from May 2018 (when the GDPR became applicable) to October 2022 (when the possibility of providing<br />
the documentation through the private area of the bank's website was introduced). These are the<br />
clients from whom OPENBANK required documentation under Chapter II of the LPBCFT without providing<br />
them with an appropriate means of sending it.<br />
<br />
Regarding the alleged aggravation of the sanction as a consequence of the negligence found, and<br />
regardless of whether negligence concurred in its conduct, OPENBANK alleges that it follows from<br />
what the AEPD states that the existence of intent or negligence in the actions of a controller or<br />
processor must be taken into consideration to aggravate its liability, when in reality this cannot<br />
simply be considered an aggravating factor but is rather a sine qua non condition for liability to<br />
exist at all, as an essential element for a given conduct to be subject to sanctioning reproach.<br />
<br />
That is, with the AEPD's reasoning, the conclusion is reached that an element which must in any<br />
case be assessed in order to find an entity liable also operates as an aggravating factor. In this<br />
way, any infringement of the data protection regulations would be aggravated by the very fact on<br />
which liability for the infringement rests.<br />
<br />
In this regard, this Agency wishes to point out that the negligence found in OPENBANK's conduct is<br />
not the mere negligence required by our legal system as the subjective element of the<br />
infringement. It is especially serious negligence, since the company not only failed to carry out<br />
a proper analysis of the risks to the rights and freedoms of the data subjects that could arise<br />
from sharing the documentation required under the LPBCFT through a medium that was not<br />
sufficiently secure, and failed to adopt appropriate security measures to provide an environment<br />
that would not jeopardize the confidentiality of this information, but also, even when a client<br />
(as in the specific case of the complainant) requested an alternative means of providing the<br />
required documentation, that client was neither given a response to their concern nor provided<br />
with a secure means of communication for this purpose, nor was the request handled in a way that<br />
would have allowed the entity to re-evaluate the suitability of the chosen means of communication<br />
for sharing such information.<br />
<br />
<br />
OPENBANK also alleges that the Proposed Resolution refers to the nature of the data being processed<br />
as an aggravating circumstance, limiting itself to stating that it does not take into<br />
consideration the fact that they are classed as “financial data”, something that OPENBANK<br />
considers distorted. However, regardless of the nature of such data, what cannot be denied is that<br />
the AEPD has found the infringements referred to in the Proposed Resolution to have occurred on<br />
the basis of the nature of the data being processed, thereby converting what has been treated as<br />
an element of the offence into an aggravating circumstance, in violation of the most basic<br />
principles of administrative sanctioning law.<br />
<br />
In this regard, this Agency rejects that in the present case the nature of the data being processed<br />
constitutes an element of the offence. The obligation to adopt data protection by design and by<br />
default, as well as the obligation to have appropriate security measures based on the risk to the<br />
rights and freedoms of natural persons, must be fulfilled regardless of the nature of the data<br />
being processed. What is certain is that in the present case these are data that deserve special<br />
protection, so that the aggravating circumstance set out in Article 83(2)(g) of the GDPR clearly<br />
applies.<br />
<br />
<br />
Finally, OPENBANK alleges that the AEPD takes the bank's business or turnover into consideration<br />
repeatedly in order to aggravate the amount of the penalty. Thus, (i) first, this circumstance is<br />
taken into consideration to reinforce the potential impact of the facts; (ii) at the same time,<br />
with respect to negligence, OPENBANK's conduct is assessed on the understanding that, due to its<br />
sector of activity, special diligence is required of it; and (iii) finally, OPENBANK's business or<br />
turnover is considered to be linked to the performance of processing, which supposedly must entail<br />
a triple aggravation derived from this fact. That is, in the AEPD's view, when an entity belonging<br />
to the banking sector commits an alleged infringement, its conduct must be triply aggravated by<br />
the mere fact of what its activity is, which can hardly be considered consistent with the<br />
principle of proportionality.<br />
<br />
<br />
In this regard, this Agency wishes to point out that it only considers the bank's business or<br />
turnover to aggravate the amount of the sanction with respect to the aggravating factor set out in<br />
Article 76.2 of the LOPDGDD, on the link between the offender's activity and the processing of<br />
personal data, since OPENBANK's business activity requires continuous processing of personal<br />
data. However, it is no less true that, in assessing the degree of diligence required, the<br />
professionalism of the subject must also be considered, so that when the controller's activity<br />
involves “constant and abundant handling of personal data” greater diligence is required, in<br />
accordance with the Judgment of the National Court of 10/17/2007 (Rec. 63/2006).<br />
<br />
<br />
IV<br />
Assessment of the evidence taken<br />
<br />
The lack of a secure means of sending documentation in the “Protocol of communications to clients<br />
due to AML/FT alerts: OPENING AND MANAGEMENT OF GAPS, March 2021 version”, argued in the<br />
initiation agreement, gave rise to the need to verify effective compliance with the data<br />
protection principles in the processing in question, for which it was deemed appropriate to<br />
analyze the data protection impact assessment carried out by OPENBANK.<br />
<br />
On the occasion of the allegations submitted against the initiation agreement, document 4,<br />
“Impact Assessment - Monitoring of clients and sensitive operations (August 2021 version)”, and<br />
document 5, “Impact Assessment - Monitoring of clients and sensitive operations (October 2022<br />
version)”, were provided, and both documents were incorporated into the file of this procedure.<br />
However, neither of these documents was in force at the time of the events, since the request<br />
made by OPENBANK to the complainant occurred on July 7, 2021. Consequently, it was deemed<br />
appropriate to open an evidentiary period.<br />
<br />
The document provided by OPENBANK during the evidentiary period does not contemplate in its risk<br />
assessment the data collection activity that takes place when clients are required to send<br />
documentation in compliance with the LPBCFT, as occurred in the events that are the subject of<br />
this sanctioning procedure.<br />
<br />
IV<br />
Special protection of data provided under Chapter II of Law 10/2010, of April 28, on the<br />
prevention of money laundering and terrorist financing (LPBCFT)<br />
<br />
The need for special protection of personal data of a financial nature is a criterion shared by<br />
the European Data Protection Board (EDPB), which, in pursuit of the objective of ensuring the<br />
consistent application of the General Data Protection Regulation (entrusted to it by Article 70<br />
of the GDPR), has developed guidance to provide national supervisory authorities with a clear and<br />
transparent method for setting fines (Guidelines 04/2022 on the calculation of administrative<br />
fines under the GDPR).<br />
<br />
<br />
In section 4.2.3 of those Guidelines, the following is stated (unofficial translation):<br />
<br />
“Categories of personal data affected<br />
58. Regarding the requirement to take into account the categories of personal data affected<br />
(Article 83(2)(g) GDPR), the GDPR clearly highlights the types of data that deserve special<br />
protection and therefore a stricter response in terms of fines. This refers, at a minimum, to the<br />
types of data covered by Articles 9 and 10 of the GDPR, and to data outside the scope of those<br />
articles whose dissemination causes immediate harm or distress to the data subject (e.g. location<br />
data, data on private communications, national identification numbers or financial data, such as<br />
transaction summaries or credit card numbers).”<br />
<br />
For its part, Article 32 bis of Law 10/2010, added by Article 3.15 of Royal Decree-Law 7/2021, of<br />
April 27, requires reinforced measures from obliged subjects when processing personal data within<br />
the scope of that law:<br />
<br />
“… 4. Obliged subjects must carry out a data protection impact assessment of the processing<br />
referred to in this article in order to adopt reinforced technical and organizational measures to<br />
guarantee the integrity, confidentiality and availability of personal data. These measures must<br />
in any case guarantee the traceability of data access and communications.” (emphasis ours)<br />
<br />
In compliance with the LPBCFT, obliged entities may process financial data, but not only data of<br />
this category: personal data of diverse nature are also processed, such as identification,<br />
contact or economic data (business, professional, investment...). Data protection in compliance<br />
with the LPBCFT cannot be limited to the criteria applicable to just one of these data, when what<br />
is to be protected is access to the information that all these personal data represent, not only<br />
individually but in their joint processing.<br />
<br />
For its part, the “Guidelines on Data Protection Impact Assessment (DPIA) and determining whether<br />
processing is “likely to result in a high risk” for the purposes of Regulation (EU) 2016/679”,<br />
in what is relevant here, state:<br />
<br />
“In order to provide a more concrete set of processing operations that require a DPIA due to<br />
their inherent high risk (…) the following nine criteria: 1. Evaluation or scoring, including<br />
profiling and predicting, especially from “aspects concerning the data subject's performance at<br />
work, economic situation, health, personal preferences or interests, reliability or behaviour,<br />
location or movements” (recitals 71 and 91). Examples of this could include a financial<br />
institution that screens its customers against a credit reference database or against an<br />
anti-money laundering and counter-terrorist financing or fraud database…” (emphasis added).<br />
<br />
<br />
The activity carried out by OPENBANK under Chapter II of the LPBCFT, in which clients are asked to<br />
provide the “supporting documents that justify a certain income, since they will make it possible<br />
to clarify the origin of the funds that have been deposited in the client's account at OPENBANK”,<br />
is that of a financial institution that screens its clients against a possible anti-money<br />
laundering and terrorist financing database, and these are therefore operations likely to involve<br />
a higher risk.<br />
<br />
So much so that, precisely because they are operations likely to involve a higher risk, the LPBCFT<br />
itself considered it appropriate to incorporate the need to carry out a data protection impact<br />
assessment of the processing referred to in that article in order to adopt reinforced technical<br />
and organizational measures to guarantee the integrity, confidentiality and availability of<br />
personal data.<br />
<br />
For completeness, Chapter 9.2 of the Handbook on European data protection law, prepared by the<br />
European Union Agency for Fundamental Rights, the Council of Europe, the European Court of Human<br />
Rights and the European Data Protection Supervisor, states with regard to “financial data”:<br />
“Although financial data are not considered sensitive data under Convention 108 or the General<br />
Data Protection Regulation, their processing requires special safeguards to ensure the accuracy<br />
and security of the data. In particular, electronic payment systems need to incorporate data<br />
protection measures, that is, privacy or data protection by design and by default.” The mention<br />
of privacy protection in relation to electronic payment systems highlights their importance, but<br />
does not exclude that, in the same way, other financial data may require special safeguards, as<br />
occurs in the present case with the data collected under Chapter II of the LPBCFT.<br />
<br />
With regard to the AEPD's Guide on risk management and impact assessment in personal data<br />
processing, it distinguishes three types of economic data that must be assessed when determining<br />
the risk level of a given processing for the purposes of performing a DPIA, differentiating<br />
between these three data categories:<br />
• Data related to the “[e]conomic situation (e.g., without being exhaustive, personal income,<br />
monthly income, assets (movable/immovable property), employment situation)”. These data are<br />
assigned a “medium risk”.<br />
• Data related to the “[f]inancial status (e.g., without being exhaustive, financial maturity,<br />
debt capacity, debt level (personal loans, mortgages), solvency lists, defaults, assets<br />
(investment funds, returns generated, shares, accounts receivable, income received, etc.),<br />
liabilities (expenses on food, housing, education, health, taxes, payments of loans, credit cards<br />
or personal expenses, etc.; or debts or obligations)”. These data are also assigned a “medium<br />
risk”.<br />
• “Data on payment methods (e.g., without being exhaustive, credit cards and information for<br />
access to virtual currency services)”. These data are assigned a “high risk”.<br />
<br />
The documentation requested by OPENBANK pursuant to Chapter II of the LPBCFT, that is, “the<br />
documentary support related to the origin of funds deposited in your bank account (e.g. your<br />
payslip, employment contract, sales contract if it is a real estate transaction, donation or<br />
inheritance, the invoice for services provided that are paid by the beneficiary of those<br />
services, the resolution declaring the granting of a certain aid, etc.)”, contains data related<br />
to the economic situation and financial status of clients, which make it possible to determine a<br />
person's financial situation or solvency, and therefore require greater protection.<br />
<br />
Information on the origin of income in clients' bank accounts is closely related to those banking<br />
movements and contains data related to the economic situation and financial status of clients,<br />
which make it possible to determine a person's financial situation or solvency, which is why they<br />
require greater protection.<br />
<br />
In summary, all of the above means:<br />
<br />
1.- That the personal data requested under Chapter II of the LPBCFT deserve special protection,<br />
due to the greater risk they imply for the rights and freedoms of natural persons.<br />
<br />
2.- That obliged subjects must carry out a data protection impact assessment for this type of<br />
processing, in order to adopt reinforced technical and organizational measures to guarantee the<br />
integrity, confidentiality and availability of personal data.<br />
<br />
<br />
VI<br />
<br />
Data protection by design and by default<br />
<br />
Article 25 “Data protection by design and by default” of the GDPR establishes:<br />
<br />
“1. Taking into account the state of the art, the cost of implementation and the nature, scope,<br />
context and purposes of processing, as well as the risks of varying likelihood and severity for<br />
the rights and freedoms of natural persons posed by the processing, the controller shall, both at<br />
the time of the determination of the means for processing and at the time of the processing<br />
itself, implement appropriate technical and organisational measures, such as pseudonymisation,<br />
which are designed to implement data protection principles, such as data minimisation, in an<br />
effective manner and to integrate the necessary safeguards into the processing in order to meet<br />
the requirements of this Regulation and protect the rights of data subjects.<br />
<br />
2. The controller shall implement appropriate technical and organisational measures for ensuring<br />
that, by default, only personal data which are necessary for each specific purpose of the<br />
processing are processed. That obligation applies to the amount of personal data collected, the<br />
extent of their processing, the period of their storage and their accessibility. In particular,<br />
such measures shall ensure that by default personal data are not made accessible without the<br />
individual's intervention to an indefinite number of natural persons.<br />
<br />
3. An approved certification mechanism pursuant to Article 42 may be used as an element to<br />
demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”<br />
<br />
This article forms part of the general obligations that Chapter IV of the GDPR imposes on the<br />
controller, establishing a design obligation at the time of determining the means of processing<br />
which must ensure effective compliance with the data protection principles.<br />
<br />
In the present case, the lack of design of the processing by OPENBANK is evident, since the<br />
activity of collecting data from clients does not appear in the so-called “processing life cycle”<br />
of its data protection impact assessment Excel file (provided during the evidentiary period of<br />
this procedure) in force at the time of the events complained of. Therefore, since this activity<br />
was not even foreseen, appropriate technical and organizational measures have not been applied to<br />
effectively implement the data protection principles (among others, confidentiality), comply with<br />
the requirements of the GDPR and protect the rights of data subjects.<br />
<br />
Regarding the analyses carried out by OPENBANK in the documents called “Impact Assessment -<br />
Monitoring of clients and sensitive operations”, in the August 2021 version, which was not even<br />
in force at the time of the events that are the subject of the complaint, which took place in<br />
July 2021, the only possibility foreseen was for clients to send information through an encrypted<br />
message, sending the password through another channel. And that document even mentions that “an<br />
internal request has been made so that data subjects can upload documents directly through the<br />
website, once they have logged in.” However, it has been possible to verify that the complainant<br />
was never given that possibility, neither in the initial communication sent by OPENBANK nor<br />
subsequently when they requested a secure alternative channel for sending that communication. It<br />
was also found that the communication template sent to clients contained none of these options;<br />
it only mentioned the possibility of replying to the e-mail that had been sent, without giving<br />
further instructions on how such information could be protected.<br />
<br />
It is striking that, despite not providing its clients with any sufficiently secure means of<br />
submitting the information they were obliged to provide, both documents, in their 2021 and 2022<br />
versions, recognize that the risk inherent in such processing had a high impact on the rights and<br />
freedoms of the data subjects.<br />
<br />
And yet it is only in the October 2022 version that OPENBANK states that “customers will identify<br />
themselves by means of their DNI and access code to the private customer area”.<br />
<br />
What is certain is that the communication addressed to the client complied with the document<br />
provided by OPENBANK as the protocol for requesting documentation from clients under the LPBCFT,<br />
and that the communication addressed to clients indicated no means of providing that information<br />
beyond the possibility of replying to the aforementioned e-mail.<br />
<br />
In any case, to comply with data protection by design, and to do so effectively, it is not enough<br />
simply to have a protocol document or communication template if, on reviewing those documents, it<br />
turns out that they do not properly provide for the appropriate technical and organizational<br />
measures to effectively implement the data protection principles and integrate the necessary<br />
safeguards into the processing in order to comply with the requirements of the GDPR and protect<br />
the rights of data subjects, as provided in Article 25(1) of the GDPR.<br />
<br />
Nor is it sufficient to have documents that establish protocols or procedures to follow if, later<br />
in practice, when carrying out the processing, appropriate measures to implement the data<br />
protection principles are still not provided and the safeguards necessary to comply with the<br />
requirements of the GDPR are not integrated.<br />
<br />
<br />
In the present case, it has been proven that the impact assessment in force at the time of the<br />
events complained of did not contemplate the processing of the data provided by clients under<br />
Chapter II of the LPBCFT. And that in July 2021 the complainant was asked to send certain<br />
information, which could have a high impact on their rights and freedoms, by e-mail, without being<br />
given further instructions on how they could send such information through a secure channel.<br />
<br />
It has also been proven that the complainant had conveyed their concern in this regard to the<br />
bank and had requested that a secure means be provided to share such information. But, given the<br />
bank's refusal, they had no option other than to send the requested information by plain e-mail,<br />
to their displeasure and despite having expressed their reluctance. The complainant even expressly<br />
asked that their concern be taken into account and that a secure means be enabled in the future<br />
for sharing this type of information.<br />
<br />
However, in the August 2021 documents that OPENBANK provided together with its allegations<br />
against the initiation agreement, no other means is foreseen.<br />
<br />
From the content of the documentation in the file, the following has been proven:<br />
<br />
- That in “Annex I - Communications to clients to request information and/or documentation for<br />
AML” of the document “COMMUNICATIONS PROTOCOL TO CUSTOMERS FOR AML/CFT ALERTS: OPENING AND<br />
MANAGEMENT OF GAPS”, dated March 2021, the first communication addressed to the client, in which<br />
they are asked to prove the origin of the funds, neither provides for nor indicates a specific<br />
means by which they must provide such information to OPENBANK. And that the second communication<br />
addressed to the client likewise neither provides for nor indicates a means by which to provide<br />
such documentation to the bank; instead, its text includes the threat that if the requested<br />
documentation is not received within the next 15 days OPENBANK may prevent new deposits into<br />
their accounts.<br />
<br />
- That on July 7, 2021, OPENBANK requested the complainant to send documentation accrediting the<br />
origin of certain funds, under the threat that within 15 days it could prevent new deposits into<br />
their account, without indicating any means by which such information should be provided.<br />
<br />
<br />
- That on July 10, 2021, the complainant provided the requested documentation, expressing their<br />
disagreement because, when they asked about how to send such information, they were told to do<br />
so by e-mail, without further explanation. In the e-mail they sent, the complainant states that<br />
they do not consider it a secure means and that they are using this medium because they were<br />
forced to, and they even give as an example of a means offering guarantees the possibility of<br />
sending it “through the client portal”, a possibility that OPENBANK had not offered them. They<br />
also asked that the process be reviewed from the point of view of data protection and that<br />
appropriate measures be taken. However, this e-mail only received an automatic acknowledgment of<br />
receipt from the bank, on July 13, 2021.<br />
<br />
<br />
- In the document “Impact assessment - Monitoring of clients and sensitive operations”, dated<br />
August 2021, it is foreseen that the data subject can reply to the e-mail with an encrypted<br />
message, sending the password through another channel. And it had been requested that this could<br />
be done directly from the website section, once logged in.<br />
<br />
- In the document “Impact assessment - Monitoring of clients and sensitive operations”, dated<br />
October 2022, it is foreseen that clients will authenticate using their ID and access code to the<br />
private client area.<br />
<br />
- In the document “COMMUNICATIONS PROTOCOL TO CUSTOMERS FOR TRANSACTIONAL SURVEILLANCE ALERTS ON<br />
THE PREVENTION OF MONEY LAUNDERING AND TERRORIST FINANCING (PBC/FT)”, dated October 2022, it is<br />
indicated that clients will be told to upload the documentation through the private area of the<br />
OPENBANK website. And in “Annex I - Communications to clients to request information and/or<br />
documentation for an AML/CFT transactional surveillance alert” the client is instructed to send<br />
the documentation through the “Customer Area” of the OPENBANK website.<br />
<br />
That is, the protocol in force at the time of the events (March 2021) does not pre-<br />
<br />
provided information on the method of sending the requested documentation.<br />
gives.<br />
<br />
In July 2021, the complaining party drew attention to this issue in the email that he sent to OPENBANK on July 10, 2021. But<br />
the bank ignored it and did not even give him any answer to his concern, which clearly dealt with a question of personal<br />
data protection; this also shows the lack of an internal process at OPENBANK to channel these issues.<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 67/77<br />
<br />
In August 2021, OPENBANK foresaw the possibility for clients to send the referred documentation through an encrypted email,<br />
providing the password through another email (without specifying which one). And it is indicated that the possibility had<br />
been requested that this documentation could be provided through the customer area of the OPENBANK website.<br />
<br />
And it is not until October 2022 that the communication protocols and the documents of the supposed impact assessment on this<br />
issue specifically incorporate that clients can provide the requested documentation through the OPENBANK website, logging<br />
into their client area.<br />
<br />
That is, the solution of being able to provide this information through the client area was adopted a year and a half after<br />
the update of the March 2021 protocol was adopted, and more than a year after the complaining party had drawn attention to<br />
this specific issue and the alleged impact assessment document on this issue had already foreseen it as a possibility to be<br />
followed up.<br />
<br />
All of this shows that OPENBANK did not apply a data protection by design approach, neither before nor during the processing.<br />
<br />
<br />
In article 25 of the GDPR, the legal interest protected is compliance with the GDPR as regards the obligation to design the<br />
processing in its entirety, identifying and assessing the risks to the rights and freedoms of the data subjects and the<br />
effects of implementing appropriate technical and organizational measures for the effective application of the data<br />
protection principles, in order to comply with the GDPR; which has not happened in this case, since the possibility that<br />
clients submit the information required under Chapter II of the LPBCFT, and how to ensure compliance with the provisions of<br />
the GDPR in doing so, was not even evaluated (neither before nor during the processing). Nor was there even a response to the<br />
concern raised by the complaining party regarding the protection of their personal data in this matter. The system did not<br />
even have a planned alarm for any issue that could affect the rights and freedoms of clients in terms of data protection,<br />
that is, a procedure that would be set in motion in the event of any failure of the system itself. On the contrary, the<br />
system was limited to an automatic response, without analyzing the substance of what was raised by the complaining party and<br />
without providing a satisfactory response (that is, without providing an appropriate means of sharing such information).<br />
<br />
Therefore, in the present case, it is not only that the data subject (nor clients in general) was not offered an alternative<br />
means for sending the documents requested under Chapter II of the LPBCFT, but rather that in the impact assessment document<br />
in force in July 2021 (document provided during the evidence phase of this sanctioning procedure) the aforementioned<br />
processing (the sending of such documentation by the clients) was not even contemplated. And only in August 2021 was such<br />
processing incorporated into the customer monitoring impact assessment, although it was not until October 2022 that the<br />
possibility for clients to send documentation through the OPENBANK client area was incorporated, a possibility raised by the<br />
complaining party already in July 2021 and that the same 2021 document provided as a possibility to be implemented. And this<br />
is not even taking into account that the same 2021 impact assessment considered that the possible impact on the rights and<br />
freedoms of the data subjects was high.<br />
<br />
<br />
In accordance with the evidence available at the time of resolution of this sanctioning procedure, it is considered that the<br />
known facts constitute an infringement, attributable to OPENBANK, due to violation of article 25 of the GDPR.<br />
<br />
<br />
VII<br />
Classification of the violation of article 25 of the GDPR<br />
<br />
The aforementioned violation of article 25 of the GDPR implies the commission of the infringements typified in article 83.4<br />
of the GDPR, which under the heading “General conditions for imposing administrative fines” provides:<br />
<br />
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to<br />
EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial<br />
year, whichever is higher:<br />
<br />
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”<br />
<br />
<br />
For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:<br />
<br />
“Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial<br />
violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in<br />
particular the following:<br />
(…)<br />
d) The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the<br />
principles of data protection by design, as well as the non-integration of the necessary guarantees in the processing, in the<br />
terms required by article 25 of Regulation (EU) 2016/679. (…)”<br />
<br />
VIII<br />
Penalty for violation of article 25 of the GDPR<br />
<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence<br />
available at the time of resolution of the sanctioning procedure, it is considered appropriate to graduate the sanction to be<br />
imposed in accordance with the following criteria established in article 83.2 of the GDPR:<br />
<br />
As aggravating factors:<br />
<br />
<br />
- The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing<br />
operation concerned, as well as the number of data subjects affected and the level of damage suffered by them (section a):<br />
For not having applied appropriate technical and organizational measures, which guarantee the effective application of the<br />
principles of personal data protection and integrate the necessary guarantees, in order to comply with the requirements of<br />
the GDPR and protect the rights of two million potentially affected customers and 65,000 directly affected customers, at<br />
least from May 2018 to October 2022.<br />
<br />
Section 54.b.iv of EDPB Guidelines 04/2022 includes, as one of the circumstances to be assessed in the graduation of the<br />
sanction: “The number of data subjects specifically involved, but also potentially affected”, and clarifies in relation to<br />
this criterion: “The higher the number of data subjects involved, the more weight the supervisory authority may attribute to<br />
this factor. In many cases it can also be considered that the infringement takes on ‘systematic’ connotations and, therefore,<br />
can affect, even at different times, additional data subjects who have not submitted complaints or reports to the supervisory<br />
authority. The supervisory authority may, depending on the circumstances of the case, consider the relationship between the<br />
number of data subjects affected and the total number of data subjects in that context (for example, the number of citizens,<br />
clients or employees) in order to evaluate whether the violation is systemic in nature.”<br />
<br />
- Intentionality or negligence in the infringement (section b): OPENBANK has been seriously negligent, since the company at<br />
no time carried out a proper analysis of how to effectively apply the data protection principles and integrate the necessary<br />
guarantees in the sending of the documentation requested from clients under the LPBCFT, in order to comply with the<br />
requirements of the GDPR and protect the rights of the data subjects, not even when a client (as in the specific case of the<br />
complaining party) drew attention to this issue; nor was such a request given an appropriate course that would allow<br />
re-evaluating the adequacy of the means of communication chosen by the entity to share such information. Regarding the degree<br />
of diligence that the controller is obliged to deploy in compliance with the obligations imposed by data protection<br />
regulations, reference should be made to the Judgment of the National Court of 10/17/2007 (Rec. 63/2006). Although it was<br />
issued before the GDPR came into force, its pronouncement can be perfectly extrapolated to the case at hand. The cited<br />
Judgment, after alluding to the fact that entities whose activity involves continuous processing of customer and third-party<br />
data must observe an adequate level of diligence, stated that “(...) the Supreme Court has understood that imprudence exists<br />
whenever a legal duty of care is disregarded, that is, when the offender does not behave with the required diligence. And in<br />
the assessment of the degree of diligence, the professionalism or not of the subject must be especially considered, and there<br />
is no doubt that, in the case now examined, when the activity of the appellant is one of constant and abundant handling of<br />
personal data, rigor and exquisite care in complying with the legal preventions in this regard must be insisted upon.”<br />
<br />
<br />
- The categories of personal data affected by the infringement (section g): In the present case, the origin of various<br />
amounts received in the data subject's account is requested, which implies a greater risk to the rights and freedoms of the<br />
data subject, so these are data that deserve special protection.<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria<br />
established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:<br />
<br />
As an aggravating factor:<br />
<br />
- The link between the offender's activity and the processing of personal data (section b): The development of the business<br />
activity that OPENBANK performs requires continuous processing of personal data.<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and 76.2 of the LOPDGDD, with respect to the<br />
infringement committed by violating the provisions of article 25 of the GDPR, allows imposing a penalty of €1,500,000 (one<br />
million five hundred thousand euros).<br />
<br />
IX<br />
Security measures<br />
<br />
<br />
Article 32 “Security of processing” of the GDPR establishes:<br />
<br />
"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of<br />
processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the<br />
controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security<br />
appropriate to the risk, including inter alia as appropriate:<br />
<br />
a) the pseudonymisation and encryption of personal data;<br />
<br />
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and<br />
services;<br />
<br />
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or<br />
technical incident;<br />
<br />
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for<br />
ensuring the security of the processing.<br />
<br />
2. In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by<br />
processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access<br />
to personal data transmitted, stored or otherwise processed.<br />
<br />
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred<br />
to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1<br />
of this Article.<br />
<br />
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the<br />
controller or the processor who has access to personal data does not process them except on instructions from the<br />
controller, unless he or she is required to do so by Union or Member State law."<br />
<br />
In the present case, neither in the March 2021 protocol nor in the email sent by OPENBANK to the complaining party on July 7,<br />
2021 was any means of communication indicated for sending the documentation requested by OPENBANK. The only communication<br />
channel for sending documents was to reply to the email itself, since, furthermore, no other was offered to the customer.<br />
<br />
In the specific case, OPENBANK did not provide its client with an appropriate means to provide the documentation, even<br />
despite the warnings of the complaining party in this regard, so the sending was made without adequate security measures.<br />
<br />
And this despite the fact that documents 4 and 5 presented by OPENBANK together with its allegations, called “Impact<br />
evaluation - Customer monitoring and sensitive operations”, versions of August 2021 and October 2022 respectively, classify<br />
the risk as high impact in section “13. Security”. Only in the October 2022 version has the following indication been<br />
included on page 43 under “Control and residual risk”: “It has been ensured that the communication channels with clients<br />
arising from issues related to the prevention of money laundering and financing of terrorism have the necessary technical<br />
measures to guarantee the protection of their personal data. Clients will identify themselves by means of their ID and<br />
access key to the private client area.”<br />
<br />
In this sense, email cannot be considered an appropriate medium to guarantee a level of security appropriate to the risk in<br />
the sending of documentation that contains personal data of the kind provided under Chapter II of the LPBCFT, which require<br />
special protection, taking into account the regulations on the prevention of money laundering, the nature of the data being<br />
processed and the GDPR.<br />
<br />
<br />
Regarding email security, the “Good Practices Report” of May 2021, CCN-CERT BP02, from the National Cryptologic Centre, a<br />
service attached to the National Intelligence Centre, whose mission is to contribute to the improvement of Spanish<br />
cybersecurity, includes a series of email vulnerabilities and of the various ways in which they can be attacked, as well as<br />
security recommendations. Section 4.2 of said Report describes the “Security of communications via email”, with the<br />
following statements on pages 37 to 39:<br />
“The protocol involved in this sending process is SMTP. This protocol has been used since 1982 and, when it was implemented,<br />
security measures such as encryption or authentication of communications were not taken into account. This means that the<br />
entire sending process described above would be carried out in plain text, that is, at any point in the transmission an<br />
attacker could see and manipulate the content of emails. Due to these shortcomings in SMTP, various technologies and<br />
extensions have been developed that allow incorporating security measures to guarantee authentication, integrity and<br />
encryption of communications via email. Some of the best known technologies are STARTTLS, SPF, DKIM and DMARC… Although the<br />
best-known email providers such as Google, Yahoo and Outlook encrypt and authenticate emails using this type of technologies,<br />
many organizations continue to make careless use of email. Also keep in mind that these technologies must be implemented at<br />
both the source and the destination so that they can be used. Likewise, some of these measures are susceptible to attack.<br />
For example, STARTTLS is susceptible to downgrade attacks, where an attacker in a man-in-the-middle position may force the<br />
TLS negotiation not to be carried out (replacing the STARTTLS string would suffice). Even if TLS communication is<br />
established successfully, the mail servers through which the email passes until reaching the destination would have access<br />
to its content. From these facts, it follows that it is not enough to delegate email security to the underlying technologies<br />
in charge of sending it to its recipient.”<br />
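The downgrade the report describes, in an added example that is neither part of the AEPD decision nor code from the CCN-CERT report: a constructed EHLO reply is parsed, an opportunistic client is shown falling back to plain text once the STARTTLS line has been stripped, and the enforcing policy aborts instead; `send_with_enforced_tls` is a hypothetical helper on Python's standard smtplib and the host names are placeholders.<br />

```python
"""STARTTLS downgrade: opportunistic vs enforced TLS on an SMTP submission.

Added illustration, not part of the AEPD decision or the CCN-CERT report.
The EHLO replies below are constructed, not captured from any real server.
"""
import re
import smtplib
import ssl


class DowngradeRefused(Exception):
    """Raised when a policy of mandatory TLS cannot be honoured."""


# Constructed EHLO reply from a server that supports STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# The same reply after an on-path attacker has removed the STARTTLS line,
# the downgrade the CCN-CERT report describes. A client that treats TLS as
# optional will silently continue in plain text.
EHLO_DOWNGRADED = (
    "250-mail.example.test Hello [192.0.2.10]\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> set[str]:
    """Return the extension keywords advertised in an EHLO reply.

    The first line is the server greeting, not a capability, so it is
    skipped. Keywords are upper-cased because RFC 5321 allows either case.
    """
    caps: set[str] = set()
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        m = re.match(r"250[ -]([A-Za-z0-9]+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def choose_transport(caps: set[str], require_tls: bool = True) -> str:
    """Decide how to continue after EHLO.

    require_tls=True is the defensive setting: if STARTTLS is not advertised,
    abort rather than send credentials and message content in the clear.
    require_tls=False reproduces opportunistic behaviour, which is exactly
    what a downgrade attack exploits.
    """
    if "STARTTLS" in caps:
        return "starttls"
    if require_tls:
        raise DowngradeRefused("server did not advertise STARTTLS; refusing plain text")
    return "plaintext"


def downgrade_refused(reply: str) -> bool:
    """True when the enforcing policy aborts for this EHLO reply."""
    try:
        choose_transport(parse_ehlo(reply))
        return False
    except DowngradeRefused:
        return True


def send_with_enforced_tls(host: str, sender: str, recipient: str,
                           message: str, port: int = 587) -> None:
    """Hypothetical helper: submit a message only over a verified TLS session.

    ssl.create_default_context() validates the certificate chain and checks
    the host name, so an on-path attacker cannot simply present its own
    certificate. smtplib already refuses starttls() when the extension is
    not advertised; the explicit check keeps the policy visible and auditable.
    Even then only this hop is protected: every relay on the path still sees
    the content, which is why the report says transport security alone is
    not enough.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise DowngradeRefused(f"{host} did not offer STARTTLS")
        smtp.starttls(context=context)
        smtp.ehlo()  # capabilities must be re-read after the TLS handshake
        smtp.sendmail(sender, [recipient], message)


if __name__ == "__main__":
    for label, reply in (("genuine", EHLO_WITH_STARTTLS),
                         ("downgraded", EHLO_DOWNGRADED)):
        caps = parse_ehlo(reply)
        try:
            print(label, sorted(caps), "->", choose_transport(caps))
        except DowngradeRefused as exc:
            print(label, sorted(caps), "->", f"refused ({exc})")
```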
<br />
In light of the security deficiencies noted above, the need is evident to adopt reinforced measures to appropriately<br />
guarantee the integrity and confidentiality of personal data sent by email when personal data that deserve special<br />
protection are communicated, as in the present case; such measures have not been applied, which has posed a higher risk for<br />
OPENBANK clients who submit personal data through this medium.<br />
<br />
<br />
It should be noted that the GDPR does not establish a list of security measures applicable according to the data that is the<br />
object of processing, but, by virtue of the principle of accountability (proactive responsibility) of article 5.2 of the GDPR<br />
itself, which entails the requirement that the controller ensure the effective privacy and integrity of the data, both the<br />
controller and the processor shall apply technical and organizational measures appropriate to the risk that the processing<br />
entails, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of<br />
the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned.<br />
Furthermore, the controller must be able to demonstrate that he has implemented these measures and that they are appropriate<br />
to achieve the purpose pursued.<br />
<br />
Likewise, security measures must be appropriate and proportionate to the detected risk, noting that the determination of the<br />
technical and organizational measures must be carried out taking into account: pseudonymization and encryption, the ability<br />
to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data<br />
after an incident, and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.<br />
<br />
<br />
In any case, when evaluating the adequacy of the security level, particular account shall be taken of the risks presented by<br />
data processing, as a consequence of the accidental or unlawful destruction, loss or alteration of personal data transmitted,<br />
stored or otherwise processed, or the unauthorized disclosure of or access to said data, which could cause physical, material<br />
or immaterial damage.<br />
<br />
In this same sense, recital 83 of the GDPR states that:<br />
<br />
“(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or<br />
processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as<br />
encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the<br />
state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be<br />
protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data<br />
processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal<br />
data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”<br />
<br />
<br />
For all the above, the technical and organizational measures applied by OPENBANK in the request for information from its<br />
clients (and specifically from the complaining party), in compliance with anti-money laundering regulations, did not<br />
guarantee a level of security appropriate to the risk, as required by article 32 of the GDPR, by virtue of the nature of the<br />
personal data processed, which deserve special protection in terms of their confidentiality and integrity.<br />
<br />
Subsidiarily, regarding the application of reinforced technical and organizational measures to the processing in question,<br />
it can be stated that the fact that a processing as a whole is not considered high risk and does not have to undergo a data<br />
protection impact assessment does not mean that security measures appropriate to the risk presented by any of the activities<br />
or stages of the processing in question should not be applied, in accordance with the provisions of article 32 of the GDPR.<br />
<br />
In the processing cycle, which includes various and different activities, not all the risk has to be uniform; there may be<br />
different levels of risk in the different stages of the processing, depending on the activities that constitute it. And if<br />
there is a high risk in one phase, although not all of the processing is high risk, appropriate measures should be<br />
implemented.<br />
<br />
In accordance with the evidence available at the time of resolution of this sanctioning procedure, it is considered that the<br />
known facts constitute an infringement, attributable to OPENBANK, due to violation of article 32 of the GDPR.<br />
<br />
X<br />
Classification of the violation of article 32 of the GDPR<br />
<br />
The aforementioned violation of article 32 of the GDPR implies the commission of the infringements typified in article 83.4<br />
of the GDPR, which under the heading “General conditions for imposing administrative fines” provides:<br />
<br />
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to<br />
EUR 10 000 000, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial<br />
year, whichever is higher:<br />
<br />
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43; (…)”<br />
<br />
<br />
For the purposes of the limitation period, article 73 “Infringements considered serious” of the LOPDGDD indicates:<br />
<br />
“Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infringements that involve a substantial<br />
violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in<br />
particular the following:<br />
(…)<br />
f) The lack of adoption of those technical and organizational measures that are appropriate to guarantee a level of security<br />
adequate to the risk of the processing, in the terms required by article 32.1 of Regulation (EU) 2016/679.”<br />
<br />
XI<br />
Penalty for violation of article 32 of the GDPR<br />
<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence<br />
available at the time of resolution of the sanctioning procedure, it is considered appropriate to graduate the sanction to be<br />
imposed in accordance with the following criteria established in article 83.2 of the GDPR:<br />
<br />
<br />
As aggravating factors:<br />
<br />
- The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing<br />
operation concerned, as well as the number of data subjects affected and the level of damage suffered by them (section a):<br />
For not having an appropriate means for sending the documentation requested under the LPBCFT, from May 2018 to October 2022,<br />
directly affecting the rights and freedoms of 65,000 data subjects and potentially two million customers.<br />
<br />
Section 54.b.iv of EDPB Guidelines 04/2022 includes, as one of the circumstances to be assessed in the graduation of the<br />
sanction: “The number of data subjects specifically involved, but also potentially affected”, and clarifies in relation to<br />
this criterion: “The higher the number of data subjects involved, the more weight the supervisory authority may attribute to<br />
this factor. In many cases it can also be considered that the infringement takes on ‘systematic’ connotations and, therefore,<br />
can affect, even at different times, additional data subjects who have not submitted complaints or reports to the supervisory<br />
authority. The supervisory authority may, depending on the circumstances of the case, consider the relationship between the<br />
number of data subjects affected and the total number of data subjects in that context (for example, the number of citizens,<br />
clients or employees) in order to evaluate whether the violation is systemic in nature.”<br />
<br />
<br />
- Intentionality or negligence in the infringement (section b): OPENBANK has been seriously negligent in determining the<br />
means of sending the documentation required from clients under the LPBCFT, since the company at no time adopted appropriate<br />
security measures based on the risk to the rights and freedoms of natural persons, not even when a customer (as in the<br />
specific case of the complaining party) drew attention to this issue, and even when its own impact assessment document had<br />
indicated the need to adopt the sending of the information requested under the LPBCFT through the private area of the bank's<br />
website and had indicated that it was a high-impact processing for rights and freedoms. Regarding the degree of diligence<br />
that the controller is obliged to deploy in compliance with the obligations imposed by data protection regulations,<br />
reference should be made to the Judgment of the National Court of 10/17/2007 (Rec. 63/2006). Although it was issued before<br />
the GDPR came into force, its pronouncement can be perfectly extrapolated to the case at hand. The aforementioned Judgment,<br />
after alluding to the fact that entities whose activity involves continuous processing of customer and third-party data must<br />
observe an adequate level of diligence, specified that “(...) the Supreme Court has understood that imprudence exists<br />
whenever a legal duty of care is neglected, i.e. when the offender does not behave with the required diligence. And in the<br />
assessment of the degree of diligence, the professionalism or lack of professionalism of the subject must be especially<br />
considered, and there is no doubt that, in the case now examined, when the activity of the appellant is one of constant and<br />
abundant handling of personal data, rigor and exquisite care in adjusting to the legal preventions in this regard must be<br />
insisted upon.” Due to the high impact that this could have for the data subjects, OPENBANK was obliged to find solutions<br />
that do not pose a greater risk to the rights and freedoms of its clients and that guarantee the security of the data.<br />
<br />
- The categories of personal data affected by the infringement (section g): In the present case, the origin of various<br />
amounts received in the account of the data subject is requested, which, by providing that information without adequate<br />
security measures, could increase their vulnerability to possible attacks, which implied a greater risk for the rights and<br />
freedoms of the data subject.<br />
<br />
<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria<br />
established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:<br />
<br />
As an aggravating factor:<br />
<br />
- The link between the offender's activity and the processing of personal data (section b): The development of the business<br />
activity that OPENBANK performs requires continuous processing of personal data.<br />
<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the RGPD and 76.2 of<br />
the LOPDGDD, with respect to the infringement committed by violating the provisions of<br />
article 32 of the RGPD, allows a penalty of €1,000,000 (one million euros) to be<br />
imposed.<br />
<br />
<br />
Therefore, in accordance with the applicable legislation and having evaluated the<br />
criteria for the graduation of sanctions whose existence has been proven,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: IMPOSE ON OPEN BANK, S.A., with NIF A28021079, for the violation of<br />
article 25 of the RGPD a fine of €1,500,000.00 (ONE MILLION FIVE HUNDRED THOUSAND<br />
EUROS), and for the violation of article 32 of the RGPD a fine of €1,000,000.00 (ONE<br />
MILLION EUROS), both classified under article 83.4 of the RGPD.<br />
<br />
<br />
SECOND: NOTIFY this resolution to OPEN BANK, S.A.<br />
<br />
THIRD: Warn the sanctioned entity that it must pay the sanction imposed<br />
once this resolution is enforceable, in accordance with the provisions of<br />
art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter LPACAP), within the voluntary payment period<br />
established in art. 68 of the General Collection Regulations, approved<br />
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,<br />
of December 17, by depositing it, indicating the NIF of the sanctioned entity and the<br />
procedure number that appears in the heading of this document, in the<br />
restricted account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code:<br />
XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at<br />
the banking entity CAIXABANK, S.A. Otherwise, collection will proceed in the<br />
enforcement period.<br />
<br />
<br />
Once the notification is received and the resolution is enforceable, if the date on<br />
which it becomes enforceable falls between the 1st and the 15th of the month, both<br />
inclusive, the deadline for voluntary payment will be the 20th of the following month<br />
or the immediately following business day; if it falls between the 16th and the last<br />
day of the month, both inclusive, the deadline will be the 5th of the second following<br />
month or the immediately following business day.<br />
<br />
<br />
In accordance with the provisions of article 76.4 of the LOPDGDD, and given that the<br />
amount of the sanction imposed is greater than one million euros, the information<br />
identifying the offender, the infringement committed and the amount of the penalty<br />
will be published in the Official State Gazette.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in<br />
accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of<br />
article 123 of the LPACAP, the interested parties may optionally file an appeal for<br />
reconsideration before the Director of the Spanish Data Protection Agency within one<br />
month from the day following notification of this resolution, or directly file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National High Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within two months from the day following<br />
notification of this act, as provided for in article 46.1 of that Law.<br />
<br />
Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the<br />
LPACAP, the final administrative resolution may be provisionally suspended if the<br />
interested party expresses the intention to file a contentious-administrative appeal.<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, submitting it through<br />
the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
aforementioned Law 39/2015, of October 1. The interested party must also forward to<br />
the Agency the documentation proving the effective filing of the<br />
contentious-administrative appeal. If the Agency is not aware of the filing of the<br />
contentious-administrative appeal within two months from the day following<br />
notification of this resolution, the precautionary suspension will end.<br />
<br />
938-010623<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=Article_1_GDPR&diff=39920Article 1 GDPR2024-02-21T18:19:48Z<p>Teresa.lopez: /* Interpretation in light of fundamental rights */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Overview of GDPR|←]] Article 1: Subject-matter and objectives [[Article 2 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text ==<br />
<br />
<br />
'''Article 1: Subject-matter and objectives'''<br />
<br />
<span id="1">1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.</span><br />
<br />
<span id="2">2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.</span><br />
<br />
<span id="3">3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/1 GDPR}}{{Recital/2 GDPR}}{{Recital/3 GDPR}}{{Recital/4 GDPR}}{{Recital/5 GDPR}}{{Recital/6 GDPR}}{{Recital/7 GDPR}}{{Recital/8 GDPR}}{{Recital/9 GDPR}}{{Recital/10 GDPR}}{{Recital/11 GDPR}}{{Recital/12 GDPR}}<br />
<br />
==Commentary==<br />
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. Its aims function as guiding principles for interpreting the GDPR.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).</ref><br />
<br />
===(1) Subject-matter===<br />
Article 1(1) establishes the GDPR's two main aims. First, it aims to protect natural persons with regard to the processing of their personal data. Second, it recognises the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR. <br />
<br />
==== Data protection and the free flow of data ====<br />
The European Union is based on the idea of a common market, which provides for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If a Member State were, for example, to prohibit the transfer of personal data to another Member State where there is no equivalent protection, trade between these Member States would become more complicated.<blockquote><u>Example:</u> If France protected personal data but Germany did not, the French protections could only be enforced if personal data did not leave France. Such national limitations would restrict the European common market.</blockquote>Consequently, the GDPR aims to provide a common level of protection, allowing personal data to flow freely within the European common market.<ref>See Recital 10</ref> <br />
<br />
==== Limit to natural persons ====<br />
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the GDPR does not apply to the processing of data relating to companies, public bodies or other legal entities.<ref>See Recital 14</ref><br />
<br />
However, if data about a legal entity contains or relates to information about a natural person, or concerns a natural person engaged in a professional activity, such data still falls within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - ''Salvatore Manni'']].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the 'Peter Smith Limited' company is wholly owned by Peter Smith, who is also its only manager, information about the revenue of 'Peter Smith Limited' can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email address peter.smith@examplecompany.com that Peter Smith uses professionally can be linked to him and therefore relates to a natural person. It does not matter whether this person acts in a commercial or private capacity.</blockquote>You can find more details about the scope of the term 'personal data' under [[Article 4 GDPR|Article 4(1) GDPR]].<br />
<br />
==== Human rights approach ====<br />
Non-EU citizens can rely on the GDPR, as its application is generally independent of nationality.<ref>See Recital 2 GDPR</ref> This is also in line with Article 8 CFR ("''Everyone has the right to the protection of personal data''"), as the right to data protection is a human right that generally applies to all humans, not just EU citizens.<br />
<blockquote><u>Example:</u> A Chinese or South African citizen can generally be subject to the GDPR, as the right to data protection is a human right, not a citizen right.</blockquote><br />
While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in [[Article 3 GDPR]].<br />
<br />
===(2) Protection of fundamental rights and freedoms ===<br />
According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as 'in particular' the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data have two objectives. On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref><blockquote><u>Case Law:</u> In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' - on so-called 'data retention', where communication metadata was stored for up to two years for criminal investigations, the CJEU held that "''it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter''".</blockquote><br />
<br />
==== Protection of the fundamental right to data protection ====<br />
Article 8(1) CFR provides for 'the right to the protection of personal data' of a natural person. Some requirements to the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. <br />
<br />
==== Protection of other fundamental rights and freedoms ====<br />
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. This concerns the right to respect for 'private and family life' and 'communications' and is distinct from, and often broader than, the right to data protection in Article 8 CFR.<br />
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations can impact other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and rights against discrimination.<ref>See Recital 4</ref><ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref> The fundamental rights to privacy, personality and data protection are the backbone of a free society. There can be no freedom where the individual is not in control of their data, or feels observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 clearly states that “''the processing of personal data should be designed to serve mankind''”, not the opposite.<blockquote><u>Example:</u> A person may only be really free to vote if the secrecy of the ballot is ensured. If a person is afraid that her political beliefs may become known to her employer, spouse or friends, she may not actually vote according to her true convictions.</blockquote>The right to data protection can therefore be seen as an enabler of other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.<br />
==== Conflicts with other fundamental rights ====<br />
Obviously, the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests, public interests or security and safety interests. <br />
<br />
Recital 4 accepts that the right to data protection has to be balanced against these other interests and fundamental rights, but also highlights that these other rights and interests were already taken into consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights a second time, as the GDPR is already the result of a political balancing of Article 8 CFR against other rights and interests. <blockquote><u>Common Misunderstanding:</u> Some lawyers argue that the GDPR would have to be 'balanced' with the right to conduct a business under Article 16 CFR. However, Article 16 CFR has a limited scope and e.g. ensures that everyone can open a business and can decide on business partners.<ref>''Bezemek'', in Holoubek/Lienbacher, GRC-Kommentar, Article 16, marginal numbers 6 and 7 (MANZ 2014).</ref> There is also only a freedom to conduct a business 'in accordance with community law' - not in violation of community law (such as the GDPR).</blockquote>While there is no general balancing test, the GDPR provides specific flexible provisions, like the recognition of legitimate interests in [[Article 6 GDPR|Article 6(1)(f) GDPR]], which allows conflicting rights to be balanced, e.g. in the case of fraud prevention or the need to enforce legal claims. There are also a number of opening clauses, like [[Article 85 GDPR|Article 85]] on freedom of speech or [[Article 86 GDPR|Article 86]] on freedom of information. In many cases, Member States may enact legal requirements to process personal data in the public interest, or restrict the GDPR, insofar as these national laws are necessary and proportionate.<ref>See for example [[Article 23 GDPR]]</ref><br />
<br />
==== Interpretation in light of fundamental rights ====<br />
The fact that the GDPR implements the protection of fundamental rights in secondary legislation also requires that the GDPR be interpreted in the light of these fundamental rights.<blockquote><u>Case Law:</u> In [[CJEU - C-311/18 - Schrems II|C-311/18 - ''Schrems II'']] on data transfers from the EU to the US, where secret services can access such personal data, the CJEU highlighted that the GDPR must be interpreted in light of the CFR. This is not limited to the right to data protection in Article 8 CFR and the closely related right to privacy in Article 7 CFR, but for example also includes the right to an effective remedy and to a fair trial under Article 47 CFR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref> </blockquote>This means that any interpretation of the GDPR that would disproportionately limit the right to data protection under Article 8 CFR could not be sustained. It also allows the application of the proportionality test under Article 52(1) CFR, which often leads to a clear answer when interpreting the GDPR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref><br />
<br />
In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']]'', [[CJEU - C-524/06 - Huber|C‑524/06 Huber]]'' or C‑468/10 and C‑469/10 ''ASNEFF and FECEMD''</ref> that the GDPR (and the previous [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 Directive 95/46/EC]) aims for a "''high level of protection''".<ref>See Recital 6 and 10</ref> This term, taken from Recitals 6 and 10 of the GDPR, has regularly been used by the CJEU to convey a more protective interpretation of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection precedence over other legally relevant interests is preferred by the CJEU,<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> in order to uphold this high level of protection foreseen by the GDPR. <br />
<br />
Existing CJEU case law contains useful examples of the current state of play. In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'', for example, the CJEU held that the prevention of terrorism does not justify the retention of metadata from phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref><br />
<br />
Similarly, in other cases, the public interest in financial transparency in the public sector was not seen to override the interests of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or of recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments mainly concerned public sector violations of Articles 7 and 8 CFR, they seem to apply to private actors as well, given that the GDPR must be interpreted in light of the CFR.<blockquote><u>Example:</u> If in the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' the CJEU prohibited governments from keeping phone records to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] in communication data for purposes that are even less serious. Accepting such a legitimate interest would cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR. </blockquote><br />
===(3) Free movement of personal data===<br />
Under [[Article 1 GDPR#3|Article 1(3) GDPR]], the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest in passing so-called data localization laws. <br />
<br />
The free movement of personal data is limited to the Union, meaning the European Economic Area (EEA). The EEA includes all EU Member States, Iceland, Liechtenstein and Norway. The status of the various special territories of EU Member States requires additional checks, as some form part of the EEA while others do not. The UK is no longer a Member State. <br />
<br />
Non-EU/EEA countries do not benefit from the free flow of personal data. In fact, the CJEU has set rather high standards for international data transfers.<ref>See for example CJEU in C-364/14 ''Schrems I'' and [[CJEU - C-311/18 - Schrems II|C-311/18 ''Schrems II'']].</ref> The free flow of personal data is explicitly limited to the EEA. Rules on transfers to non-EU/EEA countries ('third countries') can be found in Chapter V of the GDPR.<blockquote><u>Example:</u> When a Czech controller stores personal data with a Norwegian cloud provider, the companies do not have to worry about international data flows, because the GDPR prohibits limitations on such data flows. However, when a Spanish controller uses a Swiss provider, there needs to be an additional legal basis for these data flows.</blockquote>There is an ongoing discussion on whether the free flow of personal data only protects data flowing between systems that are on EEA territory, or whether systems on non-EEA territory - that are under the effective control of an EEA controller or processor - would still benefit from the free flow of personal data, given that the GDPR would still apply to them. 
The European Commission has recently taken an entity-based approach (focusing on whether the controlling entity falls under the territorial scope in [[Article 3 GDPR]]), not a data-based approach (focusing on whether the data physically remains in the EEA).<ref>See Article 1(1) of Commission Implementing Decision (EU) 2021/914 and the European Commission's FAQs available at https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf, page 13.</ref> The wording of the GDPR does not seem to support an entity-based approach.<ref>Article 1(3) GDPR focuses on the "''movement of personal data within the Union''"; Article 44 GDPR equally regulates the "''transfer of personal data''", not the transfer to an entity that is not governed by the GDPR.</ref> At the same time, however, the definition of the GDPR's territorial scope of application is explicitly uncoupled from the question of whether the processing 'takes place in the Union or not' (cf. Art. 3(1)).<br />
<references /><br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 1 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>Teresa.lopezhttps://gdprhub.eu/index.php?title=Article_1_GDPR&diff=39919Article 1 GDPR2024-02-21T18:17:45Z<p>Teresa.lopez: /* Interpretation in light of fundamental rights */ Corrected mistake</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Overview of GDPR|←]] Article 1: Subject-matter and objectives [[Article 2 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text ==<br />
<br />
<br />
'''Article 1: Subject-matter and objectives'''<br />
<br />
<span id="1">1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.</span><br />
<br />
<span id="2">2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.</span><br />
<br />
<span id="3">3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/1 GDPR}}{{Recital/2 GDPR}}{{Recital/3 GDPR}}{{Recital/4 GDPR}}{{Recital/5 GDPR}}{{Recital/6 GDPR}}{{Recital/7 GDPR}}{{Recital/8 GDPR}}{{Recital/9 GDPR}}{{Recital/10 GDPR}}{{Recital/11 GDPR}}{{Recital/12 GDPR}}<br />
<br />
==Commentary==<br />
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this is relevant for the understanding and interpretation of the GDPR, Article 1 has limited legal relevance for controllers and data subjects in daily practice. The aims can function as guiding principles for interpreting the GDPR.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).</ref><br />
<br />
===(1) Subject-matter===<br />
Article 1(1) establishes the GDPR's two main aims. First, it aims at protecting natural persons with regard to the processing of their personal data; at the same time, it recognizes the EU internal market interest in the free movement of such data. Both objectives are already named in the title of the GDPR. <br />
<br />
==== Data protection and the free flow of data ====<br />
The European Union is based on the idea of a common market that provides for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Different national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If a Member State were, for example, to prohibit the transfer of personal data to another Member State where there is no equivalent protection, trade between these Member States would be more complicated.<blockquote><u>Example:</u> If France protected personal data but Germany did not, the French protections could only be enforced if personal data did not leave France. Such national limitations would limit the European common market.</blockquote>Consequently, the GDPR aims to provide a common level of protection, allowing personal data to flow freely within the European common market.<ref>See Recital 10.</ref> <br />
<br />
==== Limit to natural persons ====<br />
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the GDPR does not apply to the processing of data belonging to companies, public bodies or other legal entities.<ref>See Recital 14</ref><br />
<br />
However, if data about a legal entity contains or relates to a natural person, or if a natural person engages in a professional activity, such data is still within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - ''Salvatore Manni'']].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the 'Peter Smith Limited' company is wholly owned by Peter Smith, who is also the only manager of the company, information about the revenue of 'Peter Smith Limited' can be directly linked to Peter Smith, making the GDPR applicable to such information. Equally, the email address peter.smith@examplecompany.com that is used professionally by Peter Smith can be linked to Peter Smith and therefore relates to a natural person. It does not matter whether this person acts in a commercial or private capacity.</blockquote>You can find more details about the scope of the term 'personal data' under [[Article 4 GDPR|Article 4(1) GDPR]].<br />
<br />
==== Human rights approach ====<br />
Non-EU citizens can rely on the GDPR, as its application is generally independent of nationality.<ref>See Recital 2 GDPR.</ref> This is also in line with Article 8 CFR ("''Everyone has the right to the protection of personal data''"), as the right to data protection is a human right that generally applies to all humans, not just EU citizens.<br />
<blockquote><u>Example:</u> A Chinese or South African citizen can generally be protected by the GDPR, as the right to data protection is a human right, not a citizen's right.</blockquote><br />
While citizenship is not a factor in the GDPR, there are other geographic factors that limit the application of the GDPR. You can find further details about the territorial scope in [[Article 3 GDPR]].<br />
<br />
===(2) Protection of fundamental rights and freedoms ===<br />
According to Article 1(2), the Regulation generally protects the fundamental rights and freedoms of the individual as well as, 'in particular', the right to the protection of personal data. Thus, the provisions of the GDPR on the protection of personal data seem to have two objectives. On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref><blockquote><u>Case Law:</u> In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' - on so-called 'data retention', where communication metadata was stored for up to two years for criminal investigations, the CJEU held that "''it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter''".</blockquote><br />
<br />
==== Protection of the fundamental right to data protection ====<br />
Article 8(1) CFR provides for 'the right to the protection of personal data' of a natural person. Some requirements for the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness and purpose limitation, as well as lawfulness. <br />
<br />
==== Protection of other fundamental rights and freedoms ====<br />
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. This concerns the right to respect for 'private and family life' and 'communications' and is distinct from, and often broader than, the right to data protection in Article 8 CFR.<br />
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 of the CFR do not appear to be the only interests protected by the GDPR. Indeed, processing operations can affect other fundamental rights such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and other anti-discrimination rights.<ref>See Recital 4.</ref><ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref> The fundamental rights to privacy, personality and data protection are the backbone of a free society. There can be no freedom where the individual is not in control of their data, or feels observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 clearly states that “''the processing of personal data should be designed to serve mankind''”, not the opposite.<blockquote><u>Example:</u> A person may only really be free to vote if the secrecy of the ballot is ensured. If a person is afraid that her political beliefs may become known to her employer, spouse or friends, she may not actually vote according to her true convictions.</blockquote>The right to data protection can therefore be seen as an enabler for other fundamental rights. The protection of personal data often forms a precondition for the exercise of other fundamental rights.<br />
==== Conflicts with other fundamental rights ====<br />
Obviously, the right to data protection can conflict with a range of other interests, such as the right to freedom of speech, commercial interests, public interests or security and safety interests. <br />
<br />
Recital 4 accepts that the right to data protection has to be balanced against these other interests and fundamental rights, but also highlights that these other rights and interests were already taken into consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights a second time, as the GDPR is already the result of a political balancing of Article 8 CFR and other rights and interests. <blockquote><u>Common Misunderstanding:</u> Some lawyers argue that the GDPR would have to be 'balanced' with the right to conduct a business under Article 16 CFR. However, Article 16 CFR has a limited scope and e.g. ensures that everyone can open a business and can decide over business partners.<ref>''Bezemek'', in Holoubek/Lienbacher, GRC-Kommentar, Article 16, marginal numbers 6 and 7 (MANZ 2014).</ref> There is also only a freedom to conduct a business 'in accordance with community law' - not in violation of community law (such as the GDPR).</blockquote>While there is no general balancing test, the GDPR foresees specific flexible provisions, like the recognition of legitimate interests in [[Article 6 GDPR|Article 6(1)(f) GDPR]], which allows conflicting rights to be balanced, e.g. in the case of fraud prevention or the need to enforce legal claims. There are also a number of opening clauses, like [[Article 85 GDPR|Article 85]] on freedom of speech or [[Article 86 GDPR|Article 86]] on freedom of information. In many cases Member States have the option to lay down legal requirements to process personal data in the public interest, or to restrict the GDPR insofar as these national laws are necessary and proportionate.<ref>See for example [[Article 23 GDPR]].</ref><br />
<br />
==== Interpretation in light of fundamental rights ====<br />
The fact that the GDPR implements the protection of fundamental rights in secondary legislation also requires that the GDPR be interpreted in the light of these fundamental rights.<blockquote><u>Case Law:</u> In [[CJEU - C-311/18 - Schrems II|C-311/18 - ''Schrems II'']] on data transfers from the EU to the US, where secret services can access such personal data, the CJEU highlighted that the GDPR must be interpreted in light of the CFR. This is not limited to the right to data protection in Article 8 CFR and the closely related right to privacy in Article 7 CFR, but for example also includes the right to an effective remedy and to a fair trial under Article 47 CFR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref></blockquote>This means that any interpretation of the GDPR that would disproportionately limit the right to data protection under Article 8 CFR could not be sustained. This also allows the application of the proportionality test under Article 52(1) CFR, which often leads to a clear answer when interpreting the GDPR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref><br />
<br />
In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']], [[CJEU - C-524/06 - Huber|C‑524/06 ''Huber'']] or C‑468/10 and C‑469/10 ''ASNEF and FECEMD''.</ref> that the GDPR (and the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 previous Directive 95/46/EC]) aims for a "''high level of protection''".<ref>See Recitals 6 and 10.</ref> The CJEU has regularly used this term, taken from Recitals 6 and 10 of the GDPR, to convey a more protective interpretation of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the CJEU prefers the approach that gives the right to data protection prevalence over other legally relevant interests,<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> in order to uphold the high level of protection foreseen by the GDPR. <br />
<br />
Existing CJEU case law contains useful examples of the current state of play. In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'', the CJEU held, for example, that the prevention of terrorism does not allow the retention of metadata from phone records.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, ''Digital Rights Ireland''.</ref><br />
<br />
Similarly, in other cases, the public interest in financial transparency in the public sector was not seen to override the interests of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk''.</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments mainly concerned public sector violations of Articles 7 and 8 CFR, they seem to apply to private actors as well, given that the GDPR must be interpreted in light of the CFR.<blockquote><u>Example:</u> If in the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' the CJEU prohibited governments from keeping phone records to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] in communication data for purposes that are even less serious. Such a legitimate interest would have to cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR.</blockquote><br />
===(3) Free movement of personal data===<br />
Under [[Article 1 GDPR#3|Article 1(3) GDPR]], the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons related to personal data protection. The provision is mainly aimed at Member States, which may have an interest in passing so-called data localization laws. <br />
<br />
The free movement of personal data is limited to the Union, meaning the European Economic Area (EEA). The EEA includes all EU Member States, Iceland, Liechtenstein and Norway. The status of the various special territories of EU Member States requires additional checks, as some form part of the EEA while others do not. The UK is no longer a Member State. <br />
<br />
Non-EU/EEA countries do not benefit from the free flow of personal data. In fact, the CJEU has set rather high standards for international data transfers.<ref>See for example CJEU in C-364/14 ''Schrems I'' and [[CJEU - C-311/18 - Schrems II|C-311/18 ''Schrems II'']].</ref> The free flow of personal data is explicitly limited to the EEA. Rules on transfers to non-EU/EEA countries ('third countries') can be found in Chapter V of the GDPR.<blockquote><u>Example:</u> When a Czech controller stores personal data with a Norwegian cloud provider, the companies do not have to worry about international data flows, because the GDPR prohibits limitations on such data flows. However, when a Spanish controller uses a Swiss provider, there needs to be an additional legal basis for these data flows.</blockquote>There is an ongoing discussion on whether the free flow of personal data only protects data flowing between systems that are on EEA territory, or whether systems on non-EEA territory - that are under the effective control of an EEA controller or processor - would still benefit from the free flow of personal data, given that the GDPR would still apply to them. 
The European Commission has recently taken an entity-based approach (focusing on whether the controlling entity falls under the territorial scope in [[Article 3 GDPR]]), not a data-based approach (focusing on whether the data physically remains in the EEA).<ref>See Article 1(1) of Commission Implementing Decision (EU) 2021/914 and the European Commission's FAQs available at https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf, page 13.</ref> The wording of the GDPR does not seem to support an entity-based approach.<ref>Article 1(3) GDPR focuses on the "''movement of personal data within the Union''"; Article 44 GDPR equally regulates the "''transfer of personal data''", not the transfer to an entity that is not governed by the GDPR.</ref> At the same time, however, the definition of the GDPR's territorial scope of application is explicitly uncoupled from the question of whether the processing 'takes place in the Union or not' (cf. Art. 3(1)).<br />
<references /><br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 1 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>Teresa.lopezhttps://gdprhub.eu/index.php?title=Article_1_GDPR&diff=39918Article 1 GDPR2024-02-21T17:50:21Z<p>Teresa.lopez: /* (2) Protection of fundamental rights and freedoms */</p>
<hr />
<div>{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"<br />
![[Overview of GDPR|←]] Article 1: Subject-matter and objectives [[Article 2 GDPR|→]]<br />
|-<br />
| style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]]<br />
|-<br />
|<br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 1 GDPR|Article 1: Subject-matter and objectives]]<br /><br />
[[Article 2 GDPR|Article 2: Material scope]]<br /><br />
[[Article 3 GDPR|Article 3: Territorial scope]]<br /><br />
[[Article 4 GDPR|Article 4: Definitions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 5 GDPR|Article 5: Principles relating to processing of personal data]]<br /><br />
[[Article 6 GDPR|Article 6: Lawfulness of processing]]<br /><br />
[[Article 7 GDPR|Article 7: Conditions for consent]]<br /><br />
[[Article 8 GDPR|Article 8: Conditions applicable to child’s consent in relation to information society services]]<br /><br />
[[Article 9 GDPR|Article 9: Processing of special categories of personal data]]<br /><br />
[[Article 10 GDPR|Article 10: Processing of personal data relating to criminal convictions and offences]]<br /><br />
[[Article 11 GDPR|Article 11: Processing which does not require identification]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 12 GDPR|Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject]]<br /><br />
[[Article 13 GDPR|Article 13: Information to be provided where personal data are collected from the data subject]]<br /><br />
[[Article 14 GDPR|Article 14: Information to be provided where personal data have not been obtained from the data subject]]<br /><br />
[[Article 15 GDPR|Article 15: Right of access by the data subject]]<br /><br />
[[Article 16 GDPR|Article 16: Right to rectification]]<br /><br />
[[Article 17 GDPR|Article 17: Right to erasure (‘right to be forgotten’)]]<br /><br />
[[Article 18 GDPR|Article 18: Right to restriction of processing]]<br /><br />
[[Article 19 GDPR|Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing]]<br /><br />
[[Article 20 GDPR|Article 20: Right to data portability]]<br /><br />
[[Article 21 GDPR|Article 21: Right to object]]<br /><br />
[[Article 22 GDPR|Article 22: Automated individual decision-making, including profiling]]<br /><br />
[[Article 23 GDPR|Article 23: Restrictions]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 24 GDPR|Article 24: Responsibility of the controller]]<br /><br />
[[Article 25 GDPR|Article 25: Data protection by design and by default]]<br /><br />
[[Article 26 GDPR|Article 26: Joint controllers]]<br /><br />
[[Article 27 GDPR|Article 27: Representatives of controllers or processors not established in the Union]]<br /><br />
[[Article 28 GDPR|Article 28: Processor]]<br /><br />
[[Article 29 GDPR|Article 29: Processing under the authority of the controller or processor]]<br /><br />
[[Article 30 GDPR|Article 30: Records of processing activities]]<br /><br />
[[Article 31 GDPR|Article 31: Cooperation with the supervisory authority]]<br /><br />
[[Article 32 GDPR|Article 32: Security of processing]]<br /><br />
[[Article 33 GDPR|Article 33: Notification of a personal data breach to the supervisory authority]]<br /><br />
[[Article 34 GDPR|Article 34: Communication of a personal data breach to the data subject]]<br /><br />
[[Article 35 GDPR|Article 35: Data protection impact assessment]]<br /><br />
[[Article 36 GDPR|Article 36: Prior consultation]]<br /><br />
[[Article 37 GDPR|Article 37: Designation of the data protection officer]]<br /><br />
[[Article 38 GDPR|Article 38: Position of the data protection officer]]<br /><br />
[[Article 39 GDPR|Article 39: Tasks of the data protection officer]]<br /><br />
[[Article 40 GDPR|Article 40: Codes of conduct]]<br /><br />
[[Article 41 GDPR|Article 41: Monitoring of approved codes of conduct]]<br /><br />
[[Article 42 GDPR|Article 42: Certification]]<br /><br />
[[Article 43 GDPR|Article 43: Certification bodies]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 44 GDPR|Article 44: General principle for transfers]]<br /><br />
[[Article 45 GDPR|Article 45: Transfers on the basis of an adequacy decision]]<br /><br />
[[Article 46 GDPR|Article 46: Transfers subject to appropriate safeguards]]<br /><br />
[[Article 47 GDPR|Article 47: Binding corporate rules]]<br /><br />
[[Article 48 GDPR|Article 48: Transfers or disclosures not authorised by Union law]]<br /><br />
[[Article 49 GDPR|Article 49: Derogations for specific situations]]<br /><br />
[[Article 50 GDPR|Article 50: International cooperation for the protection of personal data]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 51 GDPR|Article 51: Supervisory authority]]<br /><br />
[[Article 52 GDPR|Article 52: Independence]]<br /><br />
[[Article 53 GDPR|Article 53: General conditions for the members of the supervisory authority]]<br /><br />
[[Article 54 GDPR|Article 54: Rules on the establishment of the supervisory authority]]<br /><br />
[[Article 55 GDPR|Article 55: Competence]]<br /><br />
[[Article 56 GDPR|Article 56: Competence of the lead supervisory authority]]<br /><br />
[[Article 57 GDPR|Article 57: Tasks]]<br /><br />
[[Article 58 GDPR|Article 58: Powers]]<br /><br />
[[Article 59 GDPR|Article 59: Activity reports]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 60 GDPR|Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned]]<br /><br />
[[Article 61 GDPR|Article 61: Mutual assistance]]<br /><br />
[[Article 62 GDPR|Article 62: Joint operations of supervisory authorities]]<br /><br />
[[Article 63 GDPR|Article 63: Consistency mechanism]]<br /><br />
[[Article 64 GDPR|Article 64: Opinion of the Board]]<br /><br />
[[Article 65 GDPR|Article 65: Dispute resolution by the Board]]<br /><br />
[[Article 66 GDPR|Article 66: Urgency procedure]]<br /><br />
[[Article 67 GDPR|Article 67: Exchange of information]]<br /><br />
[[Article 68 GDPR|Article 68: European Data Protection Board]]<br /><br />
[[Article 69 GDPR|Article 69: Independence]]<br /><br />
[[Article 70 GDPR|Article 70: Tasks of the Board]]<br /><br />
[[Article 71 GDPR|Article 71: Reports]]<br /><br />
[[Article 72 GDPR|Article 72: Procedure]]<br /><br />
[[Article 73 GDPR|Article 73: Chair]]<br /><br />
[[Article 74 GDPR|Article 74: Tasks of the Chair]]<br /><br />
[[Article 75 GDPR|Article 75: Secretariat]]<br /><br />
[[Article 76 GDPR|Article 76: Confidentiality]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 77 GDPR|Article 77: Right to lodge a complaint with a supervisory authority]]<br /><br />
[[Article 78 GDPR|Article 78: Right to an effective judicial remedy against a supervisory authority]]<br /><br />
[[Article 79 GDPR|Article 79: Right to an effective judicial remedy against a controller or processor]]<br /><br />
[[Article 80 GDPR|Article 80: Representation of data subjects]]<br /><br />
[[Article 81 GDPR|Article 81: Suspension of proceedings]]<br /><br />
[[Article 82 GDPR|Article 82: Right to compensation and liability]]<br /><br />
[[Article 83 GDPR|Article 83: General conditions for imposing administrative fines]]<br /><br />
[[Article 84 GDPR|Article 84: Penalties]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 85 GDPR|Article 85: Processing and freedom of expression and information]]<br /><br />
[[Article 86 GDPR|Article 86: Processing and public access to official documents]]<br /><br />
[[Article 87 GDPR|Article 87: Processing of the national identification number]]<br /><br />
[[Article 88 GDPR|Article 88: Processing in the context of employment]]<br /><br />
[[Article 89 GDPR|Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes]]<br /><br />
[[Article 90 GDPR|Article 90: Obligations of secrecy]]<br /><br />
[[Article 91 GDPR|Article 91: Existing data protection rules of churches and religious associations]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 92 GDPR|Article 92: Exercise of the delegation]]<br /><br />
[[Article 93 GDPR|Article 93: Committee procedure]]<br /><br />
</small><br />
</div></div><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px; overflow:auto;"><br />
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div><br />
<div class="mw-collapsible-content"><br />
<small><br />
[[Article 94 GDPR|Article 94: Repeal of Directive 95/46/EC]]<br /><br />
[[Article 95 GDPR|Article 95: Relationship with Directive 2002/58/EC]]<br /><br />
[[Article 96 GDPR|Article 96: Relationship with previously concluded Agreements]]<br /><br />
[[Article 97 GDPR|Article 97: Commission reports]]<br /><br />
[[Article 98 GDPR|Article 98: Review of other Union legal acts on data protection]]<br /><br />
[[Article 99 GDPR|Article 99: Entry into force and application]]<br /><br />
</small><br />
</div><br />
</div><br />
|}<br />
<br />
==Legal Text ==<br />
<br />
<br />
'''Article 1: Subject-matter and objectives'''<br />
<br />
<span id="1">1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.</span><br />
<br />
<span id="2">2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.</span><br />
<br />
<span id="3">3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.</span><br />
<br />
==Relevant Recitals==<br />
{{Recital/1 GDPR}}{{Recital/2 GDPR}}{{Recital/3 GDPR}}{{Recital/4 GDPR}}{{Recital/5 GDPR}}{{Recital/6 GDPR}}{{Recital/7 GDPR}}{{Recital/8 GDPR}}{{Recital/9 GDPR}}{{Recital/10 GDPR}}{{Recital/11 GDPR}}{{Recital/12 GDPR}}<br />
<br />
==Commentary==<br />
Article 1 GDPR is mainly programmatic and sets out the general objectives of the GDPR. While this matters for the understanding and interpretation of the GDPR, Article 1 has limited practical legal relevance for controllers and data subjects. Its aims function as guiding principles for interpreting the GDPR.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 1 (Beck 2019) (accessed 2 September 2021).</ref><br />
<br />
===(1) Subject-matter===<br />
Article 1(1) establishes the GDPR's two main aims. First, it aims to protect natural persons with regard to the processing of their personal data; second, it recognises the EU internal market's interest in the free movement of such data. Both objectives are already named in the title of the GDPR. <br />
<br />
==== Data protection and the free flow of data ====<br />
The European Union is based on the idea of a common market that provides for four freedoms, namely the free movement of goods, capital and people, as well as the freedom to establish and provide services. Differing national data protection laws - or indeed the lack of such laws - would conflict with these freedoms. If a Member State were, for example, to prohibit the transfer of personal data to another Member State without equivalent protection, trade between these Member States would become more complicated.<blockquote><u>Example:</u> If France protected personal data but Germany did not, the French protections could only be enforced if personal data did not leave France. Such national limitations would restrict the European common market.</blockquote>Consequently, the GDPR aims to provide a common level of protection, allowing personal data to flow freely within the European common market.<ref>See Recital 10</ref> <br />
<br />
==== Limit to natural persons ====<br />
Article 1(1) also clarifies that the GDPR applies to the processing of personal data concerning natural persons. It follows that the GDPR does not apply to the processing of data relating to companies, public bodies or other legal entities.<ref>See Recital 14</ref><br />
<br />
However, data about a legal entity that contains information on, or relates to, a natural person - including a natural person engaged in a professional activity - still falls within the scope of the GDPR, as clarified by the CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - ''Salvatore Manni'']].<ref>CJEU in [[CJEU - C-398/15 - Salvatore Manni|C-398/15 - Salvatore Manni]], paragraph 34 with further references.</ref><blockquote><u>Example:</u> If the 'Peter Smith Limited' company is wholly owned by Peter Smith, who is also its only manager, information about the revenue of 'Peter Smith Limited' can be directly linked to Peter Smith, making the GDPR applicable to that information. Equally, the email address peter.smith@examplecompany.com that Peter Smith uses professionally can be linked to him and therefore relates to a natural person. It does not matter whether the person acts in a commercial or private capacity.</blockquote>You can find more details about the scope of the term 'personal data' under [[Article 4 GDPR|Article 4(1) GDPR]].<br />
<br />
==== Human rights approach ====<br />
Non-EU citizens can rely on the GDPR, as its application is generally independent of nationality.<ref>See Recital 2 GDPR</ref> This is in line with Article 8 CFR ("''Everyone has the right to the protection of personal data''"): the right to data protection is a human right that applies to all humans, not just EU citizens.<br />
<blockquote><u>Example:</u> A Chinese or South African citizen can generally rely on the GDPR, as the right to data protection is a human right, not a right of citizenship.</blockquote><br />
While citizenship is not a factor under the GDPR, other geographic factors limit its application. You can find further details about the territorial scope in [[Article 3 GDPR]].<br />
<br />
===(2) Protection of fundamental rights and freedoms ===<br />
According to Article 1(2), the Regulation protects the fundamental rights and freedoms of natural persons and, ''in particular'', their right to the protection of personal data. The provisions of the GDPR on the protection of personal data thus pursue two objectives. On the one hand, the protection of personal data - which may not come as a surprise. On the other hand, the legislator took the view that the protection of personal data also (indirectly) protects other 'fundamental rights and freedoms'.<ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 36 (Beck 2019) (accessed 2 September 2021).</ref><blockquote><u>Case Law:</u> In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' - on so-called 'data retention', where communication metadata was stored for up to two years for criminal investigations, the CJEU held that "''it is not inconceivable that the retention of the data in question might have an effect on... their exercise of the freedom of expression guaranteed by Article 11 of the Charter''".</blockquote><br />
<br />
==== Protection of the fundamental right to data protection ====<br />
Article 8(1) CFR provides for 'the right to the protection of personal data' of a natural person. Some requirements for the processing of data follow from Article 8(2) CFR, which explicitly mentions the principles of fairness, purpose limitation and lawfulness. <br />
<br />
==== Protection of other fundamental rights and freedoms ====<br />
Another essential fundamental right that is clearly protected by the GDPR is the right to privacy in Article 7 CFR. It covers the right to respect for 'private and family life' and 'communications' and is distinct from, and often broader than, the right to data protection in Article 8 CFR.<br />
However, the fundamental rights and freedoms enshrined in Articles 7 and 8 CFR are not the only interests protected by the GDPR. Processing operations can also impact other fundamental rights, such as personality rights, freedom of expression, freedom of information, freedom of communication, the right of assembly, freedom of religion and the prohibition of discrimination.<ref>See Recital 4</ref><ref>''Hornung and Spiecker'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 40 (Beck 2019) (accessed 3 September 2021).</ref> The fundamental rights to privacy, personality and data protection are the backbone of a free society. There can be no freedom where individuals are not in control of their data, or feel observed, tracked or continuously assessed.<ref>''Hornung et al'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 29 (Beck 2019) (accessed 2 September 2021).</ref> Indeed, Recital 4 states that “''the processing of personal data should be designed to serve mankind''”, not the opposite.<blockquote><u>Example:</u> A person may only be truly free to vote if the secrecy of the ballot is ensured. If a person fears that her political beliefs may become known to her employer, spouse or friends, she may not vote according to her true convictions.</blockquote>The right to data protection can therefore be seen as an enabler of other fundamental rights: the protection of personal data often forms a precondition for their exercise.<br />
==== Conflicts with other fundamental rights ====<br />
Obviously, the right to data protection can conflict with a range of other interests, such as freedom of speech, commercial interests, public interests or security and safety interests. <br />
<br />
Recital 4 accepts that the right to data protection has to be balanced against these other interests and fundamental rights, but also highlights that these other rights and interests were already taken into consideration when the GDPR was drafted. There is consequently no need to 'balance' the GDPR against other rights a second time, as the GDPR is itself the result of a political balancing of Article 8 CFR against other rights and interests. <blockquote><u>Common Misunderstanding:</u> Some lawyers argue that the GDPR has to be 'balanced' against the freedom to conduct a business under Article 16 CFR. However, Article 16 CFR has a limited scope: it ensures, for example, that everyone can open a business and choose their business partners.<ref>''Bezemek'', in Holoubek/Lienbacher, GRC-Kommentar, Article 16, marginal numbers 6 and 7 (MANZ 2014).</ref> Moreover, the freedom to conduct a business is recognised only 'in accordance with Union law and national laws and practices' - not in violation of Union law (such as the GDPR).</blockquote>While there is no general balancing test, the GDPR contains specific flexible provisions, such as the recognition of legitimate interests in [[Article 6 GDPR|Article 6(1)(f) GDPR]], which allows conflicting rights to be balanced, e.g. in the case of fraud prevention or the enforcement of legal claims. There are also a number of opening clauses, such as [[Article 85 GDPR|Article 85]] on freedom of speech or [[Article 86 GDPR|Article 86]] on freedom of information. In many cases, Member States may adopt legal requirements to process personal data in the public interest, or restrict the GDPR, insofar as such national laws are necessary and proportionate.<ref>See for example [[Article 23 GDPR]]</ref><br />
<br />
==== Interpretation in light of fundamental rights ====<br />
The fact that the GDPR implements the protection of fundamental rights in secondary legislation also requires that the GDPR be interpreted in the light of these fundamental rights.<blockquote><u>Case Law:</u> In [[CJEU - C-311/18 - Schrems II|C-311/18 - ''Schrems II'']] on data transfers from the EU to the US, where intelligence services can access such personal data, the CJEU held that the GDPR must be interpreted in light of the CFR. This is not limited to the right to data protection in Article 8 CFR and the closely related right to privacy in Article 7 CFR, but also includes, for example, the right to an effective remedy and to a fair trial under Article 47 CFR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 99, 101, 105, 122, 137, 138, 140, 149, 161, 178, 198 or 199.</ref> </blockquote>This means that an interpretation of the GDPR that would disproportionately limit the right to data protection under Article 8 CFR cannot be sustained. It also allows the application of the proportionality test under Article 52(1) CFR, which often leads to a clear answer when interpreting the GDPR.<ref>See for example CJEU in [[CJEU - C-311/18 - Schrems II|C-311/18 - Schrems II]], paragraphs 174, 178 and 185.</ref><br />
<br />
In its case law, the CJEU has also repeatedly stressed<ref>See for example [[CJEU - C‑40/17 - Fashion ID|C-40/17 ''Fashion ID'']], paragraph 50, with further references to [[CJEU - Case C-101/01 - Bodil Lindqvist|C‑101/01 ''Lindqvist'']], [[CJEU - C-524/06 - Huber|C‑524/06 ''Huber'']] and C‑468/10 and C‑469/10 ''ASNEF and FECEMD''</ref> that the GDPR (and the [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A31995L0046 previous Directive 95/46/EC]) aims for a "''high level of protection''".<ref>See Recitals 6 and 10</ref> This term, taken from Recitals 6 and 10 of the GDPR, is regularly used by the CJEU to support a more protective interpretation of the GDPR. Although conflicting views exist,<ref>''Scorza'', in Riccio, Scorza, Belisario, GDPR e normativa privacy - Commentario, Article 62 GDPR (Wolters Kluwer 2018).</ref> the approach that gives the right to data protection precedence over other legally relevant interests is the one preferred by the CJEU,<ref>''Hornung et al,'' in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 1 GDPR, margin number 28 (Beck 2019) (accessed 2 September 2021). In the same direction, ''Hijmans'', in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 56 (Oxford University Press 2020).</ref> in order to uphold the high level of protection foreseen by the GDPR. <br />
<br />
Existing CJEU case law contains useful examples of the current state of play. In the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' the CJEU held, for example, that the objective of fighting serious crime and terrorism did not justify the general and indiscriminate retention of communications metadata required by the Data Retention Directive.<ref>See CJEU in Joined Cases C‑293/12 and C‑594/12, Digital Rights Ireland</ref><br />
<br />
Similarly, in other cases, the public interest in financial transparency in the public sector was not found to automatically override the interests of employees<ref>See CJEU in C-465/00 ''Österreichischer Rundfunk.''</ref> or recipients of subsidies.<ref>See CJEU in Joined Cases C-92/09 and C-93/09 ''Volker und Markus Schecke und Eifert''.</ref> While these judgments mainly concerned public-sector interferences with Articles 7 and 8 CFR, they appear to apply equally to private actors, given that the GDPR must be interpreted in light of the CFR.<blockquote><u>Example:</u> If in the joined cases C‑293/12 and C‑594/12 - ''Digital Rights Ireland'' the CJEU prohibited governments from retaining phone records in a general and indiscriminate manner to fight terrorism and serious crime, it seems hard to argue that private entities could claim a legitimate interest under [[Article 6 GDPR|Article 6(1)(f) GDPR]] for retaining communication data for purposes that are even less weighty. Such a legitimate interest would cross the red lines set in the CJEU case law, given that the GDPR must be interpreted in the light of Article 8 CFR. </blockquote><br />
===(3) Free movement of personal data===<br />
Under [[Article 1 GDPR#3|Article 1(3) GDPR]], the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of personal data. The provision is mainly aimed at Member States, which may have an interest in passing so-called data localisation laws. <br />
<br />
The free movement of personal data is limited to the Union, meaning in practice the European Economic Area (EEA). The EEA includes all EU Member States as well as Iceland, Liechtenstein and Norway. The status of various special territories of EU Member States requires additional checks, as some form part of the EEA while others do not. The UK is no longer a Member State and is not part of the EEA. <br />
<br />
Non-EU/EEA countries do not benefit from the free flow of personal data. In fact, the CJEU has set rather high standards for international data transfers.<ref>See for example CJEU in C-364/14 ''Schrems I'' and [[CJEU - C-311/18 - Schrems II|C-311/18 ''Schrems II'']].</ref> The free flow of personal data is explicitly limited to the EEA. Rules on transfers to non-EU/EEA countries ('third countries') can be found in Chapter V of the GDPR. <blockquote><u>Example:</u> When a Czech controller stores personal data with a Norwegian cloud provider, the companies do not have to worry about international data flows, because the GDPR prohibits limitations on such data flows within the EEA. However, when a Spanish controller uses a Swiss provider, the transfer needs an additional legal basis under Chapter V, such as an adequacy decision under [[Article 45 GDPR]] or appropriate safeguards under [[Article 46 GDPR]]. </blockquote>There is an ongoing discussion on whether the free flow of personal data only covers data flowing between systems located on EEA territory, or whether systems on non-EEA territory that are under the effective control of an EEA controller or processor would also benefit from the free flow of personal data, given that the GDPR would still apply to them. 
The European Commission has recently taken an entity-based approach (focusing on whether the controlling entity falls under the territorial scope in [[Article 3 GDPR]]) rather than a data-based approach (focusing on whether the data physically stays in the EEA).<ref>See Article 1(1) of Commission Implementing Decision (EU) 2021/914 and the European Commission's FAQs available at https://ec.europa.eu/info/sites/default/files/questions_answers_on_sccs_en.pdf, page 13.</ref> The wording of the GDPR does not seem to support an entity-based approach.<ref>Article 1(3) GDPR refers to the "''movement of personal data within the Union''", and Article 44 GDPR equally regulates the "''transfer of personal data''", not the transfer to an entity that is not governed by the GDPR.</ref> At the same time, however, the GDPR's territorial scope is explicitly uncoupled from the question of whether the processing 'takes place in the Union or not' (cf. Article 3(1)).<br />
<br />
==Decisions==<br />
→ You can find all related decisions in [[:Category:Article 1 GDPR]]<br />
<br />
==References==<br />
<references /><br />
<br />
[[Category:GDPR Articles]]</div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00214/2022&diff=30938AEPD (Spain) - PS/00214/20222023-02-03T12:44:14Z<p>Teresa.lopez: Links added</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS 00214-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00214-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=26.02.2021<br />
|Date_Decided=<br />
|Date_Published=16.01.2023<br />
|Year=<br />
|Fine=40,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 9(2) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#2<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=AGROXARXA, S.L.<br />
|Party_Link_1=https://www.agroxarxa.com/<br />
|Party_Name_2=THOMAS INTERNATIONAL SYSTEMS, S.A.<br />
|Party_Link_2=https://www.thomas.co/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA fined a talent acquisition company €40,000 for collecting data on ethnicity and disability of data subjects during their aptitude testing process without a valid exception as per [[Article 9 GDPR#2|Article 9(2) GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
THOMAS INTERNATIONAL SYSTEMS, S.A. (Controller 1) is a talent acquisition company that carries out aptitude testing on behalf of the entities that contract such services. In this context, AGROXARXA, S.L. (Controller 2) asked a job candidate (the data subject) to complete a behavioural survey, accessible through the website of Controller 1, as part of a selection process.<br />
<br />
Following the instructions received, the data subject completed the assessment presented by Controller 1 on behalf of Controller 2 for the purpose of assessing their suitability for the open position in Controller 2's company. Once they had completed the survey, Controller 1 asked them to fill in a second questionnaire for the purposes of research and improvement of the evaluations. This second questionnaire collected several categories of personal data: gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, current industry, current role, current level of leadership, level of job happiness, job rating, description of disability and consideration of leadership. For each question, except the one relating to the description of disability, the data subject was presented with a drop-down list that included the option “''I prefer not to answer''”.<br />
<br />
Additionally, before accessing this second questionnaire, the data subject was shown an informative text stating that their participation was entirely voluntary and that they could skip any question they did not wish to answer.<br />
<br />
On 21 February 2021, the data subject filed a complaint with the Spanish Data Protection Authority against Controller 2 for the request of disability and ethnicity data in the questionnaire sent by its human resources department. The data subject stated that they were unaware of what use the company would make of such data.<br />
<br />
After a request from the DPA, Controller 2 furnished the data processing agreement in place with Controller 1. The agreement identified Controller 1 as a data processor for the purpose of carrying out the behavioural survey on behalf of Controller 2. With respect to the second questionnaire, Controller 1 was identified as a controller, since the questionnaire was aimed at ensuring that the assessment tools were designed in such a way that they did not discriminate against the persons being assessed.<br />
<br />
=== Holding ===<br />
The DPA held that Controller 1 processed data relating to ethnicity and disability without justifying the applicability of any circumstances or exceptions established in [[Article 9 GDPR#2|Article 9(2) GDPR]], therefore not overcoming the prohibition on the processing of such personal data. <br />
<br />
Firstly, the DPA held that the exception invoked by Controller 1, that of [[Article 9 GDPR|Article 9(2)(j) GDPR]] (“''scientific research purposes''”), did not apply. Controller 1 could not point to any legal rule covering such data processing and therefore did not fulfil [[Article 9 GDPR|Article 9(2)(j) GDPR]], according to which the processing of special category data for scientific research purposes must be carried out “''on the basis of Union or Member State law''”.<br />
<br />
The DPA also dismissed the claim that the processing of sensitive data was based on consent due to the optional nature of the survey. A mere indication of voluntariness does not meet the requirements of [[Article 9 GDPR|Article 9(2)(a) GDPR]], which states that consent to the processing of special categories of personal data must be “explicit”. Additionally, Controller 1 did not duly inform the data subject about the purpose, the legal basis or the right to withdraw consent in accordance with the provisions of [[Article 13 GDPR]], and the privacy policy was only provided in English.<br />
<br />
Secondly, the DPA held that it was unclear whether Controller 1 even had an appropriate legal basis under [[Article 6 GDPR]]. The information contained in its privacy policy was too generic and limited to listing the types of legal basis, without specifying which of them corresponded to each specific processing operation carried out.<br />
<br />
Additionally, the DPA held that Controller 1 had also failed to provide sufficient evidence to prove that proportionality requirements were met. Based on the information provided, it could not be concluded whether the processing was appropriate for the proposed purpose, whether it was necessary or not, or whether there were less intrusive alternative measures.<br />
<br />
For all these reasons, the DPA found that Controller 1 had breached [[Article 9 GDPR]], imposing a sanction according to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]] and Article 72(1)(e) Spanish Data Protection Law. The following were considered aggravating factors:<br />
<br />
* Based on [[Article 83 GDPR|Article 83(2)(a) GDPR]]: (1) The nature and gravity of the infringement, given that the data subject was clearly not aware of who controlled the processing or of the use to be made of the personal data. This had an impact on the ability of data subjects to exercise effective control over their personal data. (2) The duration of the infringement, since the data processing at issue in this procedure dated back as early as July 2019. (3) The number of data subjects: the infringement affects all data subjects assessed by Controller 1. (4) The harm suffered by the data subjects: the data subjects faced increased risks to their privacy.<br />
* Based on [[Article 83 GDPR|Article 83(2)(b) GDPR]]: Negligence in the commission of the offence. The DPA understood that Controller 1 processes personal data systematically and continuously and should have taken great care to comply with its data protection obligations.<br />
* Based on [[Article 83 GDPR|Article 83(2)(d) GDPR]]: Controller 1 did not have adequate procedures in place for the collection and processing of ethnicity and disability data. The infringement was not the result of an anomaly in the operation of those procedures, but of a defect in the personal data management system designed by the controller on its own initiative.<br />
* Based on Article 76(2)(b) Spanish Data Protection Law: The close link between the controller's activity and the processing of personal data.<br />
<br />
Considering the above factors, the DPA set a fine of €50,000. The DPA also ordered Controller 1 to remove the collection of personal data relating to ethnicity and disability from the survey, and to cease using the data it had previously collected on this basis. Controller 1 ended up paying €40,000, making use of the reduction for voluntary payment of the proposed penalty provided for in Spanish administrative law.<br />
<br />
== Comment ==<br />
The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according to [[Article 83 GDPR#2f|Article 83(2)(f) GDPR]]: “''Mitigating the adverse effects or mitigating the damage caused by breaches involves restoring the rights of data subjects, which in this case entails deleting the ethnicity and disability data collected from data subjects and suspending their collection''”.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/42<br />
<br />
File No.: PS/00214/2022<br />
<br />
<br />
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT<br />
VOLUNTEER<br />
<br />
Of the procedure instructed by the Spanish Agency for Data Protection and based on<br />
to the following<br />
<br />
<br />
BACKGROUND<br />
<br />
FIRST: On May 5, 2022, the Director of the Spanish Agency for<br />
Data Protection agreed to initiate sanction proceedings against THOMAS<br />
<br />
INTERNATIONAL SYSTEMS, S.A. (hereinafter the claimed party). Notified on<br />
initiation agreement and after analyzing the allegations presented, on December 14,<br />
November 2022, the proposed resolution was issued as follows:<br />
transcribe:<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: PS/00214/2022<br />
<br />
<br />
<br />
PROPOSED RESOLUTION OF SANCTION PROCEDURE<br />
<br />
Of the procedure instructed by the Spanish Agency for Data Protection and based on<br />
to the following:<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On 02/26/2021, he entered this Spanish Agency for<br />
Data Protection a document presented by A.A.A. (hereinafter, the part<br />
claimant), for which he files a claim against the entity Agroxarxa, S.L., with<br />
<br />
NIF B25269358 (hereinafter, Agroxarxa), for the processing of personal data of<br />
special categories.<br />
<br />
The complaining party states that (...) it should have carried out psychotechnical tests, accessible<br />
through a link from an entity specialized in these services. As he claims,<br />
<br />
in one of the forms used to carry out the process, they requested data<br />
sensitive (disability and ethnicity), ignoring the use that the company would make of<br />
these dates. It adds that the completion of these forms was required by the<br />
Agroxarxa Human Resources department.<br />
<br />
<br />
Provide a screenshot of the questionnaire in which the data is requested<br />
controversial, available on the web "***URL.1" (hereinafter "Questionnaire of<br />
Thomas Research” or “Questionnaire”), the content of which is outlined in the<br />
Fact Proven Second. In its upper left corner is the logo of the entity<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/42<br />
"Thomas International Ltd.", to which said form belongs according to the indication<br />
inserted therein (“Copyright”). On the screen provided by the claimant<br />
the options detailed in Proven Fact Six are selected.<br />
<br />
SECOND: During the phase of admission for processing of the claim reviewed, by the<br />
<br />
General Subdirectorate of Data Inspection accessed the Privacy Policy of<br />
the entity "Thomas International Ltd.", dated 07/03/2019 and in English (the<br />
detail of the content of this document, in what interests the present<br />
procedure, is outlined in the Fourth Proven Fact).<br />
<br />
<br />
THIRD: In accordance with article 65.4 of Organic Law 3/2018, of 5<br />
December, Protection of Personal Data and guarantee of digital rights (in<br />
forward LOPDGDD), the claim made was transferred to the entity Agroxarxa<br />
to proceed with its analysis and inform this Agency, within a month,<br />
<br />
of the actions carried out to adapt to the requirements established in the<br />
data protection regulations.<br />
<br />
The term granted for this to Agroxarxa elapsed without this Agency<br />
receive any written response.<br />
<br />
<br />
FOURTH: On 06/29/2021, in accordance with article 65 of the LOPDGDD,<br />
The claim presented by the complaining party was admitted for processing.<br />
<br />
FIFTH: In view of the facts denounced in the claim and the documents<br />
provided by the complaining party, the General Subdirectorate of Data Inspection<br />
proceeded to carry out preliminary investigation actions for the<br />
<br />
clarification of the facts in question, by virtue of the investigative powers<br />
granted to control authorities in article 57.1 of Regulation (EU)<br />
2016/679 (General Data Protection Regulation, hereinafter GDPR), and<br />
in accordance with the provisions of Title VII, Chapter I, Second Section, of the<br />
LOPDGDD. The inspection services of the AEPD carried out the actions<br />
following:<br />
<br />
<br />
1. The Inspection Services of this Agency sent Agroxarxa a<br />
information request, which was attended by said entity by means of a written<br />
12/21/2021, in which he reports the following:<br />
<br />
. (…).<br />
<br />
<br />
. In reference to the personnel selection process, it warns that it does not request or require<br />
to the candidates the inclusion in the curricula of personal data<br />
concerning race, ethnicity or disability.<br />
<br />
Explain the process that follows to select the finalists, who are<br />
<br />
requests that they complete a "behavioral survey" with the aim of<br />
know if the candidate adjusts -in terms of skills and competencies- to<br />
the conditions required for the job, which is done through the<br />
platform owned by the company "Thomas International Ltd", who informs of<br />
its terms and conditions, privacy policy, cookies and other legal requirements<br />
<br />
in the mail that candidates receive to complete the survey.<br />
<br />
Once the candidates carry out the survey on the "Thomas<br />
<br />
International Ltd.”, and based on the analysis of the result it issues, a<br />
Final interview to select the person to be hired.<br />
<br />
. In reference to the information provided to the candidates.<br />
<br />
<br />
The company "Thomas International Ltd.", when sending the mail to participate in the<br />
survey sends the link to its rules where you can see in detail the treatment<br />
of data.<br />
<br />
<br />
Agroxarxa incorporates one of these emails as an example, whose text is the following:<br />
<br />
“Dear…<br />
…(name), from Agroxarxa, SLU has invited you to complete a brief evaluation of<br />
behaviour.<br />
Click on the following link or copy and paste it into your browser to start the<br />
evaluation<br />
<br />
https://open.***URL.1/Login/Login...<br />
There is a possibility that you will be asked to enter the following user data and<br />
password:<br />
User…<br />
Password…<br />
Visit the Thomas candidate area https://www.***URL.1/en-us/candidates.aspx for<br />
Learn more about this evaluation.<br />
Regards<br />
… (Name)<br />
Agroxarxa, SLU<br />
<br />
… (phone)<br />
rrhh_desenvolupament@Agroxarxa.com<br />
See our privacy policy www.***URL.1/es-es/Privacycookies.as.x”<br />
<br />
According to Agroxarxa, this makes it clear that "the information available to the<br />
<br />
candidates and the processing of data that informs the company, not<br />
Agroxarxa, SLU”.<br />
<br />
. In reference to the contract signed with "Thomas International Ltd.".<br />
<br />
<br />
Those responsible for the entity provide a copy of the contract for the provision of services and<br />
contract for data processing (“Data Processing Agreement”) signed in<br />
dated 05/30/2018 with the entity THOMAS INTERNACIONAL SYSTEMS, S.A. (in<br />
hereinafter THOMAS INTERNATIONAL SYSTEMS). The content of this "Agreement of<br />
<br />
data processing", as far as this procedure is concerned, consists of<br />
detailed in the Third Proven Fact.<br />
<br />
. In reference to the reason why "Thomas International Ltd." collect ethnicity data<br />
<br />
and disability.<br />
<br />
As indicated by the representatives of Agroxarxa, they are not expressly collected<br />
this data for the entity. Thomas International Ltd. uses the same<br />
"Questionnaire" for all your customers.<br />
<br />
<br />
In addition, the data requested in the "Questionnaire" regarding "disability" and<br />
“ethnic group” are voluntary, the person surveyed can choose the option “I prefer not to<br />
to answer". They provide the image of said "Questionnaire", whose content coincides with the<br />
<br />
described in the Second Proven Fact. The answers are in this image.<br />
following:<br />
<br />
. Sex: "Female".<br />
. Year of birth: “2017”.<br />
. Disability: "I prefer not to answer."<br />
<br />
. Ethnicity: "I prefer not to answer."<br />
<br />
Thomas International Ltd. only has the information that people<br />
Candidates contribute voluntarily, without it being mandatory and necessary to<br />
Agroxarxa have the data in question. Agroxarxa at no time has<br />
<br />
requested that this information be collected for any selection process.<br />
<br />
Therefore, “Thomas International Ltd.” only have information regarding<br />
ethnicity and disability when the candidate expressly and completely<br />
voluntarily and informed, provides it, without this information being provided to Agroxarxa,<br />
to which only the corresponding competency profile report is sent and<br />
<br />
skills, but never the answers.<br />
<br />
. In reference to the treatments carried out by Agroxarxa with the data related to ethnicity<br />
and disability and retention period.<br />
<br />
<br />
The application of “Thomas International Ltd.” not expressly designed<br />
for Agroxarxa selection processes, who (like the rest of the clients) do not<br />
participates in the preparation of the forms used by said company.<br />
<br />
That is why Agroxarxa does not collect, process or keep data related to ethnicity and<br />
<br />
disability.<br />
<br />
. In reference to the data contained in Agroxarxa relating to the complaining party.<br />
<br />
It does not have data related to ethnicity or disability of the complaining party. (…).<br />
<br />
<br />
<br />
With its response, Agroxarxa provided a copy of two reports as an example of the<br />
information about the candidates that “Thomas International Ltd.” facilitates the<br />
Agroxarxa:<br />
<br />
<br />
a) The first of them contains some graphics and scores related to "Mask of<br />
work”, “Behavior under pressure” and “self-image”.<br />
<br />
b) The second describes the "APP Profile" of the person assessed in relation to the<br />
“Self-image”, “Self-motivation”, “Work emphasis”, “Descriptive words”, “Mask”<br />
<br />
(“how others see you”), “Behavior under pressure” and “General comments”.<br />
<br />
<br />
2. On 12/30/2021, the Inspection Services of this Agency sent to<br />
<br />
Agroxarxa a new request for information, which was answered as follows:<br />
<br />
. In the selection process, Agroxarxa at no time gives data to the entity<br />
<br />
"Thomas International Ltd.", but hires this company to carry out a<br />
analysis of skills and competencies.<br />
<br />
The only data that Agroxarxa communicates to "Thomas Internacional Ltd." are the<br />
name and surname and contact email, used to facilitate access<br />
to the platform.<br />
<br />
<br />
. It is in your interest to proceed to a reassessment of the selection process and protocol<br />
of people with the aim of simplifying and improving the process, as well as facilitating the<br />
candidates more and better information.<br />
<br />
<br />
<br />
3. (…):<br />
<br />
Its activity is to provide psychometric tools for companies to use.<br />
apply in their evaluation and recruitment processes.<br />
<br />
<br />
On 05/30/2018, a "Data Processing Agreement" was signed with the company<br />
Agroxarxa (provide a copy).<br />
<br />
(…).<br />
<br />
<br />
In the contract signed between the parties (Annex 1), it is contemplated that "Thomas<br />
International" will process, by order of Agroxarxa, the data information<br />
personal information of candidates selected by it and will be stored and controlled<br />
by the person responsible for the data, Agroxarxa, in the “Thomas International” hub that<br />
has previously been hired. Agroxarxa has tools for the<br />
<br />
maintenance of personal data resulting from the evaluation processes and<br />
during the time that Agroxarxa deems appropriate.<br />
<br />
In section 2.3 of the Contract it is specified that Agroxarxa is the one who controls the<br />
information of the personal data entered in the evaluation systems of<br />
Thomas International Ltd. through the tools provided by it, and that<br />
<br />
the data of the candidates (results of the evaluations) will be processed by<br />
indication of Agroxarxa, having the latter the only access to the processed results<br />
by “Thomas International” systems.<br />
<br />
In section 2.4 it is indicated that Agroxarxa is responsible for personal data<br />
<br />
that are introduced in the evaluation processes of "Thomas International" so that<br />
are processed and evaluation results are obtained that are analyzed and<br />
received by Agroxarxa for the development of its business activity. Likewise,<br />
Agroxarxa has previously contracted tools for unique access and<br />
exclusive to the "Thomas International" hub (where the results of the<br />
<br />
evaluations) to analyze, view, delete, maintain, etc. information<br />
processed by "Thomas International" by indication of Agroxarxa.<br />
<br />
According to section 3.1.1, the “Thomas International” systems process the data<br />
<br />
personal information of Agroxarxa candidates by indication and following the instructions<br />
provided by it.<br />
<br />
<br />
And section 3.1.2 stipulates that “Thomas International” acts according to the instructions<br />
provided by the client, Agroxarxa.<br />
<br />
Section 3.2 provides that they must promptly comply with the instructions<br />
provided by Agroxarxa.<br />
<br />
<br />
In section 4 Agroxarxa authorizes "Thomas International Ltd." to send a<br />
form for permitted research purposes, to be filled out<br />
voluntarily and anonymously by the people who access the procedures<br />
authorized and contracted by Agroxarxa as long as the three<br />
sections 4.1; 4.2 and 4.3.<br />
<br />
<br />
THOMAS INTERNATIONAL SYSTEMS ends by noting that, according to the agreement<br />
signed between the parties, "Thomas International" is not obliged to provide information<br />
to the candidates that are going to be evaluated for Agroxarxa, which is the owner of the<br />
information relating thereto, and “Thomas International Ltd.” only processes the<br />
information that is provided by Agroxarxa and at its request. Thomas<br />
<br />
International Ltd.” does not know the personal data of the candidates who are going to be<br />
evaluated according to the needs determined by Agroxarxa in its policies of<br />
evaluation of candidates for certain jobs.<br />
<br />
In relation to the data on ethnic origin and disability, it indicates that they were collected from<br />
<br />
voluntarily and optionally, with the option not to respond. Any information<br />
collected through this optional survey is part of the psychometric evaluation<br />
and does not affect the results obtained by the candidate in his evaluation. All the<br />
information collected by the aforementioned optional survey would be used by the research team<br />
“Thomas International Sciences” to ensure that their assessment tools<br />
<br />
Psychometrics are designed in such a way that they do not discriminate against the people evaluated.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS provides a copy of the form "authorized by<br />
part of Agroxarxa to be sent to the personnel who access the systems of<br />
Thomas International Ltd. according to the assumptions of section 4” (“the Questionnaire”),<br />
whose content coincides with that outlined in the Second Proven Fact, and a copy of the<br />
<br />
following prior information that you provide. After the informative text are included the<br />
“I disagree” and “Next” buttons.<br />
<br />
SIXTH: On 04/25/2022, by the General Sub-Directorate of Data Inspection<br />
the information available about the entity THOMAS INTERNACIONAL is accessed<br />
<br />
SYSTEMS in “Axesor”. (…).<br />
<br />
SEVENTH: On May 5, 2022, the Director of the Spanish Agency for<br />
Data Protection agreed to initiate sanction proceedings against THOMAS<br />
INTERNACIONAL SYSTEMS, in accordance with the provisions of articles 63 and 64 of the<br />
<br />
LPACAP, for the alleged violation of article 9 of the GDPR, typified in article<br />
83.5.a) of the aforementioned Regulation; and classified as very serious for prescription purposes<br />
in article 72.1.e) of the LOPDGDD.<br />
<br />
<br />
In the opening agreement it was determined that the sanction that could correspond,<br />
attention to the existing evidence at the time of opening and without prejudice to the<br />
resulting from the instruction, would amount to a total of 50,000 euros.<br />
<br />
Likewise, it was warned that the imputed infractions, if confirmed, may<br />
<br />
entail the imposition of measures, according to the aforementioned article 58.2 d) of the GDPR.<br />
<br />
EIGHTH: Notification of the aforementioned initiation agreement in accordance with the established regulations<br />
at the LPACAP, THOMAS INTERNATIONAL SYSTEMS submitted a brief of<br />
allegations in which it requests the filing of the procedure or, alternatively, that it be<br />
issue a warning, based on the following considerations:<br />
<br />
<br />
1. From the actions of THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS is a Spanish company that<br />
provides services to different entities in Spain consisting of facilitating the use of the<br />
<br />
platform specialized in the evaluation, training and consulting of users of<br />
said clients “www.***URL.1”. Client entities access a restricted area<br />
on the platform using a username and password and are in charge of managing the<br />
candidates, selecting those who performed the evaluations, and obtaining<br />
the final reports made on said valuations.<br />
<br />
<br />
Based on the foregoing, it concludes that THOMAS INTERNATIONAL<br />
SYSTEMS has not carried out any processing of personal data on the part<br />
claimant.<br />
<br />
2. From the performances of “Thomas”.<br />
<br />
<br />
The “Thomas International group”, as a group, and specifically the parent company<br />
“Thomas International Limited LTD”, provides psychometric, evaluation,<br />
training and/or auditing to those clients who contract it through the platform<br />
www.***URL.1.<br />
<br />
Said platform offers said psychometric evaluation services, fulfilling<br />
<br />
all current legislation, the strictest international standards of<br />
psychometrics, as well as the strictest technical and organizational security measures<br />
and legal in general, and especially in matters of data protection and<br />
psychometry.<br />
<br />
Precisely, one of the measures adopted to guarantee compliance with the<br />
<br />
international standards and norms of psychometrics is the "Questionnaire of<br />
Thomas investigation" object of this procedure, which is carried out<br />
completely independent of user evaluations: only once you<br />
When the evaluation is finished and it is closed irreversibly, the user is offered to perform<br />
questionnaire". The user can choose to do it or not, without having any<br />
<br />
conditioning or consequence its completion or not, nor its responses, which are not<br />
are shared with client entities or with third parties.<br />
<br />
The sole purpose of this "Questionnaire" is to be able to comply with the standards<br />
international psychometrics required by regulations and protocols<br />
<br />
international; as well as being able to guarantee the reliability of the evaluations and<br />
demoscopic questionnaires carried out by "Thomas International" through its<br />
platform.<br />
<br />
Customers are informed about this questionnaire through the order contract of the<br />
<br />
treatment (clause 4). Also to users who, before completing<br />
access a notice stating that “Thomas International” is the<br />
responsible for it, which has the purpose of scientific research, of the<br />
independence and conditionality of carrying it out or not of any evaluation that<br />
carried out previously, of the anonymous and confidential nature in the treatment of<br />
the information and that no information will be shared with the entity or person<br />
<br />
would have invited you to carry out the evaluation (in no case the data collected<br />
through the "Questionnaire" are known by the clients of the platform or other<br />
third parties and not even by those partners or employees of the Group).<br />
<br />
On this issue of transparency in the processing of data that entails the<br />
<br />
"Questionnaire", THOMAS INTERNATIONAL SYSTEMS states that it has<br />
entrusted to new professionals and a new DPD to perfect the<br />
compliance with data protection regulations. Provide a copy of the new<br />
informative clause, which is reproduced in the Second Proven Fact.<br />
<br />
3. Of the legitimacy of the treatment of the questionnaire.<br />
<br />
<br />
The processing of personal data that is carried out in the "Questionnaire" object of the<br />
This file is carried out legitimately and in accordance with the provisions of the<br />
article 9.2 j) of the GDPR, in relation to article 89.1 of the same Regulation, and<br />
other regulations applicable to the sector in which the entity is dedicated.<br />
<br />
<br />
The "International company", prior to carrying out the "Questionnaire", has<br />
taken all necessary technical, organizational and legal measures to:<br />
<br />
a) Process data of a sensitive nature that obeys exclusively<br />
for the purpose of scientific research and to comply with the requirements demanded in<br />
international standards and norms of psychometrics, in order to guarantee the<br />
<br />
reliability required in its evaluations (limitation of the purpose), without the entity<br />
get any benefit from completing the questionnaire.<br />
b) Treat, in any case, the minimum data possible to fulfill said purposes and<br />
needs. The "Thomas Research Questionnaire" is carried out by the minimum<br />
necessary people, during the time strictly necessary and the data is processed<br />
strictly necessary for the fulfillment of the indicated purpose, fulfilling<br />
<br />
scrupulously observe the principle of data minimization and anonymization of the<br />
identifying data. Applies robust pseudo-anonymization processes and<br />
amonimization to their treatments.<br />
c) Apply all technical, organizational and legal measures necessary for a<br />
correct treatment of said information; establishing a robust system of<br />
<br />
minimization of information, access restricted to professional collegiate personnel of<br />
psychologists, who have duly signed the agreements of rules of use of the<br />
necessary information, confidentiality agreements and codes of ethics; Y<br />
also applying a system of anonymization of the information obtained,<br />
previously tested and continuously monitored.<br />
<br />
d) Apply equally robust security systems, encrypting the "Questionnaire" and<br />
applying the highest security measures to guarantee the confidentiality,<br />
integrity and availability of the information. Once completed, the form is<br />
stored on the entity's encrypted servers, with the highest security measures and<br />
anonymously in three tables. The system has obtained ISO 9001 certification.<br />
e) Analyze and evaluate in advance all possible risks and incidents, adopting the<br />
measures necessary to identify and/or mitigate any incident, and complying with<br />
all measures and/or obligations regarding data protection, specifically the<br />
principles established in article 5 of the GDPR.<br />
f) Respect the principle of data accuracy: the need for accuracy in the<br />
evaluations provided by "Thomas" through its platform makes the existence of the<br />
“Thomas Research Questionnaire” necessary. Likewise, it has established all the<br />
measures necessary to ensure accuracy in the collection, storage and<br />
conservation of the processed data.<br />
g) Keep the data strictly for the purpose described. By anonymizing the data and<br />
irreversibly separating the identifying data from the answers given, the minimum<br />
retention period is fully guaranteed, since personal data are securely and<br />
irreversibly destroyed immediately in the three-table system. Therefore, only<br />
non-personal data that serve the purpose of scientific research and compliance<br />
with the required scientific standards are kept.<br />
<br />
<br />
In relation to the lawfulness and fairness of the data processing of the<br />
questionnaire, it indicates the following:<br />
<br />
The data requested through the "Questionnaire", among which there are data of a<br />
sensitive nature (such as ethnicity and possible disabilities), are necessary to<br />
comply with the requirements of international psychometric standards and<br />
regulations, so that the evaluations carried out on the platform measure with<br />
scientific rigor what they claim to measure, do so accurately and do so fairly,<br />
and at the same time to ensure that they cover the right demographic and that no<br />
discrimination occurs, as required by the international standards and norms<br />
listed below:<br />
<br />
<br />
. The “Questionnaire” is validated in accordance with the Guidelines of the<br />
European Federation of Psychologists' Associations (FEAP in Spanish, EFPA in<br />
English: European Federation of Psychologists' Associations). EFPA is a European<br />
organization to which most of the European psychology associations belong. Its<br />
test review model is used throughout Europe and serves as a tool to evaluate<br />
psychometric assessments from two points of view: on the one hand, to check<br />
whether a group or sample is representative of a broader population and to<br />
calculate the relative position of examinees within that sample; and on the<br />
other hand, to ensure the fairness of the test.<br />
<br />
<br />
. International Test Commission (ITC), Guidelines on the use of tests, which<br />
also refer to the fairness of tests, i.e. whether they are fair for use with<br />
various groups, and to the need to monitor changes in the population through the<br />
demographic information provided by test takers.<br />
<br />
<br />
. Code of Conduct of the Business Psychology Association ***URL.2.<br />
<br />
It adds that the information collected is necessary, according to the<br />
aforementioned survey design (CIT, or ITC in its English acronym), since it makes<br />
it possible to ensure, through anonymous statistical studies, that its<br />
psychometric assessment tools (personality, intelligence, aptitudes, emotional<br />
intelligence, etc.) do not discriminate against the people evaluated, precisely<br />
on grounds of ethnicity or disability, among other circumstances. Therefore, it<br />
understands that "Thomas International", as designer of the evaluations and<br />
questionnaires, is legitimized and protected in its objectives by article 89.1<br />
of the GDPR, which allows the collection of data for research and global<br />
statistical purposes, with the guarantee that these data are anonymized and that<br />
it is impossible for them to be associated with a specific candidate, through<br />
the aforementioned CIT.<br />
<br />
The relevance of the activity of “Thomas International” and its CIT survey is<br />
based on the requirement to guarantee good practice in the design, development<br />
and monitoring of psychometric tests, according to the standards defined by the<br />
BPS (British Psychological Society), the EFPA (European Federation of<br />
Psychologists' Associations) or the COP (Official Association of Psychologists),<br />
which ensure good practice in psychometrics, certify the validity and<br />
reliability of a test and require that quality standards be kept up to date<br />
through macro-statistical studies carried out in parallel throughout the<br />
technical life of these tests, using statistical meta-analyses that are<br />
necessarily anonymous, global and longitudinal. A new applicable standard has<br />
recently emerged in this field, ISO 30414 Human Resources Management, which<br />
results in the requirement to make adequate use of psychometric tests, as well<br />
as the requirement of their discriminating power.<br />
<br />
In addition, it adds that "Thomas International" carried out the necessary<br />
analyses and impact assessments, having assessed the proportionality of the data<br />
processing and the need for it for scientific research, before making the<br />
evaluations available on the platform.<br />
<br />
Likewise, both the evaluations and the questionnaires have been designed<br />
exclusively by prestigious registered psychology professionals who carry out<br />
their activity at "Thomas International", and who are the only ones who handle<br />
the questionnaire data. These professionals are bound by confidentiality<br />
agreements and by strict compliance with international psychometric standards<br />
and regulations.<br />
<br />
4. Bearing in mind that (...) without any discrimination, he did not suffer any<br />
infringement or damage (...), without having expressed any objection to the<br />
processing of the "Thomas Research Questionnaire"; that Agroxarxa did not know<br />
whether or not the interested party completed said "Questionnaire" or what he<br />
answered; that “Thomas International” has not obtained any benefit or caused any<br />
harm; and that there has not been any claim or incident; THOMAS INTERNATIONAL<br />
SYSTEMS understands that there is no infringement and/or breach of data<br />
protection.<br />
<br />
5. On the non-existence of unlawfulness in the processing of information: THOMAS<br />
INTERNATIONAL SYSTEMS also understands that the processing of personal data of a<br />
sensitive nature is carried out in accordance with article 9.2 j) of the GDPR,<br />
and that once the data have been anonymized, it cannot be considered that there<br />
is any processing of personal data.<br />
<br />
6. On the lack of intent and/or fault of "Thomas International": for there to be<br />
a punishable offence, there must be not only an unlawful act but also<br />
intentionality in the act or omission that causes it, as stated in the<br />
Resolutions and Judgments of the Audiencia Nacional (National Court) of<br />
02/25/2010 (which establishes that strict liability is not admissible in<br />
administrative sanctioning law, being proscribed since STC 76/1999; Judgment of<br />
the Audiencia Nacional of 04/29/2010), 04/29/2020, 10/19/2010 and 02/10/2011.<br />
<br />
<br />
"Thomas International" has had a proactive attitude and has complied with its<br />
data protection obligations in all the processing it carries out, applying the<br />
highest security standards in its processing.<br />
<br />
7. On the non-existence of seriousness on the part of "Thomas International": in<br />
the hypothetical case that it is considered that "Thomas International" has not<br />
informed correctly, in the alternative, the conduct of "Thomas International"<br />
cannot be sanctioned as a serious infringement, since all the circumstances<br />
indicated that occur in the present case, and that have been accredited, lead to<br />
the conclusion that there is no serious offence whatsoever.<br />
<br />
<br />
In addition, as a result of what became known in this case, it has taken<br />
additional measures to avoid any incident or infringement, such as appointing a<br />
new Data Protection Delegate of proven experience and knowledge (ANNEX No. 15);<br />
initiating a new risk analysis and impact assessment on the processing of<br />
personal data in order to identify possible risks and apply the measures<br />
necessary to avoid and/or mitigate their harm; drafting new information clauses<br />
on the processing carried out in the "Thomas Research Questionnaire"; and<br />
reinforcing the information and training of all the agents involved in the<br />
processing of personal data, such as clients, registered psychology staff and<br />
technical staff, and the people who agree to carry out the evaluations and<br />
questionnaires.<br />
<br />
Therefore, it considers that the provisions of Recital 148 of the GDPR apply, as<br />
stated in the following AEPD resolutions:<br />
<br />
a) In the Resolution issued in procedure E/00660/2020, regarding a very serious<br />
infringement for unlawful data processing: the steps taken to adapt to the<br />
regulations before the claim was filed with the AEPD.<br />
<br />
<br />
b) In the procedures numbered PS/00077/2021 and PS/00416/2020, regarding serious<br />
infringements due to information security breaches, a warning was imposed in<br />
view of the measures adopted to resolve the problem and the suspension of the<br />
website involved in the events, which was migrated to another server, adopting<br />
measures to avoid events similar to those that gave rise to the claim.<br />
<br />
c) In the proceedings numbered E/05039/2018, the sanctioning procedure was<br />
converted into a closure of the file on account of the measures adopted to<br />
resolve the problem and the low relevance of the deficiencies.<br />
<br />
d) In procedures PS/00040/2021, PS/00041/2021, PS/00067/2021, PS/00071/2021,<br />
PS/00240/2020, PS/00366/2020, PS/00285/2020, PS/00311/2020, PS/00355/2020,<br />
PS/00371/2020, PS/00381/2020, PS/00399/2020, PS/00414/2020, PS/00441/2020,<br />
PS/00453/2020, PS/00454/2020, PS/00455/2020, PS/00457/2020 and PS/00490/2020,<br />
the disciplinary procedure was converted into a warning on the basis of grounds<br />
such as those set out below:<br />
<br />
<br />
. It is verified that the claimed party updated the information.<br />
. The Privacy Policy was prepared after the claim.<br />
. The consent is express, because the processing of the data is based on the<br />
consent given by filling in and submitting the form and ticking the box<br />
accepting data processing (PS/00040/2021).<br />
. The fine is considered disproportionate for the claimed party, whose main<br />
activity is not directly linked to the processing of personal data, and there is<br />
no evidence that it committed any previous data protection infringement<br />
(PS/00041/2021 and others).<br />
. The provisions of article 58.2 of the GDPR are complied with (PS/00067/2021 and<br />
others).<br />
. Absence of intentionality; adoption of measures to comply with the GDPR;<br />
appointment of a DPO; no recidivism; appropriate and reasonable measures have<br />
been taken to avoid incidents such as the one claimed (PS/00071/2021).<br />
. Rectification, once the file had been opened, of the deficiency found in the<br />
existing form on the website, and acceptance of the privacy conditions before<br />
sending said form, enabling a box to consent to the sending of commercial<br />
communications (PS/00311/2020).<br />
. There is no record of any previous data protection infringement.<br />
. The privacy policies were appropriately modified.<br />
<br />
Finally, it highlights that it has a proactive attitude; that all its staff are<br />
duly trained; that its activity has not caused damage to the rights of the<br />
interested parties; that it has not received any claim, incident or security<br />
breach to date; and that, upon learning of the matter, it has initiated a review<br />
of its protocols, analyses and evaluations, and has proceeded to appoint proven<br />
specialists in the field.<br />
<br />
<br />
With its allegations, it provides the following documentation:<br />
<br />
. Contract signed with Agroxarxa.<br />
. Partner agreement between "Thomas IS" and "Thomas LTD".<br />
. Explanation of the anonymization and minimization process in three tables<br />
applied to the "Thomas Research Questionnaire".<br />
. Protocols and security policy applied, including a version of the Privacy<br />
Policy dated 03/31/2020.<br />
. EFPA Guidelines.<br />
. ITC Guidelines.<br />
. Code of conduct.<br />
. Executive summary of Thomas International's practices and compliance with the<br />
GDPR.<br />
. Protocol for the preparation of tests for Dyslexia and Occupational Tests.<br />
<br />
. Deontological Code.<br />
. Psychologist contract.<br />
<br />
<br />
<br />
PROVEN FACTS<br />
<br />
<br />
<br />
FIRST: The entity THOMAS INTERNATIONAL SYSTEMS provides evaluation and<br />
consultancy services in personnel selection processes carried out by the<br />
entities that contract such services.<br />
<br />
The evaluation of candidates by THOMAS INTERNATIONAL SYSTEMS requires them to<br />
complete behavioral tests or surveys accessible through the website of said<br />
entity, "***URL.1", in order to assess, on the basis of the information<br />
obtained, the suitability of the candidate for the job offered.<br />
<br />
The entity that convenes the selection process makes a pre-selection of the<br />
candidates who are to be evaluated by THOMAS INTERNATIONAL SYSTEMS. These<br />
finalist candidates receive an email from the latter entity with instructions<br />
to access its platform, the "candidate area", and to be able to complete the<br />
survey. The email indicates the username and password to be used for access and<br />
includes a link to start the evaluation, as well as other links leading to the<br />
information available in the "candidate area" and to the Privacy Policy<br />
available on the website “***URL.1”.<br />
<br />
As a result of the provision of the service, THOMAS INTERNATIONAL SYSTEMS<br />
provides client entities with a report or profile on the skills and abilities of<br />
the candidate.<br />
<br />
SECOND: Once the candidates finish completing the tests necessary to carry out<br />
the evaluation, THOMAS INTERNATIONAL SYSTEMS asks them to fill in a new<br />
questionnaire, which it calls the "Thomas Research Questionnaire", which includes<br />
questions related to sex, year of birth, disability, ethnicity, mother tongue,<br />
educational level, current employment status, sector currently working in,<br />
current role, current level of command, level of happiness in the job (on a<br />
scale from 1 to 7), rating of your work (on a scale from 1 to 7), description of<br />
the disability (text field) and views on leadership. To answer each question,<br />
except for the description of the disability, a drop-down is shown with the<br />
options that the interested party can select, including the option “I prefer not<br />
to answer”.<br />
<br />
Prior to completing this "Questionnaire", the interested parties are shown the<br />
following information regarding the protection of personal data:<br />
<br />
Thank you for completing the form.<br />
A notification has been sent to the person who invited you to take the assessment. Please<br />
contact them for more information on this Thomas assessment.<br />
Welcome to the Thomas Research Questionnaire.<br />
At Thomas International, we are committed to the continuous improvement of our<br />
assessments. As part of our research and development initiative, we ask that you<br />
provide us with information to help us improve our assessments. The information<br />
collected will be used for research purposes only and will not be provided to your employer.<br />
Our psychologists abide by ethical guidelines and all information we collect will be<br />
confidential and only global results will be reported. Participation is entirely<br />
voluntary and you can choose to skip any question you do not want to answer.<br />
<br />
After the informative text, the buttons "I do not agree" and "Next" are<br />
displayed.<br />
<br />
The entity THOMAS INTERNATIONAL SYSTEMS, in the course of the allegations<br />
procedure at the opening of the proceedings, has reported that the information<br />
clause above has been modified and now reads as follows:<br />
<br />
Thank you for completing the form.<br />
A notification has been sent to the person who invited you to take the assessment. Please<br />
contact them for more information on this Thomas assessment.<br />
Welcome to the Thomas Research Questionnaire.<br />
At Thomas International we are committed to the continuous improvement of our<br />
assessments. As part of this, Thomas International, as the data controller,<br />
regularly conducts research to ensure that our assessments are valid, reliable<br />
and, above all, fair. This allows us to ensure that we adhere to international<br />
best practice standards. We would appreciate your help in this important<br />
research by filling in the following questionnaire.<br />
Completion of the questionnaire is voluntary and independent of the person who<br />
asked you to take the assessment. In no case will the information in this<br />
questionnaire be passed to the person who invited you to take the aforementioned<br />
assessment. The information collected in this questionnaire will be used solely<br />
for scientific research purposes, will be processed only by Thomas International<br />
registered psychologists and will be processed anonymously. To exercise your<br />
rights and/or for more information, consult our privacy policy (***URL.3), or<br />
contact our Data Protection Delegate at ***EMAIL.1. Our psychologists are<br />
governed by ethical guidelines, all information we collect will be kept<br />
confidential and only anonymous aggregate results will be communicated.<br />
Participation is completely voluntary and you can choose to skip any questions<br />
you don't want to answer."<br />
<br />
<br />
After the informative text, the buttons "I do not agree" and "Next" are<br />
displayed.<br />
<br />
THIRD: To formalize the provision of the services described in the First Proven<br />
Fact, the entity has drawn up a form called “Data Processing Agreement” which<br />
it signs with its clients.<br />
<br />
Of the stipulations contained in this agreement, which is deemed reproduced for<br />
evidentiary purposes, the following should be noted:<br />
<br />
Background<br />
<br />
<br />
(...)<br />
(...)<br />
<br />
(…)<br />
<br />
(…)<br />
<br />
<br />
Thomas's Duties<br />
(…):<br />
<br />
<br />
(…);<br />
(…);<br />
(…);<br />
<br />
(…)<br />
<br />
<br />
Research<br />
<br />
(…):<br />
<br />
(…);<br />
<br />
<br />
(…);<br />
<br />
(…).<br />
<br />
(...)”.<br />
<br />
<br />
FOURTH: The Privacy Policy available on the website "***URL.1", in its version<br />
dated 07/03/2019, includes the following information:<br />
<br />
<br />
“1.3 Do we always act as data controller? Although Thomas often acts as data<br />
controller, in some of our activities we can also act as data processor or<br />
sub-processor...<br />
<br />
Examples of cases where Thomas acts as data controller include, but are not<br />
limited to, the following:<br />
(…)<br />
. Processing of personal data of candidates for research purposes.<br />
. Processing of personal data of candidates to create an anonymous form of<br />
personal information…<br />
<br />
2.5 Do we use personal data in our research?<br />
We are committed to continually improving our assessments. To do this, we ask<br />
candidates to provide us with additional information, such as age group,<br />
educational level, ethnicity and similar matters. Providing this information is<br />
voluntary and is not necessary to complete an assessment.<br />
When we process any of this personal data for research, we do so as data<br />
controller.<br />
Any personal information provided to us for research will be used exclusively<br />
for research purposes and will not be disclosed to third parties. Both during<br />
and after our psychologists evaluate your personal information, we will store it<br />
securely and with the utmost confidentiality. If we share our results with third<br />
parties, only anonymous and aggregate results from which no individual can be<br />
identified will be shared.<br />
<br />
<br />
2.6 Where we are the data controller: What legal basis do we have to use your<br />
personal data?<br />
(…)<br />
. you have consented to the use of your personal data;<br />
. the use we make of your personal data is in our legitimate interest as a<br />
business organization; in these cases, we will at all times process your<br />
information in a manner that is proportionate and respectful of your right to<br />
privacy. You will also have the right to object to the processing, as explained<br />
in section 7;<br />
. the use of your personal data is necessary to perform a contract or take steps<br />
to enter into a contract with you; or<br />
. our use of your personal data is necessary to comply with a legal obligation or<br />
relevant regulation…” (Unofficial translation).<br />
<br />
<br />
The content of the transcribed sections is similar to that included in the version of the<br />
Privacy Policy dated 03/31/2020, contributed to the proceedings by THOMAS<br />
INTERNATIONAL SYSTEMS.<br />
<br />
<br />
FIFTH: Agroxarxa convened a personnel selection process and contracted the<br />
services of THOMAS INTERNATIONAL SYSTEMS to carry out the evaluations of the<br />
candidates shortlisted by Agroxarxa. To that end, both entities signed a<br />
contract (“Data Processing Agreement”) dated 05/30/2018, in the terms indicated<br />
in the Third Proven Fact.<br />
<br />
<br />
SIXTH: The complaining party participated in the personnel selection process<br />
convened by Agroxarxa indicated in the Fifth Proven Fact and was selected as a<br />
finalist to be evaluated by THOMAS INTERNATIONAL SYSTEMS. After completing the<br />
surveys arranged for this evaluation through the website "***URL.1", he was<br />
asked to fill in the "Thomas Research Questionnaire", through which the<br />
complaining party provided the following data:<br />
<br />
. Sex: “XXXXXX”.<br />
<br />
. Year of birth: “XXXX”.<br />
. Disability: “XX”.<br />
. Ethnicity: “XXXXXXXXXXXX”.<br />
<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
By virtue of the powers that article 58.2 of the GDPR grants to each supervisory<br />
authority, and as established in articles 47 and 48 of Organic Law 3/2018, of 5<br />
December, on the Protection of Personal Data and the guarantee of digital rights<br />
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is<br />
competent to initiate and resolve this procedure.<br />
<br />
<br />
Article 63.2 of the LOPDGDD provides that: "The procedures processed by the<br />
Spanish Data Protection Agency shall be governed by the provisions of the GDPR,<br />
by this organic law, by the regulatory provisions issued in its implementation<br />
and, insofar as they do not contradict them, on a subsidiary basis, by the<br />
general rules on administrative procedures”.<br />
<br />
<br />
II<br />
<br />
The claim that gave rise to these proceedings questions the processing of<br />
personal data relating to ethnicity and disability carried out by THOMAS<br />
INTERNATIONAL SYSTEMS during the candidate selection process for a job offered<br />
by the entity Agroxarxa, this question constituting the sole object of this<br />
proceeding.<br />
<br />
<br />
Thus, the conclusions derived from the procedure do not imply any<br />
pronouncement regarding issues unrelated to said object.<br />
<br />
<br />
<br />
III<br />
<br />
The personnel selection process (...) begins with its publication by that entity<br />
and the subsequent examination of the profiles of the candidates who have shown<br />
interest in the position, in order to select the finalists, who are asked to<br />
complete a “behavioral survey”.<br />
<br />
This "behavioral survey" is carried out through the platform of the entity<br />
THOMAS INTERNATIONAL SYSTEMS. It consists of psychological tests that assess the<br />
intelligence, personality, emotional intelligence and potential of the<br />
candidates.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS sends an email to the candidate with access to its<br />
platform. This email states that the reason is to carry out a behavioral<br />
evaluation for Agroxarxa, indicates the link to access the platform, as well as<br />
the username and password to use, and also indicates the links to access the<br />
information contained in the candidate area and the privacy policy.<br />
<br />
As a result of this action, THOMAS INTERNATIONAL SYSTEMS sends Agroxarxa a<br />
report on the profile of skills and abilities of the candidate.<br />
<br />
The selection process ends with a final interview carried out by Agroxarxa.<br />
<br />
The tasks that THOMAS INTERNATIONAL SYSTEMS performs within the framework of this<br />
process were entrusted to it by Agroxarxa through a contract for the provision<br />
of services signed by both entities. Said contract includes a "Data Processing<br />
Agreement", formalized on 05/30/2018, which defines the role of THOMAS<br />
INTERNATIONAL SYSTEMS as data processor and states that said entity follows the<br />
instructions of Agroxarxa, which acts as data controller.<br />
<br />
The figures of "controller" and "processor" are defined in article 4 of the GDPR<br />
as follows:<br />
<br />
. "Controller: the natural or legal person, public authority, agency or other<br />
body which, alone or jointly with others, determines the purposes and means of<br />
the processing of personal data; where the purposes and means of such processing<br />
are determined by Union or Member State law, the controller or the specific<br />
criteria for its nomination may be provided for by Union or Member State law".<br />
<br />
. "Processor: the natural or legal person, public authority, agency or other body<br />
which processes personal data on behalf of the controller".<br />
<br />
Article 24 of the GDPR, on the "Responsibility of the controller", states the<br />
following:<br />
<br />
"1. Taking into account the nature, scope, context and purposes of processing as<br />
well as the risks of varying likelihood and severity for the rights and freedoms<br />
of natural persons, the controller shall implement appropriate technical and<br />
organizational measures to ensure and to be able to demonstrate that processing<br />
is performed in accordance with this Regulation. Those measures shall be<br />
reviewed and updated where necessary.<br />
2. Where proportionate in relation to processing activities, the measures<br />
referred to in paragraph 1 shall include the implementation of appropriate data<br />
protection policies by the controller…”.<br />
<br />
<br />
Report 0064/2020 of the AEPD Legal Office has emphatically stated that "The GDPR<br />
has brought about a paradigm shift in the regulation of the right to the<br />
protection of personal data, which is based on the principle of<br />
"accountability" or "proactive responsibility", as repeatedly indicated by the<br />
AEPD (Report 17/2019, among many others) and as set out in the Explanatory<br />
Memorandum of Organic Law 3/2018, of December 5, on the Protection of Personal<br />
Data and the guarantee of digital rights (LOPDGDD)”.<br />
<br />
<br />
The said report goes on to say the following:<br />
<br />
“…the criteria on how to attribute the different roles remain the same<br />
(paragraph 11); it reiterates that these are functional concepts, intended to<br />
allocate responsibilities according to the real roles of the parties (paragraph<br />
12), which implies that in most cases the circumstances of the specific case<br />
must be examined (case by case) on the basis of the parties' actual activities<br />
rather than the formal designation of an actor as "controller" or "processor"<br />
(for example, in a contract), and that they are autonomous concepts, whose<br />
interpretation must be carried out under European personal data protection<br />
regulations (paragraph 13), taking into account (paragraph 24) that the need for<br />
a factual assessment also means that the role of a controller does not derive<br />
from the nature of an entity that is processing data but from its concrete<br />
activities in a specific context…”.<br />
<br />
The concepts of controller and processor are not formal but functional, and must<br />
be assessed in the specific case.<br />
<br />
<br />
An entity is the controller from the moment it decides the purposes and means of<br />
the processing, and does not lose that status by leaving a certain margin of<br />
action to the processor or by not having access to the processor's databases.<br />
<br />
This is clearly expressed in Guidelines 07/2020 of the European Data Protection Board (EDPB) on<br />
the concepts of controller and processor in the GDPR:<br />
<br />
"A controller is the one who determines the purposes and means of the processing, that is, the<br />
why and how of the processing. The controller must decide on both purposes and means. However,<br />
some more practical aspects of implementation ("non-essential means") can be left to the<br />
processor. It is not necessary for the controller to actually have access to the data that is<br />
being processed in order to qualify as a controller" (the translation is ours).<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 19/42<br />
<br />
In the present case, it is clear that Agroxarxa is the controller of the processing of personal<br />
data arising from the personnel selection process in which the complainant took part, since, as<br />
defined in Article 4(7) GDPR, it is the entity that determines the purposes and means of the<br />
processing carried out. In its capacity as controller it is obliged to comply with the<br />
transcribed Article 24 GDPR and, in particular, with the effective control of the "appropriate<br />
technical and organisational measures to ensure and to be able to demonstrate that processing is<br />
performed in accordance with this Regulation", among which are those provided for in Article 28<br />
GDPR in relation to the processor acting in the name and on behalf of the controller.<br />
<br />
Agroxarxa is the controller of the data processing carried out in order to resolve the selection<br />
process, even if it does not have access to those data. In this sense, Guidelines 07/2020 of the<br />
European Data Protection Board (EDPB) on the concepts of controller and processor in the GDPR<br />
state that "42. It is not necessary that the controller actually has access to the data that is<br />
being processed. Someone who outsources a processing activity and in doing so has a determinative<br />
influence on the purpose and (essential) means of the processing (for example, by adjusting the<br />
parameters of a service in such a way that it influences whose personal data will be processed)<br />
is to be regarded as a controller even though it will never have actual access to the data" (the<br />
translation is ours).<br />
<br />
On the other hand, the existence of a processor depends on a decision taken by the controller,<br />
which may decide either to carry out certain processing operations itself or to entrust all or<br />
part of the processing to a processor.<br />
<br />
The essence of the processor's role is that the personal data are processed in the name and on<br />
behalf of the controller. In practice, it is the controller who determines the purposes and the<br />
means, at least the essential ones, while the processor's role is to provide services to<br />
controllers. In other words, "acting in the name and on behalf of the controller" means that the<br />
processor serves the interest of the controller in carrying out a specific task and, therefore,<br />
follows the instructions laid down by the controller, at least as regards the purpose and the<br />
essential means of the processing entrusted to it.<br />
<br />
The controller is the one obliged to guarantee the application of data protection rules and the<br />
protection of the rights of data subjects, and to be able to demonstrate it (Articles 5(2), 24,<br />
28 and 32 GDPR). Control of compliance with the law extends throughout the processing, from<br />
beginning to end. The controller must in any case act in a diligent, conscious, committed and<br />
active manner.<br />
<br />
<br />
This mandate of the legislator applies regardless of whether the controller carries out the<br />
processing directly or does so through a processor.<br />
<br />
<br />
In addition, processing carried out materially by a processor on behalf of the controller belongs<br />
to the controller's own sphere of action, in the same way as if the controller had carried it out<br />
directly. The processor, in the case examined, is an extension of the controller, and may only<br />
process on documented instructions from the controller, unless required to do so by Union or<br />
Member State law, which is not the case here (Article 29 GDPR).<br />
<br />
Therefore, the controller must establish clear arrangements for that assistance, give the<br />
processor precise instructions on how to comply with them adequately, document this beforehand<br />
in a contract or other (binding) agreement, and verify at all times that the contract is being<br />
performed in the manner established therein.<br />
<br />
<br />
The processor will be held fully liable only where it is fully responsible for the damage caused<br />
to the rights and freedoms of the persons affected.<br />
<br />
In establishing the processor's liability for infringements of the GDPR, Article 28(10) also<br />
follows the criterion of the determination of the purposes and means of processing. Under this<br />
provision, if the processor determines the purposes and means of processing, it is considered a<br />
controller in respect of that processing:<br />
<br />
"10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by<br />
determining the purposes and means of processing, the processor shall be considered to be a<br />
controller in respect of that processing".<br />
<br />
<br />
In the present case, the correct legal classification of THOMAS INTERNATIONAL SYSTEMS under the<br />
GDPR is that of processor, since it acts in the name and on behalf of Agroxarxa.<br />
<br />
However, the proceedings have revealed that THOMAS INTERNATIONAL SYSTEMS carries out, for its own<br />
benefit, processing of the data of candidates for the position offered by Agroxarxa or, in<br />
general, by any other client. With regard to that processing, THOMAS INTERNATIONAL SYSTEMS<br />
determines the means and purposes and holds the status of controller, in accordance with<br />
Article 28(10) GDPR cited above.<br />
<br />
<br />
When carrying out the behavioural assessments commissioned by Agroxarxa, THOMAS INTERNATIONAL<br />
SYSTEMS includes a "Questionnaire" to be completed by the applicants for the job, through which<br />
the data subjects are asked for personal data relating to sex, year of birth, disability,<br />
ethnicity, mother tongue, educational level, current employment status, sector in which they<br />
currently work, current role, current management level, level of job happiness (on a scale from<br />
1 to 7), rating of their work (on a scale from 1 to 7), description of the disability (free-text<br />
field) and leadership consideration. Each question, except the description of the disability, is<br />
answered through a drop-down menu with the options the data subject can select (in the specific<br />
"Questionnaire" provided by the complainant the following options appear selected: Sex:<br />
"XXXXX"; Year of birth: "XXXX"; Disability: "XX"; Ethnicity: "XXXXXXXXXXXX").<br />
<br />
It is THOMAS INTERNATIONAL SYSTEMS that decides on the collection of these personal data and on<br />
their use for its own purposes (research and improvement of its assessments), for its own<br />
benefit. Ultimately, it is that entity that decides to carry out these processing operations,<br />
which is the same as saying that THOMAS INTERNATIONAL SYSTEMS is the entity that determines why<br />
(purpose) and how (means) such personal data are processed to achieve the intended purpose.<br />
<br />
<br />
Regarding the "means of processing", Guidelines 07/2020 of the European Data Protection Board<br />
(EDPB) on the concepts of controller and processor in the GDPR, already cited, state the following:<br />
<br />
"As regards the determination of means, a distinction can be made between essential and<br />
non-essential means. "Essential means" are traditionally and inherently reserved to the<br />
controller. While non-essential means can also be determined by the processor, essential means<br />
must be determined by the controller. "Essential means" are means closely linked to the purpose<br />
and scope of the processing, such as the type of personal data processed ("which data will be<br />
processed?"), the duration of the processing ("for how long will they be processed?"), the<br />
categories of recipients ("who will have access to them?") and the categories of data subjects<br />
("whose personal data are being processed?"). Together with the purpose of processing, the<br />
essential means are also closely linked to the question of whether the processing is lawful,<br />
necessary and proportionate. "Non-essential means" concern more practical aspects of<br />
implementation, such as the choice of a particular type of software or the detailed security<br />
measures, which may be left to the processor to decide" (the translation is ours).<br />
<br />
THOMAS INTERNATIONAL SYSTEMS holds the status of controller with regard to the collection and use<br />
of the personal data relating to ethnicity and disability to which the complaint refers, as that<br />
entity has itself acknowledged and as is accredited by the documentation incorporated into the<br />
proceedings.<br />
<br />
<br />
The "Data processing agreement" formalised by Agroxarxa and THOMAS INTERNATIONAL SYSTEMS,<br />
referred to above, provides in its clause 4 for the use of personal data by THOMAS INTERNATIONAL<br />
SYSTEMS as controller for research purposes. It expressly states:<br />
<br />
"Thomas may act as a data controller in relation to the Company's Personal Data and such<br />
processing may be carried out solely for the Permitted Research Purposes".<br />
<br />
<br />
Likewise, the Privacy Policy available on the website "***URL.1" contains the following<br />
information:<br />
<br />
"2.5 Do we use personal data in our research?<br />
We are committed to continually improving our assessments. To do this, we ask candidates to<br />
provide us with additional information, such as age group, educational level, ethnicity and<br />
similar matters. Providing this information is voluntary and is not necessary to complete an<br />
assessment.<br />
When we process any of this personal data for research, we do so as<br />
data controller.<br />
Any personal information provided to us for research will be used exclusively for research<br />
purposes and will not be disclosed to third parties…" (unofficial translation).<br />
<br />
<br />
This status of controller is also inferred from the response provided by THOMAS INTERNATIONAL<br />
SYSTEMS to the Inspection Services of this Agency, in which it states that data on ethnic origin<br />
and disability do not form part of the psychometric assessment and do not affect the results<br />
obtained by the candidate in their assessment; and that this information is used by the "Thomas<br />
International Sciences" team to ensure that its psychometric assessment tools are designed so as<br />
not to discriminate against the persons assessed.<br />
<br />
<br />
With this response, that entity provided a copy of the "Questionnaire" which data subjects<br />
(candidates for the position offered) are asked to complete, together with the prior information<br />
given to them. In that information the form is referred to as the "Thomas Research Questionnaire"<br />
and it is stated that the data will be used for research purposes, to improve its assessments.<br />
<br />
<br />
On the other hand, Agroxarxa has reported that it does not collect data on ethnicity and<br />
disability, that these data are not collected by THOMAS INTERNATIONAL SYSTEMS on its behalf, and<br />
that it is not provided with the answers contained in the form in question. Likewise, it has<br />
declared that THOMAS INTERNATIONAL SYSTEMS uses the same form for all its clients.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS, in its allegations at the opening of the procedure, has not<br />
disputed the above arguments, which were already set out in the opening agreement.<br />
<br />
IV.<br />
<br />
Personal data relating to ethnicity and disability belong, by their nature, to the special<br />
categories of data regulated in Article 9 GDPR, which establishes a general prohibition on their<br />
processing. This article provides the following:<br />
<br />
"Processing of special categories of personal data<br />
<br />
1. Processing of personal data revealing racial or ethnic origin, political opinions, religious<br />
or philosophical beliefs, or trade union membership, and the processing of genetic data,<br />
biometric data for the purpose of uniquely identifying a natural person, data concerning health<br />
or data concerning a natural person's sex life or sexual orientation shall be prohibited.<br />
<br />
2. Paragraph 1 shall not apply if one of the following applies:<br />
<br />
a) the data subject has given explicit consent to the processing of those personal data for one<br />
or more specified purposes, except where Union or Member State law provide that the prohibition<br />
referred to in paragraph 1 may not be lifted by the data subject;<br />
b) processing is necessary for the purposes of carrying out the obligations and exercising<br />
specific rights of the controller or of the data subject in the field of employment and social<br />
security and social protection law, in so far as it is authorised by Union or Member State law<br />
or a collective agreement pursuant to Member State law<br />
providing for appropriate safeguards for the fundamental rights and the interests of the data<br />
subject;<br />
c) processing is necessary to protect the vital interests of the data subject or of another<br />
natural person where the data subject is physically or legally incapable of giving consent;<br />
<br />
d) processing is carried out in the course of its legitimate activities with appropriate<br />
safeguards by a foundation, association or any other not-for-profit body with a political,<br />
philosophical, religious or trade union aim, on condition that the processing relates solely to<br />
the members or former members of the body or to persons who have regular contact with it in<br />
connection with its purposes, and that the personal data are not disclosed outside that body<br />
without the consent of the data subjects;<br />
<br />
e) processing relates to personal data which are manifestly made public by the data subject;<br />
f) processing is necessary for the establishment, exercise or defence of legal claims or<br />
whenever courts are acting in their judicial capacity;<br />
g) processing is necessary for reasons of substantial public interest, on the basis of Union or<br />
Member State law, which shall be proportionate to the aim pursued, respect the essence of the<br />
right to data protection and provide for suitable and specific measures to safeguard the<br />
fundamental rights and the interests of the data subject;<br />
h) processing is necessary for the purposes of preventive or occupational medicine, for the<br />
assessment of the working capacity of the employee, medical diagnosis, the provision of health<br />
or social care or treatment, or the management of health or social care systems and services, on<br />
the basis of Union or Member State law or pursuant to a contract with a health professional and<br />
subject to the conditions and safeguards referred to in paragraph 3;<br />
i) processing is necessary for reasons of public interest in the area of public health, such as<br />
protecting against serious cross-border threats to health or ensuring high standards of quality<br />
and safety of health care and of medicinal products or medical devices, on the basis of Union or<br />
Member State law which provides for suitable and specific measures to safeguard the rights and<br />
freedoms of the data subject, in particular professional secrecy;<br />
j) processing is necessary for archiving purposes in the public interest, scientific or<br />
historical research purposes or statistical purposes in accordance with Article 89(1), on the<br />
basis of Union or Member State law, which shall be proportionate to the aim pursued, respect the<br />
essence of the right to data protection and provide for suitable and specific measures to<br />
safeguard the fundamental rights and the interests of the data subject.<br />
<br />
<br />
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in<br />
point (h) of paragraph 2 when those data are processed by, or under the responsibility of, a<br />
professional subject to the obligation of professional secrecy under Union or Member State law<br />
or rules established by national competent bodies, or by another person also subject to an<br />
obligation of secrecy under Union or Member State law or rules established by national competent<br />
bodies.<br />
<br />
4. Member States may maintain or introduce further conditions, including limitations, with<br />
regard to the processing of genetic data, biometric data or data concerning health".<br />
<br />
<br />
In general, this provision prohibits the processing of special categories of data, unless such<br />
processing can be covered by one of the exceptions regulated in Article 9(2) GDPR.<br />
<br />
<br />
Thus, a general prohibition is established on the processing of personal data revealing ethnic<br />
or racial origin and of health-related data, such as those relating to<br />
a person's disability (Recital 35 and Article 4(15) GDPR); and paragraph 2 regulates the<br />
exceptions that lift that prohibition, some of them on the basis of Union or Member State law,<br />
which must incorporate into its own rules the adequate guarantees so that the right to data<br />
protection is respected, also respect the principle of proportionality, and establish adequate<br />
and specific measures to safeguard the fundamental rights and interests of the persons affected.<br />
<br />
<br />
Specifically, for processing of special categories of data that is necessary for the scientific<br />
research purposes referred to in letter j) of Article 9(2) GDPR, the controller must necessarily<br />
rely on a specific legal rule that covers it and, in addition, comply with the aforementioned<br />
principles and establish additional guarantees that safeguard the rights of the persons affected.<br />
<br />
In relation to the processing of health-related personal data, the seventeenth additional<br />
provision of the LOPDGDD establishes that the processing regulated in the laws it lists is<br />
covered by letters g), h), i) and j) of Article 9(2) GDPR; among those laws is the consolidated<br />
text of the General Law on the rights of persons with disabilities and their social inclusion,<br />
approved by Royal Legislative Decree 1/2013 of 29 November. Nonetheless, this does not rule out<br />
data processing carried out in application of rules other than those indicated in that<br />
additional provision.<br />
<br />
<br />
Article 89 GDPR expressly refers to "Safeguards and derogations relating to processing for<br />
archiving purposes in the public interest, scientific or historical research purposes or<br />
statistical purposes":<br />
<br />
"1. Processing for archiving purposes in the public interest, scientific or historical research<br />
purposes or statistical purposes shall be subject to appropriate safeguards, in accordance with<br />
this Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure<br />
that technical and organisational measures are in place, in particular in order to ensure respect<br />
for the principle of data minimisation. Those measures may include pseudonymisation, provided<br />
that those purposes can be fulfilled in that manner. Where those purposes can be fulfilled by<br />
further processing which does not permit or no longer permits the identification of data<br />
subjects, those purposes shall be fulfilled in that manner.<br />
<br />
(…)".<br />
<br />
<br />
The GDPR sets out the principles relating to processing in Article 5: lawfulness, fairness and<br />
transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity<br />
and confidentiality.<br />
<br />
On the other hand, once the general prohibition has been lifted under Article 9(2) GDPR, in order<br />
to legitimise the processing of special category data it is also necessary to rely on one of the<br />
cases of Article 6 of the same Regulation. This was indicated by the Article 29 Working Party<br />
(whose functions have been assumed by the European Data Protection Board) in its "Guidelines on<br />
automated individual decision-making and profiling for the purposes of Regulation 2016/679",<br />
adopted on 10/03/2017 and revised on 02/06/2018, stating that "Controllers can only process<br />
special category personal data if one of the conditions set out in Article 9(2) is met, as well<br />
as a condition of Article 6".<br />
<br />
Article 6 GDPR establishes the cases in which the processing of data is considered lawful:<br />
<br />
"Article 6. Lawfulness of processing<br />
<br />
<br />
1. Processing shall be lawful only if at least one of the following conditions is met:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for one or<br />
more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject is party<br />
or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the controller is<br />
subject;<br />
d) processing is necessary in order to protect the vital interests of the data subject or of<br />
another natural person;<br />
e) processing is necessary for the performance of a task carried out in the public interest or<br />
in the exercise of official authority vested in the controller;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the interests or<br />
fundamental rights and freedoms of the data subject which require protection of personal data,<br />
in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public<br />
authorities in the performance of their tasks.<br />
<br />
<br />
2. Member States may maintain or introduce more specific provisions to adapt the application of<br />
the rules of this Regulation with regard to processing for compliance with points (c) and (e) of<br />
paragraph 1, by determining more precisely specific requirements for the processing and other<br />
measures to ensure lawful and fair processing, including for other specific processing<br />
situations as provided for in Chapter IX.<br />
<br />
<br />
3. The basis for the processing referred to in points (c) and (e) of paragraph 1 shall be laid<br />
down by:<br />
<br />
a) Union law, or<br />
b) Member State law to which the controller is subject.<br />
<br />
<br />
The purpose of the processing shall be determined in that legal basis or, as regards the<br />
processing referred to in point (e) of paragraph 1, shall be necessary for the performance of a<br />
task carried out in the public interest or in the exercise of official authority vested in the<br />
controller. That legal basis may contain specific provisions to adapt the application of the<br />
rules of this Regulation, inter alia: the general conditions governing the lawfulness of<br />
processing by the controller; the types of data which are subject to the processing; the data<br />
subjects concerned; the entities to which the personal data may be disclosed and the purposes<br />
for such disclosure; the purpose limitation; storage periods; and processing operations and<br />
procedures, including measures to ensure lawful and fair processing, such as those for other<br />
specific processing situations as provided for in Chapter IX. Union or Member State law shall<br />
meet an objective of public interest and be proportionate to the legitimate aim pursued.<br />
<br />
<br />
4. Where the processing for a purpose other than that for which the personal data have been<br />
collected is not based on the data subject's consent or on Union or Member State law which<br />
constitutes a necessary and proportionate measure in a<br />
democratic society to safeguard the objectives referred to in Article 23(1), the controller, in<br />
order to ascertain whether processing for another purpose is compatible with the purpose for<br />
which the personal data were initially collected, shall take into account, inter alia:<br />
<br />
<br />
a) any link between the purposes for which the personal data have been collected and the<br />
purposes of the intended further processing;<br />
b) the context in which the personal data have been collected, in particular regarding the<br />
relationship between data subjects and the controller;<br />
c) the nature of the personal data, in particular whether special categories of personal data<br />
are processed, pursuant to Article 9, or whether personal data related to criminal convictions<br />
and offences are processed, pursuant to Article 10;<br />
d) the possible consequences of the intended further processing for data subjects;<br />
<br />
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation".<br />
<br />
<br />
V<br />
<br />
<br />
In the present case, THOMAS INTERNATIONAL SYSTEMS processes data relating to ethnicity and<br />
disability, so that we are dealing with processing of special categories of personal data<br />
subject to the general rule of prohibition established in Article 9(1) GDPR.<br />
<br />
<br />
On the other hand, it does not appear from the proceedings, nor has THOMAS INTERNATIONAL SYSTEMS<br />
justified, that any of the circumstances or exceptions established in paragraph 2 of that<br />
article, which lift the prohibition on processing such personal data, applies.<br />
<br />
<br />
That entity considers the exception provided for in Article 9(2)(j) applicable, on the view that<br />
the ethnicity and disability data are processed for scientific research purposes, and devotes<br />
its allegations to justifying the necessity and proportionality of that processing and the<br />
additional guarantees established to respect the right to data protection of the persons<br />
affected, among them those relating to the security, technical and organisational measures<br />
implemented, the non-communication of data to third parties, and compliance with the principles<br />
of purpose limitation, minimisation, storage limitation and data accuracy.<br />
<br />
<br />
However, THOMAS INTERNATIONAL SYSTEMS does not invoke any legal rule that covers such data<br />
processing, in the context in which it is carried out, so that the basic premise established in<br />
Article 9(2)(j) GDPR is not met, according to which the processing of special category data for<br />
scientific research purposes must be carried out "on the basis of Union or Member State law,<br />
which shall be proportionate to the aim pursued, respect the essence of the right to data<br />
protection and provide for suitable and specific measures to safeguard the fundamental rights<br />
and the interests of the data subject".<br />
<br />
<br />
In this regard, that entity has limited itself to stating that it complies with the international<br />
psychometric standards recommended by the European Federation of Psychologists' Associations<br />
(FEAP), the International Testing Commission (ITC) or the Association of Business Psychology,<br />
which are not rules "of Union or Member State law".<br />
<br />
This requirement cannot be overcome, as THOMAS INTERNATIONAL SYSTEMS claims, by the guarantees<br />
referred to in its written allegations or by compliance with the principles relating to<br />
processing, nor by the measures it claims to have taken as a result of this case, with which it<br />
has sought to improve the information offered to data subjects and to mitigate possible harm<br />
through new risk assessments.<br />
<br />
<br />
Nor has a legal basis legitimizing the processing of these data in accordance with<br />
article 6 of the GDPR been demonstrated, nor does THOMAS INTERNATIONAL SYSTEMS<br />
clearly inform the data subjects in this regard. The information contained in the<br />
Privacy Policy on this point is generic, limiting itself to listing the types of<br />
legal basis without specifying which of them corresponds to the specific processing<br />
operations carried out:<br />
<br />
“2.6 In case we are responsible for data processing: what legal basis do<br />
we have to use your personal data?<br />
<br />
We will only collect, use and share your personal data if we are convinced<br />
that we have an adequate legal basis for it. Given the variety of<br />
services we provide, we may rely on one of the following legal bases for the<br />
processing of your data:<br />
. you have consented to the use of your personal data;<br />
. the use we make of your personal data is in our legitimate interest as a<br />
business organization; in these cases, we will process your information at all times in a<br />
manner that is proportionate and respectful of your right to privacy. You will also have the right to<br />
object to the processing, as explained in section 7;<br />
. the use of your personal data is necessary to perform a contract or take steps to<br />
enter into a contract with you; or<br />
. our use of your personal data is necessary to comply with a legal obligation or<br />
pertinent regulatory…” (Unofficial translation).<br />
<br />
The data processing which is the object of these proceedings is not necessary for the<br />
performance of the contractual relationship that THOMAS INTERNATIONAL SYSTEMS<br />
formalizes with its clients as a service provider, since said processing is carried<br />
out outside that commercial relationship, for the exclusive benefit of THOMAS<br />
INTERNATIONAL SYSTEMS; nor does it respond to the fulfilment of a legal obligation;<br />
nor is a legitimate interest invoked that prevails over the fundamental rights and<br />
freedoms of the data subjects.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS has only stated in this regard that the<br />
ethnicity and disability data were collected on a voluntary and optional basis,<br />
offering the data subject the option not to respond.<br />
<br />
From this, it seems to follow that the legal basis invoked by this entity to<br />
legitimize the data processing that it carries out is the consent of the data subjects.<br />
<br />
<br />
However, in relation to the processing of personal data relating to ethnicity and<br />
disability, the giving of valid consent by the data subjects has not been<br />
demonstrated.<br />
<br />
It is true that the information offered prior to completing the form warns data<br />
subjects that "participation is entirely voluntary and you may choose to skip any<br />
question you do not want to answer", and that the informative text is followed by the<br />
buttons "I do not agree" and "Next". In addition, the dropdown of answers shown for<br />
each of the questions also includes the option "I prefer not to answer".<br />
<br />
<br />
But there is no mechanism that allows the data subject to give their consent, and<br />
the mere completion of the form, in this case, cannot be accepted as the giving of<br />
such consent.<br />
<br />
<br />
In accordance with article 9.2.a) of the GDPR, consent to the processing of special<br />
categories of personal data must be "explicit", so that a mere affirmative action<br />
from which it can be concluded that the data subject consents to the processing is<br />
not enough; it is necessary to have formal proof that said consent was given, that<br />
is, a declaration or express confirmation of consent.<br />
<br />
The most obvious way would be a written statement, although in the digital<br />
environment online forms can be enabled that could amount to valid explicit consent:<br />
filling in an electronic form, sending an email containing the consent, using an<br />
electronic signature or uploading a scanned document with a handwritten signature.<br />
Similarly, in the case of web pages, this explicit consent could be collected by<br />
inserting boxes with the options to accept and not to accept, together with a text<br />
referring to the consent that is clear to the data subject.<br />
<br />
This is how the European Data Protection Board understands it in the document<br />
"Guidelines 05/2020 on consent under Regulation 2016/679", which updates the<br />
guidelines on consent adopted by the Article 29 Working Party on 11/28/2017 and<br />
revised and approved on 04/10/2018:<br />
<br />
“91. Explicit consent is required in certain situations where there is a serious<br />
risk in relation to data protection and where it is therefore considered appropriate<br />
that there be a high level of control over personal data. Under the GDPR, explicit<br />
consent plays an important role in article 9 on the processing of special categories<br />
of personal data…<br />
<br />
92. The GDPR stipulates that the prerequisite for "normal" consent is "a statement<br />
or clear affirmative action". Since the "normal" consent requirement in the GDPR has<br />
already been raised to a higher level compared to the consent requirement referred to<br />
in Directive 95/46/EC, it should be clarified what additional efforts the data<br />
controller should make in order to obtain the explicit consent of the data subject in<br />
line with the GDPR.<br />
<br />
93. The term explicit refers to the way in which the data subject expresses consent.<br />
It means that the data subject must make an express declaration of consent. An<br />
obvious way to ensure that consent is explicit would be to expressly confirm such<br />
consent in a written statement. Where appropriate, the controller could ensure that<br />
the data subject signs the written statement, in order to remove any possible doubt<br />
or lack of proof in the future.<br />
<br />
<br />
94. However, said signed statement is not the only way to obtain explicit consent<br />
and it cannot be said that the GDPR prescribes written and signed declarations in all<br />
circumstances requiring valid explicit consent. For example, in the digital or online<br />
context, a data subject can issue the required declaration by filling out a form,<br />
by sending an email, by uploading a scanned document with their signature, or by<br />
using an electronic signature. In theory, the use of verbal statements can also be a<br />
sufficiently manifest way of expressing explicit consent; however, it may be<br />
difficult for the controller to demonstrate that all the conditions for valid explicit<br />
consent were met when the statement was recorded”.<br />
<br />
<br />
Nor are other requirements that give validity to consent met, according to the<br />
definition contained in article 4 of the GDPR:<br />
<br />
“Article 4 Definitions<br />
<br />
For the purposes of this Regulation, the following definitions apply:<br />
11. "consent" of the data subject: any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or she, by a<br />
statement or by a clear affirmative action, accepts the processing of personal data<br />
concerning him or her”.<br />
<br />
In relation to the giving of consent, account must be taken of what is<br />
established in article 6 of the GDPR and in articles 7 of the GDPR and 7 of the<br />
LOPDGDD.<br />
<br />
Article 7 "Conditions for consent" of the GDPR:<br />
<br />
<br />
"1. Where processing is based on the consent of the data subject, the controller shall<br />
be able to demonstrate that the data subject has consented to the processing of his or<br />
her personal data”.<br />
<br />
Article 6 "Processing based on the consent of the affected party" of the LOPDGDD:<br />
<br />
<br />
"1. In accordance with article 4.11 of Regulation (EU) 2016/679, the consent of the<br />
affected party is understood to be any freely given, specific, informed and<br />
unambiguous indication of wishes by which he or she accepts, either by means of a<br />
declaration or a clear affirmative action, the processing of personal data concerning<br />
him or her.<br />
2. When it is intended to base the processing of the data on the consent of the<br />
affected party for a plurality of purposes, it will be necessary to state specifically<br />
and unequivocally that said consent is granted for all of them.<br />
3. The performance of the contract may not be made subject to the affected party<br />
consenting to the processing of personal data for purposes that are not related to<br />
the maintenance, development or control of the contractual relationship”.<br />
<br />
Consent is understood as a clear affirmative act that reflects a freely given,<br />
specific, informed and unambiguous indication of the data subject's wishes to accept<br />
the processing of personal data concerning them, provided with sufficient guarantees<br />
to prove that the data subject is aware that they are giving their consent and of the<br />
extent to which they do so. And it must be given for all processing activities<br />
carried out for the same purpose or purposes, so that, where processing is for<br />
multiple purposes, consent must be given for all of them in a specific and<br />
unequivocal manner, without the performance of the contract being made subject to<br />
the affected party consenting to the processing of their personal data for purposes<br />
that are not related to the maintenance, development or control of the contractual<br />
relationship. In this regard, the lawfulness of the processing requires that the<br />
data subject be informed about the purposes for which the data are intended<br />
(informed consent).<br />
<br />
<br />
Consent must be given freely. Consent is understood not to be free when the data<br />
subject does not enjoy a true or free choice or cannot refuse or withdraw consent<br />
without prejudice; or when separate authorization of the different data processing<br />
operations is not allowed despite being appropriate in the specific case; or when<br />
the performance of a contract or the provision of a service is made dependent on<br />
consent even though it is not necessary for such performance. This occurs when<br />
consent is included as a non-negotiable part of the general conditions or when the<br />
obligation to agree to the use of personal data additional to those strictly<br />
necessary is imposed.<br />
<br />
Without these conditions, the giving of consent would not offer the data subject<br />
true control over their personal data and their destination, and the processing<br />
activity would be unlawful.<br />
<br />
The European Data Protection Board analyzed these issues in its document<br />
"Guidelines 05/2020 on consent under Regulation 2016/679", of 05/04/2020. From<br />
what is indicated in this document, it is now of interest to highlight some aspects<br />
related to the validity of consent, specifically regarding the "specific", "informed"<br />
and "unambiguous" elements:<br />
<br />
<br />
“3.2. Expression of specific will<br />
Article 6(1)(a) confirms that the data subject's consent to the processing of their<br />
data must be given "for one or more specific purposes" and that a data subject may<br />
choose with respect to each such purpose. The requirement that consent should be<br />
"specific" is intended to ensure a level of control and transparency for the data<br />
subject. This requirement has not been changed by the GDPR and remains closely<br />
linked to the requirement of "informed" consent. At the same time, it must be<br />
interpreted in line with the "granularity" requirement for obtaining "free" consent.<br />
In sum, to comply with the "specific" element, the data controller must apply:<br />
<br />
i) purpose specification as a safeguard against deviation in use,<br />
ii) granularity in consent requests, and<br />
iii) a clear separation between information related to obtaining consent<br />
for data processing activities and information relating to other matters.<br />
<br />
<br />
(…)<br />
<br />
“3.3. Manifestation of informed will<br />
The GDPR reinforces the requirement that consent must be informed. In accordance<br />
with article 5 of the GDPR, the requirement of transparency is one of the fundamental<br />
principles, closely related to the principles of fairness and lawfulness. Providing<br />
information to data subjects before obtaining their consent is essential so that they<br />
can make informed decisions, understand what they are authorizing, and, for example,<br />
exercise their right to withdraw their consent. If the controller does not provide<br />
accessible information, user control will be illusory and consent will not constitute<br />
a valid basis for data processing.<br />
If the requirements for informed consent are not met, the consent will not be valid<br />
and the controller may be in breach of article 6 of the GDPR.<br />
<br />
<br />
3.3.1. Minimum content requirements for consent to be "informed"<br />
For consent to be informed, it is necessary to communicate to the data subject certain<br />
elements that are crucial to being able to choose. Therefore, WP29 is of the opinion<br />
that, at least, the following information is required to obtain valid consent:<br />
i) the identity of the data controller,<br />
ii) the purpose of each of the processing operations for which consent is sought,<br />
iii) what (type of) data will be collected and used,<br />
iv) the existence of the right to withdraw consent,<br />
v) information on the use of the data for automated decisions in accordance with<br />
Article 22(2)(c), where relevant, and<br />
vi) information on the possible risks of data transfers due to the absence of<br />
an adequacy decision and of appropriate safeguards, as described in article<br />
46”.<br />
<br />
In the case at hand, there is no evidence that the data subjects gave valid<br />
consent covering the processing of personal data which is the object of the<br />
complaint. This entity does not even duly inform about this data processing, about<br />
its purpose and legal basis or about the right to withdraw consent, where<br />
appropriate, in accordance with Article 13 of the GDPR; nor has it established any<br />
mechanism for data subjects to give explicit consent.<br />
<br />
Regarding the information, it should be noted that only the Privacy Policy of the<br />
British parent company of the Group, Thomas International Ltd., is presented, in<br />
English, and that it does not duly inform about the legal basis of the processing or<br />
about its purpose, which is described simply by reference to research purposes.<br />
<br />
Finally, the entity THOMAS INTERNATIONAL SYSTEMS has not provided sufficient<br />
elements to determine compliance with the proportionality test required by the<br />
Constitutional Court, which would allow it to be concluded whether the processing is<br />
suitable for the intended purpose, whether or not it is necessary, and whether there<br />
are alternative, less intrusive measures.<br />
<br />
In this sense, the Constitutional Court has indicated (Judgment 14/2003, of 28<br />
January) that "to verify whether a measure restricting a fundamental right passes<br />
the proportionality test, it is necessary to verify whether it meets the following<br />
three requirements or conditions: whether such a measure is capable of achieving the<br />
proposed objective (suitability test); whether, moreover, it is necessary, in the<br />
sense that there is no other more moderate measure for achieving said purpose with<br />
equal efficacy (necessity test); and, finally, whether it is weighted or balanced,<br />
because more benefits or advantages for the general interest derive from it than<br />
harm to other goods or values in conflict (proportionality test in the strict<br />
sense)".<br />
<br />
<br />
In this regard, the principle of minimum intervention must be taken into account<br />
(art. 5.1.c) and art. 25.1 GDPR), since it is necessary to prove that there is no<br />
other more moderate measure to achieve the intended purpose with equal effectiveness,<br />
within the framework of the proactive responsibility of the data controller.<br />
<br />
<br />
Therefore, from the facts and legal grounds set forth, it follows that THOMAS<br />
INTERNATIONAL SYSTEMS carries out processing of special categories of personal<br />
data in breach of the prohibition established in Article 9 of the GDPR, without any<br />
of the exceptions provided for lifting that prohibition applying. This breach of what<br />
is established in article 9 of the GDPR gives rise to the application of the<br />
corrective powers that article 58 of the aforementioned Regulation grants to the<br />
Spanish Data Protection Agency.<br />
<br />
<br />
<br />
VI<br />
<br />
THOMAS INTERNATIONAL SYSTEMS has argued that there is no punishable<br />
infringement in the absence of intent in the act or omission that causes said<br />
infringement, adding that it has had a proactive attitude and complied with its<br />
obligations.<br />
<br />
In this regard, it should be noted, first of all, that the incident occurs within the<br />
scope of responsibility of THOMAS INTERNATIONAL SYSTEMS and this entity must<br />
answer for it. In no way can it be considered that the alleged lack of intent<br />
excludes its responsibility, especially when the infringement could have been avoided<br />
by the exercise of greater diligence. In this case, the offence committed is<br />
incompatible with the diligence that said entity is obliged to observe.<br />
<br />
<br />
This diligence must be shown in the specific case under analysis, and not in the<br />
general circumstances that the entity alleges in order to justify a proactive<br />
approach, which cannot be taken as circumstances that prevent the responsibilities<br />
deriving from the specific irregular conduct from being demanded.<br />
<br />
<br />
Accepting the approach taken by THOMAS INTERNATIONAL SYSTEMS in its<br />
allegations would amount to distorting the entire system established by the GDPR<br />
and the LOPDGDD regarding the lawfulness of the processing of personal data.<br />
<br />
It should be recalled, on the other hand, that the offence may be committed<br />
intentionally or negligently. The National Court, in its Judgment of September 21,<br />
2004 (RCA 937/2003), ruled in the following terms:<br />
<br />
<br />
"Furthermore, as regards the application of the principle of culpability, it follows<br />
(following the criterion of this Chamber in other Judgments such as that of January<br />
21, 2004, issued in appeal 1139/2001) that the commission of the offence provided for<br />
in article 44.3.d) can be both intentional and negligent... because although in<br />
punitive matters the principle of culpability governs, as can be inferred from a<br />
simple reading of Article 130 of Law 30/1992, the truth is that the expression<br />
"simple non-observance" in Art. 130.1 of Law 30/1992 allows the imposition of the<br />
sanction, without doubt in intentional cases, and also in negligent cases, the<br />
non-observance of the duty of care being sufficient”.<br />
<br />
Along these lines, it is worth mentioning the SAN of January 21, 2010, in which the<br />
Court states:<br />
<br />
<br />
“The appellant also maintains that there is no culpability in her actions. While it<br />
is true that the principle of culpability prevents the admission of strict liability<br />
in administrative sanctioning law, it is also true that the absence of intent is<br />
secondary, since this type of infringement is normally committed through careless or<br />
negligent action, which is enough to satisfy the subjective element of culpability.<br />
XXX's conduct is clearly negligent because... it must know... the obligations imposed<br />
by the LOPD on all those who handle personal data of third parties. XXX is obliged to<br />
guarantee the fundamental right to the protection of personal data of its clients and<br />
prospective clients with the intensity required by the content of that right".<br />
<br />
The principle of culpability is required in sanctioning proceedings, and thus STC<br />
246/1991 considers liability without fault inadmissible in the field of punitive<br />
administrative law. But the principle of culpability does not imply that only an<br />
intentional or voluntary action can be punished, and in this regard article 28 of<br />
Law 40/2015 on the Legal Regime of the Public Sector, under the heading<br />
"Responsibility", provides the following:<br />
<br />
"1. Only natural and legal persons, as well as, when a Law recognizes their capacity<br />
to act, the affected groups, unions and entities without legal personality and<br />
independent or autonomous estates, who are responsible for them by way of intent or<br />
fault, may be penalized for acts constituting an administrative offence".<br />
<br />
The facts set forth in the preceding Ground show that THOMAS INTERNATIONAL<br />
SYSTEMS did not act with the diligence to which it was obliged, having acted with a<br />
lack of diligence. The Supreme Court (Judgments of 16 and 04/22/1991) considers that<br />
it follows from the element of culpability "...that the action or omission,<br />
classified as an administratively punishable infringement, must be, in any case,<br />
attributable to its author, due to intent or imprudence, negligence or inexcusable<br />
ignorance". The same Court reasons that "it is not enough... for exculpation against<br />
typically unlawful conduct to invoke the absence of culpability" but that it is<br />
necessary "that the diligence that was required [be shown] by the person claiming its<br />
non-existence" (STS January 23, 1998).<br />
<br />
Also connected to the degree of diligence that the data controller is obliged to<br />
deploy in complying with the obligations imposed by the data protection regulations,<br />
the SAN of 10/17/2007 (Rec. 63/2006) can be cited, which specified: "(...) the Supreme<br />
Court has been understanding that there is imprudence whenever a legal duty of care<br />
is neglected, that is, when the offender does not behave with the required diligence".<br />
<br />
<br />
In addition, the National Court, in matters of personal data protection, has<br />
declared that "simple negligence or breach of the duties that the Law imposes on<br />
those responsible for files or data processing to be extremely diligent..." (SAN<br />
06/29/2001).<br />
<br />
<br />
It is therefore concluded, contrary to what was objected by the defendant entity,<br />
that the subjective element is present in the declared infringement.<br />
<br />
<br />
VII<br />
<br />
<br />
In the event of an infringement of the provisions of the GDPR, among the<br />
corrective powers available to the Spanish Data Protection Agency as supervisory<br />
authority, article 58.2 of said Regulation contemplates the following:<br />
<br />
"2. Each supervisory authority shall have all of the following corrective powers:<br />
<br />
(…)<br />
b) to issue a warning to a controller or processor where processing operations have<br />
infringed the provisions of this Regulation;<br />
(...)<br />
d) to order the controller or processor to bring processing operations into<br />
compliance with the provisions of this Regulation, where appropriate, in a specified<br />
manner and within a specified period;<br />
(…)<br />
<br />
i) to impose an administrative fine pursuant to article 83, in addition to, or instead<br />
of, the measures referred to in this paragraph, depending on the circumstances of each<br />
individual case;".<br />
<br />
According to article 83.2 of the GDPR, the measure provided for in letter d) above<br />
is compatible with the sanction consisting of an administrative fine.<br />
<br />
<br />
VIII<br />
<br />
<br />
It is considered that the facts set forth constitute a failure to comply with article<br />
9 of the GDPR, which implies the commission of an infringement classified in section<br />
5.a) of Article 83 of the GDPR.<br />
<br />
<br />
Article 83.5.a) of the GDPR, under the heading "General conditions for imposing<br />
administrative fines", provides the following:<br />
<br />
"5. Infringements of the following provisions shall be subject, in accordance with<br />
paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an<br />
undertaking, up to 4% of the total annual turnover of the preceding financial year,<br />
whichever is higher:<br />
<br />
a) the basic principles for processing, including the conditions for consent,<br />
pursuant to articles 5, 6, 7 and 9”.<br />
<br />
<br />
On the other hand, Article 71 of the LOPDGDD considers any breach of this Organic<br />
Law to be an infringement:<br />
<br />
"Infringements are the acts and conduct referred to in sections 4, 5 and 6 of<br />
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this<br />
Organic Law".<br />
<br />
Section 1.e) of article 72 of the LOPDGDD considers the following "very serious",<br />
for the purposes of limitation periods:<br />
<br />
<br />
"1. Based on article 83.5 of Regulation (EU) 2016/679, infringements that involve a<br />
substantial violation of the articles mentioned therein are considered very serious<br />
and will be time-barred after three years, in particular the following:<br />
<br />
e) The processing of personal data of the categories referred to in article 9 of<br />
Regulation (EU) 2016/679, without any of the circumstances provided for in said<br />
precept and in article 9 of this Organic Law applying".<br />
<br />
<br />
In order to determine the administrative fine to be imposed, the provisions of<br />
articles 83.1 and 83.2 of the GDPR must be taken into account, precepts that state:<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of administrative<br />
fines pursuant to this article in respect of infringements of this Regulation<br />
referred to in paragraphs 4, 5 and 6 shall in each individual case be effective,<br />
proportionate and dissuasive.<br />
<br />
2. Administrative fines shall, depending on the circumstances of each individual<br />
case, be imposed in addition to, or instead of, the measures referred to in article<br />
58, section 2, letters a) to h) and j). When deciding whether to impose an<br />
administrative fine and deciding on its amount in each individual case, due regard<br />
shall be given to the following:<br />
a) the nature, gravity and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing operation in question as well as the<br />
number of data subjects affected and the level of damage suffered by them;<br />
b) the intentional or negligent character of the infringement;<br />
c) any action taken by the controller or processor to mitigate the damage suffered<br />
by the data subjects;<br />
d) the degree of responsibility of the controller or processor, taking into account<br />
the technical or organizational measures implemented by them pursuant to articles<br />
25 and 32;<br />
e) any relevant previous infringements by the controller or processor;<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
g) the categories of personal data affected by the infringement;<br />
h) the manner in which the infringement became known to the supervisory authority,<br />
in particular whether, and if so to what extent, the controller or processor notified<br />
the infringement;<br />
i) where the measures referred to in article 58, paragraph 2, have previously been<br />
ordered against the controller or processor concerned with regard to the same<br />
subject matter, compliance with those measures;<br />
j) adherence to approved codes of conduct pursuant to article 40 or approved<br />
certification mechanisms pursuant to article 42, and<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the<br />
case, such as financial benefits gained, or losses avoided, directly or indirectly,<br />
from the infringement.”<br />
<br />
For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD<br />
provides:<br />
<br />
<br />
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU)<br />
2016/679 will be applied taking into account the graduation criteria established in<br />
section 2 of said article.<br />
2. In accordance with article 83.2.k) of Regulation (EU) 2016/679, the following may<br />
also be taken into account:<br />
<br />
a) The continuing nature of the infringement.<br />
b) The link between the offender's activity and the processing of personal data.<br />
c) The benefits obtained as a consequence of the commission of the infringement.<br />
d) The possibility that the conduct of the affected party could have led to the<br />
commission of the infringement.<br />
e) The existence of a merger by absorption subsequent to the commission of the<br />
infringement, which cannot be attributed to the absorbing entity.<br />
f) The affectation of the rights of minors.<br />
g) Having, when it is not mandatory, a data protection officer.<br />
h) Submission by the controller or processor, on a voluntary basis, to alternative<br />
dispute resolution mechanisms, in those cases in which there are disputes between<br />
them and any data subject”.<br />
<br />
<br />
Regarding the infringement of article 9 of the GDPR, based on the facts set out, it is considered that the sanction that would correspond is an administrative fine.<br />
<br />
The fine imposed must be, in each individual case, effective, proportionate and dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Thus, the status of small business and the turnover of THOMAS INTERNATIONAL SYSTEMS are considered in advance (it is recorded in the proceedings that said entity (…)).<br />
<br />
<br />
In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to be imposed in the present case, the following criteria are considered applicable:<br />
<br />
The following graduation criteria are considered to concur as aggravating factors:<br />
<br />
. Article 83.2.a) of the GDPR: "a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them".<br />
<br />
. The nature and gravity of the infringement, taking into account that the data subject does not clearly know the entity responsible for the processing or the use that will be made of the personal data, which affects the ability of the data subject to exercise real control over their personal data.<br />
<br />
. In relation to the duration of the infringement, it is stated in the proceedings that the Privacy Policy that includes the personal data processing actions it carries out, including those that are the subject of this procedure, is dated 07/03/2019.<br />
<br />
. The number of data subjects: the infringement affects all the data subjects who are evaluated by the entity THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
. The damage suffered by the data subjects: taking into account all the circumstances set out, it is clear that the data subjects have seen increased risks to their privacy.<br />
<br />
. Article 83.2.b) of the GDPR: "b) the intentional or negligent character of the infringement".<br />
<br />
The negligence appreciated in the commission of the infringement. In this respect, account has been taken of what was declared in the National Court Judgment of 10/17/2007 (rec. 63/2006) which, on the basis that these are entities whose activity is coupled with continuous data processing, indicates that "...the Supreme Court has been understanding that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the due diligence that is required. And in assessing the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the appellant's activity consists of the constant and copious handling of personal data, rigour and exquisite care must be insisted upon in complying with the legal provisions in this regard".<br />
<br />
It is a company that carries out personal data processing in a systematic and continuous manner in the workplace and which should take extreme care in complying with its data protection obligations.<br />
<br />
<br />
. Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to articles 25 and 32".<br />
<br />
The accused entity does not have adequate procedures in place for action in the collection and processing of personal data, as regards data relating to ethnicity and disability, so the offence is not the consequence of an anomaly in the operation of said procedures but of a defect in the personal data management system designed by the controller on its own initiative.<br />
<br />
<br />
. Article 76.2.b) of the LOPDGDD: "b) The link between the offender's activity and the processing of personal data".<br />
<br />
The close link between the activity of the offender and the performance of personal data processing. The level of implementation of the Group to which THOMAS INTERNATIONAL SYSTEMS belongs and the activity it carries out. This circumstance determines a greater degree of demand and professionalism and, consequently, of the responsibility of said entity in relation to data processing.<br />
<br />
<br />
Considering the factors set out, the valuation reached for the fine, for the infringement of article 9 of the GDPR, is 50,000 euros (fifty thousand euros).<br />
<br />
THOMAS INTERNATIONAL SYSTEMS, in its statement of allegations to the opening of the procedure, has not made any statement on the graduation criteria set out, which were set out in said agreement with the same breadth and detail.<br />
<br />
However, it has requested that, instead of sanctioning with an administrative fine, a warning be issued, considering that it has taken additional measures to avoid any incident, such as appointing a new data protection officer, carrying out a new risk analysis and impact assessment, and drafting new informative clauses on the processing involved in the "Questionnaire", in addition to reinforcing the information and training of its staff.<br />
<br />
In support of its approach, it cites various precedents processed by this Agency, mentioned in the Eighth Antecedent, in which the proceedings were closed or a warning was issued in accordance with the regulatory adaptation carried out by the responsible entity.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS highlights the actions taken by the party complained against in the precedents it cites, among them the suspension of the website involved in the facts, the updating of the data protection information offered to the data subjects, the improvement of the mechanisms for granting consent by ticking a box, the appointment of a data protection officer, or the non-commission of any previous infringement by the party complained against.<br />
<br />
Finally, it highlights that it has a proactive attitude; that all its staff are duly trained; that its activity has not caused damage to the rights of the data subjects; that it has not received any claim, incident or security breach to date; and that, upon learning of the matter, it has initiated a review of its protocols, analyses and assessments, and has proceeded to appoint proven specialists in the field.<br />
<br />
<br />
In response to these allegations, it is reiterated that, in this case, considering the seriousness of the verified infringement, the imposition of a fine is appropriate, in addition to the adoption of measures. The request made by THOMAS INTERNATIONAL SYSTEMS to apply other corrective powers that would have allowed the correction of the irregular situation, such as the warning, cannot be accepted; the warning is provided, in general, for natural persons and when the sanction would constitute a disproportionate burden (recital 148 of the GDPR).<br />
<br />
In addition, THOMAS INTERNATIONAL SYSTEMS has not justified, or even mentioned, what the similarities are between the present case and the factual situations examined in the precedents it invokes.<br />
<br />
In any case, it should be noted that the measures adopted are insufficient for the intended effects, since they do not restore the rights of the data subjects. THOMAS INTERNATIONAL SYSTEMS has not raised in any way the cessation of the conduct that violates the legal system.<br />
<br />
Nor can the measures that said entity has adopted be assessed as a mitigating factor. These measures are not adequate "to remedy the infringement and mitigate the possible adverse effects of the infringement", in the terms of article 83.2.f) of the GDPR, or "to mitigate the damage suffered by the data subjects" as a consequence of the infringement, according to section 2.c) of the same article. Mitigating the adverse effects or alleviating the damage caused by the infringements implies restoring the rights of the data subjects, which in this case entails the deletion of the ethnicity and disability data collected from the data subjects and the suspension of their collection.<br />
<br />
On the other hand, none of the graduation factors considered is attenuated by the fact that the entity THOMAS INTERNATIONAL SYSTEMS has not previously been subject to a sanctioning procedure.<br />
<br />
In this regard, the Judgment of the AN of 05/05/2021, rec. 1437/2020, indicates:<br />
<br />
"It considers, on the other hand, the non-commission of a previous infringement as a mitigating factor. Well, article 83.2 of the GDPR establishes that, for the imposition of the administrative fine, among others, the circumstance "e) any previous infringement committed by the controller or processor" must be taken into account. It is an aggravating circumstance; the fact that the precondition for its application does not exist entails that it cannot be taken into consideration, but it does not imply or allow, as the plaintiff claims, its application as a mitigating factor."<br />
<br />
According to the aforementioned article 83.2 of the GDPR, when deciding to impose an administrative fine and its amount, "any previous infringement committed by the controller" must be taken into account. It is a normative provision that does not include the non-existence of previous infringements as a factor for graduating the fine, and which must be understood as a criterion close to recidivism, although broader.<br />
<br />
Nor can it be accepted that there has been no damage to the rights of the data subjects, since they have seen an increased risk to their privacy.<br />
<br />
<br />
<br />
IX<br />
<br />
If the infringement is confirmed, it could be agreed to impose on the controller the adoption of adequate measures to adjust its conduct to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…".<br />
<br />
This act establishes the offence committed and the facts that give rise to the violation of the data protection regulations, from which it can clearly be inferred what measures are to be adopted, notwithstanding that the specific type of procedures, mechanisms or instruments to implement them corresponds to the sanctioned party, since it is the controller who fully knows its organisation and has to decide, on the basis of proactive and risk-focused responsibility, how to comply with the GDPR and the LOPDGDD.<br />
<br />
However, in this case, regardless of the foregoing, it is proposed that, in the resolution adopted, this Agency require the responsible entity to accredit, within the term to be determined, having proceeded to delete from the "Questionnaire" the collection of personal data related to the ethnicity and disability of those affected, as well as the cessation of the use of those previously collected.<br />
<br />
It is noted that failure to comply with the requirements of this body may be considered a serious administrative infringement for "not cooperating with the supervisory authority" in response to the requirements made, and such conduct may be assessed at the time of the opening of a sanctioning administrative procedure with a pecuniary fine.<br />
<br />
In view of the foregoing, the following is issued<br />
<br />
PROPOSED RESOLUTION<br />
<br />
FIRST: That the Director of the Spanish Data Protection Agency sanction THOMAS INTERNATIONAL SYSTEMS, S.A., with NIF A81603391, for an infringement of Article 9 of the GDPR, typified in Article 83.5.a) of the GDPR and classified as very serious for the purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine of 50,000 euros (fifty thousand euros).<br />
<br />
SECOND: That the Director of the Spanish Data Protection Agency impose on THOMAS INTERNATIONAL SYSTEMS, S.A., within the term to be determined, the adoption of the necessary measures to adapt its conduct to the personal data protection regulations, with the scope expressed in Legal Basis IX of this proposed resolution.<br />
<br />
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are informed that you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at 40,000 euros (forty thousand euros), and its payment will imply the termination of the procedure. The effectiveness of this reduction will be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.<br />
<br />
If you choose to proceed with the voluntary payment of the amount specified above, in accordance with the provisions of the aforementioned article 85.2, you must do so by depositing it in the restricted account no. ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the cause, for voluntary payment, of the reduction of the amount of the sanction. You must also send the proof of payment to the Sub-Directorate General of Inspection in order to proceed to close the file.<br />
<br />
By virtue of this, you are notified of the foregoing, and the procedure is made available to you so that within TEN DAYS you may allege whatever you consider in your defence and present the documents and information that you deem pertinent, in accordance with Article 89.2 of the LPACAP.<br />
926-050522<br />
B.B.B.<br />
INSTRUCTOR<br />
>><br />
<br />
SECOND: On November 18, 2022, the party complained against proceeded to pay the penalty in the amount of 40,000 euros, making use of the reduction provided for in the proposed resolution transcribed above.<br />
<br />
THIRD: The payment made entails the waiver of any action or appeal against the sanction in relation to the facts referred to in the proposed resolution.<br />
<br />
FOURTH: In the proposed resolution transcribed above, the acts constituting an infringement were set out, and it was proposed that the Director impose on the controller the adoption of adequate measures to adjust its conduct to the regulations, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…".<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants to each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning proceedings", provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or it is possible to impose a pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second has been justified, the voluntary payment by the presumed offender, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for the damage caused by the commission of the offence.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of the initiation of the procedure, and their effectiveness shall be conditional on the withdrawal or waiver of any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased by regulation."<br />
<br />
<br />
According to what has been indicated, the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO DECLARE the termination of procedure PS/00214/2022, in accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: TO REQUIRE THOMAS INTERNATIONAL SYSTEMS, S.A. to notify the Agency, within one month, of the adoption of the measures described in the legal grounds of the proposed resolution transcribed in this resolution.<br />
<br />
THIRD: TO NOTIFY this resolution to THOMAS INTERNATIONAL SYSTEMS, S.A.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the said Law.<br />
<br />
1331-281122<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00214/2022&diff=30937AEPD (Spain) - PS/00214/20222023-02-03T12:42:31Z<p>Teresa.lopez: Edits to improve conciseness and readability.</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS 00214-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00214-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=26.02.2021<br />
|Date_Decided=<br />
|Date_Published=16.01.2023<br />
|Year=<br />
|Fine=40,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 9(2) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#2<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=AGROXARXA, S.L.<br />
|Party_Link_1=https://www.agroxarxa.com/<br />
|Party_Name_2=THOMAS INTERNATIONAL SYSTEMS, S.A.<br />
|Party_Link_2=https://www.thomas.co/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA fined a talent acquisition company €40,000 for collecting ethnicity and disability data from data subjects during its aptitude testing process without a valid exception under [[Article 9 GDPR#2|Article 9(2) GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
THOMAS INTERNATIONAL SYSTEMS, S.A. (Controller 1) is a talent acquisition company that carries out aptitude testing on behalf of the entities that contract such services. In this context, AGROXARXA, S.L. (Controller 2) asked a job candidate (the data subject) to complete a behavioural survey accessible through Controller 1's website as part of a selection process.<br />
<br />
Following the instructions received, the data subject completed the assessment presented by Controller 1 on behalf of Controller 2 for the purpose of assessing their suitability for the open position in Controller 2's company. Once they had completed the survey, Controller 1 asked them to fill in a second questionnaire for the purposes of research and improvement of the evaluations. This second questionnaire collected several personal data: gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, current industry, current role, current level of leadership, level of job happiness, job rating, description of disability and consideration of leadership. For each question, except the one on the description of disability, the data subject was presented with a drop-down that included the option “''I prefer not to answer''”.<br />
<br />
Additionally, before accessing this second questionnaire, the data subject was presented with an informative text that stated that their participation was entirely voluntary, being able to skip any question they did not wish to answer.<br />
<br />
On 21 February 2021, the data subject filed a complaint with the Spanish Data Protection Authority against Controller 2 for the request for disability and ethnicity data in the questionnaire sent by its human resources department. The data subject stated that they were unaware of what use the company would make of such data. <br />
<br />
After a request from the DPA, Controller 2 provided the data protection agreement in place with Controller 1. The agreement identified Controller 1 as a data processor for the purposes of carrying out the behavioural survey on behalf of Controller 2. With respect to the second questionnaire, Controller 1 identified itself as a controller, since the questionnaire was aimed at ensuring that the assessment tools were designed in such a way that they do not discriminate against the persons being assessed.<br />
<br />
=== Holding ===<br />
The DPA held that Controller 1 processed data relating to ethnicity and disability without justifying the applicability of any of the circumstances or exceptions established in [[Article 9 GDPR#2|Article 9(2) GDPR]], and therefore did not overcome the prohibition on the processing of such personal data. <br />
<br />
Firstly, the DPA held that the exception alleged by Controller 1, that of [[Article 9 GDPR|Article 9(2)(j)]] “''scientific research purposes''”, did not apply. Controller 1 could not invoke any legal rule covering such data processing, and so did not fulfil Article 9(2)(j) GDPR, according to which the processing of special category data for scientific research purposes must be carried out 'on the basis of Union or Member State law'. <br />
<br />
The DPA also dismissed the claim that the processing of sensitive data was based on consent due to the optional nature of the survey. A mere indication of voluntariness does not meet the requirements of [[Article 9 GDPR|Article 9(2)(a) GDPR]], which states that consent to the processing of special categories of personal data must be “explicit”. Additionally, Controller 1 did not duly inform the data subject about the purpose, the legal basis or the right to withdraw consent in accordance with the provisions of [[Article 13 GDPR]], and the privacy policy was only provided in English.<br />
<br />
Secondly, the DPA held that it was unclear whether Controller 1 even had an appropriate [[Article 6 GDPR]] legal basis. The information contained in its privacy policy was too generic and limited to listing the types of legal basis, without specifying which of them corresponded to each specific processing operation carried out.<br />
<br />
Additionally, the DPA held that Controller 1 had also failed to provide sufficient evidence to prove that proportionality requirements were met. Based on the information provided, it could not be concluded whether the processing was appropriate for the proposed purpose, whether it was necessary or not, or whether there were less intrusive alternative measures.<br />
<br />
For all these reasons, the DPA found that Controller 1 had breached [[Article 9 GDPR]], imposing a sanction according to [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]] and Article 72(1)(e) Spanish Data Protection Law. The following were considered aggravating factors:<br />
<br />
* Based on Article 83(2)(a) of the GDPR: (1) The nature and gravity of the offence, given that the data subject was clearly not aware of the controller of the processing and the use to be made of the personal data. This had an impact on the ability of data subjects to exercise effective control over their personal data. (2) The duration of the infringement, since the data processing actions that are the subject of this procedure dated as early as July 2019. (3) The number of data subjects: the infringement affects all data subjects who are assessed by Controller 1. (4) The harm suffered by the data subjects: the data subjects saw increased risks to their privacy.<br />
* Based on Article 83(2)(b) of the GDPR: Negligence in the commission of the offence. The DPA understood that Controller 1 processes personal data systematically and continuously and should have taken great care to comply with its data protection obligations.<br />
* Based on Article 83(2)(d) of the GDPR: Controller 1 did not have adequate procedures in place for the collection and processing of ethnicity and disability data. The infringement was not the result of an anomaly in the operation of those procedures, but a defect in the personal data management system designed by the controller on its own initiative.<br />
* Based on Article 76(2)(b) Spanish Data Protection Law: The close link between the controller's activity and the processing of personal data.<br />
<br />
Considering the above factors, the DPA set a fine of €50,000. The DPA also ordered Controller 1 to remove from the survey the collection of personal data relating to ethnicity and disability, and to cease using the data it had previously collected on this basis. Controller 1 ended up paying €40,000, making use of the reduction for voluntary payment of the proposed penalty provided for in Spanish administrative law.<br />
<br />
== Comment ==<br />
The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according to [[Article 83 GDPR#2f|Article 83(2)(f) GDPR]]: “''Mitigating the adverse effects or mitigating the damage caused by breaches involves restoring the rights of data subjects, which in this case entails deleting the ethnicity and disability data collected from data subjects and suspending their collection''”.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/42<br />
<br />
File No.: PS/00214/2022<br />
<br />
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR VOLUNTARY PAYMENT<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency and based on the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On May 5, 2022, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against THOMAS INTERNATIONAL SYSTEMS, S.A. (hereinafter, the party complained against). Once the initiation agreement had been notified and the allegations presented had been analysed, on November 14, 2022, the proposed resolution was issued, which is transcribed below:<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: PS/00214/2022<br />
<br />
<br />
<br />
PROPOSED RESOLUTION OF SANCTION PROCEDURE<br />
<br />
In the procedure instructed by the Spanish Agency for Data Protection, and based on<br />
the following:<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On 02/26/2021, a document presented by A.A.A. (hereinafter, the complaining<br />
party) was received by this Spanish Agency for Data Protection, by which a claim is<br />
filed against the entity Agroxarxa, S.L., with NIF B25269358 (hereinafter, Agroxarxa),<br />
for the processing of personal data of special categories.<br />
<br />
The complaining party states that (...) they had to take psychotechnical tests, accessible<br />
through a link from an entity specialized in these services. As they claim, in one of the<br />
forms used to carry out the process, sensitive data (disability and ethnicity) was<br />
requested, without knowing the use that the company would make of this data. It adds that<br />
the completion of these forms was required by the Agroxarxa Human Resources department.<br />
<br />
<br />
They provide a screenshot of the questionnaire in which the disputed data is requested,<br />
available on the web "***URL.1" (hereinafter "Thomas Research Questionnaire" or<br />
"Questionnaire"), the content of which is outlined in the Second Proven Fact. In its<br />
upper left corner is the logo of the entity "Thomas International Ltd.", to which said<br />
form belongs according to the indication inserted therein ("Copyright"). In the<br />
screenshot provided by the claimant, the options detailed in the Sixth Proven Fact are<br />
selected.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/42<br />
<br />
SECOND: During the phase of admission for processing of the claim under review, the<br />
General Subdirectorate of Data Inspection accessed the Privacy Policy of the entity<br />
"Thomas International Ltd.", dated 07/03/2019 and written in English (the content of<br />
this document, insofar as it is relevant to the present procedure, is outlined in the<br />
Fourth Proven Fact).<br />
<br />
<br />
THIRD: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the<br />
Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the<br />
claim was transferred to the entity Agroxarxa so that it could analyze it and inform<br />
this Agency, within one month, of the actions carried out to comply with the<br />
requirements established in the data protection regulations.<br />
<br />
The period granted to Agroxarxa for this purpose elapsed without this Agency receiving<br />
any written response.<br />
<br />
<br />
FOURTH: On 06/29/2021, in accordance with article 65 of the LOPDGDD, the claim<br />
presented by the complaining party was admitted for processing.<br />
<br />
FIFTH: In view of the facts reported in the claim and the documents provided by the<br />
complaining party, the General Subdirectorate of Data Inspection proceeded to carry out<br />
preliminary investigation actions to clarify the facts in question, by virtue of the<br />
investigative powers granted to supervisory authorities in article 57.1 of Regulation<br />
(EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance<br />
with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD. The<br />
inspection services of the AEPD carried out the following actions:<br />
<br />
<br />
1. The Inspection Services of this Agency sent Agroxarxa a request for information,<br />
which said entity answered by means of a written submission dated 12/21/2021, in which<br />
it reports the following:<br />
<br />
. (…).<br />
<br />
<br />
. In reference to the personnel selection process, it notes that it does not request or<br />
require candidates to include in their CVs personal data concerning race, ethnicity or<br />
disability.<br />
<br />
It explains the process it follows to select the finalists, who are asked to complete a<br />
"behavioral survey" with the aim of knowing whether the candidate fits, in terms of<br />
skills and competencies, the conditions required for the job. This is done through the<br />
platform owned by the company "Thomas International Ltd", which informs of its terms<br />
and conditions, privacy policy, cookies and other legal requirements in the email that<br />
candidates receive to complete the survey.<br />
<br />
Once the candidates complete the survey on the "Thomas International Ltd." platform,<br />
and based on the analysis of the result it issues, a final interview is held to select<br />
the person to be hired.<br />
<br />
. In reference to the information provided to the candidates.<br />
<br />
<br />
The company "Thomas International Ltd.", when sending the email to participate in the<br />
survey, sends the link to its policies, where the processing of data can be seen in<br />
detail.<br />
<br />
<br />
Agroxarxa incorporates one of these emails as an example, whose text is the following:<br />
<br />
“Dear…<br />
…(name), from Agroxarxa, SLU has invited you to complete a brief evaluation of<br />
behaviour.<br />
Click on the following link or copy and paste it into your browser to start the<br />
evaluation<br />
<br />
https://open.***URL.1/Login/Login...<br />
There is a possibility that you will be asked to enter the following user data and<br />
password:<br />
User…<br />
Password…<br />
Visit the Thomas candidate area https://www.***URL.1/en-us/candidates.aspx for<br />
Learn more about this evaluation.<br />
Regards<br />
… (Name)<br />
Agroxarxa, SLU<br />
<br />
… (phone)<br />
rrhh_desenvolupament@Agroxarxa.com<br />
See our privacy policy www.***URL.1/es-es/Privacycookies.as.x”<br />
<br />
According to Agroxarxa, this makes it clear that "the information available to the<br />
candidates and the processing of data is informed by the company, not Agroxarxa, SLU".<br />
<br />
. In reference to the contract signed with "Thomas International Ltd.".<br />
<br />
<br />
The entity's representatives provide a copy of the service provision contract and the<br />
data processing contract ("Data Processing Agreement") signed on 05/30/2018 with the<br />
entity THOMAS INTERNACIONAL SYSTEMS, S.A. (hereinafter THOMAS INTERNATIONAL SYSTEMS).<br />
The content of this "Data Processing Agreement", insofar as it concerns this procedure,<br />
is detailed in the Third Proven Fact.<br />
<br />
. In reference to the reason why "Thomas International Ltd." collects ethnicity and<br />
disability data.<br />
<br />
As indicated by the representatives of Agroxarxa, this data is not expressly collected<br />
for the entity. Thomas International Ltd. uses the same "Questionnaire" for all its<br />
customers.<br />
<br />
<br />
In addition, the data requested in the "Questionnaire" regarding "disability" and<br />
"ethnic group" are voluntary; the person surveyed can choose the option "I prefer not<br />
to answer". They provide an image of said "Questionnaire", whose content coincides with<br />
that described in the Second Proven Fact. The answers shown in this image are the<br />
following:<br />
<br />
. Sex: "Female".<br />
. Year of birth: "2017".<br />
. Disability: "I prefer not to answer."<br />
. Ethnicity: "I prefer not to answer."<br />
<br />
Thomas International Ltd. only has the information that candidates contribute<br />
voluntarily, without it being mandatory or necessary for Agroxarxa to have the data in<br />
question. Agroxarxa at no time has requested that this information be collected for any<br />
selection process.<br />
<br />
Therefore, "Thomas International Ltd." only has information regarding ethnicity and<br />
disability when the candidate provides it expressly, completely voluntarily and in an<br />
informed manner, without this information being provided to Agroxarxa, to which only<br />
the corresponding skills and competency profile report is sent, but never the answers.<br />
<br />
. In reference to the processing carried out by Agroxarxa with the data related to<br />
ethnicity and disability, and the retention period.<br />
<br />
The application of "Thomas International Ltd." is not expressly designed for Agroxarxa's<br />
selection processes; Agroxarxa (like the rest of the clients) does not participate in<br />
the preparation of the forms used by said company.<br />
<br />
That is why Agroxarxa does not collect, process or keep data related to ethnicity and<br />
disability.<br />
<br />
. In reference to the data contained in Agroxarxa relating to the complaining party.<br />
<br />
It does not have data related to ethnicity or disability of the complaining party. (…).<br />
<br />
<br />
<br />
With its response, Agroxarxa provided a copy of two reports as an example of the<br />
information about the candidates that "Thomas International Ltd." provides to<br />
Agroxarxa:<br />
<br />
a) The first of them contains some graphics and scores related to "Work mask",<br />
"Behavior under pressure" and "Self-image".<br />
<br />
b) The second describes the "APP Profile" of the person assessed in relation to<br />
"Self-image", "Self-motivation", "Work emphasis", "Descriptive words", "Mask" ("how<br />
others see you"), "Behavior under pressure" and "General comments".<br />
<br />
<br />
2. On 12/30/2021, the Inspection Services of this Agency sent Agroxarxa a new request<br />
for information, which was answered as follows:<br />
<br />
. In the selection process, Agroxarxa at no time gives data to the entity "Thomas<br />
International Ltd.", but hires this company to carry out an analysis of skills and<br />
competencies.<br />
<br />
The only data that Agroxarxa communicates to "Thomas Internacional Ltd." are the name<br />
and surname and contact email, used to facilitate access to the platform.<br />
<br />
<br />
. It is in its interest to proceed to a reassessment of the personnel selection process<br />
and protocol, with the aim of simplifying and improving the process, as well as<br />
providing candidates with more and better information.<br />
<br />
<br />
<br />
3. (…):<br />
<br />
Its activity is to provide psychometric tools for companies to apply in their<br />
evaluation and recruitment processes.<br />
<br />
<br />
On 05/30/2018, a "Data Processing Agreement" was signed with the company Agroxarxa (a<br />
copy is provided).<br />
<br />
(…).<br />
<br />
<br />
In the contract signed between the parties (Annex 1), it is contemplated that "Thomas<br />
International" will process, on Agroxarxa's instructions, the personal data of the<br />
candidates selected by it, and that this data will be stored and controlled by the data<br />
controller, Agroxarxa, in the "Thomas International" hub that it has previously<br />
contracted. Agroxarxa has tools for the maintenance of the personal data resulting from<br />
the evaluation processes, for the time that Agroxarxa deems appropriate.<br />
<br />
In section 2.3 of the Contract it is specified that Agroxarxa is the one who controls<br />
the personal data entered into the evaluation systems of Thomas International Ltd.<br />
through the tools provided by it, and that the data of the candidates (results of the<br />
evaluations) will be processed at Agroxarxa's instruction, with Agroxarxa having the<br />
only access to the results processed by the "Thomas International" systems.<br />
<br />
In section 2.4 it is indicated that Agroxarxa is the controller of the personal data<br />
that are entered into the evaluation processes of "Thomas International" so that they<br />
are processed and evaluation results are obtained, which are analyzed and received by<br />
Agroxarxa for the development of its business activity. Likewise, Agroxarxa has<br />
previously contracted tools for sole and exclusive access to the "Thomas International"<br />
hub (where the results of the evaluations are held) to analyze, view, delete, maintain,<br />
etc. the information processed by "Thomas International" at Agroxarxa's instruction.<br />
<br />
According to section 3.1.1, the "Thomas International" systems process the personal<br />
data of Agroxarxa candidates at its instruction and following the instructions provided<br />
by it.<br />
<br />
<br />
And section 3.1.2 stipulates that "Thomas International" acts according to the<br />
instructions provided by the client, Agroxarxa.<br />
<br />
Section 3.2 provides that they must promptly comply with the instructions provided by<br />
Agroxarxa.<br />
<br />
In section 4 Agroxarxa authorizes "Thomas International Ltd." to send a form for<br />
permitted research purposes, to be filled out voluntarily and anonymously by the people<br />
who access the procedures authorized and contracted by Agroxarxa, provided that the<br />
three conditions of sections 4.1, 4.2 and 4.3 are complied with.<br />
<br />
<br />
THOMAS INTERNATIONAL SYSTEMS ends by noting that, according to the agreement signed<br />
between the parties, "Thomas International" is not obliged to provide information to<br />
the candidates who are going to be evaluated for Agroxarxa, which is the owner of the<br />
information relating thereto, and "Thomas International Ltd." only processes the<br />
information that is provided by Agroxarxa and at its request. "Thomas International<br />
Ltd." does not know the personal data of the candidates who are going to be evaluated<br />
according to the needs determined by Agroxarxa in its policies for the evaluation of<br />
candidates for certain jobs.<br />
<br />
In relation to the data on ethnic origin and disability, it indicates that they are<br />
collected voluntarily and optionally, with the option not to respond. Any information<br />
collected through this optional survey is part of the psychometric evaluation and does<br />
not affect the results obtained by the candidate in their evaluation. All the<br />
information collected by the aforementioned optional survey would be used by the<br />
"Thomas International Sciences" research team to ensure that their psychometric<br />
assessment tools are designed in such a way that they do not discriminate against the<br />
people evaluated.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS provides a copy of the form "authorized by Agroxarxa to be<br />
sent to the personnel who access the systems of Thomas International Ltd. according to<br />
the assumptions of section 4" ("the Questionnaire"), whose content coincides with that<br />
outlined in the Second Proven Fact, and a copy of the following prior information that<br />
it provides. After the informative text, the "I disagree" and "Next" buttons are<br />
included.<br />
<br />
SIXTH: On 04/25/2022, the General Sub-Directorate of Data Inspection accessed the<br />
information available about the entity THOMAS INTERNACIONAL SYSTEMS in "Axesor". (…).<br />
<br />
SEVENTH: On May 5, 2022, the Director of the Spanish Agency for Data Protection agreed<br />
to initiate sanction proceedings against THOMAS INTERNACIONAL SYSTEMS, in accordance<br />
with the provisions of articles 63 and 64 of the LPACAP, for the alleged violation of<br />
article 9 of the GDPR, typified in article 83.5.a) of the aforementioned Regulation,<br />
and classified as very serious for limitation purposes in article 72.1.e) of the<br />
LOPDGDD.<br />
<br />
<br />
In the initiation agreement it was determined that the sanction that could apply, in<br />
view of the evidence existing at the time of initiation and without prejudice to what<br />
might result from the investigation, would amount to a total of 50,000 euros.<br />
<br />
Likewise, it was warned that the alleged infringements, if confirmed, could entail the<br />
imposition of measures, in accordance with the aforementioned article 58.2 d) of the<br />
GDPR.<br />
<br />
EIGHTH: Once the aforementioned initiation agreement had been notified in accordance<br />
with the provisions of the LPACAP, THOMAS INTERNATIONAL SYSTEMS submitted a brief of<br />
allegations in which it requests the dismissal of the procedure or, alternatively, that<br />
a warning be issued, based on the following considerations:<br />
<br />
<br />
1. On the actions of THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS is a Spanish company that provides services to different<br />
entities in Spain consisting of facilitating the use of the platform "www.***URL.1",<br />
specialized in the evaluation, training and consulting of said clients' users. Client<br />
entities access a restricted area on the platform using a username and password and<br />
are in charge of managing the candidates, selecting those who perform the evaluations,<br />
and obtaining the final reports made on said evaluations.<br />
<br />
Based on the foregoing, it concludes that THOMAS INTERNATIONAL SYSTEMS has not carried<br />
out any processing of the complaining party's personal data.<br />
<br />
2. On the actions of "Thomas".<br />
<br />
The "Thomas International group", as a group, and specifically the parent company<br />
"Thomas International Limited LTD", provides psychometric, evaluation, training and/or<br />
auditing services to those clients who contract it through the platform www.***URL.1.<br />
<br />
Said platform offers said psychometric evaluation services in compliance with all<br />
current legislation, the strictest international psychometric standards, and the<br />
strictest technical, organizational and legal security measures in general, and<br />
especially in matters of data protection and psychometrics.<br />
<br />
Precisely, one of the measures adopted to guarantee compliance with international<br />
psychometric standards and norms is the "Thomas Research Questionnaire" that is the<br />
object of this procedure, which is carried out completely independently of user<br />
evaluations: only once the evaluation is finished and irreversibly closed is the user<br />
offered the "Questionnaire". The user can choose to do it or not, with neither its<br />
completion nor its responses having any conditioning effect or consequence; the<br />
responses are not shared with client entities or with third parties.<br />
<br />
The sole purpose of this "Questionnaire" is to be able to comply with the international<br />
psychometric standards required by international regulations and protocols, as well as<br />
to be able to guarantee the reliability of the evaluations and demoscopic questionnaires<br />
carried out by "Thomas International" through its platform.<br />
<br />
Customers are informed about this questionnaire through the data processing agreement<br />
(clause 4). Users are also informed: before completing it, they access a notice stating<br />
that "Thomas International" is the controller of it, that its purpose is scientific<br />
research, that whether or not it is completed is independent of, and has no bearing on,<br />
any evaluation carried out previously, that the information is processed anonymously<br />
and confidentially, and that no information will be shared with the entity or person<br />
that invited them to carry out the evaluation (in no case are the data collected<br />
through the "Questionnaire" known by the clients of the platform or other third<br />
parties, nor even by partners or employees of the Group).<br />
<br />
On this issue of transparency in the data processing that the "Questionnaire" entails,<br />
THOMAS INTERNATIONAL SYSTEMS states that it has engaged new professionals and a new<br />
DPO to perfect compliance with data protection regulations. It provides a copy of the<br />
new informative clause, which is reproduced in the Second Proven Fact.<br />
<br />
3. On the lawfulness of the processing of the questionnaire.<br />
<br />
The processing of personal data carried out in the "Questionnaire" that is the object<br />
of this file is carried out lawfully and in accordance with the provisions of article<br />
9.2 j) of the GDPR, in relation to article 89.1 of the same Regulation, and other<br />
regulations applicable to the sector in which the entity operates.<br />
<br />
<br />
The "Thomas International" company, prior to carrying out the "Questionnaire", has<br />
taken all necessary technical, organizational and legal measures to:<br />
<br />
a) Process sensitive data exclusively for the purpose of scientific research and to<br />
comply with the requirements of international psychometric standards and norms, in<br />
order to guarantee the reliability required in its evaluations (purpose limitation),<br />
without the entity obtaining any benefit from completion of the questionnaire.<br />
b) Process, in any case, the minimum data possible to fulfill said purposes and needs.<br />
The "Thomas Research Questionnaire" is carried out by the minimum number of people<br />
necessary, for the time strictly necessary, and only the data strictly necessary for<br />
the fulfillment of the indicated purpose is processed, scrupulously observing the<br />
principle of data minimization and anonymization of identifying data. It applies robust<br />
pseudonymization and anonymization processes to its processing.<br />
c) Apply all technical, organizational and legal measures necessary for the correct<br />
processing of said information, establishing a robust system of information<br />
minimization, access restricted to professional registered psychologists who have duly<br />
signed the necessary information-use rules, confidentiality agreements and codes of<br />
ethics, and also applying a system of anonymization of the information obtained,<br />
previously tested and continuously monitored.<br />
<br />
d) Apply equally robust security systems, encrypting the "Questionnaire" and applying<br />
the highest security measures that guarantee the confidentiality, integrity and<br />
availability of the information. Once completed, the form is stored on the entity's<br />
encrypted servers, with the highest security measures and anonymously, in three<br />
tables. The system has obtained ISO 9001 certification.<br />
e) Analyze and evaluate in advance all possible risks and incidents, adopting the<br />
measures necessary to detect and/or mitigate any incident, and complying with all<br />
measures and/or obligations regarding data protection, specifically the principles<br />
established in article 5 of the GDPR.<br />
f) Respect the principle of data accuracy: the need for accuracy in the evaluations<br />
provided by "Thomas" through its platform makes the existence of the "Thomas Research<br />
Questionnaire" necessary. Likewise, all necessary measures have been established to<br />
ensure accuracy in the collection, storage and conservation of the processed data.<br />
g) Keep the data strictly for the purpose described. By anonymizing the data and<br />
irreversibly severing the identifying data from the responses given, the minimum<br />
retention period is fully guaranteed, as personal data is securely and irreversibly<br />
destroyed immediately in the three-table system. Therefore, only non-personal data<br />
that meet the purpose of scientific research and compliance with the required<br />
scientific standards are kept.<br />
<br />
<br />
In relation to the lawfulness and fairness of the questionnaire's data processing, it<br />
indicates the following:<br />
<br />
The data requested through the "Questionnaire", among which is sensitive data (such as<br />
ethnicity and possible disabilities), is necessary to comply with the requirements of<br />
international psychometric standards and regulations, so that the evaluations carried<br />
out on the platform measure with scientific rigor what they claim to measure, do so<br />
accurately and do so fairly, and at the same time ensure that they cover the right<br />
demographic and that no discrimination occurs, as required by the international<br />
standards and norms listed below:<br />
<br />
<br />
. The "Questionnaire" is validated in accordance with the Guidelines of the European<br />
Federation of Psychologists' Associations (FEAP, or EFPA in its English acronym:<br />
European Federation of Psychologists Associations). EFPA is a European organization to<br />
which most European psychology associations belong. Its test review model is used<br />
throughout Europe and serves as a tool to evaluate psychometric assessments from two<br />
points of view: on the one hand, to check whether a group or sample is representative<br />
of a broader population and to calculate the relative position of examinees within that<br />
sample; and on the other hand, to ensure the fairness of the test.<br />
<br />
. The International Test Commission (ITC) Guidelines on the use of tests, which also<br />
refer to the fairness of tests, whether they are fair for use with various groups, and<br />
the need to monitor changes in the population through the demographic information<br />
provided by test takers.<br />
<br />
<br />
. Code of Conduct of the Business Psychology Association ***URL.2.<br />
<br />
It adds that the information collected is necessary, according to the aforementioned<br />
survey formulation (CIT, or ITC in its English acronym), since it makes it possible to<br />
ensure, through anonymous statistical studies, that its psychometric assessment tools<br />
(personality, intelligence, aptitudes, emotional intelligence, etc.) do not<br />
discriminate against the people evaluated, precisely for reasons of ethnicity or<br />
disability, among other circumstances. Therefore, it understands that "Thomas<br />
International", as designer of the evaluations and questionnaires, is legitimized and<br />
protected in its objectives by article 89.1 of the GDPR, which accepts the collection<br />
of data for research and global statistical purposes, with the guarantee that this data<br />
is anonymized and that it is impossible to associate it with a specific candidate,<br />
through the aforementioned CIT.<br />
<br />
The relevance of the activity of "Thomas International" and its CIT survey is based on<br />
the requirements of guaranteeing good practice in the design, development and<br />
monitoring of psychometric tests, according to the standards defined by the BPS<br />
(British Psychological Society), the EFPA (European Federation Psychologists<br />
Associations) or the COP (Official Association of Psychologists), which ensure good<br />
practice in psychometrics, certify the validity and reliability of a test, and require<br />
that quality standards be kept up to date through macro-statistical studies carried out<br />
in parallel throughout the technical life of these tests, using statistical<br />
meta-analyses that are necessarily anonymous, global and longitudinal. A new standard<br />
has recently emerged in this field, ISO 30414 Human Resources Management, which results<br />
in the requirement of adequate use of psychometric tests, as well as the requirement of<br />
their discriminating power.<br />
<br />
In addition, it adds that "Thomas International" carried out the necessary impact<br />
analyses and assessments, having assessed the proportionality of the data processing<br />
and its necessity for scientific research, before carrying out the platform<br />
evaluations.<br />
<br />
Likewise, both the evaluations and the questionnaires have been designed exclusively by<br />
prestigious registered psychology professionals who carry out their activity at<br />
"Thomas International", and who are the only ones who handle the questionnaire data.<br />
These professionals are bound by confidentiality agreements and strict compliance with<br />
international psychometric standards and regulations.<br />
<br />
4. Bearing in mind that (...) without any discrimination, they did not suffer any<br />
infringement or damage (...), without having expressed any objection to the processing<br />
of the "Thomas Research Questionnaire"; that Agroxarxa did not know whether or not the<br />
interested party completed said "Questionnaire" or what they answered; that "Thomas<br />
International" has not obtained any benefit or harm; and has not had any claim or<br />
incident; THOMAS INTERNATIONAL SYSTEMS understands that there is no infringement and/or<br />
breach of data protection.<br />
<br />
5. On the non-existence of unlawfulness in the processing of information: THOMAS<br />
INTERNATIONAL SYSTEMS also understands that the processing of sensitive personal data<br />
is carried out in accordance with article 9.2 j) of the GDPR, and that once the data<br />
has been anonymized, it cannot be considered that there is processing of personal data.<br />
<br />
6. On the lack of intent and/or fault of "Thomas International": for there to be a<br />
punishable offence, there must be not only an unlawful act but also intent in the act<br />
or omission that causes it, as stated in the Resolutions and Judgments of the National<br />
High Court of 02/25/2010 (which establishes that strict liability is not admissible in<br />
administrative sanctioning law, being proscribed since STC 76/1999; Judgment of the<br />
National High Court of 04/29/2010), 04/29/2020, 10/19/2010 and 02/10/2011.<br />
<br />
<br />
"Thomas International" has had a proactive attitude, compliant with its data protection<br />
obligations in all the processing it carries out, applying the highest security<br />
standards to its processing.<br />
<br />
7. On the absence of seriousness on the part of "Thomas International": in the hypothetical case<br />
that it were considered that "Thomas International" had not provided correct information, and in the<br />
alternative, the conduct of "Thomas International" cannot be sanctioned as a serious<br />
infringement, since all the circumstances that concur in the present case, and which have been<br />
accredited, lead to the conclusion that there is no serious infringement at all.<br />
<br />
<br />
In addition, as a result of what it has learned in this case, it has taken additional measures<br />
to avoid any incident or infringement, such as appointing a new Data Protection Officer<br />
of proven experience and knowledge (ANNEX No. 15); initiating a new risk analysis and<br />
impact assessment of its personal data processing in order to identify possible risks and<br />
apply the measures necessary to avoid and/or mitigate harm; drafting new information<br />
clauses on the processing carried out through the "Thomas Research Questionnaire"; and<br />
reinforcing the information and training of all the agents involved in the processing of<br />
personal data, such as clients, registered psychologists and technical staff, and the persons<br />
who agree to complete the evaluations and questionnaires.<br />
<br />
It therefore considers that the provisions of Recital 148 GDPR apply, as reflected in the<br />
following AEPD resolutions:<br />
<br />
a) In the resolution issued in proceedings E/00660/2020, concerning a very serious<br />
infringement for unlawful data processing, account was taken of the steps to adapt to the<br />
regulations that had been carried out before the complaint was lodged with the AEPD.<br />
<br />
<br />
b) In proceedings PS/00077/2021 and PS/00416/2020, concerning serious infringements<br />
arising from security breaches, a warning was imposed on account of the measures adopted<br />
to resolve the problem and of the suspension of the website involved in the events, which was<br />
migrated to another server, with measures adopted to avoid events similar to those that gave<br />
rise to the complaint.<br />
<br />
c) In the proceedings filed under number E/05039/2018, the sanctioning procedure<br />
was converted into a closure of the file in view of the measures adopted to solve the<br />
problem and the low relevance of the deficiencies.<br />
<br />
d) In proceedings PS/00040/2021, PS/00041/2021, PS/00067/2021,<br />
PS/00071/2021, PS/00240/2020, PS/00366/2020, PS/00285/2020, PS/00311/2020,<br />
PS/00355/2020, PS/00371/2020, PS/00381/2020, PS/00399/2020, PS/00414/2020,<br />
PS/00441/2020, PS/00453/2020, PS/00454/2020, PS/00455/2020, PS/00457/2020 and<br />
PS/00490/2020, the sanctioning procedure resulted in a warning on grounds such as<br />
the following:<br />
<br />
<br />
. It is verified that the party complained against updated the information.<br />
. The privacy policy was drawn up after the complaint.<br />
. Consent is express, because the processing of the data is based on the consent given by<br />
filling in and submitting the form and ticking the box accepting the data processing<br />
(PS/00040/2021).<br />
. The fine is considered disproportionate for the party complained against, whose main<br />
activity is not directly linked to the processing of personal data, and there is no record of<br />
any previous infringement of data protection law (PS/00041/2021 and others).<br />
. The provisions of Article 58(2) GDPR are complied with (PS/00067/2021 and others).<br />
. Absence of intent; adoption of measures to comply with the GDPR; appointment of a DPO;<br />
no repeat offence; appropriate and reasonable measures have been taken to avoid incidents<br />
such as the one complained of (PS/00071/2021).<br />
. Rectification, once the proceedings had been initiated, of the deficiency found in the<br />
existing form on the website, with acceptance of the privacy conditions before the form is<br />
sent and a box enabled to consent to the sending of commercial communications<br />
(PS/00311/2020).<br />
. There is no record of any previous infringement of data protection law.<br />
. The privacy policies were duly modified.<br />
<br />
Finally, it stresses that it has a proactive attitude; that all its staff are duly trained;<br />
that its activity has caused no harm to the rights of the data subjects, who have not lodged<br />
any complaint or reported any incident or security breach to date; and that, upon learning<br />
of the matter, it has begun a review of its protocols, analyses and assessments and has<br />
appointed proven specialists in the field.<br />
<br />
<br />
With its allegations, it provides the following documentation:<br />
<br />
. Contract signed with Agroxarxa.<br />
. Partner agreement between "Thomas IS" and "Thomas LTD".<br />
. Explanation, in three tables, of the anonymisation and minimisation process applied to<br />
the "Thomas Research Questionnaire".<br />
. Protocols and security policy applied, including a version of the Privacy Policy dated<br />
03/31/2020.<br />
. EFPA Guidelines.<br />
. ICT Guidelines.<br />
. Code of conduct.<br />
. Executive summary of Thomas International's practices and GDPR compliance.<br />
. Protocol for the preparation of tests for dyslexia and occupational tests.<br />
. Deontological Code.<br />
. Psychologist contract.<br />
<br />
<br />
<br />
PROVEN FACTS<br />
<br />
<br />
<br />
FIRST: The entity THOMAS INTERNATIONAL SYSTEMS provides evaluation and<br />
consultancy services in personnel selection processes carried out by the entities that<br />
contract those services.<br />
<br />
The evaluation of candidates by THOMAS INTERNATIONAL SYSTEMS requires them to<br />
complete behavioural tests or surveys accessible through that entity's website, "***URL.1",<br />
in order to assess, on the basis of the information obtained, the candidate's suitability for<br />
the position offered.<br />
<br />
The entity running the selection process makes a pre-selection of the candidates to be<br />
evaluated by THOMAS INTERNATIONAL SYSTEMS. These finalist candidates receive an<br />
email from the latter with instructions for accessing its platform, the "candidate area", in<br />
order to complete the survey. The email states the username and password to be used for<br />
access and includes a link to start the evaluation, as well as other links leading to the<br />
information available in the "candidate area" and to the Privacy Policy available on the<br />
website "***URL.1".<br />
<br />
As a result of the provision of the service, THOMAS INTERNATIONAL SYSTEMS provides<br />
client entities with a report or profile of the candidate's skills and abilities.<br />
<br />
SECOND: Once the candidates have finished completing the tests necessary for the<br />
evaluation, THOMAS INTERNATIONAL SYSTEMS asks them to fill in a further<br />
questionnaire, which it calls the "Thomas Research Questionnaire", containing questions<br />
on sex, year of birth, disability, ethnicity, mother tongue, educational level, current<br />
employment status, sector in which they currently work, current role, current level of<br />
management responsibility, level of happiness in the job (on a scale from 1 to 7), rating of<br />
their work (on a scale from 1 to 7), description of the disability (free-text field) and views<br />
on leadership. To answer each question, except the description of the disability, a<br />
drop-down list is shown with the options the data subject can select, including the option<br />
"I prefer not to answer".<br />
<br />
Before completing this "Questionnaire", the data subjects are shown the following<br />
information on the protection of personal data:<br />
<br />
"Thank you for completing the form.<br />
A notification has been sent to the person who invited you to take the assessment. Please<br />
contact them for more information about this Thomas assessment.<br />
Welcome to the Thomas Research Questionnaire.<br />
At Thomas International, we are committed to the continuous improvement of our<br />
assessments. As part of our research and development initiative, we ask that you<br />
provide us with information to help us improve our assessments. The information<br />
collected will be used for research purposes only and will not be provided to your employer.<br />
Our psychologists abide by ethical guidelines and all information we collect will be kept<br />
confidential and only aggregate results will be reported. Participation is entirely<br />
voluntary and you can choose to skip any question you do not want to answer."<br />
<br />
After the informative text appear the buttons "I do not agree" and "Next".<br />
<br />
The entity THOMAS INTERNATIONAL SYSTEMS, in its allegations at the opening of the<br />
procedure, reported that the above information clause has been modified and now reads<br />
as follows:<br />
<br />
"Thank you for completing the form.<br />
A notification has been sent to the person who invited you to take the assessment. Please<br />
contact them for more information about this Thomas assessment.<br />
Welcome to the Thomas Research Questionnaire.<br />
At Thomas International we are committed to the continuous improvement of our<br />
assessments. As part of this, Thomas International, as data controller, regularly conducts<br />
research to ensure that our assessments are valid, reliable and, above all, fair. This allows<br />
us to ensure that we adhere to international best-practice standards. We would appreciate<br />
your help in this important research by filling in the following questionnaire.<br />
Completion of the questionnaire is voluntary and independent of the person who asked you<br />
to take the assessment. In no case will the information in this questionnaire be passed to<br />
the person who invited you to take that assessment. The information collected in this<br />
questionnaire will be used solely for scientific research purposes, will be processed only by<br />
Thomas International registered psychologists and will be processed anonymously. To<br />
exercise your rights and/or for more information, consult our privacy policy (***URL.3) or<br />
contact our Data Protection Officer at ***EMAIL.1. Our psychologists are governed by<br />
ethical guidelines and all information we collect will be kept confidential and only<br />
anonymous aggregate results will be communicated. Participation is completely voluntary<br />
and you can choose to skip any questions you do not want to answer."<br />
<br />
After the informative text appear the buttons "I do not agree" and "Next".<br />
<br />
THIRD: To formalise the provision of the services described in the First Proven Fact, the<br />
entity has drawn up a form called "Data Processing Agreement" which it signs with its<br />
clients.<br />
<br />
Of the stipulations contained in this agreement, which is deemed reproduced here for<br />
evidentiary purposes, the following should be noted:<br />
<br />
Background<br />
<br />
<br />
(...)<br />
(...)<br />
<br />
(…)<br />
<br />
(…)<br />
<br />
<br />
Thomas's Duties<br />
<br />
(…):<br />
<br />
<br />
(…);<br />
(…);<br />
(…);<br />
<br />
(…)<br />
<br />
<br />
Research<br />
<br />
(…):<br />
<br />
(…);<br />
<br />
<br />
(…);<br />
<br />
(…).<br />
<br />
(...)”.<br />
<br />
<br />
FOURTH: The Privacy Policy available on the website "***URL.1", in its version dated<br />
07/03/2019, includes the following information:<br />
<br />
"1.3 Do we always act as data controller? Although Thomas often acts as data<br />
controller, in some of our activities we may also act as data processor or<br />
sub-processor...<br />
<br />
Examples of cases in which Thomas acts as data controller include, but are not limited<br />
to, the following:<br />
(…)<br />
. Processing of personal data of candidates for research purposes.<br />
. Processing of personal data of candidates to create an anonymised form of personal<br />
information…<br />
<br />
2.5 Do we use personal data in our research?<br />
We are committed to continually improving our assessments. To do this, we ask candidates<br />
to provide us with additional information, such as age group, educational level, ethnicity<br />
and similar matters. Providing this information is voluntary and is not necessary to<br />
complete an assessment.<br />
When we process any of this personal data for research, we do so as data controller.<br />
Any personal information provided to us for research will be used exclusively for research<br />
purposes and will not be disclosed to third parties. Both during and after the evaluation of<br />
your personal information by our psychologists, we will store it securely and in the strictest<br />
confidence. If we share our results with third parties, only anonymous and aggregated<br />
results from which no individual can be identified will be shared.<br />
<br />
2.6 Where we are data controller: what legal basis do we have for using your personal<br />
data?<br />
(…)<br />
. you have consented to the use of your personal data;<br />
. our use of your personal data is in our legitimate interest as a business organisation; in<br />
these cases we will always process your information in a manner that is proportionate and<br />
respectful of your right to privacy. You will also have the right to object to the processing,<br />
as explained in section 7;<br />
. the use of your personal data is necessary to perform a contract or to take steps to enter<br />
into a contract with you; or<br />
. our use of your personal data is necessary to comply with a legal obligation or relevant<br />
regulation…" (Unofficial translation).<br />
<br />
The content of the sections transcribed is similar to that of the version of the Privacy Policy<br />
dated 03/31/2020, submitted to the proceedings by THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
<br />
FIFTH: Agroxarxa ran a personnel selection process and contracted the services of<br />
THOMAS INTERNATIONAL SYSTEMS to carry out the evaluations of the candidates<br />
shortlisted by Agroxarxa. For this purpose, both entities signed a contract ("Data<br />
Processing Agreement") dated 05/30/2018, on the terms indicated in the Third Proven Fact.<br />
<br />
SIXTH: The complainant took part in the personnel selection process run by Agroxarxa<br />
referred to in the Fifth Proven Fact and was selected as a finalist to be evaluated by<br />
THOMAS INTERNATIONAL SYSTEMS. After completing the surveys arranged for that<br />
evaluation through the website "***URL.1", the complainant was asked to fill in the<br />
"Thomas Research Questionnaire", through which the complainant provided the following<br />
data:<br />
<br />
. Sex: "XXXXXX".<br />
. Year of birth: "XXXX".<br />
. Disability: "XX".<br />
. Ethnicity: "XXXXXXXXXXXX".<br />
<br />
<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
<br />
By virtue of the powers which Article 58(2) GDPR confers on each supervisory authority,<br />
and as established in Articles 47 and 48 of Organic Law 3/2018 of 5 December on the<br />
Protection of Personal Data and the guarantee of digital rights (hereinafter LOPDGDD), the<br />
Director of the Spanish Data Protection Agency is competent to initiate and resolve this<br />
procedure.<br />
<br />
Article 63(2) LOPDGDD provides that: "The procedures handled by the Spanish Data<br />
Protection Agency shall be governed by the provisions of the GDPR, by this Organic Law,<br />
by the regulatory provisions issued in its implementation and, insofar as they do not<br />
contradict them, on a subsidiary basis, by the general rules on administrative procedure".<br />
<br />
<br />
II<br />
<br />
The complaint that gave rise to these proceedings concerns the processing of personal<br />
data relating to ethnicity and disability carried out by THOMAS INTERNATIONAL<br />
SYSTEMS during the candidate selection process for a position offered by the entity<br />
Agroxarxa, this question being the sole object of this procedure.<br />
<br />
Accordingly, the conclusions reached in this procedure imply no pronouncement on<br />
matters unrelated to that object.<br />
<br />
<br />
<br />
III<br />
<br />
The personnel selection process (...) begins with the publication, by that entity, of (...) and<br />
with the subsequent examination of the profile of the candidates who have expressed<br />
interest in the position in order to select the finalists, who are asked to complete a<br />
"behavioural survey".<br />
<br />
This "behavioural survey" is carried out through the platform of the entity THOMAS<br />
INTERNATIONAL SYSTEMS. It consists of psychological tests that assess the candidates'<br />
intelligence, personality, emotional intelligence and potential.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS sends the candidate an email giving access to its<br />
platform. The email states that its purpose is to carry out a behavioural evaluation for<br />
Agroxarxa, indicates the link for accessing the platform, as well as the username and<br />
password to be used, and also indicates the links for accessing the information contained<br />
in the candidate area and the privacy policy.<br />
<br />
As a result of this, THOMAS INTERNATIONAL SYSTEMS sends Agroxarxa a report on the<br />
candidate's profile of skills and abilities.<br />
<br />
The selection process ends with a final interview conducted by Agroxarxa.<br />
<br />
The tasks that THOMAS INTERNATIONAL SYSTEMS performs within the framework of this<br />
process were entrusted to it by Agroxarxa through a contract for the provision of services<br />
signed by both entities. That contract includes a "Data Processing Agreement", formalised<br />
on 05/30/2018, which defines the role of THOMAS INTERNATIONAL SYSTEMS as<br />
processor and states that that entity follows the instructions of Agroxarxa, which acts as<br />
controller.<br />
<br />
The concepts of "controller" and "processor" are defined in Article 4 GDPR as follows:<br />
<br />
. "'controller' means the natural or legal person, public authority, agency or other body<br />
which, alone or jointly with others, determines the purposes and means of the processing<br />
of personal data; where the purposes and means of such processing are determined by<br />
Union or Member State law, the controller or the specific criteria for its nomination may be<br />
provided for by Union or Member State law".<br />
<br />
. "'processor' means a natural or legal person, public authority, agency or other body<br />
which processes personal data on behalf of the controller".<br />
<br />
Article 24 GDPR, on the "Responsibility of the controller", provides as follows:<br />
<br />
"1. Taking into account the nature, scope, context and purposes of processing as well as<br />
the risks of varying likelihood and severity for the rights and freedoms of natural persons,<br />
the controller shall implement appropriate technical and organisational measures to ensure<br />
and to be able to demonstrate that processing is performed in accordance with this<br />
Regulation. Those measures shall be reviewed and updated where necessary.<br />
2. Where proportionate in relation to processing activities, the measures referred to in<br />
paragraph 1 shall include the implementation of appropriate data protection policies by the<br />
controller…".<br />
<br />
<br />
Report 0064/2020 of the AEPD's Legal Department has stated emphatically that "The<br />
GDPR has entailed a paradigm shift in the regulation of the right to the protection of<br />
personal data, which is based on the principle of 'accountability' or 'proactive<br />
responsibility', as the AEPD has repeatedly indicated (Report 17/2019, among many others)<br />
and as is set out in the Explanatory Memorandum of Organic Law 3/2018 of 5 December on<br />
the Protection of Personal Data and the guarantee of digital rights (LOPDGDD)".<br />
<br />
The report goes on to say the following:<br />
<br />
"…the criteria for attributing the different roles remain the same (paragraph 11); it<br />
reiterates that these are functional concepts, intended to allocate responsibilities according<br />
to the actual roles of the parties (paragraph 12), which means that in most cases the<br />
analysis must turn on the circumstances of the specific case (case by case), on the basis of<br />
their actual activities rather than the formal designation of an actor as 'controller' or<br />
'processor' (for example, in a contract); that they are autonomous concepts, whose<br />
interpretation must be carried out under the European rules on the protection of personal<br />
data (paragraph 13); and (paragraph 24) that the need for a factual assessment also means<br />
that the role of a controller does not derive from the nature of an entity that is processing<br />
data but from its concrete activities in a specific context…".<br />
<br />
The concepts of controller and processor are thus not formal but functional, and must be<br />
assessed in the light of the specific case.<br />
<br />
<br />
An entity is the controller from the moment it decides the purposes and means of the<br />
processing, and does not lose that status by leaving a certain margin of action to the<br />
processor or by not having access to the processor's databases.<br />
<br />
This is stated unequivocally in Guidelines 07/2020 of the European Data Protection Board<br />
(EDPB) on the concepts of controller and processor in the GDPR:<br />
<br />
"A controller is the one who determines the purposes and means of the processing, i.e. the<br />
why and how of the processing. The controller must decide on both purposes and means.<br />
However, some more practical aspects of implementation ('non-essential means') can be<br />
left to the processor. It is not necessary that the controller actually has access to the data<br />
that is being processed to qualify as a controller" (the translation is ours).<br />
<br />
In the present case, it is clear that Agroxarxa is the controller of the processing of personal<br />
data originating in the personnel selection process in which the complainant took part,<br />
since, as defined in Article 4(7) GDPR, it is the entity that determines the purposes and<br />
means of the processing carried out. As controller, it is obliged to comply with the<br />
provisions of Article 24 GDPR transcribed above and, in particular, to ensure effective<br />
control of the "appropriate technical and organisational measures to ensure and to be able<br />
to demonstrate that processing is performed in accordance with this Regulation", among<br />
which are those provided for in Article 28 GDPR in relation to the processor acting in the<br />
name and on behalf of the controller.<br />
<br />
Agroxarxa is the controller of the data processing carried out for the purpose of conducting<br />
the selection process even though it has no access to those data. In this regard,<br />
Guidelines 07/2020 of the European Data Protection Board (EDPB) on the concepts of<br />
controller and processor in the GDPR state that "42. It is not necessary that the controller<br />
actually has access to the data that is being processed. Someone who outsources a<br />
processing activity and in doing so has a determinative influence on the purpose and<br />
(essential) means of the processing (e.g. by adjusting parameters of a service in such a way<br />
that it influences whose personal data shall be processed) is to be regarded as controller<br />
even though it will never have actual access to the data" (the translation is ours).<br />
<br />
On the other hand, the existence of a processor depends on a decision taken by the<br />
controller, which may decide either to carry out certain processing operations itself or to<br />
entrust all or part of the processing to a processor.<br />
<br />
The essence of the processor's function is that personal data are processed in the name<br />
and on behalf of the controller. In practice, it is the controller that determines the purposes<br />
and the means, at least the essential ones, whereas the processor's function is to provide<br />
services to controllers. In other words, "acting in the name and on behalf of the controller"<br />
means that the processor serves the controller's interest in carrying out a specific task and<br />
therefore follows the instructions laid down by the controller, at least as regards the<br />
purpose and the essential means of the processing entrusted to it.<br />
<br />
It is the controller that has the obligation to guarantee the application of the data<br />
protection rules and the protection of the rights of data subjects, and to be able to<br />
demonstrate this (Articles 5(2), 24, 28 and 32 GDPR). Control over compliance with the law<br />
extends throughout the processing, from beginning to end. The controller must act, in any<br />
case, in a diligent, conscious, committed and active manner.<br />
<br />
This mandate of the legislator applies regardless of whether the processing is carried out<br />
directly by the controller or through a processor.<br />
<br />
<br />
In addition, processing carried out materially by a processor on behalf of a controller falls<br />
within the latter's sphere of action, in the same way as if the controller carried it out directly<br />
itself. The processor, in the case examined, is an extension of the controller and may only<br />
process data on documented instructions from the controller, unless required to do so by<br />
Union or Member State law, which is not the case here (Article 29 GDPR).<br />
<br />
The controller must therefore lay down clear arrangements for that assistance, give the<br />
processor precise instructions on how to comply with them, document them in advance by<br />
means of a contract or other (binding) agreement, and verify at all times that the contract is<br />
being performed in the manner established in it.<br />
<br />
The processor is fully liable only where it is fully responsible for the damage caused to the<br />
rights and freedoms of the persons affected.<br />
<br />
In establishing the liability of the processor for the commission of infringements of the<br />
GDPR, Article 28(10) also follows the criterion of the determination of the purposes and<br />
means of processing. Under that article, if the processor determines the purposes and<br />
means of the processing, it is to be considered the controller in respect of that processing:<br />
<br />
"10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by<br />
determining the purposes and means of processing, the processor shall be considered to<br />
be a controller in respect of that processing".<br />
<br />
In the present case, the correct legal classification of THOMAS INTERNATIONAL<br />
SYSTEMS under the GDPR is that of processor, since it acts in the name and on behalf of<br />
Agroxarxa.<br />
<br />
However, the proceedings have revealed that THOMAS INTERNATIONAL SYSTEMS<br />
processes, for its own benefit, data of the candidates for the position offered by Agroxarxa<br />
or, in general, by any other client. In respect of that processing, THOMAS INTERNATIONAL<br />
SYSTEMS determines the means and purposes and holds the status of controller, in<br />
accordance with the above-cited Article 28(10) GDPR.<br />
<br />
When carrying out the behavioural surveys commissioned by Agroxarxa, THOMAS<br />
INTERNATIONAL SYSTEMS includes a "Questionnaire" to be completed by the applicants<br />
for the position, through which the data subjects are asked for personal data relating to<br />
sex, year of birth, disability, ethnicity, mother tongue, educational level, current<br />
employment status, sector in which they currently work, current role, current level of<br />
management responsibility, level of happiness in the job (on a scale from 1 to 7), rating of<br />
their work (on a scale from 1 to 7), description of the disability (free-text field) and views<br />
on leadership. To answer each question, except the description of the disability, a<br />
drop-down menu is shown with the options the data subject can select (in the specific<br />
"Questionnaire" provided by the complainant the following options appear selected: Sex:<br />
"XXXXX"; Year of birth: "XXXX"; Disability: "XX"; Ethnicity: "XXXXXXXXXXXX").<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 21/42<br />
<br />
It is THOMAS INTERNATIONAL SYSTEMS that decides to collect these personal data and to use<br />
them for its own purposes (research and improvement of its assessments), for its own<br />
benefit. Ultimately, it is that entity that decides to carry out these personal data<br />
processing operations, which is the same as saying that THOMAS INTERNATIONAL SYSTEMS is the<br />
entity that determines why (purpose) and how (means) such personal data are processed in<br />
order to achieve the intended purpose.<br />
<br />
With regard to the "means of processing", Guidelines 07/2020 of the European Data Protection<br />
Board (EDPB) on the concepts of controller and processor in the GDPR, already cited, state<br />
the following:<br />
<br />
“As regards the determination of means, a distinction can be made between essential and<br />
non-essential means. "Essential means" are traditionally and inherently reserved to the<br />
controller. While non-essential means can also be determined by the processor, essential<br />
means are to be determined by the controller. "Essential means" are means that are closely<br />
linked to the purpose and the scope of the processing, such as the type of personal data<br />
which are processed ("which data shall be processed?"), the duration of the processing<br />
("for how long shall they be processed?"), the categories of recipients ("who shall have<br />
access to them?") and the categories of data subjects ("whose personal data are being<br />
processed?"). Together with the purpose of processing, the essential means are also closely<br />
linked to the question of whether the processing is lawful, necessary and proportionate.<br />
"Non-essential means" concern more practical aspects of implementation, such as the choice<br />
for a particular type of software or the detailed security measures which may be left to the<br />
processor to decide on” (the translation is ours).<br />
<br />
THOMAS INTERNATIONAL SYSTEMS holds the status of controller with regard to the collection<br />
and use of the personal data relating to ethnicity and disability to which the complaint<br />
refers, as that entity itself has acknowledged and as is accredited in the file by the<br />
documentation incorporated into the proceedings.<br />
<br />
The "Data processing agreement" concluded between Agroxarxa and THOMAS INTERNATIONAL<br />
SYSTEMS, referred to above, contemplates in its clause 4 the use of personal data by THOMAS<br />
INTERNATIONAL SYSTEMS as controller for research purposes. It expressly states:<br />
<br />
“Thomas may act as a data controller in relation to the Personal Data of the Company and<br />
such processing may be carried out solely for the permitted Research Purposes”.<br />
<br />
Likewise, the Privacy Policy available on the website "***URL.1" provides the following<br />
information:<br />
<br />
“2.5 Do we use personal data in our research?<br />
We are committed to continually improving our assessments. To do this, we ask candidates to<br />
provide us with additional information, such as age group, educational level, ethnicity and<br />
similar matters. Providing this information is voluntary and is not necessary to complete<br />
an assessment.<br />
When we process any of this personal data for research, we do so as a data controller.<br />
Any personal information provided to us for research will be used exclusively for research<br />
purposes and will not be disclosed to third parties…” (Unofficial translation).<br />
<br />
<br />
This status of controller can also be inferred from the response provided by THOMAS<br />
INTERNATIONAL SYSTEMS to the Inspection Services of this Agency, in which it states that<br />
the data on ethnic origin and disability do not form part of the psychometric assessment<br />
nor do they affect the results obtained by the candidate in that assessment; and that this<br />
information is used by the “Thomas International Sciences” team to ensure that its<br />
psychometric assessment tools are designed so that they do not discriminate against the<br />
people assessed.<br />
<br />
With this response, that entity provided a copy of the "Questionnaire" that it asks the data<br />
subjects (candidates for the position offered) to complete, together with the information<br />
provided beforehand. In that information the form is referred to as the "Thomas Research<br />
Questionnaire" and it is stated that the data will be used for research purposes, to improve<br />
its assessments.<br />
<br />
For its part, Agroxarxa has reported that it does not collect data on ethnicity and<br />
disability, that these data are not collected by THOMAS INTERNATIONAL SYSTEMS on behalf of<br />
Agroxarxa, and that Agroxarxa is not provided with the answers contained in the form in<br />
question. It has likewise stated that THOMAS INTERNATIONAL SYSTEMS uses the same form for<br />
all its clients.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS, in its submissions at the opening of the procedure, has not<br />
disputed the above considerations, which were already set out in the opening agreement.<br />
<br />
IV.<br />
<br />
Personal data relating to ethnicity and disability, by their nature, belong to the special<br />
categories of data regulated in Article 9 of the GDPR, which establishes a general<br />
prohibition on their processing. This Article provides the following:<br />
<br />
“Processing of special categories of personal data<br />
<br />
1. Processing of personal data revealing racial or ethnic origin, political opinions,<br />
religious or philosophical beliefs, or trade union membership, and the processing of genetic<br />
data, biometric data for the purpose of uniquely identifying a natural person, data<br />
concerning health or data concerning a natural person's sex life or sexual orientation shall<br />
be prohibited.<br />
<br />
2. Paragraph 1 shall not apply if one of the following applies:<br />
<br />
a) the data subject has given explicit consent to the processing of those personal data for<br />
one or more specified purposes, except where Union or Member State law provide that the<br />
prohibition referred to in paragraph 1 may not be lifted by the data subject;<br />
b) processing is necessary for the purposes of carrying out the obligations and exercising<br />
specific rights of the controller or of the data subject in the field of employment and<br />
social security and social protection law in so far as it is authorised by Union or Member<br />
State law or a collective agreement pursuant to Member State law providing for appropriate<br />
safeguards for the fundamental rights and the interests of the data subject;<br />
c) processing is necessary to protect the vital interests of the data subject or of another<br />
natural person where the data subject is physically or legally incapable of giving consent;<br />
d) processing is carried out in the course of its legitimate activities with appropriate<br />
safeguards by a foundation, association or any other not-for-profit body with a political,<br />
philosophical, religious or trade union aim and on condition that the processing relates<br />
solely to the members or to former members of the body or to persons who have regular<br />
contact with it in connection with its purposes and that the personal data are not disclosed<br />
outside that body without the consent of the data subjects;<br />
e) processing relates to personal data which are manifestly made public by the data subject;<br />
f) processing is necessary for the establishment, exercise or defence of legal claims or<br />
whenever courts are acting in their judicial capacity;<br />
g) processing is necessary for reasons of substantial public interest, on the basis of Union<br />
or Member State law which shall be proportionate to the aim pursued, respect the essence of<br />
the right to data protection and provide for suitable and specific measures to safeguard the<br />
fundamental rights and the interests of the data subject;<br />
h) processing is necessary for the purposes of preventive or occupational medicine, for the<br />
assessment of the working capacity of the employee, medical diagnosis, the provision of<br />
health or social care or treatment or the management of health or social care systems and<br />
services on the basis of Union or Member State law or pursuant to contract with a health<br />
professional and subject to the conditions and safeguards referred to in paragraph 3;<br />
i) processing is necessary for reasons of public interest in the area of public health, such<br />
as protecting against serious cross-border threats to health or ensuring high standards of<br />
quality and safety of health care and of medicinal products or medical devices, on the basis<br />
of Union or Member State law which provides for suitable and specific measures to safeguard<br />
the rights and freedoms of the data subject, in particular professional secrecy;<br />
j) processing is necessary for archiving purposes in the public interest, scientific or<br />
historical research purposes or statistical purposes in accordance with Article 89(1) based<br />
on Union or Member State law which shall be proportionate to the aim pursued, respect the<br />
essence of the right to data protection and provide for suitable and specific measures to<br />
safeguard the fundamental rights and the interests of the data subject.<br />
<br />
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in<br />
point (h) of paragraph 2 when those data are processed by or under the responsibility of a<br />
professional subject to the obligation of professional secrecy under Union or Member State<br />
law or rules established by national competent bodies or by another person also subject to<br />
an obligation of secrecy under Union or Member State law or rules established by national<br />
competent bodies.<br />
<br />
4. Member States may maintain or introduce further conditions, including limitations, with<br />
regard to the processing of genetic data, biometric data or data concerning health”.<br />
<br />
<br />
In general terms, this provision prohibits the processing of special categories of data,<br />
unless such processing can be covered by one of the exceptions regulated in Article 9(2) of<br />
the GDPR.<br />
<br />
Thus, a general prohibition is established on the processing of personal data revealing<br />
racial or ethnic origin and of data concerning health, such as data relating to a person's<br />
disability (Recital 35 and Article 4(15) of the GDPR); and paragraph 2 regulates the<br />
exceptions that lift that prohibition, some of them on the basis of Union or Member State<br />
law, which must incorporate into its own rules the appropriate safeguards so that the right<br />
to data protection is respected, must also respect the principle of proportionality, and<br />
must establish suitable and specific measures to safeguard the fundamental rights and the<br />
interests of the persons concerned.<br />
<br />
Specifically, for the processing of special categories of data that is necessary for the<br />
scientific research purposes referred to in point (j) of Article 9(2) of the GDPR, the<br />
controller must necessarily rely on a specific legal rule that covers it and, in addition,<br />
comply with the principles mentioned and establish additional safeguards that protect the<br />
rights of the persons concerned.<br />
<br />
In relation to the processing of personal data concerning health, the seventeenth<br />
additional provision of the LOPDGDD establishes that the processing regulated in the laws it<br />
lists is covered by points (g), (h), (i) and (j) of Article 9(2) of the GDPR; among those<br />
laws is the consolidated text of the General Law on the rights of persons with disabilities<br />
and their social inclusion, approved by Royal Legislative Decree 1/2013 of 29 November. This<br />
does not, however, exclude processing carried out in application of rules other than those<br />
indicated in that additional provision.<br />
<br />
Article 89 of the GDPR expressly refers to "Safeguards and derogations relating to<br />
processing for archiving purposes in the public interest, scientific or historical research<br />
purposes or statistical purposes":<br />
<br />
“1. Processing for archiving purposes in the public interest, scientific or historical<br />
research purposes or statistical purposes, shall be subject to appropriate safeguards, in<br />
accordance with this Regulation, for the rights and freedoms of the data subject. Those<br />
safeguards shall ensure that technical and organisational measures are in place in<br />
particular in order to ensure respect for the principle of data minimisation. Those measures<br />
may include pseudonymisation provided that those purposes can be fulfilled in that manner.<br />
Where those purposes can be fulfilled by further processing which does not permit or no<br />
longer permits the identification of data subjects, those purposes shall be fulfilled in<br />
that manner.<br />
<br />
(…)”.<br />
<br />
<br />
The GDPR sets out the principles relating to processing in its Article 5: lawfulness,<br />
fairness and transparency; purpose limitation; data minimisation; accuracy; storage<br />
limitation; and integrity and confidentiality.<br />
<br />
On the other hand, once the general prohibition has been lifted under cover of Article 9(2)<br />
of the GDPR, in order to legitimise the processing of special category data it is necessary<br />
to rely on one of the cases of Article 6 of the same Regulation. This was stated by the<br />
Article 29 Working Party (whose functions have been assumed by the European Data Protection<br />
Board) in its "Guidelines on Automated individual decision-making and Profiling for the<br />
purposes of Regulation 2016/679", adopted on 3 October 2017 and revised on 6 February 2018,<br />
indicating that “Controllers can only process special category personal data if they can<br />
meet one of the conditions set out in Article 9(2), as well as a condition from Article 6”.<br />
<br />
Article 6 of the GDPR establishes the cases in which the processing of data is considered<br />
lawful:<br />
<br />
"Article 6. Lawfulness of processing<br />
<br />
1. Processing shall be lawful only if and to the extent that at least one of the following<br />
applies:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for one<br />
or more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject is<br />
party or in order to take steps at the request of the data subject prior to entering into a<br />
contract;<br />
c) processing is necessary for compliance with a legal obligation to which the controller is<br />
subject;<br />
d) processing is necessary in order to protect the vital interests of the data subject or of<br />
another natural person;<br />
e) processing is necessary for the performance of a task carried out in the public interest<br />
or in the exercise of official authority vested in the controller;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the interests<br />
or fundamental rights and freedoms of the data subject which require protection of personal<br />
data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public<br />
authorities in the performance of their tasks.<br />
<br />
2. Member States may maintain or introduce more specific provisions to adapt the application<br />
of the rules of this Regulation with regard to processing for compliance with points (c) and<br />
(e) of paragraph 1 by determining more precisely specific requirements for the processing<br />
and other measures to ensure lawful and fair processing including for other specific<br />
processing situations as provided for in Chapter IX.<br />
<br />
3. The basis for the processing referred to in point (c) and (e) of paragraph 1 shall be laid<br />
down by:<br />
<br />
a) Union law; or<br />
b) Member State law to which the controller is subject.<br />
<br />
The purpose of the processing shall be determined in that legal basis or, as regards the<br />
processing referred to in point (e) of paragraph 1, shall be necessary for the performance<br />
of a task carried out in the public interest or in the exercise of official authority vested<br />
in the controller. That legal basis may contain specific provisions to adapt the application<br />
of rules of this Regulation, inter alia: the general conditions governing the lawfulness of<br />
processing by the controller; the types of data which are subject to the processing; the<br />
data subjects concerned; the entities to, and the purposes for which, the personal data may<br />
be disclosed; the purpose limitation; storage periods; and processing operations and<br />
processing procedures, including measures to ensure lawful and fair processing such as those<br />
for other specific processing situations as provided for in Chapter IX. The Union or the<br />
Member State law shall meet an objective of public interest and be proportionate to the<br />
legitimate aim pursued.<br />
<br />
4. Where the processing for a purpose other than that for which the personal data have been<br />
collected is not based on the data subject's consent or on a Union or Member State law which<br />
constitutes a necessary and proportionate measure in a democratic society to safeguard the<br />
objectives referred to in Article 23(1), the controller shall, in order to ascertain whether<br />
processing for another purpose is compatible with the purpose for which the personal data<br />
are initially collected, take into account, inter alia:<br />
<br />
a) any link between the purposes for which the personal data have been collected and the<br />
purposes of the intended further processing;<br />
b) the context in which the personal data have been collected, in particular regarding the<br />
relationship between data subjects and the controller;<br />
c) the nature of the personal data, in particular whether special categories of personal<br />
data are processed, pursuant to Article 9, or whether personal data related to criminal<br />
convictions and offences are processed, pursuant to Article 10;<br />
d) the possible consequences of the intended further processing for data subjects;<br />
e) the existence of appropriate safeguards, which may include encryption or<br />
pseudonymisation”.<br />
<br />
<br />
V.<br />
<br />
<br />
In the present case, THOMAS INTERNATIONAL SYSTEMS processes data relating to ethnicity and<br />
disability, so we are faced with the processing of special categories of personal data,<br />
subject to the general rule of prohibition established in Article 9(1) of the GDPR.<br />
<br />
On the other hand, it does not appear from the proceedings, nor has THOMAS INTERNATIONAL<br />
SYSTEMS shown, that any of the circumstances or exceptions established in paragraph 2 of<br />
that Article, which lift the prohibition on processing such personal data, applies.<br />
<br />
That entity considers the exception provided for in Article 9(2)(j) applicable, taking the<br />
view that the ethnicity and disability data are processed for scientific research purposes,<br />
and devotes its submissions to justifying the necessity and proportionality of that<br />
processing and the additional safeguards established to respect the right to data<br />
protection of the persons concerned, among them those relating to the security, technical<br />
and organisational measures implemented, the non-disclosure of data to third parties, and<br />
compliance with the principles of purpose limitation, minimisation, storage limitation and<br />
accuracy of the data.<br />
<br />
However, THOMAS INTERNATIONAL SYSTEMS does not invoke any legal rule that covers such data<br />
processing in the context in which it is carried out, so that the basic requirement<br />
established in Article 9(2)(j) of the GDPR is not met, namely that the processing of special<br />
category data for scientific research purposes must be carried out “on the basis of Union or<br />
Member State law which shall be proportionate to the aim pursued, respect the essence of the<br />
right to data protection and provide for suitable and specific measures to safeguard the<br />
fundamental rights and the interests of the data subject”.<br />
<br />
In this regard, that entity has confined itself to stating that it complies with the<br />
international psychometric standards recommended by the European Federation of<br />
Psychologists' Associations (FEAP), the International Test Commission (ITC) or the<br />
Association for Business Psychology, which do not constitute rules "of Union or Member State<br />
law".<br />
<br />
This requirement cannot be satisfied, as THOMAS INTERNATIONAL SYSTEMS claims, by the<br />
establishment of the safeguards referred to in its written submissions or by compliance with<br />
the principles relating to processing, nor by the measures that it claims to have adopted as<br />
a result of this case, with which it has sought to improve the information offered to the<br />
data subjects and to mitigate possible harm with new risk assessments.<br />
<br />
<br />
Nor has the legal basis that legitimises the processing of these data in accordance with<br />
Article 6 of the GDPR been established, nor does THOMAS INTERNATIONAL SYSTEMS clearly inform<br />
the data subjects in this regard. The information contained in the Privacy Policy on this<br />
point is generic, limited to listing the types of legal basis without specifying which of<br />
them corresponds to the specific processing carried out:<br />
<br />
“2.6 Where we are a data controller: what legal basis do we have to use your personal data?<br />
<br />
We will only collect, use and share your personal data where we are satisfied that we have<br />
an appropriate legal basis to do so. Given the variety of services we provide, we may rely<br />
on one of the following legal bases for the processing of your data:<br />
. you have consented to the use of your personal data;<br />
. the use we make of your personal data is in our legitimate interest as a business<br />
organisation; in these cases we will always process your information in a manner that is<br />
proportionate and respectful of your right to privacy, and you will also have the right to<br />
object to the processing, as explained in section 7;<br />
. the use of your personal data is necessary to perform a contract or take steps to enter<br />
into a contract with you; or<br />
. our use of your personal data is necessary to comply with a relevant legal or regulatory<br />
obligation…” (Unofficial translation).<br />
<br />
The processing of data that is the subject of the proceedings is not necessary for the<br />
performance of the contractual relationship that THOMAS INTERNATIONAL SYSTEMS enters into<br />
with its clients as a service provider, since that processing is carried out outside that<br />
commercial relationship, for the exclusive benefit of THOMAS INTERNATIONAL SYSTEMS; nor does<br />
it respond to compliance with a legal obligation; nor is a legitimate interest invoked that<br />
prevails over the fundamental rights and freedoms of the data subjects.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS has only stated in this regard that the ethnicity and<br />
disability data were collected on a voluntary and optional basis, giving the data subject<br />
the option not to respond.<br />
<br />
From this, it seems to follow that the legal basis invoked by this entity to legitimise the<br />
data processing it carries out is the consent of the data subjects.<br />
<br />
However, in relation to the processing of personal data relating to ethnicity and<br />
disability, the giving of valid consent by the data subjects has not been demonstrated.<br />
<br />
It is true that the information offered before the form is completed warns data subjects<br />
that "participation is entirely voluntary and you may choose to skip any question you do not<br />
want to answer"; that after the informative text the buttons "I do not agree" and "Next" are<br />
displayed; and that the drop-down answers shown for each of the questions also include the<br />
option "I prefer not to answer".<br />
<br />
But there is no mechanism that allows the data subject to give their consent, and the mere<br />
completion of the form cannot, in this case, be accepted as the giving of such consent.<br />
<br />
<br />
In accordance with Article 9(2)(a) of the GDPR, consent to the processing of special<br />
categories of personal data must be “explicit”, so that a mere affirmative action from which<br />
it can be concluded that the data subject consents to the processing is not sufficient;<br />
rather, formal proof of the giving of that consent is required, a declaration or express<br />
confirmation of consent.<br />
<br />
The most obvious way would be a written statement, although in the digital or online<br />
environment forms can be enabled that could amount to valid explicit consent: filling in an<br />
electronic form, sending an email containing the consent, using an electronic signature or<br />
uploading a scanned document with a handwritten signature. Likewise, in the case of web<br />
pages, this explicit consent could be collected by inserting boxes with the options to<br />
accept and not to accept, together with a text referring to the consent that is clear to the<br />
data subject.<br />
<br />
This is how the European Data Protection Board understands it in the document "Guidelines<br />
05/2020 on consent under Regulation 2016/679", which updates the guidelines on consent<br />
adopted by the Article 29 Working Party on 28 November 2017 and revised and approved on 10<br />
April 2018:<br />
<br />
“91. Explicit consent is required in certain situations where serious data protection risks<br />
emerge, hence, where a high level of individual control over personal data is deemed<br />
appropriate. Under the GDPR, explicit consent plays a role in Article 9 on the processing of<br />
special categories of data…<br />
<br />
92. The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for<br />
“regular” consent. As the “regular” consent requirement in the GDPR is already raised to a<br />
higher standard compared to the consent requirement in Directive 95/46/EC, it needs to be<br />
clarified what extra efforts a controller should undertake in order to obtain the explicit<br />
consent of a data subject in line with the GDPR.<br />
<br />
93. The term explicit refers to the way consent is expressed by the data subject. It means<br />
that the data subject must give an express statement of consent. An obvious way to make sure<br />
consent is explicit would be to expressly confirm consent in a written statement. Where<br />
appropriate, the controller could make sure the written statement is signed by the data<br />
subject, in order to remove all possible doubt and potential lack of evidence in the future.<br />
<br />
94. However, such a signed statement is not the only way to obtain explicit consent and it<br />
cannot be said that the GDPR prescribes written and signed statements in all circumstances<br />
that require valid explicit consent. For example, in the digital or online context, a data<br />
subject may be able to issue the required statement by filling in an electronic form, by<br />
sending an email, by uploading a scanned document carrying the signature of the data<br />
subject, or by using an electronic signature. In theory, the use of oral statements can also<br />
be sufficiently expressive to obtain valid explicit consent, however, it may be difficult to<br />
prove for the controller that all conditions for valid explicit consent were met when the<br />
statement was recorded”.<br />
<br />
<br />
And other requirements that grant validity to the consent are not met, according to the<br />
definition contained in article 4 of the GDPR:<br />
<br />
“Article 4 Definitions<br />
<br />
For the purposes of this Regulation, the following shall be understood as:<br />
11. "consent of the interested party": any expression of free, specific, informed will<br />
and unequivocal by which the interested party accepts, either by means of a declaration or a clear<br />
affirmative action, the processing of personal data that concerns you”.<br />
<br />
In relation to the giving of consent, account must be taken of the provisions<br />
established in Article 6 of the GDPR and in Article 7 of the GDPR and Article 7 of the<br />
LOPDGDD.<br />
<br />
Article 7 "Conditions for consent" of the GDPR:<br />
<br />
<br />
"1. Where processing is based on consent, the controller shall be able to<br />
demonstrate that the data subject has consented to processing of his or her personal data”.<br />
<br />
Article 6 "Processing based on the consent of the data subject" of the LOPDGDD:<br />
<br />
<br />
"1. In accordance with the provisions of Article 4.11 of Regulation (EU) 2016/679,<br />
the consent of the data subject is understood to be any freely given, specific,<br />
informed and unambiguous indication of his or her wishes by which he or she, by a statement or a clear<br />
affirmative action, signifies agreement to the processing of personal data relating to him or her.<br />
2. Where it is intended to base the processing of data on the data subject's consent<br />
for a plurality of purposes, it shall be necessary to state specifically and unequivocally<br />
that said consent is granted for all of them.<br />
3. The performance of the contract may not be made conditional on the data subject consenting to the processing of<br />
personal data for purposes unrelated to the maintenance, development<br />
or control of the contractual relationship”.<br />
<br />
Consent is understood as a clear affirmative act that reflects a freely given, specific,<br />
informed and unambiguous indication of the data subject's wishes to accept the processing<br />
of personal data relating to them, provided with sufficient guarantees to prove that the<br />
data subject is aware that they are giving consent and of the extent to which they do so. And<br />
it must be given for all processing activities carried out for the same purpose or purposes,<br />
so that, where processing serves multiple purposes, consent must be given for all of<br />
them specifically and unequivocally, and the performance of the contract may not be made<br />
conditional on the data subject consenting to the processing of their personal data for<br />
purposes unrelated to the maintenance, development or control of the contractual<br />
relationship. In this regard, the lawfulness of the processing requires that the data subject be<br />
informed of the purposes for which the data are intended (informed consent).<br />
<br />
<br />
Consent must be freely given. It is understood that consent is not free when the<br />
data subject does not enjoy a genuine or free choice or cannot refuse or withdraw<br />
consent without detriment; or when separate consent cannot be given for the different<br />
personal data processing operations despite this being appropriate in the specific case;<br />
or when the performance of a contract or the provision of a service is made conditional<br />
on consent even though it is not necessary for such performance. This occurs when consent is<br />
included as a non-negotiable part of the general terms and conditions or when<br />
the obligation to agree to the use of personal data beyond those strictly necessary<br />
is imposed.<br />
<br />
Without these conditions, the giving of consent would not offer the data subject<br />
genuine control over their personal data and their destination, and the processing<br />
activity would be unlawful.<br />
<br />
The European Data Protection Board analysed these issues in its document<br />
"Guidelines 05/2020 on consent under Regulation 2016/679", of<br />
05/04/2020. From what is stated in that document, it is now of interest to highlight some<br />
aspects relating to the validity of consent, specifically regarding the<br />
“specific”, “informed” and “unambiguous” elements:<br />
<br />
<br />
“3.2. Specific<br />
Article 6(1)(a) confirms that the consent of the data subject must be given in relation to<br />
"one or more specific" purposes and that a data subject has a choice in relation to each of<br />
them. The requirement that consent must be "specific" aims to ensure a degree of user control<br />
and transparency for the data subject. This requirement has not been changed by the GDPR and<br />
remains closely linked to the requirement of "informed" consent. At the same time, it must be<br />
interpreted in line with the requirement for "granularity" to obtain "free" consent. In sum,<br />
to comply with the element of "specific", the controller must apply:<br />
<br />
i) purpose specification as a safeguard against function creep,<br />
ii) granularity in consent requests, and<br />
iii) clear separation of information related to obtaining consent for data<br />
processing activities from information about other matters.<br />
<br />
<br />
(…)<br />
<br />
“3.3. Informed<br />
The GDPR reinforces the requirement that consent must be informed. Based on Article 5<br />
of the GDPR, the requirement for transparency is one of the fundamental principles,<br />
closely related to the principles of fairness and lawfulness. Providing information<br />
to data subjects prior to obtaining their consent is essential in order to enable them to<br />
make informed decisions, understand what they are agreeing to, and, for example,<br />
exercise their right to withdraw their consent. If the controller does not provide accessible<br />
information, user control becomes illusory and consent will not constitute a valid basis<br />
for processing.<br />
If the requirements for informed consent are not met, consent will be invalid<br />
and the controller may be in breach of Article 6 of the GDPR.<br />
<br />
<br />
3.3.1. Minimum content requirements for consent to be "informed"<br />
For consent to be informed, it is necessary to inform the data subject of certain<br />
elements that are crucial to make a choice. Therefore, GT29 (the Article 29 Working Party) is of the opinion that it is required, at<br />
least, the following information to obtain valid consent:<br />
i) the identity of the controller,<br />
ii) the purpose of each of the processing operations for which consent is sought,<br />
iii) what (type of) data will be collected and used,<br />
iv) the existence of the right to withdraw consent,<br />
v) information on the use of the data for automated decision-making in accordance with<br />
Article 22(2)(c), where relevant, and<br />
vi) information on the possible risks of data transfers due to the absence of<br />
an adequacy decision and of appropriate safeguards, as described in Article<br />
46”.<br />
<br />
In the case at hand, there is no evidence that the data subjects gave valid<br />
consent covering the processing of personal data that is the subject of the complaint.<br />
This entity does not even duly inform about this data processing, about its purpose<br />
and legal basis or about the right to withdraw consent, where applicable, in accordance<br />
with the provisions of Article 13 of the GDPR; nor has it established any mechanism<br />
through which data subjects can give explicit consent.<br />
<br />
Regarding the information, it should be noted that only the Privacy Policy of the<br />
British parent company of the Group, Thomas International Ltd., is presented, in<br />
English, and that it does not duly inform about the legal basis of the processing or its<br />
purpose, which is described simply by reference to research purposes.<br />
<br />
Finally, the entity THOMAS INTERNATIONAL SYSTEMS has not provided<br />
sufficient elements to determine compliance with the proportionality test<br />
required by the Constitutional Court, so that it could be concluded whether the<br />
processing is suitable for the proposed purpose, whether or not it is necessary, and<br />
whether there are alternative, less intrusive measures.<br />
<br />
In this sense, the Constitutional Court has indicated (Judgment 14/2003, of 28<br />
January) that "in order to verify whether a measure restricting a fundamental right<br />
passes the proportionality test, it is necessary to verify whether it complies with the three<br />
following requirements or conditions: whether such a measure is capable of achieving the<br />
proposed objective (suitability test); whether, in addition, it is necessary, in the sense<br />
that there is no other more moderate measure for achieving said purpose with<br />
equal efficacy (necessity test); and, finally, whether it is weighted or<br />
balanced, because more benefits or advantages for the general interest derive from it than<br />
harm to other goods or values in conflict (proportionality test in the<br />
strict sense)".<br />
<br />
<br />
In this regard, the principle of minimum intervention must be taken into account (Art. 5.1.c)<br />
and Art. 25.1 GDPR), since it is necessary to prove that there is no other more<br />
moderate measure to achieve the intended purpose with equal effectiveness, within the<br />
framework of the accountability of the data controller.<br />
<br />
<br />
Therefore, from the facts and legal grounds set forth, it follows that<br />
THOMAS INTERNATIONAL SYSTEMS carries out processing of special categories of<br />
personal data contrary to the prohibition established in<br />
Article 9 of the GDPR and without any of the exceptions provided for to<br />
lift that prohibition. This breach of what is established in Article 9 of the<br />
GDPR gives rise to the application of the corrective powers that Article 58 of the aforementioned<br />
Regulation grants the Spanish Data Protection Agency.<br />
<br />
<br />
<br />
VI<br />
<br />
THOMAS INTERNATIONAL SYSTEMS has argued that there is no punishable infringement<br />
in the absence of intent in the action or omission that causes said<br />
infringement, adding that it has had a proactive attitude and complied with its<br />
obligations.<br />
<br />
In this regard, it should be noted, first of all, that the incident occurs within the<br />
sphere of responsibility of THOMAS INTERNATIONAL SYSTEMS and this entity<br />
must answer for it. In no way can it be considered that the alleged lack of<br />
intent excludes its responsibility, especially when the<br />
infringement could have been avoided through greater diligence. In this case, the<br />
infringement committed is incompatible with the diligence that said entity is obliged to<br />
observe.<br />
<br />
<br />
This diligence must be demonstrated in the specific case under analysis, and not in the<br />
general circumstances that the entity alleges to justify a proactive course of action,<br />
which cannot be taken as circumstances that prevent the responsibilities deriving<br />
from the specific irregular conduct from being demanded.<br />
<br />
<br />
Accepting the approach taken by THOMAS INTERNATIONAL SYSTEMS in its<br />
allegations would amount to admitting the non-application of the GDPR and the<br />
LOPDGDD, distorting the entire system established on the lawfulness of the<br />
processing of personal data.<br />
<br />
It should be remembered, on the other hand, that the infringement may be committed intentionally or<br />
negligently. The National High Court, in its Judgment of September 21, 2004 (RCA<br />
937/2003), pronounced in the following terms:<br />
<br />
<br />
"Furthermore, as regards the application of the principle of culpability, it follows (following the criterion of<br />
this Chamber in other Judgments such as that of January 21, 2004 issued in appeal<br />
1139/2001) that the infringement provided for in Article 44.3.d) can be committed both<br />
intentionally and negligently... because although the principle of culpability governs in<br />
punitive matters, as can be inferred from a simple reading of Article 130 of Law 30/1992, the truth is that the expression<br />
"simple non-observance" in Art. 130.1 of Law 30/1992 allows the imposition of the sanction, without<br />
doubt in intentional cases, and also in negligent cases, the non-observance of the<br />
duty of care being sufficient”.<br />
<br />
In this line, it is worth mentioning the SAN of January 21, 2010, in which the Court<br />
states:<br />
<br />
<br />
“The appellant also maintains that there is no culpability in her conduct. While it is<br />
true that the principle of culpability prevents strict liability from being admitted in<br />
administrative sanctioning law, it is also true that the absence of<br />
intent is secondary, since this type of infringement is normally committed<br />
through negligent or careless conduct, which is enough to integrate the subjective element<br />
of culpability. XXX's conduct is clearly negligent because... it must know... the<br />
obligations imposed by the LOPD on all those who handle third parties' personal data.<br />
XXX is obliged to guarantee the fundamental right to the protection of the personal data<br />
of its clients and prospective clients with the intensity required by the content of that<br />
right".<br />
<br />
The principle of culpability is required in sanctioning proceedings, and thus STC<br />
246/1991 considers liability without fault inadmissible in the field of<br />
administrative sanctioning law. But the principle of culpability does not imply that only<br />
an intentional or wilful action can be punished, and in this regard Article 28<br />
of Law 40/2015 on the Legal Regime of the Public Sector, under the heading<br />
"Responsibility", provides the following:<br />
<br />
"1. Only natural and legal persons, as well as, when a Law recognises their capacity<br />
to act, affected groups, unions and entities without legal personality and<br />
independent or autonomous estates, may be sanctioned for acts constituting an<br />
administrative infringement, where they are responsible for them by way of intent or<br />
negligence".<br />
<br />
The facts set forth in the preceding Ground show that<br />
THOMAS INTERNATIONAL SYSTEMS did not act with the diligence it was<br />
obliged to exercise, but rather acted with a lack of diligence. The Supreme Court (Judgments of<br />
April 16 and 22, 1991) considers that it follows from the element of culpability “...that the action or<br />
omission, classified as an administratively punishable infringement, must in all<br />
cases be attributable to its author, by intent or imprudence, negligence or inexcusable<br />
ignorance". The same Court reasons that "the invocation of the absence of culpability is not<br />
enough... to exculpate typically unlawful conduct", but rather<br />
that it is necessary "that the diligence that was required be proven by the person alleging its<br />
non-existence” (STS January 23, 1998).<br />
<br />
Also connected to the degree of diligence that the data controller is<br />
obliged to deploy in complying with the obligations imposed by the<br />
data protection regulations, the SAN of 10/17/2007 (Rec. 63/2006) can be cited,<br />
which specified: "(...) the Supreme Court has consistently understood that imprudence exists<br />
whenever a legal duty of care is neglected, that is, when the offender does not<br />
behave with the required diligence”.<br />
<br />
<br />
In addition, the National High Court, on the protection of personal data,<br />
has declared that "simple negligence or breach of the duties that the Law imposes<br />
on those responsible for files or for data processing to be extremely<br />
diligent is sufficient..." (SAN 06/29/2001).<br />
<br />
<br />
It is therefore concluded, contrary to what was objected by the accused entity, that the<br />
subjective element is present in the declared infringement.<br />
<br />
<br />
VII<br />
<br />
<br />
In the event of an infringement of the provisions of the GDPR, among the<br />
corrective powers available to the Spanish Data Protection Agency,<br />
as supervisory authority, Article 58.2 of said Regulation contemplates the<br />
following:<br />
<br />
"2. Each supervisory authority shall have all of the following corrective powers:<br />
<br />
(…)<br />
b) to issue reprimands to a controller or a processor where processing operations have<br />
infringed provisions of this Regulation;<br />
(...)<br />
d) to order the controller or processor to bring processing operations into compliance<br />
with the provisions of this Regulation, where appropriate, in a specified manner and<br />
within a specified period;<br />
(…)<br />
i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of<br />
measures referred to in this paragraph, depending on the circumstances of each individual<br />
case;".<br />
<br />
According to the provisions of Article 83.2 of the GDPR, the measure provided for in letter d)<br />
above is compatible with the sanction consisting of an administrative fine.<br />
<br />
<br />
VIII<br />
<br />
<br />
It is considered that the facts described infringe the provisions of Article 9 of the<br />
GDPR, which implies the commission of an infringement classified in Article 83.5.a) of the<br />
GDPR.<br />
<br />
<br />
Article 83.5.a) of the GDPR, under the heading "General conditions for imposing<br />
administrative fines", provides the following:<br />
<br />
"5. Infringements of the following provisions shall, in accordance with paragraph 2, be<br />
subject to administrative fines up to EUR 20,000,000 or, in the case of an undertaking,<br />
up to 4% of the total worldwide annual turnover of the preceding financial year,<br />
whichever is higher:<br />
<br />
a) the basic principles for processing, including conditions for consent, pursuant to<br />
Articles 5, 6, 7 and 9”.<br />
<br />
<br />
On the other hand, Article 71 of the LOPDGDD considers any breach of this<br />
Organic Law an infringement:<br />
<br />
"Infringements are the acts and conduct referred to in paragraphs 4, 5 and 6 of<br />
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this<br />
Organic Law".<br />
<br />
Article 72.1.e) of the LOPDGDD considers, as “very serious”, for<br />
limitation purposes:<br />
<br />
<br />
"1. On the basis of what is established in Article 83.5 of Regulation (EU) 2016/679,<br />
infringements that involve a substantial violation of the articles mentioned therein are<br />
considered very serious and shall become time-barred after three years, and in particular the following:<br />
<br />
e) The processing of personal data of the categories referred to in Article 9 of<br />
Regulation (EU) 2016/679, without any of the circumstances provided for in said<br />
precept and in Article 9 of this Organic Law occurring".<br />
<br />
<br />
In order to determine the administrative fine to be imposed, the provisions of<br />
Articles 83.1 and 83.2 of the GDPR must be considered, precepts that state:<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of administrative fines<br />
pursuant to this Article in respect of infringements of this Regulation referred to in<br />
paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.<br />
<br />
2. Administrative fines shall, depending on the circumstances of each individual case,<br />
be imposed in addition to, or instead of, measures referred to in Article 58,<br />
paragraph 2, points a) to h) and j). When deciding whether to impose an administrative fine and<br />
deciding on its amount in each individual case due regard shall be given to the following:<br />
a) the nature, gravity and duration of the infringement taking into account the<br />
nature, scope or purpose of the processing concerned as well as<br />
the number of data subjects affected and the level of damage suffered by<br />
them;<br />
b) the intentional or negligent character of the infringement;<br />
c) any action taken by the controller or processor to<br />
mitigate the damage suffered by data subjects;<br />
d) the degree of responsibility of the controller or processor,<br />
taking into account technical and organisational measures implemented by them pursuant<br />
to Articles 25 and 32;<br />
e) any relevant previous infringements by the controller or processor;<br />
f) the degree of cooperation with the supervisory authority, in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
g) the categories of personal data affected by the infringement;<br />
h) the manner in which the infringement became known to the supervisory authority, in<br />
particular whether, and if so to what extent, the controller or processor notified the<br />
infringement;<br />
i) where measures referred to in Article 58, paragraph 2, have previously been ordered<br />
against the controller or processor concerned with regard to the<br />
same subject-matter, compliance with those measures;<br />
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification<br />
mechanisms pursuant to Article 42, and<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as financial benefits gained, or losses avoided, directly or<br />
indirectly, from the infringement.”<br />
<br />
For its part, Article 76 "Sanctions and corrective measures" of the LOPDGDD<br />
provides:<br />
<br />
<br />
"1. The sanctions provided for in paragraphs 4, 5 and 6 of Article 83 of Regulation (EU)<br />
2016/679 shall be applied taking into account the grading criteria established in<br />
paragraph 2 of said article.<br />
2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the<br />
following may also be taken into account:<br />
<br />
a) The continuing nature of the infringement.<br />
b) The link between the offender's activity and the processing of personal<br />
data.<br />
c) The benefits obtained as a consequence of the commission of the infringement.<br />
d) The possibility that the conduct of the data subject could have led to the commission of the<br />
infringement.<br />
e) The existence of a merger by absorption subsequent to the commission of the infringement,<br />
which cannot be attributed to the absorbing entity.<br />
f) The effect on the rights of minors.<br />
g) Having, when it is not mandatory, a data protection officer.<br />
h) Voluntary submission by the controller or processor to<br />
alternative dispute resolution mechanisms, in those cases in which there are<br />
disputes between them and any data subject”.<br />
<br />
<br />
Regarding the infringement of Article 9 of the GDPR, based on the facts<br />
set out, it is considered that the sanction that should be imposed is an administrative<br />
fine.<br />
<br />
The fine imposed must be, in each individual case, effective, proportionate<br />
and dissuasive, in accordance with the provisions of Article 83.1 of the GDPR. Thus,<br />
the status of small enterprise and the turnover of THOMAS INTERNATIONAL SYSTEMS<br />
are considered at the outset (it is recorded in the proceedings that<br />
said entity (…)).<br />
<br />
<br />
In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to be<br />
imposed in the present case, the following criteria are considered applicable:<br />
<br />
The following grading criteria are considered to concur as aggravating factors:<br />
<br />
<br />
. Article 83.2.a) of the GDPR: "a) the nature, gravity and duration of the<br />
infringement taking into account the nature, scope or purpose of the processing<br />
concerned as well as the number of data subjects affected and the<br />
level of damage suffered by them”.<br />
<br />
<br />
. The nature and gravity of the infringement, taking into account that the data subject does not<br />
clearly know the entity responsible for the processing or the use that will be<br />
made of the personal data, which affects the ability of the<br />
data subject to exercise genuine control over their personal data.<br />
<br />
. In relation to the duration of the infringement, it is recorded in the proceedings that the<br />
Privacy Policy that includes the personal data processing actions it carries out,<br />
including those that are the subject of this<br />
procedure, is dated 07/03/2019.<br />
<br />
. The number of data subjects: the infringement affects all the data subjects who<br />
are evaluated by the entity THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
<br />
. The damage suffered by the data subjects: taking into account all<br />
the circumstances set out, it is clear that the data subjects have seen the<br />
risks to their privacy increased.<br />
<br />
<br />
. Article 83.2.b) of the GDPR: "b) the intentional or negligent character of the infringement".<br />
<br />
The negligence observed in the commission of the infringement. In this respect, account has been<br />
taken of what was declared in the National High Court Judgment of 10/17/2007 (rec.<br />
63/2006) which, on the basis that these are entities whose activity<br />
involves continuous data processing, indicates that "...the Supreme Court<br />
has consistently understood that imprudence exists whenever a legal duty of care<br />
is neglected, that is, when the offender does not behave with the diligence<br />
required. And in assessing the degree of diligence, special consideration must be given<br />
to whether or not the subject is a professional, and there is no doubt that, in the<br />
case now examined, when the appellant's activity consists of the constant and<br />
copious handling of personal data, rigour and exquisite care must be insisted upon<br />
in complying with the legal provisions in this regard”.<br />
<br />
It is a company that processes personal data in a<br />
systematic and continuous manner in the employment context and that should take extreme care in<br />
complying with its data protection obligations.<br />
<br />
<br />
. Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or<br />
processor taking into account technical and organisational measures<br />
implemented by them pursuant to Articles 25 and 32”.<br />
<br />
The accused entity does not have adequate operating procedures in place for<br />
the collection and processing of personal data, as regards data relating to<br />
ethnicity and disability, so the infringement<br />
is not the consequence of an anomaly in the operation of said<br />
procedures but of a defect in the personal data management system<br />
designed by the controller on its own initiative.<br />
<br />
<br />
. Article 76.2.b) of the LOPDGDD: "b) The link between the offender's activity<br />
and the processing of personal data”.<br />
<br />
The strong link between the offender's activity and the performance of personal<br />
data processing. The level of establishment of the Group to which<br />
THOMAS INTERNATIONAL SYSTEMS belongs and the activity it carries out.<br />
This circumstance determines a greater degree of exigency and professionalism and,<br />
consequently, of the responsibility of said entity in relation to<br />
data processing.<br />
<br />
<br />
Considering the factors set out, the amount of the fine for the<br />
infringement of Article 9 of the GDPR is assessed at 50,000 euros (fifty thousand euros).<br />
<br />
THOMAS INTERNATIONAL SYSTEMS, in its allegations on the opening of the<br />
procedure, has made no statement on the grading criteria set out,<br />
which were set out in said agreement with the same breadth and<br />
detail.<br />
<br />
However, it has requested that, instead of sanctioning with an administrative fine,<br />
a reprimand be issued, considering that it has taken additional measures to<br />
avoid any incident, such as appointing a new data protection officer,<br />
carrying out a new risk analysis and impact assessment, and drafting<br />
new information clauses on the processing involved in the "Questionnaire",<br />
in addition to reinforcing the information and training of its staff.<br />
<br />
In support of his approach, he cites various precedents processed by this Agency,<br />
that are mentioned in the Eighth Antecedent, in which the<br />
<br />
actions or a warning was addressed in accordance with the regulatory adequacy<br />
carried out by the responsible entity.<br />
<br />
THOMAS INTERNACIONAL SYSTEMS highlights the actions developed by the<br />
complaining party in the precedents that cites, among them, the suspension of the web<br />
implicated in the facts, the updating of the information regarding the protection of<br />
<br />
data offered to the interested parties, the improvement of the mechanisms to grant the<br />
consent by checking a box, appointment of a delegate<br />
of data protection, or the non-commission of any previous infraction by the party<br />
claimed.<br />
<br />
<br />
Finally, he highlights that he has a proactive attitude; all your staff are<br />
duly trained; its activity has not caused damage to the rights of the<br />
interested parties, that they have not received any claim or incidence or breach of<br />
security up to date; and that, upon learning of the matter, has initiated a<br />
review of its protocols, analyzes and evaluations, and has proceeded to appoint<br />
proven specialists in the field.<br />
<br />
<br />
In response to these allegations, it is reiterated that, in this case, considering the<br />
seriousness of the verified infringement, the imposition of a fine is appropriate, in addition to the<br />
adoption of measures. The request made by THOMAS cannot be accepted<br />
INTERNATIONAL SYSTEMS to impose other corrective powers that<br />
<br />
would have allowed the correction of the irregular situation, such as the warning,<br />
which is provided, in general, for natural persons and when the sanction<br />
constitutes a disproportionate burden (recital 148 of the GDPR).<br />
<br />
In addition, THOMAS INTERNATIONAL SYSTEMS has not justified, or even<br />
<br />
mentioned, what are the similarities between the present case and the assumptions of<br />
fact examined in the precedents that it invokes.<br />
<br />
In any case, it should be noted that the measures adopted are insufficient for the<br />
intended effects, since they do not restore the rights of the interested parties.<br />
THOMAS INTERNATIONAL SYSTEMS has not in any way proposed ceasing<br />
the conduct that violates the legal system.<br />
<br />
Nor can the measures that said entity has adopted be assessed as<br />
mitigating. These measures are not adequate to "remedy the<br />
infringement and mitigate the possible adverse effects of the infringement", in the terms<br />
of article 83.2.f) of the GDPR, or "to alleviate the damages suffered by the<br />
interested parties" as a consequence of the infringement, according to section 2.c) of the same<br />
article. Mitigating the adverse effects or alleviating the damages caused by the<br />
infringements implies restoring the rights of the interested parties, which in this<br />
case entails deleting the ethnicity and disability data collected from the<br />
interested parties and suspending their collection.<br />
<br />
On the other hand, none of the grading factors considered is attenuated<br />
due to the fact that the entity THOMAS INTERNATIONAL SYSTEMS has not been<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 39/42<br />
previously subject to a disciplinary procedure.<br />
<br />
In this regard, the Judgment of the AN, of 05/05/2021, rec. 1437/2020, indicates:<br />
<br />
<br />
"It considers, on the other hand, that the non-commission of a<br />
previous infringement. Well, article 83.2 of the GDPR establishes that, for the imposition<br />
of the administrative fine, account must be taken of, among others, the circumstance "e) any infringement<br />
committed previously by the controller or the processor". It is an<br />
aggravating circumstance; the fact that the precondition for its application does not exist<br />
entails that it cannot be taken into consideration, but it does not imply or allow, as<br />
the plaintiff claims, its application as a mitigating circumstance."<br />
<br />
<br />
According to the aforementioned article 83.2 of the GDPR, when deciding whether to impose an<br />
administrative fine and its amount, account must be taken of "any previous infringement committed<br />
by the controller." It is a normative provision that does not include the absence of<br />
previous infringements as a factor for grading the fine, and it must be<br />
understood as a criterion close to recidivism, although broader.<br />
<br />
<br />
Nor can it be accepted that there has been no damage to the rights of the<br />
interested parties, since they have seen an increased risk to their<br />
privacy.<br />
<br />
<br />
<br />
IX<br />
<br />
If the infringement is confirmed, the controller may be ordered to adopt<br />
adequate measures to bring its conduct into line with the regulations mentioned in this<br />
act, in accordance with the aforementioned article 58.2.d) of the GDPR, according to<br />
which each supervisory authority may "order the controller or processor<br />
to bring processing operations into compliance with the provisions of<br />
this Regulation, where appropriate, in a specified manner and within a<br />
specified period…".<br />
<br />
This act establishes the offence committed and the facts that<br />
give rise to the violation of data protection regulations, from which it can be<br />
clearly inferred what measures are to be adopted, notwithstanding that the<br />
specific procedures, mechanisms or instruments to implement them are a<br />
matter for the sanctioned party, since it is the controller who<br />
fully knows its organisation and has to decide, on the basis of proactive,<br />
risk-focused accountability, how to comply with the GDPR and the LOPDGDD.<br />
<br />
However, in this case, regardless of the foregoing, it is proposed that, in the<br />
resolution adopted, this Agency require the responsible entity to accredit, within<br />
the period to be determined, that it has deleted from the "Questionnaire" the<br />
collection of personal data relating to the ethnicity and disability of those affected,<br />
and that it has ceased to use the data previously collected.<br />
<br />
It is noted that failure to comply with the requirements of this body may be<br />
considered a serious administrative infringement for "not cooperating with the supervisory<br />
authority" in response to the requirements made, and such conduct may be assessed at the<br />
time of opening administrative sanctioning proceedings carrying a pecuniary<br />
fine.<br />
<br />
<br />
<br />
In view of the foregoing, the following is issued<br />
<br />
<br />
PROPOSED RESOLUTION<br />
<br />
<br />
<br />
FIRST: That the Director of the Spanish Data Protection Agency<br />
sanction THOMAS INTERNATIONAL SYSTEMS, S.A., with NIF A81603391, for an<br />
infringement of Article 9 of the GDPR, typified in Article 83.5.a) of the GDPR and<br />
classified as very serious for limitation purposes in article 72.1.e) of the<br />
LOPDGDD, with a fine of 50,000 euros (fifty thousand euros).<br />
<br />
SECOND: That the Director of the Spanish Data Protection Agency<br />
order THOMAS INTERNATIONAL SYSTEMS, S.A., within the period to be<br />
determined, to adopt the necessary measures to bring its conduct into line with the<br />
personal data protection regulations, with the scope set out in<br />
Legal Ground IX of this proposed resolution.<br />
<br />
Likewise, in accordance with article 85.2 of the LPACAP, you are<br />
informed that you may, at any time prior to the resolution of this<br />
procedure, make voluntary payment of the proposed sanction, which<br />
will entail a reduction of 20% of its amount. With the application of this<br />
reduction, the sanction would be set at 40,000 euros (forty thousand euros), and its<br />
payment will imply the termination of the procedure. The effectiveness of this reduction<br />
is conditional on the withdrawal of or waiver of any administrative action or appeal<br />
against the sanction.<br />
<br />
Should you choose to make voluntary payment of the amount specified<br />
above, in accordance with the aforementioned article 85.2, you must do so<br />
by depositing it in restricted account no. ES00 0000 0000 0000 0000<br />
0000, opened in the name of the Spanish Data Protection Agency at the<br />
bank CAIXABANK, S.A., indicating in the payment reference the procedure number<br />
that appears in the heading of this document and the reason: voluntary<br />
payment, reduction of the amount of the sanction. You must also send<br />
proof of payment to the Sub-Directorate General of Inspection so that the<br />
file can be closed.<br />
<br />
By virtue of this, you are notified of the foregoing and the procedure is made available<br />
to you so that within TEN DAYS you may allege whatever you consider appropriate in your defence and<br />
present the documents and information that you deem pertinent, in accordance with<br />
Article 89.2 of the LPACAP.<br />
926-050522<br />
B.B.B.<br />
INSTRUCTOR<br />
>><br />
<br />
<br />
<br />
<br />
SECOND: On November 18, 2022, the claimed party proceeded to pay the<br />
fine in the amount of 40,000 euros, making use of the reduction<br />
provided for in the proposed resolution transcribed above.<br />
<br />
<br />
THIRD: The payment made entails the waiver of any administrative action or appeal<br />
against the sanction, in relation to the facts referred to in the<br />
proposed resolution.<br />
<br />
FOURTH: In the previously transcribed proposed resolution, the facts<br />
constituting an infringement were set out, and it was proposed that the Director<br />
order the controller to adopt adequate measures to bring its conduct into line with the<br />
regulations, in accordance with the aforementioned article 58.2 d) of the GDPR, according to<br />
which each supervisory authority may "order the controller or processor<br />
to bring processing operations into compliance with the provisions of<br />
this Regulation, where appropriate, in a specified manner and within a<br />
specified period…".<br />
<br />
LEGAL GROUNDS<br />
I<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data<br />
Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures<br />
processed by the Spanish Data Protection Agency shall be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
enacted in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative<br />
Procedure of Public Administrations (hereinafter, LPACAP), under the heading<br />
"Termination of sanctioning proceedings", provides the following:<br />
<br />
"1. Once sanctioning proceedings have been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or it is possible to impose a<br />
pecuniary sanction and another of a non-pecuniary nature but the<br />
inappropriateness of the second has been justified, voluntary payment by the presumed offender, at<br />
any time prior to the resolution, will imply the termination of the procedure,<br />
except with regard to restoring the altered situation or determining the<br />
compensation for damages caused by the commission of the offence.<br />
<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
body competent to resolve the procedure shall apply reductions of at least<br />
20% of the amount of the proposed sanction, these being cumulative with each other.<br />
The aforementioned reductions must be set out in the notification of initiation<br />
of the procedure, and their effectiveness is conditional on the withdrawal of or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased<br />
by regulation."<br />
<br />
<br />
In view of the foregoing, the Director of the Spanish Data Protection<br />
Agency RESOLVES:<br />
<br />
FIRST: TO DECLARE the termination of procedure PS/00214/2022, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: TO ORDER THOMAS INTERNATIONAL SYSTEMS, S.A. to notify the Agency,<br />
within one month, of the adoption of the measures described<br />
in the legal grounds of the proposed resolution transcribed in this<br />
resolution.<br />
<br />
THIRD: TO NOTIFY this resolution to THOMAS INTERNATIONAL<br />
SYSTEMS, S.A.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
Against this resolution, which puts an end to administrative proceedings pursuant to<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative<br />
Procedure of Public Administrations, interested parties may lodge a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of<br />
the said Law.<br />
<br />
1331-281122<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00214/2022&diff=30936AEPD (Spain) - PS/00214/20222023-02-03T12:14:19Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS 00..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=PS 00214-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00214-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=26.02.2021<br />
|Date_Decided=<br />
|Date_Published=16.01.2023<br />
|Year=<br />
|Fine=40,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 9(2) GDPR<br />
|GDPR_Article_Link_2=Article 9 GDPR#2<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=AGROXARXA, S.L.<br />
|Party_Link_1=https://www.agroxarxa.com/<br />
|Party_Name_2=THOMAS INTERNATIONAL SYSTEMS, S.A.<br />
|Party_Link_2=https://www.thomas.co/<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
|Party_Name_4=<br />
|Party_Link_4=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA fined a talent acquisition company €40,000 for collecting data on ethnicity and disability of the data subjects during the aptitude testing process without a valid exception as per [[Article 9 GDPR#2|Article 9(2) GDPR]].<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
THOMAS INTERNATIONAL SYSTEMS, S.A. (Controller 1) is a personnel selection consultancy that carries out aptitude testing on behalf of the entities that contract its services. In this context, AGROXARXA, S.L. (Controller 2) asked a job candidate (the data subject) to complete a behavioural survey accessible through the website of Controller 1 as part of a selection process.<br />
<br />
Once the data subject had completed the assessment presented by Controller 1 on behalf of Controller 2, whose purpose was to assess the data subject's suitability for the open position at Controller 2, Controller 1 asked them to fill in a second questionnaire for the purposes of research and improvement of its evaluations. The second questionnaire included questions on gender, year of birth, disability, ethnicity, mother tongue, level of education, current employment status, current industry, current role, current level of leadership, level of job happiness, job rating, description of disability and consideration of leadership. For each question, except the description of disability, the data subject was presented with a drop-down list that included the option "I prefer not to answer".<br />
<br />
Before filling in this second questionnaire, the data subject was shown a first layer of data protection information stating that their participation was entirely voluntary and that they could skip any question they did not wish to answer.<br />
<br />
On 21 February 2021, the data subject filed a complaint with the Spanish Data Protection Authority against Controller 2 over the request for disability and ethnicity data in the questionnaire sent by its human resources department, since they did not know what use the company would make of such data.<br />
<br />
After a request from the DPA, Controller 2 provided the data processing agreement in place with Controller 1, which made clear that Controller 1 acted as a processor for the purposes of carrying out the behavioural survey on behalf of Controller 2, but as a controller for the purposes of the second questionnaire, which was aimed at ensuring that its psychometric assessment tools are designed so that they do not discriminate against the persons being assessed.<br />
<br />
=== Holding ===<br />
The DPA found that Controller 1 processed data relating to ethnicity and disability without justifying the applicability of any circumstances or exceptions established in [[Article 9 GDPR#2|Article 9(2) GDPR]] that would overcome the prohibition on the processing of such personal data. In particular, the DPA held that the exception alleged by Controller 1, that of Article 9(2)(j) or "scientific research purposes", did not apply since Controller 1 could not invoke any legal rule covering such data processing, so that the basic assumption laid down in Article 9(2)(j) of the GDPR, according to which the processing of special category data for scientific research purposes must be carried out 'on the basis of Union or Member State law', was not fulfilled.<br />
<br />
Moreover, the DPA held that it was unclear whether Controller 1 had an appropriate [[Article 6 GDPR|Article 6 GDPR]] legal basis, since the information in its Privacy Policy on this point was generic and limited to listing the types of legal basis, without specifying which of them corresponded to the specific processing operations carried out.<br />
<br />
The DPA also dismissed the claim that the processing of sensitive data was based on consent because of its optional nature, since this does not meet the requirement of Article 9(2)(a) GDPR that consent to the processing of special categories of personal data be "explicit". Moreover, the DPA held that Controller 1 did not duly inform the data subject about the purpose and legal basis of the processing or about the right to withdraw consent, as required by Article 13 GDPR, and that the Privacy Policy was only provided in English.<br />
<br />
Finally, the DPA held that Controller 1 had also failed to provide sufficient evidence to prove that proportionality requirements were met, so that it could not be concluded whether the processing was appropriate for the proposed purpose, whether it was necessary or not, or whether there were less intrusive alternative measures.<br />
<br />
The AEPD found that Controller 1 had breached Article 9 GDPR and imposed a sanction under [[Article 83 GDPR#5a|Article 83(5)(a) GDPR]] and Article 72(1)(e) of the Spanish Data Protection Law. The following were considered aggravating factors:<br />
<br />
Based on Article 83(2)(a) GDPR: (1) The nature and gravity of the offence: the data subject was clearly not aware of which entity was the controller of the processing or of the use to be made of the personal data, which affected the ability of data subjects to exercise effective control over their personal data. (2) The duration of the infringement, since the data processing operations subject to this procedure dated back as far as July 2019. (3) The number of data subjects: the infringement affects all data subjects assessed by Controller 1. (4) The harm suffered by the data subjects: taking into account all the circumstances set out above, it is clear that the data subjects have seen increased risks to their privacy.<br />
<br />
Based on Article 83(2)(b) of the GDPR: Negligence in the commission of the offence. The DPA understood that Controller 1 processes personal data systematically and continuously and should have taken great care to comply with its data protection obligations.<br />
<br />
Based on Article 83(2)(d) of the GDPR: The DPA found that Controller 1 did not have adequate procedures in place for the collection and processing of data relating to ethnicity and disability, so that the infringement was not the result of an anomaly in the operation of those procedures but a defect in the personal data management system designed by the controller on its own initiative.<br />
<br />
Based on Article 76.2.b) of the Spanish Data Protection Law: The close link between the controller's activity and the processing of personal data. <br />
<br />
Considering the above factors, the DPA set a fine of €50,000. The DPA also ordered Controller 1 to delete from the survey the collection of personal data relating to ethnicity and disability, and to cease using the data it had previously collected. Controller 1 ended up paying €40,000, making use of the reduction for voluntary payment of the proposed penalty provided for in Spanish administrative law.<br />
<br />
== Comment ==<br />
The Spanish Data Protection Authority gave an example of what measures would have constituted an adequate remedy and mitigation to the breach according to [[Article 83 GDPR#2f|Article 83(2)(f) GDPR]]: "Mitigating the adverse effects or mitigating the damage caused by breaches involves restoring the rights of data subjects, which in this case entails deleting the ethnicity and disability data collected from data subjects and suspending their collection".<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: PS/00214/2022<br />
<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY<br />
PAYMENT<br />
<br />
In the procedure instructed by the Spanish Data Protection Agency, and on the basis of<br />
the following<br />
<br />
<br />
BACKGROUND<br />
<br />
FIRST: On May 5, 2022, the Director of the Spanish Data Protection<br />
Agency agreed to initiate sanctioning proceedings against THOMAS<br />
INTERNATIONAL SYSTEMS, S.A. (hereinafter the claimed party). Once the initiation<br />
agreement had been notified and the allegations presented had been analysed, on November 14,<br />
2022, the proposed resolution was issued, which is transcribed<br />
below:<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: PS/00214/2022<br />
<br />
<br />
<br />
PROPOSED RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
In the procedure instructed by the Spanish Data Protection Agency, and on the basis of<br />
the following:<br />
<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On 02/26/2021, a document presented by A.A.A. (hereinafter, the<br />
complaining party) was received at this Spanish Data Protection Agency, by which<br />
they filed a claim against the entity Agroxarxa, S.L., with<br />
NIF B25269358 (hereinafter, Agroxarxa), for the processing of personal data of<br />
special categories.<br />
<br />
The complaining party states that (...) they had to take psychotechnical tests, accessible<br />
through a link from an entity specialised in these services. As they claim,<br />
in one of the forms used to carry out the process, sensitive data<br />
(disability and ethnicity) was requested, without them knowing what use the company would make of<br />
this data. They add that completion of these forms was required by the<br />
Agroxarxa Human Resources department.<br />
<br />
<br />
They provide a screenshot of the questionnaire in which the disputed data is<br />
requested, available on the website "***URL.1" (hereinafter "Thomas Research<br />
Questionnaire" or "Questionnaire"), the content of which is outlined in the<br />
Second Proven Fact. In its upper left corner is the logo of the entity<br />
"Thomas International Ltd.", to which said form belongs according to the indication<br />
inserted therein ("Copyright"). On the screenshot provided by the claimant,<br />
the options detailed in the Sixth Proven Fact are selected.<br />
<br />
SECOND: During the admission phase of the claim under review, the<br />
General Subdirectorate of Data Inspection accessed the Privacy Policy of<br />
the entity "Thomas International Ltd.", dated 07/03/2019 and in English (the<br />
content of this document, insofar as it is relevant to the present<br />
procedure, is outlined in the Fourth Proven Fact).<br />
<br />
<br />
THIRD: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), the claim made was transferred to the entity Agroxarxa<br />
so that it could analyse it and inform this Agency, within one month,<br />
of the actions carried out to comply with the requirements established in the<br />
data protection regulations.<br />
<br />
The period granted to Agroxarxa for this purpose elapsed without this Agency<br />
receiving any written response.<br />
<br />
<br />
FOURTH: On 06/29/2021, in accordance with article 65 of the LOPDGDD,<br />
the claim presented by the complaining party was admitted for processing.<br />
<br />
FIFTH: In view of the facts reported in the claim and the documents<br />
provided by the complaining party, the General Subdirectorate of Data Inspection<br />
carried out preliminary investigation actions to clarify the facts in<br />
question, by virtue of the investigative powers<br />
granted to supervisory authorities in article 57.1 of Regulation (EU)<br />
2016/679 (General Data Protection Regulation, hereinafter GDPR), and<br />
in accordance with Title VII, Chapter I, Second Section, of the<br />
LOPDGDD. The inspection services of the AEPD carried out the<br />
following actions:<br />
<br />
<br />
1. The Inspection Services of this Agency sent Agroxarxa an<br />
information request, which was answered by said entity by means of a written document<br />
dated 12/21/2021, in which it reports the following:<br />
<br />
. (…).<br />
<br />
. With reference to the personnel selection process, it states that it does not request or require<br />
candidates to include in their CVs personal data<br />
concerning race, ethnicity or disability.<br />
<br />
It explains the process followed to select the finalists, who are<br />
asked to complete a "behavioural survey" with the aim of<br />
finding out whether the candidate fits, in terms of skills and competencies,<br />
the conditions required for the job; this is done through the<br />
platform owned by the company "Thomas International Ltd", which informs of<br />
its terms and conditions, privacy policy, cookies and other legal requirements<br />
in the email that candidates receive to complete the survey.<br />
Once the candidates have completed the survey on the "Thomas<br />
International Ltd." platform, and based on the analysis of the result it produces, a<br />
final interview is held to select the person to be hired.<br />
<br />
. With reference to the information provided to the candidates.<br />
<br />
The company "Thomas International Ltd.", when sending the email to participate in the<br />
survey, sends the link to its rules, where the processing of data can be seen<br />
in detail.<br />
<br />
<br />
Agroxarxa incorporates one of these emails as an example, whose text is the following:<br />
<br />
“Dear…<br />
…(name), from Agroxarxa, SLU has invited you to complete a brief evaluation of<br />
behaviour.<br />
Click on the following link or copy and paste it into your browser to start the<br />
evaluation<br />
<br />
https://open.***URL.1/Login/Login...<br />
There is a possibility that you will be asked to enter the following user data and<br />
password:<br />
User…<br />
Password…<br />
Visit the Thomas candidate area https://www.***URL.1/en-us/candidates.aspx for<br />
Learn more about this evaluation.<br />
Regards<br />
… (Name)<br />
Agroxarxa, SLU<br />
<br />
… (phone)<br />
rrhh_desenvolupament@Agroxarxa.com<br />
See our privacy policy www.***URL.1/es-es/Privacycookies.as.x”<br />
<br />
According to Agroxarxa, this makes it clear that "the information available to the<br />
candidates and the processing of data that informs the company, not<br />
Agroxarxa, SLU".<br />
<br />
. With reference to the contract signed with "Thomas International Ltd.".<br />
<br />
The entity's representatives provide a copy of the service contract and the<br />
data processing contract ("Data Processing Agreement") signed on<br />
05/30/2018 with the entity THOMAS INTERNATIONAL SYSTEMS, S.A. (hereinafter<br />
THOMAS INTERNATIONAL SYSTEMS). The content of this "Data Processing<br />
Agreement", insofar as it concerns this procedure, is<br />
detailed in the Third Proven Fact.<br />
<br />
. With reference to the reason why "Thomas International Ltd." collects ethnicity<br />
and disability data.<br />
<br />
As indicated by Agroxarxa's representatives, this data is not expressly collected<br />
for the entity. Thomas International Ltd. uses the same<br />
"Questionnaire" for all its customers.<br />
<br />
In addition, the data requested in the "Questionnaire" regarding "disability" and<br />
"ethnic group" are voluntary; the person surveyed can choose the option "I prefer not<br />
to answer". They provide an image of said "Questionnaire", the content of which coincides with that<br />
described in the Second Proven Fact. The answers in this image are the<br />
following:<br />
<br />
. Sex: "Female".<br />
. Year of birth: "2017".<br />
. Disability: "I prefer not to answer."<br />
. Ethnicity: "I prefer not to answer."<br />
<br />
Thomas International Ltd. only has the information that candidates<br />
contribute voluntarily, without it being mandatory or necessary for<br />
Agroxarxa to have the data in question. Agroxarxa has at no time<br />
requested that this information be collected for any selection process.<br />
<br />
Therefore, "Thomas International Ltd." only has information regarding<br />
ethnicity and disability when the candidate expressly, completely<br />
voluntarily and on an informed basis provides it, without this information being provided to Agroxarxa,<br />
to which only the corresponding competency and skills profile report is sent,<br />
but never the answers.<br />
<br />
. In reference to the processing carried out by Agroxarxa on the data related to ethnicity<br />
and disability, and the retention period.<br />
<br />
The "Thomas International Ltd." application is not expressly designed for Agroxarxa's<br />
selection processes; Agroxarxa (like the rest of the clients) does not participate in the<br />
preparation of the forms used by said company.<br />
<br />
That is why Agroxarxa does not collect, process or keep data related to ethnicity and<br />
disability.<br />
<br />
. In reference to the data contained in Agroxarxa relating to the complaining party.<br />
<br />
It does not hold data on the ethnicity or disability of the complaining party. (…).<br />
<br />
<br />
<br />
With its response, Agroxarxa provided copies of two reports as examples of the<br />
information about candidates that "Thomas International Ltd." provides to<br />
Agroxarxa:<br />
<br />
<br />
a) The first of them contains some graphics and scores related to "Work mask",<br />
"Behavior under pressure" and "Self-image".<br />
<br />
b) The second describes the "APP Profile" of the person assessed in relation to the<br />
“Self-image”, “Self-motivation”, “Work emphasis”, “Descriptive words”, “Mask”<br />
<br />
(“how others see you”), “Behavior under pressure” and “General comments”.<br />
<br />
<br />
2. On 12/30/2021, the Inspection Services of this Agency sent Agroxarxa a new request<br />
for information, which was answered as follows:<br />
<br />
. In the selection process, Agroxarxa at no time transfers data to the entity<br />
"Thomas International Ltd."; it hires this company to carry out an analysis of skills<br />
and competencies.<br />
<br />
The only data that Agroxarxa communicates to "Thomas Internacional Ltd." are the<br />
candidate's name and surname and contact email, used to facilitate access to the<br />
platform.<br />
<br />
<br />
. It is in its interest to reassess the personnel selection process and protocol with the<br />
aim of simplifying and improving the process, as well as providing candidates with more<br />
and better information.<br />
<br />
<br />
<br />
3. (…):<br />
<br />
Its activity is to provide psychometric tools for companies to apply in their evaluation<br />
and recruitment processes.<br />
<br />
<br />
On 05/30/2018, a "Data Processing Agreement" was signed with the company Agroxarxa (a<br />
copy is provided).<br />
<br />
(…).<br />
<br />
<br />
The contract signed between the parties (Annex 1) contemplates that "Thomas<br />
International" will process, on the instructions of Agroxarxa, the personal data of the<br />
candidates selected by it, which will be stored and controlled by the data controller,<br />
Agroxarxa, in the previously contracted "Thomas International" hub. Agroxarxa has tools<br />
for maintaining the personal data resulting from the evaluation processes for as long as<br />
Agroxarxa deems appropriate.<br />
<br />
Section 2.3 of the Contract specifies that Agroxarxa controls the personal data entered<br />
into the evaluation systems of Thomas International Ltd. through the tools provided by<br />
the latter, and that the candidates' data (evaluation results) will be processed on the<br />
instructions of Agroxarxa, which alone has access to the results processed by "Thomas<br />
International" systems.<br />
<br />
Section 2.4 indicates that Agroxarxa is the controller of the personal data entered into<br />
the "Thomas International" evaluation processes so that they are processed and evaluation<br />
results obtained, which Agroxarxa receives and analyzes in the course of its business<br />
activity. Likewise, Agroxarxa has previously contracted tools for sole and exclusive<br />
access to the "Thomas International" hub (where the evaluation results are stored) in<br />
order to analyze, view, delete, maintain, etc. the information processed by "Thomas<br />
International" on Agroxarxa's instructions.<br />
<br />
According to section 3.1.1, the "Thomas International" systems process the personal data<br />
of Agroxarxa's candidates on its instructions and following the directions it provides.<br />
<br />
Section 3.1.2 stipulates that "Thomas International" acts according to the instructions<br />
provided by the client, Agroxarxa.<br />
<br />
Section 3.2 provides that it must promptly comply with the instructions provided by<br />
Agroxarxa.<br />
<br />
<br />
In section 4 Agroxarxa authorizes "Thomas International Ltd." to send a form for<br />
permitted research purposes, to be filled out voluntarily and anonymously by the people<br />
who access the procedures authorized and contracted by Agroxarxa, as long as the three<br />
conditions in sections 4.1, 4.2 and 4.3 are met.<br />
<br />
<br />
THOMAS INTERNATIONAL SYSTEMS ends by noting that, according to the agreement signed<br />
between the parties, "Thomas International" is not obliged to provide information to the<br />
candidates to be evaluated for Agroxarxa, which is the owner of the information relating<br />
to them, and "Thomas International Ltd." only processes the information provided by<br />
Agroxarxa and at its request. "Thomas International Ltd." does not know the personal data<br />
of the candidates who are to be evaluated according to the needs determined by Agroxarxa<br />
in its policies for evaluating candidates for certain jobs.<br />
<br />
In relation to the data on ethnic origin and disability, it indicates that they are<br />
collected voluntarily and optionally, with the option not to respond. Any information<br />
collected through this optional survey is part of the psychometric evaluation and does<br />
not affect the results obtained by the candidate in his evaluation. All the information<br />
collected through the aforementioned optional survey would be used by the "Thomas<br />
International Sciences" research team to ensure that their psychometric assessment tools<br />
are designed in such a way that they do not discriminate against the people evaluated.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS provides a copy of the form "authorized by Agroxarxa to be<br />
sent to the persons who access the systems of Thomas International Ltd. under the terms<br />
of section 4" ("the Questionnaire"), whose content coincides with that outlined in the<br />
Second Proven Fact, and a copy of the prior information that it provides. After the<br />
informative text, the "I disagree" and "Next" buttons are included.<br />
<br />
SIXTH: On 04/25/2022, the General Sub-Directorate of Data Inspection accessed the<br />
information available about the entity THOMAS INTERNACIONAL SYSTEMS in "Axesor". (…).<br />
<br />
SEVENTH: On May 5, 2022, the Director of the Spanish Data Protection Agency agreed to<br />
initiate sanctioning proceedings against THOMAS INTERNACIONAL SYSTEMS, in accordance<br />
with articles 63 and 64 of the LPACAP, for the alleged infringement of article 9 of the<br />
GDPR, typified in article 83.5.a) of the aforementioned Regulation and classified as very<br />
serious for limitation purposes in article 72.1.e) of the LOPDGDD.<br />
<br />
<br />
<br />
The initiation agreement determined that the sanction that might apply, in view of the<br />
evidence existing at the time of initiation and without prejudice to the outcome of the<br />
investigation, would amount to a total of 50,000 euros.<br />
<br />
Likewise, it was warned that the alleged infringements, if confirmed, might entail the<br />
imposition of measures under the aforementioned article 58.2 d) of the GDPR.<br />
<br />
EIGHTH: Once the aforementioned initiation agreement had been notified in accordance with<br />
the LPACAP, THOMAS INTERNATIONAL SYSTEMS submitted a brief of allegations in which it<br />
requests that the procedure be closed or, alternatively, that a warning be issued, based<br />
on the following considerations:<br />
<br />
<br />
1. On the activities of THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS is a Spanish company that provides services to various<br />
entities in Spain, consisting of facilitating the use of the platform "www.***URL.1",<br />
which specializes in the evaluation, training and consulting of those clients' users.<br />
Client entities access a restricted area of the platform using a username and password<br />
and are in charge of managing the candidates, selecting those who are to perform the<br />
evaluations, and obtaining the final reports produced on said evaluations.<br />
<br />
<br />
Based on the foregoing, it concludes that THOMAS INTERNATIONAL SYSTEMS has not carried<br />
out any processing of the claimant's personal data.<br />
<br />
2. On the activities of "Thomas".<br />
<br />
<br />
The "Thomas International group", as a group, and specifically the parent company<br />
"Thomas International Limited LTD", provides psychometric, evaluation, training and/or<br />
auditing services to those clients who contract them through the platform<br />
www.***URL.1.<br />
<br />
Said platform offers said psychometric evaluation services in compliance with all current<br />
legislation, the strictest international psychometric standards, and the strictest<br />
technical, organizational and legal security measures in general, and especially in<br />
matters of data protection and psychometrics.<br />
<br />
Precisely one of the measures adopted to guarantee compliance with international<br />
psychometric standards and norms is the "Thomas Research Questionnaire" that is the<br />
subject of this procedure, which is carried out completely independently of the user<br />
evaluations: only once the evaluation has been finished and irreversibly closed is the<br />
user offered the "Questionnaire". The user can choose whether or not to complete it;<br />
neither its completion nor its responses have any conditioning effect or consequence,<br />
and the responses are not shared with client entities or with third parties.<br />
<br />
The sole purpose of this "Questionnaire" is to comply with the international psychometric<br />
standards required by international regulations and protocols, and to guarantee the<br />
reliability of the evaluations and opinion questionnaires carried out by "Thomas<br />
International" through its platform.<br />
<br />
Clients are informed about this questionnaire through the data-processing contract<br />
(clause 4). Users are also informed: before completing it, they see a notice stating that<br />
"Thomas International" is the controller, that its purpose is scientific research, that<br />
completing it or not is independent of and has no bearing on any evaluation previously<br />
carried out, that the information is processed anonymously and confidentially, and that<br />
no information will be shared with the entity or person who invited them to carry out the<br />
evaluation (in no case are the data collected through the "Questionnaire" known to the<br />
platform's clients or other third parties, nor even to Group partners or employees).<br />
<br />
On the issue of transparency in the data processing entailed by the "Questionnaire",<br />
THOMAS INTERNATIONAL SYSTEMS states that it has engaged new professionals and a new DPO<br />
to perfect its compliance with data protection regulations. It provides a copy of the new<br />
informative clause, which is reproduced in the Second Proven Fact.<br />
<br />
3. On the lawfulness of the questionnaire processing.<br />
<br />
<br />
The processing of personal data carried out through the "Questionnaire" that is the<br />
subject of this file is lawful and complies with article 9.2 j) of the GDPR, in relation<br />
to article 89.1 of the same Regulation, and with the other regulations applicable to the<br />
sector in which the entity operates.<br />
<br />
<br />
The "Thomas International" company, prior to carrying out the "Questionnaire", has taken<br />
all necessary technical, organizational and legal measures to:<br />
<br />
a) Process sensitive data exclusively for the purpose of scientific research and in order<br />
to comply with the requirements of international psychometric standards and norms, so as<br />
to guarantee the reliability required of its evaluations (purpose limitation), without<br />
the entity obtaining any benefit from completion of the questionnaire.<br />
b) Process, in any case, the minimum data possible to fulfil said purposes and needs. The<br />
"Thomas Research Questionnaire" is handled by the minimum necessary staff, for the time<br />
strictly necessary, and only the data strictly necessary to fulfil the stated purpose is<br />
processed, scrupulously observing the principle of data minimization and anonymization of<br />
identifying data. It applies robust pseudonymization and anonymization processes to its<br />
processing operations.<br />
c) Apply all technical, organizational and legal measures necessary for the correct<br />
processing of said information, establishing a robust information-minimization system,<br />
with access restricted to registered professional psychologists who have duly signed the<br />
necessary information-use rules, confidentiality agreements and codes of ethics; and also<br />
applying a system for anonymizing the information obtained, previously tested and<br />
continuously monitored.<br />
d) Apply equally robust security systems, encrypting the "Questionnaire" and applying the<br />
highest security measures to guarantee the confidentiality, integrity and availability<br />
of the information. Once completed, the form is stored on the entity's encrypted<br />
servers, under the highest security measures and anonymously, in three tables. The<br />
system has obtained ISO 9001 certification.<br />
e) Analyze and evaluate in advance all possible risks and incidents, adopting the<br />
necessary measures to avoid and/or mitigate any incident, and complying with all<br />
data-protection measures and/or obligations, specifically the principles established in<br />
article 5 of the GDPR.<br />
f) Respect the principle of data accuracy: the need for accuracy in the evaluations that<br />
"Thomas" provides through its platform makes the "Thomas Research Questionnaire"<br />
necessary. Likewise, all necessary measures have been established to ensure accuracy in<br />
the collection, storage and retention of the processed data.<br />
g) Retain the data strictly for the purpose described. By anonymizing the data and<br />
irreversibly severing the identifying data from the responses given, the minimum<br />
retention period is fully guaranteed, since personal data is securely and irreversibly<br />
destroyed immediately in the three-table system. Therefore, only non-personal data that<br />
serves the purpose of scientific research and compliance with the required scientific<br />
standards is retained.<br />
<br />
<br />
In relation to the lawfulness and fairness of the questionnaire's data processing, it<br />
indicates the following:<br />
<br />
The data requested through the "Questionnaire", which include sensitive data (such as<br />
ethnicity and possible disabilities), are necessary to comply with the requirements of<br />
international psychometric standards and regulations, so that the evaluations carried out<br />
on the platform measure with scientific rigour what they claim to measure, do so<br />
accurately and do so fairly, while at the same time ensuring that they reach the right<br />
demographic and that no discrimination occurs, as required by the international standards<br />
and norms listed below:<br />
<br />
<br />
. The "Questionnaire" is validated in accordance with the guidelines of the European<br />
Federation of Psychologists' Associations (FEAP, or EFPA by its English acronym: European<br />
Federation of Psychologists' Associations). EFPA is a European organization to which most<br />
of the European psychology associations belong. Its test review model is used throughout<br />
Europe and serves as a tool for evaluating psychometric assessments from two points of<br />
view: on the one hand, to check whether a group or sample is representative of a broader<br />
population and to calculate the relative position of examinees within that sample; and on<br />
the other, to ensure the fairness of the test.<br />
<br />
<br />
. International Test Commission (ITC), Guidelines on the use of tests, which also refer<br />
to the fairness of tests, i.e. whether they are fair for use with various groups, and to<br />
the need to monitor changes in the population through the demographic information<br />
provided by test takers.<br />
<br />
<br />
<br />
. Code of Conduct of the Business Psychology Association ***URL.2.<br />
<br />
It adds that the information collected is necessary under the aforementioned survey<br />
formulation (CIT, or ITC by its English acronym), since it makes it possible to ensure,<br />
through anonymous statistical studies, that its psychometric assessment tools<br />
(personality, intelligence, aptitudes, emotional intelligence, etc.) do not discriminate<br />
against the people evaluated, precisely on grounds of ethnicity or disability, among other<br />
circumstances. Therefore, it understands that "Thomas International", as designer of the<br />
evaluations and questionnaires, is legitimized and protected in its objectives by<br />
art. 89.1 of the GDPR, which permits the collection of data for research and aggregate<br />
statistical purposes, with the guarantee that this data is anonymized and cannot be<br />
associated with a specific candidate, through the aforementioned CIT.<br />
<br />
The relevance of "Thomas International"'s activity and its CIT survey rests on the<br />
requirement to guarantee good practice in the design, development and monitoring of<br />
psychometric tests, in accordance with the standards defined by the BPS (British<br />
Psychological Society), the EFPA (European Federation of Psychologists' Associations) and<br />
the COP (Official Association of Psychologists), which ensure good psychometric practice,<br />
certify the validity and reliability of a test and require that quality standards be kept<br />
up to date through macro-statistical studies run in parallel throughout the technical<br />
life of these tests, using statistical meta-analyses that are necessarily anonymous,<br />
global and longitudinal. A new standard has recently emerged in this field, ISO 30414<br />
Human Resource Management, which requires the appropriate use of psychometric tests as<br />
well as their discriminating power.<br />
<br />
In addition, it adds that "Thomas International" carried out the necessary impact<br />
analyses and assessments, having assessed the proportionality of the data processing and<br />
its necessity for scientific research, before making the evaluations available on the<br />
platform.<br />
<br />
Likewise, both the evaluations and the questionnaires have been designed exclusively by<br />
prestigious registered psychology professionals working at "Thomas International", who<br />
are the only ones who handle the questionnaire data. These professionals are bound by<br />
confidentiality agreements and by strict compliance with international psychometric<br />
standards and regulations.<br />
<br />
4. Bearing in mind that (...) without any discrimination, he suffered no infringement or<br />
harm (...), and did not express any objection to the processing of the "Thomas Research<br />
Questionnaire"; that Agroxarxa did not know whether or not the interested party completed<br />
said "Questionnaire" or what he answered; that "Thomas International" obtained no benefit<br />
and caused no harm; and that it has had no claims or incidents; THOMAS INTERNATIONAL<br />
SYSTEMS understands that there is no infringement and/or breach of data protection.<br />
<br />
5. On the absence of unlawfulness in the processing of information: THOMAS INTERNATIONAL<br />
SYSTEMS also understands that the processing of sensitive personal data is carried out in<br />
accordance with article 9.2 j) of the GDPR, and that once the data have been anonymized<br />
it cannot be considered that any processing of personal data takes place.<br />
<br />
6. On the absence of intent and/or fault on the part of "Thomas International": for there<br />
to be a punishable offence there must be not only an unlawful act but also intent in the<br />
act or omission that causes it, as stated in the Resolutions and Judgments of the<br />
National High Court of 02/25/2010 (which establishes that strict liability is not<br />
admissible in administrative sanctioning law, being proscribed since STC 76/1999;<br />
Judgment of the National High Court of 04/29/2010), 04/29/2020, 10/19/2010 and<br />
02/10/2011.<br />
<br />
<br />
"Thomas International" has shown a proactive attitude and compliance with its data<br />
protection obligations in all the processing it carries out, applying the highest<br />
security standards.<br />
<br />
7. On the absence of seriousness in the conduct of "Thomas International": in the<br />
hypothetical case that "Thomas International" is considered not to have provided<br />
information correctly, then, in the alternative, its conduct cannot be sanctioned as a<br />
serious infringement, since all the circumstances indicated and proven in the present<br />
case lead to the conclusion that there is no serious offence at all.<br />
<br />
<br />
In addition, as a result of what has come to light in this case, it has taken additional<br />
measures to avoid any incident or infringement, such as appointing a new Data Protection<br />
Officer of proven experience and knowledge (ANNEX No. 15); initiating a new risk analysis<br />
and impact assessment of its personal-data processing in order to identify possible risks<br />
and apply the measures necessary to avoid and/or mitigate harm; drafting new informative<br />
clauses on the processing carried out in the "Thomas Research Questionnaire"; and<br />
reinforcing the information and training of all parties involved in the processing of<br />
personal data, such as clients, registered psychology staff, technical staff and the<br />
people who agree to carry out the evaluations and questionnaires.<br />
<br />
Therefore, it considers that the provisions of Recital 148 of the GDPR apply, as in the<br />
following AEPD resolutions:<br />
<br />
a) In the Resolution issued in procedure E/00660/2020, concerning a very serious<br />
infringement for unlawful data processing, weight was given to the regulatory compliance<br />
steps taken before the claim was filed with the AEPD.<br />
<br />
<br />
b) In procedures PS/00077/2021 and PS/00416/2020, concerning serious infringements<br />
arising from information security breaches, a warning was imposed in view of the measures<br />
adopted to resolve the problem and the suspension of the website involved in the events,<br />
which was migrated to another server, with measures adopted to avoid events similar to<br />
those that gave rise to the claim.<br />
<br />
c) In the proceedings under number E/05039/2018, the sanctioning procedure was closed in<br />
view of the measures adopted to solve the problem and the low significance of the<br />
deficiencies.<br />
<br />
d) In procedures PS/00040/2021, PS/00041/2021, PS/00067/2021,<br />
PS/00071/2021, PS/00240/2020, PS/00366/2020, PS/00285/2020, PS/00311/2020,<br />
PS/00355/2020, PS/00371/2020, PS/00381/2020, PS/00399/2020, PS/00414/2020,<br />
PS/00441/2020, PS/00453/2020, PS/00454/2020, PS/00455/2020, PS/00457/2020 and<br />
PS/00490/2020, the sanctioning procedure ended in a warning on grounds such as the<br />
following:<br />
<br />
<br />
. It is verified that the party complained against updated the information.<br />
. The Privacy Policy was drawn up after the claim.<br />
. Consent is express because the data processing is based on the consent given by filling<br />
in and submitting the form and ticking the box accepting data processing<br />
(PS/00040/2021).<br />
. The fine is considered disproportionate for the party complained against, whose main<br />
activity is not directly linked to the processing of personal data and who has no record<br />
of any previous data-protection infringement (PS/00041/2021 and others).<br />
. The provisions of article 58.2 of the GDPR are applied (PS/00067/2021 and others).<br />
. Absence of intent; adoption of measures to comply with the GDPR; appointment of a DPO;<br />
no repeat offending; appropriate and reasonable measures taken to avoid incidents such as<br />
the one claimed (PS/00071/2021).<br />
. Rectification, once the file had been opened, of the deficiency found in the form on the<br />
website, with acceptance of the privacy conditions required before submitting the form<br />
and a box enabled to consent to the sending of commercial communications<br />
(PS/00311/2020).<br />
. There is no record of any previous data-protection infringement.<br />
. The privacy policies were duly modified.<br />
<br />
Finally, it highlights that it has a proactive attitude; that all its staff are duly<br />
trained; that its activity has not harmed the rights of the interested parties; that it<br />
has received no claim, incident or security breach to date; and that, upon learning of<br />
the matter, it initiated a review of its protocols, analyses and assessments and<br />
appointed proven specialists in the field.<br />
<br />
<br />
With its allegations, it provides the following documentation:<br />
<br />
. Contract signed with Agroxarxa.<br />
. Partner agreement between "Thomas IS" and "Thomas LTD".<br />
. Explanation of the three-table anonymization and minimization process applied to the<br />
"Thomas Research Questionnaire".<br />
. Protocols and security policy applied, including a version of the Privacy Policy dated<br />
03/31/2020.<br />
. EFPA Guidelines.<br />
. ITC Guidelines.<br />
. Code of conduct.<br />
. Executive summary of Thomas International's practices and compliance with the GDPR.<br />
. Protocol for the preparation of tests for Dyslexia and Occupational Tests.<br />
. Deontological Code.<br />
. Psychologist contract.<br />
<br />
<br />
<br />
PROVEN FACTS<br />
<br />
<br />
<br />
FIRST: The entity THOMAS INTERNATIONAL SYSTEMS provides evaluation and consultancy<br />
services for personnel selection processes carried out by the entities that contract such<br />
services.<br />
<br />
The evaluation of candidates by THOMAS INTERNATIONAL SYSTEMS requires them to complete<br />
behavioural tests or surveys accessible through the website of said entity, "***URL.1",<br />
in order to assess, on the basis of the information obtained, the candidate's suitability<br />
for the job offered.<br />
<br />
The entity running the selection process pre-selects the candidates who are to be<br />
evaluated by THOMAS INTERNATIONAL SYSTEMS. These finalist candidates receive an email<br />
from the latter entity with instructions for accessing its platform, the "candidate<br />
area", and completing the survey. The email contains the username and password to be used<br />
for access and includes a link to start the evaluation, as well as other links leading to<br />
the information available in the "candidate area" and to the Privacy Policy available on<br />
the website "***URL.1".<br />
<br />
As a result of the provision of the service, THOMAS INTERNATIONAL SYSTEMS provides client<br />
entities with a report or profile on the candidate's skills and abilities.<br />
<br />
SECOND: Once the candidates finish completing the tests<br />
necessary to carry out the evaluation, THOMAS INTERNATIONAL SYSTEMS<br />
asks them to fill in a new questionnaire, which he calls the "Questionnaire<br />
<br />
of Thomas Research”, which includes questions related to sex, year of<br />
birth, disability, ethnicity, mother tongue, educational level, employment status<br />
current sector currently working in current role current level of command<br />
level of happiness in the job (on a scale from 1 to 7), qualification of your work (with<br />
scale from 1 to 7), description of the disability (text field) and consideration<br />
<br />
about leadership. To answer each question, except for the description of the<br />
disability, a drop-down is shown with the options that the interested party can<br />
select, including the option “I prefer not to answer”.<br />
<br />
Prior to completing this "Questionnaire", the<br />
interested parties are shown the following information regarding the protection of personal data:<br />
<br />
Thank you for completing the form.<br />
A notification has been sent to the person who invited you to take the assessment. Please<br />
contact them for more information on this Thomas evaluation.<br />
Welcome to the Thomas Research Questionnaire.<br />
At Thomas International, we are committed to the continuous improvement of our<br />
assessments. As part of our research and development initiative, we ask that you<br />
provide us with information to help us improve our assessments. Information<br />
collected will be used for research purposes only and will not be provided to your employer.<br />
Our psychologists abide by ethical guidelines and all information we collect will be<br />
confidential and only global results will be reported. Participation is entirely<br />
voluntary and you can choose to skip any question you do not want to answer.<br />
<br />
After the informative text, the buttons "I do not agree" and<br />
"Next" are displayed.<br />
<br />
The entity THOMAS INTERNATIONAL SYSTEMS, on the occasion of the<br />
allegations at the opening of the procedure, has reported that the informative clause<br />
above has been modified, remaining as follows:<br />
<br />
"Thank you for completing the form.<br />
A notification has been sent to the person who invited you to take the assessment. Please<br />
contact them for more information on this Thomas evaluation.<br />
Welcome to the Thomas Research Questionnaire.<br />
At Thomas International we are committed to the continuous improvement of our<br />
assessments. As part of this, Thomas International, as the controller of the<br />
data, regularly conducts research to ensure that our assessments<br />
are valid, reliable and, above all, fair. This allows us to ensure that we adhere to<br />
international best practice standards. We would appreciate your help in this<br />
important research by filling in the following questionnaire.<br />
Completion of the questionnaire is voluntary and independent of the person who has<br />
asked you to do the evaluation. In no case will the information in this<br />
questionnaire be provided to the person who invited you to carry out the mentioned evaluation. Information<br />
collected in this questionnaire will be used solely for scientific research purposes, it will be<br />
processed only by Thomas International registered psychologists and will be treated<br />
anonymously. To exercise your rights and/or for more information, consult our<br />
privacy policy (***URL.3), or contact Data Protection<br />
at ***EMAIL.1. Our psychologists are governed by ethical guidelines and all<br />
information we collect will be kept confidential and only anonymous aggregate<br />
results will be communicated. Participation is completely voluntary and you can choose to skip<br />
any questions you don't want to answer."<br />
<br />
After the informative text, the buttons "I do not agree" and<br />
"Next" are displayed.<br />
<br />
THIRD: To formalize the provision of the services outlined in the First<br />
Proven Fact, the entity has arranged a form called “Data Processing<br />
Agreement" that it signs with its clients.<br />
<br />
Of the stipulations contained in this agreement, which is deemed reproduced for<br />
evidentiary purposes, the following should be noted:<br />
<br />
Background<br />
<br />
(...)<br />
(...)<br />
(…)<br />
(…)<br />
<br />
Thomas's Duties<br />
<br />
(…):<br />
(…);<br />
(…);<br />
(…);<br />
(…)<br />
<br />
Research<br />
<br />
(…):<br />
(…);<br />
(…);<br />
(…).<br />
<br />
(...)”.<br />
<br />
<br />
FOURTH: The Privacy Policy available on the web "***URL.1", in its version<br />
dated 07/03/2019, includes the following information:<br />
<br />
“1.3 Do we always act as data controllers? Although Thomas<br />
often acts as data controller, in some of our activities<br />
we can also act as data processor or sub-processor...<br />
<br />
Examples of cases where Thomas acts as data controller<br />
include, but are not limited to, the following:<br />
(…)<br />
. Processing of personal data of candidates for research purposes.<br />
. Processing of personal data of candidates to create an anonymous form of<br />
personal information…<br />
<br />
2.5 Do we use personal data in our research?<br />
We are committed to continually improving our assessments. To do this, we ask<br />
candidates to provide us with additional information, such as age group, educational level,<br />
ethnicity and similar matters. Providing this information is voluntary and is not<br />
necessary to complete an assessment.<br />
When we process any of this personal data for research, we do so as<br />
data controller.<br />
Any personal information provided to us for research will be used exclusively<br />
for research purposes and will not be disclosed to third parties. Both during and after<br />
our psychologists evaluate your personal information, we will store it securely and with<br />
the strictest confidentiality. If we share our results with third parties, only<br />
anonymous and aggregate results from which no individual can be identified will be shared.<br />
<br />
2.6 In case we are data controller: What legal basis<br />
do we have to use your personal data?<br />
(…)<br />
. you have consented to the use of your personal data;<br />
. the use we make of your personal data is in our legitimate interest as a<br />
business organization; in these cases, we will process your information at all times in a<br />
manner that is proportionate and respectful of your right to privacy. You will also have the right to<br />
object to the processing, as explained in section 7;<br />
. the use of your personal data is necessary to perform a contract or take steps to<br />
enter into a contract with you; or<br />
. our use of your personal data is necessary to comply with a legal obligation or<br />
pertinent regulation…” (Unofficial translation).<br />
<br />
The content of the transcribed sections is similar to that included in the version of the<br />
Privacy Policy dated 03/31/2020, contributed to the proceedings by THOMAS<br />
INTERNATIONAL SYSTEMS.<br />
<br />
<br />
FIFTH: Agroxarxa convened a personnel selection process and hired the<br />
services of THOMAS INTERNATIONAL SYSTEMS to carry out the<br />
evaluations of the candidates shortlisted by Agroxarxa. For this reason,<br />
both entities signed a contract (“Data Processing Agreement”)<br />
dated 05/30/2018, in the terms indicated in the Third Proven Fact.<br />
<br />
SIXTH: The complaining party participated in the personnel selection process<br />
convened by Agroxarxa indicated in the Fifth Proven Fact and was selected<br />
as a finalist to be evaluated by THOMAS INTERNATIONAL SYSTEMS.<br />
After carrying out the surveys arranged to perform this evaluation<br />
through the web "***URL.1", the complainant was asked to fill in the "Thomas<br />
Research Questionnaire", through which the complaining party provided the<br />
following data:<br />
<br />
. Sex: “XXXXXX”.<br />
. Year of birth: “XXXX”.<br />
. Disability: “XX”.<br />
. Ethnicity: “XXXXXXXXXXXX”.<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
By virtue of the powers that article 58.2 of the GDPR recognizes to each supervisory<br />
authority, and as established in articles 47 and 48 of Organic Law 3/2018, of 5<br />
December, on the Protection of Personal Data and guarantee of digital rights<br />
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency<br />
is competent to initiate and resolve this procedure.<br />
<br />
Article 63.2 of the LOPDGDD determines that: "The procedures processed by the<br />
Spanish Data Protection Agency will be governed by the provisions of the GDPR, by<br />
this organic law, by the regulatory provisions issued in its<br />
development and, as long as they do not contradict them, on a subsidiary basis, by the<br />
general rules on administrative procedures”.<br />
<br />
<br />
II<br />
<br />
The claim that has motivated these proceedings questions the processing of<br />
personal data relating to ethnicity and disability carried out by THOMAS<br />
INTERNATIONAL SYSTEMS during the candidate selection process for a<br />
job offered by the entity Agroxarxa, this question constituting the<br />
sole purpose of this proceeding.<br />
<br />
Thus, the conclusions derived from the procedure do not imply any<br />
pronouncement regarding issues unrelated to said object.<br />
<br />
<br />
<br />
III<br />
<br />
The personnel selection process (...) begins with its publication by said<br />
entity and the subsequent examination of the profile of the candidates who have<br />
shown interest in the position, in order to select the finalists, who are asked to<br />
complete a “behavioral survey.”<br />
<br />
This "behavioral survey" is carried out through the platform of the entity<br />
THOMAS INTERNATIONAL SYSTEMS. These are psychological tests that<br />
assess the intelligence, personality, emotional intelligence and potential of the<br />
candidates.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS sends an email to the candidate with access to<br />
its platform. In this email it warns that the reason is to carry out a behavioral<br />
evaluation for Agroxarxa, indicates the link to access the platform, as well<br />
as the username and password to use. In addition, it indicates the links to<br />
access the information contained in the candidate area and the privacy policy.<br />
<br />
As a result of this action, THOMAS INTERNATIONAL SYSTEMS sends to<br />
Agroxarxa a report on the profile of skills and abilities of the<br />
candidate.<br />
<br />
The selection process ends with a final interview carried out by Agroxarxa.<br />
<br />
The tasks that THOMAS INTERNATIONAL SYSTEMS performs within the framework of this<br />
process were entrusted to it by Agroxarxa through a contract for the provision of<br />
services signed by both entities. Said contract includes a "Data Processing<br />
Agreement", formalized on 05/30/2018, which defines the role of<br />
THOMAS INTERNATIONAL SYSTEMS as processor and points out that<br />
said entity follows the instructions of Agroxarxa, which intervenes as<br />
controller.<br />
<br />
The figures of "controller" and "processor" are defined<br />
in article 4 of the GDPR as follows:<br />
<br />
. "Controller: the natural or legal person, public authority,<br />
agency or other body which, alone or jointly with others, determines the purposes and means of the<br />
processing; where the purposes and means of such processing are determined by Union or<br />
Member State law, the controller or the specific criteria for its nomination<br />
may be provided for by Union or Member State law”.<br />
<br />
. "Processor: the natural or legal person, public authority,<br />
agency or other body which processes personal data on behalf of the<br />
controller".<br />
<br />
Article 24 of the GDPR, referring to the "Responsibility of the<br />
controller”, states the following:<br />
<br />
"1. Taking into account the nature, scope, context and purposes of processing as well as the<br />
risks of varying likelihood and severity for the rights and freedoms of natural<br />
persons, the controller shall implement appropriate technical and organisational measures<br />
in order to ensure and be able to demonstrate that processing is performed in accordance with this<br />
Regulation. Those measures shall be reviewed and updated where necessary.<br />
2. Where proportionate in relation to processing activities, the<br />
measures referred to in paragraph 1 shall include the implementation of appropriate data<br />
protection policies by the controller…”.<br />
<br />
<br />
Report 0064/2020 of the Legal Office of the AEPD has emphatically stated<br />
that "The GDPR has meant a paradigm shift when addressing the regulation of the<br />
right to the protection of personal data, which is based on the<br />
principle of "accountability" or "proactive responsibility", as indicated<br />
repeatedly by the AEPD (Report 17/2019, among many others) and included in the<br />
Explanatory Memorandum of Organic Law 3/2018, of December 5, on the Protection of<br />
Personal Data and guarantee of digital rights (LOPDGDD)”.<br />
<br />
The said report goes on to say the following:<br />
<br />
“…the criteria on how to attribute the different roles remain the same (paragraph 11),<br />
it reiterates that these are functional concepts, which are intended to assign responsibilities<br />
according to the real roles of the parties (paragraph 12), which implies that in most<br />
cases one must attend to the circumstances of the specific case (case by case),<br />
based on their actual activities rather than the formal designation of an actor as<br />
"controller" or "processor" (for example, in a contract), as well as autonomous concepts,<br />
whose interpretation must be carried out under the European regulations on the protection of<br />
personal data (paragraph 13), and taking into account (paragraph 24) that the need for a<br />
factual assessment also means that the role of a controller does not<br />
derive from the nature of an entity that is processing data but from its concrete<br />
activities in a specific context…”.<br />
<br />
The concepts of data controller and data processor are not formal but<br />
functional and must attend to the specific case.<br />
<br />
<br />
The controller is such from the moment it decides the purposes and<br />
means of processing, not losing that condition by the fact of leaving a certain margin<br />
of action to the processor or by not having access to the databases<br />
of the processor.<br />
<br />
This is unequivocally expressed in Guidelines 07/2020 of the European Data<br />
Protection Board (EDPB) on the concepts of controller and<br />
processor in the GDPR:<br />
<br />
“A controller is the one who determines the purposes and means of the processing,<br />
that is, the why and how of the processing. The controller must<br />
decide on both purposes and means. However, some more practical aspects of the<br />
implementation ("non-essential means") can be left to the processor.<br />
It is not necessary for the controller to actually have access to the data that is<br />
being processed in order to qualify as a controller” (the translation is ours).<br />
<br />
In the present case, it is clear that Agroxarxa is the controller of the processing of<br />
personal data that originates in the personnel selection process in which<br />
the complaining party participated, since, as defined in article 4.7 of the GDPR,<br />
it is the entity that determines the purposes and means of the processing carried out. In its<br />
condition of controller it is obliged to comply with the provisions of<br />
the transcribed article 24 of the GDPR and, especially, that related to the effective control<br />
of the “appropriate technical and organizational measures in order to guarantee and<br />
be able to demonstrate that the processing is in accordance with this Regulation”, among<br />
which are those provided in article 28 of the GDPR in relation to the<br />
processor that acts in the name and on behalf of the controller.<br />
<br />
Agroxarxa is the controller of the data processing aimed at<br />
resolving the selection process even if it does not have access to said data. In<br />
this sense, in Guidelines 07/2020 of the European Data Protection Board<br />
(EDPB) on the concepts of controller and processor in the GDPR,<br />
it is indicated that “42. It is not necessary for the controller to actually have<br />
access to the data being processed. Whoever outsources a processing<br />
activity and, in doing so, has a determining influence on the purpose and<br />
(essential) means of processing (for example, adjusting the parameters of a<br />
service in such a way as to influence whose personal data will be processed), must be<br />
considered a controller even though it will never have actual access to the data” (the<br />
translation is ours).<br />
<br />
On the other hand, the existence of a processor depends on a decision<br />
adopted by the controller, which may decide to carry out<br />
certain processing operations itself or to entrust all or part of the<br />
processing to a processor.<br />
<br />
The essence of the function of the processor is that the personal data<br />
are processed in the name and on behalf of the controller. In practice,<br />
it is the controller who determines the purpose and the means, at least the essential ones,<br />
while the processor has the function of providing services to the<br />
controller. In other words, “acting in the name and on behalf<br />
of the controller” means that the processor is<br />
serving the interest of the controller in carrying out a specific<br />
task and, therefore, follows the instructions established by it, at least<br />
regarding the purpose and the essential means of the processing entrusted.<br />
<br />
The controller is the one who has the obligation to guarantee the application<br />
of data protection regulations and the protection of the rights of the<br />
data subjects, as well as being able to prove it (articles 5.2, 24, 28 and 32 of the GDPR).<br />
The control of compliance with the law extends throughout the processing,<br />
from the beginning to the end. The controller must act, in<br />
any case, in a diligent, conscious, committed and active way.<br />
<br />
This mandate of the legislator is independent of whether the processing is carried out<br />
directly by the controller or is carried out using a<br />
processor.<br />
<br />
In addition, the processing carried out materially by a processor on<br />
behalf of the controller belongs to the sphere of action of the<br />
latter, in the same way as if it did it directly itself. The processor,<br />
in the case examined, is an extension of the controller,<br />
and may only carry out processing on documented instructions<br />
of the controller, unless required to do so by Union law or by<br />
a Member State, which is not the case (Article 29 of the GDPR).<br />
<br />
Therefore, the controller must establish clear modalities for<br />
said assistance and give precise instructions to the processor on how<br />
to comply with them adequately, document it previously through a contract or<br />
another (binding) agreement, and verify at all times the development of<br />
contract compliance in the manner established therein.<br />
<br />
The processor will only be held fully liable when it is<br />
fully responsible for the damages caused in terms of the rights and<br />
freedoms of the affected parties.<br />
<br />
In establishing the liability of the processor for the commission of<br />
infringements of the GDPR, its article 28.10 also follows the criterion of the determination<br />
of the purposes and means of processing. Pursuant to this article, if the processor<br />
determines the purposes and means of processing it will be considered the controller for it:<br />
<br />
“10. Without prejudice to the provisions of articles 82, 83 and 84, if a processor<br />
infringes this Regulation by determining the purposes and means of processing, the processor shall be<br />
considered to be a controller in respect of that processing”.<br />
<br />
In the present case, the correct legal classification under the GDPR of THOMAS<br />
INTERNATIONAL SYSTEMS is that of processor, since it acts in the<br />
name and on behalf of Agroxarxa.<br />
<br />
However, the proceedings have revealed that THOMAS<br />
INTERNATIONAL SYSTEMS performs, for its own benefit, processing of the data<br />
of the candidates for the position offered by Agroxarxa or, in general, by<br />
any other client. Regarding this processing, THOMAS INTERNATIONAL<br />
SYSTEMS determines the means and purposes and holds the status of<br />
controller, according to the provisions of the aforementioned article 28.10 of the GDPR.<br />
<br />
When carrying out the behavioral surveys commissioned by Agroxarxa, the entity<br />
THOMAS INTERNATIONAL SYSTEMS includes a "Questionnaire" to be<br />
completed by the applicants for the job, through which the<br />
interested parties are asked for personal data related to sex, year of birth, disability, ethnicity,<br />
mother tongue, educational level, current employment status, sector in which they currently<br />
work, current role, current level of command, level of job happiness (on a<br />
scale from 1 to 7), rating of their work (on a scale from 1 to 7), description of the<br />
disability (text field) and leadership consideration. In order to respond<br />
to each question, except for the description of the disability, a<br />
drop-down menu is shown with the options that the interested party can select (in the<br />
specific "Questionnaire" provided by the claimant the<br />
following options appear selected: Sex: “XXXXX”; Year of birth: “XXXX”; Disability:<br />
"XX"; Ethnicity: “XXXXXXXXXXXX”).<br />
<br />
It is THOMAS INTERNATIONAL SYSTEMS who decides on the collection of this<br />
personal data and its use for its own purposes (research purposes and improvement of<br />
assessments), for its own benefit. Ultimately, it is said entity that<br />
decides to carry out these personal data processing operations. This is the<br />
same as saying that THOMAS INTERNATIONAL SYSTEMS is the entity that<br />
determines why (purpose) and how (means) such personal data is processed<br />
to achieve the intended purpose.<br />
<br />
Regarding the "means of processing", Guidelines 07/2020 of the European Data<br />
Protection Board (EDPB) on the concepts of controller and<br />
processor in the GDPR, already cited, state the following:<br />
<br />
“As regards the determination of the means, a distinction can be made between<br />
essential and non-essential means. "Essential means" are traditionally and inherently<br />
reserved for the controller. While non-essential means can also<br />
be determined by the processor, the essential means must be determined by<br />
the controller. "Essential means" are means that are closely<br />
related to the purpose and scope of the processing, such as the type of personal data that<br />
are processed ("what data will be processed?"), the duration of the processing ("for how long<br />
will they be processed?"), categories of recipients ("who will have access to them?"), and categories<br />
of data subjects ("whose personal data is being processed?"). Together with the purpose of<br />
processing, the essential means are also closely related to the question of<br />
whether the processing is lawful, necessary and proportionate. "Non-essential means" refers<br />
to more practical aspects of implementation, such as choosing a particular type of<br />
software or detailed security measures, which can be left to the processor<br />
to decide” (the translation is ours).<br />
<br />
THOMAS INTERNATIONAL SYSTEMS holds the status of controller<br />
regarding the collection and use of personal data relating to<br />
ethnicity and disability to which the claim refers, as that same entity<br />
has recognized and as is accredited in the record by the documentation incorporated into the<br />
proceedings.<br />
<br />
<br />
The "Data Processing Agreement" formalized by Agroxarxa and THOMAS<br />
INTERNATIONAL SYSTEMS, referred to above, contemplates in its stipulation 4 the<br />
use of personal data as controller by THOMAS<br />
INTERNATIONAL SYSTEMS for research purposes. It is expressly stated:<br />
<br />
“Thomas may act as a data controller in relation to the Personal Data<br />
of the Company and such processing may be carried out solely for the Permitted<br />
Research Purposes."<br />
<br />
Likewise, the Privacy Policy available on the web "***URL.1" includes the<br />
following information:<br />
<br />
"2.5 Do we use personal data in our research?<br />
We are committed to continually improving our assessments. To do this, we ask<br />
candidates to provide us with additional information, such as age group, educational level,<br />
ethnicity and similar matters. Providing this information is voluntary and is not<br />
necessary to complete an assessment.<br />
When we process any of this personal data for research, we do so as<br />
data controller.<br />
Any personal information provided to us for research will be used exclusively<br />
for research purposes and will not be disclosed to third parties…” (Unofficial translation).<br />
<br />
This condition of controller is also deduced from the response<br />
provided by THOMAS INTERNATIONAL SYSTEMS to the Inspection Services of<br />
this Agency, when it states that data on ethnic origin and disability do not form<br />
part of the psychometric evaluation nor do they affect the results obtained by the<br />
candidate in their evaluation; and that said information is used by the “Thomas<br />
International Sciences” team to ensure that their psychometric assessment tools<br />
are designed in such a way that they do not discriminate against the people evaluated.<br />
<br />
With this response, said entity provided a copy of the "Questionnaire" whose<br />
completion it requests from the interested parties (candidates for the position offered) and the<br />
prior information. In this information the form is referred to as the<br />
"Thomas Research Questionnaire" and it is warned that the data will be used for<br />
research purposes, to improve their assessments.<br />
<br />
On the other hand, the entity Agroxarxa has reported that it does not collect data on ethnicity and<br />
disability, that these data are not collected by THOMAS INTERNATIONAL<br />
SYSTEMS for Agroxarxa nor is it provided with the answers contained in the form<br />
in question. Likewise, it has declared that THOMAS INTERNATIONAL SYSTEMS<br />
uses the same form for all its clients.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS, in its allegations at the opening of the<br />
procedure, has not disputed the previous arguments, which were already set out in<br />
said opening agreement.<br />
<br />
IV.<br />
<br />
Personal data related to ethnicity and disability, by its nature, belongs to<br />
<br />
special categories of data, regulated in article 9 of the GDPR, which establishes<br />
a general prohibition of its treatment. This article provides the following:<br />
<br />
“Processing of special categories of personal data<br />
<br />
1. The processing of personal data that reveals ethnic or racial origin, the<br />
<br />
political opinions, religious or philosophical convictions, or trade union membership, and the<br />
treatment of genetic data, biometric data aimed at uniquely identifying a person<br />
natural person, data relating to health or data relating to sexual life or sexual orientation<br />
of a physical person.<br />
<br />
2. Section 1 shall not apply when one of the following circumstances occurs:<br />
<br />
a) the interested party gave his explicit consent for the processing of said personal data<br />
for one or more of the specified purposes, except where the law of the Union or of the<br />
<br />
Member States provide that the prohibition referred to in paragraph 1 cannot be<br />
raised by the interested party;<br />
b) the treatment is necessary for the fulfillment of obligations and the exercise of rights<br />
specific to the person responsible for the treatment or the interested party in the field of labor law and<br />
security and social protection, to the extent that it is authorized by Union Law or<br />
of the Member States or a collective agreement under the law of the Member States<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 23/42<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
members that establish adequate guarantees of respect for fundamental rights and<br />
the interests of the interested party;<br />
c) the processing is necessary to protect vital interests of the data subject or of another person<br />
physically, in the event that the interested party is not able, physically or legally, to give his/her<br />
consent;<br />
<br />
d) the treatment is carried out, within the scope of its legitimate activities and with the due<br />
guarantees, by a foundation, an association or any other non-profit organization, whose<br />
purpose is political, philosophical, religious or trade union, provided that the treatment refers to<br />
exclusively to current or former members of such bodies or to persons who<br />
maintain regular contact with them in relation to their purposes and provided that the data<br />
personal data are not communicated outside of them without the consent of the interested parties;<br />
<br />
e) processing relates to personal data which are manifestly made public by the data<br />
subject;<br />
f) processing is necessary for the establishment, exercise or defence of legal claims or<br />
whenever courts are acting in their judicial capacity;<br />
g) processing is necessary for reasons of substantial public interest, on the basis of<br />
Union or Member State law, which shall be proportionate to the aim<br />
pursued, respect the essence of the right to data protection and provide for suitable<br />
and specific measures to safeguard the fundamental rights and the interests of the data subject;<br />
h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the<br />
working capacity of the employee, medical diagnosis, the provision of health or social<br />
care or treatment, or the management of health or social care systems and services, on<br />
the basis of Union or Member State law or pursuant to a contract with a<br />
health professional and subject to the conditions and safeguards referred to in paragraph<br />
3;<br />
i) processing is necessary for reasons of public interest in the area of public health,<br />
such as protecting against serious cross-border threats to health, or ensuring<br />
high standards of quality and safety of health care and of medicinal products or<br />
medical devices, on the basis of Union or Member State law which<br />
provides for suitable and specific measures to safeguard the rights and freedoms of the<br />
data subject, in particular professional secrecy;<br />
j) processing is necessary for archiving purposes in the public interest, scientific or<br />
historical research purposes or statistical purposes, in accordance with Article 89(1), on the<br />
basis of Union or Member State law, which shall be proportionate to the aim<br />
pursued, respect the essence of the right to data protection and provide for suitable<br />
and specific measures to safeguard the fundamental rights and the interests of the data subject.<br />
<br />
<br />
3. Personal data referred to in paragraph 1 may be processed for the purposes referred to in<br />
paragraph 2, letter h), when those data are processed by or under the responsibility of a professional<br />
subject to the obligation of professional secrecy under Union or Member State law<br />
or rules established by national competent bodies, or by another person also subject<br />
to an obligation of secrecy under Union or Member State law or rules established by<br />
national competent bodies.<br />
<br />
4. Member States may maintain or introduce further conditions, including<br />
limitations, with regard to the processing of genetic data, biometric data or data concerning<br />
health”.<br />
<br />
<br />
In general, this provision prohibits the processing of<br />
special categories of data, unless such processing can be covered by<br />
one of the exceptions regulated in article 9.2 of the GDPR.<br />
<br />
<br />
Thus, a general prohibition is established on the processing of personal data that<br />
reveal ethnic or racial origin and of health-related data, such as those relating to<br />
the disability of the person (Recital 35 and article 4.15 of the GDPR); and<br />
section 2 of that article regulates the exceptions that lift said prohibition, some of them<br />
on the basis of Union or Member State law, which must<br />
incorporate into its own rules the adequate guarantees so that the right to<br />
data protection is respected, must also respect the principle of proportionality and<br />
must establish adequate and specific measures to safeguard the fundamental rights<br />
and interests of the persons affected.<br />
<br />
<br />
Specifically, for the processing of special categories of data that is<br />
necessary for the scientific research purposes referred to in letter j) of the aforementioned<br />
article 9.2 of the GDPR, the controller must necessarily rely on a specific<br />
legal norm that covers it and, in addition, comply with the aforementioned principles and establish<br />
additional guarantees that safeguard the rights of the affected persons.<br />
<br />
In relation to the processing of personal data related to health, the seventeenth<br />
additional provision of the LOPDGDD establishes that the processing operations<br />
regulated in the laws that it lists are covered by letters g), h), i) and j) of the<br />
aforementioned article 9.2 of the GDPR; among those laws is the consolidated text of the<br />
General Law on the rights of people with disabilities and their social inclusion,<br />
approved by Royal Legislative Decree 1/2013 of November 29. Nonetheless, this<br />
does not rule out those data processing operations that are carried out in application of<br />
norms other than those indicated in the aforementioned additional provision.<br />
<br />
<br />
Article 89 of the GDPR expressly refers to "Safeguards and derogations relating to<br />
processing for archiving purposes in the public interest, scientific or historical<br />
research purposes or statistical purposes”:<br />
<br />
1. Processing for archiving purposes in the public interest, scientific or historical research<br />
purposes or statistical purposes shall be subject to appropriate safeguards, in accordance with this<br />
Regulation, for the rights and freedoms of the data subject. Those safeguards shall ensure that<br />
technical and organisational measures are in place, in particular in order to ensure respect for the<br />
principle of data minimisation. Those measures may include<br />
pseudonymisation, provided that those purposes can be fulfilled in that manner. Where<br />
those purposes can be fulfilled by further processing which does not permit or no longer permits<br />
the identification of data subjects, those purposes shall be fulfilled in that manner.<br />
<br />
(…)”.<br />
<br />
<br />
The GDPR sets out the principles relating to processing in its article 5: lawfulness, fairness and<br />
transparency; purpose limitation; data minimisation; accuracy; storage<br />
limitation; and integrity and confidentiality.<br />
<br />
On the other hand, once the general prohibition has been lifted under<br />
article 9.2 of the GDPR, in order to legitimise the processing of special category data<br />
it is necessary to resort to the grounds of article 6 of the same Regulation. This was indicated by<br />
the Article 29 Working Party (whose functions have been assumed by the European<br />
Data Protection Board) in its "Guidelines on automated individual decision-making<br />
and profiling for the purposes of Regulation 2016/679”, adopted on 10/03/2017 and<br />
revised on 02/06/2018, stating that “Controllers can only process special category<br />
personal data if they can meet one of the conditions set out in Article 9(2), as well as<br />
a condition from Article 6”.<br />
<br />
Article 6 of the GDPR establishes the grounds on which the processing of<br />
data is considered lawful:<br />
<br />
"Article 6. Lawfulness of processing<br />
<br />
<br />
1. Processing shall be lawful only if at least one of the following applies:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data for one or<br />
more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject is party<br />
or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
d) processing is necessary in order to protect the vital interests of the data subject or of another<br />
natural person;<br />
e) processing is necessary for the performance of a task carried out in the public interest<br />
or in the exercise of official authority vested in the controller;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by<br />
the interests or fundamental rights and freedoms of the data subject which<br />
require protection of personal data, in particular where the data subject is a child.<br />
<br />
Point f) of the first subparagraph shall not apply to processing carried out by<br />
public authorities in the performance of their tasks.<br />
<br />
<br />
2. Member States may maintain or introduce more specific provisions to<br />
adapt the application of the rules of this Regulation with regard to processing for<br />
compliance with paragraph 1, letters c) and e), by determining more precisely specific<br />
requirements for the processing and other measures to ensure lawful and fair processing, including<br />
for other specific processing situations as provided for in Chapter IX.<br />
<br />
<br />
3. The basis for the processing referred to in paragraph 1, letters c) and e), shall be laid down by:<br />
<br />
a) Union law, or<br />
b) Member State law to which the controller is subject.<br />
<br />
<br />
The purpose of the processing shall be determined in that legal basis or, as regards<br />
the processing referred to in paragraph 1, letter e), shall be necessary for the performance of<br />
a task carried out in the public interest or in the exercise of official authority vested in the<br />
controller. That legal basis may contain specific provisions to<br />
adapt the application of the rules of this Regulation, inter alia: the general conditions<br />
governing the lawfulness of processing by the controller; the types of data<br />
which are subject to the processing; the data subjects concerned; the entities to which the personal<br />
data may be disclosed and the purposes of such disclosure; the purpose limitation; storage<br />
periods; and processing operations and processing procedures,<br />
including measures to ensure lawful and fair processing, such as those for<br />
other specific processing situations as provided for in Chapter IX. The Union or<br />
the Member State law shall meet an objective of public interest and be proportionate to the<br />
legitimate aim pursued.<br />
<br />
<br />
4. Where the processing for a purpose other than that for which the personal data have been<br />
collected is not based on the data subject's consent or on a Union or<br />
Member State law which constitutes a necessary and proportionate measure in a<br />
democratic society to safeguard the objectives referred to in article 23, paragraph 1, the<br />
controller shall, in order to ascertain whether processing for another purpose is<br />
compatible with the purpose for which the personal data are initially collected, take into<br />
account, inter alia:<br />
<br />
<br />
a) any link between the purposes for which the personal data have been collected and<br />
the purposes of the intended further processing;<br />
b) the context in which the personal data have been collected, in particular regarding<br />
the relationship between data subjects and the controller;<br />
c) the nature of the personal data, in particular whether special categories<br />
of personal data are processed, pursuant to article 9, or whether personal data related to criminal<br />
convictions and offences are processed, pursuant to article 10;<br />
d) the possible consequences of the intended further processing for data subjects;<br />
<br />
e) the existence of appropriate safeguards, which may include encryption or pseudonymisation”.<br />
<br />
<br />
V<br />
<br />
<br />
In the present case, THOMAS INTERNATIONAL SYSTEMS processes<br />
data related to ethnicity and disability, so that we are faced with<br />
processing of special categories of personal data that is subject<br />
to the general rule of prohibition established in article 9.1 of the GDPR.<br />
<br />
<br />
On the other hand, it does not appear from the proceedings, nor has it been justified by the<br />
entity THOMAS INTERNATIONAL SYSTEMS, that any of the<br />
circumstances or exceptions established in section 2 of said article, which<br />
lift the prohibition on processing such personal data, applies.<br />
<br />
<br />
The aforementioned entity considers the exception provided for in article 9.2.j) applicable,<br />
considering that those data on ethnicity and disability are processed<br />
for scientific research purposes, and devotes its allegations to justifying the necessity<br />
and proportionality of that processing and the additional guarantees established to<br />
respect the right to data protection of the affected persons, among them, those<br />
regarding the security, technical and organisational measures implemented, the non-<br />
communication of data to third parties, and compliance with the principles of<br />
purpose limitation, minimisation, storage limitation and accuracy of the data.<br />
<br />
<br />
However, THOMAS INTERNATIONAL SYSTEMS does not invoke any legal norm<br />
that covers such data processing, in the context in which it is carried out, in<br />
such a way that the basic premise established in article 9.2.j) of the<br />
GDPR is met, according to which the processing of special category data for the purpose of<br />
scientific research must be carried out “on the basis of Union or Member<br />
State law, which must be proportionate to the aim pursued, respect the essence of<br />
the right to data protection and establish suitable and specific measures<br />
to protect the interests and fundamental rights of the data subject”.<br />
<br />
<br />
In this regard, the aforementioned entity has limited itself to stating that it complies with the<br />
international psychometric standards recommended by the European Federation of<br />
Psychologists' Associations (FEAP), the International Testing Commission (ITC) or the<br />
Association of Business Psychology, which do not constitute norms "of Union or<br />
Member State law".<br />
<br />
This requirement cannot be satisfied, as THOMAS INTERNATIONAL<br />
SYSTEMS claims, by the establishment of the guarantees referred to in its letter of<br />
allegations or by compliance with the principles relating to processing, nor by the<br />
measures that it claims to have taken as a result of this case, with which it has sought to<br />
improve the information offered to the data subjects and mitigate the possible harm with<br />
new risk assessments.<br />
<br />
<br />
Nor is the legal basis that legitimises the processing of these<br />
data in accordance with the provisions of article 6 of the GDPR apparent, nor does THOMAS<br />
INTERNACIONAL SYSTEMS clearly inform the data subjects in this regard. The<br />
information contained in the Privacy Policy in relation to this aspect is<br />
generic, limiting itself to listing the types of legal basis, but without<br />
specifying which of them corresponds to the specific processing operations carried out:<br />
<br />
“2.6 In case we are responsible for data processing: What legal basis<br />
do we have to use your personal data?<br />
<br />
<br />
We will only collect, use and share your personal data if we are convinced<br />
that we have an adequate legal basis for it. Based on the variety of<br />
services we provide, we may rely on one of the following legal bases for the<br />
processing of your data:<br />
. you have consented to the use of your personal data;<br />
. the use we make of your personal data is in our legitimate interest as a<br />
business organisation; in these cases, we will process your information at all times in a<br />
manner that is proportionate and respectful of your right to privacy. You will also have the right to<br />
object to the processing, as explained in section 7;<br />
. the use of your personal data is necessary to perform a contract or take steps to<br />
enter into a contract with you; or<br />
. our use of your personal data is necessary to comply with a legal obligation or<br />
relevant regulatory…” (Unofficial translation).<br />
<br />
The processing of data that is the object of the proceedings is not necessary for the<br />
performance of the contractual relationship that THOMAS INTERNATIONAL SYSTEMS<br />
enters into with its clients as a service provider, since said processing<br />
is carried out outside said commercial relationship, for the exclusive benefit of THOMAS<br />
INTERNATIONAL SYSTEMS; nor does it respond to the fulfilment of a legal<br />
obligation; nor is a legitimate interest invoked that prevails over the fundamental rights and<br />
freedoms of the data subjects.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS has only stated in this regard that<br />
ethnicity and disability data were collected on a voluntary and optional basis,<br />
offering the data subject the option not to respond.<br />
<br />
From this, it seems to follow that the legal basis invoked by this entity to<br />
legitimise the data processing that it carries out is the consent of the data subjects.<br />
<br />
<br />
However, in relation to the processing of personal data relating to ethnicity and<br />
disability, the giving of valid consent by the data subjects has not been<br />
justified.<br />
<br />
It is true that the information offered prior to completing the<br />
form warns data subjects that "participation is entirely voluntary and<br />
you may choose to skip any question you do not want to answer”; and that after<br />
the informative text the buttons "I do not agree" and "Next" are included.<br />
In addition, the dropdown of answers that is shown for each of the<br />
questions also includes the option "I prefer not to answer".<br />
<br />
<br />
But there is no mechanism that allows the data subject to give their<br />
consent, and the mere completion of the form, in this case, cannot<br />
be accepted as the giving of such consent.<br />
<br />
<br />
In accordance with the provisions of article 9.2.a) of the GDPR, consent to the<br />
processing of special categories of personal data must be “explicit”, so<br />
that a mere affirmative action from which it can be<br />
concluded that the data subject consents to the processing is not sufficient; rather, there must be<br />
formal proof of the giving of said consent, a declaration or<br />
express confirmation of consent.<br />
<br />
The most obvious way would be to make a written statement, although in the<br />
digital or online environment forms can be enabled that could imply valid<br />
explicit consent: filling in an electronic form, sending an email that<br />
contains the consent, using an electronic signature or uploading a scanned document<br />
with a handwritten signature. Similarly, in the case of web pages, this<br />
explicit consent could be collected by inserting some boxes with the options<br />
to accept and not accept, together with a text referring to the consent that is clear to<br />
the data subject.<br />
<br />
This is how the European Data Protection Board understands it in the document<br />
"Guidelines 05/2020 on consent under Regulation 2016/679",<br />
updating the guidelines on consent adopted by the Article 29<br />
Working Party on 11/28/2017, revised and approved on 04/10/2018:<br />
<br />
“91. Explicit consent is required in certain situations where there is a<br />
serious risk in relation to data protection and in which it is considered appropriate that<br />
there is a high level of control over personal data. Under the GDPR,<br />
explicit consent plays an important role in article 9 on the processing of<br />
special categories of personal data…<br />
<br />
92. The GDPR prescribes that a “statement or clear affirmative action” is a prerequisite for<br />
“regular” consent. As the “regular” consent requirement in the GDPR has already<br />
been raised to a higher standard compared to the consent requirement<br />
in Directive 95/46/EC, it needs to be clarified what extra efforts a<br />
controller should undertake in order to obtain the explicit consent of a<br />
data subject in line with the GDPR.<br />
<br />
93. The term explicit refers to the way consent is expressed by the data subject.<br />
It means that the data subject must give an express statement of consent. An<br />
obvious way to make sure consent is explicit would be to expressly confirm<br />
consent in a written statement. Where appropriate, the controller<br />
could make sure the written statement is signed by the data subject, in order to remove<br />
all possible doubt and potential lack of evidence in the future.<br />
<br />
<br />
94. However, such a signed statement is not the only way to obtain explicit<br />
consent, and it cannot be said that the GDPR prescribes written and signed statements in all<br />
circumstances that require valid explicit consent. For example, in the digital<br />
or online context, a data subject may be able to issue the required statement by filling in an<br />
electronic form, by sending an email, by uploading a scanned document carrying his or her signature, or<br />
by using an electronic signature. In theory, the use of oral statements can also be<br />
sufficiently expressive to obtain valid explicit consent; however,<br />
it may be difficult for the controller to prove that all the conditions for valid explicit<br />
consent were met when the statement was recorded”.<br />
<br />
<br />
Nor are the other requirements that give validity to consent met, according to the<br />
definition contained in article 4 of the GDPR:<br />
<br />
“Article 4 Definitions<br />
<br />
For the purposes of this Regulation, the following shall be understood as:<br />
11. "consent of the data subject": any freely given, specific, informed and unambiguous<br />
indication of the data subject's wishes by which he or she, by a statement or by a clear<br />
affirmative action, signifies agreement to the processing of personal data relating to him or her”.<br />
<br />
In relation to the giving of consent, the provisions of article 6 of the GDPR<br />
and of articles 7 of the GDPR and 7 of the LOPDGDD must be taken into account.<br />
<br />
Article 7 "Conditions for consent" of the GDPR:<br />
<br />
<br />
"1. Where processing is based on consent, the controller shall<br />
be able to demonstrate that the data subject has consented to processing of his or her personal data”.<br />
<br />
Article 6 "Processing based on the consent of the affected party" of the LOPDGDD:<br />
<br />
<br />
"1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,<br />
the consent of the affected person is understood to be any freely given, specific,<br />
informed and unambiguous indication of will by which he or she accepts, either by means of a statement or a clear<br />
affirmative action, the processing of personal data concerning him or her.<br />
2. When it is intended to base the processing of the data on the consent of the affected party<br />
for a plurality of purposes, it will be necessary to state in a specific and unequivocal way<br />
that said consent is granted for all of them.<br />
3. The performance of the contract may not be made conditional on the affected party consenting to the processing of<br />
personal data for purposes that are not related to the maintenance, development<br />
or control of the contractual relationship”.<br />
<br />
Consent is understood as a clear affirmative act that reflects a<br />
freely given, specific, informed and unambiguous indication of the data subject's will to<br />
accept the processing of personal data concerning him or her, provided with<br />
sufficient guarantees to prove that the data subject is aware of the fact that<br />
they are giving their consent and of the extent to which they do so. And it must be given for all<br />
processing activities carried out for the same purpose or purposes, so that,<br />
where processing is for multiple purposes, consent must be given for all of<br />
them in a specific and unequivocal manner, without the performance of the<br />
contract being made conditional on the affected party consenting to the processing of their personal data for<br />
purposes that are not related to the maintenance, development or control of the<br />
business relationship. In this regard, the lawfulness of the processing requires that the data subject be<br />
informed about the purposes for which the data are intended (informed<br />
consent).<br />
<br />
<br />
Consent must be given freely. It is understood that consent<br />
is not free when the data subject does not have a genuine or free choice or cannot<br />
refuse or withdraw consent without detriment; or when it is not<br />
possible to authorise separately the different data processing operations<br />
despite this being appropriate in the specific case, or when the performance of a<br />
contract or provision of a service is made dependent on consent, even when it<br />
is not necessary for such performance. This occurs when consent is<br />
included as a non-negotiable part of the general conditions or when<br />
the obligation is imposed to agree to the use of additional personal data beyond<br />
those strictly necessary.<br />
<br />
Without these conditions, the giving of consent would not offer the data subject<br />
true control over their personal data and their use, and this would make the<br />
processing activity unlawful.<br />
<br />
The European Data Protection Board analysed these issues in its document<br />
"Guidelines 05/2020 on consent in accordance with Regulation 2016/679", of<br />
05/04/2020. From what is indicated in this document, it is now of interest to highlight some<br />
aspects related to the validity of consent, specifically regarding the<br />
“specific”, “informed” and “unambiguous” elements:<br />
<br />
<br />
“3.2. Expression of specific will<br />
Article 6(1)(a) confirms that the consent of the data subject in relation to the<br />
processing of their data must be given "for one or more specific purposes" and that a data subject<br />
has a choice in relation to each of them. The requirement that consent<br />
must be "specific" aims to ensure a degree of user control and transparency for the<br />
data subject. This requirement has not been changed by the GDPR and remains closely<br />
linked to the requirement of "informed" consent. At the same time, it must be interpreted<br />
in line with the requirement for "granularity" to obtain "free" consent. In sum,<br />
to comply with the element of "specific", the controller must apply:<br />
<br />
i) purpose specification as a safeguard against function creep,<br />
ii) granularity in consent requests, and<br />
iii) clear separation of information related to obtaining consent<br />
for data processing activities from information about other matters.<br />
<br />
<br />
(…)<br />
<br />
“3.3. Expression of informed will<br />
The GDPR reinforces the requirement that consent must be informed. In accordance<br />
with article 5 of the GDPR, the requirement of transparency is one of the fundamental<br />
principles, closely related to the principles of fairness and lawfulness. Providing<br />
information to data subjects before obtaining their consent is essential so that they can<br />
make informed decisions, understand what they are agreeing to, and, for example,<br />
exercise their right to withdraw their consent. If the controller does not provide accessible<br />
information, user control will be illusory and consent will not constitute a valid basis<br />
for processing.<br />
If the requirements for informed consent are not met, the consent will not<br />
be valid and the controller may be in breach of article 6 of the GDPR.<br />
<br />
<br />
3.3.1. Minimum content requirements for consent to be "informed"<br />
For consent to be informed, it is necessary to communicate to the data subject certain<br />
elements that are crucial to make a choice. Therefore, WP29 is of the opinion that at<br />
least the following information is required to obtain valid consent:<br />
i) the identity of the controller,<br />
ii) the purpose of each of the processing operations for which consent is<br />
sought,<br />
iii) what (type of) data will be collected and used,<br />
iv) the existence of the right to withdraw consent,<br />
<br />
v) information on the use of data for automated decision-making in accordance with<br />
Article 22(2)(c), where relevant, and<br />
vi) information on the possible risks of data transfers due to the absence of<br />
an adequacy decision and of appropriate safeguards, as described in article<br />
46”.<br />
<br />
In the case under examination, there is no evidence of the giving of<br />
valid consent on the part of the data subjects that covers the processing of<br />
personal data that is the object of the complaint. This entity does not even report<br />
duly on this data processing, on its purpose and legal basis or on the<br />
right to withdraw consent, where appropriate, in accordance with the provisions of<br />
article 13 of the GDPR; nor has it established any mechanism for data subjects to<br />
be able to give explicit consent.<br />
<br />
Regarding the information, it should be noted that only the Privacy Policy<br />
of the British parent of the Group, Thomas International Ltd., is presented, in the<br />
English language, and that it does not duly inform about the legal basis of the processing and the<br />
purpose of the processing, which is described simply by referring to<br />
research purposes.<br />
<br />
Finally, the entity THOMAS INTERNACIONAL SYSTEMS has not contributed<br />
sufficient elements to determine compliance with the<br />
proportionality test required by the Constitutional Court, so that<br />
it could be concluded whether the processing is suitable for the proposed purpose, whether it<br />
is necessary or not, or whether there are alternative, less intrusive measures.<br />
<br />
In this sense, the Constitutional Court has indicated (Judgment 14/2003, of 28<br />
January) that "to verify whether a measure restricting a fundamental right<br />
passes the proportionality test, it is necessary to verify whether it complies with the three<br />
following requirements or conditions: whether such a measure is likely to achieve the<br />
proposed objective (suitability test); whether, moreover, it is necessary, in the sense<br />
that there is no other more moderate measure for the achievement of said purpose with<br />
equal efficacy (necessity test); and, finally, whether it is weighted or<br />
balanced, because more benefits or advantages for the general interest derive from it than<br />
harm to other goods or values in conflict (proportionality test in the<br />
strict sense)".<br />
<br />
<br />
In this regard, the principle of minimum intervention must be taken into account (art. 5.1.c)<br />
and art. 25.1 GDPR), since it is necessary to prove that there is no other more<br />
moderate measure to achieve the intended purpose with equal effectiveness, within the<br />
framework of the accountability of the data controller.<br />
<br />
<br />
Therefore, from the facts and legal grounds set forth, it follows that THOMAS<br />
INTERNATIONAL SYSTEMS carries out processing of special categories of personal data<br />
against the prohibition established in Article 9 of the GDPR, without any of the<br />
exceptions provided for to lift that prohibition being applicable. This breach of<br />
Article 9 of the GDPR gives rise to the application of the corrective powers that<br />
Article 58 of the Regulation grants the Spanish Data Protection Agency.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 32/42<br />
<br />
<br />
<br />
VI<br />
<br />
THOMAS INTERNATIONAL SYSTEMS has argued that there is no punishable infringement<br />
in the absence of intent in the act or omission that causes said infringement, adding<br />
that it has had a proactive attitude and has complied with its obligations.<br />
<br />
In this regard, it should be noted, first of all, that the incident occurs within the<br />
scope of responsibility of THOMAS INTERNATIONAL SYSTEMS and this entity must answer<br />
for it. In no way can it be considered that the alleged lack of intent excludes its<br />
responsibility, especially when the infringement could have been avoided by exercising<br />
greater diligence. In this case, the offence committed is incompatible with the<br />
diligence that said entity is obliged to observe.<br />
<br />
<br />
This diligence must be shown in the specific case under analysis, and not in the<br />
general circumstances that the entity alleges to justify a proactive approach, which<br />
cannot be taken as circumstances that prevent the responsibilities deriving from the<br />
specific irregular conduct from being demanded.<br />
<br />
<br />
Accepting the approach put forward by THOMAS INTERNATIONAL SYSTEMS in its<br />
allegations would amount to admitting that the application of the GDPR and the<br />
LOPDGDD, distorting the entire system established on the lawfulness of the<br />
processing of personal data.<br />
<br />
It should be remembered, on the other hand, that the offence may be committed intentionally or<br />
negligently. The National Court, in its Judgment of September 21, 2004 (RCA<br />
937/2003), rules in the following terms:<br />
<br />
<br />
"Furthermore, as regards the application of the principle of culpability, it follows (following the criterion of<br />
this Chamber in other Judgments such as the one dated January 21, 2004 issued in appeal<br />
1139/2001) that the commission of the offence provided for in article 44.3.d) can be both<br />
intentional and negligent... because although in sanctioning matters the principle of culpability governs,<br />
as can be inferred from the simple reading of Article 130 of Law 30/1992, the truth is that the expression<br />
"simple non-observance" of Art. 130.1 of Law 30/1992 allows the imposition of the sanction, without<br />
doubt in intentional cases, and also in negligent cases, the non-observance of the<br />
duty of care being sufficient”.<br />
<br />
Along the same lines, the SAN of January 21, 2010 is worth mentioning, in which the Court<br />
states:<br />
<br />
<br />
“The appellant also maintains that there is no culpability in her actions. While it is<br />
true that the principle of culpability prevents the admission of strict liability in<br />
administrative sanctioning law, it is also true that the absence of<br />
intentionality is secondary since this type of infringement is normally committed<br />
through negligent or careless action, which is enough to constitute the subjective element<br />
of culpability. XXX's conduct is clearly negligent because... it must know... the<br />
obligations imposed by the LOPD on all those who handle personal data of third parties.<br />
XXX is obliged to guarantee the fundamental right to the protection of personal data<br />
of its clients and potential clients with the intensity required by the content of that<br />
right".<br />
<br />
The principle of culpability is required in sanctioning proceedings, and thus STC<br />
246/1991 considers liability without fault inadmissible in the field of administrative<br />
sanctioning law. But the principle of culpability does not imply that only an<br />
intentional or voluntary action can be punished, and in this regard article 28<br />
of Law 40/2015 on the Legal Regime of the Public Sector, under the heading<br />
"Responsibility", provides the following:<br />
<br />
"1. Only natural and legal persons, as well as, when a Law recognizes their capacity to act,<br />
affected groups, unions and entities without legal personality and independent or<br />
autonomous estates, may be sanctioned for acts constituting an administrative offence,<br />
when they are responsible for them by way of intent or negligence".<br />
<br />
The facts set forth in the preceding Ground show that THOMAS INTERNATIONAL SYSTEMS<br />
did not act with the diligence to which it was obliged, but acted with a lack of<br />
diligence. The Supreme Court (Judgments of 16 and 22 April 1991) considers that from<br />
the element of culpability it follows “...that the action or omission, classified as an<br />
administratively punishable infringement, must be, in all cases, attributable to its<br />
author, due to intent or imprudence, negligence or inexcusable ignorance". The same<br />
Court reasons that "the invocation of the absence of culpability is not enough... for<br />
exculpation against typically unlawful conduct", but that it is necessary "that the<br />
diligence that was required by the person claiming its non-existence” (STS<br />
January 23, 1998).<br />
<br />
Also connected to the degree of diligence that the data controller is obliged to<br />
deploy in complying with the obligations imposed by data protection regulations, the<br />
SAN of 10/17/2007 (Rec. 63/2006) can be cited, which specified: "(...) the Supreme Court<br />
has been understanding that there is imprudence whenever a legal duty of care is<br />
neglected, that is, when the offender does not behave with the required diligence”.<br />
<br />
<br />
In addition, the National Court, in matters of personal data protection, has declared<br />
that "simple negligence or breach of the duties that the Law imposes on those<br />
responsible for files or data processing to be extremely diligent..." (SAN 06/29/2001).<br />
<br />
<br />
It is therefore concluded, contrary to what was objected to by the defendant entity, that the<br />
subjective element is present in the declared infringement.<br />
<br />
<br />
VII<br />
<br />
<br />
In the event of an infringement of the provisions of the GDPR, among the corrective<br />
powers available to the Spanish Data Protection Agency as supervisory authority,<br />
article 58.2 of said Regulation contemplates the following:<br />
<br />
"2. Each supervisory authority shall have all of the following corrective powers:<br />
<br />
(…)<br />
b) to issue a warning to any controller or processor where processing operations have<br />
infringed the provisions of this Regulation;<br />
(...)<br />
d) to order the controller or processor to bring processing operations into compliance<br />
with the provisions of this Regulation, where appropriate, in a specified manner and<br />
within a specified period;<br />
(…)<br />
i) to impose an administrative fine pursuant to article 83, in addition to, or instead of,<br />
the measures referred to in this paragraph, depending on the circumstances of each<br />
individual case;".<br />
<br />
According to the provisions of article 83.2 of the GDPR, the measure provided for in letter d)<br />
above is compatible with the sanction consisting of an administrative fine.<br />
<br />
<br />
VIII<br />
<br />
<br />
It is considered that the facts set out infringe the provisions of article 9 of the<br />
GDPR, which implies the commission of an infringement classified in section 5.a) of<br />
Article 83 of the GDPR.<br />
<br />
<br />
Article 83.5.a) of the GDPR, under the heading "General conditions for the<br />
imposition of administrative fines" provides the following:<br />
<br />
"5. Infringements of the following provisions shall be subject, in accordance with<br />
paragraph 2, to administrative fines of up to EUR 20,000,000 or, in the case of an<br />
undertaking, up to 4% of the total annual turnover of the preceding financial year,<br />
whichever is higher:<br />
<br />
a) the basic principles for processing, including the conditions for consent, pursuant<br />
to articles 5, 6, 7 and 9”.<br />
<br />
<br />
On the other hand, Article 71 of the LOPDGDD considers as an infringement any<br />
breach of this Organic Law:<br />
<br />
"Infringements are the acts and conducts referred to in sections 4, 5 and 6 of<br />
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this<br />
Organic Law".<br />
<br />
Section 1.e) of article 72 of the LOPDGDD considers, as “very serious”, for the purposes<br />
of prescription:<br />
<br />
<br />
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the<br />
infringements that entail a substantial violation of the articles mentioned therein are<br />
considered very serious and will prescribe after three years, in particular the following:<br />
<br />
e) The processing of personal data of the categories referred to in article 9 of<br />
Regulation (EU) 2016/679, without the occurrence of any of the circumstances provided for in said<br />
precept and in article 9 of this Organic Law."<br />
<br />
<br />
In order to determine the administrative fine to be imposed, the provisions of<br />
articles 83.1 and 83.2 of the GDPR must be observed, precepts that state:<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of administrative fines<br />
pursuant to this article in respect of infringements of this Regulation referred to in<br />
paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.<br />
<br />
2. Administrative fines shall, depending on the circumstances of each individual case, be<br />
imposed in addition to, or instead of, the measures referred to in article 58,<br />
paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative<br />
fine and its amount, in each individual case due account shall be taken of:<br />
a) the nature, seriousness and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing operation in question as well as the number<br />
of interested parties affected and the level of damage they have suffered;<br />
b) intentionality or negligence in the infringement;<br />
c) any measure taken by the controller or processor to alleviate the damage and losses<br />
suffered by the interested parties;<br />
d) the degree of responsibility of the controller or processor, taking into account the<br />
technical or organizational measures that they have applied by virtue of articles 25<br />
and 32;<br />
e) any previous infringement committed by the controller or processor;<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
g) the categories of personal data affected by the infringement;<br />
h) the way in which the supervisory authority became aware of the infringement, in<br />
particular whether the controller or processor notified the infringement and, if so,<br />
to what extent;<br />
i) where the measures indicated in article 58, paragraph 2, have previously been<br />
ordered against the controller or processor in relation to the same matter,<br />
compliance with said measures;<br />
j) adherence to codes of conduct under article 40 or to certification mechanisms<br />
approved in accordance with article 42, and<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as financial benefits obtained or losses avoided, directly or indirectly, through<br />
the infringement.”<br />
<br />
For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD<br />
provides:<br />
<br />
<br />
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU)<br />
2016/679 will be applied taking into account the graduation criteria established in<br />
section 2 of said article.<br />
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the<br />
following may also be taken into account:<br />
<br />
a) The continuing nature of the infringement.<br />
b) The link between the offender's activity and the processing of personal data.<br />
c) The benefits obtained as a consequence of the commission of the infringement.<br />
d) The possibility that the conduct of the affected party could have led to the commission of the<br />
infringement.<br />
e) The existence of a merger by absorption subsequent to the commission of the infringement,<br />
which cannot be attributed to the absorbing entity.<br />
f) The effect on the rights of minors.<br />
g) Having, when not mandatory, a data protection officer.<br />
h) The voluntary submission by the controller or processor to alternative dispute<br />
resolution mechanisms, in those cases in which there are disputes between them and<br />
any interested party”.<br />
<br />
<br />
Regarding the infringement of article 9 of the GDPR, based on the facts set out, it is<br />
considered that the sanction to be imposed is an administrative fine.<br />
<br />
The fine imposed must be, in each individual case, effective, proportionate and<br />
dissuasive, in accordance with the provisions of article 83.1 of the GDPR. Thus, the<br />
status of small business and the turnover of THOMAS INTERNATIONAL SYSTEMS are<br />
considered from the outset (it is recorded in the proceedings that said entity (…)).<br />
<br />
<br />
In accordance with the precepts indicated, for the purpose of setting the amount of the sanction to<br />
be imposed in the present case, the following criteria are considered applicable:<br />
<br />
The following graduation criteria are considered to concur as aggravating factors:<br />
<br />
<br />
. Article 83.2.a) of the GDPR: "a) the nature, seriousness and duration of the<br />
infringement, taking into account the nature, scope or purpose of the processing<br />
operation in question as well as the number of interested parties affected and the<br />
level of damage they have suffered”.<br />
<br />
<br />
. The nature and seriousness of the infringement, taking into account that the interested<br />
party does not clearly know the entity responsible for the processing nor the use that<br />
will be made of the personal data, which affects the ability of the interested party to<br />
exercise true control over their personal data.<br />
<br />
. In relation to the duration of the infringement, it is recorded in the proceedings that the<br />
Privacy Policy that covers the personal data processing actions the entity carries out,<br />
including those that are the subject of this procedure, is dated 07/03/2019.<br />
<br />
. The number of interested parties: the infringement affects all the interested parties who<br />
are evaluated by the entity THOMAS INTERNATIONAL SYSTEMS.<br />
<br />
<br />
. The damage suffered by the interested parties: taking into account all the<br />
circumstances set out, it is clear that the interested parties have seen increased<br />
risks to their privacy.<br />
<br />
<br />
. Article 83.2.b) of the GDPR: "b) intentionality or negligence in the infringement".<br />
<br />
The negligence observed in the commission of the infringement. In this respect, account<br />
has been taken of what was declared in the National Court Judgment of 10/17/2007 (rec.<br />
63/2006) which, on the basis that these are entities whose activity is coupled with<br />
continuous data processing, indicates that "...the Supreme Court has been understanding<br />
that imprudence exists whenever a legal duty of care is neglected, that is, when the<br />
offender does not behave with the required diligence. And in assessing the degree of<br />
diligence, special consideration must be given to the professionalism or otherwise of the<br />
subject, and there is no doubt that, in the case now examined, when the appellant's<br />
activity involves the constant and copious handling of personal data, rigour and<br />
exquisite care in complying with the legal provisions in this regard must be insisted<br />
upon”.<br />
<br />
It is a company that carries out personal data processing in a systematic and<br />
continuous manner in the workplace, and one that should take extreme care in complying<br />
with its data protection obligations.<br />
<br />
<br />
. Article 83.2.d) of the GDPR: "d) the degree of responsibility of the controller or the<br />
processor, taking into account the technical or organizational measures<br />
that they have applied by virtue of articles 25 and 32”.<br />
<br />
The accused entity does not have adequate procedures in place for the collection and<br />
processing of personal data, as regards data relating to ethnicity and disability, so<br />
the offence is not the consequence of an anomaly in the operation of said procedures<br />
but of a defect in the personal data management system designed by the controller on<br />
its own initiative.<br />
<br />
<br />
. Article 76.2.b) of the LOPDGDD: "b) The link between the offender's activity<br />
and the processing of personal data”.<br />
<br />
The strong link between the activity of the offender and the performance of personal<br />
data processing. The level of establishment of the Group to which THOMAS<br />
INTERNATIONAL SYSTEMS belongs and the activity it carries out. This circumstance<br />
determines a greater degree of demand and professionalism and, consequently, of<br />
responsibility of said entity in relation to data processing.<br />
<br />
<br />
Considering the factors set out, the amount of the fine for the infringement of<br />
article 9 of the GDPR is set at 50,000 euros (fifty thousand euros).<br />
<br />
THOMAS INTERNATIONAL SYSTEMS, in its statement of allegations at the opening of the<br />
procedure, has not made any statement on the graduation criteria set out, which were<br />
set out in said agreement with the same breadth and detail.<br />
<br />
However, it has requested that, instead of sanctioning with an administrative fine, a<br />
warning be issued, considering that it has taken additional measures to avoid any<br />
incident, such as appointing a new data protection officer, carrying out a new risk<br />
analysis and impact assessment, and drafting new information clauses on the processing<br />
involved in the "Questionnaire", in addition to reinforcing the information and<br />
training of its staff.<br />
<br />
In support of its approach, it cites various precedents handled by this Agency, which<br />
are mentioned in the Eighth Antecedent, in which the proceedings were resolved, or a<br />
warning issued, in accordance with the regulatory adjustment carried out by the<br />
responsible entity.<br />
<br />
THOMAS INTERNATIONAL SYSTEMS highlights the actions taken by the party complained<br />
against in the precedents it cites, among them the suspension of the website<br />
involved in the facts, the updating of the data protection information offered to the<br />
interested parties, the improvement of the mechanisms for granting consent by ticking<br />
a box, the appointment of a data protection officer, or the absence of any previous<br />
infringement by the party complained against.<br />
<br />
<br />
Finally, it highlights that it has a proactive attitude; that all its staff are duly<br />
trained; that its activity has not caused damage to the rights of the interested parties,<br />
who have not made any complaint, nor has there been any incident or security breach to<br />
date; and that, upon learning of the matter, it initiated a review of its protocols,<br />
analyses and assessments, and proceeded to appoint proven specialists in the field.<br />
<br />
<br />
In response to these allegations, it is reiterated that, in this case, considering the<br />
seriousness of the verified infringement, the imposition of a fine is appropriate, in<br />
addition to the adoption of measures. The request made by THOMAS INTERNATIONAL SYSTEMS<br />
to apply other corrective powers that would have allowed the correction of the irregular<br />
situation, such as the warning, cannot be accepted; the warning is provided, in general,<br />
for natural persons and for cases where the sanction would constitute a disproportionate<br />
burden (recital 148 of the GDPR).<br />
<br />
In addition, THOMAS INTERNATIONAL SYSTEMS has not justified, or even mentioned, what<br />
the similarities are between the present case and the factual circumstances examined in<br />
the precedents it invokes.<br />
<br />
In any case, it should be noted that the measures adopted are insufficient for the<br />
intended effects, since they do not restore the rights of the interested parties.<br />
THOMAS INTERNATIONAL SYSTEMS has not in any way raised the cessation of the conduct<br />
that violates the legal system.<br />
<br />
Nor can the measures that said entity has adopted be assessed as a mitigating factor.<br />
These measures are not adequate to "remedy the infringement and mitigate the possible<br />
adverse effects of the infringement”, in the terms of article 83.2.f) of the GDPR, or<br />
"to alleviate the damages suffered by the interested parties" as a consequence of the<br />
infringement, according to section 2.c) of the same Article. Mitigating the adverse<br />
effects or alleviating the damage caused by the infringements implies restoring the<br />
rights of the interested parties, which in this case entails deleting the ethnicity and<br />
disability data collected from the interested parties and suspending their collection.<br />
<br />
On the other hand, none of the grading factors considered is attenuated by the fact<br />
that the entity THOMAS INTERNATIONAL SYSTEMS has not previously been subject to a<br />
sanctioning procedure.<br />
<br />
In this regard, the Judgment of the AN of 05/05/2021, rec. 1437/2020, indicates:<br />
<br />
<br />
"It considers, on the other hand, that the non-commission of a previous infringement.<br />
Well, article 83.2 of the GDPR establishes that, for the imposition of the administrative<br />
fine, account must be taken of, among others, the circumstance "e) any infringement<br />
committed by the controller or processor". It is an aggravating circumstance; the fact<br />
that the precondition for its application does not exist means that it cannot be taken<br />
into consideration, but it does not imply or allow, as the plaintiff claims, its<br />
application as a mitigating factor.”<br />
<br />
<br />
According to the aforementioned article 83.2 of the GDPR, when deciding whether to impose<br />
an administrative fine and its amount, account must be taken of "any previous infringement<br />
committed by the controller." It is a normative provision that does not include the absence<br />
of previous infringements as a factor for grading the fine, and which must be understood<br />
as a criterion close to recidivism, although broader.<br />
<br />
<br />
Nor can it be accepted that there has been no damage to the rights of the interested<br />
parties, since they have seen an increased risk to their privacy.<br />
<br />
<br />
<br />
IX<br />
<br />
If the infringement is confirmed, the controller could be ordered to adopt appropriate<br />
measures to adjust its conduct to the regulations mentioned in this act, in accordance<br />
with the provisions of the aforementioned article 58.2.d) of the GDPR, according to<br />
which each supervisory authority may "order the controller or processor to bring<br />
processing operations into compliance with the provisions of this Regulation, where<br />
appropriate, in a specified manner and within a specified period…”.<br />
<br />
This act establishes the offence committed and the facts that give rise to the<br />
violation of data protection regulations, from which the measures to be adopted can be<br />
clearly inferred, notwithstanding that the choice of the specific procedures, mechanisms<br />
or instruments to implement them corresponds to the sanctioned party, since it is the<br />
controller who fully knows its organization and has to decide, on the basis of<br />
accountability and a risk-based approach, how to comply with the GDPR and the LOPDGDD.<br />
<br />
However, in this case, regardless of the foregoing, it is proposed that, in the<br />
resolution adopted, this Agency require the responsible entity to accredit, within the<br />
period to be determined, that it has proceeded to delete from the "Questionnaire" the<br />
collection of personal data relating to the ethnicity and disability of those affected,<br />
as well as to cease using those previously collected.<br />
<br />
It is noted that failure to comply with the requirements of this body may be considered<br />
a serious administrative infringement for "not cooperating with the supervisory<br />
authority" in response to the requirements made, and such conduct may be assessed at<br />
the time of opening an administrative sanctioning procedure with a pecuniary fine.<br />
<br />
<br />
<br />
In view of the foregoing, the following is issued<br />
<br />
<br />
PROPOSED RESOLUTION<br />
<br />
<br />
<br />
FIRST: That the Director of the Spanish Data Protection Agency sanction<br />
THOMAS INTERNATIONAL SYSTEMS, S.A., with NIF A81603391, for a breach of Article 9 of<br />
the GDPR, typified in Article 83.5.a) of the GDPR and classified as very serious for the<br />
purposes of prescription in article 72.1.e) of the LOPDGDD, with a fine of 50,000 euros<br />
(fifty thousand euros).<br />
<br />
SECOND: That the Director of the Spanish Data Protection Agency order THOMAS<br />
INTERNATIONAL SYSTEMS, S.A., within the period to be determined, to adopt the necessary<br />
measures to adapt its conduct to the personal data protection regulations, with the<br />
scope expressed in Legal Ground IX of this proposed resolution.<br />
<br />
Likewise, in accordance with the provisions of article 85.2 of the LPACAP, you are<br />
informed that you may, at any time prior to the resolution of this procedure, make<br />
voluntary payment of the proposed sanction, which will entail a 20% reduction of its<br />
amount. With the application of this reduction, the sanction would be set at 40,000<br />
euros (forty thousand euros), and its payment will imply the termination of the<br />
procedure. The effectiveness of this reduction will be conditional on the withdrawal of,<br />
or waiver of, any action or appeal through administrative channels against the sanction.<br />
<br />
Should you choose to make voluntary payment of the amount specified above, in<br />
accordance with the provisions of the aforementioned article 85.2, you must do so by<br />
depositing it in restricted account no. ES00 0000 0000 0000 0000 0000 opened in the name<br />
of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the<br />
payment reference the procedure number that appears in the heading of this document<br />
and the reason: voluntary payment, reduction of the amount of the sanction. You must<br />
also send the proof of payment to the Sub-Directorate General of Inspection so that<br />
the file can be closed.<br />
<br />
By virtue of this, you are notified of the foregoing, and the procedure is made<br />
available to you so that within TEN DAYS you may allege whatever you consider<br />
appropriate in your defence and present the documents and information that you deem<br />
pertinent, in accordance with Article 89.2 of the LPACAP.<br />
926-050522<br />
B.B.B.<br />
INSTRUCTOR<br />
>><br />
<br />
<br />
<br />
<br />
SECOND: On November 18, 2022, the party complained against proceeded to pay the penalty<br />
in the amount of 40,000 euros, making use of the reduction provided for in the<br />
proposed resolution transcribed above.<br />
<br />
<br />
THIRD: The payment made entails the waiver of any action or appeal through<br />
administrative channels against the sanction, in relation to the facts referred to in<br />
the proposed resolution.<br />
<br />
FOURTH: In the previously transcribed proposed resolution, the acts constituting an<br />
infringement were established, and it was proposed that the Director order the<br />
controller to adopt appropriate measures to adjust its conduct to the regulations, in<br />
accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according<br />
to which each supervisory authority may "order the controller or processor to bring<br />
processing operations into compliance with the provisions of this Regulation, where<br />
appropriate, in a specified manner and within a specified period…”.<br />
<br />
LEGAL GROUNDS<br />
I<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants to each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data<br />
Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions<br />
issued in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on Administrative Procedure<br />
Common for Public Administrations (hereinafter, LPACAP), under the heading<br />
"Termination in disciplinary proceedings" provides the following:<br />
<br />
<br />
"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or it is possible to impose a<br />
<br />
pecuniary sanction and another of a non-pecuniary nature but the<br />
inappropriateness of the second has been justified, voluntary payment by the presumed offender at<br />
any moment prior to the resolution will imply the termination of the procedure,<br />
except in relation to the replacement of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the offence.<br />
<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
competent body to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
<br />
of the procedure and their effectiveness will be conditional on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased<br />
according to regulations."<br />
<br />
<br />
According to what has been indicated, the Director of the Spanish Agency for the Protection of<br />
Data RESOLVES:<br />
<br />
FIRST: DECLARE the termination of procedure PS/00214/2022, in<br />
<br />
in accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: REQUIRE THOMAS INTERNATIONAL SYSTEMS, S.A. to notify the Agency,<br />
within one month, of the adoption of the measures described<br />
in the legal grounds of the proposed resolution transcribed in this<br />
<br />
resolution.<br />
<br />
THIRD: NOTIFY this resolution to THOMAS INTERNATIONAL<br />
SYSTEMS, S.A.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
<br />
of Public Administrations, interested parties may file a contentious-administrative<br />
appeal before the Contentious-Administrative Chamber of the<br />
National High Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
1331-281122<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202102778&diff=30402AEPD (Spain) - EXP2021027782023-01-17T15:04:01Z<p>Teresa.lopez: Links added</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00508-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00508-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=04.11.2021<br />
|Date_Decided=<br />
|Date_Published=10.01.2023<br />
|Year=<br />
|Fine=24,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=FACTOR ENERGIA, S.A.<br />
|Party_Link_1=https://www.factorenergia.com/es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA fined a controller €24,000 for lack of legitimate basis when processing a data subject's personal data for direct postal marketing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject received an advertising message by post from Factor Energía, S.A. (the controller), in which they were addressed by their full name, and were given a personalised recommendation based on the characteristics of their energy supply point and consumption habits.<br />
<br />
Since the controller was not the data subject's energy provider, they contacted the company to request information on the processing of their data. After the period given by [[Article 12 GDPR#3|Article 12(3) GDPR]] had elapsed, the controller informed the data subject that their data had been obtained from the database that electricity and natural gas distribution companies make available to marketing companies so that they can make offers on the market (the SIPS, or Supply Point Information System).<br />
<br />
The data subject contacted the entity that manages the Supply Point Information System, the Spanish National Markets and Competition Commission. This entity assured the data subject that the current legislation prohibits marketers from accessing any information that directly identifies the holder of the supply point.<br />
<br />
After enquiries from the Spanish Data Protection Authority, the controller stated that the reply to the data subject had been delayed due to a computer virus attack which had encrypted its systems. Moreover, the controller indicated that the first answer given to the data subject had been provided by a trainee, since the request was received during the holiday period. On this basis, the controller justified the following changes to its reply: the personal data relating to name, surname and postal address were obtained from publicly accessible sources, although the controller was unable to specify the source as a result of the computer virus; the data relating to the technical conditions of the supply point were lawfully obtained from the SIPS; and the consumption data provided to the data subject were estimations not reflecting their real consumption habits, but an aggregated value based on their postal code.<br />
<br />
According to the information provided to the DPA, the controller based the processing of the data on its legitimate interest (customer acquisition and an increase of its visibility in the market). The controller also shared the legitimate interest assessment, in which it argued that the data subject's rights did not prevail due to the low impact of the means used (post) and the little or no effect on their legal sphere.<br />
<br />
=== Holding ===<br />
The Data Protection Authority held that the controller had violated [[Article 6 GDPR#1|Article 6(1) GDPR]] since the legitimate interest assessment on which the processing was based was understood as insufficient, therefore not being able to rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis.<br />
<br />
Contrary to the controller's position, the DPA held that the rights of the data subject prevailed over the controller's interests on several grounds.<br />
<br />
First, the DPA noted that the alleged additional safeguards were not an additional layer of protection provided by the controller, but simply protections already mandatory by data protection law. <br />
<br />
Second, the DPA rejected the controller's argument that postal marketing was less invasive than cold calling. The Authority pointed out that with cold calling the data subject may believe that the caller does not have their identification data, whereas the receipt of a postal communication that identifies them gives the data subject the certainty that the sender of the communication has such data. Furthermore, uncertainty arises in the data subject as to what the source of their data may have been, which leads to doubt about their power of disposal over the data.<br />
<br />
Third, the DPA found that postal marketing being a habitual practice in the industry was an insufficient basis to establish a reasonable expectation on the part of the data subject. The Authority recalled its own [https://www.aepd.es/documento/2018-0173.pdf report 2018/0173], which analyses the legitimacy of direct marketing actions in both electronic and non-electronic media. This report concluded that, even if the data subject has previously been a customer, the criterion for sending commercial communications is restrictive (limited to the products contracted). This applies even more so where the person has not been a customer (as in the present case).<br />
<br />
Fourth, the DPA rejected the controller's argument that the nature of the data processed (contact details) was an indicator of the prevalence of the company's legitimate interest. In this sense, the Authority quoted [https://www.dataprotection.ro/servlet/ViewDocument?id=1086 ART29WP's 06/2014 Opinion]: "''In general, the more sensitive the information involved, the more consequences there may be for the data subject. This, however, does not mean that data that may in and of themselves seem innocuous, can be freely processed based on [[Article 7 GDPR|Article 7(f) GDPR]]. Indeed, even such data, depending on the way they are processed, can have significant impact on individuals (...)''". <br />
<br />
Fifth, the controller argued that there was no other less intrusive method by which the legitimate interest could be achieved. The DPA disagreed, stating that the letter could have been sent without including the personal data.<br />
<br />
Finally, the Data Protection Authority noted the existence of a situation of imbalance between the data subject (consumer) and the controller (electricity supply company).<br />
<br />
For these reasons, the DPA held that the infringement in question was serious for the purposes of the GDPR and that the sanction to be imposed should be graduated with the aggravating factors of negligence ([[Article 83 GDPR#2b|Article 83(2)(b) GDPR]]), since the controller could not identify the publicly accessible source of the personal data, and of the link between the controller's activity and the processing of personal data ([[Article 76(1)(b) Spanish Data Protection Law]]). The DPA initially contemplated a €40,000 fine, but offered two grounds for reduction: the possibility of voluntary payment of the fine and the acknowledgment of guilt. The controller invoked both and finally paid €24,000.<br />
<br />
== Comment ==<br />
The Spanish Data Protection Authority did not reflect on other grounds of infringement found in this case, such as the lack of a reply within the due period, the data breach, etc., which could potentially have led to fines in their own right.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202102778<br />
<br />
<br />
RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY<br />
PAYMENT<br />
<br />
In the procedure instructed by the Spanish Data Protection Agency, and on the basis<br />
<br />
of the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On October 31, 2022, the Director of the Spanish Agency for<br />
Data Protection agreed to start a sanctioning procedure against FACTOR ENERGÍA,<br />
<br />
S.A. (hereinafter, the claimed party), through the transcribed Agreement:<br />
<br />
<<<br />
<br />
File No.: EXP202102778<br />
<br />
<br />
<br />
AGREEMENT TO START THE SANCTION PROCEDURE<br />
<br />
In the actions carried out by the Spanish Data Protection Agency and on the<br />
<br />
basis of the following<br />
<br />
FACTS<br />
<br />
FIRST: A.A.A. (hereinafter, the claiming party) on August 16, 2021<br />
filed a claim with the Spanish Data Protection Agency. The<br />
<br />
claim is directed against FACTOR ENERGÍA, S.A. with NIF A61893871 (hereinafter,<br />
FACTOR ENERGIA). The reasons on which the claim is based are the<br />
following:<br />
<br />
- The claimant has received an advertising message by post, from<br />
<br />
FACTOR ENERGIA, in which they address him by his first and last name and make him a<br />
personalized recommendation based on the characteristics of his supply point<br />
and his consumption habits.<br />
- Considering that the advertising company is unlawfully processing his data,<br />
since he has no relationship with it, the affected person has contacted<br />
<br />
it to request information, and its Data Protection Officer<br />
has answered that the data come from the Supply Point Information<br />
System (SIPS). This, as they have explained, is the database that the<br />
distribution companies of electricity and natural gas make available to the<br />
trading companies, for the purpose of being able to make offers in the market.<br />
- As it has been able to find out from the Internet, the complaining party explains that the<br />
<br />
SIPS is regulated by Royal Decree 1435/2002 and the exchange of information<br />
that takes place in its context is managed by the National Markets and<br />
Competition Commission (CNMC). This body has assured the data subject in writing that it does not<br />
have data available on electricity users since, on the 27th of<br />
November 2015, Royal Decree 1074/2015 was approved, which modified different<br />
provisions in the electricity sector. Said decree incorporated the prohibition that the<br />
trading companies and the CNMC could access any information that<br />
<br />
directly identify the owner of the supply point.<br />
- The complaining party continues to believe that unlawful processing of his personal data<br />
is taking place. Either the company is getting the data from another source, or<br />
it is extracting them from the SIPS, but if so, not even his distribution company should<br />
provide these data, nor should the CNMC consult them, nor should the other<br />
distribution companies be able to access them for any processing, much<br />
<br />
less for commercial actions.<br />
<br />
Along with the claim the following is provided:<br />
- Front of a commercial communication sent by FACTORENERGIA, with its<br />
translation into Spanish, in which there are red boxes that<br />
<br />
would correspond to anonymised data.<br />
- Email sent from the address DPO@factorenergia.com that includes<br />
a spreadsheet with anonymised data.<br />
- Email that the claimant sent to the National Markets and Competition Commission,<br />
and the response from its Data Protection Officer, from the address dpd@cnmc.es<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights<br />
(hereinafter LOPDGDD), said claim was forwarded to FACTOR ENERGIA,<br />
so that it could analyse it and inform this Agency, within a month,<br />
of the actions carried out to adapt to the requirements established in the<br />
<br />
data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public<br />
Administrations (hereinafter, LPACAP), was collected on 10/04/2021, as stated in the<br />
<br />
acknowledgment of receipt in the file.<br />
<br />
On 10/05/2021, this Agency received a written response indicating that<br />
the notification with the transfer of the claim and request for information had been received, but<br />
that a copy of the claim submitted and its attached documents (if applicable) was not attached,<br />
only an extract of the relevant information from it, and that therefore<br />
<br />
the undersigned wished to exercise the right to access and obtain a complete copy of said<br />
claim, with the aim of being able to answer the request for information in the most<br />
detailed, complete and truthful way possible, verifying the identity and correct<br />
identification of the claimant, as well as the facts described in the request for<br />
information and in the claim submitted.<br />
<br />
<br />
THIRD: On November 4, 2021, in accordance with article 65 of<br />
the LOPDGDD, the claim presented by the complaining party was admitted for processing.<br />
<br />
FOURTH: The Sub-Directorate General of Data Inspection proceeded to carry out<br />
<br />
preliminary investigative actions to clarify the facts in<br />
question, by virtue of the functions assigned to the supervisory authorities in<br />
article 57.1 and the powers granted in article 58.1 of Regulation (EU)<br />
2016/679 (General Data Protection Regulation, hereinafter GDPR), and<br />
in accordance with the provisions of Title VII, Chapter I, Second Section, of the<br />
LOPDGDD, the following points having come to light:<br />
<br />
Relevant documentation provided by the claimant:<br />
- Copy of the front of a commercial communication with the letterhead of<br />
<br />
FACTOR ENERGIA. Written in Catalan, it is anonymised (it does not<br />
contain the recipient's data or any reference to the date). The complaining party<br />
provides a translation and refers to the inclusion of the following categories of<br />
data: name, surname, address of the recipient, address of the supply<br />
point. The communication recommends a type of self-consumption electrical<br />
installation (solar panels) based on "a study of your data and habits of<br />
<br />
electrical consumption".<br />
- Transcription of part of the response to the exercise of the right of access<br />
addressed by FACTOR ENERGIA to the claimant, dated August 2<br />
of 2021. Regarding the origin of the data processed, it expresses:<br />
“[…] your personal data, and specifically those related to technical conditions of your<br />
<br />
point of supply, such as the CUPS (identification number of the point of<br />
supply), access tariff, power, etc. (detailed in the attached Excel) have<br />
been obtained lawfully through the Supply Point Information<br />
System (SIPS), which is the database that distribution companies of<br />
electricity and natural gas make available to companies<br />
marketers, for the purpose of being able to make offers in the market.<br />
<br />
Regarding the consumption habits to which we refer in the commercial<br />
communication, as we indicated at the bottom of it in point 2, they are estimated<br />
and standardized data, not specifically customized according to the<br />
specific characteristics of your home or of your specific consumption habits."<br />
- Transcription of the data provided to the claimant by FACTOR<br />
ENERGIA as a response to the right of access. It is not the original<br />
<br />
spreadsheet, but rather the list of categories of data that would have been provided to him.<br />
Includes the categories name, surname, and address of the supply point,<br />
in addition to technical data (tariff, power, etc.).<br />
- Email response from the DPO of the CNMC to the claimant,<br />
dated August 16, 2021, containing the following paragraphs:<br />
"In strict compliance with the applicable regulations that you point out, the<br />
<br />
CNMC does not have data on electricity users since, on November 27,<br />
2015, Royal Decree 1074/2015 was approved, which modifies<br />
different provisions in the electricity sector. Said RD incorporated the prohibition that<br />
the trading companies and the CNMC could access any information<br />
that directly identifies the owner of the supply point. Therefore, and in the<br />
assumption that data of this type were being exchanged between companies in the<br />
<br />
sector, these data do not come in any case from the CNMC.<br />
The CNMC only has the data of end users of gas (DB of points of<br />
supply), and the marketers do obtain them legally through our<br />
body, but the use they make of them is, logically, their exclusive<br />
responsibility. However, the user may object to their data being made<br />
<br />
available to other gas trading companies, by expressly indicating this to the<br />
company that supplies them."<br />
<br />
The antecedents that appear in the information systems are the following:<br />
<br />
FACTOR ENERGIA submitted two briefs (of October 5, 2021 and of<br />
November 2021) in which it states:<br />
<br />
<br />
- That in July 2021 Mrs. B.B.B. exercised the right of access from the<br />
email address of the complaining party.<br />
<br />
- That said exercise could not be attended to normally since on June 24,<br />
<br />
2021, the computer systems of FACTOR ENERGIA were<br />
affected by a virus that caused a great impact by encrypting the company's systems and<br />
data.<br />
<br />
<br />
- That on August 2, 2021, a response to the right exercised was sent, although<br />
it states that "the person who was in charge of responding to the applicant was<br />
a trainee since the date coincided with the holiday period<br />
<br />
of the company's personnel, and that such a response suffers<br />
from a certain lack of accuracy and/or specificity".<br />
<br />
- That the personal data related to name, surname, and postal address<br />
<br />
were obtained from publicly accessible sources. It adds that it cannot specify<br />
the publicly accessible source as a result of the impact of the computer<br />
virus.<br />
<br />
<br />
- That the data relating to the technical conditions of the supply point<br />
were obtained from the SIPS. It adds that it downloads the<br />
SIPS "from the distribution companies and the CNMC periodically in its capacity as<br />
<br />
marketer and that it does not include the personal data of the applicant<br />
relating to the name and surnames or their postal address".<br />
<br />
- That it is still (as of the date of writing -November 3, 2021-)<br />
<br />
immersed in the file recovery process.<br />
<br />
In addition, it attached the following relevant documentation:<br />
<br />
- Emails exchanged on June 30, 2021 between the<br />
<br />
IT manager of FACTOR ENERGIA and INCIBE in which<br />
reference is made to the ransomware attack suffered by the entity.<br />
<br />
- Brief signed by B.B.B. exercising the right of access against FACTOR<br />
<br />
ENERGIA on July 2, 2021 from the email address of<br />
the complaining party.<br />
<br />
- Email addressed on August 2, 2021 by FACTOR ENERGIA<br />
<br />
to B.B.B. (to the email address of the complaining party) at<br />
response to the exercise of the right of access referred to in the previous point.<br />
<br />
A copy of the original in Catalan and a translation into Spanish are provided. It includes the<br />
following paragraphs:<br />
<br />
“On the other hand, we want to clarify that in no case have we carried out a<br />
precise and exact study with your data and specific consumption habits, but<br />
<br />
rather, as indicated at the bottom of the aforementioned communication (point 2),<br />
your data is estimated and standardized, not personalized or calculated<br />
according to the specific characteristics of your home, or your habits of<br />
<br />
consumption, with the understanding that our intention was to highlight<br />
the advantages offered by photovoltaic self-consumption.<br />
<br />
[…] Specifically, in relation to the art. 5.1 a) referred to, in our<br />
<br />
communication we indicated that your data have been processed lawfully,<br />
fairly and transparently at all times, since they were collected from sources to<br />
which we have access as a marketer and from sources accessible to the<br />
<br />
public, complying with the requirements demanded by the General Regulation of<br />
Data Protection (RGPD) and Organic Law 3/2018, of December 5, of<br />
<br />
Protection of Personal Data and Guarantee of Digital Rights<br />
(LOPDGDD).<br />
<br />
[...] Specifically, on our website, it is indicated within the purposes of<br />
<br />
processing of personal data with regard to "Non-customers", the purpose<br />
following: "Inform about services, promotions and products related to<br />
our activity".<br />
<br />
<br />
[…] Your personal data, and specifically those related to the technical<br />
conditions of your supply point, such as the CUPS (identification number<br />
of the supply point), access tariff, power, etc. (detailed in the<br />
<br />
attached Excel) have been legally obtained through the Supply Point<br />
Information System (SIPS), which is the database that electricity<br />
and natural gas distribution companies make available to the<br />
<br />
marketing companies, for the purpose of being able to make offers in the<br />
market.<br />
<br />
Regarding the consumption habits to which we refer in the<br />
<br />
commercial communication, as we indicate at the bottom of it in point 2,<br />
these are estimated and standardized data, not specially personalized<br />
<br />
according to the specific characteristics of your home, or your specific habits<br />
of consumption.<br />
<br />
[…] If possible, the expected retention period of the personal data,<br />
<br />
or, if not possible, the criteria used to determine this period:<br />
for as long as you do not exercise any of your rights”<br />
<br />
It also refers in this letter to the internet address<br />
<br />
www.factorenergia.com to consult the privacy policy.<br />
<br />
INVESTIGATED ENTITIES<br />
During these proceedings, the following entities have been investigated:<br />
- FACTOR ENERGIA, S.A. with NIF A61893871 with address at<br />
***ADDRESS.1 (BARCELONA)<br />
<br />
RESULT OF INVESTIGATION ACTIONS<br />
<br />
In addition to the documentation mentioned above, information is collected from the<br />
following sources:<br />
<br />
- Brief from FACTOR ENERGIA dated June 28, 2022,<br />
hereinafter Brief #1.<br />
<br />
<br />
- Brief from FACTOR ENERGIA dated July 19, 2022,<br />
hereinafter Brief #2.<br />
<br />
- Investigative measures with information relevant to these proceedings<br />
<br />
(Diligence references).<br />
<br />
On the sending of postal advertising to people who are not FACTOR ENERGIA<br />
customers<br />
<br />
<br />
FACTOR ENERGIA states (Brief #2) that sending postal communications to<br />
non-customers is not a frequent practice of the company, but is carried out "on<br />
occasions and addressed to a small number of recipients". It further states that "in<br />
<br />
most cases the data are obtained from the interested parties themselves. In<br />
a more residual manner, and to a lesser extent, commercial communications have been sent by<br />
post to non-customers whose data were obtained from publicly accessible sources without<br />
<br />
restrictions".<br />
<br />
FACTOR ENERGIA (Brief #2) specifies the conditions that must be met to<br />
use publicly accessible sources for marketing purposes:<br />
<br />
<br />
- "(1) that the recipient has not previously exercised the right of<br />
opposition".<br />
<br />
- "(2) that the sources to be consulted are updated." Regarding this<br />
point, FACTOR ENERGIA clarifies that these publicly accessible sources<br />
<br />
correspond to "repertoires or telephone directories which can be<br />
consulted by any person and without restrictions, not prevented by a<br />
<br />
limiting rule". On July 22, 2022, a letter was addressed to FACTOR<br />
ENERGIA requesting that it specify which publicly accessible sources<br />
it uses. As of the date of signing this report, no response has been received in this<br />
<br />
regard.<br />
<br />
- "(3) that the Robinson List advertising exclusion list has been consulted<br />
(to which we are subscribed) to verify that the interested party to whom the<br />
<br />
advertising will be sent does not appear in it". Regarding this, FACTOR ENERGIA points out that<br />
it consults the advertising exclusion system prior to sending and attaches<br />
(document 1 of Brief #2) a copy of the subscription invoices for<br />
Adigital's Robinson List service for 2021 and 2022.<br />
<br />
<br />
- "(4) comply with the duty of information to the affected party in accordance with the GDPR and the<br />
LOPDGDD”. Information is detailed later in this report.<br />
included in commercial communications that, in relation to the origin of<br />
<br />
personal data states that "they come from sources obtained lawfully<br />
and/or sources of public access available without restrictions”.<br />
<br />
In relation to the volume of recipients of the advertising campaign,<br />
FACTOR ENERGIA (Brief #2) states the following:<br />
<br />
"In relation to the above, it is recorded that in June 2021 an<br />
advertising campaign by post was carried out to publicize the advantages of incorporating<br />
self-consumption into the electricity supply. Within the target group there was<br />
a segment of the campaign aimed at customers (electricity supply customers,<br />
with one communication model) and another target group aimed at<br />
non-customers […]:<br />
<br />
June 2021: self-consumption advertising campaign to obtain savings on<br />
the cost of electricity.<br />
<br />
No. of recipients: 42,670 recipients (total)<br />
<br />
In relation to the foregoing, it should be noted that said campaign had as its territorial scope the<br />
autonomous community of Catalonia (not the entire national territory)."<br />
<br />
<br />
Information recorded in the Record of Processing Activities (RAT):<br />
<br />
FACTOR ENERGIA attaches (document 1 attached to Brief #1) the information included<br />
in the Record of Processing Activities (RAT) on the "Activity of management of<br />
non-customers". The record includes the following information:<br />
<br />
- Categories of personal data: name and surname, DNI/NIF, address/mail,<br />
telephone, CUPS. It includes the following annotation: "Includes all<br />
possible categories of data that it can contain according to the source or lead of<br />
contact."<br />
<br />
- Purpose: attracting new customers / managing and responding to requests for<br />
information, requests or commercial offers, budgets, etc. / reporting and<br />
sending offers about services, promotions and products related to<br />
our activity.<br />
<br />
- Legal basis: consent of the interested party / legitimate interest (provided that<br />
such interests are not overridden by the interests or the rights and freedoms<br />
of the interested party that require the protection of personal<br />
data).<br />
<br />
Legitimate interest as the legal basis for processing:<br />
<br />
In relation to the use of legitimate interest as the legal basis for the processing<br />
of the personal data of people who are not customers in order to send them<br />
advertising by post, FACTOR ENERGIA provides (document 3 attached to<br />
Brief #1) a weighting of interests report dated February 12, 2021.<br />
<br />
It includes the following paragraphs:<br />
<br />
“2.1. Evaluation of the benefit obtained by Factor Energía<br />
<br />
On the part of Factor Energía, the processing of the personal data of the interested parties<br />
(potential customers/non-customers) for the purpose of direct marketing,<br />
previously indicated, aims to reach by postal mail those<br />
non-customer interested parties in order for them to know the services offered by Factor<br />
Energía, making them interested in contracting Factor Energía as<br />
their new electricity retailer.<br />
<br />
In this sense, the benefits obtained by Factor Energía from the processing of said<br />
personal data consist of obtaining:<br />
<br />
An increase in the contracting of its services;<br />
<br />
Greater customer acquisition;<br />
<br />
An increase in visibility in the competitive market of electricity<br />
retailers.<br />
<br />
2.2. Evaluation of the interests or rights and freedoms of the interested party<br />
<br />
[…] The direct marketing action by postal mail that is intended to be carried out<br />
will be made based on personal data obtained in accordance with the applicable data<br />
protection regulations (identification data and contact data) and with standardized<br />
and anonymized data of a technical nature.<br />
<br />
In order to configure the different commercial offers, the<br />
unprotected public data obtained from the Cadastre will be used, as well as statistical<br />
and non-personal information of a technical nature obtained through the Supply Point<br />
Information System (SIPS) using the postal code of residence. In this way<br />
generic information will be obtained to make a standardized estimate of the<br />
voltage, rates and contracted power in certain geographical areas, which<br />
will allow advertising communications to be sent by postal mail, since it is<br />
considered logical and appropriate that the advertising of an electricity supplier<br />
include information on possible savings in electricity consumption.<br />
<br />
The personal data of the interested parties processed for the purpose of direct<br />
marketing refer only to the data necessary to send them the communication<br />
by postal mail (identification data and contact data).<br />
<br />
The processing will in no case have legal or similar effects on the<br />
interested party, since the purpose of direct marketing by postal mail does not affect<br />
access to services, nor the execution of a contract.<br />
<br />
Factor Energía considers that the sending of advertising communications by<br />
postal mail has a minimal impact on the interested parties, who will be<br />
impacted exclusively by one contact channel: postal mail. Said channel<br />
should be considered a less aggressive and invasive method than other channels<br />
commonly used to send advertising, such as commercial calls and/or<br />
the sending of emails. Likewise, this type of campaign is foreseen as<br />
a specific action, which may be reinforced by carrying out other<br />
similar campaigns later (after a period of at least six (6) months has elapsed<br />
from the sending of the communications of the previous campaign).<br />
<br />
In this weighting, the reasonable expectation of the<br />
interested parties regarding the processing of their personal data for this<br />
purpose has been taken into account. In this sense, we must bear in mind that it is common practice in the<br />
market to send advertising by postal mail to potential customers, and also that,<br />
in view of market practice, the interested parties are perfectly aware of<br />
the possibility that such communications may appear in their mailbox and that,<br />
in addition, they can be beneficial or provide added value to the interested parties in<br />
their role as consumers in the Spanish electricity market, since such communications<br />
may be of interest to them or adjusted to their specific needs, resulting in an<br />
improvement of their economic situation by discovering an electricity retailer that<br />
better fits their needs.<br />
<br />
Taking into account all of the aforementioned, Factor Energía does not<br />
find in our assessment any alternative method that allows us to communicate<br />
our interest in offering our services and that likewise allows us to comply with<br />
our legal obligations (informing the interested parties about the processing of their personal data)<br />
with the least impact on the interested parties.<br />
<br />
For all these reasons, it is considered that the impact that the processing has or may have on<br />
the interests, fundamental rights and freedoms of the interested parties is LOW, and would not<br />
result in adverse and negative consequences for them.<br />
<br />
2.3. Guarantees applied to the processing<br />
<br />
Factor Energía has implemented the technical and organizational measures<br />
to carry out the processing while maintaining the security standards of the Company.<br />
<br />
Among the guarantees applied directly to the processing are the following:<br />
<br />
Factor Energía has implemented the technical and organizational security<br />
measures necessary to guarantee the integrity, availability and<br />
confidentiality of the information, having also designated a Delegate<br />
<br />
of Data Protection, in compliance with the provisions of article 37<br />
of the GDPR.<br />
<br />
Communications by postal mail are sent only to interested parties who<br />
have not exercised their right of opposition and who do not appear on<br />
advertising exclusion lists (Robinson List). Those interested parties who are on<br />
advertising exclusion lists and/or have exercised their right of opposition before<br />
Factor Energía will not be recipients of advertising campaigns of any<br />
type.<br />
<br />
The commercial communications received by the interested parties allow them to exercise<br />
their right to oppose the sending of advertising, in such a way that,<br />
simply and free of charge, interested parties can inform Factor Energía that they do<br />
not wish to receive advertising from it.<br />
<br />
These campaigns are foreseen as a specific action, which may be reinforced<br />
with other similar campaigns later, once<br />
a period of at least six (6) months has elapsed from the sending of the<br />
communications of the previous campaign.<br />
<br />
Factor Energía reinforces the channels to guarantee the adequate exercise by<br />
the interested parties of the rights established in the data protection<br />
regulations, establishing both postal and electronic channels, without prejudice to<br />
the fact that, in accordance with the provisions of the data protection regulations, the<br />
interested party may exercise their rights through the channel they deem<br />
convenient.<br />
<br />
All communications contain information about the processing of their<br />
personal data in accordance with the requirements of articles 13 or 14 of the GDPR.<br />
<br />
3. Result<br />
<br />
Based on all of the above, it is determined that Factor Energía can carry out the<br />
processing consisting of the sending by postal mail of advertising communications to<br />
potential customers (direct marketing).<br />
<br />
It is a processing that will have a positive impact on Factor Energía and that,<br />
in turn, entails a low impact on the rights and freedoms of the interested parties.”<br />
<br />
The use of SIPS data:<br />
<br />
Regarding the use of SIPS data, FACTOR ENERGIA provides (document 5<br />
attached to Brief #1) a copy of the code of conduct on the processing of data<br />
included in the SIPS, dated April 24, 2019, from which the following<br />
paragraphs are extracted:<br />
<br />
"Specifically, this RD 1435/2002 contemplates the possibility that all<br />
electricity retailers access and consult the information available<br />
in the Supply Point Information System (SIPS) managed by the<br />
distributors, as reading managers, and specifically certain data contained<br />
therein. Therefore, and as can be deduced from the preamble to the aforementioned<br />
RD 1435/2002, the SIPS was configured as a tool to encourage greater<br />
competition in the retail electricity market.<br />
<br />
Subsequently, Royal Decree 1074/2015, of November 27, which<br />
modifies different provisions in the electricity sector, introduced some changes in<br />
the regulation of the electricity SIPS database, partially modifying<br />
art. 7 of Royal Decree 1435/2002, and specifically eliminating the possibility of<br />
retailers having access to certain data from the SIPS database of the<br />
distributors, and establishing the obligation of retailers to<br />
sign a code of conduct and guarantee the confidentiality of the information<br />
contained in said database.<br />
<br />
Regarding the regulation of natural gas, Royal Decree 1434/2002, of 27<br />
December, which regulates the activities of transportation, distribution,<br />
marketing, supply and authorization procedures for natural gas installations<br />
(RD 1434/2002), established in its art. 43 a similar regulation, although with some<br />
differences, RD 1434/2002 not being affected by the modifications of RD<br />
1074/2015.<br />
<br />
[…] The Company assumes the firm commitment to comply with the following<br />
obligations:<br />
<br />
[…] - Process the SIPS Data only for the purposes of the retail<br />
activity (electricity and gas, respectively), both in relation to<br />
potential customers/non-customers and customer management, regardless of their<br />
access tariff and the specific regime applicable in each case (including those covered by<br />
self-consumption in the case of electricity), not using them for a purpose other than that<br />
which justifies their assignment to the Company in its capacity as retailer by<br />
the corresponding distribution company or the CNMC.”<br />
<br />
Article 7 of Royal Decree 1435/2002, which regulates the content of the SIPS in the<br />
electricity sector, specifies the following:<br />
<br />
"1. The distribution companies must have a database referring to<br />
all the supply points connected to their networks and to the transport networks of<br />
their area, permanently complete and up-to-date, containing at least the<br />
following data:<br />
<br />
a) Universal Supply Point Code, that is, the complete “CUPS”.<br />
<br />
[…] c) Location of the supply point, which includes the full address (type of road,<br />
street name, number, floor and door). This information must refer at all<br />
times to the supply point and not to the location, town and province of the owner of<br />
said supply point that is required in letter aa) of this same article.<br />
<br />
d) Town of the supply point, which includes the name of the town and the<br />
postal code. This information must refer at all times to the supply point<br />
and not to the location, town and province of the owner of said supply point.<br />
<br />
e) Name of the province of the supply point. This information must refer<br />
at all times to the supply point and not to the location, town and province of the<br />
owner of said supply point.<br />
<br />
[...] z) Name and surnames, or where appropriate company name and corporate form, of the<br />
owner of the supply point.<br />
<br />
[…] aa) Full address of the owner of the supply point. This information must<br />
refer at all times to the owner of the supply point and not to the location,<br />
town and province of said supply point that is required in letter c) of this<br />
same article.<br />
<br />
[…] ac) Retail company that currently supplies.<br />
<br />
[…] In any case, neither the retail companies nor the National Commission for<br />
Markets and Competition may access any information that directly<br />
identifies the owner of the supply point, and in particular, the data collected in<br />
letters c), z) and aa) of section 1.<br />
<br />
Additionally, retail companies will not be able to access the information<br />
in letter ac), which is accessible to the National Commission for Markets and<br />
Competition in the exercise of its functions.”<br />
<br />
In relation to the use of electricity SIPS data in order to send<br />
commercial communications to non-customers, FACTOR ENERGIA states that it uses them<br />
to "obtain estimated and standardized data on the consumption habits of the<br />
population according to household characteristics". It clarifies that "they do not refer to<br />
personalized data or data linked to the personal data of the people to<br />
whom the commercial or advertising communication was addressed". Thus, it provides (document 8<br />
attached to Brief #1) a description of the estimation process that is carried out to<br />
adapt, together with the "installers", the offer of self-consumption<br />
(solar panel infrastructure, etc.). For this, according to this document,<br />
it uses:<br />
<br />
- The unprotected public data of the cadastre (mapping and descriptive and graphic<br />
cadastral consultation: surface area, cadastral reference, address, land class,<br />
year of construction).<br />
<br />
Examples of the information have been obtained from the publicly available<br />
electronic headquarters of the cadastre.<br />
<br />
- Non-individualized (anonymized) information from the SIPS database of<br />
the distribution company, which allows, through aggregation by postal code,<br />
an average installed power, average contracted power and<br />
estimated average annual consumption to be assigned to the supplies of a given area,<br />
according to type of supply.<br />
<br />
Article 43 of Royal Decree 1434/2002, which regulates the content of the "System of<br />
information exchange for the management of supplier switching" in the natural gas<br />
sector, specifies the following:<br />
<br />
"2. The distribution companies must have, as support for the information<br />
exchange system, a database referring to all supply points<br />
connected to their networks and to the transport networks in their area,<br />
permanently complete and updated, containing at least the following<br />
data related to the supply point:<br />
<br />
1st Supply point identification code, that is, the complete “CUPS”.<br />
<br />
[…] 3rd Location of the supply point: address, town and province, which includes<br />
the complete address (type of road, name of the road, number, floor and door), name of the<br />
town, postal code and name of the province. This information must refer<br />
at all times to the supply point and not to the location, town and province of the<br />
owner of said supply point that is required in ordinal 16 of this same<br />
section.<br />
<br />
[…] 14. Data relating to the owner of the supply point: natural person or legal<br />
person.<br />
<br />
15. Name and surname, or, where appropriate, company name and corporate form, of the<br />
owner of the supply point.<br />
<br />
16. Full address of the owner of the supply point. This information must<br />
refer at all times to the owner of the supply point and not to the location,<br />
town and province of said supply point that is required in ordinal 3 of<br />
this same section.<br />
<br />
5. Retailers registered in the corresponding section of the Administrative<br />
Registry of Distributors, Retailers and Direct Consumers in the<br />
Market, as well as the Supplier Switching Office, in accordance with the rules<br />
regulating its operation, will be able to freely access the databases<br />
of supply points of each distribution company”<br />
<br />
Thus, according to the CNMC website (see Diligence References):<br />
<br />
"However, it must be clarified that the CNMC's electricity SIPS does not contain<br />
information that identifies the owner of a supply point. This information was<br />
eliminated by Royal Decree 1074/2015, of November 27, which modifies<br />
different provisions in the electricity sector. In the second article of the aforementioned Royal<br />
Decree, a modification of article 7.2 of Royal Decree 1435/2002 was approved,<br />
including that: «In any case, neither the retail companies nor the National<br />
Commission for Markets and Competition will be able to access any information<br />
that directly identifies the owner of the supply point […]”.<br />
<br />
[…] In the field of natural gas, the SIPS accessed contains the identification<br />
of the owner of the supply point and their address.”<br />
<br />
FACTOR ENERGIA is registered in the CNMC's List of Electricity and<br />
Gas Suppliers.<br />
<br />
In relation to the duty of information to the interested party:<br />
<br />
FACTOR ENERGIA declares that it is fulfilled through the inclusion, in the<br />
advertising communication, of the following text: "In accordance with the regulations on<br />
the protection of personal data, that is, in accordance with the General Data<br />
Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the<br />
Protection of Personal Data and guarantee of digital rights (LOPDGDD),<br />
we indicate that the data comes from sources obtained lawfully and/or<br />
publicly accessible sources available without restrictions, and that this communication is made<br />
according to the admissible requirements in the indicated regulations. You can exercise your<br />
rights of access, rectification, cancellation, opposition, transparency of<br />
information, deletion, limitation and portability by contacting FACTOR ENERGIA,<br />
SA by postal mail at the address av. Diagonal, 612 Entl. 08021 Barcelona or by<br />
email to dpo@factorenergia.com. Likewise, you will have the right to direct your<br />
claims to the data protection authorities. For more information,<br />
consult our privacy policy on our website www.factorenergia.com.”<br />
It also states that its website (www.factorenergia.com) includes the<br />
privacy policy (document 4 attached to Brief #1). It contains sections with<br />
information on: details of the controller and contact of the DPO; purposes of the<br />
processing; legal bases of the processing; recipients; possibility of<br />
exercising rights and filing a claim with the AEPD; retention periods;<br />
additional information (indication of implementation of security measures and guarantees<br />
with the processors of article 28 of the GDPR).<br />
<br />
Regarding the specific case that is the object of the claim,<br />
FACTOR ENERGIA (Brief #1) states that the personal data of the<br />
claimant that appear in its systems are: name and surname; postal address.<br />
It reiterates that the origin of these data is "public sources, without our being able to date<br />
to accurately identify their exact traceability”. It states that the period of<br />
data retention is one year, although "in this case they are<br />
blocked and are only kept by virtue of having responded to the<br />
previous request related to the file referenced in the margin, and without the company<br />
carrying out or intending to carry out any other processing of said data.”<br />
<br />
As previously seen, FACTOR ENERGIA states that it also has<br />
the technical data of the supply points extracted from the SIPS (article 7 of Royal<br />
Decree 1435/2002), which it periodically downloads from the distribution companies. With<br />
them, as has been seen, it obtains "estimated and standardized data on the<br />
consumption habits of the population according to the characteristics of the households" that "do not refer<br />
to personalized data or data linked to the personal data of the people<br />
to whom the commercial or advertising communication was directed".<br />
<br />
In relation to compliance with the duty of information, FACTOR ENERGIA provides<br />
(document 7 attached to Brief #1) what it states would be the reverse of the<br />
communication provided by the complaining party, which includes the paragraph cited<br />
previously (translation into Spanish of the original in Catalan):<br />
<br />
"In accordance with the personal data protection regulations, that<br />
is, in accordance with the General Data Protection Regulation (RGPD) and<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of<br />
digital rights (LOPDGDD), we indicate that the data comes from sources<br />
lawfully obtained and/or publicly accessible sources available without restriction, and<br />
that this communication is carried out according to the admissible requirements in the indicated<br />
regulations. You can exercise your rights of access, rectification, cancellation,<br />
opposition, transparency of information, deletion, limitation and portability<br />
by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal,<br />
612 Int. 08021 Barcelona or by email at dpo@factorenergia.com.<br />
Likewise, you will have the right to direct your claims to the data<br />
protection authorities. For more information see our privacy policy at<br />
our website www.factorenergia.com.”<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data<br />
Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
Article 6 of the GDPR, Lawfulness of processing, establishes in point 1 that:<br />
<br />
"1. Processing will only be lawful if at least one of the following<br />
conditions is fulfilled:<br />
a) the interested party gave their consent for the processing of their personal data<br />
for one or more specific purposes;<br />
b) the processing is necessary for the performance of a contract to which the<br />
interested party is a party or for the application, at the request of the latter, of<br />
pre-contractual measures;<br />
c) the processing is necessary for compliance with a legal obligation<br />
applicable to the data controller;<br />
d) the processing is necessary to protect vital interests of the data subject or<br />
of another natural person;<br />
e) the processing is necessary for the fulfillment of a mission carried out in the<br />
public interest or in the exercise of public powers conferred on the data<br />
controller;<br />
f) the processing is necessary for the satisfaction of legitimate interests<br />
pursued by the data controller or by a third party, provided that<br />
such interests are not overridden by the interests or the rights and freedoms<br />
of the interested party that require the protection of personal data,<br />
in particular when the interested party is a child.<br />
<br />
The provisions of letter f) of the first paragraph shall not apply to the<br />
processing carried out by public authorities in the exercise of their<br />
functions.”<br />
<br />
On the other hand, article 4 of the GDPR, Definitions, in its sections 1, 2 and 11,<br />
notes that:<br />
<br />
“1) "personal data" means any information about an identified or identifiable<br />
natural person ("the data subject"); an identifiable natural person shall be considered<br />
any person whose identity can be determined, directly or indirectly, in<br />
particular by means of an identifier, such as a name, an identification<br />
number, location data, an online identifier, or one or more<br />
elements of the physical, physiological, genetic, psychological,<br />
economic, cultural or social identity of said person;“<br />
<br />
2) "processing": any operation or set of operations carried out<br />
on personal data or sets of personal data, either by<br />
automated procedures or not, such as the collection, recording, organization,<br />
structuring, storage, adaptation or modification, retrieval, consultation,<br />
use, communication by transmission, dissemination or any other form of<br />
enabling access, alignment or interconnection, restriction, erasure or<br />
destruction;“<br />
<br />
11) "consent of the interested party": any freely given, specific, informed<br />
and unambiguous indication of will by which the interested party accepts, either<br />
<br />
by means of a declaration or a clear affirmative action, the processing of<br />
personal data concerning them."<br />
<br />
<br />
In the present case, in order to analyze the validity of this legitimizing basis, each of<br />
the elements that concur in it must be examined in order to prove the<br />
lawfulness of the processing. For this, the criteria established in<br />
Opinion 06/2014, of April 9, on the notion of legitimate interests of the<br />
data controller under Article 7 of Directive<br />
95/46/EC, of the Article 29 Working Party (hereinafter, Opinion 06/2014), should be taken into account.<br />
<br />
<br />
1. Legitimate interest of the controller<br />
<br />
Recital 47 of the GDPR establishes the following:<br />
<br />
“The legitimate interest of a data controller, including that of a controller<br />
to which personal data may be communicated, or that of a third party, may constitute a<br />
legal basis for the processing, provided that the interests or the<br />
rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations<br />
of the data subjects based on their relationship with the controller. Such legitimate interest<br />
could occur, for example, when there is a relevant and appropriate relationship between the<br />
data subject and the controller, such as in situations where the data subject is a customer or<br />
is at the service of the controller. In any case, the existence of a legitimate interest<br />
would require careful evaluation, including whether a data subject can reasonably<br />
foresee, at the time and in the context of the collection of personal data, that<br />
processing may take place for this purpose. In particular, the interests and fundamental<br />
rights of the data subject could prevail over the interests of the<br />
controller when personal data are processed in<br />
circumstances in which the data subject does not reasonably expect<br />
further processing. Since it is for the legislator to establish by law the legal basis<br />
for the processing of personal data by public authorities,<br />
this legal basis should not apply to processing carried out by public<br />
authorities in the exercise of their functions. The processing of personal data<br />
strictly necessary for the prevention of fraud also constitutes a legitimate<br />
interest of the controller in question. The processing of personal<br />
data for direct marketing purposes may be considered to be carried out on the basis of<br />
legitimate interest.”<br />
<br />
<br />
For its part, Opinion 06/2014 contains a similar pronouncement. It first indicates that:<br />
<br />
“An interest must be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject. Moreover, the interest at stake must also be ‘pursued by the controller’. This requires a real and present interest, something that corresponds with current activities or benefits that are expected in the very near future. In other words, interests that are too vague or speculative will not be sufficient.”<br />
<br />
In this sense, the Opinion clarifies, a legitimate interest, in order to be relevant, must:<br />
<br />
<br />
- be lawful (i.e. in accordance with applicable EU and national law);<br />
- be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);<br />
- represent a real and present interest (i.e. not be speculative).<br />
<br />
It then includes a non-exhaustive list of some of the most common contexts in which the question of legitimate interest within the meaning of Article 7(f) arises. Among them it includes “conventional direct marketing and other forms of marketing or advertisement”.<br />
<br />
In principle, it could be considered that processing carried out for the purposes of “direct marketing” and “business prospecting and other forms of advertising” would, as a starting point, constitute a legitimate interest. This does not imply that all processing for that purpose can be regarded as covered by the legal basis of legitimate interest. Indeed, Opinion 06/2014 clarifies:<br />
<br />
“The legitimacy of the interest of the controller is only a starting point, one of the elements that need to be analysed under Article 7(f). Whether Article 7(f) can be relied on will depend on the outcome of the balancing test that follows.”<br />
<br />
Therefore, the controller remains subject to the balancing test provided for in article 6.1.f) GDPR, by virtue of which the processing will be lawful if it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.<br />
<br />
<br />
1. Weighting of rights and interests<br />
<br />
In order to carry out the balancing provided for in the Regulation, the defendant has argued:<br />
<br />
<br />
- As the controller's interest: attracting customers and an "increase in its visibility in the market".<br />
<br />
- As a possible impact on the rights of the complaining party, which the controller minimised with various arguments. Among them: the scarcity and minor nature of the data processed (identity and contact details); the absence of legal effects on the data subject (contracting, access to services); the minimal impact on the data subject's sphere (receipt of a postal communication, less invasive than other channels); the existence of safeguards applicable to the processing; respect for those who exercise their right to object; and the existence of channels for the exercise of data protection rights, safeguards which are imposed by law, not granted by the controller as a courtesy.<br />
<br />
<br />
1. Rights of the data subject<br />
<br />
<br />
Once the legitimate interest alleged by the controller has been established, the way in which the rights and interests of the data subject are affected must also be analysed, so that the balancing judgment can be concluded.<br />
<br />
In this regard, special attention should be paid to the impact that the processing may have on the data subject. The defendant focuses on declaring that this impact would not be significant given the means used (postal mail) and the little or no effect on the legal sphere of the data subject. However, these are not the only parameters to be taken into account. In this regard, Opinion 06/2014 states:<br />
<br />
“A data controller's legitimate interest, when minor and not very compelling, may, in general, only override the interests and rights of data subjects in cases where the impact on these rights and interests is even more trivial.”<br />
<br />
In the case at hand, it is clear that the controller's interest cannot be qualified as “compelling”, since, as the controller itself indicates, it comes down to its interest in attracting new customers. This means, as the Opinion indicates, that greater rigour is required regarding the affected rights of the claimant. The Opinion continues:<br />
<br />
“The term ‘impact’ as used in this Opinion covers any possible (potential or actual) consequences of the data processing. The concept is not linked to the notion of breach of personal data and is much broader than the repercussions that may derive from such a breach.”<br />
<br />
As for the type of impact that the processing of the data may have on the data subject, it states the following:<br />
<br />
<br />
“In addition to adverse outcomes that can be specifically foreseen, broader emotional impacts also need to be taken into account, such as the irritation, fear and distress that may result from a data subject losing control over personal information, or realising that it has been or may be misused or compromised, for example through exposure on the Internet. The chilling effect on protected behaviour, such as freedom of research or free speech, that may result from continuous monitoring must also be given due consideration.”<br />
<br />
<br />
It cannot be forgotten that the claim was filed by the claimant after having received a postal communication of a promotional nature which was directly addressed to her, since it contained her identification and contact details. Therefore, the defendant's view cannot be shared when it states that “this [postal] channel should be considered less aggressive and invasive than other channels commonly used to send advertising, such as commercial calls and/or sending emails”.<br />
<br />
<br />
<br />
In this regard, it should be noted that, although channels such as the telephone could in principle be considered more “invasive”, the truth is that whoever receives a call may believe that the caller does not hold their identification data, whereas receiving a postal communication containing identification and contact details makes the data subject certain that whoever sends the communication holds that data. Moreover, not being a customer of the entity, uncertainty arises as to what the source of the data could have been, which leads the data subject to doubt their control over it.<br />
<br />
<br />
This leads us to the concept of “reasonable expectation” as a criterion to be taken into account in processing based on legitimate interest.<br />
<br />
2. Reasonable expectation in data processing<br />
<br />
<br />
As previously mentioned, Recital 47 GDPR establishes, in relation to the legal basis of legitimate interest, that it could apply when the controller's interest does not override the rights of the data subject, “taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller”.<br />
<br />
The reasonable expectation that the data subject may have regarding the processing of the data is crucial in the balancing between the interests of the controller and the rights of the data subject. Opinion 06/2014 states:<br />
<br />
<br />
“The reasonable expectations of the data subject regarding the use and disclosure of the data are also very relevant in this regard. As it has been put forward in respect of the analysis of the purpose limitation principle, it is important to consider whether the status of the controller, the nature of the relationship or service provided, or the applicable legal or contractual obligations (or other promises made at the time of collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use.”<br />
<br />
The clearest example of reasonable expectation in cases of receipt of advertising communications comes from having previously been a customer of a company, or at least having contacted it to inquire about the products or services it markets.<br />
<br />
In the present case, the claimant has not been a customer of the defendant, nor has the claimant contacted it to inquire about the services of the company in question. Hence the claimant's surprise at receiving a commercial communication containing their identification and contact details.<br />
<br />
The defendant, for its part, alleges that:<br />
<br />
<br />
“In this consideration, the reasonable expectation of the data subject regarding the processing of their personal data for this purpose must be taken into account. In this sense, we must bear in mind that it is common practice in the<br />
<br />
market to send advertising by postal mail to potential customers, and also that, in view of market practice, data subjects are perfectly aware of the possibility that such communications may appear in their mailbox and that, in addition, these may be beneficial or provide added value to data subjects in their role as consumers.”<br />
<br />
That is, it provides no justification for the existence of a reasonable expectation beyond indicating that any citizen can expect to receive a postal advertising communication in their mailbox without previously being a customer of, or having shown interest in the services of, a company.<br />
<br />
It is worth mentioning Report 2018/0173 of the Legal Department of this Agency, which analyses the lawfulness of direct marketing actions both in the field of electronic media and in others. In this regard, it clarifies that, even if a data subject has previously been a customer of a company or has shown interest in its goods or services, direct marketing actions must be limited to goods or services similar to those previously contracted.<br />
<br />
“As indicated in the report just reproduced, the general criterion for considering that the processing of the data can be based on the balancing rule of the legitimate interest of the controller would be that the services and products offered were those of the controller itself. In this sense, it was clarified that, in the case of financial credit institutions, such advertising should be understood as referring to that entity's own asset or liability products, but not to other financial products, such as, as expressly indicated, insurance. This is based on the fact that, in relation to such products, the data subject has no reasonable expectation that their data will be processed by the bank for the offer of products which, in principle, are not related to those contracted when approaching it.”<br />
<br />
<br />
Bearing in mind that, even having previously been a customer, the criterion for sending commercial communications is restrictive (and must be limited to the products contracted), it is all the more so where the data subject has not been a customer, in which case no such products and services exist.<br />
<br />
<br />
<br />
3. Data processed<br />
<br />
Another of the defendant's arguments consists of insisting on the nature of the data, which would consist only of the claimant's identity and postal address. In this regard, it should be noted that, although it is true that no special categories of data under article 9 GDPR are involved, Opinion 06/2014 clarifies that:<br />
<br />
“In general, the more sensitive the information involved, the more consequences there may be for the data subject. However, this does not mean that data that may seem innocuous in and of themselves can be freely processed on the basis of Article 7(f). Of course, even such data, depending on the way they are processed, can have a significant impact on individuals.”<br />
<br />
<br />
<br />
This, in combination with the absence of a reasonable expectation on the part of the data subject regarding the processing of their data, means that the nature of the data processed cannot, by itself, justify the legitimate interest in the processing.<br />
<br />
<br />
<br />
4. How the data is processed<br />
<br />
Another aspect to take into account when balancing rights and interests is the assessment of necessity, suitability and proportionality in the data processing. In this regard, Opinion 06/2014 indicates the following:<br />
<br />
“In general, the more negative or uncertain the impact of the processing may be, the more unlikely it is that the processing will be considered, on the whole, legitimate. The availability of alternative methods to achieve the objectives pursued by the controller, with less negative impact on the data subject, should certainly be a relevant consideration in this context.”<br />
<br />
In this regard, the defendant alleges that “in our assessment, Factor Energía has no alternative method available that allows us to communicate our interest in offering our services, that likewise allows us to comply with our legal obligations (informing data subjects about the processing of their personal data), and that has the least impact on data subjects.”<br />
<br />
Suffice it to say that it would have been enough to carry out a mailing campaign without including the claimant's data. This is especially so when the defendant itself has clarified that the indication of suitable tariffs based on consumption, which is included in the letter, is not based on the claimant's specific data but on estimates for the area. On the basis of this statement, it would not be necessary for the letter to be accompanied by identification data.<br />
<br />
<br />
Accordingly, the processing carried out does not pass the proportionality test, nor the principle of minimal intervention, since there are methods that would not require the processing.<br />
<br />
5. Position of the controller and the interested party<br />
<br />
In the balancing judgment, it is necessary to pay attention to the position of the claimant versus that of the defendant. Thus, in the first case we find a citizen or user, while the defendant is an electricity marketing company.<br />
<br />
In this regard, Opinion 06/2014 advises paying attention to the situation of imbalance between the two:<br />
<br />
“Depending on whether the data controller is an individual or a small organisation, a large multinational company or a public body, and on the specific circumstances, its position may be more or less dominant with respect to the data subject.<br />
<br />
Whether the data subject is an employee, a student, a patient, or whether there is otherwise an imbalance in the relationship between the position of the data subject and that of the<br />
<br />
controller must, of course, also be considered relevant. It is important to assess the effect of actual processing on specific individuals.”<br />
<br />
<br />
6. Conclusions on the weighting of rights and interests<br />
<br />
Based on the factors analysed, it cannot be concluded that, in the present case, the pursuit of legitimate interests, in comparison with the impact on the rights of the claimant, justifies the use of the legal basis of legitimate interest for the processing of data for direct marketing purposes. This is based on:<br />
<br />
<br />
- The existence of an impact on the rights and interests of the complaining party has been determined. The claimant received a commercial communication from a company of which they were not a customer, which processed their personal data (name, surname and address), causing a situation of uncertainty about the origin of the data and whether it could be available to other entities.<br />
<br />
- The existence of a reasonable expectation on the part of the complaining party that their data may be processed by this company for these purposes has not been established. This is above all due to the fact that, in the case of a direct marketing action, it has not been justified that the claimant was previously a customer, nor had the claimant shown interest in the services of the defendant.<br />
<br />
- The non-existence of alternative methods, in application of the principle of minimal intervention, which would not involve the processing of personal data in order to carry out marketing activities under the conditions in which they were being carried out by the defendant, has not been justified.<br />
<br />
- The existence of an imbalance between the position of the claimant (consumer) and that of the defendant (a distribution company in the electricity sector) has been determined.<br />
<br />
II<br />
In accordance with the evidence available at the present time of the agreement to initiate the sanctioning procedure, and without prejudice to the outcome of the investigation, it is considered that the known facts could constitute an infringement, attributable to the defendant, for violation of article 6.1 of the GDPR, since the data processing carried out, that is, the postal marketing activity addressed to the complaining party with their name, surnames and address, was carried out without a legitimising basis.<br />
<br />
<br />
IV.<br />
If confirmed, the aforementioned infringement of article 6.1 of the GDPR could constitute an offence typified in article 83.5 of the GDPR, which, under the heading “General conditions for imposing administrative fines”, provides:<br />
<br />
<br />
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, an amount equivalent to up to 4% of the<br />
<br />
total annual worldwide turnover of the preceding financial year, whichever is higher:<br />
<br />
<br />
a) the basic principles for processing, including the conditions for consent, pursuant to articles 5, 6, 7 and 9; (…)”<br />
<br />
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that:<br />
<br />
“The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infringements”.<br />
<br />
For the purposes of the limitation period, article 72 “Infringements considered very serious” of the LOPDGDD indicates:<br />
<br />
<br />
“1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that entail a substantial violation of the articles mentioned therein are considered very serious and shall be time-barred after three years, and in particular the following:<br />
<br />
<br />
b) The processing of personal data without any of the conditions of lawfulness established in article 6 of Regulation (EU) 2016/679 being met. (…)”<br />
<br />
V<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the evidence available at the present time of the agreement to initiate the sanctioning procedure, and without prejudice to the outcome of the investigation, it is considered that the offence in question is serious for the purposes of the GDPR and that it is appropriate to graduate the sanction to be imposed in accordance with the following criteria established in article 83.2 of the GDPR:<br />
<br />
<br />
As aggravating factors:<br />
- Negligence in the offence (art. 83.2.b). It must be taken into account that FACTOR ENERGIA has not even been able to prove the source from which it obtained the data of the complaining party, indicating that it was obtained from “publicly accessible sources” without being able to specify the particular source. This indicates, at the very least, a considerable lack of diligence.<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the following criteria established in section 2 of article 76 “Sanctions and corrective measures” of the LOPDGDD:<br />
<br />
<br />
As aggravating factors:<br />
- Link between the offender's activity and the processing of personal data (art. 76.1.b). FACTOR ENERGIA, a company engaged in the electricity trade, handles a large amount of personal data, for which reason it must have extensive knowledge of the regulations on data protection and its management.<br />
<br />
<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the LOPDGDD, with respect to the offence committed by violating the provisions of article 6.1 of the GDPR, allows the initial setting of a penalty of €40,000 (FORTY THOUSAND euros).<br />
<br />
<br />
VI<br />
If the infringement is confirmed, the controller could be ordered to adopt adequate measures to bring its conduct into line with the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, according to the provisions of art. 83.2 of the GDPR.<br />
<br />
It is noted that failure to comply with the requirements of this body may be considered an administrative offence in accordance with the provisions of the GDPR, typified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.<br />
<br />
<br />
Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency<br />
AGREES:<br />
<br />
<br />
FIRST: TO INITIATE SANCTIONING PROCEEDINGS against FACTOR ENERGÍA, S.A., with NIF A61893871, for the alleged violation of article 6.1 of the GDPR, typified in article 83.5 of the GDPR.<br />
<br />
SECOND: TO APPOINT C.C.C. as instructor and D.D.D. as secretary, indicating that either of them may be challenged, if applicable, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).<br />
<br />
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the Sub-directorate General of Data Inspection in the actions prior to the start of this sanctioning procedure.<br />
<br />
FOURTH: THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond for the alleged violation of article 6.1 of the GDPR, typified in article 83.5 of said regulation, would be an administrative fine of €40,000.00.<br />
<br />
FIFTH: TO NOTIFY this agreement to FACTOR ENERGÍA, S.A., with NIF A61893871, granting it a hearing period of ten business days to formulate the allegations and present the evidence it deems appropriate. In its written allegations it must provide its NIF and the procedure number that appears in the heading of this document.<br />
<br />
If, within the stipulated period, it does not make allegations to this initiation agreement, the same may be considered a proposed resolution, as established in article 64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its responsibility within the period granted for the formulation of allegations to this initiation agreement, which will entail a reduction of 20% of the sanction to be imposed in this proceeding. With the application of this reduction, the sanction would be set at 32,000.00 euros, and the procedure would be resolved with the imposition of this sanction.<br />
<br />
In the same way, it may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a reduction of 20% of its amount. With the application of this reduction, the sanction would be set at 32,000.00 euros and its payment will imply the termination of the procedure.<br />
<br />
The reduction for voluntary payment of the penalty is cumulative with the one applicable for acknowledgment of responsibility, provided that this acknowledgment of responsibility is made within the period granted to formulate allegations at the opening of the procedure. Voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were to be applied, the amount of the penalty would be set at 24,000.00 euros.<br />
<br />
In any case, the effectiveness of either of the two aforementioned reductions will be conditional on the withdrawal or waiver of any action or appeal through administrative channels against the sanction.<br />
<br />
<br />
In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (32,000.00 euros or 40,000.00 euros), you must make it effective by depositing it in account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the payment reference the procedure number that appears in the heading of this document and the reason for the reduction of the amount, where applicable.<br />
<br />
Likewise, you must send proof of payment to the Sub-directorate General of Inspection in order to continue with the procedure in accordance with the amount paid.<br />
<br />
The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, of the draft initiation agreement. After this period, it will expire and, consequently, the proceedings will be closed, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act.<br />
<br />
935-110422<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
<br />
>><br />
<br />
SECOND: On November 17, 2022, the defendant proceeded to pay the penalty in the amount of 24,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the acknowledgment of responsibility.<br />
<br />
THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or appeal through administrative channels against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.<br />
<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
Yo<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants to each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by<br />
the Spanish Data Protection Agency shall be governed by the provisions of<br />
Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued<br />
in its implementation and, insofar as they do not contradict them, on a subsidiary<br />
basis, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP), under the heading "Termination<br />
in sanctioning proceedings", provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges<br />
responsibility, the procedure may be resolved with the imposition of the<br />
appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or when it is possible to<br />
impose a pecuniary sanction and another of a non-pecuniary nature but the<br />
inappropriateness of the second has been justified, voluntary payment by the<br />
presumed offender, at any time prior to the resolution, shall imply the<br />
termination of the procedure, except as regards the restoration of the altered<br />
situation or the determination of compensation for the damage caused by the<br />
commission of the offence.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the body<br />
competent to resolve the procedure shall apply reductions of at least 20% of the<br />
amount of the proposed sanction, these being cumulative with each other. The<br />
aforementioned reductions must be set out in the notification of initiation of<br />
the procedure, and their effectiveness shall be conditioned on the withdrawal or<br />
waiver of any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this paragraph may be increased by<br />
regulation."<br />
<br />
<br />
In view of the foregoing,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO DECLARE the termination of procedure EXP202102778, in accordance with<br />
the provisions of article 85 of the LPACAP.<br />
<br />
<br />
SECOND: TO NOTIFY this resolution to FACTOR ENERGÍA, S.A.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution<br />
will be made public once it has been notified to the interested parties.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure as<br />
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Common<br />
Administrative Procedure of Public Administrations, interested parties may file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber<br />
of the National High Court (Audiencia Nacional), in accordance with article 25<br />
and section 5 of the fourth additional provision of Law 29/1998, of July 13,<br />
regulating the Contentious-Administrative Jurisdiction, within a period of two<br />
months from the day following notification of this act, as provided for in<br />
article 46.1 of the said Law.<br />
<br />
<br />
936-040822<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div><br />
Teresa.lopez<br />
https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202102778&diff=30401<br />
AEPD (Spain) - EXP202102778<br />
2023-01-17T14:52:03Z<br />
<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00508-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00508-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=04.11.2021<br />
|Date_Decided=<br />
|Date_Published=10.01.2023<br />
|Year=<br />
|Fine=24,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1f<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=FACTOR ENERGIA, S.A.<br />
|Party_Link_1=https://www.factorenergia.com/es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA fined a controller €24,000 for lacking a legal basis when processing a data subject's personal data for direct postal marketing.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject received an advertising message by post from Factor Energía, S.A. (the controller), in which they were addressed by their full name and given a personalised recommendation based on the characteristics of their energy supply point and consumption habits.<br />
<br />
Since the controller was not the data subject's energy provider, they contacted the company to request information on the processing of their data. After the period set by Article 12(3) GDPR had elapsed, the controller informed the data subject that their data had been obtained from the database that electricity and natural gas distribution companies make available to retail companies so that they can make offers on the market (the Sistema de Información de Puntos de Suministro, SIPS, or Supply Point Information System).<br />
<br />
The data subject contacted the entity that manages the Supply Point Information System, the Spanish National Markets and Competition Commission (CNMC). This entity assured the data subject that the applicable legislation prohibits retailers from accessing any information that directly identifies the holder of the supply point.<br />
<br />
After enquiries from the Spanish Data Protection Authority, the controller stated that its reply to the data subject had been delayed by a ransomware attack that had encrypted its systems. Moreover, the controller indicated that the first answer given to the data subject had been drafted by a trainee, since the request was received during the holiday period. On this basis the controller revised its reply as follows: the personal data relating to name, surname and postal address had been obtained from publicly accessible sources, although the controller was unable to specify which source as a result of the ransomware attack; the data relating to the technical conditions of the supply point, on the other hand, had been lawfully obtained from the SIPS. The controller added that the consumption data mentioned to the data subject were estimates that did not reflect their real consumption habits, but an aggregated value based on their postal code.<br />
<br />
According to the information provided to the DPA, the controller based the processing on its legitimate interest (customer acquisition and increasing its visibility in the market). The controller also shared its legitimate interest assessment, in which it argued that the data subject's rights did not prevail because of the low impact of the means used (post) and the little or no effect on their legal sphere.<br />
<br />
=== Holding ===<br />
The Data Protection Authority held that the controller had violated [[Article 6 GDPR#1|Article 6(1) GDPR]], since the legitimate interest assessment on which the processing was based was found to be insufficient, so that the controller could not rely on [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis.<br />
<br />
Contrary to the controller's position, the DPA held that the rights of the data subject prevailed over the controller's interests on several grounds.<br />
<br />
First, the DPA noted that the alleged additional safeguards were not an additional layer of protection provided by the controller, but simply protections already required by data protection law.<br />
<br />
Second, the DPA rejected the controller's argument that postal marketing is less intrusive than cold calling. The Authority pointed out that with a phone call the data subject may believe that the caller does not hold their identification data, whereas receiving a postal communication that identifies them gives the data subject the certainty that the sender holds such data. Furthermore, the data subject is left uncertain as to what the source of their data may have been, which casts doubt on their power of disposal over the data.<br />
<br />
Third, the DPA found that postal marketing being a habitual practice in the industry was an insufficient basis to establish a reasonable expectation on the part of the data subject. The Authority recalled its own report 2018/0173, which analyses the legitimacy of direct marketing actions in both electronic and non-electronic media. That report concluded that, even where the data subject has previously been a customer, the criterion for sending commercial communications is restrictive (limited to the products contracted). This applies all the more where the data subject has never been a customer, as in the present case.<br />
<br />
Fourth, the DPA rejected the controller's argument that the nature of the data processed (contact details) indicated the prevalence of the company's legitimate interest. The Authority quoted Article 29 Working Party Opinion 06/2014: "In general, the more sensitive the information involved, the more consequences there may be for the data subject. This, however, does not mean that data that may in and of themselves seem innocuous, can be freely processed based on Article 7(f). Indeed, even such data, depending on the way they are processed, can have significant impact on individuals (...)".<br />
<br />
Fifth, the controller argued that there was no less intrusive method of achieving its legitimate interest. The DPA disagreed, stating that the mailing could have been sent without including the personal data.<br />
<br />
Finally, the Data Protection Authority noted the imbalance between the data subject (a consumer) and the controller (an electricity supply company).<br />
<br />
For these reasons, the DPA held that the infringement was serious for the purposes of the GDPR and that the sanction should be graduated with the aggravating factors of negligence (Article 83(2)(b) GDPR), since the controller could not identify the publicly accessible source of the personal data, and the link between the controller's activity and the processing of personal data (Article 76(2)(b) of the Spanish Data Protection Law, LOPDGDD). The DPA initially contemplated a €40,000 fine, but offered two grounds for reduction: voluntary payment of the fine and acknowledgment of responsibility. The controller invoked both and finally paid €24,000.<br />
<br />
== Comment ==<br />
The Spanish Data Protection Authority did not address other possible infringements apparent in this case, such as the failure to reply within the statutory period or the data breach caused by the ransomware attack, each of which could potentially have led to a fine in its own right.<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202102778<br />
<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT<br />
<br />
Of the procedure conducted by the Spanish Data Protection Agency and on the<br />
basis of the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: On October 31, 2022, the Director of the Spanish Data Protection Agency<br />
agreed to initiate a sanctioning procedure against FACTOR ENERGÍA, S.A.<br />
(hereinafter, the claimed party), by means of the Agreement transcribed below:<br />
<br />
<<<br />
<br />
File No.: EXP202102778<br />
<br />
<br />
<br />
AGREEMENT TO INITIATE SANCTIONING PROCEDURE<br />
<br />
Of the actions carried out by the Spanish Data Protection Agency and on the<br />
basis of the following<br />
<br />
FACTS<br />
<br />
FIRST: On August 16, 2021, A.A.A. (hereinafter, the complaining party) filed a<br />
claim with the Spanish Data Protection Agency. The claim is directed against<br />
FACTOR ENERGÍA, S.A. with NIF A61893871 (hereinafter, FACTOR ENERGÍA). The<br />
grounds on which the claim is based are the following:<br />
<br />
- The complaining party has received an advertising message by post from<br />
FACTOR ENERGÍA, in which they address him by his first name and surname and<br />
make him a personalized recommendation based on the characteristics of his<br />
supply point and his consumption habits.<br />
- Considering that the advertising company is unlawfully processing his data,<br />
since he has no relationship with it, the affected person has contacted it to<br />
request information, and its Data Protection Officer has replied that the data<br />
come from the Supply Point Information System (SIPS). This, as they have<br />
explained, is the database that electricity and natural gas distribution<br />
companies make available to the retail (trading) companies, for the purpose of<br />
being able to make offers on the market.<br />
- As it has been able to find out on the Internet, the complaining party explains<br />
that the SIPS system is regulated by Royal Decree 1435/2002 and that the exchange<br />
of information that takes place within it is managed by the National Markets and<br />
Competition Commission (CNMC). This body has assured the data subject in writing<br />
that it does not hold data on electricity users since, on November 27, 2015,<br />
Royal Decree 1074/2015 was approved, which amended various provisions in the<br />
electricity sector. That decree introduced the prohibition on the trading<br />
companies and the CNMC accessing any information that directly identifies the<br />
holder of the supply point.<br />
- The complaining party continues to believe that unlawful processing of his<br />
personal data is taking place. Either the company is obtaining the data from<br />
another source, or it is extracting them from the SIPS; but if so, not even his<br />
distribution company should provide these data, nor should the CNMC consult them,<br />
nor should the other distribution companies be able to access them for any<br />
processing, much less for commercial actions.<br />
<br />
Along with the claim, the following is provided:<br />
- Front of a commercial communication sent by FACTORENERGIA, with its<br />
translation into Spanish, in which there are red boxes that would correspond to<br />
anonymized data.<br />
- Email sent from the address DPO@factorenergia.com that includes a spreadsheet<br />
with anonymized data.<br />
- Email that the claimant sent to the National Markets and Competition<br />
Commission, and the response from its Data Protection Officer, from the address<br />
dpd@cnmc.es<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on<br />
the Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), said claim was forwarded to FACTOR ENERGÍA so that it could analyse it<br />
and inform this Agency, within one month, of the actions carried out to comply<br />
with the requirements established in the data protection regulations.<br />
<br />
The transfer, carried out in accordance with the rules established in Law<br />
39/2015, of October 1, on the Common Administrative Procedure of Public<br />
Administrations (hereinafter, LPACAP), was received on 10/04/2021, as stated in<br />
the acknowledgement of receipt in the file.<br />
<br />
On 10/05/2021, this Agency received a written reply indicating that the<br />
notification with transfer of the claim and request for information had been<br />
received, but that a copy of the claim submitted and the attached documents (if<br />
any) was not enclosed, only an extract of the relevant information from it, and<br />
that the undersigned therefore wished to exercise the right to access and obtain<br />
a complete copy of said claim, in order to be able to respond to the request for<br />
information in the most detailed, complete and truthful way possible, verifying<br />
the identity and correct identification of the claimant, as well as the facts<br />
described in the request for information and in the claim submitted.<br />
<br />
<br />
THIRD: On November 4, 2021, in accordance with article 65 of the LOPDGDD, the<br />
claim submitted by the complaining party was admitted for processing.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out<br />
preliminary investigative actions to clarify the facts in question, by virtue of<br />
the functions assigned to the supervisory authorities in article 57.1 and the<br />
powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data<br />
Protection Regulation, hereinafter GDPR), and in accordance with the provisions<br />
of Title VII, Chapter I, Second Section, of the LOPDGDD, learning of the<br />
following:<br />
<br />
Relevant documentation provided by the claimant:<br />
- Copy of the front of a commercial communication with FACTOR ENERGÍA<br />
letterhead. Written in Catalan, it is anonymized (it does not contain the<br />
recipient's data or any reference to the date). The complaining party provides a<br />
translation and indicates the inclusion of the following categories of data:<br />
name, surname, address of the recipient, address of the supply point. The<br />
communication recommends a type of self-consumption electrical installation<br />
(solar panels) based on "a study of your data and electricity consumption<br />
habits".<br />
- Transcription of part of the response to the exercise of the right of access<br />
addressed by FACTOR ENERGÍA to the claimant, dated August 2, 2021. Regarding the<br />
origin of the data processed, it states:<br />
“[…] your personal data, and specifically those relating to the technical<br />
conditions of your supply point, such as the CUPS (supply point identification<br />
number), access tariff, power, etc. (detailed in the attached Excel) have been<br />
lawfully obtained through the Supply Point Information System (SIPS), which is<br />
the database that electricity and natural gas distribution companies make<br />
available to the trading companies, for the purpose of being able to make offers<br />
on the market.<br />
Regarding the consumption habits to which we refer in the commercial<br />
communication, as we indicated at the bottom of it in point 2, these are<br />
estimated and standardized data, not specifically customized according to the<br />
specific characteristics of your home or your specific consumption habits.”<br />
- Transcription of the data provided to the claimant by FACTOR ENERGÍA in<br />
response to the right of access. It is not the original spreadsheet, but rather<br />
the list of categories of data that would have been provided. It includes the<br />
categories name, surname and address of the supply point, in addition to<br />
technical data (tariff, power, etc.).<br />
- Email response from the DPO of the CNMC to the claimant dated August 16, 2021,<br />
containing the following paragraphs:<br />
"In strict compliance with the applicable regulations that you point out, the<br />
CNMC does not hold data on electricity users since, on November 27, 2015, Royal<br />
Decree 1074/2015 was approved, which amends various provisions in the electricity<br />
sector. Said RD introduced the prohibition on the trading companies and the CNMC<br />
accessing any information that directly identifies the holder of the supply<br />
point. Therefore, should data of this type be exchanged between companies in the<br />
sector, these data in no case come from the CNMC.<br />
The CNMC only holds the data of end users of gas (supply point database), and<br />
the trading companies do obtain them lawfully through our body, but the use they<br />
make of them is, logically, their sole responsibility. However, the user may<br />
object to their data being made available to other gas trading companies by<br />
expressly indicating this to the company that supplies them.”<br />
<br />
The background that appears in the information systems is the following:<br />
<br />
FACTOR ENERGÍA submitted two briefs (dated October 5, 2021 and November 2021) in<br />
which it states:<br />
<br />
<br />
- That in July 2021 Ms. B.B.B. exercised the right of access from the email<br />
address of the complaining party.<br />
<br />
- That said exercise could not be attended to normally since, on June 24, 2021,<br />
the computer systems of FACTOR ENERGÍA were affected by a virus that caused a<br />
great impact by encrypting the company's systems and data.<br />
<br />
<br />
- That on August 2, 2021, a response to the right exercised was sent, although<br />
it states that "the person in charge of responding to the applicant was a<br />
trainee, since the date coincided with the holiday period of the company's<br />
staff, and that such response suffers from a certain lack of accuracy and/or<br />
specificity".<br />
<br />
- That the personal data relating to name, surname and postal address were<br />
obtained from publicly accessible sources. It adds that it cannot specify the<br />
publicly accessible source as a result of the impact of the computer virus.<br />
<br />
<br />
- That the data relating to the technical conditions of the supply point were<br />
obtained from the SIPS. It adds that it can download the SIPS "from the<br />
distribution companies and the CNMC periodically in its capacity as trading<br />
company, and that it does not include the personal data of the applicant<br />
relating to name and surname or postal address".<br />
<br />
- That it is still (as of the date of writing, November 3, 2021) immersed in the<br />
file recovery process.<br />
<br />
In addition, it attached the following relevant documentation:<br />
<br />
- Emails exchanged on June 30, 2021 between the IT manager of FACTOR ENERGÍA and<br />
INCIBE referring to the ransomware attack suffered by the entity.<br />
<br />
- Document signed by B.B.B. exercising the right of access against FACTOR<br />
ENERGÍA on July 2, 2021 from the email address of the complaining party.<br />
<br />
- Email sent on August 2, 2021 by FACTOR ENERGÍA to B.B.B. (to the email address<br />
of the complaining party) in response to the exercise of the right of access<br />
referred to in the previous point. It provides a copy of the original in Catalan<br />
and a translation into Spanish. It includes the following paragraphs:<br />
<br />
“On the other hand, we want to clarify that in no case have we carried out a<br />
precise and exact study with your data and specific consumption habits, but<br />
rather, as indicated at the bottom of the aforementioned communication (point 2),<br />
your data are estimated and standardized, not personalized or calculated<br />
according to the specific characteristics of your home or your consumption<br />
habits, it being understood that our intention was to highlight the advantages<br />
offered by photovoltaic self-consumption.<br />
<br />
[…] Specifically, in relation to art. 5.1 a) referred to, in our communication<br />
we indicated that your data have been processed lawfully, fairly and<br />
transparently at all times, since they were collected from sources to which we<br />
have access as a trading company and from publicly accessible sources, complying<br />
with the requirements of the General Data Protection Regulation (GDPR) and<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
Guarantee of Digital Rights (LOPDGDD).<br />
<br />
[...] Specifically, on our website, within the purposes of processing of<br />
personal data with regard to "Non-customers", the following purpose is<br />
indicated: "To inform about services, promotions and products related to our<br />
activity".<br />
<br />
<br />
[…] Your personal data, and specifically those relating to the technical<br />
conditions of your supply point, such as the CUPS (supply point identification<br />
number), access tariff, power, etc. (detailed in the attached Excel) have been<br />
lawfully obtained through the Supply Point Information System (SIPS), which is<br />
the database that electricity and natural gas distribution companies make<br />
available to the trading companies, for the purpose of being able to make offers<br />
on the market.<br />
<br />
Regarding the consumption habits to which we refer in the commercial<br />
communication, as we indicate at the bottom of it in point 2, these are<br />
estimated and standardized data, not specially personalized according to the<br />
specific characteristics of your home or your specific consumption habits.<br />
<br />
[…] Where possible, the envisaged period for which the personal data will be<br />
stored or, if not possible, the criteria used to determine that period: as long<br />
as you do not exercise any of your rights”<br />
<br />
In this letter it also refers to the internet address www.factorenergia.com to<br />
consult the privacy policy.<br />
<br />
INVESTIGATED ENTITIES<br />
During these proceedings, the following entities have been investigated:<br />
<br />
- FACTOR ENERGÍA, S.A. with NIF A61893871 with address at ***ADDRESS.1<br />
(BARCELONA)<br />
<br />
RESULT OF INVESTIGATION ACTIONS<br />
<br />
In addition to the documentation mentioned above, information is collected from<br />
the following sources:<br />
<br />
- Letter from FACTOR ENERGÍA dated June 28, 2022, hereinafter Brief #1.<br />
<br />
- Letter from FACTOR ENERGÍA dated July 19, 2022, hereinafter Brief #2.<br />
<br />
- Proceedings with relevant information for these proceedings (Diligence<br />
References).<br />
<br />
On the sending of postal advertising to persons who are not FACTOR ENERGÍA<br />
customers<br />
<br />
FACTOR ENERGÍA states (Brief #2) that sending postal communications to<br />
non-customers is not a frequent practice of the company, but is carried out "on<br />
occasions and addressed to a small number of recipients". It further states that<br />
"in most cases the data are obtained from the interested parties themselves.<br />
More residually, and to a lesser extent, commercial communications have been<br />
sent by post to non-customers whose data were obtained from publicly accessible<br />
sources without restrictions".<br />
<br />
FACTOR ENERGÍA (Brief #2) specifies the conditions that must be met in order to<br />
use such data for marketing purposes:<br />
<br />
- "(1) that the recipient has not previously exercised the right to object".<br />
<br />
- "(2) that the sources to be consulted are up to date." On this point FACTOR<br />
ENERGÍA clarifies that these publicly accessible sources correspond to<br />
"repertories or telephone directories which may be consulted by any person and<br />
without restrictions, not prevented by a limiting rule". On July 22, 2022, a<br />
letter was addressed to FACTOR ENERGÍA requesting details of the publicly<br />
accessible sources it uses. As of the date of signing this report, no response<br />
has been received in this regard.<br />
<br />
- "(3) that the Robinson List advertising exclusion list has been consulted (to<br />
which we are subscribed) and it has been verified that the interested party to<br />
whom the advertising will be sent does not appear in it". In this regard, FACTOR<br />
ENERGÍA points out that it consults the advertising exclusion system prior to<br />
sending and attaches (document 1 of Brief #2) a copy of the subscription invoices<br />
for Adigital's Robinson List service for 2021 and 2022.<br />
<br />
<br />
- "(4) comply with the duty of information to the data subject in accordance<br />
with the GDPR and the LOPDGDD". The information included in commercial<br />
communications is detailed later in this report; in relation to the origin of the<br />
personal data, it states that "they come from lawfully obtained sources and/or<br />
publicly accessible sources available without restrictions".<br />
<br />
In relation to the volume of recipients of the advertising campaign, FACTOR ENERGIA (Brief #2) states the following:<br />
<br />
"In relation to the above, it is recorded that in June 2021 an advertising campaign was carried out by post to publicize the advantages of incorporating self-consumption into the electricity supply. Within the target group there was a segment of the campaign aimed at customers (electricity supply customers, with one communication model) and another target group aimed at non-clients […]:<br />
<br />
June 2021: self-consumption advertising campaign to obtain savings on the cost of electricity.<br />
<br />
No. of recipients: 42,670 recipients (total)<br />
<br />
In relation to the foregoing, it should be noted that said campaign had as its territorial scope the autonomous community of Catalonia (not the entire national territory).”<br />
<br />
<br />
Information recorded in the Record of Processing Activities (RAT):<br />
<br />
FACTOR ENERGIA attaches (document 1 attached to Brief #1) the information included in the Record of Processing Activities (RAT) on the "Activity of management of non-clients”. The record includes the following information:<br />
<br />
- Categories of personal data: name and surname, DNI/NIF, address/e-mail, phone, CUPS. It includes the following annotation: "Includes all possible categories of data that it can contain according to the source or lead of contact."<br />
<br />
- Purpose: attracting new customers / managing and responding to requests for information, requests or commercial offers, budgets, etc. / reporting and sending offers about services, promotions and products related to our activity.<br />
<br />
- Legal basis: consent of the interested party / legitimate interest -provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data-.<br />
<br />
Legitimate interest as the legal basis for processing:<br />
<br />
In relation to the use of legitimate interest as the legal basis for the processing of the personal data of people who are not customers in order to send them advertising by post, FACTOR ENERGIA provides (document 3 attached to Brief #1) a weighting of interests report dated February 12, 2021.<br />
<br />
It includes the following paragraphs:<br />
<br />
“2.1. Evaluation of the benefit obtained by Factor Energía<br />
<br />
On the part of Factor Energía, the processing of the personal data of the interested parties (potential customers/non-customers) for the purpose of direct marketing, previously indicated, aims to reach by postal mail those non-customer interested parties in order for them to know the services offered by Factor Energía, making them interested in hiring Factor Energía as their new electricity retailer.<br />
<br />
In this sense, the benefits obtained by Factor Energía from the processing of said personal data consist of obtaining:<br />
<br />
An increase in the contracting of its services;<br />
<br />
Greater customer acquisition;<br />
<br />
An increase in visibility in the competitive market of electricity retailers.<br />
<br />
2.2. Evaluation of the interest or rights and freedoms of the interested party<br />
<br />
[…] The direct marketing action by postal mail that is intended to be carried out will be made based on personal data obtained in accordance with the applicable data protection regulations (identification data and contact data) and with standardized and anonymized data of a technical nature.<br />
<br />
In order to configure the different commercial offers, unprotected public data obtained from the Cadastre will be used, as well as statistical and non-personal information of a technical nature obtained through the Supply Point Information System (SIPS) using the postal code of residence. In this way, generic information will be obtained to make a standardized estimate of the voltage, rates and contracted power in certain geographical areas, which will allow advertising communications to be sent by postal mail, since it is considered logical and appropriate that the advertising of an electricity supplier include information on possible savings in electricity consumption.<br />
<br />
The personal data of the interested parties processed for the purpose of direct marketing refer only to the data necessary to send them the communication by postal mail (identification data and contact data).<br />
<br />
The processing will in no case have legal or similar effects on the interested parties, since the purpose of direct marketing by postal mail does not affect access to services, nor the execution of a contract.<br />
<br />
Factor Energía considers that the sending of advertising communications by postal mail has a minimal impact on the interested parties, who will be impacted exclusively by one contact channel: postal mail. Said channel should be considered a less aggressive and invasive method than other channels commonly used to send advertising, such as commercial calls and/or the sending of emails. Likewise, this type of campaign is foreseen as a specific action, which may be reinforced by carrying out other similar campaigns subsequently (after at least a period of six (6) months has elapsed from the sending of the communications of the previous campaign).<br />
<br />
In this weighting, the reasonable expectation of the interested parties regarding the processing of their personal data for this purpose has been taken into account. In this sense, we must bear in mind that it is common practice in the market to send advertising by postal mail to potential customers, but also, in view of market practice, the interested parties are perfectly aware of the possibility that such communications may appear in their mailbox and that, in addition, they can be beneficial or provide added value to the interested parties in their role as consumers in the Spanish electricity market, since such communications may be of their interest or adjusted to their specific needs, resulting in an improvement of their economic situation by discovering an electricity retailer that better fits their needs.<br />
<br />
Taking into account all of the aforementioned, Factor Energía does not find in its assessment any alternative method that allows it to communicate its interest in offering its services and that likewise allows it to comply with its legal obligations (informing about the processing of the personal data of the interested parties) with the least impact on the interested parties.<br />
<br />
For all these reasons, it is considered that the impact that the processing has or may have on the interests, fundamental rights and freedoms of the interested parties is LOW, and would not result in adverse and negative consequences for them.<br />
<br />
2.3. Guarantees applied to the processing<br />
<br />
Factor Energía has implemented the technical and organizational measures to carry out the processing maintaining the security standards of the Company.<br />
<br />
Among the guarantees applied directly to the processing are the following:<br />
<br />
Factor Energía has implemented the technical and organizational security measures necessary to guarantee the integrity, availability and confidentiality of the information, having also designated a Data Protection Officer, in compliance with the provisions of article 37 of the GDPR.<br />
<br />
<br />
Communications by postal mail are sent only to interested parties who have not exercised their right of opposition and who do not appear on advertising exclusion lists (Robinson List). Those interested parties who are on advertising exclusion lists and/or have exercised their right of opposition before Factor Energía will not be recipients of advertising campaigns of any type.<br />
<br />
The commercial communications received by the interested parties allow them to exercise their right to oppose the sending of advertising, in such a way that, simply and free of charge, interested parties can inform Factor Energía that they do not wish to receive advertising from it.<br />
<br />
These campaigns are foreseen as a specific action, which may be reinforced with the carrying out of other similar campaigns later, once at least a period of six (6) months has elapsed from the sending of the communications of the previous campaign.<br />
<br />
Factor Energía reinforces the channels to guarantee the adequate exercise by the interested parties of the rights established in the data protection regulations, establishing both postal and electronic channels, without prejudice to the fact that, in accordance with the provisions of the data protection regulations, the interested party may exercise their rights through the channel they deem convenient.<br />
<br />
All communications contain information about the processing of your personal data in accordance with the requirements of articles 13 or 14 of the GDPR.<br />
<br />
3. Result<br />
<br />
Based on all of the above, it is determined that Factor Energía can carry out the processing consisting of the sending by postal mail of advertising communications to potential customers (direct marketing).<br />
<br />
It is a processing that will have a positive impact on Factor Energía and that, in turn, entails a low impact on the rights and freedoms of the interested parties.”<br />
<br />
The use of SIPS data:<br />
<br />
Regarding the use of SIPS data, FACTOR ENERGIA provides (document 5 attached to Brief #1) a copy of the code of conduct on the processing of data included in the SIPS dated April 24, 2019, from which the following paragraphs are extracted:<br />
<br />
<br />
"Specifically, this RD 1435/2002 contemplates the possibility that all electricity retailers access and consult the information available in the Supply Point Information System (SIPS) managed by the distributors, as reading managers, and specifically certain data contained therein. Therefore, and as can be deduced from the preamble to the aforementioned RD 1435/2002, the SIPS was configured as a tool to encourage greater competition in the retail electricity market.<br />
<br />
Subsequently, Royal Decree 1074/2015, of November 27, which modifies different provisions in the electricity sector, introduced some changes in the regulation of the electricity SIPS database, partially modifying art. 7 of Royal Decree 1435/2002, and specifically eliminating the possibility of retailers accessing certain data from the SIPS database of the distributors and establishing the obligation of retailers to sign a code of conduct and guarantee the confidentiality of the information contained in said database.<br />
<br />
Regarding the regulation of natural gas, Royal Decree 1434/2002, of December 27, which regulates the activities of transportation, distribution, marketing, supply and authorization procedures for natural gas installations (RD 1434/2002), established in its art. 43 a similar regulation, although with some differences, RD 1434/2002 not being affected by the modifications of RD 1074/2015.<br />
<br />
[…] The Company assumes the firm commitment to comply with the following obligations:<br />
<br />
[…] - Process the SIPS Data only for the purposes of the retail activity (electricity and gas, respectively), both in relation to potential customers/non-customers and customer management, regardless of their access tariff and the specific regime applicable in each case (including those covered by self-consumption in the case of electricity), not using them for a purpose other than that which justifies their assignment to the Company in its capacity as retailer by the corresponding distribution company or the CNMC.”<br />
<br />
Article 7 of Royal Decree 1435/2002, which regulates the content of the SIPS in the electricity sector, specifies the following:<br />
<br />
"1. The distribution companies must have a database referring to all the supply points connected to their networks and to the transport networks of their area, permanently complete and up-to-date, containing at least the following data:<br />
<br />
a) Universal Supply Point Code, that is, the complete “CUPS”.<br />
<br />
[…] c) Location of the supply point, which includes the full address (type of road, street name, number, floor and door). This information must refer at all times to the supply point and not to the location, town and province of the owner of said supply point, which is required in letter aa) of this same article.<br />
<br />
d) Town of the supply point, which includes the name of the town and the postal code. This information must refer at all times to the supply point and not to the location, town and province of the owner of said supply point.<br />
<br />
e) Name of the province of the supply point. This information must refer at all times to the supply point and not to the location, town and province of the owner of said supply point.<br />
<br />
[...] z) Name and surnames, or where appropriate company name and corporate form, of the owner of the supply point.<br />
<br />
[…] aa) Full address of the owner of the supply point. This information must refer at all times to the owner of the supply point and not to the location, town and province of said supply point, which is required in letter c) of this same article.<br />
<br />
[…] ac) Retail company that currently supplies<br />
<br />
[…] In any case, neither the retail companies nor the National Commission for Markets and Competition may access any information that directly identifies the owner of the supply point, and in particular the data collected in sections c), z) and aa) of section 1.<br />
<br />
Additionally, retail companies will not be able to access the information of section ac), which is accessible to the National Commission for Markets and Competition in the exercise of its functions.”<br />
<br />
In relation to the use of electricity SIPS data in order to carry out commercial communications to non-customers, FACTOR ENERGIA states that it uses them to "obtain estimated and standardized data on the consumption habits of the population according to household characteristics”. It clarifies that "they do not refer to personalized data or data linked to the personal data of the people to whom the commercial or advertising communication was addressed”. Thus, it provides (document 8 attached to Brief #1) a description of the estimation process that is carried out to adapt, together with the "installers", the offer of self-consumption (infrastructure of solar panels, etc.). For this, according to this document, it uses:<br />
<br />
- The unprotected public data of the cadastre (mapping and descriptive and graphic cadastral consultation -surface, cadastral reference, address, land class, year of construction-). Examples of the publicly available information obtained from the electronic headquarters of the cadastre are included.<br />
<br />
- Non-individualized (anonymized) information from the SIPS database of the distribution company, which allows, through aggregation by postal code, the assignment of an average installed power, average contracted power and estimated average annual consumption to the supplies of a given area, according to type of supply.<br />
<br />
Article 43 of Royal Decree 1434/2002, which regulates the content of the "System of exchange of information for the management of the change of supplier" in the gas sector, specifies the following:<br />
<br />
"2. The distribution companies must have, as support for the system of exchange of information, a database referring to all supply points connected to their networks and to the transport networks in their area, permanently complete and updated, containing at least the following data related to the supply point:<br />
<br />
1st Supply point identification code, that is, the complete “CUPS”.<br />
<br />
[…] 3rd Location of the supply point: address, town and province, which includes the complete address (type of road, name of the road, number, floor and door), name of the town, postal code and name of the province. This information must refer at all times to the supply point and not to the location, town and province of the owner of said supply point, which is required in ordinal 16 of this same section.<br />
<br />
[…] 14. Data relating to the owner of the supply point: natural person or legal person.<br />
<br />
15. Name and surname, or, where appropriate, company name and corporate form, of the owner of the supply point.<br />
<br />
16. Full address of the owner of the supply point. This information must refer at all times to the owner of the supply point and not to the location, town and province of said supply point, which is required in ordinal 3 of this same section.<br />
<br />
5. Retailers registered in the corresponding section of the Administrative Registry of Distributors, Retailers and Direct Consumers in the Market, as well as the Supplier Changes Office, in accordance with the standard regulating its operation, will be able to freely access the databases of supply points of each distribution company”<br />
<br />
Thus, according to the CNMC website (see Diligence References):<br />
<br />
<br />
"However, it must be clarified that the CNMC's electricity SIPS does not have information that identifies the owner of a supply point. This information was eliminated by Royal Decree 1074/2015, of November 27, which modifies different provisions in the electricity sector. In the second article of the aforementioned Royal Decree, a modification of article 7.2 of Royal Decree 1435/2002 was approved, including that: «In any case, neither the retail companies nor the National Commission for Markets and Competition will be able to access any information that directly identifies the owner of the supply point […]”.<br />
<br />
[…] In the field of natural gas, the SIPS accessed contains the identification of the owner of the supply point and his address.”<br />
<br />
FACTOR ENERGIA is registered in the CNMC's List of Electricity and Gas Retailers.<br />
<br />
In relation to the duty of information to the interested party:<br />
<br />
FACTOR ENERGIA declares that it is fulfilled through the inclusion, in the advertising communication, of the following text: "In accordance with the regulations on the protection of personal data, that is, in accordance with the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), we indicate that the data comes from sources obtained lawfully and/or sources of public access available without restrictions, and that this communication is made according to the admissible requirements in the indicated regulations. You can exercise your rights of access, rectification, cancellation, opposition, transparency of information, deletion, limitation and portability by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal, 612 Entl. 08021 Barcelona or by email at dpo@factorenergia.com. Likewise, you will have the right to direct your claims to the data protection authorities. For more information, consult our privacy policy on our website www.factorenergia.com.”<br />
<br />
It also states that its website (www.factorenergia.com) includes the privacy policy (document 4 attached to Brief #1). It contains sections with information on: data of the controller and contact of the DPO; purposes of the processing; legal bases of the processing; recipients; possibility of exercising rights and filing a claim with the AEPD; retention periods; additional information (indication of the implementation of security measures and guarantees with the processors of article 28 of the GDPR).<br />
<br />
Regarding the specific case that is the object of the claim, FACTOR ENERGIA (Brief #1) states that the personal data of the claimant that appear in its systems are: name and surname; postal address. It reiterates that the origin of these data are "public sources, without the fact that to date we can accurately identify their exact traceability”. It states that the data retention period is one year, although "in this case they are blocked and are only kept by the fact of having responded to the previous requirement related to the file referred to in the margin and without the company carrying out or going to carry out any other processing of said data.”<br />
<br />
As previously seen, FACTOR ENERGIA states that it also has the technical data of the supply points extracted from the SIPS (article 7 of Royal Decree 1435/2002), which it periodically downloads from the distribution companies. With them, as has been seen, it obtains "estimated and standardized data on the consumption habits of the population according to the characteristics of the households" that "do not refer to personalized data or data linked to the personal data of the people to whom the commercial or advertising communication was directed”.<br />
<br />
In relation to compliance with the duty of information, FACTOR ENERGIA provides (document 7 attached to Brief #1) what it states would be the reverse of the communication provided by the complaining party, which includes the paragraph mentioned previously (translation into Spanish of the original in Catalan):<br />
<br />
"In accordance with the personal data protection regulations, that is, in accordance with the General Data Protection Regulation (RGPD) and Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), we indicate that the data comes from sources lawfully obtained and/or publicly accessible sources available without restriction, and that this communication is carried out according to the admissible requirements in the indicated regulations. You can exercise your rights of access, rectification, cancellation, opposition, transparency of information, deletion, limitation and portability by contacting FACTOR ENERGIA, SA by postal mail at the address av. Diagonal, 612 Int. 08021 Barcelona or by email at dpo@factorenergia.com. Likewise, you will have the right to direct your claims to the data protection authorities. For more information see our privacy policy at our website www.factorenergia.com.”<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions dictated in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
<br />
Article 6 of the GDPR, Lawfulness of processing, establishes in point 1 that:<br />
<br />
"1. Processing will only be lawful if at least one of the following conditions is fulfilled:<br />
a) the interested party gave their consent for the processing of their personal data for one or more specific purposes;<br />
b) the processing is necessary for the performance of a contract to which the interested party is a party or for the application, at the request of the latter, of pre-contractual measures;<br />
c) the processing is necessary for compliance with a legal obligation applicable to the data controller;<br />
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;<br />
e) the processing is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller;<br />
f) the processing is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that such interests are not overridden by the interests or the rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child.<br />
<br />
The provisions of letter f) of the first paragraph shall not apply to the processing carried out by public authorities in the exercise of their functions.”<br />
<br />
On the other hand, article 4 of the GDPR, Definitions, in its sections 1, 2 and 11, notes that:<br />
<br />
“1) “personal data” means any information about an identified or identifiable natural person ("the data subject"); an identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person;<br />
<br />
2) "processing": any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, comparison or interconnection, limitation, deletion or destruction;<br />
<br />
11) "consent of the interested party": any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data that concern them."<br />
<br />
<br />
In the present case, in order to analyze the validity of this legitimizing basis, each of the elements that concur in it must be examined to prove the lawfulness of the processing. The criteria established for this in Opinion 06/2014, of April 9, on the concept of legitimate interest of the data controller under Article 7 of Directive 95/46/EC, of the Article 29 Working Party (hereinafter, Opinion 06/2014), should be taken into account.<br />
<br />
<br />
1. Legitimate interest of the controller<br />
<br />
Recital 47 of the GDPR provides as follows:<br />
<br />
<br />
“The legitimate interests of a controller, including those of a controller to which the personal<br />
data may be disclosed, or of a third party, may provide a legal basis for processing, provided<br />
that the interests or the fundamental rights and freedoms of the data subject are not overriding,<br />
taking into consideration the reasonable expectations of data subjects based on their relationship<br />
with the controller. Such legitimate interest could exist for example where there is a relevant<br />
and appropriate relationship between the data subject and the controller in situations such as<br />
where the data subject is a client or in the service of the controller. At any rate the existence<br />
of a legitimate interest would need careful assessment including whether a data subject can<br />
reasonably expect at the time and in the context of the collection of the personal data that<br />
processing for that purpose may take place. The interests and fundamental rights of the data<br />
subject could in particular override the interest of the data controller where personal data are<br />
processed in circumstances where data subjects do not reasonably expect further processing. Given<br />
that it is for the legislator to provide by law for the legal basis for public authorities to<br />
process personal data, that legal basis should not apply to the processing by public authorities<br />
in the performance of their tasks. The processing of personal data strictly necessary for the<br />
purposes of preventing fraud also constitutes a legitimate interest of the data controller<br />
concerned. The processing of personal data for direct marketing purposes may be regarded as<br />
carried out for a legitimate interest.”<br />
<br />
<br />
For its part, Opinion 06/2014 contains a similar statement. It first indicates that:<br />
<br />
“An interest must be sufficiently clearly articulated to allow the balancing test to be carried<br />
out against the interests and fundamental rights of the data subject. Moreover, the interest at<br />
stake must also be ‘pursued by the controller’. This requires a real and present interest,<br />
something that corresponds with current activities or benefits that are expected in the very near<br />
future. In other words, interests that are too vague or speculative will not be sufficient.”<br />
<br />
In this sense, the Opinion clarifies, for a legitimate interest to be relevant it must:<br />
<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 18/28<br />
<br />
- be lawful (i.e. in accordance with applicable EU and national law);<br />
- be sufficiently clearly articulated to allow the balancing test to be carried out against the<br />
interests and fundamental rights of the data subject (i.e. sufficiently specific);<br />
- represent a real and present interest (i.e. not be speculative).<br />
<br />
It then includes a non-exhaustive list of some of the most common contexts in which the question<br />
of legitimate interest within the meaning of Article 7(f) may arise. Among them it includes<br />
“conventional direct marketing and other forms of marketing or advertising”.<br />
<br />
In principle, it could be considered that processing carried out for the purposes of “direct<br />
marketing” and “conventional direct marketing and other forms of advertising” would in principle<br />
constitute a legitimate interest. This does not mean that every processing operation carried out<br />
for that purpose can be regarded as covered by the legal basis of legitimate interest. Indeed,<br />
Opinion 06/2014 clarifies:<br />
<br />
“The legitimacy of the controller's interest is only a starting point, one of the elements to be<br />
analysed under Article 7(f). Whether Article 7(f) can be relied upon as a legal basis will depend<br />
on the outcome of the balancing test that follows.”<br />
<br />
Therefore, the controller remains bound by the balancing exercise provided for in article 6.1.f)<br />
GDPR, under which processing is lawful if it “is necessary for the purposes of the legitimate<br />
interests pursued by the controller or by a third party, except where such interests are<br />
overridden by the interests or fundamental rights and freedoms of the data subject which require<br />
protection of personal data, in particular where the data subject is a child”.<br />
<br />
<br />
1. Weighting of rights and interests<br />
<br />
In order to carry out the balancing exercise provided for in the Regulation, the respondent has<br />
argued:<br />
<br />
<br />
- As the controller's interest: attracting customers and an “increase in its visibility in the<br />
market”.<br />
<br />
- As regards the possible impact on the rights of the complainant, the controller minimised it<br />
with various arguments, among them: the scarcity and minor nature of the data processed<br />
(identity and contact details); the absence of legal effects on the data subject (contracting,<br />
access to services); the minimal intrusion into the data subject's sphere (receipt of a postal<br />
communication, less invasive than other channels); the existence of safeguards applicable to the<br />
processing; respect for those who exercise their right to object; and the existence of channels<br />
for the exercise of data protection rights, safeguards which are imposed by law and not granted<br />
graciously by the controller.<br />
<br />
<br />
<br />
1. Rights of the data subject<br />
<br />
<br />
If the legitimate interest alleged by the controller is accepted, it must also be analysed how the<br />
rights and interests of the data subject are affected, so that the balancing test can be<br />
concluded.<br />
<br />
In this regard, special attention must be paid to the impact that the processing may have on the<br />
data subject. The respondent focuses on declaring that this impact would not be significant,<br />
given the channel used (postal mail) and the little or no effect on the legal sphere of the data<br />
subject. However, these are not the only parameters to be taken into account. In this regard,<br />
Opinion 06/2014 states:<br />
<br />
“The controller's legitimate interest, when minor and not very compelling, may, in general, only<br />
override the interests and rights of data subjects in cases where the impact on these rights and<br />
interests is even more trivial.”<br />
<br />
In the case at hand, it is clear that the controller's interest cannot be described as<br />
“compelling”, since, as the controller itself indicates, it amounts to its interest in attracting<br />
new customers. This means, as the Opinion indicates, that a more demanding standard must be<br />
applied as regards the affected rights of the complainant. The Opinion continues:<br />
<br />
“The term ‘impact’ as used in this Opinion covers any possible (potential or actual) consequences<br />
of the data processing. The concept is not related to the notion of a personal data breach and is<br />
much broader than the consequences that may flow from such a breach.”<br />
<br />
And as to the type of effect that the processing may have on the data subject, it states the<br />
following:<br />
<br />
<br />
“In addition to adverse outcomes that can be specifically foreseen, broader emotional impacts must<br />
also be taken into account, such as the irritation, fear and distress that may result from a data<br />
subject losing control over personal information, or realising that it has been or may be misused<br />
or compromised, for example through exposure on the internet. The chilling effect on protected<br />
behaviour, such as freedom of research or free speech, that may result from continuous monitoring<br />
or surveillance must also be taken into account.”<br />
<br />
<br />
It cannot be forgotten that the complaint was filed by the complainant after having received a<br />
postal communication of a promotional nature, which was addressed directly to her because it<br />
contained her identification and contact details. Therefore, the criterion used by the respondent<br />
cannot be shared when it states that “this [postal] channel should be considered less aggressive<br />
and invasive than other channels commonly used to send advertising, such as commercial calls<br />
and/or the sending of emails”.<br />
<br />
<br />
<br />
In this regard, it should be noted that, although channels such as the telephone could in<br />
principle be considered more “invasive”, the truth is that the person who receives a call may<br />
believe that the caller does not hold their identifying data, whereas receiving a postal<br />
communication bearing identification and contact details makes the data subject certain that<br />
whoever sends the communication holds those data. Not being a customer of the entity, uncertainty<br />
also arises as to what the source of knowledge of the data could have been, which leads the data<br />
subject to doubt their control over them.<br />
<br />
<br />
This leads us to the concept of “reasonable expectation” as a criterion to be taken into account<br />
in the processing of data based on legitimate interest.<br />
<br />
2. Reasonable expectation in data processing<br />
<br />
<br />
As previously mentioned, Recital 47 GDPR establishes, in relation to the legal basis of<br />
legitimate interest, that it may apply when the interest of the controller does not prevail over<br />
the rights of the data subject, “taking into consideration the reasonable expectations of data<br />
subjects based on their relationship with the controller. Such legitimate interest could exist for<br />
example where there is a relevant and appropriate relationship between the data subject and the<br />
controller in situations such as where the data subject is a client or in the service of the<br />
controller”.<br />
<br />
The reasonable expectation that the data subject may have regarding the processing of the data is<br />
crucial in the balancing test between the interests of the controller and the rights of the data<br />
subject. Opinion 06/2014 states:<br />
<br />
<br />
“The reasonable expectations of the data subject regarding the use and disclosure of the data are<br />
also very relevant here. As was highlighted regarding the analysis of the purpose limitation<br />
principle, it is important to consider whether the status of the controller, the nature of the<br />
relationship or the service provided, or the applicable legal or contractual obligations (or other<br />
promises made at the time of collection) could give rise to reasonable expectations of stricter<br />
confidentiality and stricter limitations on further use.”<br />
<br />
The clearest example of reasonable expectation in cases of receipt of advertising communications<br />
arises from having previously been a customer of a company, or at least having contacted it to<br />
inquire about the products or services it markets.<br />
<br />
In the present case, the complainant has not been a customer of the respondent, nor has she<br />
contacted it to inquire about the services of the company in question. Hence her surprise at<br />
receiving a commercial communication bearing her identification and contact details.<br />
<br />
The respondent, for its part, alleges that:<br />
<br />
<br />
“In this consideration, the reasonable expectation of the data subject regarding the processing of<br />
their personal data for this purpose must be taken into account. In this sense, we must bear in<br />
mind that it is common practice in the market to send advertising by postal mail to potential<br />
customers, and, moreover, in view of market practice, data subjects are perfectly aware of the<br />
possibility that such communications may appear in their mailbox and that, in addition, they can<br />
be beneficial or provide added value to them in their role as consumers.”<br />
<br />
That is, it provides no justification for the existence of a reasonable expectation, beyond<br />
indicating that any citizen can expect to receive a postal advertising communication in their<br />
mailbox without previously having been a customer or having shown interest in the services of a<br />
company.<br />
<br />
It is worth mentioning Report 2018/0173 of this Agency's Legal Department, which analyses the<br />
lawfulness of direct marketing actions, both those carried out by electronic means and by other<br />
means. In this regard, even where a data subject has previously been a customer of a company, or<br />
has shown interest in its goods or services, it clarifies that direct marketing actions must be<br />
limited to goods or services similar to those previously contracted.<br />
<br />
“As indicated in the report just reproduced, the general criterion for considering that the<br />
processing of the data may be based on the balancing rule of the controller's legitimate interest<br />
would be that the services and products offered are those of the controller itself. In this sense,<br />
it was clarified that, when dealing with credit institutions, such advertising should be understood<br />
as referring to that entity's own asset or liability products, but not to other financial products<br />
such as, as expressly indicated, insurance. This is based on the fact that, in relation to such<br />
products, the data subject has no reasonable expectation that their data will be processed by the<br />
bank for the offer of products that are in principle unrelated to those contracted when<br />
approaching it.”<br />
<br />
<br />
Bearing in mind that, even having previously been a customer, the criterion for sending commercial<br />
communications is restrictive (and must be limited to the products contracted), it is all the more<br />
so where the person has never been a customer, in which case no such products and services exist.<br />
<br />
<br />
<br />
3. Data processed<br />
<br />
Another of the respondent's arguments consists of insisting on the nature of the data, which would<br />
consist only of the complainant's identity and postal address. In this regard, it should be noted<br />
that, although it is true that no special categories of data under article 9 GDPR are involved,<br />
Opinion 06/2014 clarifies that:<br />
<br />
“In general, the more sensitive the information involved, the more consequences there may be for<br />
the data subject. This does not mean, however, that data which may seem innocuous in and of<br />
themselves can be freely processed on the basis of Article 7(f). Indeed, even such data, depending<br />
on how they are processed, can have a significant impact on individuals.”<br />
<br />
<br />
This, combined with the absence of a reasonable expectation on the part of the data subject<br />
regarding the processing of her data, means that the nature of the data processed cannot, by<br />
itself, justify the legitimate interest in the processing.<br />
<br />
<br />
<br />
4. How the data is processed<br />
<br />
Another aspect to be taken into account when balancing rights and interests is the assessment of<br />
necessity, suitability and proportionality in the processing of data. In this regard, Opinion<br />
06/2014 indicates the following:<br />
<br />
“In general, the more negative or uncertain the impact of the processing might be, the more<br />
unlikely it is that the processing will be considered legitimate on the whole. The availability of<br />
alternative methods to achieve the goals pursued by the controller, with less negative impact for<br />
the data subject, should certainly be a relevant consideration in this context.”<br />
<br />
In this regard, the respondent alleges that “in the assessment of Factor Energía there is no<br />
alternative method that allows us to communicate our interest in offering our services and that<br />
likewise allows us to comply with our legal obligations (to inform data subjects about the<br />
processing of their personal data) with the least impact on data subjects”.<br />
<br />
Suffice it to say that it would have been enough to carry out a mailing campaign without including<br />
the complainant's data. This is especially so when the respondent itself has clarified that the<br />
indication of suitable tariffs based on consumption, which is included in the letter, is not based<br />
on specific data of the complainant but on estimates for the area. On the basis of this statement,<br />
it would not be necessary for the letter to be accompanied by identification data.<br />
<br />
<br />
Accordingly, the processing carried out does not pass the proportionality test, nor does it respect<br />
the principle of minimum intervention, since there are methods that would not require processing.<br />
<br />
5. Position of the controller and the data subject<br />
<br />
In carrying out the balancing test, attention must be paid to the position of the complainant as<br />
against the respondent. Thus, in the first case we find a citizen or user, while the respondent is<br />
an electricity retail company.<br />
<br />
In this regard, Opinion 06/2014 advises paying attention to the situation of imbalance between the<br />
two:<br />
<br />
“Depending on whether the controller is an individual or a small organisation, a large<br />
multinational company or a public sector body, and on the specific circumstances, its position may<br />
be more or less dominant vis-à-vis the data subject.<br />
<br />
Whether the data subject is an employee, a student, a patient, or whether there is otherwise an<br />
imbalance in the relationship between the position of the data subject and that of the controller<br />
must also, of course, be considered relevant. It is important to assess the effect of the actual<br />
processing on particular individuals.”<br />
<br />
<br />
6. Conclusions on the weighting of rights and interests<br />
<br />
Based on the factors analysed, it cannot be concluded that in the present case the pursuit of<br />
legitimate interests, when compared with the impact on the complainant's rights, justifies the use<br />
of the legal basis of legitimate interest for the processing of data for direct marketing<br />
purposes. This is based on the following:<br />
<br />
<br />
- The existence of an impact on the rights and interests of the complainant has been established.<br />
The complainant received a commercial communication from a company of which she was not a<br />
customer, which processed her personal data (name, surname and address), causing a situation of<br />
uncertainty about the origin of the data and whether they could be available to other entities.<br />
<br />
- The absence of a reasonable expectation on the part of the complainant that her data might be<br />
processed by this company for these purposes has been established. This is above all because, in<br />
the case of a direct marketing action, it has not been shown that the complainant was previously a<br />
customer, nor that she had shown interest in the services of the respondent.<br />
<br />
- The non-existence of alternative methods, in application of the principle of minimum<br />
intervention, that did not involve the processing of personal data in order to carry out marketing<br />
activities under the conditions in which the respondent was carrying them out has not been<br />
justified.<br />
<br />
- The existence of an imbalance between the position of the complainant (consumer) and that of the<br />
respondent (distribution company in the electricity sector) has been established.<br />
<br />
II<br />
In accordance with the evidence available at the present time of the agreement to initiate the<br />
sanctioning procedure, and without prejudice to what results from the investigation, it is<br />
considered that the known facts could constitute an infringement, attributable to the respondent,<br />
of article 6.1 of the GDPR, since the data processing carried out, that is, the postal marketing<br />
activity addressed to the complainant with her name, surnames and address, was carried out without<br />
a legal basis.<br />
<br />
<br />
IV<br />
If confirmed, the aforementioned infringement of article 6.1 of the GDPR could lead to the<br />
commission of the infringements typified in article 83.5 of the GDPR, which, under the heading<br />
“General conditions for imposing administrative fines”, provides:<br />
<br />
<br />
“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to<br />
administrative fines up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total<br />
worldwide annual turnover of the preceding financial year, whichever is higher:<br />
<br />
<br />
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5,<br />
6, 7 and 9; (…)”<br />
<br />
In this regard, the LOPDGDD, in its article 71 “Infringements”, establishes that:<br />
<br />
“The acts and conduct referred to in paragraphs 4, 5 and 6 of article 83 of Regulation (EU)<br />
2016/679, as well as those that are contrary to this Organic Law, constitute infringements”.<br />
<br />
For the purposes of the limitation period, article 72 “Infringements considered very serious” of<br />
the LOPDGDD indicates:<br />
<br />
<br />
“1. In accordance with article 83.5 of Regulation (EU) 2016/679, infringements that involve a<br />
substantial breach of the articles mentioned therein are considered very serious and shall be<br />
time-barred after three years, and in particular the following:<br />
<br />
<br />
b) The processing of personal data without any of the conditions of lawfulness established in<br />
article 6 of Regulation (EU) 2016/679 being met. (…)”<br />
<br />
V<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, in<br />
accordance with the evidence available at the present time of the agreement to initiate the<br />
sanctioning procedure, and without prejudice to what results from the investigation, it is<br />
considered that the infringement in question is serious for the purposes of the GDPR and that it<br />
is appropriate to grade the sanction to be imposed in accordance with the following criteria<br />
established in article 83.2 of the GDPR:<br />
<br />
<br />
As aggravating factors:<br />
- Negligence in the infringement (Art. 83.2.b). It must be taken into account that FACTOR ENERGIA<br />
has not even been able to prove the source from which it obtained the complainant's data,<br />
indicating that they were obtained from “publicly accessible sources” without being able to<br />
specify the specific source. This indicates, at the very least, a considerable lack of diligence.<br />
<br />
Likewise, it is considered appropriate to grade the sanction to be imposed in accordance with the<br />
following criteria established in section 2 of article 76 “Sanctions and corrective measures” of<br />
the LOPDGDD:<br />
<br />
<br />
As aggravating factors:<br />
- The link between the offender's activity and the processing of personal data (Art. 76.1.b).<br />
FACTOR ENERGIA, a company engaged in the retail of electricity, handles a large volume of personal<br />
data, for which reason it must have extensive knowledge of the regulations relating to data<br />
protection and its management.<br />
<br />
<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the<br />
LOPDGDD, with respect to the infringement committed by breaching the provisions of article 6.1 of<br />
the GDPR, allows an initial penalty of €40,000 (FORTY THOUSAND euros) to be set.<br />
<br />
<br />
VI<br />
If the infringement is confirmed, the controller could be ordered to adopt appropriate measures to<br />
bring its conduct into line with the regulations mentioned in this act, in accordance with the<br />
aforementioned article 58.2 d) of the GDPR, according to which each supervisory authority may<br />
“order the controller or processor to bring processing operations into compliance with the<br />
provisions of this Regulation, where appropriate, in a specified manner and within a specified<br />
period…”. The imposition of this measure is compatible with the sanction consisting of an<br />
administrative fine, in accordance with the provisions of art. 83.2 of the GDPR.<br />
<br />
It is noted that failure to comply with the requirements of this body may be considered an<br />
administrative infringement in accordance with the provisions of the GDPR, typified as an<br />
infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a<br />
subsequent administrative sanctioning procedure.<br />
<br />
<br />
Therefore, in accordance with the foregoing, the Director of the Spanish Data Protection Agency<br />
RESOLVES:<br />
<br />
<br />
FIRST: TO INITIATE SANCTIONING PROCEEDINGS against FACTOR ENERGÍA, S.A., with NIF A61893871, for<br />
the alleged infringement of article 6.1 of the GDPR, typified in article 83.5 of the GDPR.<br />
<br />
SECOND: TO APPOINT C.C.C. as investigating officer and D.D.D. as secretary, indicating that either<br />
of them may be challenged, where applicable, in accordance with articles 23 and 24 of Law 40/2015,<br />
of October 1, on the Legal Regime of the Public Sector (LRJSP).<br />
<br />
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint filed by<br />
the complainant and its documentation, as well as the documents obtained and generated by the<br />
Sub-directorate General for Data Inspection in the actions prior to the start of this sanctioning<br />
procedure.<br />
<br />
FOURTH: THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of October 1, on the<br />
Common Administrative Procedure of Public Administrations, the sanction that could correspond<br />
would be, for the alleged infringement of article 6.1 of the GDPR, typified in article 83.5 of<br />
said regulation, an administrative fine of €40,000.00.<br />
<br />
FIFTH: TO NOTIFY this agreement to FACTOR ENERGÍA, S.A., with NIF A61893871, granting it a hearing<br />
period of ten business days to submit the allegations and evidence it deems appropriate. In its<br />
written allegations it must provide its NIF and the procedure number that appears in the heading<br />
of this document.<br />
<br />
<br />
If, within the stipulated period, it does not submit allegations to this initiation agreement, the<br />
agreement may be considered a proposed resolution, as established in article 64.2.f) of Law<br />
39/2015, of October 1, on the Common Administrative Procedure of Public Administrations<br />
(hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its<br />
responsibility within the period granted for submitting allegations to this initiation agreement,<br />
which will entail a reduction of 20% of the sanction to be imposed in these proceedings. With the<br />
application of this reduction, the sanction would be set at 32,000.00 euros, and the procedure<br />
would be resolved with the imposition of this sanction.<br />
<br />
Likewise, at any time prior to the resolution of this procedure, it may make voluntary payment of<br />
the proposed sanction, which will entail a reduction of 20% of its amount. With the application of<br />
this reduction, the sanction would be set at 32,000.00 euros and its payment will entail the<br />
termination of the procedure.<br />
<br />
The reduction for voluntary payment of the sanction is cumulative with the reduction for<br />
acknowledgment of responsibility, provided that the acknowledgment of responsibility is made within<br />
the period granted for submitting allegations at the opening of the procedure. Voluntary payment<br />
of the amount referred to in the previous paragraph may be made at any time prior to the<br />
resolution. In this case, if both reductions were applied, the amount of the sanction would be set<br />
at 24,000.00 euros.<br />
<br />
In any case, the effectiveness of either of the two aforementioned reductions is conditional on<br />
the withdrawal of, or waiver of the right to, any administrative action or appeal against the<br />
sanction.<br />
<br />
<br />
Should it choose to make voluntary payment of any of the amounts indicated above (32,000.00 euros<br />
or 40,000.00 euros), it must do so by depositing the amount in account number ES00 0000 0000 0000<br />
0000 0000, opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A.,<br />
indicating in the payment reference the procedure number that appears in the heading of this<br />
document and the cause of the reduction of the amount.<br />
<br />
Likewise, it must send proof of payment to the Sub-directorate General for Inspection in order to<br />
continue with the procedure in accordance with the amount paid.<br />
<br />
The procedure will have a maximum duration of nine months from the date of the initiation<br />
agreement or, where applicable, of the draft initiation agreement. After this period, the procedure<br />
will lapse and, consequently, the proceedings will be closed, in accordance with the provisions of<br />
article 64 of the LOPDGDD.<br />
<br />
Finally, it is noted that, in accordance with the provisions of article 112.1 of the LPACAP, there<br />
is no administrative appeal against this act.<br />
<br />
<br />
935-110422<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
<br />
<br />
>><br />
<br />
SECOND: On November 17, 2022, the respondent paid the penalty in the amount of 24,000 euros, making<br />
use of the two reductions provided for in the initiation agreement transcribed above, which entails<br />
acknowledgment of responsibility.<br />
<br />
THIRD: The payment made, within the period granted for submitting allegations to the opening of the<br />
procedure, entails the waiver of any administrative action or appeal against the sanction and<br />
acknowledgment of responsibility in relation to the facts referred to in the initiation agreement.<br />
<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
Yo<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, by the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP), under the heading<br />
"Termination in disciplinary proceedings" provides the following:<br />
<br />
"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
<br />
2. When the sanction has only a pecuniary nature or it is possible to impose a<br />
pecuniary sanction and another of a non-pecuniary nature but the second is<br />
inadmissible, the voluntary payment by the presumed perpetrator, at<br />
any moment prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the offence.<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
competent body to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
<br />
The percentage reduction provided for in this section may be increased<br />
according to regulations."<br />
<br />
<br />
According to what has been stated,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: DECLARE the termination of procedure EXP202102778, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
<br />
SECOND: NOTIFY this resolution to FACTOR ENERGÍA, S.A.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, interested parties may file a contentious-administrative<br />
appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
<br />
936-040822<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_PS/00006/2022&diff=30211AEPD (Spain) - PS/00006/20222023-01-09T12:18:25Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00006-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00006-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=19.02.2019<br />
|Date_Decided=<br />
|Date_Published=02.01.2023<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 12 GDPR<br />
|GDPR_Article_Link_1=Article 12 GDPR<br />
|GDPR_Article_2=Article 17 GDPR<br />
|GDPR_Article_Link_2=Article 17 GDPR<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=COOLTRA MOTOSHARING, S.L.U.<br />
|Party_Link_1=https://cooltra.com/en/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA issued a warning against a controller for failing to comply with a data deletion request despite six different attempts by the data subject.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 19 February 2019, the data subject filed a complaint before the Italian Data Protection Authority against COOLTRA MOTOSHARING, S.L.U. (the controller). <br />
<br />
While registering for an account on the website of the controller, a motorcycle sharing company, the data subject was asked for further personal information beyond that already provided, and therefore decided to cancel their account. Since neither the controller's website nor its app offered an account cancellation option, the data subject requested the deletion of all their data and payment details via a generic email address of the company. Despite the request, the company asked for the missing personal details several times. <br />
<br />
The data subject then used the customer service chat, which confirmed that the deletion of their data had been carried out. To formally register the request, they were asked to email another generic mailbox, which did not accept incoming mail. The data subject then addressed the request to the controller's GDPR address indicated in the privacy policy for the exercise of data protection rights, but received no reply either. <br />
<br />
Despite all this, the data subject subsequently received various commercial messages from the controller.<br />
<br />
On 19 October 2020, the data subject's complaint was forwarded to the Spanish Data Protection Agency, where it was registered on 22 October 2020. The Spanish Data Protection Authority was therefore the lead supervisory authority, and the Italian Data Protection Authority a concerned supervisory authority.<br />
<br />
=== Holding ===<br />
The Spanish Authority held that the controller had failed to delete the data subject's personal data in due time, breaching [[Article 12 GDPR|Article 12 GDPR]] and [[Article 17 GDPR|Article 17 GDPR]].<br />
<br />
The Authority considered the infringement minor for the purposes of Article 83(2) GDPR, given that the controller had no previous history of non-compliance; the exceptional circumstances (temporary lay-offs due to the COVID-19 pandemic); the fact that the data subject sent some requests to an e-mail address other than the one indicated in the privacy policy; the fact that the erasure had been carried out in March 2019, even though the data subject had not been duly notified; and the fact that, as soon as the controller became aware of the complaint, it informed the data subject of the deletion and modified its protocols to avoid a repetition of an incident of this nature. A warning therefore replaced the fine.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/18<br />
<br />
File No.: PS/00006/2022<br />
<br />
IMI Reference: A56ID 157580- Case Register 354215<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
<br />
Of the procedure instructed by the Spanish Data Protection Agency, and based on<br />
the following<br />
<br />
BACKGROUND<br />
<br />
FIRST: A.A.A. (hereinafter, the complaining party) on February 19, 2019<br />
filed a claim with the Italian data protection authority. The<br />
claim is directed against COOLTRA MOTOSHARING S.L.U., with NIF B65874877<br />
(hereinafter, COOLTRA). The reasons on which the claim is based are the following:<br />
<br />
In the account registration process for the ECOOLTRA services available<br />
through its web portal, the company requested information from the complaining party<br />
after they had provided their driver's license and credit card details.<br />
At that time, the complaining party decided to cancel their account. Since<br />
no way was offered to delete the profile either on the web or in the app, the<br />
complaining party contacted COOLTRA through the email address<br />
info@ecooltra.com and requested the deletion of all their data and payment details<br />
stored in its systems.<br />
<br />
However, the company did not respond to the request, and again requested the<br />
same additional information multiple times. The complaining party resorted to the<br />
"chat" with Customer Service, where it was confirmed that the deletion of<br />
their data had been carried out. To formally register the request,<br />
they were urged to send it to a mailbox, ciao@ecooltra.com, which turned out not to accept<br />
incoming emails. The complaining party wrote to the address rgpd@ecooltra.com,<br />
indicated in the privacy policy for the exercise of data protection<br />
rights, but received no reply either. Instead, commercial messages from<br />
ECOOLTRA later arrived at their account.<br />
<br />
The timeline of events provided by the complaining party indicates the<br />
following:<br />
<br />
<br />
On October 18, 2018, COOLTRA registered the claimant's account, but<br />
requested additional information about their address and driver's license.<br />
<br />
That same day the complaining party requested by email - no<br />
profile deletion function being offered either on the website or through the app -<br />
to info@ecooltra.com that their profile be deleted along with all their data and<br />
payment details stored on the website, without providing the additional information that<br />
had been requested.<br />
<br />
On October 20, 2018, COOLTRA requested, once again, the aforementioned<br />
information to finalize the registration.<br />
<br />
On October 21, 2018, COOLTRA requested, once again, the aforementioned<br />
information to finalize the registration.<br />
<br />
On October 22, 2018, the complaining party requested by email - there being<br />
no profile deletion feature available either on the website or through the<br />
application - to info@ecooltra.com that their request be granted according to their email dated<br />
October 18, 2018.<br />
<br />
On October 28, 2018, COOLTRA requested, once again, the aforementioned<br />
information to finalize the registration.<br />
<br />
<br />
On October 30, 2018, the complaining party requested by email - there being<br />
no profile deletion feature available on the website or through the<br />
application - to info@ecooltra.com that their request be granted according to their<br />
emails of October 18 and 22, 2018.<br />
<br />
On October 30, 2018, the claimant contacted COOLTRA<br />
through the chat available on its website, in which they were assured that all their data<br />
had been erased. However, they were informed that the request for deletion<br />
should also be sent to ciao@ecooltra.com to be safe.<br />
<br />
It seems that the emails sent to ciao@ecooltra.com are not delivered since that<br />
account is not enabled to receive emails. The complaining<br />
party wrote a message, once again, to info@ecooltra.com.<br />
<br />
On November 22, 2018, the claimant received notices sent by<br />
email from the COOLTRA website.<br />
<br />
<br />
On November 23, 2018, the claimant sent an email to<br />
rgpd@ecooltra.com - there being no delete profile feature available on the<br />
website or through the application - requesting, according to the 'Privacy Policy' on the<br />
website, that their profile be deleted along with all their data and payment details<br />
stored on the website. They also attached their identification.<br />
<br />
<br />
On December 24 and 31, 2018 and February 11 and 19, 2019, the claimant<br />
received more announcements sent by email from the COOLTRA website.<br />
<br />
Along with the claim, the following are provided:<br />
<br />
- Copy of their ID<br />
<br />
- Copy of the COOLTRA privacy policy<br />
<br />
- Screenshot with the aforementioned exchange of emails between the<br />
complaining party and COOLTRA.<br />
<br />
SECOND: Through the "Internal Market Information System" (hereinafter<br />
IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the<br />
Council, of October 25, 2012 (IMI Regulation), whose objective is to promote<br />
cross-border administrative cooperation, mutual assistance between Member<br />
States and the exchange of information, on October 19, 2020<br />
the aforementioned claim was transmitted and given an entry registration date at the<br />
Spanish Data Protection Agency (AEPD) of October 22, 2020. The transfer of<br />
this claim to the AEPD is made in accordance with the provisions of article<br />
56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of<br />
04/27/2016, on the Protection of Natural Persons with regard to the<br />
Processing of Personal Data and the Free Movement of such Data (hereinafter,<br />
GDPR), taking into account its cross-border nature and that this Agency<br />
is competent to act as lead supervisory authority, since COOLTRA<br />
has its registered office and sole establishment in Spain.<br />
<br />
The data processing that is carried out affects interested parties in various<br />
Member States. According to the information incorporated into the IMI System, in<br />
accordance with the provisions of article 60 of the GDPR, only the Italian data<br />
protection authority acts as "supervisory authority concerned".<br />
<br />
<br />
THIRD: On January 26, 2021, in accordance with article 64.3 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (LOPDGDD), the claim submitted by the complaining party<br />
was admitted for processing.<br />
<br />
FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out<br />
preliminary investigative actions to clarify the facts in<br />
question, by virtue of the functions assigned to the supervisory authorities in<br />
article 57.1 and of the powers granted in article 58.1 of the GDPR, and in<br />
accordance with the provisions of Title VII, Chapter I, Second Section, of the<br />
LOPDGDD, obtaining knowledge of the following points:<br />
<br />
1. Decision adopted regarding this claim<br />
<br />
Upon receiving this claim, the COOLTRA DPD has reviewed all the<br />
attached documentation, has checked it with the affected departments within<br />
the organization (specifically, Legal, Marketing, Customer Service and HR), has<br />
checked the enclosed communications and has verified the operation of the<br />
system for responding to the exercise of rights of those affected.<br />
<br />
After collecting the information, a change in the current protocol has been<br />
established: the email rgpd@ecooltra.com will be managed directly<br />
by the DPD, having until then been managed by the<br />
Customer Service Department.<br />
<br />
<br />
2. Proof of the response provided to the request of the complaining party, regarding<br />
the exercise of the rights regulated in articles 15 to 22 of the GDPR<br />
<br />
COOLTRA representatives have verified that no express response was given to<br />
the complaining party, beyond the indications of the Customer Service<br />
department via chat dated October 30, 2018 that they should go to the mail<br />
ciao@ecooltra.com.<br />
<br />
As stated in the entity:<br />
<br />
The complaining party sent the first claims to the address<br />
info@ecooltra.com, which was not the address indicated in the Privacy Policy (this<br />
was rgpd@ecooltra.com). Although unsubscriptions are also managed in this email, the<br />
volume of communications is so high that some of them may be missed, which is why<br />
it is important that the exercise of rights be done through the channels established<br />
in the Privacy Policy that is accessible on the COOLTRA home page.<br />
Subsequently, via chat, they were told that they could request the cancellation without problems at the<br />
address ciao@ecooltra.com. However, the complaining party made a mistake when<br />
entering the email, as they wrote ciao@ecooltra.it. Therefore, it was never received.<br />
<br />
The complainant's profile remained active, although it was pending verification.<br />
However, having accepted the sending of communications related to the service,<br />
they kept receiving them.<br />
<br />
<br />
In the communications an almost automatic link was provided to unsubscribe,<br />
but it was not used.<br />
<br />
Finally, the complaining party correctly sent the email requesting<br />
unsubscription to rgpd@ecooltra.com on November 28, 2018, but it was not attended to<br />
due to a specific error and because the company was in the midst of implementing<br />
new protocols.<br />
<br />
Subsequently, it was detected that this email had not been answered and the Marketing<br />
Department simply removed them from the system, without proceeding to give them a<br />
response. The withdrawal was made on March 1, 2019.<br />
<br />
On February 17, 2021, an email was sent to the claiming party<br />
informing them of the cancellation of their data.<br />
<br />
<br />
3. Report on the causes that have motivated the incidence that has originated the<br />
claim<br />
<br />
The claim filed by the claimant took place in the month of October of<br />
the year 2018, the year of implementation of the GDPR, and when Organic Law 3/2018,<br />
of December 5, on the Protection of Personal Data and guarantee of digital rights,<br />
was not yet in force.<br />
<br />
The company was in a period of full implementation of new processes,<br />
there were still many practical doubts about how the new regulations would operate and,<br />
although there was adequate external advice, COOLTRA had still not<br />
appointed a DPD, which it did the following year.<br />
<br />
As the first relevant fact, it should be noted that the emails dated October 18,<br />
20 and 30, 2018 were all sent to info@ecooltra.com, and not to the email<br />
that was already indicated at that time in the privacy policy, which is<br />
rgpd@ecooltra.com. (Previously there was also a policy stating the mail<br />
ciao@ecooltra.com).<br />
<br />
COOLTRA is a company that has more than 1,200,000 users, and although<br />
a response is always given from the email info@ecooltra.com to users who<br />
want to unsubscribe, it is not the channel indicated in the privacy policy to exercise<br />
the rights of interested persons, which specifically indicates the email<br />
rgpd@ecooltra.com, since the exercise of user rights is channeled<br />
through a priority channel, in order to guarantee that each and every one of the<br />
requests is fully complied with in time and form and is answered, by<br />
protocol, in less than 24 hours, as well as forwarded, if necessary, to the<br />
Legal Department or DPD.<br />
<br />
When the complaining party contacted Customer Care and after explaining the situation,<br />
they were instructed to send an email to ciao@ecooltra.com. This happened in the<br />
midst of the process of implementing data protection measures, when the<br />
workers had not yet received all the new organizational and security<br />
protocols; for this reason they were given the old email enabled to carry out cancellations<br />
(ciao@ecooltra.com), which also worked, coexisting with the recently implemented<br />
rgpd@ecooltra.com until 2020.<br />
<br />
However, the claiming party made a mistake in the addressee and sent the<br />
email to ciao@ecooltra.it (.it and not .com), and therefore the address came out as<br />
invalid. If they had sent the email to the correct address, the cancellation would have been<br />
done right the first time.<br />
<br />
In relation to the communications they received after requesting the withdrawal, the<br />
representatives of the entity state the following:<br />
<br />
The claimant registered with a very particular service, one that provided the<br />
possibility of using company mopeds parked in their catchment area<br />
just by reserving them through the App for that purpose. By regulation, offering this<br />
service obliges the company to request specific personal information, which allows not<br />
only verifying the identity, but also that the user has the corresponding driving<br />
permit.<br />
<br />
That is why it is common for there to be users who have started to register,<br />
have accepted the terms and conditions, but are in a provisional situation<br />
because they have not sent all the documentation.<br />
<br />
The user, when requesting the service, can accept the sending of information of<br />
interest related to the service. In no case is indiscriminate "advertising" sent, but rather<br />
important communications for the correct execution of the service or communications<br />
that contain objectively interesting information for the user (free kilometers,<br />
pollution levels, etc.).<br />
<br />
Especially at the beginning, when the user has not yet submitted all the necessary information,<br />
communications are sent to remind them that the system has not allowed their<br />
identity and suitability to be validated and that they are not yet an active user. In parallel,<br />
communications directly related to the service are sent (not for the sale of<br />
alternative services of the company) or simply information of interest with the<br />
objective of informing and retaining the user.<br />
<br />
As the cancellation was not processed correctly and they were subscribed to the service, they received some<br />
communications (those that appear in the file, all related to the service<br />
for which they registered), taking into account that they had accepted them<br />
previously and in the emails they had the clear option in the footer to<br />
"unsubscribe".<br />
<br />
COOLTRA acknowledges that a mistake was made, because Ms. A.A.A. states that,<br />
finally, she sent the email correctly to rgpd@ecooltra.com and this was not<br />
answered within the 30-day period required by law. However, the cancellation was finally<br />
processed, specifically on March 1, 2019, the day the claimant was<br />
deregistered as stated in the COOLTRA user management platform.<br />
<br />
The fact is that it was a specific error, as has been verified by the company,<br />
which has reviewed all the communications received and how they have been managed. There<br />
are thousands of communications and all of them are recorded as having been managed<br />
correctly.<br />
<br />
During the first months of mandatory GDPR, two addresses coexisted,<br />
ciao@ and rgpd@. The change was not immediate, and in the first months the<br />
employees, out of habit, kept indicating the first. But this was not a<br />
problem, because it worked correctly.<br />
<br />
But in this case the complaining party made a mistake in the ciao@ address, and the<br />
rgpd@ address, still being tested, was not attended to in time because the<br />
recipient at that moment was not very clear about what should be done (almost everything was still received by ciao@).<br />
<br />
The reality is that, with the entry into force of Organic Law 3/2018, of December 5,<br />
and in application of organizational and technical measures,<br />
a clear action protocol was implemented, facilitated and improved in the event that<br />
any user would like to exercise their rights of access, rectification, opposition,<br />
limitation and, where appropriate, portability or cancellation.<br />
<br />
This protocol was implemented throughout the Customer Service Department, and<br />
it was indicated that it was mandatory for any related request, regardless of the<br />
channel, whether via rgpd@, info@, by phone or by chat.<br />
<br />
On the other hand, COOLTRA, to manage communications to its users, signed<br />
up to an external management platform, from which the user cancellation circuit<br />
became controlled by the marketing department, with the Customer Service<br />
department being in charge of forwarding users' unsubscription requests<br />
to the marketing department.<br />
<br />
The entity considers that this system has worked perfectly since its implementation,<br />
given that the volume of cancellations and requests that are managed is enormous, and in two<br />
years and two months of application it has only failed in the case of the complaining party.<br />
<br />
<br />
4. Report on the measures taken to prevent similar incidents from occurring,<br />
dates of implementation and controls carried out to verify their effectiveness<br />
<br />
COOLTRA has 1,200,000 users registered on its platform and the claim<br />
of the claiming party is the only claim that COOLTRA has had since it<br />
started its activity in 2016.<br />
<br />
With such a high number of users, the volume of unsubscribe requests is very<br />
high: in 2018, 58,638 cancellations were processed, in 2019 66,313 cancellations and in<br />
2020 43,781 user cancellations. All this without counting the automatic cancellations<br />
derived from unsubscribing from the emails with information about the service.<br />
<br />
During the month of January 2021, in the email enabled for this purpose alone,<br />
rgpd@cooltra.com, 22 cancellations were requested, which were carried out within<br />
a maximum period of 24 hours.<br />
<br />
<br />
The Customer Service team answers all the people who want to<br />
unsubscribe from the system, whether they request it from the email rgpd@cooltra.com<br />
or from the emails info@cooltra.com, hello@cooltra.com and<br />
ciao@cooltra.com (specifically for Italy), and informs the marketing<br />
department so that the user is unsubscribed from commercial communications.<br />
<br />
The user can also unsubscribe from communications through the link in the<br />
footer of their email. When requested through that channel, the process<br />
is automatic.<br />
<br />
<br />
The entity considers that the protocols followed in COOLTRA and the organizational<br />
and technical measures established as a result of the entry into force of the LOPDGDD are<br />
reliable since, of 168,732 requests received since 2018, only one<br />
person has filed a claim with the Data Protection Agency, and<br />
said claim coincides with the months in which the company was<br />
implementing all the security mechanisms so that compliance with the GDPR<br />
and LOPDGDD would be optimal.<br />
<br />
As a result of this problem, it has been decided that it is the DPD who directly receives the<br />
email rgpd@ecooltra.com, in order to filter those emails to which special<br />
attention should be paid and avoid doubts for Customer Service and Marketing or<br />
unnecessary delays in their management.<br />
<br />
5. In relation to the transfer of the claim dated October 26, 2020<br />
<br />
The representatives of the entity indicate that several circumstances have<br />
coincided:<br />
<br />
1.- First of all, we must bear in mind that COOLTRA is a company<br />
dedicated to renting motorcycles by the minute whose users, in a fairly significant<br />
proportion, come from tourism, which is why it is found in the main<br />
European capitals.<br />
<br />
<br />
Since the start of the SARS COVID 19 pandemic, COOLTRA has been<br />
seriously affected in its sales, and has had to draw up a<br />
restructuring plan to adapt its workforce to the new world reality, resorting to<br />
ERTEs for a very significant part of its workforce. This has meant that for many<br />
months of 2020 (and those of 2021 so far) the active personnel have, on occasions,<br />
taken on tasks that were not their own and assumed some responsibilities that<br />
were not the usual ones, which undoubtedly entails malfunctions.<br />
<br />
Even so, the Customer Service Dept. has always remained active and the staff has<br />
remained almost entirely in active status, guaranteeing as always that the rights of<br />
those affected were safe.<br />
<br />
<br />
2.- In addition, a business decision was taken on the same date (October 2020) to unify<br />
all business lines under the same trade name "Cooltra", which includes<br />
both the services offered by COOLTRA and those of the other brands and business lines<br />
that the company has. Therefore, the months from October to December 2020 were<br />
months of structural change, and this, added to the fact that part of the employees were<br />
on ERTE, partially overwhelmed certain departments, especially the<br />
Legal Dept.<br />
<br />
3.- Between October 23 and 24, the DPD was registered for the companies in the<br />
Group that had not yet registered one (previously, it was only registered for the<br />
parent company, which manages the others, on the understanding that the rest had no<br />
obligation until that date).<br />
<br />
Precisely on October 26-27, 2020, the same dates on which the Agency issued the<br />
request that went unanswered, the DPD registrations of the rest of the<br />
group's national and European companies were carried out.<br />
<br />
The DPD warned the COOLTRA Legal Dept. that during the following days (between<br />
October 26 and 29) it would receive quite a few notifications from the AEPD, but that these were<br />
DPD registration confirmations and that the DPD himself was also being notified, so<br />
he would receive them and check that everything was correct.<br />
<br />
<br />
The party in charge of receiving official notifications in the case of COOLTRA is<br />
***COMPANY.1, a consultancy that handles COOLTRA's tax matters, since<br />
most of the notifications received in this mailbox come from the AEAT.<br />
<br />
<br />
On October 26, 2020, COOLTRA's external advisory firm downloaded and forwarded to the<br />
Legal Dept. 6 notifications in zip format from the AEPD, among which<br />
were 5 of the DPD registrations carried out on the previous days and the request<br />
that was not attended to and is now being answered.<br />
<br />
The Legal Dept., on opening a couple of them and seeing that they were the registration<br />
confirmations it had been warned about, did not open any more, convinced that they<br />
were all the same, since a total of 12 were expected, and therefore did not realize that among<br />
them was the complaint and request for information E/08509/2020. For that<br />
reason the request went unnoticed and was not attended to.<br />
<br />
<br />
Upon receipt of an email sent on February 2, 2021 by Mr.<br />
B.B.B., Data Inspector of the General Subdirectorate of Data Inspection of the<br />
Spanish Data Protection Agency, to the email address info@cooltra.com,<br />
Customer Service forwarded it to the appropriate departments in<br />
less than an hour from receipt.<br />
<br />
<br />
This email was given its normal course; the DPD received a warning by<br />
telephone from Mr. B.B.B. and proceeded to respond to the request in due time and<br />
form.<br />
<br />
FIFTH: On January 10, 2022, the Director of the AEPD adopted a<br />
proposal for a draft decision to initiate sanctioning proceedings. Following<br />
the procedure established in article 60 of the GDPR, on January 12, 2022<br />
this proposal for a draft decision was transmitted through the IMI system as an<br />
informal consultation, and the authorities concerned were made aware that they had two<br />
weeks from that time to comment.<br />
<br />
<br />
SIXTH: On January 24, 2022, the Director of the AEPD adopted a draft<br />
decision to initiate sanctioning proceedings. Following the procedure established<br />
in article 60 of the GDPR, that same day this draft decision was transmitted<br />
and the authorities concerned were informed that they had<br />
four weeks from that time to raise relevant and reasoned objections.<br />
Within the period set for this purpose, the supervisory authorities concerned did not<br />
present relevant and reasoned objections in this regard, for which reason it is considered<br />
that all authorities agree with said draft decision and are<br />
bound by it, in accordance with the provisions of section 6 of article 60<br />
of the GDPR.<br />
<br />
<br />
This draft decision was notified to COOLTRA in accordance with the rules established<br />
in the LPACAP on February 4, 2022, as stated in the acknowledgment of receipt<br />
on file.<br />
<br />
SEVENTH: On July 20, 2022, the Director of the Spanish Data Protection<br />
Agency agreed to initiate a sanctioning procedure against COOLTRA in order to<br />
issue a warning, in accordance with the provisions of articles 63 and 64 of the<br />
LPACAP, for the alleged infringement of Article 12 of the GDPR, typified in Article<br />
83.5 of the GDPR, indicating that it had a period of ten days to submit<br />
allegations.<br />
<br />
<br />
This initiation agreement, which was notified to COOLTRA in accordance with the rules<br />
established in Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (LPACAP), was collected on July 21,<br />
2022, as stated in the acknowledgment of receipt that is in the file.<br />
<br />
<br />
EIGHTH: The aforementioned initiation agreement having been notified in accordance with the rules established<br />
in the LPACAP, and after the period granted for the formulation of allegations, it<br />
has been verified that no allegations have been received from COOLTRA.<br />
<br />
Article 64.2.f) of the LPACAP -a provision of which COOLTRA was informed in the<br />
agreement to open the procedure- establishes that if no allegations are made<br />
within the period provided, the content of the initiation agreement, when it<br />
contains a precise pronouncement about the imputed responsibility, may<br />
be considered a proposed resolution. In the present case, the agreement to initiate the<br />
sanctioning file determined the facts on which the imputation was based,<br />
the infringement of the GDPR attributed to COOLTRA and the sanction that could be<br />
imposed. Therefore, taking into consideration that COOLTRA has not formulated<br />
allegations to the agreement to initiate the file, and in view of what is established in<br />
Article 64.2.f) of the LPACAP, the aforementioned initiation agreement is considered in the<br />
present case a proposed resolution.<br />
<br />
In view of all the proceedings, the Spanish Data Protection Agency<br />
considers the following facts proven in this procedure:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST: On February 18, 2018 at 6:27 p.m. an email was sent<br />
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the<br />
subject (in Italian in the original) "Confirm your email" and the following text<br />
(in Italian in the original):<br />
“Welcome to eCooltra<br />
Press the button to confirm<br />
CONFIRM"<br />
<br />
<br />
SECOND: On October 18, 2018 at 6:27 p.m. an email was sent<br />
from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in<br />
Italian in the original) “Deletion of the profile” in which the following text can be read (in<br />
Italian in the original): “I request the deletion of my profile, of all the data and of the<br />
payment method registered on your site. Thank you, A.A.A. (…)”<br />
<br />
THIRD: On October 18, 2018 at 6:37 p.m. an email was sent<br />
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the<br />
subject (in Italian in the original) "You are about to achieve freedom" and the message (in<br />
Italian in the original): “Now it's our turn! We are validating your data so that<br />
you can access our website.<br />
eCooltra and make the planet more eco-sustainable.<br />
Can't wait and want to use eCooltra today? Then get in<br />
contact with us and we will check your details together right now.<br />
GET IN CONTACT WITH US"<br />
<br />
<br />
FOURTH: On October 18, 2018 at 7:06 p.m. an email was sent<br />
from the address registration@ecooltra.com to ***USER.1@gmail.com, with the<br />
subject “[Ticket#(…)] eCooltra” and the message (in Italian in the original):<br />
“Thank you for signing up! To activate your account, we need the following<br />
information:<br />
Complete address: street, no., city, postal code<br />
Front and back photo of the current license (showing the date<br />
until which it will be valid)<br />
Since the photos uploaded to the app get confused and the data cannot be<br />
distinguished correctly depending on the state, you can attach your driver's license.<br />
We ask that you register on the page linked below and provide the<br />
certificate of your document; when you have the certificate, we ask you to send it to<br />
this email so that your account can be activated.<br />
<br />
***URL.1<br />
<br />
<br />
For any clarification, please do not hesitate to contact us!<br />
Regards<br />
C.C.C.”<br />
<br />
FIFTH: On October 19, 2018 at 01:02 an email was sent<br />
from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in<br />
Italian in the original) “Deletion of the profile” in which the following text can be read (in<br />
Italian in the original): “I request the deletion of my profile, of all the data and of the<br />
payment method registered on your site. Thank you, A.A.A. (…)”.<br />
<br />
SIXTH: On October 21, 2018 at 00:07 an email was sent from<br />
the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the subject<br />
(in Italian in the original) "Complete your registration to start driving with us" in<br />
which the following text can be read (in Italian in the original):<br />
"Hello!<br />
Before you start driving, you must complete your registration. We need a few<br />
minutes of your time so that you can use eCooltra for the first time.<br />
Please check the following steps:<br />
1. You have confirmed your email<br />
2. You have entered the photo of your license and tax code (health card).<br />
3. You have entered your payment details<br />
COMPLETE REGISTRATION (…)”<br />
<br />
SEVENTH: On October 22, 2018 at 00:07 an email was sent<br />
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the<br />
subject (in Italian in the original) "A.A.A., there is little left" in which the following<br />
text can be read (in Italian in the original):<br />
"Hello!<br />
You are not far from being part of eCooltra! Remember that we need some data<br />
so that you can move around the city with our scooters.<br />
Please check the following steps:<br />
1. You have confirmed your email<br />
2. You have entered the photo of your license and tax code (health card).<br />
3. You have entered your payment details<br />
COMPLETE REGISTRATION (…)”<br />
<br />
EIGHTH: On October 22, 2018 at 11:52 p.m. an email was sent<br />
from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with the subject (in<br />
Italian in the original) “Fwd: Deletion of the profile” in which the following<br />
text can be read (in Italian in the original): “Since I keep receiving emails, I request<br />
what I asked for."<br />
<br />
NINTH: On October 29, 2018 at 00:08 an email was sent<br />
from the address ecooltra@email.ecooltra.com to ***USER.1@gmail.com, with the<br />
subject (in Italian in the original) “A.A.A., you are one step away from feeling the wind on your face”<br />
in which the following text can be read (in Italian in the original):<br />
<br />
"Hello!<br />
More than 3,000 electric scooters await you to move around the city.<br />
Please check the following steps:<br />
1. You have confirmed your email<br />
2. You have entered the photo of your license and tax code (health card).<br />
3. You have entered your payment details<br />
<br />
COMPLETE REGISTRATION (…)”<br />
<br />
TENTH: On October 30, 2018 at 3:23 p.m., the complainant contacted<br />
http://www.ecooltra.com/ through its chat, indicating that they had<br />
asked several days earlier by email for the cancellation of their profile, but<br />
to date it had not happened, and asking again for its cancellation. They were told that it had been<br />
requested, but to please send an email to ciao@ecooltra.com so that<br />
there would be evidence that they no longer wanted to use the account.<br />
<br />
ELEVENTH: On October 30, 2018 at 4:26 p.m. an email was sent<br />
from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with<br />
the subject (in Italian in the original) “Fwd: Delete the profile” in which the<br />
following text can be read (in Italian in the original): “I request again the deletion of my profile and<br />
all personal data; otherwise, since the site does not allow it, I will have to<br />
report it to the privacy guarantor”.<br />
<br />
TWELFTH: On November 3, 2018 at 02:24 an email was sent<br />
from mailer-daemon@googlemail.com to<br />
***USER.1@gmail.com, with the subject (in English in the original) "Delivery Status<br />
Notification (Failure)”, with the following text (in Italian and English in the original): “There was<br />
a problem delivering your message<br />
to ciao@ecooltra.it. See the technical details below or try sending it<br />
again in a few minutes.<br />
<br />
MORE INFORMATION<br />
Response: The receiving server did not accept our connection requests. Find<br />
more information at https://support.google.com/mail/answer/7720 [ecooltra.it<br />
37.152.88.55:generic:failed_precondition:connect error (0): error]”<br />
<br />
THIRTEENTH: On November 5, 2018 at 09:36 an email was sent<br />
from the address ***USUARIO.1@gmail.com to info@ecooltra.com, with<br />
the subject (in Italian in the original) "Re: Deletion of the profile" in which the<br />
following text can be read (in Italian in the original): “You asked me to write to ciao@ecooltra.it,<br />
but the mailbox does not accept emails.<br />
On Tuesday, Oct 30, 2018 at 4:26 p.m. A.A.A. wrote: [Quoted text hidden]”.<br />
<br />
<br />
FOURTEENTH: On November 23, 2018 at 04:02 an email was sent<br />
from the address ecooltra@email.ecooltra.com to<br />
***USUARIO.1@gmail.com, with the subject (in Italian in the original) “A.A.A., it's<br />
Black Friday and we bring you lots of discounts!”, with COOLTRA advertising.<br />
<br />
FIFTEENTH: On November 23, 2018 at 6:05 p.m. an email was sent<br />
from the address ***USUARIO.1@gmail.com to rgpd@ecooltra.com, with<br />
the subject (in Italian in the original) “Fwd: Delete the profile” in which the<br />
following text can be read (in Italian in the original): “I see that my requests have not yet been<br />
attended to. I request the immediate deletion of all my data (including the<br />
credit card and driver's license information). I await<br />
confirmation. Otherwise, I will feel obliged to turn to the privacy<br />
guarantor. Best regards".<br />
<br />
SIXTEENTH: On November 23, 2018 at 6:09 p.m. an email was sent<br />
from the address ***USUARIO.1@gmail.com to rgpd@ecooltra.com, with<br />
the subject (in Italian in the original) "Re: Deletion of the profile" in which the<br />
following text can be read (in Italian in the original): “I also attach my identity document,<br />
as indicated in your privacy policy”, to which a document with the<br />
name “<4- Carta di identita.pdf>” is attached.<br />
<br />
<br />
SEVENTEENTH: On December 24, 2018 at 10:01 p.m. an email was sent<br />
from the address ecooltra@email.ecooltra.com to<br />
***USUARIO.1@gmail.com, with the subject (in Italian in the original) “Happy green<br />
Christmas”, with Christmas greetings.<br />
<br />
<br />
EIGHTEENTH: On December 31, 2018 at 8:01 p.m. an email was sent<br />
from the address ecooltra@email.ecooltra.com to<br />
***USUARIO.1@gmail.com, with the subject (in Italian in the original) “Good news<br />
to start 2019”, with COOLTRA advertising.<br />
<br />
NINETEENTH: On February 12, 2019 at 02:00 an email was sent<br />
from the address ecooltra@email.ecooltra.com to<br />
***USER.1@gmail.com, with the subject (in Italian in the original) “AAA, win 1,000<br />
free minutes”, with COOLTRA advertising.<br />
<br />
TWELFTH: On February 19, 2019 at 9:04 p.m. an email was sent<br />
from the address ***USER.1@gmail.com to rgpd@ecooltra.com, with the subject<br />
(in Italian in the original) “Last hour: 45 min. at 9.99 EUR, buy the MiniPack here”,<br />
with COOLTRA advertising.<br />
<br />
<br />
LEGAL GROUNDS<br />
<br />
<br />
I<br />
Competence and applicable legislation<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants to each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency shall be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
issued in its implementation and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
<br />
Preliminary questions<br />
<br />
In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is<br />
processing of personal data, since COOLTRA carries out<br />
the collection and storage of, among others, the following personal data of<br />
natural persons: name and surname and email, among other processing operations.<br />
<br />
COOLTRA carries out this activity in its capacity as data controller, given<br />
that it is the one that determines the purposes and means of such activity, by virtue of article 4.7 of the<br />
GDPR. In addition, it is a cross-border processing, since COOLTRA is<br />
established in Spain, although it provides services to other countries of the European Union.<br />
<br />
<br />
The GDPR provides, in its article 56.1, for cases of cross-border processing,<br />
as defined in its article 4.23), in relation to the competence of the lead<br />
supervisory authority, that, without prejudice to the provisions of article 55, the supervisory<br />
authority of the main establishment or of the single establishment of the controller or<br />
processor shall be competent to act as lead supervisory authority<br />
for the cross-border processing carried out by said controller or<br />
processor in accordance with the procedure established in article 60. In the case<br />
examined, as has been explained, COOLTRA has its single establishment in<br />
Spain, so the Spanish Data Protection Agency is competent to<br />
act as lead supervisory authority.<br />
<br />
For its part, the right to erasure of personal data is regulated in article<br />
17 of the GDPR, and the modalities for exercising the rights of data subjects are<br />
detailed in article 12 of the GDPR.<br />
<br />
<br />
III<br />
Right of erasure<br />
<br />
Article 17 “Right to erasure (‘right to be forgotten’)” of the GDPR establishes:<br />
<br />
<br />
"1. The data subject shall have the right to obtain from the controller the<br />
erasure of personal data concerning him or her without undue delay and the controller<br />
shall have the obligation to erase personal data without undue delay where one<br />
of the following grounds applies:<br />
a) the personal data are no longer necessary in relation to the purposes for which<br />
they were collected or otherwise processed;<br />
b) the data subject withdraws consent on which the processing is based<br />
according to point (a) of Article 6(1), or point (a) of Article 9(2), and where<br />
there is no other legal ground for the processing;<br />
c) the data subject objects to the processing pursuant to Article 21(1)<br />
and there are no overriding legitimate grounds for the processing, or the data subject<br />
objects to the processing pursuant to Article 21(2);<br />
d) the personal data have been unlawfully processed;<br />
e) the personal data have to be erased for compliance with a<br />
legal obligation in Union or Member State law to which the<br />
controller is subject;<br />
f) the personal data have been collected in relation to the offer of information<br />
society services referred to in Article 8(1).<br />
<br />
(…)<br />
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:<br />
a) for exercising the right of freedom of expression and information;<br />
b) for compliance with a legal obligation which requires processing by<br />
Union or Member State law to which the controller is subject or for the<br />
performance of a task carried out in the public interest or in the exercise of<br />
official authority vested in the controller;<br />
c) for reasons of public interest in the area of public health in accordance with<br />
points (h) and (i) of Article 9(2) as well as Article 9(3);<br />
d) for archiving purposes in the public interest, scientific or historical research purposes or<br />
statistical purposes in accordance with Article 89(1) in so far as<br />
the right referred to in paragraph 1 is likely to render impossible or seriously<br />
impair the achievement of the objectives of that processing; or<br />
e) for the establishment, exercise or defence of legal claims.”<br />
<br />
In the present case, it is clear that the complainant had requested from COOLTRA the<br />
erasure of their personal data on numerous occasions.<br />
<br />
IV<br />
Exercise of the rights of the data subject<br />
<br />
<br />
Article 12 "Transparent information, communication and modalities for the<br />
exercise of the rights of the data subject" of the GDPR establishes:<br />
<br />
"1. The controller shall take appropriate measures to provide any information<br />
referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34<br />
relating to processing to the data subject in a concise, transparent, intelligible and<br />
easily accessible form, using clear and plain language, in particular for any<br />
information addressed specifically to a child. The information shall be provided in<br />
writing, or by other means, including, where appropriate, by electronic means. When<br />
requested by the data subject, the information may be provided orally, provided that<br />
the identity of the data subject is proven by other means.<br />
<br />
2. The controller shall facilitate the exercise of data subject rights under Articles 15<br />
to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act<br />
on the request of the data subject for exercising his or her rights under Articles 15 to<br />
22, unless the controller demonstrates that it is not in a position to identify the data<br />
subject.<br />
<br />
3. The controller shall provide information on action taken on a request under<br />
Articles 15 to 22 to the data subject without undue delay and in any event within one<br />
month of receipt of the request. That period may be extended by two further months<br />
where necessary, taking into account the complexity and number of the requests. The<br />
controller shall inform the data subject of any such extension within one month of<br />
receipt of the request, together with the reasons for the delay. Where the data subject<br />
makes the request by electronic form means, the information shall be provided by<br />
electronic means where possible, unless otherwise requested by the data subject.<br />
4. If the controller does not take action on the request of the data subject, the<br />
controller shall inform the data subject without delay and at the latest within one<br />
month of receipt of the request of the reasons for not taking action and on the<br />
possibility of lodging a complaint with a supervisory authority and seeking a judicial<br />
remedy. (…)”<br />
<br />
In the present case, it is clear that the complainant requested the deletion of their account<br />
and their personal data up to 6 times, the last one on November 23, 2018. And only<br />
on February 17, 2021 did COOLTRA send an<br />
email to the complainant informing them of the cancellation of their data,<br />
after receiving a request for information from this Agency, together with<br />
the corresponding complaint. However, it was not until March 1, 2019 that<br />
COOLTRA removed the complainant's personal data from its<br />
systems.<br />
<br />
<br />
Therefore, according to the evidence available at the time of this<br />
resolution of the sanctioning procedure, it is considered that the known facts<br />
constitute an infringement, attributable to COOLTRA, for violation of<br />
Article 12 of the GDPR, in conjunction with Article 17 of the GDPR.<br />
<br />
<br />
V<br />
Classification of the infringement of article 12 of the GDPR<br />
<br />
The aforementioned infringement of article 12 of the GDPR entails the commission of the infringements<br />
typified in article 83.5 of the GDPR, which under the heading "General conditions<br />
for imposing administrative fines” provides:<br />
<br />
“Infringements of the following provisions shall, in accordance with<br />
paragraph 2, be subject to administrative fines up to EUR 20,000,000 or,<br />
in the case of an undertaking, up to 4% of the<br />
total worldwide annual turnover of the preceding financial year, whichever<br />
is higher:<br />
(…)<br />
b) the data subjects' rights pursuant to Articles 12 to 22; (…)”<br />
<br />
In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that:<br />
<br />
<br />
"The acts and conduct referred to in sections 4,<br />
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are<br />
contrary to this organic law, constitute infringements”.<br />
<br />
<br />
For the purposes of the limitation period, article 72 "Infringements considered very<br />
serious” of the LOPDGDD indicates:<br />
<br />
<br />
<br />
"1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,<br />
the infringements that entail a substantial violation of the articles mentioned<br />
therein are considered very serious and shall become time-barred after three years,<br />
and in particular the following:<br />
(…)<br />
<br />
k) The impediment or obstruction of, or repeated failure to attend to, the exercise<br />
of the rights established in articles 15 to 22 of Regulation (EU)<br />
2016/679. (…)”.<br />
<br />
<br />
VI<br />
Penalty for the infringement of article 12 of the GDPR<br />
<br />
Without prejudice to the provisions of article 83 of the GDPR, the aforementioned Regulation provides<br />
in section 2.b) of article 58 "Powers" the following:<br />
<br />
"Each supervisory authority shall have all of the following corrective powers:<br />
(…)<br />
b) to issue warnings to a controller or a processor<br />
where processing operations have infringed provisions of<br />
this Regulation; (…)”<br />
<br />
For its part, recital 148 of the GDPR indicates:<br />
<br />
<br />
“In a case of a minor infringement or if the fine likely to be imposed<br />
would constitute a disproportionate burden to a natural person, a warning<br />
may be issued instead of a fine. Due regard should however<br />
be given to the nature, gravity and duration of the infringement, the<br />
intentional character of the infringement, actions taken to mitigate the damage suffered,<br />
degree of responsibility or any relevant previous infringements, the manner in<br />
which the infringement became known to the supervisory authority, compliance<br />
with measures ordered against the controller or processor, adherence to a code of<br />
conduct and any other aggravating or mitigating factor.”<br />
<br />
According to the evidence available at the present time of<br />
resolution of the sanctioning procedure, it is considered that the offense in question<br />
is minor for the purposes of article 83.2 of the GDPR, given that in the present case,<br />
taking into account that there is no record in this Agency of COOLTRA having<br />
failed to duly attend to a right of erasure, the highly exceptional circumstances<br />
that were the cause of such request not having been duly<br />
attended to, the fact that the complainant sent some of their requests to an email<br />
address that was not indicated in the corresponding privacy policy,<br />
the fact that the erasure had been carried out in March 2019 although it had not<br />
been duly communicated to the complainant and that, as soon as it became<br />
aware of the complaint, COOLTRA notified the complainant of the erasure<br />
and modified its protocols to prevent an incident of this kind from being<br />
repeated, a reduction of culpability in the facts can be considered, so it is<br />
considered in accordance with the law not to impose a sanction consisting of an administrative fine<br />
and to replace it by issuing a warning to COOLTRA.<br />
<br />
Therefore, in accordance with the applicable legislation and having assessed the criteria for<br />
graduation of sanctions whose existence has been accredited,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: TO ISSUE to COOLTRA MOTOSHARING S.L.U., with NIF B65874877, for<br />
an infringement of Article 12 of the GDPR, typified in Article 83.5 of the GDPR, a<br />
warning.<br />
<br />
SECOND: NOTIFY this resolution to COOLTRA MOTOSHARING S.L.U.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
In accordance with the provisions of article 60.7 of the GDPR, this<br />
resolution, once final, will be communicated to the supervisory authorities concerned and to the<br />
European Data Protection Board.<br />
<br />
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the<br />
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the<br />
interested parties may optionally file an appeal for reconsideration before the<br />
Director of the Spanish Data Protection Agency within a period of one month<br />
from the day following the notification of this resolution, or directly file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
said Law.<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP,<br />
the resolution, which is final in administrative proceedings, may be provisionally suspended if the<br />
interested party expresses their intention to file a contentious-administrative appeal.<br />
If this is the case, the interested party must formally communicate this fact in<br />
writing addressed to the Spanish Data Protection Agency, submitting it through<br />
the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/],<br />
or through any of the other registries provided for in art. 16.4 of the<br />
aforementioned Law 39/2015, of October 1. It must also send the Agency the<br />
documentation proving the effective filing of the contentious-administrative<br />
appeal. If the Agency were not aware of the filing of the<br />
contentious-administrative appeal within a period of two months from the day following the<br />
notification of this resolution, the precautionary suspension would end.<br />
<br />
<br />
938-181022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202204492&diff=30114AEPD (Spain) - EXP2022044922023-01-02T12:09:45Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00344-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00344-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=31.03.2022<br />
|Date_Decided=<br />
|Date_Published=21.12.2022<br />
|Year=<br />
|Fine=30000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=ORANGE ESPAGNE, S.A.U.<br />
|Party_Link_1=https://www.orange.es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish Authority fined a controller €30,000 for formalising a telephone contract placing the data subject as the contract holder without duly verifying their data, giving rise to the theft of the data subject's identity.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 31 March 2022, the data subject filed a complaint with the Spanish Data Protection Authority against ORANGE ESPAGNE, S.A.U. (the controller). The controller had registered a telephone line using the data subject's personal data without their consent. The data subject learned of the identity theft after receiving a call from the police informing them that a fraud offence had been committed using the fraudulently contracted telephone number.<br />
<br />
On 10 June 2022, the Spanish Authority received a written reply from the controller indicating that as soon as it became aware of the facts, it classified the number as an irregular activation, ordering the corresponding adjustments in favour of the data subject.<br />
<br />
=== Holding ===<br />
The Spanish Authority held that the controller had violated Article 6.1 GDPR, since it formalised a telephone contract placing the data subject as the contract holder without duly verifying the data, giving rise to the theft of the data subject's identity.<br />
<br />
The Authority based the fine on Article 83.5 a) GDPR and considered applicable the aggravating circumstance provided in Article 83.2 GDPR, in accordance with Article 76.2 b) of the Spanish Data Protection Law (the link of the data controller with the processing of personal data), setting a fine of €50,000. However, the controller benefited from reductions for voluntary payment of the penalty and acknowledgement of liability, so the fine was finally set at €30,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202204492<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY PAYMENT<br />
<br />
In the procedure conducted by the Spanish Data Protection Agency, and on the basis<br />
of the following<br />
<br />
<br />
BACKGROUND<br />
<br />
FIRST: On September 15, 2022, the Director of the Spanish Data<br />
Protection Agency agreed to initiate a sanctioning procedure against ORANGE<br />
ESPAGNE, S.A.U. (hereinafter, the claimed party), by means of the Agreement<br />
transcribed below:<br />
<br />
<br />
<<<br />
<br />
<br />
File No.: EXP202204492<br />
<br />
<br />
<br />
AGREEMENT TO START THE SANCTION PROCEDURE<br />
<br />
In view of the actions carried out by the Spanish Data Protection Agency, and on the<br />
basis of the following<br />
<br />
FACTS<br />
<br />
FIRST: On March 31, 2022 A.A.A. (hereinafter, the claiming party)<br />
filed a claim with the Spanish Data Protection Agency.<br />
<br />
<br />
The claim is directed against ORANGE ESPAGNE, S.A.U. with NIF A82009812 (in<br />
below, the claimed party).<br />
<br />
The claim is based on the registration of a telephone line with the claimed entity<br />
using the claimant's personal data without their consent.<br />
<br />
The claimant states that they have been the victim of identity theft in contracting,<br />
having received a call from the Granada Police informing them that<br />
a fraud offence had been committed with the fraudulently contracted telephone number.<br />
<br />
The claimant accompanies the complaint with a police report and a claim<br />
filed before the Secretary of State for Telecommunications and Digital<br />
Infrastructures, dated March 31, 2022.<br />
<br />
Likewise, the claimant provides the contracted telephone number: ***NIF.1.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), on May 9, 2022, said claim was transferred to the<br />
claimed party, so that it could proceed with its analysis and inform this Agency, within<br />
a period of one month, of the actions carried out to comply with the requirements<br />
provided for in the data protection regulations.<br />
<br />
<br />
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of<br />
October 1, of the Common Administrative Procedure of the Administrations<br />
Public (hereinafter, LPACAP), was collected on May 10, 2022 as<br />
It appears in the acknowledgment of receipt that is in the file.<br />
<br />
<br />
On June 10, 2022, this Agency received a written response<br />
indicating that, as soon as it became aware of the facts set out in<br />
this information request, the claimed entity<br />
transferred them to its Risk Analysis Group, which, after carrying out<br />
the corresponding investigations, proceeded to classify as an irregular activation the<br />
numbering ***NIF.1 associated with the claimant's DNI, ordering the corresponding<br />
economic adjustments in favor of the claimant, by virtue of which the claimant is<br />
up to date with payments to this company.<br />
<br />
Likewise, it is stated that any recovery actions that<br />
may exist have been stopped and that the claimant's data has never been transferred to<br />
credit solvency files at the request of this company.<br />
<br />
The following are stated as specific measures aimed at avoiding this type of<br />
fraudulent practice:<br />
<br />
<br />
• Controls on applications for registration/portability/in-flight migration: rules applied in<br />
scoring. Therefore, if the application is rejected before activation, the registration does not take place.<br />
These actions are carried out by an external platform.<br />
<br />
• Daily controls on orders processed from CCNNPP (teleshopping and eshop).<br />
As in the previous case, if the order is rejected before activation, there is no registration.<br />
<br />
• Audits on FIDE provider platforms, by provider analysts, who<br />
report at the time of detection and weekly.<br />
The solution varies depending on the case; it may consist of cancellation of<br />
orders and/or portability requests, suspension of lines, or cancellation of<br />
fixed provision, to cite a few examples.<br />
<br />
• Periodic checks of unpaid customers or concentration of bank accounts in<br />
JAZZTEL.<br />
<br />
• Management in the CRMs (company systems) of claims escalated by<br />
different functional groups regarding unrecognized lines/orders.<br />
<br />
• Daily validation controls on registrations and identity portability, verifying<br />
in the census whether the NIE or NIF matches the name and surnames that appear in the<br />
application.<br />
<br />
• Management of claims for inclusion in credit solvency files.<br />
<br />
As evidenced, through the control systems created, ORANGE has<br />
knowledge of the existence of possible irregularities in the contracting of<br />
services and, after the corresponding studies and analysis, is in a position to<br />
classify them as fraudulent, proceeding to stop any<br />
recovery action, as well as to rectify all those invoices issued<br />
inappropriately.<br />
<br />
THIRD: On June 22, 2022, in accordance with article 65 of the<br />
<br />
LOPDGDD, the claim presented by the claimant party was admitted for processing.<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
<br />
Article 6.1 of the GDPR establishes the following:<br />
<br />
"1. Processing shall be lawful only if and to the extent that at least one of the following applies:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data<br />
for one or more specific purposes;<br />
<br />
b) processing is necessary for the performance of a contract to which the data subject<br />
is party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
<br />
d) processing is necessary in order to protect the vital interests of the data subject or of another<br />
natural person;<br />
<br />
e) processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued<br />
by the controller or by a third party, except where such interests are overridden by<br />
the interests or fundamental rights and freedoms of the data subject<br />
which require protection of personal data, in particular where the data subject<br />
is a child.<br />
<br />
Point f) of the first subparagraph shall not apply to processing carried out<br />
by public authorities in the performance of their tasks.”<br />
<br />
Article 72.1 b) of the LOPDGDD states that "in accordance with what is established in<br />
article 83.5 of Regulation (EU) 2016/679, the infringements that involve a substantial violation of the<br />
articles mentioned therein are considered very serious and will be time-barred<br />
after three years, and in particular the following:<br />
<br />
b) The processing of personal data without fulfilling any of the conditions for the<br />
lawfulness of processing established in article 6 of Regulation (EU) 2016/679.”<br />
<br />
III<br />
<br />
<br />
In accordance with the evidence available at this time, and<br />
without prejudice to what results from the investigation of this disciplinary procedure, it is<br />
considered that the claimed entity has violated the lawfulness of the processing of personal<br />
data, since it formalized a mobile telephony contract naming the claimant as its holder<br />
without duly verifying the claimant's data, giving rise to the identity theft of the claimant.<br />
<br />
Thus, this Agency considers that the claimed entity has violated<br />
article 6.1 of the GDPR, which guarantees that personal data is processed<br />
lawfully, since the claimed entity appears to have processed the personal data of the<br />
claimant without having the necessary legal basis for it.<br />
<br />
IV.<br />
<br />
Article 58.2 of the GDPR provides the following: "Each supervisory authority shall have<br />
all of the following corrective powers:<br />
<br />
d) to order the controller or processor to bring processing operations into compliance<br />
with the provisions of this Regulation, where appropriate, in a specified manner<br />
and within a specified period;<br />
<br />
i) to impose an administrative fine pursuant to article 83, in addition to, or instead of, the<br />
measures referred to in this paragraph, depending on the circumstances of each individual<br />
case;<br />
<br />
V<br />
<br />
<br />
Violation of article 6.1 of the GDPR can be sanctioned with a fine of up to<br />
€20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4%<br />
of the total worldwide annual turnover of the preceding financial year,<br />
whichever is higher, in accordance with article 83.5 a) of the<br />
GDPR, which includes "breach of the basic principles for processing,<br />
including the conditions for consent under articles 5, 6, 7 and 9”.<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with the<br />
criteria established in article 83.2 of the GDPR, considering as an<br />
aggravating circumstance, in accordance with article 76.2 b) LOPDGDD, the link of the controller with the<br />
processing of personal data.<br />
<br />
VI<br />
<br />
<br />
<br />
The fine imposed must be, in each individual case, effective, proportionate<br />
and dissuasive, in accordance with the provisions of article 83.1 of the GDPR.<br />
<br />
<br />
<br />
<br />
Therefore, it is appropriate to graduate the sanction to be imposed according to the criteria that<br />
establishes article 83.2 of the GDPR, and with the provisions of article 76 of the<br />
LOPDGDD, with respect to section k) of the aforementioned article 83.2 GDPR.<br />
<br />
<br />
<br />
Article 83.2 of the GDPR establishes that:<br />
<br />
"Administrative fines shall, depending on the circumstances of each<br />
individual case, be imposed in addition to, or instead of, the measures referred to in<br />
article 58, section 2, letters a) to h) and j).<br />
<br />
When deciding whether to impose an administrative fine and its amount in each individual<br />
case, due regard shall be given to the following:<br />
<br />
a) the nature, gravity and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing concerned, as well as<br />
the number of data subjects affected and the level of damage they<br />
have suffered;<br />
<br />
b) the intentional or negligent character of the infringement;<br />
<br />
c) any action taken by the controller or processor to<br />
mitigate the damage suffered by data subjects;<br />
<br />
d) the degree of responsibility of the controller or processor,<br />
taking into account the technical and organizational measures implemented by them pursuant<br />
to articles 25 and 32;<br />
<br />
e) any relevant previous infringement by the controller or processor;<br />
<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the manner in which the infringement became known to the supervisory authority, in<br />
particular whether, and if so to what extent, the controller or processor notified the<br />
infringement;<br />
<br />
i) where the measures referred to in article 58, paragraph 2, have previously been ordered<br />
against the controller or processor concerned with regard to the<br />
same subject matter, compliance with those measures;<br />
<br />
j) adherence to approved codes of conduct pursuant to article 40 or to approved<br />
certification mechanisms pursuant to article 42; and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as financial benefits gained or losses avoided, directly or<br />
indirectly, from the infringement.”<br />
<br />
<br />
<br />
In the present case, without prejudice to what results from the instruction, the link of the<br />
controller with the data processing has been taken into account as an aggravating circumstance,<br />
in accordance with article 76.2 b) of the LOPDGDD.<br />
<br />
For all these reasons, it is considered appropriate to impose a fine of €50,000 for the<br />
processing of personal data, since the claimed entity lacks a legal basis for<br />
it.<br />
<br />
<br />
Therefore, based on the foregoing,<br />
<br />
the Director of the Spanish Data Protection Agency<br />
<br />
AGREES:<br />
<br />
FIRST: INITIATE SANCTION PROCEDURE against ORANGE ESPAGNE,<br />
S.A.U. with NIF A82009812, in accordance with the provisions of article 58.2.i) of the<br />
<br />
GDPR, for the alleged infringement of article 6.1 of the GDPR, typified in article<br />
83.5.b) of the GDPR.<br />
<br />
SECOND: APPOINT R.R.R. as instructor and S.S.S. as secretary,<br />
indicating that either of them may be challenged, if applicable, in accordance with the<br />
provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal<br />
Regime of the Public Sector (LRJSP).<br />
<br />
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the<br />
claim filed by the claimant and its documentation, the documents<br />
<br />
obtained and generated by the General Sub-directorate of Data Inspection during the<br />
investigation phase, as well as the report of previous inspection actions.<br />
<br />
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1<br />
October, of the Common Administrative Procedure of Public Administrations,<br />
would correspond a sanction of €50,000 (fifty thousand euros) without prejudice to what<br />
<br />
results from the instruction.<br />
<br />
FIFTH: NOTIFY this agreement to ORANGE ESPAGNE, S.A.U. with NIF<br />
A82009812, granting a hearing period of ten business days to formulate<br />
the allegations and present the evidence it deems appropriate. In its statement of<br />
allegations it must provide its NIF and the procedure number that appears in the<br />
heading of this document.<br />
<br />
If, within the stipulated period, it does not make allegations to this initiation agreement, the same<br />
may be considered a resolution proposal, as established in article<br />
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, it may acknowledge its<br />
responsibility within the period granted for the formulation of allegations to the<br />
present initiation agreement, which will entail a reduction of 20% of the<br />
sanction that should be imposed in this proceeding. With the application of this<br />
reduction, the sanction would be established at €40,000, resolving the<br />
procedure with the imposition of both sanctions.<br />
<br />
In the same way, it may, at any time prior to the resolution of this<br />
procedure, carry out the voluntary payment of the proposed sanction, which<br />
<br />
will mean a reduction of 20% of its amount. With the application of this reduction,<br />
the sanction would be established at €40,000 and its payment will imply the termination of the<br />
process.<br />
<br />
The reduction for voluntary payment of the penalty is cumulative with the one corresponding<br />
to the acknowledgment of responsibility, provided that this acknowledgment<br />
of responsibility is made within the period granted to formulate<br />
allegations at the opening of the procedure. Voluntary payment of the amount referred to<br />
in the previous paragraph may be made at any time prior to the resolution. In<br />
this case, if both reductions were applied, the amount of the penalty would be<br />
established at 30,000 euros.<br />
<br />
In any case, the effectiveness of any of the two aforementioned reductions will be<br />
conditioned to the withdrawal or resignation of any action or appeal via<br />
administrative against the sanction.<br />
<br />
<br />
In the event that you choose to proceed with the voluntary payment of any of the amounts<br />
previously indicated, €40,000 or €30,000, you must pay it by<br />
deposit into account number ES00 0000 0000 0000 0000 0000 opened in the name of the<br />
Spanish Data Protection Agency at the bank CAIXABANK, S.A.,<br />
indicating in the payment reference the procedure number that appears in the<br />
heading of this document and the reason for the reduction of the amount<br />
availed of.<br />
<br />
Likewise, you must send proof of payment to the General Subdirectorate of<br />
Inspection in order to continue with the procedure in accordance with the amount<br />
paid.<br />
<br />
The procedure will have a maximum duration of nine months from the<br />
date of the initiation agreement or, where appropriate, of the draft initiation agreement.<br />
After this period, it will expire and, consequently, the proceedings will be<br />
archived, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
Finally, it is noted that in accordance with the provisions of article 112.1 of the<br />
LPACAP, there is no administrative appeal against this act.<br />
<br />
<br />
<br />
935-260122<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
>><br />
<br />
<br />
SECOND: On October 26, 2022, the claimed party proceeded to pay<br />
the sanction in the amount of 30,000 euros, making use of the two reductions<br />
provided for in the initiation Agreement transcribed above, which implies the<br />
acknowledgment of responsibility.<br />
<br />
<br />
THIRD: The payment made within the period granted to formulate allegations to<br />
the initiation agreement entails the waiver of any administrative action or appeal<br />
against the sanction and the acknowledgment of responsibility in relation to<br />
the facts referred to in the Initiation Agreement.<br />
<br />
<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
Competence<br />
<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter, LPACAP), under the heading<br />
"Termination in disciplinary proceedings", provides the following:<br />
<br />
<br />
"1. Once a disciplinary procedure has been initiated, if the offender acknowledges their responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature, or it is possible to impose a<br />
pecuniary sanction and another of a non-pecuniary nature but the<br />
inappropriateness of the second has been justified, voluntary payment by the presumed offender, at<br />
any time prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the offence.<br />
<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
body competent to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased<br />
by regulation."<br />
<br />
According to what has been stated,<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
<br />
FIRST: DECLARE the termination of procedure EXP202204492, in<br />
in accordance with the provisions of article 85 of the LPACAP.<br />
<br />
SECOND: NOTIFY this resolution to ORANGE ESPAGNE, S.A.U.<br />
<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by<br />
article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative<br />
Procedure of Public Administrations, interested parties may file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
said Law.<br />
<br />
<br />
936-040822<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202203914&diff=30000AEPD (Spain) - EXP2022039142022-12-19T12:46:05Z<p>Teresa.lopez: typo</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00290-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00290-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=07.03.2022<br />
|Date_Decided=<br />
|Date_Published=15.12.2022<br />
|Year=<br />
|Fine=70,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=VODAFONE ESPAÑA, S.A.U.<br />
|Party_Link_1=https://www.vodafone.es/c/conocenos/es/vodafone-espana/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa Lopez Carro<br />
|<br />
}}<br />
<br />
Spanish DPA fined Vodafone Spain €70,000 for duplicating a customer's SIM card without their consent or knowledge.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 17 February 2022, Vodafone España, S.A.U. (the controller) provided a duplicate of the data subject's SIM card to a third party without their authorisation. The data subject found out after receiving an SMS from the controller confirming the activation of the new SIM card.<br />
<br />
Later on, the controller's fraud department contacted the data subject to confirm that the SIM duplicate was fraudulent, and proceeded to block the new SIM card.<br />
<br />
Before the deactivation, the third party, using the fraudulent SIM card, accessed the bank account of the data subject's husband and made a transfer of an undisclosed amount.<br />
<br />
=== Holding ===<br />
The Spanish DPA held that the controller had violated [[Article 6 GDPR#1|Article 6(1) GDPR]] by duplicating the data subject's SIM card without their consent and without verifying the identity of the requesting third party. In this sense, the DPA questioned the diligence of the controller in identifying the person who requested a duplicate SIM card.<br />
<br />
The DPA found the controller's infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]] was “very serious” and imposed a €70,000 fine. The DPA took into account the aggravating circumstance of the link between the controller's business activity and the processing of personal data of customers or third parties, and the mitigating circumstance of the controller's rapid handling and resolution of the data subject's complaint.<br />
<br />
Benefiting from a Spanish administrative law provision, which allows for voluntary payment of the penalty, the controller paid €56,000 for the termination of the procedure. The controller refused the Spanish DPA's offer of admission of guilt, which would have further reduced the amount to €42,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202203914<br />
<br />
RESOLUTION TERMINATING THE PROCEDURE DUE TO VOLUNTARY<br />
PAYMENT<br />
<br />
In the procedure conducted by the Spanish Data Protection Agency, and on the basis<br />
of the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On September 23, 2022, the Director of the Spanish Data Protection<br />
Agency agreed to initiate a sanctioning procedure against VODAFONE<br />
ESPAÑA, S.A. (hereinafter, the claimed party), through the Agreement<br />
transcribed below:<br />
<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: EXP202203914<br />
<br />
<br />
<br />
AGREEMENT TO START THE SANCTION PROCEDURE<br />
<br />
In the proceedings carried out by the Spanish Data Protection Agency, and on the<br />
basis of the following:<br />
<br />
FACTS<br />
<br />
<br />
<br />
FIRST: On March 7, 2022, Ms. A.A.A. (hereinafter, the claimant) filed a claim with<br />
the Spanish Data Protection Agency. The claim is directed against VODAFONE<br />
ESPAÑA, S.A.U. with NIF A80907397 (hereinafter, the claimed party or Vodafone).<br />
The reasons on which the claim is based are the following:<br />
<br />
<br />
The claimant states that on February 17, 2022, the claimed entity, without her<br />
authorization, provided a duplicate of her SIM card to a third party. She became aware<br />
of the facts after receiving an SMS from said entity informing her of the successful<br />
activation of her new SIM.<br />
<br />
Later she received a call from the fraud department indicating that they had<br />
detected a suspicious duplication of the SIM card and, after the claimant confirmed<br />
that she had not requested it, the new SIM card was blocked,<br />
keeping the old one active.<br />
<br />
On the other hand, it states that said third party, using the information contained in the<br />
mobile phone, accessed her husband's bank account and made a transfer<br />
through BIZUM for a value of X.XXX euros.<br />
<br />
<br />
Along with the notification, the following relevant documentation is provided:<br />
<br />
Screenshot of the SMS received regarding the activation of the SIM card.<br />
<br />
Copy of the telephone bill showing a charge for the disputed duplicate<br />
of the SIM card.<br />
<br />
Complaint filed with the Ertzain-etxea of ***LOCALIDAD.1 on February 18,<br />
2022.<br />
<br />
Claim filed with the bank, with details of the bank<br />
movements.<br />
<br />
Complaint filed with the Kontsumobide-Basque Consumer Institute against<br />
Vodafone.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on<br />
the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), said claim was forwarded to the claimed party so that it could analyse<br />
it and inform this Agency, within one month, of the actions carried out to comply with<br />
the requirements established in the data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with Law 39/2015, of October 1,<br />
on the Common Administrative Procedure of Public Administrations (hereinafter,<br />
LPACAP), was received on April 26, 2022, as shown in the acknowledgment of<br />
receipt in the file.<br />
<br />
On May 13, 2022, this Agency received a written response from<br />
Vodafone stating the following: "A letter has been sent to the<br />
claimant by means of which she has been informed about the steps that<br />
were carried out by Vodafone to solve the incident and that it is<br />
currently resolved.<br />
<br />
In this sense, attached as Document number 1 is a copy of said letter sent<br />
to the claimant, through which she is informed, in particular, of the security<br />
policies available to Vodafone to prevent the making of duplicate<br />
SIM cards and that what happened has been classified as fraud by the<br />
Vodafone Fraud Department.<br />
<br />
In addition, she is informed that she regained full control over the affected line on<br />
the same day, February 17, 2022, and that the amount of 5 euros that was charged<br />
as a result of the duplicate SIM in question was reimbursed.<br />
<br />
After analyzing the claim and investigating what happened, Vodafone has been able to verify<br />
that, on February 17, 2022, a SIM change was processed on the line<br />
***PHONE.1, associated with customer ID ***ID.1 belonging to the claimant.<br />
<br />
Said SIM change was requested by telephone.<br />
<br />
<br />
My client managed to solve the incident that is the object of the claim effectively<br />
and completely on February 17, 2022, that is, prior to the receipt of the<br />
present request for information by the Agency.<br />
<br />
In order to prevent similar incidents from occurring, Vodafone continues to work<br />
on improving its Security Policies for its SIM change and SIM duplicate processes,<br />
as well as for any other process that carries potential risks of fraud or irregular<br />
actions for our clients.<br />
<br />
In this sense, since March 14, 2012, Vodafone acts under the Security Policy for<br />
the Contracting of Individuals, which has been updated progressively, and whose<br />
last modification was implemented on January 4, 2022. Through said Security<br />
Policy, my client establishes what type of information must be required from the<br />
client for each requested management.<br />
<br />
<br />
Likewise, it includes how to proceed in case a user does not pass the<br />
Security Policy, as well as preventive actions in fraud situations.<br />
The aforementioned Security Policy is mandatory for all<br />
Vodafone After-Sales Services, which are in charge of applying and respecting it.<br />
<br />
Attached as Document number 4 is a copy of Vodafone's Security Policy for<br />
individuals. As far as SIM card duplicates are concerned, it should be<br />
noted that Vodafone's objective is that all duplicates or card changes<br />
be done in person, since this is the safest way to guarantee that no<br />
irregular or fraudulent processes occur.<br />
<br />
Likewise, with regard to the processing of a duplicate SIM, in accordance<br />
with said Policies, and as was already explained to the Agency in<br />
File E/11418/2019, to make a SIM change by telephone it is<br />
necessary to complete and pass the Vodafone Security Policy for<br />
such scenarios. Said Policy foresees three specific scenarios in which<br />
the change of SIM card will proceed by telephone: (i) in those cases in which<br />
the platform in charge of managing the change of the SIM card fails in such a way<br />
that the SIM change cannot be made in our stores; (ii) if the client is a<br />
company and therefore prefers to make the change from the platform ***PLATAFORMA.1,<br />
in which case the SIM card is sent to the address of the company that appears in<br />
our systems; and (iii) if the customer is prepaid and therefore the SIM card can be<br />
shipped in cases of breakdown, loss/theft, incidents in the store and at the<br />
client's request.<br />
<br />
Likewise, and prior to verifying whether the applicant falls within<br />
the scope of the three previous cases, the Vodafone Customer Service Department,<br />
in accordance with said Security Policy, must invite the applicant to attend<br />
a Vodafone After-Sales Service ("SPV") to manage the change of SIM, in order to<br />
give the maximum guarantee of security to the process. In case the client<br />
is in one of the three scenarios considered above, the<br />
<br />
Vodafone Customer Service Department will check, prior to<br />
processing the SIM change, that none of the following circumstances exist:<br />
(i) there must not have been any change of address in the last month; (ii) there must<br />
not have been any previous SIM card shipments requested. It can be said that, in<br />
accordance with our Security Policies, non-compliance with either of the two<br />
above requirements will lead to the need to process the change of SIM in<br />
person in our stores. In those cases in which the applicant complies with<br />
the requirements of the previous paragraphs, the processing of the SIM change will<br />
depend on the following: (i) if the applicant calls from the same number for which<br />
the SIM change is requested, they will be asked for the Customer Service access<br />
code or ID; however, (ii) if the client does not call from the same number, the<br />
telephone number associated with the SIM ("MSISDN") will be requested together<br />
with the Customer Service access password or DNI.<br />
<br />
Additionally, it should be noted that all employees in the Customer Service<br />
Department have received training on the steps to follow to carry out<br />
SIM changes, through the guide available to all agents on the portal<br />
called "REDPLANET", which includes all of Vodafone's processes and procedures<br />
applicable to them and the steps to follow in each case, according to the<br />
circumstances.<br />
<br />
Therefore, if the processing of a SIM change and/or a change of ownership passes<br />
the above Vodafone Security Policies, we will proceed to carry out<br />
such procedures in accordance with what is indicated in said Policies, as my<br />
client considers the change to be authentic, real and truthful. Without prejudice to<br />
the above, since February 17, 2022, my client has carried out the procedures<br />
necessary to protect the claimant as a Vodafone customer. In this<br />
sense, my client, at the request of the interested party, proceeded to declare what<br />
happened as fraud, adopting the appropriate security measures on her account, and<br />
to resolve the different incidents that occurred with respect to the SIM card of the<br />
affected line ***PHONE.1.<br />
<br />
As a consequence of the classification of the facts as fraudulent by<br />
Vodafone, and in order to prevent future fraudulent practices on the<br />
services associated with the claimant, my client proceeded, on February 17,<br />
2022, to note in the claimant's client file that modifications, SIM changes,<br />
new registrations, portability and orders are only to be made if the<br />
caller calls from the line associated with the claimant and passes an additional<br />
process of reinforced security measures on her client ID.<br />
<br />
In addition, internal processes are being reviewed to ensure compliance with the<br />
defined Security Policies or to introduce the necessary changes when<br />
considered pertinent.<br />
<br />
Specifically, my client is working on the continuous improvement of:<br />
<br />
• Review of internal processes to ensure compliance with the Security Policies and<br />
verification controls that have been defined and incorporated, both in the<br />
face-to-face and telephone channels, for duplicate SIM scenarios.<br />
<br />
• Periodic reinforcement of the communication of the Security Policies and verifications<br />
that have been defined by Vodafone for SIM duplicates and that must be<br />
applied by agencies, commercial stores and agents.<br />
• Sending periodic communications to the face-to-face and telephone channels, as well<br />
as to the logistics operator, alerting them to the risk scenarios detected, their<br />
characteristics and behaviour patterns, in order to prevent new cases. These<br />
communications include details of how these requests are made, the channels<br />
through which they are requested, the documentation provided, a description of the<br />
handling, and the geographic areas where duplicate SIM cards are being<br />
collected/delivered.<br />
<br />
• Application, if applicable, of the existing Penalty Policy for agents or<br />
distributors who carry out any duplicate or change of a SIM card without the<br />
required documentation, or who carry out any SIM change management without<br />
following all the steps defined in the Security Policy.<br />
<br />
Regarding the fraudulent "BIZUM" transactions revealed by the claimant in her<br />
claim, it is appropriate to state that the change of a SIM card only implies access to<br />
the telephone line associated with it, and not to the bank details of the holder.<br />
<br />
Therefore, it does not seem possible that there is a correlation between the events<br />
that occurred in relation to my client and what happened with the bank of which the<br />
claimant is a customer. In this sense, the bank movements that she alleges in her<br />
claim do not have their origin in, nor have they been caused by, invoices for<br />
Vodafone services that she had contracted, but are due to accesses<br />
made through her bank account. Therefore, Vodafone cannot<br />
be held responsible for the accesses and banking movements that could have been<br />
made fraudulently.<br />
<br />
With all this, we can confirm that my client has currently carried out<br />
all pertinent actions to resolve the claim, considering that it<br />
was correctly resolved prior to the receipt of this<br />
letter. Attached, as Document number 5, is a report of the internal<br />
investigations carried out by Vodafone to resolve this incident".<br />
<br />
THIRD: On May 30, 2022, in accordance with article 65 of the<br />
LOPDGDD, the claim presented by the claimant party was admitted for processing.<br />
<br />
<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "Procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
II<br />
<br />
The claimed party is accused of committing an infringement for violation of article 6<br />
of the GDPR, "Lawfulness of processing", which indicates in its section 1 the cases in<br />
which the processing of data by third parties is considered lawful:<br />
<br />
"1. Processing will only be lawful if at least one of the following<br />
conditions is fulfilled:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data<br />
for one or more specific purposes;<br />
<br />
b) the processing is necessary for the performance of a contract to which the data<br />
subject is party or for the application, at the request of the latter, of pre-contractual<br />
measures;<br />
<br />
c) the processing is necessary for compliance with a legal obligation applicable to the<br />
controller;<br />
<br />
d) the processing is necessary to protect the vital interests of the data subject or of<br />
another natural person;<br />
<br />
e) the processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
<br />
f) the processing is necessary for the purposes of the legitimate interests pursued<br />
by the controller or by a third party, except where such interests are overridden by<br />
the interests or fundamental rights and freedoms of the data subject which require<br />
the protection of personal data, in particular where the data subject is a child. The<br />
provisions of letter f) of the first paragraph shall not apply to processing carried out<br />
by public authorities in the performance of their tasks."<br />
<br />
The infringement is typified in article 83.5 of the GDPR, which considers as such:<br />
<br />
"5. Infringements of the following provisions will be penalized, in accordance with<br />
section 2, with administrative fines of a maximum of 20,000,000 EUR or,<br />
in the case of a company, an amount equivalent to a maximum of 4% of the<br />
total annual global turnover of the previous financial year, whichever<br />
is higher:<br />
<br />
a) The basic principles for processing, including the conditions for<br />
consent in accordance with articles 5, 6, 7 and 9."<br />
<br />
<br />
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of<br />
Digital Rights (LOPDGDD), in its article 72, under the heading "Infringements<br />
considered very serious", provides:<br />
<br />
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,<br />
the infringements that constitute a substantial violation of the articles mentioned<br />
therein are considered very serious and will be time-barred after three years, and<br />
in particular the following:<br />
<br />
(…)<br />
<br />
a) The processing of personal data without the fulfillment of any of the conditions<br />
of lawfulness of processing established in article 6 of Regulation (EU) 2016/679."<br />
<br />
<br />
<br />
III<br />
<br />
In the present case, it is proven that Vodafone provided a duplicate of the claimant's<br />
SIM card to a third party, without her consent and without verifying the<br />
identity of said third party, who has accessed information contained in the mobile<br />
phone, such as bank details, passwords, email address and other<br />
personal data associated with the terminal. Thus, the claimed party did not verify the<br />
identity of the person who requested the duplicate SIM card and did not take the<br />
precautions necessary to prevent these events from occurring.<br />
<br />
Based on the foregoing, in the case analysed, the diligence used by the claimed<br />
party to identify the person who requested a duplicate SIM card is called into<br />
question.<br />
<br />
Indeed, it is accredited, as recognized by the claimed party in its written<br />
response to this Agency dated May 13, 2022, <<that after analyzing the<br />
claim and investigating what happened, Vodafone has been able to verify that, on<br />
February 17, 2022, a SIM change was processed on the line ***TELEPHONE.1,<br />
associated with the customer ID ***ID.1 belonging to the claimant.<br />
<br />
Said SIM change was requested by telephone.<br />
<br />
My client managed to solve the incident that is the object of the claim effectively<br />
and completely on February 17, 2022, that is, prior to the receipt of the<br />
present request for information by the Agency>>.<br />
<br />
<br />
In accordance with the evidence available at this procedural moment and<br />
without prejudice to what results from the investigation of the procedure, it is<br />
considered that the conduct of the claimed party could violate article 6.1 of the GDPR<br />
and may constitute the offense classified in article 83.5.a) of the aforementioned<br />
Regulation 2016/679.<br />
<br />
In this sense, Recital 40 of the GDPR states:<br />
<br />
"(40) In order for processing to be lawful, personal data should be processed on the<br />
basis of the consent of the data subject concerned or some other legitimate basis,<br />
laid down by law, either in this Regulation or in other Union or Member State law<br />
as referred to in this Regulation, including the necessity for compliance with the<br />
legal obligation to which the controller is subject or the necessity for the<br />
performance of a contract to which the data subject is party or in order to take<br />
steps at the request of the data subject prior to entering into a contract."<br />
<br />
IV.<br />
<br />
The determination of the sanction to be imposed in the present case requires<br />
observing the provisions of articles 83.1 and 2 of the GDPR, precepts that,<br />
respectively, provide the following:<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of administrative<br />
fines pursuant to this article in respect of infringements of this Regulation<br />
referred to in sections 4, 5 and 6 shall in each individual case be<br />
effective, proportionate and dissuasive."<br />
<br />
"2. Administrative fines will be imposed, depending on the circumstances of each<br />
individual case, in addition to or instead of the measures contemplated in<br />
article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an<br />
administrative fine and its amount, in each individual case due regard shall be given to:<br />
<br />
a) the nature, gravity and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing concerned, as well as<br />
the number of data subjects affected and the level of damage<br />
suffered by them;<br />
<br />
b) the intentional or negligent character of the infringement;<br />
<br />
c) any action taken by the controller or processor to<br />
mitigate the damage suffered by data subjects;<br />
<br />
d) the degree of responsibility of the controller or processor, taking into<br />
account the technical and organisational measures implemented by them pursuant to<br />
articles 25 and 32;<br />
<br />
e) any relevant previous infringements by the controller or processor;<br />
<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the manner in which the infringement became known to the supervisory authority, in<br />
particular whether, and if so to what extent, the controller or processor notified the<br />
infringement;<br />
<br />
i) where measures referred to in article 58, paragraph 2, have previously been ordered<br />
against the controller or processor concerned with regard to the<br />
same subject-matter, compliance with those measures;<br />
<br />
j) adherence to approved codes of conduct pursuant to article 40 or approved<br />
certification mechanisms pursuant to article 42; and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as financial benefits gained, or losses avoided, directly or indirectly,<br />
from the infringement."<br />
<br />
Within this section, the LOPDGDD contemplates in its article 76, entitled "Sanctions<br />
and corrective measures":<br />
<br />
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation<br />
(EU) 2016/679 will be applied taking into account the graduation criteria<br />
established in section 2 of said article.<br />
<br />
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679,<br />
the following may also be taken into account:<br />
<br />
a) The continuing nature of the offence.<br />
<br />
b) The link between the activity of the offender and the performance of personal<br />
data processing.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
<br />
d) The possibility that the conduct of the affected party could have led to the<br />
commission of the offence.<br />
<br />
e) The existence of a merger by absorption process subsequent to the commission of the<br />
violation, which cannot be attributed to the absorbing entity.<br />
<br />
f) The affectation of the rights of minors.<br />
<br />
g) Having, when it is not mandatory, a data protection officer.<br />
<br />
h) Submission by the controller or processor, on a voluntary basis, to<br />
alternative dispute resolution mechanisms, in those cases in which<br />
there are disputes between them and any interested party.<br />
<br />
3. The adoption, when appropriate, of the remaining corrective measures referred to in<br />
article 83.2 of Regulation (EU) 2016/679 will be possible, on a complementary or<br />
alternative basis."<br />
<br />
In accordance with the transcribed precepts, and without prejudice to what results<br />
from the investigation of the procedure, in order to set the amount of the fine to be<br />
imposed on the claimed entity as responsible for an infringement classified in<br />
article 83.5.a) of the GDPR and 72.1 b) of the LOPDGDD, in an initial assessment,<br />
the following factors are considered concurrent in this case:<br />
<br />
As aggravating factors:<br />
<br />
- The evident link between the business activity of the claimed party and the<br />
processing of personal data of clients or third parties (article 83.2.k) of the<br />
GDPR in relation to article 76.2.b) of the LOPDGDD).<br />
<br />
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), in which,<br />
with respect to entities whose activity entails the continuous processing of<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 10/13<br />
customer data, indicates that "...the Supreme Court has understood that<br />
recklessness exists whenever a legal duty of care is neglected, that is,<br />
when the offender does not behave with the required diligence. And in the<br />
assessment of the degree of diligence, special consideration must be given to the<br />
professionalism or not of the subject, and there is no doubt that, in the case now<br />
examined, when the appellant's activity involves the constant and abundant<br />
handling of personal data, rigour and exquisite care in complying with the<br />
legal provisions in this regard must be insisted upon.”<br />
<br />
As mitigating factors:<br />
<br />
<br />
The claimed party proceeded to resolve the incident that is the subject of the claim<br />
effectively and in full on February 17, 2022, as soon as it became aware of the<br />
facts (art. 83.2 c).<br />
<br />
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of<br />
€70,000 for the alleged violation of article 6.1), typified in article 83.5.a) of the<br />
cited GDPR.<br />
<br />
Therefore, in accordance with the foregoing, the Director of the Spanish Data<br />
Protection Agency<br />
<br />
AGREES:<br />
<br />
FIRST: INITIATE SANCTION PROCEDURE against VODAFONE ESPAÑA,<br />
S.A.U. with NIF A80907397, for the alleged violation of article 6.1), typified in<br />
article 83.5.a) of the aforementioned GDPR.<br />
<br />
<br />
SECOND: APPOINT as instructor Mr. B.B.B. and as secretary Ms. C.C.C.,<br />
indicating that either of them may be challenged, if applicable, in accordance with the provisions<br />
established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime<br />
of the Public Sector (LRJSP).<br />
<br />
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the<br />
claim filed by the claimant and its documentation, and the documents<br />
obtained and generated by the General Subdirectorate of Data Inspection.<br />
<br />
FOURTH: THAT, for the purposes provided for in art. 64.2 b) of Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations, the<br />
sanction that could correspond for the infringement of article 6.1 of the GDPR,<br />
typified in article 83.5 a) of the GDPR, would be a<br />
fine for an amount of 70,000 euros (seventy thousand euros), without prejudice to what results<br />
from the instruction.<br />
<br />
FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF<br />
A80907397, granting a hearing period of ten business days to formulate<br />
allegations and present the evidence it deems appropriate. In its written<br />
allegations it must provide its NIF and the procedure number that appears in the<br />
heading of this document.<br />
<br />
If, within the stipulated period, it does not make allegations to this initial agreement, the same<br />
may be considered a resolution proposal, as established in article<br />
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, in the event that the<br />
sanction to be imposed is a fine, it may acknowledge its responsibility within the<br />
term granted for the formulation of allegations to the present initiation agreement, which<br />
will entail a reduction of 20% of the sanction that should be imposed<br />
in this proceeding, equivalent in this case to fourteen thousand euros (€14,000).<br />
With the application of this reduction, the amount of the sanction would be established at<br />
fifty-six thousand euros (€56,000), resolving the procedure with the imposition<br />
of this sanction.<br />
In the same way, it may, at any time prior to the resolution of this<br />
procedure, carry out the voluntary payment of the proposed sanction, in<br />
accordance with the provisions of article 85.2 LPACAP, which will mean a<br />
reduction of 20% of its amount, equivalent in this case to fourteen thousand<br />
euros (€14,000), for the alleged offence. With the application of this reduction, the<br />
amount of the sanction would be established at fifty-six thousand euros (€56,000) and<br />
its payment will imply the termination of the procedure.<br />
<br />
The reduction for the voluntary payment of the penalty is cumulative with that which<br />
applies for acknowledgment of responsibility, provided that this acknowledgment<br />
of responsibility is made within the period granted to formulate<br />
allegations at the opening of the procedure. Voluntary payment of the amount referred to<br />
in the previous paragraph may be made at any time prior to the resolution. In<br />
this case, if both reductions were applied, the amount of the penalty would be<br />
established at forty-two thousand euros (€42,000).<br />
<br />
In any case, the effectiveness of either of the two aforementioned reductions will be<br />
conditioned on the withdrawal or waiver of any administrative action or appeal<br />
against the sanction.<br />
<br />
In the event that you choose to proceed with the voluntary payment of either of the amounts<br />
previously indicated, 56,000 euros or 42,000 euros, you must make it effective<br />
by depositing it in account number ES00 0000 0000 0000 0000 0000, opened in the<br />
name of the Spanish Data Protection Agency at CAIXABANK,<br />
S.A., indicating in the payment reference the procedure number that appears in<br />
the heading of this document and the reduction of the amount to which<br />
you avail yourself.<br />
<br />
Likewise, you must send proof of payment to the General Subdirectorate of<br />
Inspection to continue with the procedure in accordance with the amount<br />
paid.<br />
<br />
The procedure will have a maximum duration of nine months from the<br />
date of the initiation agreement or, where appropriate, of the draft initiation agreement.<br />
After this period, it will lapse and, consequently, the proceedings will be<br />
closed, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
<br />
Finally, it is noted that in accordance with the provisions of article 112.1 of the<br />
LPACAP, there is no administrative appeal against this act.<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
>><br />
<br />
SECOND: On October 21, 2022, the claimed party paid<br />
the sanction in the amount of 56,000 euros, applying one of the two<br />
reductions provided for in the Commencement Agreement transcribed above. Therefore,<br />
acknowledgment of responsibility has not been accredited.<br />
<br />
THIRD: The payment made entails the waiver of any administrative action or appeal<br />
against the sanction, in relation to the facts referred to in the<br />
Commencement Agreement.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
<br />
II<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter LPACAP), under the heading<br />
"Termination in disciplinary proceedings", provides the following:<br />
<br />
"1. Once a disciplinary procedure has been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction has only a pecuniary nature, or it is possible to impose a<br />
pecuniary sanction and another of a non-pecuniary nature but the<br />
inappropriateness of the second has been justified, the voluntary payment by the presumed perpetrator, at<br />
any moment prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the offence.<br />
<br />
<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
competent body to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
<br />
The percentage reduction provided for in this section may be increased<br />
according to regulations."<br />
<br />
According to what has been stated, the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: DECLARE the termination of procedure EXP202203914, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
<br />
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, interested parties may file a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
referred Law.<br />
<br />
<br />
937-181022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202203914&diff=29999AEPD (Spain) - EXP2022039142022-12-19T12:44:47Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00290-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00290-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=07.03.2022<br />
|Date_Decided=<br />
|Date_Published=15.12.2022<br />
|Year=<br />
|Fine=70,000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=<br />
|GDPR_Article_Link_2=<br />
|GDPR_Article_3=<br />
|GDPR_Article_Link_3=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=<br />
|National_Law_Link_1=<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
<br />
|Party_Name_1=VODAFONE ESPAÑA, S.A.U.<br />
|Party_Link_1=https://www.vodafone.es/c/conocenos/es/vodafone-espana/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa Lopez Carro<br />
|<br />
}}<br />
<br />
Spanish DPA fined Vodafone Spain €70,000 for duplicating a customer's SIM card without their consent or knowledge.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 17 February 2022, Vodafone España, S.A.U. (the controller) provided a duplicate of the data subject's SIM card to a third party without their authorisation. The data subject found out after receiving an SMS from the controller confirming the successful activation of the new SIM card.<br />
<br />
Later on, the controller's fraud department contacted the data subject to confirm that the SIM duplicate was fraudulent, and proceeded to block the new SIM card.<br />
<br />
Before the deactivation, the third party, using the fraudulent SIM card, accessed the data subject's husband's bank account and made a transfer of an undisclosed amount.<br />
<br />
=== Holding ===<br />
The Spanish DPA held that the controller had violated article 6(1) GDPR by duplicating the data subject's SIM card without their consent and without verifying the identity of the requesting third party. In this sense, the DPA questioned the diligence of the controller in identifying the person who requested a duplicate SIM card.<br />
<br />
The DPA found the controller's infringement of [[Article 6 GDPR#1|Article 6(1) GDPR]] was “very serious” and imposed a €70,000 fine. The DPA took into account the aggravating circumstance of the link between the controller's business activity and the processing of personal data of customers or third parties, and the mitigating circumstance of the controller's rapid handling and resolution of the data subject's complaint.<br />
<br />
Benefiting from a Spanish administrative law provision which allows for voluntary payment of the penalty, the controller paid €56,000 for the termination of the procedure. The controller declined the Spanish DPA's offer of acknowledgment of responsibility, which would have further reduced the amount to €42,000.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/13<br />
File No.: EXP202203914<br />
<br />
RESOLUTION OF TERMINATION OF THE PROCEDURE DUE TO VOLUNTARY<br />
PAYMENT<br />
<br />
<br />
In the procedure instructed by the Spanish Data Protection Agency and based on<br />
the following<br />
<br />
BACKGROUND<br />
<br />
<br />
FIRST: On September 23, 2022, the Director of the Spanish Data Protection<br />
Agency agreed to initiate a sanctioning procedure against VODAFONE<br />
ESPAÑA, S.A. (hereinafter, the claimed party), through the Agreement<br />
transcribed below:<br />
<br />
<br />
<<<br />
<br />
<br />
<br />
File No.: EXP202203914<br />
<br />
<br />
<br />
AGREEMENT TO START THE SANCTION PROCEDURE<br />
<br />
In the actions carried out by the Spanish Data Protection Agency and<br />
based on the following:<br />
<br />
FACTS<br />
<br />
<br />
<br />
FIRST: Ms. A.A.A. (hereinafter, the claiming party), on March 7,<br />
2022, filed a claim with the Spanish Data Protection Agency. The<br />
claim is directed against VODAFONE ESPAÑA, S.A.U. with NIF A80907397 (hereinafter,<br />
the claimed party or Vodafone). The reasons on which the claim is based<br />
are the following:<br />
<br />
<br />
The claimant states that on February 17, 2022, the claimed entity, without her<br />
authorization, provided a duplicate of her SIM card to a third party. She became aware of<br />
the facts after receiving an SMS from said entity informing her of the successful activation<br />
of her new SIM.<br />
<br />
<br />
Later she received a call from the fraud department indicating that they had<br />
detected a suspicious duplication of the SIM card and, after the claimant confirmed<br />
that she had not requested it, the new SIM card was blocked,<br />
keeping the old one active.<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/13<br />
On the other hand, she states that said third party, using the information contained in the<br />
mobile phone, accessed her husband's bank account and made a transfer<br />
through BIZUM for a value of X.XXX euros.<br />
<br />
<br />
Along with the notification, the following relevant documentation is provided:<br />
<br />
- Screenshot of the SMS received regarding the activation of the SIM card.<br />
<br />
- Copy of the telephone bill showing a charge for the disputed duplicate<br />
of the SIM card.<br />
<br />
- Complaint filed with the Ertzain-etxea of ***LOCALIDAD.1, on the 18th of<br />
February 2022.<br />
<br />
- Claim filed with the bank, with details of the bank<br />
movements.<br />
<br />
- Complaint filed with the Kontsumobide-Basque Consumer Institute against<br />
Vodafone.<br />
<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5,<br />
on the Protection of Personal Data and guarantee of digital rights (hereinafter<br />
LOPDGDD), said claim was transferred to the claimed party, so that it could<br />
proceed with its analysis and inform this Agency within a month of the<br />
actions carried out to comply with the requirements established in the<br />
data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations<br />
(hereinafter, LPACAP), was received on April 26, 2022, as<br />
appears in the acknowledgment of receipt that is in the file.<br />
<br />
On May 13, 2022, this Agency received a written response from<br />
Vodafone stating the following: "A letter has been sent to the<br />
claimant informing her about the steps that<br />
were carried out by Vodafone to solve the incident and that it<br />
is currently resolved.<br />
<br />
In this sense, attached as Document number 1 is a copy of said letter sent<br />
to the claimant, through which she is informed, in particular, of the security<br />
policies available to Vodafone to prevent the making of duplicate<br />
SIM cards, and that what happened has been classified as fraud by the<br />
Vodafone Fraud Department.<br />
<br />
In addition, she is informed that she regained full control over the affected line on the<br />
same day, February 17, 2022, and that the amount of 5 euros that was charged<br />
as a result of the making of the duplicate SIM in<br />
question was reimbursed.<br />
<br />
After analyzing the claim and investigating what happened, Vodafone has been able to verify<br />
that, on February 17, 2022, a SIM change was processed on the line<br />
***PHONE.1, associated with customer ID ***ID.1 belonging to the claimant.<br />
<br />
Said SIM change was requested by telephone.<br />
<br />
<br />
My client managed to solve the incident that is the object of the claim effectively<br />
and completely on February 17, 2022, that is, prior to the receipt of the<br />
present request for information from the Agency.<br />
<br />
In order to prevent similar incidents from occurring, Vodafone works<br />
continuously to improve the Security Policies for its SIM change and<br />
duplicate processes, as well as for any other process that carries potential risks<br />
of fraud or irregular actions for our clients.<br />
<br />
In this sense, since March 14, 2012, Vodafone has acted under the Security<br />
Policy for Contracting by Individuals, which has been updated<br />
progressively, and whose last modification was implemented on January 4,<br />
2022. Through said Security Policy, my client establishes what<br />
type of information must be required from the client for each requested transaction.<br />
<br />
<br />
Likewise, it sets out how to proceed in case a user does not pass the<br />
Security Policy, as well as preventive actions in fraud situations.<br />
The aforementioned Security Policy is mandatory for all<br />
Vodafone After-Sales Services, which are in charge of applying and respecting it.<br />
<br />
Attached as Document number 4 is a copy of the Vodafone Security Policy for<br />
individuals. As far as SIM card duplicates are concerned, it should be<br />
indicated that Vodafone's objective is that all duplicates or card changes<br />
be done in person, since it is the safest way to guarantee that no<br />
irregular or fraudulent processes occur.<br />
<br />
Likewise, with regard to the processing of a duplicate SIM, in accordance<br />
with said Policies, and as was already set out before the Agency within<br />
File E/11418/2019, to make a SIM change by telephone it is<br />
necessary to carry out and pass the Vodafone Security Policy for<br />
such scenarios. Said Policy foresees three specific scenarios in which<br />
the change of SIM card may proceed by telephone: (i) in those cases in which<br />
the platform in charge of managing the change of the SIM card fails in such a way<br />
that the SIM change cannot be made in our stores; (ii) if the client is a<br />
company and therefore prefers to make the change from the platform ***PLATAFORMA.1,<br />
in which case the SIM card is sent to the address of the company that appears in<br />
our systems; and (iii) if the customer is prepaid, in which case the SIM card can be<br />
shipped in cases of breakdown, loss/theft, incident in the store and at the<br />
client's request.<br />
<br />
<br />
Likewise, and prior to verifying whether the applicant falls under<br />
the scope of the three previous cases, the Customer Service Department of<br />
Vodafone, in accordance with said Security Policy, must invite the applicant<br />
to manage the change of SIM before a Vodafone After-Sales Service (“SPV”) to<br />
give the maximum guarantee of security to the process. In case the client<br />
is in one of the three scenarios considered above, the<br />
Vodafone Customer Service Department will check, prior to<br />
managing the SIM change, that none of the following circumstances exist:<br />
(i) there must not be any change of address in the last month; (ii) there must not have been<br />
any previous SIM card shipments requested. It can be said that, in accordance with<br />
our Security Policies, non-compliance with either of the two<br />
above requirements will lead to the need to process the change of SIM<br />
in person in our stores. In those cases in which the applicant complies with<br />
the requirements of the previous paragraphs, the processing of the SIM change will depend<br />
on the following: (i) if the applicant calls from the same number on which he is going to<br />
request the change of SIM, he will be asked for the Customer Service access code<br />
or ID (DNI); however, (ii) if the client does not call from the same number,<br />
the telephone number associated with the SIM (“MSISDN”) will be requested together with the<br />
Customer Service access password or DNI.<br />
<br />
Additionally, it should be noted that all employees in the Customer Service<br />
Department have received training on the steps to follow to carry out<br />
SIM changes, through the guide available to all agents on the portal<br />
called "REDPLANET", which includes all the Vodafone processes and procedures<br />
that are applicable to them and the steps to follow in each case, according to the<br />
circumstances.<br />
<br />
Therefore, if the processing of a SIM change and/or a change of ownership passes<br />
the previous Vodafone Security Policies, we will proceed to carry out<br />
such procedures in accordance with what is indicated in said Policies, as my<br />
client considers the change to be authentic, real and truthful. Without prejudice to the above,<br />
since February 17, 2022, my client has carried out the procedures<br />
in order to protect the claimant as a Vodafone customer. In this<br />
sense, my client, at the request of the interested party, proceeded to declare what happened<br />
as fraud, adopting the appropriate security measures on her account, and<br />
to solve the different incidents that occurred with respect to the SIM card of the<br />
affected line ***PHONE.1.<br />
<br />
As a consequence of the classification of the facts as fraudulent by<br />
Vodafone, and in order to prevent future fraudulent practices on the<br />
services associated with the claimant, my client proceeded, on February 17,<br />
2022, to note in the claimant's client file that modifications, SIM changes,<br />
new registrations, portability and orders are only to be made if the<br />
interlocutor calls from the line associated with the claimant and manages to pass an additional<br />
process of reinforced security measures on her client ID.<br />
<br />
In addition, internal processes are being reviewed to ensure compliance with the<br />
defined Security Policies or to introduce the necessary changes when<br />
considered pertinent.<br />
<br />
Specifically, my client is working on the continuous improvement of:<br />
<br />
• Review of internal processes to ensure compliance with the Security Policies and<br />
verification controls that have been defined and incorporated, both in the<br />
face-to-face and telephone channels, for duplicate SIM scenarios.<br />
<br />
• Periodic reinforcement of communication of the Security Policies and verifications<br />
that have been defined by Vodafone for SIM duplicates and that must be<br />
applied by agencies, commercial stores and agents.<br />
<br />
• Sending periodic communications to the face-to-face and telephone channels, as well as to the<br />
logistics operator, alerting them to the risk scenarios detected, their<br />
characteristics and behaviour patterns, to prevent new cases. These<br />
communications include details of how these requests are produced, the channels<br />
through which they are requested, the documentation provided, a description of the<br />
handling, and the geographic areas where the duplicate SIM cards are being<br />
collected/delivered.<br />
<br />
• Application, if applicable, of the existing Penalty Policy for agents or<br />
distributors who carry out any duplicate or change of a SIM card without having the<br />
required documentation, or who carry out any SIM change management without<br />
following all the steps defined in the Security Policy.<br />
<br />
Regarding the fraudulent "BIZUM" transactions<br />
revealed by the claimant in her claim, it is<br />
opportune to state that the change of a SIM card only implies access to the<br />
telephone line associated with it, and not to the bank details of the holder.<br />
<br />
<br />
Therefore, it does not seem possible that there is a correlation between the events that occurred in<br />
relation to my client and what happened with the bank of which<br />
the claimant is a client. In this sense, the bank movements that she alleges in her<br />
claim do not have their origin in, nor have they been caused by, invoices for<br />
Vodafone services that she had contracted, but are due to accesses<br />
made through her bank account. Therefore, Vodafone cannot<br />
be responsible for the accesses and banking movements that could have been<br />
made fraudulently.<br />
<br />
With all this, we can confirm that my client has currently carried out<br />
all pertinent actions to resolve the claim, considering that it<br />
was correctly resolved prior to the receipt of this<br />
letter. Attached, as Document number 5, is the report of the internal<br />
investigations carried out by Vodafone to solve this incident”.<br />
<br />
THIRD: On May 30, 2022, in accordance with article 65 of the<br />
LOPDGDD, the claim presented by the claimant party was admitted for processing.<br />
<br />
<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR) grants each<br />
supervisory authority, and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
dictated in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures.”<br />
<br />
<br />
II<br />
<br />
The defendant is accused of committing an infringement of article 6<br />
of the GDPR, "Lawfulness of processing", which in its section 1 sets out the cases in<br />
which the processing of data by third parties is considered lawful:<br />
<br />
"1. Processing shall be lawful only if at least one of the following<br />
conditions is met:<br />
<br />
a) the data subject has given consent to the processing of his or her personal data<br />
for one or more specific purposes;<br />
<br />
b) processing is necessary for the performance of a contract to which the data subject<br />
is party or in order to take steps at the request of the data subject prior to entering into a contract;<br />
<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
<br />
d) processing is necessary in order to protect the vital interests of the data subject or of another<br />
natural person;<br />
<br />
e) processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
<br />
f) processing is necessary for the purposes of the legitimate interests pursued<br />
by the controller or by a third party, except where such interests are<br />
overridden by the interests or fundamental rights and freedoms of the<br />
data subject which require protection of personal data, in particular where the<br />
data subject is a child. Point (f) of the first subparagraph shall not<br />
apply to processing carried out by public authorities in the performance of their<br />
tasks”.<br />
<br />
The infringement is typified in article 83.5 of the GDPR, which considers as such:<br />
<br />
"5. Infringements of the following provisions shall, in accordance with<br />
paragraph 2, be subject to administrative fines of up to 20,000,000 EUR or,<br />
in the case of an undertaking, up to 4% of the total worldwide annual<br />
turnover of the preceding financial year, whichever is higher:<br />
<br />
a) The basic principles for processing, including the conditions for<br />
consent, pursuant to articles 5, 6, 7 and 9.”<br />
<br />
<br />
Organic Law 3/2018, on the Protection of Personal Data and Guarantee of<br />
Digital Rights (LOPDGDD), in its article 72, under the heading "Infringements<br />
considered very serious”, provides:<br />
<br />
"1. In accordance with what is established in article 83.5 of Regulation (EU) 2016/679,<br />
the infringements that constitute a substantial violation of the articles mentioned<br />
therein and, in particular, the following, are considered very serious and shall be<br />
time-barred after three years:<br />
<br />
(…)<br />
<br />
a) The processing of personal data without any of the conditions of lawfulness<br />
of processing established in article 6 of Regulation (EU) 2016/679 being met.”<br />
<br />
<br />
<br />
III<br />
<br />
In the present case, it is proven that Vodafone provided a duplicate of the<br />
claimant's SIM card to a third party, without the claimant's consent and without verifying<br />
the identity of said third party, who then accessed information contained in the<br />
mobile phone, such as bank details, passwords, email address and other<br />
personal data associated with the terminal. Thus, the defendant did not verify the<br />
identity of the person who requested the duplicate SIM card, and did not take the<br />
precautions necessary to prevent these events from occurring.<br />
<br />
Based on the foregoing, what is at issue in the case analyzed is the<br />
diligence used by the defendant to identify the person who requested<br />
a duplicate SIM card.<br />
<br />
Well, it is accredited, as recognized by the claimed party in its written<br />
response to this Agency dated May 13, 2022, <<that after analyzing the<br />
claim and investigating what happened, Vodafone has been able to verify that, on<br />
February 17, 2022, a SIM change was processed on the line ***TELEPHONE.1,<br />
associated with the customer ID ***ID.1 belonging to the claimant.<br />
<br />
Said SIM change was requested by telephone.<br />
<br />
My client managed to solve the incident that is the object of the claim effectively<br />
and completely on February 17, 2022, that is, prior to the receipt of the<br />
present request for information by the Agency>>.<br />
<br />
<br />
In accordance with the evidence available at this procedural moment and<br />
without prejudice to what results from the investigation of the procedure, it is considered that the<br />
conduct of the claimed party could violate article 6.1 of the GDPR and may<br />
constitute the offense classified in article 83.5.a) of the aforementioned Regulation<br />
2016/679.<br />
<br />
In this sense, Recital 40 of the GDPR states:<br />
<br />
<br />
"(40) In order for processing to be lawful, personal data should be processed on the<br />
basis of the consent of the data subject concerned or some other legitimate basis, laid<br />
down by law, either in this Regulation or in other Union or Member State law<br />
as referred to in this Regulation, including the necessity for compliance with the<br />
legal obligation to which the controller is subject or the necessity for the<br />
performance of a contract to which the data subject is party or in order to<br />
take steps at the request of the data subject prior to entering into a<br />
contract."<br />
<br />
IV.<br />
<br />
The determination of the sanction that should be imposed in the present case requires<br />
observing the provisions of articles 83.1 and 2 of the GDPR, precepts that,<br />
respectively, provide the following:<br />
<br />
"1. Each supervisory authority shall ensure that the imposition of administrative<br />
fines pursuant to this article in respect of infringements of this<br />
Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be<br />
effective, proportionate and dissuasive.”<br />
<br />
"2. Administrative fines shall, depending on the circumstances of each individual<br />
case, be imposed in addition to, or instead of, the measures referred to in<br />
Article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an<br />
administrative fine and its amount in each individual case, due regard shall be given to:<br />
<br />
a) the nature, gravity and duration of the infringement, taking into account the<br />
nature, scope or purpose of the processing operation in question, as well<br />
as the number of data subjects affected and the level of damage they<br />
have suffered;<br />
<br />
b) the intentional or negligent character of the infringement;<br />
<br />
c) any measure taken by the controller or processor to<br />
mitigate the damage suffered by the data subjects;<br />
<br />
d) the degree of responsibility of the controller or processor, taking into<br />
account the technical or organisational measures applied pursuant to<br />
articles 25 and 32;<br />
<br />
e) any previous infringement committed by the controller or processor;<br />
<br />
f) the degree of cooperation with the supervisory authority in order to remedy the<br />
infringement and mitigate the possible adverse effects of the infringement;<br />
<br />
g) the categories of personal data affected by the infringement;<br />
<br />
h) the manner in which the supervisory authority became aware of the infringement, in<br />
particular whether the controller or processor notified the infringement and, if so, to what<br />
extent;<br />
<br />
i) where the measures indicated in article 58, paragraph 2, have been ordered<br />
previously against the controller or processor in relation to the<br />
same matter, compliance with said measures;<br />
<br />
j) adherence to codes of conduct under article 40 or to certification<br />
mechanisms approved in accordance with article 42, and<br />
<br />
k) any other aggravating or mitigating factor applicable to the circumstances of the case,<br />
such as the financial benefits obtained or the losses avoided, directly or<br />
indirectly, through the infringement.”<br />
<br />
Within this section, the LOPDGDD contemplates in its article 76, entitled "Sanctions<br />
and corrective measures”:<br />
<br />
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation<br />
(UE) 2016/679 will be applied taking into account the graduation criteria<br />
established in section 2 of said article.<br />
<br />
<br />
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679<br />
may also be taken into account:<br />
<br />
a) The continuing nature of the offence.<br />
<br />
b) The link between the activity of the offender and the performance of personal<br />
data processing.<br />
<br />
c) The benefits obtained as a consequence of the commission of the infraction.<br />
<br />
d) The possibility that the conduct of the affected party could have led to the commission<br />
of the offence.<br />
<br />
<br />
e) The existence of a merger by absorption process subsequent to the commission of the<br />
violation, which cannot be attributed to the absorbing entity.<br />
<br />
f) The affectation of the rights of minors.<br />
<br />
<br />
g) Having, when it is not mandatory, a data protection officer.<br />
<br />
h) Submission by the person responsible or in charge, on a voluntary basis, to<br />
alternative conflict resolution mechanisms, in those cases in which<br />
there are controversies between those and any interested party.<br />
<br />
<br />
3. Complementarily or alternatively, the adoption, when appropriate, of<br />
the remaining corrective measures referred to in article 83.2 of Regulation<br />
(EU) 2016/679 shall be possible.”<br />
<br />
In accordance with the transcribed precepts, and without prejudice to what results from the<br />
investigation of the procedure, in order to set the amount of the fine to<br />
impose on the entity claimed as responsible for an infringement classified in<br />
article 83.5.a) of the GDPR and 72.1 b) of the LOPDGDD, in an initial assessment,<br />
the following factors are considered concurrent in this case:<br />
<br />
As aggravating factors:<br />
<br />
<br />
- The evident link between the business activity of the defendant and the<br />
processing of personal data of clients or third parties (article 83.2.k, of the<br />
GDPR in relation to article 76.2.b, of the LOPDGDD).<br />
<br />
The Judgment of the National Court of 10/17/2007 (rec. 63/2006), which,<br />
with respect to entities whose activity entails the continuous processing of<br />
customer data, indicates that "...the Supreme Court has understood that<br />
negligence exists whenever a legal duty of care is neglected, that is,<br />
when the offender does not behave with the required diligence. And in the<br />
assessment of the degree of diligence, special consideration must be given to the<br />
professionalism or otherwise of the subject, and there is no doubt that, in the case now<br />
examined, when the appellant's activity involves constant and abundant<br />
handling of personal data, it must insist on rigour and exquisite<br />
care in complying with the legal provisions in this regard.”<br />
<br />
As mitigating factors:<br />
<br />
<br />
The claimed party proceeded to resolve the incident that is the subject of the claim<br />
effectively and in full on February 17, 2022, as soon as it became aware of the<br />
facts (art. 83.2 c).<br />
<br />
It is appropriate to graduate the sanction to be imposed on the defendant and set it at the amount of 70,000<br />
€ for the alleged violation of article 6.1) typified in article 83.5.a) of the<br />
cited GDPR.<br />
<br />
Therefore, in accordance with the foregoing, the Director of the Spanish<br />
Data Protection Agency<br />
<br />
AGREES:<br />
<br />
FIRST: INITIATE SANCTION PROCEDURE against VODAFONE SPAIN,<br />
S.A.U. with NIF A80907397, for the alleged violation of article 6.1) typified in the<br />
Article 83.5.a) of the aforementioned GDPR.<br />
<br />
<br />
SECOND: APPOINT as instructor Mr. B.B.B. and as secretary Ms. C.C.C.,<br />
indicating that either of them may be challenged, if applicable, in accordance with the provisions<br />
established in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime<br />
of the Public Sector (LRJSP).<br />
<br />
THIRD: INCORPORATE into the disciplinary file, for evidentiary purposes, the<br />
claim filed by the claimant and its documentation, and the documents<br />
obtained and generated by the General Subdirectorate of Data Inspection.<br />
<br />
FOURTH: THAT for the purposes provided for in art. 64.2 b) of Law 39/2015, of 1<br />
October, on the Common Administrative Procedure of Public Administrations, the<br />
sanction that could correspond for the infringement of article 6.1 of the GDPR,<br />
typified in article 83.5 a) of the GDPR, would be a<br />
fine for an amount of 70,000 euros (seventy thousand euros), without prejudice to what results<br />
from the investigation.<br />
<br />
FIFTH: NOTIFY this agreement to VODAFONE ESPAÑA, S.A.U. with NIF<br />
A80907397, granting a hearing period of ten business days to formulate<br />
allegations and present the evidence it deems appropriate. In its written<br />
allegations it must provide its NIF and the procedure number that appears in the<br />
heading of this document.<br />
<br />
If, within the stipulated period, it does not make allegations to this initial agreement, the same<br />
may be considered a resolution proposal, as established in article<br />
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP).<br />
<br />
In accordance with the provisions of article 85 of the LPACAP, in the event that the<br />
sanction to be imposed is a fine, it may acknowledge its responsibility within the<br />
period granted for the formulation of allegations to the present initiation agreement; this<br />
will entail a reduction of 20% of the sanction that should be imposed<br />
in this proceeding, equivalent in this case to fourteen thousand euros (€14,000).<br />
With the application of this reduction, the amount of the sanction would be established at<br />
fifty-six thousand euros (€56,000), resolving the procedure with the imposition<br />
of this sanction.<br />
<br />
In the same way, it may, at any time prior to the resolution of this<br />
procedure, make voluntary payment of the proposed sanction, in<br />
accordance with the provisions of article 85.2 LPACAP, which will mean a<br />
reduction of 20% of the amount of the same, equivalent in this case to fourteen thousand<br />
euros (€14,000), for the alleged offence. With the application of this reduction, the<br />
amount of the sanction would be established at fifty-six thousand euros (€56,000) and<br />
its payment will imply the termination of the procedure.<br />
<br />
The reduction for the voluntary payment of the penalty is cumulative with the one that<br />
applies for acknowledgment of responsibility, provided that this acknowledgment<br />
of responsibility is made within the period granted to formulate<br />
allegations at the opening of the procedure. Voluntary payment of the amount referred to<br />
in the previous paragraph may be made at any time prior to the resolution. In<br />
this case, if both reductions were to be applied, the amount of the penalty would be<br />
established at forty-two thousand euros (€42,000).<br />
<br />
In any case, the effectiveness of any of the two aforementioned reductions will be<br />
conditioned to the withdrawal or resignation of any action or appeal via<br />
administrative against the sanction.<br />
<br />
In the event that you choose to proceed with the voluntary payment of any of the amounts<br />
previously indicated, 56,000 euros or 42,000 euros, you must make it effective<br />
by depositing it in account number ES00 0000 0000 0000 0000 0000, opened in the<br />
name of the Spanish Data Protection Agency at CAIXABANK,<br />
S.A., indicating in the concept the reference number of the procedure that appears in<br />
the heading of this document and the reason for the reduction of the amount<br />
applied.<br />
<br />
Likewise, you must send proof of payment to the General Subdirectorate of<br />
Inspection in order to continue with the procedure in accordance with the amount<br />
paid.<br />
<br />
The procedure will have a maximum duration of nine months from the<br />
date of the initiation agreement or, where appropriate, of the draft initiation agreement.<br />
After this period, it will expire and, consequently, the proceedings will be<br />
filed, in accordance with the provisions of article 64 of the LOPDGDD.<br />
<br />
<br />
Finally, it is noted that in accordance with the provisions of article 112.1 of the<br />
LPACAP, there is no administrative appeal against this act.<br />
<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
>><br />
<br />
SECOND: On October 21, 2022, the claimed party proceeded to pay<br />
the sanction in the amount of 56,000 euros, making use of one of the two<br />
reductions provided for in the Commencement Agreement transcribed above. Therefore,<br />
the acknowledgment of responsibility has not been accredited.<br />
<br />
THIRD: The payment made entails the waiver of any action or appeal<br />
against the sanction, in relation to the facts referred to in the<br />
Commencement Agreement.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
I<br />
<br />
Competence<br />
<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679<br />
(General Data Protection Regulation, hereinafter GDPR), grants each<br />
supervisory authority and as established in articles 47, 48.1, 64.2 and 68.1 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish<br />
Data Protection Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures<br />
processed by the Spanish Data Protection Agency will be governed by the provisions<br />
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions<br />
issued in its development and, insofar as they do not contradict them, on a<br />
subsidiary basis, by the general rules on administrative procedures."<br />
<br />
<br />
<br />
II<br />
Termination of the procedure<br />
<br />
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations (hereinafter LPACAP), under the heading<br />
"Termination in sanctioning proceedings", provides the following:<br />
<br />
"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,<br />
the procedure may be resolved with the imposition of the appropriate sanction.<br />
<br />
2. When the sanction is solely pecuniary in nature or it is possible to impose a<br />
pecuniary sanction and another of a non-pecuniary nature but the<br />
inappropriateness of the second has been justified, the voluntary payment by the presumed offender, at<br />
any time prior to the resolution, will imply the termination of the procedure,<br />
except in relation to the restoration of the altered situation or the determination of the<br />
compensation for damages caused by the commission of the offence.<br />
3. In both cases, when the sanction is solely pecuniary in nature, the<br />
body competent to resolve the procedure will apply reductions of at least<br />
20% of the amount of the proposed penalty, these being cumulative with each other.<br />
The aforementioned reductions must be determined in the notification of initiation<br />
of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of<br />
any administrative action or appeal against the sanction.<br />
<br />
The percentage reduction provided for in this section may be increased<br />
by regulation."<br />
<br />
In accordance with the foregoing,<br />
<br />
the Director of the Spanish Data Protection Agency RESOLVES:<br />
<br />
FIRST: DECLARE the termination of procedure EXP202203914, in<br />
accordance with the provisions of article 85 of the LPACAP.<br />
<br />
<br />
SECOND: NOTIFY this resolution to VODAFONE ESPAÑA, S.A.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this<br />
Resolution will be made public once the interested parties have been notified.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative process as prescribed by<br />
art. 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, interested parties may file a contentious-administrative<br />
appeal before the Contentious-Administrative Chamber of the<br />
National Court, in accordance with the provisions of article 25 and section 5 of<br />
the fourth additional provision of Law 29/1998, of July 13, regulating the<br />
Contentious-Administrative Jurisdiction, within a period of two months from the<br />
day following the notification of this act, as provided for in article 46.1 of the<br />
aforementioned Law.<br />
<br />
<br />
937-181022<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202104873&diff=29923AEPD (Spain) - EXP2021048732022-12-12T15:39:03Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD PS-00113-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00113-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Upheld<br />
|Date_Started=02.11.2021<br />
|Date_Decided=<br />
|Date_Published=06.12.2022<br />
|Year=<br />
|Fine=5000<br />
|Currency=EUR<br />
<br />
|GDPR_Article_1=Article 5(1)(f) GDPR<br />
|GDPR_Article_Link_1=Article 5 GDPR#1f<br />
|GDPR_Article_2=Article 32 GDPR<br />
|GDPR_Article_Link_2=Article 32 GDPR<br />
|GDPR_Article_3=Article 83(5) GDPR<br />
|GDPR_Article_Link_3=Article 83 GDPR#5<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Article 76(2)(b) Spanish Data Protection Law<br />
|National_Law_Link_1=https://www.boe.es/buscar/doc.php?id=BOE-A-2018-16673<br />
|National_Law_Name_2=<br />
|National_Law_Link_2=<br />
|National_Law_Name_3=<br />
|National_Law_Link_3=<br />
<br />
|Party_Name_1=INDECEMI, S.L.<br />
|Party_Link_1=https://www.sklum.com/es/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa Lopez<br />
|<br />
}}<br />
<br />
AEPD fined a controller €5,000 for a breach of confidentiality in the handling of customer complaints, where a complainant received the form regarding another complaint containing personal data.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
The data subject initiated a complaint process with INDECEMI (controller) and received an email with the personal data (name, surname, national identity number, address, telephone, and email address) of another person who was also in a complaint process, who, in turn, received an email with the data subject's personal data.<br />
<br />
=== Holding ===<br />
AEPD held that the data subject's personal data in the controller's database were improperly disclosed to a third party, as the complaint forms were mishandled and there was no evidence of appropriate security measures.<br />
<br />
The penalties for infringement of Articles 5(1)(f) (€3,000) and 32 GDPR (€2,000) were modulated by means of:<br />
[[Article 83 GDPR#2a|Article 83(2)(a) GDPR]], since the AEPD found that only two persons were affected and there was no evidence that any serious prejudice was caused to them. <br />
<br />
Article 76(2)(b) Spanish Data Protection Law, since the controller's business activity, wholesale of office furniture, did not indicate the handling of numerous personal data.<br />
<br />
== Comment ==<br />
''Share your comments here!''<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
1/8<br />
File No.: EXP202104873<br />
<br />
<br />
<br />
RESOLUTION OF SANCTIONING PROCEDURE<br />
<br />
In the procedure instructed by the Spanish Data Protection Agency and based on<br />
the following<br />
<br />
<br />
BACKGROUND<br />
<br />
FIRST: A.A.A. (hereinafter, the claiming party) on November 2,<br />
2021 filed a claim with the Spanish Data Protection Agency. The<br />
claim is directed against INDECEMI, S.L. with NIF B98845936 (INDECEMI). The<br />
reasons on which the claim is based are the following:<br />
<br />
The claiming party started a claim process with INDECEMI and received an email with the details of<br />
another person who was also in a claim process, who, in turn, received<br />
an email with the data of the claiming party.<br />
<br />
<br />
Along with the claim, the claim sheet submitted to INDECEMI is provided, together with<br />
an email received in which they apologize for the mistake made.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of<br />
December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter,<br />
LOPDGDD), the claim was transferred to INDECEMI so that it could<br />
proceed to its analysis and inform this Agency within a month of the<br />
actions carried out to adapt to the requirements established in the data<br />
protection regulations.<br />
<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public<br />
Administrations (hereinafter, LPACAP), by electronic notification, was not collected by<br />
the controller within the availability period, and was deemed rejected<br />
in accordance with the provisions of art. 43.2 of the LPACAP on 12/18/2021, as stated<br />
in the certificate in the file.<br />
<br />
Although the notification was validly made by electronic means, the<br />
procedure having been carried out in accordance with the provisions of article 41.5 of the LPACAP, for<br />
information purposes a copy was sent by postal mail, which was duly notified on<br />
01/10/2022. In said notification, the controller was reminded of its obligation to communicate<br />
electronically with the Administration, and was informed of the means of access to<br />
said notifications, reiterating that, henceforth, it would be notified exclusively<br />
by electronic means.<br />
<br />
<br />
No response has been received to this letter of transfer.<br />
<br />
THIRD: On February 2, 2022, in accordance with article 65 of the<br />
LOPDGDD, the claim presented by the claimant party was admitted for processing.<br />
<br />
FOURTH: On August 22, 2022, the Director of the Spanish Data<br />
Protection Agency agreed to initiate sanctioning proceedings against the claimed party,<br />
for the alleged violation of Article 5.1.f) of the GDPR and Article 32 of the GDPR,<br />
typified in Article 83.5 of the GDPR.<br />
<br />
FIFTH: The aforementioned initiation agreement having been notified in accordance with the rules established in<br />
Law 39/2015, of October 1, on the Common Administrative Procedure of<br />
Public Administrations (hereinafter, LPACAP), on 08/31/2022, and after<br />
the period granted for the formulation of allegations, it has been verified that no<br />
allegation has been received from the claimed party.<br />
<br />
Article 64.2.f) of the LPACAP -a provision of which the claimed party was informed<br />
in the agreement to open the procedure- establishes that if no<br />
allegations are made within the established period on the content of the initiation agreement, when<br />
it contains a precise pronouncement about the imputed responsibility, it<br />
may be considered a resolution proposal. In the present case, the agreement<br />
initiating the sanctioning file determined the facts on which the<br />
imputation is based, the infringement of the GDPR attributed to the defendant and the sanction that could be<br />
imposed. Therefore, taking into consideration that the claimed party has not<br />
made allegations to the agreement initiating the file, and in accordance with what is<br />
established in article 64.2.f) of the LPACAP, the aforementioned initiation agreement is<br />
considered in the present case a resolution proposal.<br />
<br />
In view of all the proceedings, the Spanish Data Protection Agency considers the following facts<br />
proven in this procedure:<br />
<br />
<br />
PROVEN FACTS<br />
<br />
FIRST AND ONLY: It is proven that the complaining party initiated a claim process with INDECEMI<br />
and received an email with the personal data (name, surname, NIF, address, telephone and email<br />
address) of another person who was also in the claim process, and that this other person, in turn,<br />
received an email with the personal data of the complaining party.<br />
<br />
FUNDAMENTALS OF LAW<br />
<br />
<br />
I<br />
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data<br />
Protection Regulation, hereinafter GDPR) grants each supervisory authority, and as established in<br />
articles 47 and 48.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection<br />
Agency is competent to initiate and resolve this procedure.<br />
<br />
Likewise, article 63.2 of the LOPDGDD determines that: "Procedures processed by the Spanish Data<br />
Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, of this organic<br />
law, of the regulatory provisions dictated in its development and, insofar as they do not contradict<br />
them, subsidiarily, by the general rules on administrative procedures."<br />
<br />
II<br />
<br />
In the present case, in accordance with the provisions of article 4.1 of the GDPR, there is<br />
processing of personal data, since INDECEMI carries out, among other operations, the collection,<br />
recording, use, etc. of personal data of natural persons, such as: name, identification number,<br />
telephone number, email address, etc.<br />
<br />
<br />
INDECEMI carries out this activity in its capacity as data controller, given that it is the one who<br />
determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR.<br />
<br />
Article 4 paragraph 12 of the GDPR defines, in a broad way, "personal data breach" (hereinafter<br />
security breach) as "a breach of security leading to the accidental or unlawful destruction, loss,<br />
alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise<br />
processed."<br />
<br />
In the present case, there is a personal data security breach in the circumstances indicated above,<br />
categorized as a breach of confidentiality, since the claim form of the complaining party, in which<br />
their personal data is recorded, was sent by email to another INDECEMI client.<br />
<br />
It should be noted that the identification of a security breach does not directly imply the<br />
imposition of a sanction by this Agency, since it is necessary to analyze the diligence of<br />
controllers and processors and the security measures applied.<br />
<br />
Among the principles of processing provided for in article 5 of the GDPR, the integrity and<br />
confidentiality of personal data is guaranteed in section 1.f) of article 5 of the GDPR. For its<br />
part, the security of personal data is regulated in articles 32, 33 and 34 of the GDPR, which<br />
regulate the security of processing, the notification of a personal data breach to the supervisory<br />
authority, and the communication to the data subject, respectively.<br />
<br />
<br />
III<br />
Article 5.1.f) "Principles relating to processing" of the GDPR establishes:<br />
<br />
"1. Personal data shall be:<br />
(…)<br />
f) processed in a manner that ensures appropriate security of the personal data, including<br />
protection against unauthorised or unlawful processing and against accidental loss, destruction or<br />
damage, using appropriate technical or organisational measures ('integrity and confidentiality')."<br />
<br />
In the present case, it is clear that the personal data of the complaining party, held in the<br />
INDECEMI database, were improperly exposed to a third party by sending to one person the claim<br />
form submitted by another.<br />
<br />
<br />
IV<br />
Article 83.5 of the GDPR, under the heading "General conditions for imposing administrative<br />
fines", provides:<br />
<br />
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to<br />
administrative fines up to EUR 20,000,000, or in the case of an undertaking, up to 4% of the total<br />
worldwide annual turnover of the preceding financial year, whichever is higher:<br />
<br />
a) the basic principles for processing, including conditions for consent, pursuant to Articles 5,<br />
6, 7 and 9; (…)"<br />
<br />
In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that "The acts and<br />
conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as<br />
those that are contrary to this organic law" constitute infringements.<br />
<br />
For the purposes of the limitation period, article 72 "Infringements considered very serious" of<br />
the LOPDGDD indicates:<br />
<br />
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infringements that<br />
constitute a substantial violation of the articles mentioned therein are considered very serious<br />
and will prescribe after three years, and in particular the following:<br />
<br />
a) The processing of personal data in violation of the principles and guarantees established in<br />
article 5 of Regulation (EU) 2016/679. (…)"<br />
<br />
V<br />
<br />
Sanction for infringement of article 5.1.f) of the GDPR<br />
<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, it is<br />
considered that the infringement in question is serious for the purposes of the GDPR, and that it<br />
is appropriate to graduate the sanction to be imposed according to the following criteria<br />
established in Article 83.2 of the GDPR:<br />
<br />
As mitigating factors:<br />
- The nature, gravity and duration of the infringement, taking into account the nature, scope or<br />
purpose of the processing concerned, as well as the number of data subjects affected and the level<br />
of damage suffered by them (section a). In the present case, only two people were affected, and<br />
there is no record that they suffered any serious harm.<br />
<br />
Likewise, it is considered appropriate to graduate the sanction to be imposed in accordance with<br />
the following criteria established in section 2 of article 76 "Sanctions and corrective measures"<br />
of the LOPDGDD:<br />
<br />
As mitigating factors:<br />
- The link between the offender's activity and the processing of personal data (section b): the<br />
commercial activity of INDECEMI, wholesale of office furniture, does not indicate that it handles<br />
a large amount of personal data.<br />
<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the<br />
LOPDGDD, with respect to the infringement committed by violating the provisions of article 5.1.f)<br />
of the GDPR, allows setting a fine of €3,000 (three thousand euros).<br />
<br />
<br />
VI<br />
Article 32 "Security of processing" of the GDPR establishes:<br />
<br />
"1. Taking into account the state of the art, the costs of implementation and the nature, scope,<br />
context and purposes of processing as well as the risk of varying likelihood and severity for the<br />
rights and freedoms of natural persons, the controller and the processor shall implement<br />
appropriate technical and organisational measures to ensure a level of security appropriate to the<br />
risk, including inter alia as appropriate:<br />
a) the pseudonymisation and encryption of personal data;<br />
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of<br />
processing systems and services;<br />
c) the ability to restore the availability and access to personal data in a timely manner in the<br />
event of a physical or technical incident;<br />
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and<br />
organisational measures for ensuring the security of the processing.<br />
<br />
2. In assessing the appropriate level of security account shall be taken in particular of the risks<br />
that are presented by processing, in particular from accidental or unlawful destruction, loss,<br />
alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise<br />
processed.<br />
<br />
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved<br />
certification mechanism as referred to in Article 42 may be used as an element by which to<br />
demonstrate compliance with the requirements set out in paragraph 1 of this Article.<br />
<br />
4. The controller and processor shall take steps to ensure that any natural person acting under the<br />
authority of the controller or the processor who has access to personal data does not process them<br />
except on instructions from the controller, unless he or she is required to do so by Union or<br />
Member State law."<br />
<br />
In the present case, at the time the breach occurred, it cannot be said that INDECEMI had the<br />
appropriate measures in place to avoid the incident, since it sent a claim form containing personal<br />
data to a different client.<br />
<br />
<br />
VII<br />
Article 83.4 of the GDPR, under the heading "General conditions for imposing administrative<br />
fines", provides:<br />
<br />
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to<br />
administrative fines up to EUR 10,000,000, or in the case of an undertaking, up to 2% of the total<br />
worldwide annual turnover of the preceding financial year, whichever is higher:<br />
<br />
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42<br />
and 43; (…)"<br />
<br />
In this regard, the LOPDGDD, in its article 71 "Infringements", establishes that "The acts and<br />
conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as<br />
those that are contrary to this organic law" constitute infringements.<br />
<br />
For the purposes of the limitation period, article 73 "Infringements considered serious" of the<br />
LOPDGDD indicates:<br />
<br />
"Based on what is established in article 83.4 of Regulation (EU) 2016/679, infringements that<br />
constitute a substantial violation of the articles mentioned therein are considered serious and<br />
will prescribe after two years, and in particular the following:<br />
f) The lack of adoption of those technical and organizational measures that are appropriate to<br />
guarantee a level of security appropriate to the risk of the processing, in the terms required by<br />
article 32.1 of Regulation (EU) 2016/679. (…)"<br />
<br />
VIII<br />
For the purposes of deciding on the imposition of an administrative fine and its amount, it is<br />
considered that the infringement in question is serious for the purposes of the GDPR, and that it<br />
is appropriate to graduate the sanction to be imposed in accordance with the criteria established<br />
by article 83.2 of the GDPR and section 2 of article 76 "Sanctions and corrective measures" of the<br />
LOPDGDD:<br />
<br />
The balance of the circumstances contemplated in article 83.2 of the GDPR and article 76.2 of the<br />
LOPDGDD, with respect to the infringement committed by violating the provisions of article 32 of<br />
the GDPR, allows setting a fine of €2,000 (two thousand euros).<br />
<br />
Therefore, in accordance with the applicable legislation and having assessed the criteria for the<br />
graduation of sanctions whose existence has been accredited, the Director of the Spanish Data<br />
Protection Agency RESOLVES:<br />
<br />
FIRST: TO IMPOSE ON INDECEMI, S.L., with NIF B98845936, for an infringement of Article 5.1.f) of<br />
the GDPR, typified in Article 83.5 of the GDPR, a fine of €3,000 (THREE THOUSAND EUROS).<br />
<br />
TO IMPOSE ON INDECEMI, S.L., with NIF B98845936, for an infringement of Article 32 of the GDPR,<br />
typified in Article 83.4 of the GDPR, a fine of €2,000 (TWO THOUSAND EUROS).<br />
<br />
SECOND: NOTIFY this resolution to INDECEMI, S.L.<br />
<br />
THIRD: To warn the sanctioned entity that it must make the imposed sanction effective once this<br />
resolution is enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP),<br />
within the voluntary payment term established in art. 68 of the General Collection Regulations,<br />
approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December<br />
17, by means of payment, indicating the NIF of the sanctioned entity and the procedure number that<br />
appears in the heading of this document, into the restricted account number<br />
ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency at the bank<br />
CAIXABANK, S.A. Otherwise, collection will proceed in the enforcement period.<br />
<br />
<br />
Once the notification has been received and the resolution is enforceable, if the date on which it<br />
becomes enforceable falls between the 1st and 15th of the month, both inclusive, the voluntary<br />
payment term will run until the 20th of the following month or the next business day, and if it<br />
falls between the 16th and the last day of the month, both inclusive, the payment term will run<br />
until the 5th of the second following month or the next business day.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made<br />
public once the interested parties have been notified.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative procedure in accordance with art.<br />
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the<br />
interested parties may optionally file an appeal for reconsideration before the Director of the<br />
Spanish Data Protection Agency within a period of one month from the day following the<br />
notification of this resolution, or directly a contentious-administrative appeal before the<br />
Contentious-Administrative Chamber of the National High Court, in accordance with the provisions<br />
of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13,<br />
regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day<br />
following the notification of this act, as provided for in article 46.1 of the aforementioned Law.<br />
<br />
<br />
Finally, it is noted that, in accordance with the provisions of art. 90.3 a) of the LPACAP, the<br />
final resolution may be provisionally suspended in administrative proceedings if the interested<br />
party expresses the intention to file a contentious-administrative appeal. If this is the case, the<br />
interested party must formally communicate this fact in writing to the Spanish Data Protection<br />
Agency, submitting it through the Agency's Electronic Registry<br />
[https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided<br />
for in art. 16.4 of the aforementioned Law 39/2015, of October 1. The interested party must also<br />
send the Agency the documentation proving the effective filing of the contentious-administrative<br />
appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a<br />
period of two months from the day following the notification of this resolution, the precautionary<br />
suspension will end.<br />
<br />
<br />
<br />
938-120722<br />
Mar España Martí<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202210237&diff=29821AEPD (Spain) - EXP2022102372022-12-05T17:48:05Z<p>Teresa.lopez: Format edits + correction of typos.</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD ai-00349-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ai-00349-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=08.03.2022<br />
|Date_Decided=<br />
|Date_Published=28.11.2022<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 6(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1b<br />
|GDPR_Article_3=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1c<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Annex XII(A) General Vehicle Regulation<br />
|National_Law_Link_1=https://www.boe.es/eli/es/rd/1998/12/23/2822/con%09<br />
|National_Law_Name_2=Annex XIV General Vehicle Regulation<br />
|National_Law_Link_2=https://www.boe.es/eli/es/rd/1998/12/23/2822/con<br />
|National_Law_Name_3=Article 32 General Vehicle Regulation<br />
|National_Law_Link_3=https://www.boe.es/eli/es/rd/1998/12/23/2822/con<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Dirección General de Tráfico<br />
|Party_Link_1=https://www.dgt.es/inicio/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA held that traffic officials have neither the capacity nor the possibility to verify the documentation submitted to change the ownership of a vehicle. If the documentation submitted is fraudulent, no lack of diligence can be imputed to them.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 9 August 2019, the data subject lodged a complaint with the police regarding the theft of their wallet. On 20 August 2019, someone purchased a vehicle using the data subject's ID. On 28 August 2019, the vehicle was reported for driving without the compulsory insurance, and on 20 January 2020 the Dirección General de Tráfico (national traffic department, also known as DGT) notified the registered owner of the start of the sanctioning procedure. On 31 January 2020, the new owner (using the documentation of the data subject) filed for the change of ownership before the DGT. In August 2020, the data subject received notification of the traffic offence. On 13 August 2020, the data subject lodged a new complaint with the police, stating that someone had tried to put a car in their name and that they had received notification of the traffic offence.<br />
<br />
The data subject states that the DGT did not carry out any checks to validate the change of ownership, allowing the change despite the existence of an outstanding debt on the vehicle. They also allege that the DGT processed their data without a legitimate basis.<br />
<br />
=== Holding ===<br />
The AEPD held that there was a legal basis to process the data: the documentation was required under the General Vehicle Regulation for the notification of the sale of the vehicle (Article 6(1)(c) GDPR), and the entry in the vehicle register is made in the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR).<br />
<br />
The AEPD also found no lack of diligence on the part of the DGT in verifying the identity of the data subject, since the General Vehicle Regulation does not require verification or comparison of signatures, and the traffic official does not have the capacity or possibility to verify them.<br />
<br />
== Comment ==<br />
The fact that the processing by the DGT relied on [[Article 6 GDPR|Article 6(1)(b) GDPR]] and [[Article 6 GDPR|Article 6(1)(c) GDPR]] as legal basis affects the holding of the AEPD, since in [[AEPD (Spain) - PS/00126/2021|PS/00126/2021]] the AEPD held: "''if there is a fraudulent contracting of a product and the consent to perfect such contract has been given by a person other than the data subject (impersonation), we cannot understand that there is contractual consent on the part of the latter, who is harmed. In legal terms, we can consider that in this situation of fraud the legal business would not have been perfected, which would determine the inexistence of legitimacy to process the personal data of the data subject. This is because, once the contract has been signed, the legal basis for the processing that legitimizes the contractor as data controller to process the personal data of the data subject in a product contract would be the one provided for in art. 6.1.b) of the GDPR.''"<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202210237<br />
<br />
<br />
<br />
RESOLUTION TO CLOSE PROCEEDINGS<br />
<br />
<br />
Of the actions carried out by the Spanish Data Protection Agency, and based on the following<br />
<br />
<br />
FACTS<br />
<br />
FIRST: A.A.A., on behalf of B.B.B. (hereinafter, the claimant), on March 8, 2022 filed a claim<br />
with the Spanish Data Protection Agency. The claim is directed against DIRECCIÓN GENERAL DE<br />
TRÁFICO with NIF Q2816003D (hereinafter, the DGT). The reasons on which the claim is based are<br />
as follows:<br />
<br />
On 08/09/2019, the claimant filed a complaint for the theft of his wallet.<br />
On 08/20/2019, a contract for the sale of a vehicle of brand ***MARK.1, model ***MODELO.1,<br />
license plate ***MATRICULA.1 was signed, in which the claimant appears as the buyer.<br />
On 08/28/2019, the vehicle was reported for driving without compulsory insurance, and the DGT<br />
initiated the sanctioning procedure by means of a notification sent on 01/20/2020 to the person<br />
who appeared as its owner in the General Vehicle Registry.<br />
<br />
According to the claimant, on 01/31/2020, the owner appeared at the DGT offices to carry out the<br />
change of ownership of the aforementioned car.<br />
According to the claimant's statement, in August 2020 the DGT notified him of the traffic<br />
violation committed.<br />
<br />
On 08/13/2020, the claimant filed a new complaint with the police, stating that on 08/29/2019 the<br />
police had informed him that someone had tried to put a car in his name, and that he had received<br />
notice of a traffic violation relating to a car that he does not own.<br />
<br />
The claimant states that the DGT did not carry out any verification to ensure that the change of<br />
ownership complied with the necessary requirements, allowing it to be carried out without the<br />
buyer providing supporting documentation and with an outstanding debt on the vehicle.<br />
He also considers that the data protection rights of the claimant have been infringed, since his<br />
data were processed by the DGT without any legitimizing basis.<br />
<br />
<br />
The claim cites various resolutions of the AEPD in which it was concluded "that if fraudulent<br />
contracting of a product occurs and the consent to perfect said contract has been given by a<br />
person other than the data subject (identity theft), we cannot understand that there is<br />
contractual consent on the part of the latter, who is harmed. (...) in this situation of fraud the<br />
legal transaction would not have been perfected, which would determine the lack of legitimacy to<br />
process the personal data of the data subject."<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/10<br />
<br />
Along with the claim, the following is provided:<br />
- Complaint before the National Police of Mislata for the theft of the DNI.<br />
- Alleged fraudulent contract of sale of the vehicle.<br />
- Notifications made by the claimed entity to the people who were included in its records as<br />
owners.<br />
- Proof of change of ownership of the vehicle by means of a notification of sale.<br />
- Order issued by the investigating court opening preliminary proceedings to clarify the facts.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection<br />
of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded<br />
to the DGT, so that it could analyze it and inform this Agency within one month of the actions<br />
carried out to comply with the requirements established in the data protection regulations.<br />
<br />
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of<br />
October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP),<br />
was received on 04/24/2022, as stated in the acknowledgment of receipt in the file.<br />
<br />
On 06/23/2022, this Agency received a written response indicating:<br />
<br />
<br />
"Regarding your letter concerning the claim made before the Agency by the representative of the<br />
claimant B.B.B., and in order to comply with the request, in accordance with article 65.4 of<br />
Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital<br />
rights (LOPDGDD), the following is reported:<br />
<br />
<br />
As stated in the Agency's request, the facts giving rise to the claim are based on the receipt of<br />
a sanction in the name of the claimant, allegedly motivated by identity theft. Along with the<br />
claim, documentation is provided relating to a sanction filed under the aforementioned identity<br />
theft, and other documents associated with it.<br />
<br />
Once the documentation provided has been reviewed, it is understood that the claimant's national<br />
identity document was stolen, a document that was later used to carry out the purchase and sale<br />
of a vehicle and assign its ownership. The claimant's complaint dated 08/09/2019 before the<br />
General Directorate of the Police, in which the theft of the national identity document is<br />
reported, is attached. Said complaint is prior to the sanction and to the purchase and sale of the<br />
vehicle.<br />
<br />
On 08/28/2019, an infraction is recorded with vehicle ***MATRICULA.1, for driving without<br />
compulsory insurance, in the name of C.C.C., undocumented. On 01/08/2020, the sanction with file<br />
***FILE.1 is delivered to the address indicated by C.C.C. Said sanction is in the name of the<br />
owner of the vehicle, D.D.D., and since she is absent, E.E.E. collects it.<br />
<br />
On 01/31/2020 the purchase and sale of the vehicle is notified at the Valencia Headquarters, in<br />
the name of the claimant. In said notification, a purchase and sale document (dated prior to the<br />
sanction) is provided, and the change of ownership proceeds. The same day, the owner of the<br />
vehicle submits an allegation to the sanctioning file, indicating that the vehicle was sold before<br />
the date of the sanction and that the sale has been notified.<br />
<br />
On 08/13/2020, the claimant complained to the General Directorate of the Police that he had<br />
received a notification from the DGT regarding the aforementioned sanction. He also states in the<br />
complaint that on 08/29/2019 he was informed that an attempt had been made to sell a car in his<br />
name. A document of preliminary proceedings (order of initiation), dated 09/22/2020, of<br />
Investigating Court number 9 of Valencia is also attached. The claimant files an appeal for<br />
reconsideration on 03/18/2021, an appeal that is declared inadmissible for being filed out of<br />
time. On 06/30/2021 the claimant presents an extraordinary appeal for review, which is denied<br />
because it is not based on any of the grounds relating to acts that are final in administrative<br />
proceedings.<br />
On 01/30/2022, the claimant receives an enforcement order from the Tax Agency, in order to settle<br />
the debt of the traffic penalty in the enforcement period with an ordinary surcharge of 20%.<br />
<br />
<br />
In view of the facts set out, it is understood that all the documentation referred to in Article<br />
32 and Annex XIV, relating to the processing and change of ownership of vehicles, of Royal Decree<br />
2822/1998, of December 23, approving the General Vehicle Regulations, was presented at the<br />
Valencia Headquarters. If the documents presented were falsified or presented fraudulently, this<br />
fact must be reported to the courts. The Provincial Headquarters of the DGT does not have the<br />
capabilities required to detect such unlawful acts.<br />
<br />
On the other hand, the inadmissibility of the reversal appeal is understood to be correct.<br />
<br />
submitted after the deadline on 03/18/2021, even more so when it is evident that the<br />
Claimant has proof of the sanction on 08/30/2020. No sentence indicated<br />
legal firm, which may be a cause provided for in the extraordinary appeal of<br />
review filed, for which reason said appeal is also considered correct<br />
inadmissibility.<br />
<br />
In accordance with what was requested in the claim in file ***FILE.2, the following is<br />
reported:<br />
1.- No decision is to be taken by the DGT. Once the debt has passed to the Tax Agency for<br />
collection, it must be claimed before that Agency, in accordance with the corresponding<br />
ruling. Disciplinary procedure 46-007.199.491/0 has concluded in administrative channels<br />
for the DGT.<br />
2.- The claimant has not requested the exercise of any data protection rights before the<br />
DGT, for which reason no response applies.<br />
3.- The present document serves as an explanation of the causes that gave rise to the<br />
incident.<br />
4.- The implementation of measures to avoid similar cases does not apply, since the DGT<br />
has acted in accordance with current regulations."<br />
<br />
THIRD: On June 8, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by<br />
the claimant was admitted for processing.<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
<br />
In accordance with the functions that article 57.1 a), f) and h) of Regulation (EU)<br />
2016/679 (General Data Protection Regulation, hereinafter GDPR) confers on each<br />
supervisory authority, and pursuant to articles 47 and 48.1 of Organic Law 3/2018, of<br />
December 5, on the Protection of Personal Data and guarantee of digital rights<br />
(hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent<br />
to resolve these investigation proceedings.<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the<br />
Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU)<br />
2016/679, by this organic law, by the regulatory provisions enacted in its development<br />
and, insofar as they do not contradict them, on a subsidiary basis, by the general rules<br />
on administrative procedures."<br />
<br />
II<br />
<br />
Article 6 of the GDPR, Lawfulness of processing, establishes in paragraph 1 that:<br />
<br />
"1. Processing shall be lawful only if and to the extent that at least one of the following<br />
conditions is met:<br />
a) the data subject has given consent to the processing of his or her personal data<br />
for one or more specific purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject<br />
is party or in order to take steps at the request of the data subject prior to entering<br />
into a contract;<br />
c) processing is necessary for compliance with a legal obligation to which the<br />
controller is subject;<br />
d) processing is necessary in order to protect the vital interests of the data subject or<br />
of another natural person;<br />
e) processing is necessary for the performance of a task carried out in the public<br />
interest or in the exercise of official authority vested in the controller;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the<br />
controller or by a third party, except where such interests are overridden by the<br />
interests or fundamental rights and freedoms of the data subject which require<br />
protection of personal data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public<br />
authorities in the performance of their tasks."<br />
<br />
On the other hand, article 4 of the GDPR, Definitions, in its points 1, 2 and 11,<br />
provides that:<br />
<br />
"1) 'personal data' means any information relating to an identified or identifiable<br />
natural person ('data subject'); an identifiable natural person is one who can be<br />
identified, directly or indirectly, in particular by reference to an identifier such as<br />
a name, an identification number, location data, an online identifier or to one or more<br />
factors specific to the physical, physiological, genetic, mental, economic, cultural or<br />
social identity of that natural person;<br />
<br />
2) 'processing' means any operation or set of operations which is performed on personal<br />
data or on sets of personal data, whether or not by automated means, such as collection,<br />
recording, organisation, structuring, storage, adaptation or alteration, retrieval,<br />
consultation, use, disclosure by transmission, dissemination or otherwise making<br />
available, alignment or combination, restriction, erasure or destruction;<br />
<br />
11) 'consent' of the data subject means any freely given, specific, informed and<br />
unambiguous indication of the data subject's wishes by which he or she, by a statement<br />
or by a clear affirmative action, signifies agreement to the processing of personal data<br />
relating to him or her."<br />
<br />
In the present case, the DGT, as data controller, processed the personal data of the<br />
claimant by registering a vehicle in his name in the General Vehicle Registry, although<br />
it cannot be affirmed that said processing was carried out without a legitimate basis, as<br />
the claimant maintains, since Royal Decree 2822/1998, of December 23, approving the<br />
General Vehicle Regulations, establishes in its article 32:<br />
<br />
"1. Any natural or legal person who owns a vehicle registered in Spain and transfers it<br />
to another, even when this is done with reservation of title or any other right over the<br />
vehicle, must notify the Traffic Headquarters of the province in which it has its legal<br />
domicile, or that in which the vehicle was registered, within ten days of the transfer,<br />
by means of a declaration stating the identification and address of the transferor and<br />
the acquirer, as well as the date and title of the transfer.<br />
<br />
Together with the notification of the transfer, the circulation permit or licence, which<br />
will be filed at the Headquarters, shall be attached, as well as the document accrediting<br />
the transfer, that of compliance with the corresponding tax obligations and the other<br />
documentation indicated in annex XIV.<br />
<br />
(...)<br />
<br />
2. The Traffic Headquarters to which the notification of transfer is addressed with the<br />
documents mentioned in the previous section shall record the acquirer in the Vehicle<br />
Registry as the new owner, unless the vehicle is affected by any of the impediments<br />
included in section 7 of this article, a point that will be communicated to the transferor<br />
and the acquirer, in which case, once the impediment has been cancelled or resolved, the<br />
new ownership shall be recorded, notifying the Town Halls of the legal domiciles of<br />
those (...)<br />
<br />
7. In the event that the Vehicle Registry records the constitution of a mortgage on the<br />
vehicle registered in the Movable Property Mortgage Registry, or the existence of an<br />
agreement prohibiting disposal or a reservation of title registered in the Registry of<br />
Instalment Sales of Movable Property, the change of ownership shall only be entered in<br />
the Vehicle Registry upon proof of the cancellation of the entry in the aforementioned<br />
Registries, by submitting the documents listed in section IV of annex XIV, or the consent<br />
of the creditor or of the person favoured by such entry, although in the latter case said<br />
entry will continue to be recorded in the Vehicle Registry.<br />
<br />
The annotation on the circulation permit or licence of the constitution of a mortgage on<br />
the vehicle registered in the Movable Property Mortgage Registry shall have the same<br />
effects, even when it is not recorded in the Vehicle Registry.<br />
<br />
When an annotation of a lease with option to buy or a long-term lease appears in the<br />
Vehicle Registry, the change of ownership shall only be entered in the Vehicle Registry<br />
with the consent of the lessor.<br />
<br />
Non-payment of the sanctions imposed for infringements of Law 16/1987, of July 30, on the<br />
Regulation of Land Transport, in respect of the vehicles with which those infringements<br />
were committed, shall be an impediment to the change of ownership, provided that they<br />
appear annotated in the Vehicle Registry.<br />
<br />
Any impediment to the change of ownership shall be communicated by the Traffic<br />
Headquarters to the acquirer (...)<br />
<br />
For its part, Annex XIV of the aforementioned Regulations establishes:<br />
<br />
"1. Transfers between persons not engaged in the sale of vehicles.<br />
<br />
A) Obligations of the transferor:<br />
<br />
In accordance with the provisions of article 32, section 1 of these Regulations, the<br />
transferor of a vehicle must, within ten days of the transfer, communicate it to the<br />
Traffic Headquarters with the documentation listed below:<br />
<br />
1st A declaration stating the identification and addresses of the transferor and the<br />
acquirer.<br />
<br />
Where applicable, the documents on identity and representation specified in section A,<br />
numbers 1 and 3 of annex XIII, on registration.<br />
<br />
2nd Fee in the legally established amount.<br />
3rd The circulation permit or licence.<br />
<br />
4th Document accrediting the transfer, except where the seller and buyer submit their<br />
applications jointly.<br />
<br />
5th Original and photocopy of the document accrediting payment of the last receipt<br />
issued for the collection of the Tax on Mechanical Traction Vehicles, or proof of<br />
exemption from it.<br />
<br />
6th Form, duly completed, of notice of change of ownership for the purposes of the Tax<br />
on Mechanical Traction Vehicles.<br />
<br />
7th If the vehicle being transferred is affected by rights that limit the transferor's<br />
power of disposal, in accordance with the provisions of section 7 of article 32 of these<br />
Regulations, a document must be presented accrediting the cancellation of the impediment<br />
in the corresponding Registry or containing the consent of the creditor or of the person<br />
favoured by the entry.<br />
<br />
8th In the case of a special agricultural vehicle, a document accrediting<br />
deregistration from the Official Register of Agricultural Machinery."<br />
<br />
Likewise, regarding the documents relating to identity and representation, Annex XIII<br />
provides in its section A:<br />
<br />
"A) Ordinary registration: In accordance with the provisions of articles 27, section 2.c)<br />
and 28, section 2 of these Regulations, applications for the registration of vehicles<br />
shall be accompanied by the following documents:<br />
<br />
1st Application signed by the interested party on the official form provided by the<br />
Traffic Headquarters.<br />
<br />
If the applicant is a minor or incapacitated, the application must also include the<br />
details and signature of the person representing him or her, as well as the capacity in<br />
which he or she does so.<br />
<br />
2nd Fee in the legally established amount.<br />
<br />
3rd National identity document in force or, failing that, receipt of having applied for<br />
it, as well as the Family Book or other document certifying the data appearing in the<br />
national identity document that is not presented.<br />
<br />
If the applicant is a foreigner, he or she must present a Residence Card, as well as a<br />
declaration of ownership of other vehicles registered in Spain, or the Spanish driving<br />
licence of which he or she is or has been the holder, or the provincial registration<br />
number of foreign drivers, if any.<br />
<br />
Foreigners who do not have a Residence Card shall present an identity document from<br />
their country of origin, if they are citizens of States party to the Agreement on the<br />
European Economic Area (EEA), or a Passport or Certificate of Nationality if they are<br />
citizens of third countries, and shall also justify their domicile in Spain by any<br />
document that proves it, such as ownership or rental of a dwelling, or registration in<br />
a Municipality.<br />
<br />
When the applicant is a legal person, it shall submit a Tax Identification Number, as<br />
well as the National Identity Document, Passport or Residence Card of the person<br />
representing it and a document certifying that that person has the power to act on its<br />
behalf.<br />
<br />
The originals of the aforementioned documents may be replaced by photocopies thereof,<br />
which the interested parties or their representatives must provide at the time of<br />
submitting the application, provided that they are duly collated by the registries of<br />
the bodies in which the corresponding application is submitted, in accordance with the<br />
provisions of article 38.4 a) and b) of Law 30/1992, of November 26, on the Legal Regime<br />
of Public Administrations and Common Administrative Procedure, without prejudice to the<br />
possibility of this function being exercised by a licensed Administrative Manager (Gestor<br />
Administrativo colegiado) in the terms determined in the agreements that may be<br />
established with the Associations of Administrative Managers.<br />
<br />
Applications submitted by Bodies or Entities dependent on the Public Administrations,<br />
whether State, Autonomous, Provincial or Municipal, shall be signed by the Head of the<br />
Body or Entity to which the vehicle belongs, or the person to whom he or she delegates,<br />
and accompanied by the required documentation."<br />
<br />
Bearing in mind that a notification of sale of the vehicle was submitted to the<br />
Provincial Traffic Headquarters of Valencia, accompanied by the documentation required<br />
by the General Vehicle Regulations to carry out said procedure, including a sales contract<br />
identifying the seller and the buyer, it cannot be affirmed that the DGT engaged in<br />
unlawful processing of the claimant's data, since the entry in the Vehicle Registry is<br />
made in compliance with a legal obligation applicable to the controller and, likewise, on<br />
the basis of the performance of a contract to which the data subject is a party.<br />
<br />
III<br />
<br />
The claimant adds that the DGT did not act with due diligence, as it did not verify<br />
whether the claimant had been correctly identified. However, having analysed in the<br />
previous section the articles of the Vehicle Regulations applicable to the notification<br />
of sale, it must be concluded that, for the notification of sale, the aforementioned legal<br />
text does not require the verification and collation of signatures, bearing in mind also<br />
that it is not necessary for the buyer and the seller to appear at the same time at the<br />
Traffic Headquarters, since, according to Annex XIV of the aforementioned Regulations,<br />
as regards the acquirer:<br />
<br />
<br />
"B) Obligations of the acquirer:<br />
In accordance with the provisions of article 32, section 3 of these Regulations, the<br />
acquirer of a vehicle must, within thirty days of the date of acquisition, apply to the<br />
Traffic Headquarters for the renewal of the circulation permit or licence, presenting the<br />
following documents:<br />
1st Application on the official form provided by the Traffic Headquarters, stating the<br />
identity and address of the transferor and the acquirer.<br />
2nd Fee or fees in the legally established amount.<br />
3rd The documents on identity and representation specified in section A, numbers 1 and 3<br />
of annex XIII, on registration.<br />
4th Technical inspection card or certificate of characteristics, with a valid inspection.<br />
5th Original of the self-assessment of the Tax on Property Transfers and Documented<br />
Legal Acts, or proof of exemption or non-liability, and a photocopy.<br />
6th Self-assessment of the Special Tax on Certain Means of Transport, or justification<br />
of non-liability or exemption, in cases of transfer of a vehicle before four years have<br />
elapsed since its first definitive registration with exemption or non-liability.<br />
7th Registration form for the Tax on Mechanical Traction Vehicles.<br />
8th Original and photocopy of proof of payment or exemption from the Tax on Mechanical<br />
Traction Vehicles, in the event that the transferor has not fulfilled the obligation to<br />
notify the transfer provided for in article 32, section 1 of these Regulations.<br />
9th Document accrediting the acquisition, except where the seller and the buyer submit<br />
their applications jointly."<br />
<br />
Therefore, no lack of diligence can be imputed beyond verifying that all the documentation<br />
required by the Vehicle Regulations to carry out the corresponding procedure is provided.<br />
If the documentation presented is fraudulent, the acting official has neither the capacity<br />
nor the possibility of verifying it.<br />
<br />
IV<br />
<br />
Therefore, based on what is indicated in the preceding paragraphs, there is no evidence<br />
proving the existence of an infringement within the area of competence of the Spanish<br />
Data Protection Agency.<br />
<br />
Thus, in accordance with what has been indicated, the Director of the Spanish Data<br />
Protection Agency<br />
RESOLVES:<br />
<br />
FIRST: TO ORDER THE FILING (archivo) of the present proceedings.<br />
<br />
SECOND: TO NOTIFY this resolution to B.B.B. and to the DIRECCIÓN GENERAL DE TRÁFICO.<br />
<br />
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be<br />
made public once it has been notified to the interested parties.<br />
<br />
Against this resolution, which puts an end to administrative proceedings in accordance<br />
with article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure<br />
of Public Administrations, and in accordance with the provisions of articles 112 and 123<br />
of the aforementioned Law 39/2015, of October 1, interested parties may optionally file an<br />
appeal for reversal before the Director of the Spanish Data Protection Agency within one<br />
month from the day following notification of this resolution, or directly a<br />
contentious-administrative appeal before the Contentious-Administrative Chamber of the<br />
National High Court (Audiencia Nacional), in accordance with the provisions of article 25<br />
and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating<br />
the Contentious-Administrative Jurisdiction, within two months from the day following<br />
notification of this act, as provided in article 46.1 of the aforementioned Law.<br />
<br />
940-110422<br />
Mar España Martí<br />
<br />
Director of the Spanish Data Protection Agency<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202210237&diff=29820AEPD (Spain) - EXP2022102372022-12-05T17:37:52Z<p>Teresa.lopez: Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=AEPD..."</p>
<hr />
<div>{{DPAdecisionBOX<br />
<br />
|Jurisdiction=Spain<br />
|DPA-BG-Color=background-color:#ffffff;<br />
|DPAlogo=LogoES.jpg<br />
|DPA_Abbrevation=AEPD<br />
|DPA_With_Country=AEPD (Spain)<br />
<br />
|Case_Number_Name=AEPD ai-00349-2022<br />
|ECLI=<br />
<br />
|Original_Source_Name_1=AEPD<br />
|Original_Source_Link_1=https://www.aepd.es/es/documento/ai-00349-2022.pdf<br />
|Original_Source_Language_1=Spanish<br />
|Original_Source_Language__Code_1=ES<br />
|Original_Source_Name_2=<br />
|Original_Source_Link_2=<br />
|Original_Source_Language_2=<br />
|Original_Source_Language__Code_2=<br />
<br />
|Type=Complaint<br />
|Outcome=Rejected<br />
|Date_Started=08.03.2022<br />
|Date_Decided=<br />
|Date_Published=28.11.2022<br />
|Year=<br />
|Fine=<br />
|Currency=<br />
<br />
|GDPR_Article_1=Article 6(1) GDPR<br />
|GDPR_Article_Link_1=Article 6 GDPR#1<br />
|GDPR_Article_2=Article 6(1)(b) GDPR<br />
|GDPR_Article_Link_2=Article 6 GDPR#1b<br />
|GDPR_Article_3=Article 6(1)(c) GDPR<br />
|GDPR_Article_Link_3=Article 6 GDPR#1c<br />
|GDPR_Article_4=<br />
|GDPR_Article_Link_4=<br />
|GDPR_Article_5=<br />
|GDPR_Article_Link_5=<br />
<br />
|EU_Law_Name_1=<br />
|EU_Law_Link_1=<br />
|EU_Law_Name_2=<br />
|EU_Law_Link_2=<br />
<br />
|National_Law_Name_1=Annex XIII(A) General Vehicle Regulation<br />
|National_Law_Link_1=https://www.boe.es/eli/es/rd/1998/12/23/2822/con<br />
|National_Law_Name_2=Annex XIV General Vehicle Regulation<br />
|National_Law_Link_2=https://www.boe.es/eli/es/rd/1998/12/23/2822/con<br />
|National_Law_Name_3=Article 32 General Vehicle Regulation<br />
|National_Law_Link_3=https://www.boe.es/eli/es/rd/1998/12/23/2822/con<br />
|National_Law_Name_4=<br />
|National_Law_Link_4=<br />
|National_Law_Name_5=<br />
|National_Law_Link_5=<br />
<br />
|Party_Name_1=Dirección General de Tráfico<br />
|Party_Link_1=https://www.dgt.es/inicio/<br />
|Party_Name_2=<br />
|Party_Link_2=<br />
|Party_Name_3=<br />
|Party_Link_3=<br />
<br />
|Appeal_To_Body=<br />
|Appeal_To_Case_Number_Name=<br />
|Appeal_To_Status=Unknown<br />
|Appeal_To_Link=<br />
<br />
|Initial_Contributor=Teresa López<br />
|<br />
}}<br />
<br />
The Spanish DPA held that traffic officials have neither the capacity nor the means to verify the authenticity of the documentation presented to change the ownership of a vehicle, so that if the documentation presented is fraudulent, no lack of diligence can be imputed to the DGT.<br />
<br />
== English Summary ==<br />
<br />
=== Facts ===<br />
On 9 August 2019, the data subject lodged a complaint with the police about the theft of their wallet, which contained their national identity document (DNI). On 20 August 2019, a contract for the sale and purchase of a vehicle was signed naming the data subject as the buyer. On 28 August 2019, the vehicle was reported for driving without compulsory insurance, and on 20 January 2020 the Dirección General de Tráfico (the Spanish national traffic authority, DGT) notified the start of the sanctioning procedure to the person who still appeared as owner in the vehicle register. On 31 January 2020, the sale was notified to the DGT using the data subject's documentation, and the DGT entered the data subject in the vehicle register as the new owner. In August 2020, the data subject received notification of the traffic offence. On 13 August 2020, the data subject lodged a new complaint with the police, stating that someone had tried to put a car in their name and that they had received notification of the traffic offence.<br />
<br />
The data subject argued that the DGT carried out no checks to validate the change of ownership, allowing it despite the existence of an outstanding debt on the vehicle, and that the DGT processed their personal data without a legal basis.<br />
<br />
=== Holding ===<br />
The AEPD held that the DGT had a legal basis to process the data: the documentation was submitted as required by the General Vehicle Regulation for the notification of the sale of a vehicle, so the entry in the vehicle register was made in compliance with a legal obligation (Article 6(1)(c) GDPR) and, likewise, in the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR).<br />
<br />
The AEPD also found no lack of diligence on the part of the DGT in verifying the identity of the data subject, since the General Vehicle Regulation does not require verification or comparison of signatures, the buyer and seller need not appear together at the Traffic Headquarters, and the traffic official has neither the capacity nor the possibility to verify whether the documentation presented is fraudulent. The AEPD therefore closed the proceedings.<br />
<br />
== Comment ==<br />
The fact that the AEPD accepted Article 6(1)(b) GDPR and Article 6(1)(c) GDPR as the legal bases for the DGT's processing is notable, because it sits uneasily with the AEPD's own reasoning in PS/00126/2021, where it held: "if there is a fraudulent contracting of a product and the consent to perfect such contract has been given by a person other than the data subject (impersonation), we cannot understand that there is contractual consent on the part of the latter, who is harmed. In legal terms, we can consider that in this situation of fraud the legal business would not have been perfected, which would determine the inexistence of legitimacy to process the personal data of the data subject. This is because, once the contract has been signed, the legal basis for the processing that legitimizes the contractor as data controller to process the personal data of the data subject in a product contract would be the one provided for in art. 6.1.b) of the GDPR."<br />
<br />
== Further Resources ==<br />
''Share blogs or news articles here!''<br />
<br />
== English Machine Translation of the Decision ==<br />
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.<br />
<br />
<pre><br />
File No.: EXP202210237<br />
<br />
RESOLUTION ON THE FILING OF PROCEEDINGS<br />
<br />
Based on the proceedings carried out by the Spanish Data Protection Agency and on the<br />
following<br />
<br />
FACTS<br />
<br />
FIRST: A.A.A., on behalf of B.B.B. (hereinafter, the claimant), filed a claim with the<br />
Spanish Data Protection Agency on March 8, 2022. The claim is directed against the<br />
DIRECCIÓN GENERAL DE TRÁFICO with NIF Q2816003D (hereinafter, the DGT). The grounds on<br />
which the claim is based are as follows:<br />
<br />
On 08/09/2019, the claimant filed a complaint for the theft of his wallet.<br />
On 08/20/2019, a contract was signed for the sale of a vehicle of brand ***MARK.1,<br />
model ***MODELO.1, licence plate ***MATRICULA.1, in which the claimant appears as the<br />
buyer.<br />
On 08/28/2019, the vehicle was reported for driving without compulsory insurance, and the<br />
DGT initiated the disciplinary procedure by means of a notification sent on 01/20/2020<br />
to the person who appeared as its owner in the General Vehicle Registry.<br />
<br />
According to the claimant, on 01/31/2020 the owner appeared at the offices of the DGT<br />
to carry out the change of ownership of the vehicle in question.<br />
According to the claimant's statement, in August 2020 the DGT notified him of the<br />
traffic offence committed.<br />
<br />
On 08/13/2020, the claimant filed a new complaint with the police stating that on<br />
08/29/2019 the police had informed him that someone had tried to put a car in his name,<br />
and that he had received notice of a traffic offence relating to a car that does not<br />
belong to him.<br />
<br />
The claimant states that the DGT did not carry out any verification to ensure that the<br />
change of ownership complied with the necessary requirements, allowing it to be carried<br />
out without the buyer's supporting documentation being provided and while there was an<br />
outstanding debt on the vehicle.<br />
He also considers that the claimant's data protection rights were infringed when his<br />
data were processed by the DGT without any legitimising basis.<br />
<br />
The claim cites various AEPD resolutions which concluded "that if fraudulent contracting<br />
of a product occurs and the consent to perfect said contract has been given by a person<br />
other than the holder of the data (identity theft), we cannot understand that there is<br />
contractual consent on the part of the latter, who is harmed. (...) in this situation of<br />
fraud the legal transaction would not have been perfected, which would determine the<br />
lack of legitimacy to process the personal data of the data subject."<br />
<br />
C/ Jorge Juan, 6 www.aepd.es<br />
28001 – Madrid sedeagpd.gob.es 2/10<br />
<br />
The following is provided with the claim:<br />
-Complaint before the National Police of Mislata for the theft of the DNI.<br />
-Allegedly fraudulent contract of sale of the vehicle.<br />
-Notifications made by the respondent entity to the persons recorded in its registers as<br />
owners.<br />
-Proof of the change of ownership of the vehicle by means of a notification of sale.<br />
-Order issued by the investigating court opening preliminary proceedings to clarify the<br />
facts.<br />
<br />
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and<br />
guarantee of digital rights (hereinafter LOPDGDD), said claim was forwarded to the DGT so that it could analyse it and<br />
inform this Agency, within one month, of the actions carried out to comply with the requirements established in the<br />
data protection regulations.<br />
<br />
The transfer, carried out in accordance with the rules established in Law 39/2015, of 1 October, on the Common<br />
Administrative Procedure of Public Administrations (hereinafter LPACAP), was received on 04/24/2022, as stated in the<br />
acknowledgment of receipt in the file.<br />
<br />
On 06/23/2022, this Agency received a written response stating:<br />
<br />
<br />
"Regarding your letter concerning the claim filed with the Agency by the representative of the claimant B.B.B., and in<br />
order to comply with the request, in accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the<br />
Protection of Personal Data and guarantee of digital rights (LOPDGDD), the following is reported:<br />
<br />
<br />
As stated in the Agency's request, the facts giving rise to the claim are based on the receipt of a penalty in the name<br />
of the claimant, allegedly motivated by identity theft. Along with the claim, documentation relating to a penalty issued<br />
under the aforementioned identity theft, and other documents associated with it, is provided.<br />
<br />
Having reviewed the documentation provided, it is understood that the claimant's national identity document was<br />
stolen, a document that was later used to carry out the purchase-sale of a vehicle and to assign its ownership. The<br />
claimant's complaint dated 08/09/2019 before the General Directorate of the Police, reporting the theft of the national<br />
identity document, is attached. Said complaint is prior to the penalty and to the purchase-sale of the vehicle.<br />
<br />
On 08/28/2019, an infraction is recorded with vehicle ***MATRICULA.1 for driving without compulsory insurance, in the<br />
name of C.C.C., undocumented. On 01/08/2020, the penalty with file number ***FILE.1 is delivered at the address<br />
indicated by C.C.C. Said penalty is addressed to the owner of the vehicle, D.D.D., and since she is absent, E.E.E.<br />
collects it.<br />
<br />
On 01/31/2020, the purchase-sale of the vehicle is notified at the Valencia Traffic Headquarters, in the name of the<br />
claimant. In said notification a purchase-sale document (dated prior to the penalty) is provided, and the change of<br />
ownership proceeds. The same day, the owner of the vehicle files an allegation in the disciplinary file, stating that<br />
the vehicle was sold before the date of the penalty and that the sale has been notified.<br />
<br />
On 08/13/2020, the claimant files a complaint with the General Directorate of the Police stating that he received a<br />
notification from the DGT regarding the aforementioned penalty. He also states in the complaint that on 08/29/2019 he<br />
was informed that an attempt had been made to sell a car in his name. A document of preliminary proceedings (order of<br />
initiation), dated 09/22/2020, of Investigating Court number 9 of Valencia, is also attached. The claimant files an<br />
appeal for reconsideration on 03/18/2021, which is declared inadmissible for being filed out of time. On 06/30/2021 the<br />
claimant files an extraordinary appeal for review, which is denied because it is not based on any of the grounds<br />
relating to acts that are final in administrative channels.<br />
On 01/30/2022, the claimant receives an enforcement order from the Tax Agency to settle the debt arising from the<br />
traffic penalty in the enforcement period, with an ordinary surcharge of 20%.<br />
<br />
<br />
In view of the facts described, it is understood that all the documentation referred to in Article 32 and Annex XIV,<br />
relating to the processing and change of ownership of vehicles, of Royal Decree 2822/1998, of 23 December, approving<br />
the General Vehicle Regulations, was presented at the Valencia Headquarters. If the documents presented were falsified<br />
or presented fraudulently, this fact must be reported to the courts. The Provincial Headquarters of the DGT does not<br />
have the capabilities required to detect such illicit acts.<br />
<br />
On the other hand, the inadmissibility of the appeal for reconsideration filed out of time on 03/18/2021 is understood<br />
to be correct, even more so when it is evident that the claimant had knowledge of the penalty on 08/30/2020. No final<br />
court judgment, which could be one of the grounds provided for the extraordinary appeal for review filed, is<br />
indicated, for which reason the inadmissibility of said appeal is also considered correct.<br />
<br />
<br />
In accordance with what was requested in the claim in file ***FILE.2, the following is reported:<br />
1.- No decision by the DGT applies. Once the debt has been passed to the Tax Agency for collection, it must be claimed<br />
before that Agency, in accordance with the corresponding ruling. Disciplinary procedure 46-007.199.491/0 has concluded<br />
in administrative channels for the DGT.<br />
2.- The claimant has not requested the exercise of their data protection rights before the DGT, for which reason no<br />
response applies.<br />
3.- The present document serves as an explanation of the causes that gave rise to the incident.<br />
4.- The implementation of measures adopted to avoid similar cases does not apply, since the DGT has acted in accordance<br />
with current regulations".<br />
<br />
THIRD: On June 8, 2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for<br />
processing.<br />
<br />
<br />
<br />
LEGAL GROUNDS<br />
<br />
I<br />
<br />
In accordance with the functions that article 57.1 a), f) and h) of Regulation (EU) 2016/679 (General Data Protection<br />
Regulation, hereinafter GDPR) confers on each supervisory authority, and as provided in articles 47 and 48.1 of Organic<br />
Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD),<br />
the Director of the Spanish Data Protection Agency is competent to resolve these investigative proceedings.<br />
<br />
<br />
Likewise, article 63.2 of the LOPDGDD provides that: "The procedures processed by the Spanish Data Protection Agency<br />
shall be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions<br />
enacted in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on<br />
administrative procedures."<br />
<br />
II<br />
<br />
Article 6 of the GDPR, Lawfulness of processing, establishes in paragraph 1 that:<br />
<br />
"1. Processing shall be lawful only if and to the extent that at least one of the following applies:<br />
a) the data subject has given consent to the processing of his or her personal data for one or more specific<br />
purposes;<br />
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take<br />
steps at the request of the data subject prior to entering into a contract;<br />
c) processing is necessary for compliance with a legal obligation to which the controller is subject;<br />
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;<br />
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of<br />
official authority vested in the controller;<br />
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,<br />
except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject<br />
which require protection of personal data, in particular where the data subject is a child.<br />
<br />
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance<br />
of their tasks."<br />
<br />
On the other hand, article 4 of the GDPR, Definitions, in its points 1, 2 and 11, states that:<br />
<br />
"1) 'personal data' means any information relating to an identified or identifiable natural person ('data subject');<br />
an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an<br />
identifier such as a name, an identification number, location data, an online identifier or to one or more factors<br />
specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;<br />
<br />
2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal<br />
data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation<br />
or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available,<br />
alignment or combination, restriction, erasure or destruction;<br />
<br />
11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data<br />
subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the<br />
processing of personal data relating to him or her."<br />
<br />
In the present case, the DGT, as data controller, processed the personal data of the claimant by registering a vehicle<br />
in their name in the General Vehicle Registry. However, it cannot be affirmed that said processing was carried out<br />
without a legitimate basis, as the claimant maintains, since Royal Decree 2822/1998, of 23 December, approving the<br />
General Vehicle Regulations, establishes in its article 32:<br />
<br />
"1. Any natural or legal person who owns a vehicle registered in Spain and transfers it to another, even when this is<br />
done with reservation of ownership or any other right over the vehicle, must notify the Traffic Headquarters of the<br />
province in which they have their legal domicile, or of the province in which the vehicle was registered, within ten<br />
days of the transfer, by means of a statement stating the identification and address of the transferor and the<br />
acquirer, as well as the date and title of the transfer.<br />
<br />
Together with the notification of the transfer, the circulation permit or licence, which will be filed at the<br />
Headquarters, shall be attached, as well as the document accrediting the transfer, that of compliance with the<br />
corresponding tax obligations and the other documentation indicated in annex XIV.<br />
<br />
(…)<br />
<br />
2. The Traffic Headquarters to which the notification of the transfer is addressed, together with the documents<br />
mentioned in the previous section, shall record the acquirer in the Vehicle Registry as the new owner, unless the<br />
vehicle is affected by any of the impediments listed in section 7 of this article, a point that shall be communicated<br />
to the transferor and the acquirer, in which case, once the impediment has been cancelled or resolved, the new<br />
ownership shall be recorded, notifying the Town Halls of the legal domiciles of both (…)<br />
<br />
7. When the constitution of a mortgage on the vehicle, registered in the Movable Property Mortgage Registry, or the<br />
existence of a prohibition on disposal or a reservation of ownership agreement, registered in the Registry of<br />
Instalment Sales of Movable Property, is recorded in the Vehicle Registry, the change of ownership shall only be<br />
entered in the Vehicle Registry when the cancellation of the entry in the aforementioned Registries is accredited, by<br />
submitting the documents listed in section IV of annex XIV, or the consent of the creditor or of the person favoured by<br />
such entry, although in the latter case said entry shall continue to be recorded in the Vehicle Registry.<br />
<br />
The annotation on the circulation permit or licence shall have the same effects as the constitution of a mortgage on<br />
the vehicle registered in the Movable Property Mortgage Registry, even when it is not recorded in the Vehicle Registry.<br />
<br />
When a lease with purchase option or long-term lease annotation appears in the Vehicle Registry, the change of<br />
ownership shall only be entered in the Vehicle Registry with the consent of the lessor.<br />
<br />
Non-payment of the penalties imposed for infringements of Law 16/1987, of 30 July, on the Organisation of Land<br />
Transport, shall be an impediment to the change of ownership in respect of the vehicles with which those infringements<br />
were committed, provided that they are recorded in the Vehicle Registry.<br />
<br />
Any impediment to the change of ownership shall be communicated by the Traffic Headquarters to the acquirer (...)<br />
<br />
<br />
For its part, Annex XIV of the aforementioned Regulation establishes:<br />
<br />
"1. Transfers between persons not engaged in the sale of vehicles.<br />
<br />
A) Obligations of the transferor:<br />
<br />
In accordance with the provisions of article 32, section 1 of this Regulation, the transferor of a vehicle must, within<br />
ten days of the transfer, communicate it to the Traffic Headquarters with the documentation listed below:<br />
<br />
1st. A statement stating the identification and addresses of the transferor and the acquirer.<br />
<br />
Where applicable, the documents on identity and representation specified in section A, numbers 1 and 3 of annex XIII,<br />
on registration.<br />
<br />
2nd. Fee in the legally established amount.<br />
<br />
3rd. The circulation permit or licence.<br />
<br />
4th. Document accrediting the transfer, except where the seller and the buyer submit their applications jointly.<br />
<br />
5th. Original and photocopy of the document accrediting payment of the last receipt issued for the collection of the<br />
Tax on Mechanical Traction Vehicles, or proof of exemption.<br />
<br />
6th. Deregistration form, duly completed, for the change of ownership for the purposes of the Tax on Mechanical<br />
Traction Vehicles.<br />
<br />
7th. If the vehicle being transferred is affected by rights that limit the transferor's power of disposal, in<br />
accordance with section 7 of article 32 of this Regulation, a document must be presented certifying the cancellation<br />
of the impediment in the corresponding Registry, or recording the consent of the creditor or of the person favoured by<br />
the entry.<br />
<br />
8th. In the case of a special agricultural vehicle, document accrediting deregistration in the Official Register of<br />
Agricultural Machinery."<br />
<br />
<br />
Likewise, with regard to documents concerning identity and representation, Annex XIII states in its section A:<br />
<br />
"A) Ordinary registration: In accordance with the provisions of articles 27, section 2.c and 28, section 2 of this<br />
Regulation, applications for the registration of vehicles shall be accompanied by the following documents:<br />
<br />
1st. Application signed by the interested party on the official model form provided by the Traffic Headquarters.<br />
<br />
If the applicant is a minor or incapacitated, the application must also include the details and signature of the<br />
person representing them, as well as the capacity in which they do so.<br />
<br />
2nd. Fee in the legally established amount.<br />
<br />
3rd. Valid national identity document or, failing that, receipt of having applied for it, as well as the Family Book<br />
or other document certifying the details appearing in the national identity document that is not presented.<br />
<br />
If the applicant is a foreigner, they must present a Residence Card, as well as a declaration of ownership of other<br />
vehicles registered in Spain, or a Spanish driving licence of which they are or have been the holder, or the<br />
provincial registration number of foreign drivers, if any.<br />
<br />
Foreigners who do not have a Residence Card shall present an identity document from their country of origin, if they<br />
are citizens of States party to the Agreement on the European Economic Area (EEA), or a Passport or Certificate of<br />
Nationality if they are citizens of third countries, and shall also prove their domicile in Spain by any document<br />
that accredits it, such as ownership or rental of a dwelling, or registration in a Municipality.<br />
<br />
When the applicant is a legal entity, it shall submit its Tax Identification Number, as well as the National Identity<br />
Document, Passport or Residence Card of the person representing it, and a document certifying that they have power to<br />
act on its behalf.<br />
<br />
The originals of the aforementioned documents may be replaced by photocopies, which the interested parties or their<br />
representatives must provide when submitting their application, provided that they are duly collated by the registries<br />
of the bodies to which the corresponding application is submitted, in accordance with article 38.4 a) and b) of Law<br />
30/1992, of 26 November, on the Legal Regime of Public Administrations and Common Administrative Procedure, without<br />
prejudice to this function being exercised by a Collegiate Administrative Manager under the terms determined in the<br />
agreements that may be established with the Associations of Administrative Managers.<br />
<br />
Applications submitted by Bodies or Entities dependent on the Public Administrations, whether General State,<br />
Autonomous, Provincial or Municipal, shall be signed by the Head of the Body or Entity to which the vehicle belongs, or<br />
by the person to whom they delegate, accompanied by the required documentation."<br />
<br />
Bearing in mind that an application for notification of the sale of the vehicle was submitted to the Provincial<br />
Traffic Headquarters of Valencia, accompanied by the documentation required under the General Vehicle Regulations to<br />
carry out said procedure, including a sales contract identifying the seller and the buyer, it cannot be affirmed that<br />
the DGT engaged in unlawful processing of the claimant's data, since the entry in the Vehicle Registry is made in<br />
compliance with a legal obligation applicable to the controller and, likewise, on the basis of the performance of a<br />
contract to which the data subject is party.<br />
<br />
III<br />
<br />
The claimant adds that the DGT did not act with due diligence, as it did not verify whether the identification of the<br />
claimant had been correctly carried out. However, having analysed in the previous section the articles of the Vehicle<br />
Regulations applicable to the notification of sale, it must be concluded that, for the notification of sale, the<br />
aforementioned legal text does not require verification and collation of signatures. It should also be noted that it<br />
is not necessary for the buyer and the seller to attend the Traffic Headquarters at the same time, since, according to<br />
Annex XIV of the aforementioned Regulation, with regard to the acquirer:<br />
<br />
<br />
"B) Obligations of the acquirer:<br />
In accordance with the provisions of article 32, section 3 of this Regulation, the acquirer of a vehicle must, within<br />
thirty days from the date of acquisition, request from the Traffic Headquarters the renewal of the circulation permit<br />
or licence, presenting the following documents:<br />
1st. Application on the official model form provided by the Traffic Headquarters, stating the identity and address of<br />
the transferor and the acquirer.<br />
2nd. Fee or fees in the legally established amount.<br />
3rd. The documents on identity and representation specified in section A, numbers 1 and 3 of annex XIII, on<br />
registration.<br />
4th. Technical inspection card or certificate of characteristics, with a valid inspection.<br />
5th. Original of the self-assessment of the Tax on Property Transfers and Documented Legal Acts, or proof of exemption<br />
or non-liability, and photocopy.<br />
6th. Self-assessment of the Special Tax on Certain Means of Transport, or proof of non-liability or exemption, in cases<br />
of transfer of a vehicle before four years have elapsed since its first definitive registration with exemption or<br />
non-liability.<br />
7th. Registration form for the Tax on Mechanical Traction Vehicles.<br />
8th. Original and photocopy of proof of payment of, or exemption from, the Tax on Mechanical Traction Vehicles, in the<br />
event that the transferor has not fulfilled the obligation to notify the transfer provided for in article 32, section<br />
1 of this Regulation.<br />
9th. Document accrediting the acquisition, except where the seller and the buyer submit their applications jointly."<br />
<br />
Therefore, no lack of diligence can be imputed beyond verifying that all the documentation required by the Vehicle<br />
Regulations to carry out the corresponding procedure has been provided. If the documentation presented is fraudulent,<br />
the acting official has neither the capacity nor the possibility of verifying it.<br />
<br />
IV.<br />
<br />
<br />
Therefore, based on what is indicated in the preceding paragraphs, there is no evidence proving the existence of an<br />
infringement within the competence of the Spanish Data Protection Agency.<br />
<br />
Thus, in accordance with the above, the Director of the Spanish Data Protection Agency<br />
<br />
RESOLVES:<br />
<br />
FIRST: TO PROCEED TO CLOSE the present proceedings.<br />
<br />
<br />
SECOND: TO NOTIFY this resolution to B.B.B. and to the GENERAL DIRECTORATE OF TRAFFIC.<br />
<br />
In accordance with article 50 of the LOPDGDD, this Resolution shall be made public once the interested parties have<br />
been notified.<br />
<br />
<br />
Against this resolution, which puts an end to the administrative process as provided in art. 114.1.c) of Law 39/2015,<br />
of 1 October, on the Common Administrative Procedure of Public Administrations, and in accordance with arts. 112 and<br />
123 of the aforementioned Law 39/2015, of 1 October, the interested parties may, optionally, file an appeal for<br />
reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following<br />
notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative<br />
Chamber of the National High Court, in accordance with article 25 and paragraph 5 of the fourth additional provision<br />
of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day<br />
following notification of this act, as provided in article 46.1 of the aforementioned Law.<br />
<br />
<br />
940-110422<br />
Mar España Martí<br />
<br />
Director of the Spanish Data Protection Agency<br />
<br />
</pre></div>Teresa.lopezhttps://gdprhub.eu/index.php?title=User:Teresa.lopez&diff=29813User:Teresa.lopez2022-12-05T15:28:15Z<p>Teresa.lopez: Introduced my name, position and contact details.</p>
<hr />
<div>== '''Teresa López Carro''', lawyer and data protection officer. ==<br />
<br />
===== Contact details =====<br />
https://www.linkedin.com/in/lopezcarroteresa/</div>Teresa.lopez