AEPD (Spain) - PS/00257/2020: Difference between revisions

From GDPRhub
(Blanked the page)
Tag: Blanking
Line 1: Line 1:
{{DPAdecisionBOX


|Jurisdiction=Spain
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD
|DPA_With_Country=AEPD (Spain)
|Case_Number_Name=PS/00257/2020
|ECLI=
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/es/documento/ps-00257-2020.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Type=Investigation
|Outcome=Violation Found
|Date_Decided=
|Date_Published=11.01.2021
|Year=
|Fine=None
|Currency=
|GDPR_Article_1=Article 37 GDPR
|GDPR_Article_Link_1=Article 37 GDPR
|National_Law_Name_1=LOPDGDD
|National_Law_Link_1=https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf
|Party_Name_1=Ayuntamiento de Arroyomolinos
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Party_Name_4=
|Party_Link_4=
|Party_Name_5=
|Party_Link_5=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=n/a
|
}}
The Spanish DPA (AEPD) issued a reprimand to the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a DPO for more than two years after the entry into force of the GDPR.
== English Summary ==
=== Facts ===
Ayuntamiento de Arroyomolinos was found lacking a DPO.
The defendant has provided the measures it has in the meantime adopted: with a service contract from 28.09.2020 a DPO has been appointed.
=== Dispute ===
Was this municipality under the obligation of appointing a DPO?
=== Holding ===
The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer. This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.
The Spanish DPA issued a reprimand to Ayuntamiento de Arroyomolinos for violating Article 37 GDPR.
The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.
== Comment ==
''Share your comments here!''
== Further Resources ==
''Share blogs or news articles here!''
1/7
 Procedure Nº: PS / 00257/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following:
BACKGROUND
FIRST: D. A.A.A. (hereinafter, the claimant) dated January 20, 2020
filed a claim with the Spanish Agency for Data Protection. The
claim is directed against the Arroyomolinos City Council with NIF P2801500F
(hereinafter, the claimed).
The claimant states that he received on his behalf a notification from the
City Council, and it contains the data and facts that motivate the imposition
of a sanction to another person.
On the other hand, he points out that the consistory does not have a Delegate for the Protection of
Data.
Together with the claim, he provides the notification that they have sent him.
SECOND: In view of the facts reported in the claim and the
Documents provided by the claimant are transferred to the claimed claim.
On July 24, 2020, the defendant states: “that on January 20,
2020, the claimant was informed that on the day of notification of the Resolution there was
a computer failure, and in the notification of its procedure the body of the
resolution of the previous notification. The department proceeded to review
generated notifications, not finding any more erroneous, likewise
proceeded to add more revision controls of the documents generated so that
this situation is not repeated.
Likewise, he was informed that his data has not been disclosed to third parties,
have only been used for the notification of the procedure between the
claimant and this City Council ”.
THIRD: On September 25, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure for the claimed party, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.
FOURTH: Once the aforementioned commencement agreement was notified, the defendant submitted a
allegations in which he, in short, he stated: “that on September 28,
2020 was awarded by Decree No. 2497/2020 technical assistance services contract
to support and update information security (ENS) and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
2/7
protection of personal data (RGPD-LOPDGDD) and Delegate Service of
Data Protection, for a period of 12 months.
Sufficiently in advance of the contract end date and having
As a basis for the work carried out by the DPD during that time, it is already planned to tender
publicly for a maximum of 4 years the Data Protection Officer, with
The aim is that this City Council permanently have this figure.
In compliance with the duty to communicate the appointment of the DPO by
this City Council to the AEPD in accordance with the provisions of article 34.3 LOPDGDD,
The following details indicate: START UP, S.L. CIF B33667494
Attached to this document is: Decree No. 2497/2020 awarding of
service contract and technical-economic proposal of the company Start up CDF S.L.
in which the content of the services to be carried out is detailed ”.
FIFTH: On October 13, 2020, the instructor of the procedure agreed to the
opening of a period of practical tests, taking as incorporated the
preliminary investigation actions, E / 02287/2020, as well as the documents
provided by the defendant on October 8, 2020.
SIXTH: On November 18, 2020, a resolution proposal was formulated,
proposing that the Arroyomolinos City Council be sanctioned with a warning
NIF P2801500F, for an infraction of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.
SEVENTH: Once the resolution proposal was notified, the defendant submitted a written
allegations in which, in summary, it stated:
"FIRST.- That on September 28, 2020 it was awarded by Decree No.
2497/2020 technical assistance service contract for support and update in
information security (ENS) and personal data protection
(RGPD-LOPGDD) and Data Protection Delegate Service, for a period of
12 months to the company Start up CDF S.L.
SECOND.- The duty of communication of the appointment of the
DPD by this City Council to the AEPD in accordance with the provisions of article 34.3
LOPDGDD.
THIRD.- In the proposed resolution of the AEPD it is indicated that “In this case
specifically, it has been accredited by virtue of the documents provided with their
allegations to the initiation agreement that the complainant has appointed Delegate of
Data Protection: START UP, S.L. CIF B33667494. "
FOURTH.- Taking into consideration the Judgment of the National Court of
11/29/2013, (Rec. 455/2011), Sixth Law Foundation,what about him
warning regulated in article 45.6 of the LOPD and regarding its nature
legal notice that "does not constitute a sanction" and that it is "measures
corrective measures for the cessation of the activity constituting the offense ”that replace the
sanction. The Judgment understands that article 45.6 of the LOPD confers on the AEPD
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
3/7
a “power” different from the sanctioning one whose exercise is conditioned to the
concurrence of the special circumstances described in the precept. In
congruence with the nature attributed to awareness as an alternative to
sanction when, given the circumstances of the case, the subject of the offense is not
deserving of that, and considering that the object of the warning is the
imposition of corrective measures, the aforementioned SAN concludes that when they already
had been adopted, the procedure in Law is to agree on the file of the
performances ”.
In view of all the actions, by the Spanish Agency for Data Protection
In this proceeding, the following are considered proven facts,
ACTS
FIRST: The claimed person lacks the figure of a data protection delegate.
SECOND: The Arroyomolinos City Council, has contributed in the present
sanctioning procedure the measures it has adopted, including:
Technical assistance services contract for support and update in
information security (ENS) and personal data protection
(RGPD-LOPDGDD) and Data Protection Delegate Service, for a period of
12 months.
Communication of the appointment of the Data Protection Officer: START
UP, S.L. CIF B33667494
Decree No. 2497/2020 awarding the service contract and proposal
technical-economic of the company START UP CDF S.L.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of
The Spanish Agency for Data Protection is competent to resolve this
process.
II
The public administrations act as data controllers of
personal character and, on some occasions, they perform functions of managers
treatment, for what corresponds to them, following the principle of responsibility
proactively, meet the obligations that the RGPD details, among which is included, the
Obligation to appoint a data protection officer and communicate it to this
AEPD
The obligation is imposed by article 37 of the RGPD, which indicates:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
4/7
"1. The person in charge and the person in charge of the treatment will designate a delegate of
data protection provided that:
a) the treatment is carried out by a public authority or body, except those
courts that act in the exercise of their judicial function; "
Article 37.3 and 4 of the RGPD indicates on the designation of the DPD “When the
responsible or the person in charge of the treatment is an authority or public body,
may designate a single data protection officer for several of these
authorities or bodies, taking into account their organizational structure and size.
4. In cases other than those contemplated in section 1, the controller or the
in charge of the treatment or the associations and other bodies that represent
categories of managers or managers may designate a protection delegate
data or must designate it if required by Union or State law
members. The data protection officer may act on their behalf
associations and other organizations that represent managers or managers. "
The LOPDGDD determines in its article 34.1 and 3: ”Appointment of a delegate of
Data Protection "
1. Those responsible and in charge of the treatment must designate a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:
3. Those responsible and in charge of the treatment will communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities
autonomic data protection, appointments, appointments and terminations of
the data protection delegates both in the cases in which they are
obligated to their appointment as in the case in which it is voluntary.
The infringement is considered as such in article 83.4.a of the RGPD which states: ”4. The
Infractions of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
in the case of a company, an amount equivalent to a maximum of 2% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) The obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
39, 42 and 43; "
He Article 83.7 of the RGPD indicates:
“Without prejudice to the corrective powers of the supervisory authorities under Article 58 (2), each Member State may establish rules on whether, and to what extent, administrative fines can be imposed on public authorities and bodies established in that Member State. "
Article 58.2 of the RGPD states: “Each control authority will have all the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
5/7
following corrective powers listed below:
b) punish any person in charge or in charge of the treatment with warning when the treatment operations have violated the provisions of this Regulation;
d) order the person in charge of the treatment that the operations of
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified period ”.
In this sense, article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:
1. The regime established in this article will apply to the treatment of
who are responsible or in charge:
c) The General Administration of the State, the Administrations of the Communities
autonomous entities and the entities that make up the Local Administration.
2 “When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this law
organic, the competent data protection authority will dictate
resolution sanctioning them with warning. The resolution will establish
Likewise, the measures to be adopted to stop the conduct or to correct
the effects of the offense that had been committed.
The resolution will be notified to the person in charge of the treatment, the body of the
that depends hierarchically, where appropriate, and those affected who had the condition
interested party, if applicable. "
4.The resolutions that
fall in relation to the measures and actions referred to in the sections
previous.
5 will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued
under this article. "
III
Article 73 of the LOPDDG indicates: Violations considered serious:
"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:
v) Failure to comply with the obligation to appoint a data protection officer
when the appointment of him is required in accordance with article 37 of the Regulations
(EU) 2016/679 and article 34 of this organic law. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
6/7
By means of a written statement, the complainant has stated that he has already designated
Delegate of Data Protection.
Despite this, the Spanish Agency for Data Protection, sanctions the claimed with
a warning sanction since it had to have a delegate from
data protection in accordance with the provisions of article 37 of the RGPD,
since May 25, 2018, when the RGPD entered into force.
Therefore, in accordance with the applicable legislation and the criteria of
graduation of the sanctions whose existence has been accredited, the Director of the
Spanish Agency for Data Protection RESOLVES:
FIRST: IMPOSE the CITY COUNCIL OF ARROYOMOLINOS, with NIF
P2801500F, for a violation of Article 37 of the RGPD, typified in Article 83.4
of the RGPD, a warning sanction.
SECOND: NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.
THIRD: COMMUNICATE this resolution to the Ombudsman, of
in accordance with the provisions of article 77.5 of the LOPDGDD.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may file, optionally, an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
count from the day after notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that according to to the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
letter addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
7/7
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es

Revision as of 16:43, 15 January 2021