AEPD (Spain) - PS/00427/2020: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD (Spain) |DPA_With_Country=AEPD (Spain) |Case_Number_Na...") |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish | The Spanish DPA warned a Spanish city council for infringing Article 30 GDPR by not maintaining a record of its processing activities, and Article 31 of the Spanish Data Protection Act by not making a record of its processing activities available by electronic means. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
This decision is a consequence of a complaint submitted by a citizen stating that they requested via email the defendant’s Data Protection Officer access to the record of processing activities, but the controller never replied to the request. Four months after the request the claimant brought the dispute to the Spanish Data Protection Authority (AEPD). The AEPD found that the Council did not have a record of processing activities, what was confirmed by the controller. | |||
=== Dispute === | === Dispute === | ||
The | The controller answered to the AEPD's investigation requests confirming that it had not implemented a record of processing activities, due to political issues and the pandemic situation. | ||
The AEPD | With regards to the lack of answer to the data subject, the controller stated that the request was not addressed by the means required by the Spanish Administrative Law. | ||
The AEPD launched a sanctioning procedure, remaking that the GDPR entered into force in 2016 and is fully applicable since 2018, so the controller had had enough time to adapt to it. | |||
=== Holding === | === Holding === | ||
In the allegations process, the controller argued that it had started implementing the record of processing activities during the duration of this procedure and was compliant with Article 30 GDPR and Article 31 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act]. | |||
The DPA concluded that there had been no record of processing activities, and that consequently the controller had infringed Article 30 GDPR and Article 31 of the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Spanish Data Protection Act]. Since the City Council is a public body, the AEPD imposed a warning on the controller, and compelled it to comply with the GDPR. | |||
== Comment == | == Comment == |
Latest revision as of 12:40, 7 July 2021
AEPD (Spain) - PS/00427/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 30 GDPR Article 31 Spanish Data Protection Act |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 29.06.2021 |
Published: | 01.07.2021 |
Fine: | None |
Parties: | AYUNTAMIENTO DE GIJÓN |
National Case Number/Name: | PS/00427/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA warned a Spanish city council for infringing Article 30 GDPR by not maintaining a record of its processing activities, and Article 31 of the Spanish Data Protection Act by not making a record of its processing activities available by electronic means.
English Summary
Facts
This decision is a consequence of a complaint submitted by a citizen stating that they requested via email the defendant’s Data Protection Officer access to the record of processing activities, but the controller never replied to the request. Four months after the request the claimant brought the dispute to the Spanish Data Protection Authority (AEPD). The AEPD found that the Council did not have a record of processing activities, what was confirmed by the controller.
Dispute
The controller answered to the AEPD's investigation requests confirming that it had not implemented a record of processing activities, due to political issues and the pandemic situation.
With regards to the lack of answer to the data subject, the controller stated that the request was not addressed by the means required by the Spanish Administrative Law.
The AEPD launched a sanctioning procedure, remaking that the GDPR entered into force in 2016 and is fully applicable since 2018, so the controller had had enough time to adapt to it.
Holding
In the allegations process, the controller argued that it had started implementing the record of processing activities during the duration of this procedure and was compliant with Article 30 GDPR and Article 31 of the Spanish Data Protection Act.
The DPA concluded that there had been no record of processing activities, and that consequently the controller had infringed Article 30 GDPR and Article 31 of the Spanish Data Protection Act. Since the City Council is a public body, the AEPD imposed a warning on the controller, and compelled it to comply with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/11 Procedure No.: PS / 00427/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: D. A.A.A. (hereinafter, the claimant) on 06/17/2020 filed claim before the Spanish Agency for Data Protection. The claim is directed against CITY COUNCIL OF GIJÓN, with NIF P3302400A (hereinafter, the reclaimed). The reasons on which the claim is based are, in summary: that the 02/14/2020 sent an email to the DPD of the claimed person to check where the can access the record of treatment activities and if the activities of treatment of the Municipal Sports Board of the aforementioned City Council (which does not have declared DPD) depend on the DPD itself (that of the City Council), and where it can access them. There is no response from the DPD. SECOND: On 08/14/2020, the claim was transferred to the defendant, from in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter, LOPDGDD), in order to proceed with its analysis, notify the complainant of the adopted decision and will provide this Agency with information in this regard. On 09/22/2020, the respondent sent a response in which he sets out the functions of the DPO, response times for the actions that concern you, how to contact. I know It follows from this answer that the City Council has not established the registry of treatment activities. On the other hand, it points out that the query directed by the complainant to the DPD was not produced by the means established by the local entity (municipal website or citizen attention, as explained in the link “contact with the Delegate of Data Protection ”), so it cannot be understood that there was a lack of response. Y nor was there a breach of the deadline, foreseen solely for the purposes of answer claims ex art.37 LOPDGDD; when the affected person goes to the DPD in claim, the response period will be two months or one month, depending on present directly or received through the AEPD; and for what they are not claims (inquiries, resolution of doubts, etc.), it is a procedure without term set by what will govern article 21.3 Law 39/2015. It adds that it is the data controller who must provide the interested party with the access to the register of treatment activities and that said register is in validation and publication process; that to date the works related to the record of treatment activities have not yet reached the publication phase, due to the delays derived from the beginning of a new mandate of the corporation and its consequent readjustments of competences, together with the difficulties of the current C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/11 socio-sanitary crisis. THIRD: On 11/16/2020, in accordance with article 65 of the LOPDGDD, the Director of the Spanish Agency for Data Protection agreed to admit for processing the claim. FOURTH: On 01/25/2021 the Director of the Spanish Data Protection Agency agreed to initiate a sanctioning procedure for the claimed person for the alleged infraction of the Article 30 of the RGPD, typified in article 83.4.a) of the aforementioned RGPD. FIFTH: The commencement agreement was notified, dated 02/10/2021, the defendant presented brief of allegations stating, in summary, the following: . The GIJÓN CITY COUNCIL indicates that on 03/15/2019 the Roadmap was approved for the adaptation to the new LOPDGDD, among whose measures was the preparation of the RAT, and attach an email about the preparatory work carried out finished. On this matter, it expressly states that “work has begun even when you are not in a position to do so (the record of treatment) accessible to the public through its publication ”; . That the configuration of the municipal government team in mid-2019 entailed a series of changes in the municipal internal organization. Thus, by agreement of the Local Government Board of 07/28/2020, the list of jobs was approved, eliminating the Planning and Modernization Service and creating the Service of Strategy and Coordination of Resources, to whom is attributed the assistance, support technical and material to the Data Protection Delegate; . That the defendant has had limited staff growth in recent years and difficulties in the optimal performance of services, to which the current socio-sanitary crisis derived from COVI-19, which has caused delays in some processes based on the most urgent and urgent needs; . That, however, has decided to promote and implement the policies of security and data protection by tendering a contract, currently in process, to perimeter security management solutions, event correlation security, training in security measures, adaptation to the National Scheme of Security (ENS) and the General Data Protection Regulation (RGPD); . That the immaturity of the RAT, which prevents its publication, contrasts with the commitment of the claimed with the protection of the rights of minors, having adopted measures aimed at proactively ensuring the protection of minors in your relationship with the entity. SIXTH: On 03/02/2021 a test practice period began, remembering the following - To consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated by the Inspection services that are part of file E / 06737/2020. - To consider reproduced for evidentiary purposes, the allegations to the initiation agreement C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/3 presented by the claimed and the accompanying documentation. SEVENTH: On 06/03/2021 a resolution proposal was formulated in the sense of that the Director of the Spanish Data Protection Agency addresses a warning to the GIJÓN CITY COUNCIL, for an infringement of the Articles 30 of the RGPD and 31 of the LOPDGDD, typified in Article 83.4.a) of the GDPR. Likewise, it was proposed that by the Director of the Spanish Agency for the Protection of Data is required from the GIJÓN CITY COUNCIL so that, within the period established determine, adopt the necessary measures to adapt its performance to the regulations protection of personal data, with the scope expressed in the Fundamentals of Rights of the aforementioned resolution proposal. EIGHTH: GIJÓN CITY COUNCIL has been notified of the proposed resolution, dated 06/17/2021, this Agency received a written statement of allegations in the one that requests that the obligations regarding the registration of treatment activities and the file of the actions is agreed based on the following considerations: . He questions what was expressed in the Second Proven Fact, since he understands that it does not include the circumstances expressed in the allegations made to the agreement to initiate the process. It considers that the process of adaptation to the GDPR. . In accordance with Recital 82 of the RGPD, the registration of activities of Treatment is an instrument to prove that the action of the controller complies with the normative, so that the mere absence of publicity of this inventory of activities does not imply a breach. The opposite would suppose a luck of strict liability. . In the same way, the criteria for the imposition of a fine established in the Article 83 of the RGPD are also revealing of the non-existence of conduct punishable, including the means and measures implemented, as well as the practices of treatment of the Municipal Sports Council that were provided as exemplary, in accordance with the RGPD and with the principle of proactive responsibility. . In any case, on 06/04/2021, by Resolution of the Mayor's Office, the "Instruction 2/2021, on the Register of personal data processing activities", according to which the Inventory of treatment activities will be proposed by the General Directorate of Services for its final approval by Resolution of Mayor's Office and Publication. The Inventory will be accessible by electronic means in various official media and channels (Official Gazette of the Principality of Asturias, municipal website of transparency and in the municipal Intranet); and will be kept up to date. And on 06/16/2021 said “Inventory of the registry of personal data processing activities ”by Resolution of the Mayor's Office, and published in writing and in electronic format, as can be verified through the web “gijon.es” (url “https://www.gijon.es/es/publicaciones/inventario-del-registro-de- personal-data-processing-activities ”). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/11 As indicated by the claimed, this Inventory, which is subject to a process of adaptation and continuous improvement, groups the treatments by common and own subjects of areas, services or administrative units, amounting to a total of forty-five categories, which also include those that keep relationship with the claim and initiation of the present sanctioning procedure, regarding to the Municipal Sports Board. The brief of allegations includes a link to the aforementioned "Inventory", in its initial edition, which is accessible through the url mentioned above. It is found that for Each treatment activity details its purpose, legal basis, category of data personal, category of interested parties, recipients of communications, international transfers, retention periods and technical measures and organizational. The identity of the person responsible for the treatment is also detailed. (GIJÓN CITY COUNCIL) and the contact details of the Protection Delegate of data. Of the actions carried out in this proceeding, there have been accredited the following: PROVEN FACTS FIRST: On 06/17/2020 you have entry into the Spanish Agency for the Protection of Written data of the claimant stating that on 02-14-2020 he sent mail email to the DPD of the claimed party to see where the Registry can be accessed of the entity's Treatment Activities. SECOND: To date, the Gijón City Council does not have the Registry of Treatment Activities. The claimed entity itself, in the writings that it has addressed to the Spanish Agency for Data Protection on the occasion of the claim outlined in the First Proven Fact, has recognized that the Activity Register Treatment is in the process of validation and that the related works with said Registry they have not reached the publication phase. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in articles 47 and 48 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and to solve this procedure. II The claimed facts materialize in the absence of the Registry of Activities of Treatment by the claimed party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/11 Article 30, "Registration of treatment activities", of the RGPD establishes that: "1. Each person in charge and, where appropriate, their representative will keep a record of the activities of treatment carried out under your responsibility. Said record must contain all the information listed below: a) the name and contact details of the controller and, where appropriate, the joint controller, the representative of the person in charge, and of the data protection delegate; b) the purposes of the treatment; c) a description of the categories of data subjects and of the categories of personal data; d) the categories of recipients to whom the data was communicated or will be communicated personal, including recipients in third countries or international organizations; e) where appropriate, transfers of personal data to a third country or an organization international organization, including the identification of said third country or international organization and, in the In the case of transfers indicated in article 49, paragraph 1, second subparagraph, the documentation of adequate guarantees; f) When possible, the terms provided for the elimination of the different categories of data; g) where possible, a general description of the technical and organizational measures of security referred to in article 32, paragraph 1. 2. Each manager and, where appropriate, the manager's representative, will keep a record of all the categories of processing activities carried out on behalf of a controller who contain: a) the name and contact details of the person in charge or managers and of each person responsible for account of which the person in charge acts, and, where appropriate, of the representative of the person in charge or of the manager, and the data protection officer; b) the categories of processing carried out on behalf of each controller; c) where appropriate, transfers of personal data to a third country or organization international organization, including the identification of said third country or international organization and, in the In the case of transfers indicated in article 49, paragraph 1, second subparagraph, the documentation of adequate guarantees; d) where possible, a general description of the technical and organizational measures of security referred to in article 30, paragraph 1. 3. The records referred to in sections 1 and 2 shall be in writing, including in the format electronic. 4. The person in charge or the person in charge of the treatment and, where appropriate, the representative of the The person in charge or the person in charge shall make the record available to the supervisory authority that I requested. 5. The obligations indicated in sections 1 and 2 shall not apply to any company or organization employing fewer than 250 people, unless the processing it performs may involve a risk to the rights and freedoms of the interested parties, not occasional, or include special categories of personal data indicated in article 9, paragraph 1, or personal data related to convictions and criminal offenses referred to in article 10 ”. On the other hand, article 31 of the LOPDGDD establishes the following: "1. Those responsible and in charge of the treatment or, where appropriate, their representatives must maintain the record of treatment activities referred to in article 30 of the Regulation (EU) 2016/679, unless the exception provided for in its section applies 28001 - Madrid 6 sedeagpd.gob.es 6/11 5. The registry, which may be organized around structured data sets, must specify, according to their purposes, the processing activities carried out and the other circumstances established in the aforementioned regulation. When the person in charge or the person in charge of the treatment has designated a delegate of data protection must notify you of any addition, modification or exclusion in the registry content. 2. The subjects listed in article 77.1 of this organic law will make public an inventory of its treatment activities accessible by electronic means, which will include the information established in article 30 of Regulation (EU) 2016/679 and its legal basis ”. III The aforementioned standards establish the obligation of those responsible and in charge of the processing of personal data to keep a record of the activities of the treatment. In addition, in the case of the subjects listed in article 77.1 of the LOPDGDD, which includes the entities that make up the Administration Local, like the one claimed, is also obliged to make said record public and accessible by electronic means. In this case, the documentation in the file certifies that the claimed violated article 30 of the RGPD, "Registration of treatment activities", by not have prepared and published this registry until June 2021. As recorded in the brief of allegations to the proposal and in the attached documentation, the "Inventory of the registry of personal data processing activities" of the GIJÓN CITY COUNCIL was approved by Resolution of the Mayor's Office and 06/16/2021. The defendant himself, prior to the aforementioned hearing procedure, had recognized that it is the responsibility of the data controller to provide the interested party with access to the RAT; and that, where appropriate, said record was in the process of validation, without date on which he formulates his allegations at the opening of the procedure, the works related to said registry have reached the publication phase. And raised these initial allegations at the opening in accordance with this fact, noting that This was due to delays derived from the beginning of a new mandate of the municipal corporation in mid-2019, of its consequent readjustments competences and the difficulties caused by the current socio-sanitary crisis. According to the claimed entity, the configuration of the Municipal Government team to mid-2019, motivated by local elections, led to a series of changes in the municipal internal organization. Through the Governing Board Agreement Local, of 07/28/2020, the current job list was approved, eliminating the Planning and Modernization Service and creating the Service of Strategy and Coordination of Resources, who is attributed, among others, the assistance, technical and material support to the Data Protection Delegate for the performance of their duties. On the other hand, the defendant pointed out that he has seen how in recent years by C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/11 certain circumstances have imposed a series of limitations and difficulties in the optimal performance of services, which has been joined by the current crisis health care derived from COVI-19, which has caused delays in some processes ongoing, based on more urgent and urgent needs. The complainant explained that on 03/15/2019 he approved the "Roadmap" for adaptation to the new LOPDGDD, among whose measures was the preparation of the registry of treatment activities, and expressly stated that he was not in conditions to make it accessible to citizens through publication. He also reported that security and data protection policies were being promoted through the tendering of a contract to try to provide solutions for management derived from perimeter security, correlation of security events, training in security measures, adaptation to the National Security Scheme (ENS) and the RGPD, currently in process. Finally, I point out that "immaturity" current record of treatment activities prevented its publication. Ultimately, the defendant, in his responses to this body, attached evidence that would show the existence of the preparatory work for the elaboration of the indicated registration, although such work had not been completed at the time the present procedure, so that said Registry had not been prepared at that time. date, nor at the moment in which the allegations are presented at the opening. It was expressly admitted that it was not in a position to make the registration of treatment activities for citizens through publication. These circumstances are referred to in the Second Proven Fact, which is of the information provided by the claimed entity itself. They do not understand each other, in Consequently, the allegations in the motion for a resolution question the expressed in this proven fact. Regarding the circumstances alleged to justify this delay in adapting to the RGPD, the proposed resolution warned the defendant that said Regulation is It has been in force since 05/24/2016 and fully applicable since 05/25/2018. Therefore, the obligation to prepare the record of treatment activities is very prior to the constitution of the new municipal corporation and the outbreak of the pandemic. If the aforementioned City Council claimed, to overcome the alleged limitations, recently started the procedures for the bidding of a contract that aims to development of the necessary tasks to fulfill that adaptation to the RGPD, either he could have formalized such a contract years before. On the other hand, in its brief of allegations to the proposed resolution, the entity complained considers that the lack of publicity of the record of activities of treatment does not imply a breach, taking into account that this record is configured in Recital 82 of the RGPD only as an instrument "(82) To demonstrate compliance with these Regulations, the controller or the processor must keep records of processing activities under its responsibility". This instrumental nature of the record of treatment activities is true, but so is the obligation to maintain it. Failure to comply with this obligation is C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/11 constituting an infringement, as set out in the following Legal Basis. Therefore, in the present case, the breach of the provisions is proven. in articles 30 of the RGPD and 31 of the LOPDGDD. IV Article 83.4 a) of the RGPD, considers that the infringement of “the obligations of the responsible and the person in charge in accordance with articles 8, 11, 25 to 39, 42 and 43 ”is punishable in accordance with section 4 of the aforementioned article 83 of the aforementioned RGPD, “with administrative fines of a maximum of € 10,000,000 or, in the case of a company, of an amount equivalent to a maximum of 2% of the turnover global annual total for the previous financial year, opting for the highest amount ”. In this regard, the LOPDGDD, in its article 71 establishes that “They constitute offenses the acts and conducts referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law ”. For the purposes of the statute of limitations, article 73 of the LOPDGDD indicates: "Based on what is established in article 83.4 of Regulation (EU) 2016/679, they are considered serious and will prescribe after two years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) n) Not having the record of treatment activities established in article 30 of the Regulation (EU) 2016/679. (…) ”. V The LOPDGDD in its article 77, “Regime applicable to certain categories of responsible or in charge of the treatment ”, establishes the following: "1. The regime established in this article will be applicable to the treatments of which are responsible or in charge: a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them. b) The jurisdictional bodies. c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration. d) Public bodies and public law entities linked or dependent on the Public administrations. e) The independent administrative authorities. f) The Bank of Spain. g) Public law corporations when the purposes of the treatment are related with the exercise of powers of public law. h) Public sector foundations. i) Public Universities. j) Consortia. k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies autonomic, as well as the political groups of the Local Corporations. 2. When the managers or managers listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the authority of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/11 data protection that is competent shall issue a resolution sanctioning them with warning. The resolution will also establish the measures to be adopted so that the conduct ceases or the effects of the offense that had been committed are corrected. The resolution will be notified to the person in charge or in charge of the treatment, the body of which hierarchically depends, where appropriate, and those affected who had the status of interested, if applicable. 3. Without prejudice to the provisions of the previous section, the data protection authority will also propose the initiation of disciplinary actions when there are indications enough for it. In this case, the procedure and the sanctions to be applied will be the established in the legislation on disciplinary or sanctioning regime that results from app. Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment that had not been duly attended to, the resolution imposing the sanction will include a reprimand with the name of the responsible position and the publication will be ordered in the Official Gazette of the State or autonomous region that corresponds. 4. The data protection authority must be notified of the resolutions that fall in relation to the measures and actions referred to in the previous sections. 5. They will be communicated to the Ombudsman or, where appropriate, to the analogous institutions of the autonomous communities the actions carried out and the resolutions issued under the this article. 6. When the competent authority is the Spanish Agency for Data Protection, this will publish on its website with due separation the resolutions referring to the entities of section 1 of this article, expressly indicating the identity of the person responsible or person in charge of the treatment that had committed the infringement. When the competence corresponds to an autonomous data protection authority, It will be, as far as the publicity of these resolutions is concerned, to what its regulations provide specific ”. In the case at hand, it is found that the defendant, as he has confirmed in its response to the informative request of this AEPD, it has breached the obligation to have the RAT established, as well as to make it public by means of electronic Said conduct constitutes, on the part of the defendant, an infringement of the provided in articles 30 of the RGPD and 31 of the LOPDGDD. It should be noted that the RGPD, without prejudice to the provisions of its article 83, contemplates in its article 77 the possibility of directing a warning to correct the breaches of the provisions set forth in said Regulation and in the aforementioned Organic Law by those responsible or in charge listed in section 1. This being the case, the established circumstances cannot be applied in the present case. to graduate the administrative fines, to which the CITY COUNCIL OF GIJÓN in its brief of allegations to the resolution proposal. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/11 On the other hand, it is contemplated that the resolution issued may establish the measures to be taken to stop the behavior, correcting the effects of the infraction that had been committed and the necessary adaptation is carried out, in this case, to the requirements contemplated in article 30 of the RGPD, as well as the Provision of means of accreditation of compliance with what is required. Thus, in accordance with the provisions of the aforementioned article 77 of the LOPD, by the instructor of the procedure, a resolution proposal was formulated so that the Director of the AEPD agrees to require the responsible entity to adapt its action to the personal data protection regulations, proceeding to prepare the registry of treatment activities and providing what is necessary to make it accessible by electronic media. However, on the occasion of the hearing procedure on the proposed resolution, the claimed has proven to have fulfilled these obligations. It is proven that, By Resolution of the Mayor's Office dated 06/16/2021, the said "Inventory of the registry of personal data processing activities" and published Through the web “gijon.es” (url “https://www.gijon.es/es/publicaciones/inventario-del- registry-of-activities-of-treatment-of-personal-data ”). The brief of allegations included a link to the aforementioned "Inventory", in its initial edition. It is verified that the treatments are grouped by common subjects and specific to administrative areas, services or units; and that for each treatment activity Its purpose, legal basis, category of personal data, category of interested parties, recipients of communications, international transfers, retention periods and technical and organizational measures. It also details the identity of the person responsible for the treatment (GIJÓN CITY COUNCIL) and the data of contact of the Data Protection Delegate. This "Inventory", due to its content and structure, conforms to the regulated provisions of articles 30 of the RGPD and 31 of the LOPD. Therefore, as of the current date, it is understood the obligation to keep a record of processing activities has been fulfilled carried out under the responsibility of the GIJÓN CITY COUNCIL, not resulting from the imposition of additional measures. This declaration does not imply any pronouncement on the regularity or legality of the treatment activities described in the registry provided by the claimed, nor on its purpose or legal basis, as they are aspects that exceed the object of the present proceeding. Therefore, in accordance with the applicable legislation, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DIRECT AN APPOINTMENT to the entity GIJÓN CITY COUNCIL, with NIF P3302400A, for a violation of articles 30 of the RGPD and 31 of the LOPDGDD, typified in Article 83.4.a) of the RGPD. SECOND: NOTIFY this resolution to the entity CITY COUNCIL OF GIJÓN. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 11/11 THIRD: COMMUNICATE this resolution to the Ombudsman, of in accordance with the provisions of article 77.5 of the LOPDGDD. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency is not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es