AEPD (Spain) - PS/00068/2021: Difference between revisions
(I made some minor changes to the phrasing for comprehension and consistency. I also added hyperlinks to the relevant GDPR provisions within the text.) |
Line 31: | Line 31: | ||
|Party_Name_1=URBAN PLANET | |Party_Name_1=URBAN PLANET | ||
|Party_Link_1= | |Party_Link_1=https://urbanplanetjump.es/ | ||
|Party_Name_2= | |Party_Name_2= | ||
|Party_Link_2= | |Party_Link_2= | ||
Line 58: | Line 58: | ||
=== Holding === | === Holding === | ||
The AEPD recalled that the necessity test for any limitation of data protection rights should be strict, and processing should be carried out only where strictly necessary. Any data processing operation (such as collection, storage, use, disclosure of data) provided for by law limits the right to the protection of personal data, irrespective of whether such a limitation may be justified. The AEPD considered that the purpose underlying the taking of photographs for visitor's access to the park | The AEPD recalled that the necessity test for any limitation of data protection rights should be strict, and processing should be carried out only where strictly necessary. Any data processing operation (such as collection, storage, use, disclosure of data) provided for by law limits the right to the protection of personal data, irrespective of whether such a limitation may be justified or not. The AEPD considered that the purpose underlying the taking of photographs for visitor's access to the park in this case was neither covered by the processing purposes, nor was it necessary or proportionate. The AEPD stated that the photos requested to access the park and to confirm knowledge of the park's rules of use are not adequate, pertinent and relevant data according to these purposes. Therefor, the AEPD held that [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] was infringed, and issued a reprimand to URBAN PLANET as per [[Article 58 GDPR#2b|Article 58(2)(b) GDPR]]. | ||
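Review bot: In the new (right-hand) text of the Holding paragraph, the last sentence opens with "Therefor", which should read "Therefore", and "visitor's access" should be "visitors' access" since the sentence concerns all visitors to the park. The added "or not" after "irrespective of whether such a limitation may be justified" is redundant; the earlier wording without it reads better.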
Latest revision as of 10:36, 21 December 2021
AEPD (Spain) - PS/00068/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 58(2)(b) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | |
Fine: | None |
Parties: | URBAN PLANET |
National Case Number/Name: | PS/00068/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA issued a reprimand to URBAN PLANET trampoline park for asking customers to provide photos at the entrance to the park with every visit.
English Summary
Facts
A complaint was filed against URBAN PLANET (a trampoline park) for asking for a disproportionate amount of data in order to access its premises. Specifically, the user must fill in a registration form with: name and surname, ID number, address, telephone number, e-mail address, date of birth and photograph. URBAN PLANET explained that the identity verification was put in place as a cost-effective way to verify the identity of the visitors. The Spanish DPA (AEPD) assessed whether the data minimisation criterion of Article 5(1)(c) GDPR was met in the case.
Holding
The AEPD recalled that the necessity test for any limitation of data protection rights should be strict, and processing should be carried out only where strictly necessary. Any data processing operation (such as collection, storage, use, disclosure of data) provided for by law limits the right to the protection of personal data, irrespective of whether such a limitation may be justified or not. The AEPD considered that the purpose underlying the taking of photographs for visitors' access to the park in this case was neither covered by the processing purposes, nor was it necessary or proportionate. The AEPD stated that the photos requested to access the park and to confirm knowledge of the park's rules of use are not adequate, pertinent and relevant data according to these purposes. Therefore, the AEPD held that Article 5(1)(c) GDPR was infringed, and issued a reprimand to URBAN PLANET as per Article 58(2)(b) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00068/2021

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on the following

BACKGROUND

FIRST: On 09/10/2019, A.A.A. (hereinafter, the claimant) completed a claim sheet which, at the request of the Consumer Service, is transferred to this AEPD, with entry on 10/23/2019. The reasons on which the claim is based are that, to access the leisure area with mats and trampolines "URBAN PLANET", Vigo (an activity that, according to the park website, is located in different towns of Spain), a disproportionate amount of data, ID and photograph are requested.

Along with the claim, the claimant provides:

- Copy of the claims sheet dated 09/10/2019, in which TURIA OCIO Y COMERCIO SL (CIF B 88334222) noted as allegations that the person who enters URBAN PLANET must be previously registered with the data requested, for the security of each one of the users. "We always offer the possibility that, when leaving our facilities, all the data provided is deleted".

- Screen print (data platform) of the registration and personal data collection sheet, in which at first glance the identity of the person in charge is not seen, with two boxes to tick, one of "I have read and accept the privacy policy, read", and another of "I have read and accepted the waiver". In the collection form, the fields marked with an asterisk are the following: name and surname, ID, date of birth, address, postal code, city, province, mobile phone, email, password and photo ("use the camera or add a picture of your face from your device"). In the upper left, the form bears the literal "Your data", and below it "finish registration".

- Ticket of the service, of 09/10/2019, with data from URBAN PLANET, address c/ Miradoiro, on which the same CIF as that of TURIA OCIO Y COMERCIO SL appears, shop.urbanplanetjump.es/online.
SECOND: In view of the facts reported in the claim and the documents provided by the claimant in accordance with the provisions of Title VII, Chapter I, Second section, of the Organic Law 3/2018, of 5/12, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), the claim is transferred to TURIA OCIO Y COMERCIO S.L. and URBAN PLANET ENTERTAINMENT SL, both of which are Accessed submission content on 12/4/2019. THIRD: On 01/02/2020 TURIA OCIO Y COMERCIO S.L., from the address c / Ra- Fael Botí 2 of Madrid, states that they have received “two letters attached to the registered office of URBAN PLANET ENTERTAINMENT SL and TURIA OCIO Y COMERCIO SL but both C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/16 they derive from the same in reference number and for the same facts ”. In the answer that is given, it carries the literal URBAN PLANET ENTERTAINTMENT SL, and below the web address www.urbanplanet.es, responds the legal representative of URBAN PLANET ENTERTAINMENT SL, with a CIF different from that of TURIA OCIO, and head office calle Rafael Boti, 2 de Madrid, “and its branch TURIA OCIO Y COMERCIO SL whose administrative headquarters It is located in the Gran Vía de Vigo shopping center, floor two, local 226, Rúa Miradoiro 2 of Vigo ”. Indicates that URBAN PLANET ENTERTAINMENT is responsible for the treatment (hereinafter the claimed). It provides in electronic format, together with the answer hash, four more so-called documents ment 1 to 4 to which he refers in his explanations. Manifests: 1) Regarding the decision made regarding the claim, the main one has been acted upon. lize the registration processes at its different parks to homogenize and centralize the training that is provided to the user “so that it is accessible in various ways. 
" There is a "previous step" to access the facilities of the company in which the user has to register as shown in DOCUMENT 1 that provides, registration form, which It must be completed with: name and surname DNI address telephone email fe- birth certificate and photograph. It coincides with the one provided by the claimant as a "sheet of registration ", at the top left is" Your data. Are you already registered? It has to also mark the privacy policy section. “The data contained in the question nary are described in the privacy policy, being a necessary condition to know and have read the privacy policy. " 2) Regarding the causes that have motivated the incident that originates the claim, they state "We do not consider the amount of data excessive", since the purpose is to identify with accuracy to who accesses the leisure centers. Identity verification is to avoid possible cases of impersonation, being the collection of the ideal image to achieve the objective and identify them, and it is not very onerous. Also, as a facilitating means of defense of the user against others and against the claimed, as a way of accrediting the physical state in which the users are within the belt or in the event that someone who is injured outside the facilities, comes to the nally to the park to allege that the injury was produced within the facilities, proceeds to a PRIOR REGISTRATION OF THE USER. Provides document 2 containing a registration with "Clients-Client Administration" that collects the data of name and surname. two, in this case of the claimant, the e-mail, the date of the visit to the leisure center and the name mination or name of this center. 
He adds that in practice it is an optional requirement because, "in the parks", if the user expresses disagreement with the taking of the photo, the registration ends up being carried out all the same, with the photo taken in another direction, or with a photo in which the user is not actually portrayed, as was the case of the claimant.

3) On the measures adopted to prevent similar incidents from occurring, implementation dates and controls carried out to verify their effectiveness, they state that, in application of the principle contained in article 5 of the RGPD, in order to "rectify the data that are inaccurate with respect to the purposes for which they are treated", and "taking a proactive liability policy", they have modified the treatment activity affecting the data collected, which was previously called "acceptance of standards for access to parks and use of facilities" (provides a copy of document 4) and that is now being separated into various treatment activities (provides a copy of document 3).

In document 4, the previous situation, it provides a document of "explicit consent for the data processing" in which there are spaces to sign and complete the sections: name and surname, NIF, address, telephone. "The interested party authorizes the collection of information of personal data of the following processing activities: registration for access to parks and use of facilities and whose location is in ww.urbanplanetjump.es". The purpose of collecting and processing the information "is to record data for access to the enjoyment of the parks, online sales, acceptance of rules of use and acceptance of video recordings for security purposes in the facilities. Administrative communications through WhatsApp, SMS and email."
"The typology of the data of the interested party that will be treated by the person in charge are name and surname, NIF, DNI, NIE, te- phone number, address, voice image, email, password, passport number, age ”. In document 3, it provides the informative clauses that respond to different activities of treatment, being in all of them the person in charge of the treatment the claimed one, and its base of legitimation of consent. Is about: - Treatment activity of “acceptance of use of facilities whose location is located tran urbanplanetjump.es ”,“ the purpose of collecting and processing information from the inte- resado is to inform the correct use of the facilities and video recording for the purposes security ”, collecting“ name and surname, signature ”. - "Registration for access to parks" whose location is at "urbanplanetjump.es", The purpose of the collection and treatment being that of the “data record for access to the dis- fruit of the parks, photo registration for user identification, video recording to security effects in the facilities ”, indicating that the data collected is named Name and surname NIF, DNI, address, voice image, email, password, number of passport, age. - "online sale on the website" being the purpose of the collection and treatment of "management of online ticket sales ”. The type of data of the interested party that will be processed are Names and surnames, NIF, DNI, telephone numbers, address, email, date of birth. - "sending newsletter", for the purpose of advertising and commercial prospecting, in the case of- Name and surname, NIF, DNI, NIE, telephone numbers, address, email. FOURTH: On 03/30/2020 the claim is admitted for processing. FIFTH: On 03/24/2021 the director of the AEPD agreed: "INITIATE SANCTIONING PROCEDURE to URBAN PLANET ENTERTAINMENT S.L., with NIF B-87223822, for the alleged violation of article 5.1.c) of the RGPD, of in accordance with article 83.5.a) of the RGPD and 72.1.a) of the LOPDGDD. 
"For the purposes specified in art. 64.2 b) of Law 39/2015, of 1/10, on the Common Administrative Procedure of Public Administrations, the sanction that may correspond would be a warning."

Notified of the agreement, no allegations are received.

SIXTH: On 10/7/2021 a procedure of access to the website of the claimed party and to its data protection and privacy policy is carried out.

SEVENTH: On 10/8/2021 a period for the taking of evidence begins, incorporating the proceedings prior to the initiation agreement and the record of 10/7/2021 of access to the claimed party's website, legal notice, privacy policy and personal data.

In addition, it was decided to request from the claimed party:

1. Copy of the register of treatment activities, updated since May 2018, explaining whether there have been variations, with dates and an explanation of the reasons.

On 10/28/2021 a response was received, providing as document 1 the register of treatment activities. With relevance for access, the activities created in 2018 are:

- CONTACTS VIA WEB
- VIDEO SURVEILLANCE
- ACCEPTANCE OF RULES FOR ACCESS TO PARKS AND USE OF FACILITIES

The treatment activity "acceptance of standards for access to parks and use of facilities" had a very extensive purpose and was separated in the modifications of 2019. The activities created or modified in the year 2019-2020 are:

- ACCEPTANCE OF USE OF FACILITIES, discharge 12/30/2019
- REGISTRATION FOR PARKS ACCESS
- ONLINE SALE ON THE WEBSITE, discharge 12/27/2019

2.
Reason why on its website, in the legal notice, data protection and privacy policy, there is no mention of the processing activity "Registration for access to parks", whose purpose is "data record for access to the enjoyment of the parks, photo record for user identification, video recording for security purposes in the facilities", indicating that the data collected are name and surname, NIF, DNI, address, image/voice, email, password, passport number, age.

It states that it is currently in the process of updating and that it depends on the park whether it is carried out in one way or another, and gives the example of Alicante, in which the data has to be provided when making the purchase online. Selecting the center, the number of tickets and the time leads to another screen that indicates, according to the copy provided, "Complete the following fields to finalize your purchase", "Your data, are you already registered?: e-mail, name and surnames, mobile phone". There is NO section referring to a photo. There is a box "I have read and accepted the privacy policy" that, if clicked, leads to the information on said treatment, showing the information sheet to be accepted and, at the end, a box with "I accept", containing the statement "duty to inform about the treatment", about "the relation of treatment activities, registration for access to parks", stating that "the photograph is recorded for user identification, video recording for security purposes in the facilities", and also telephone, address, email, NIF. "The legal basis of the treatment, the unequivocal consent".

He adds that in the Las Rozas park "the privacy policy notice refers to the legal notice" and "the acceptance of the use of rules is made either through the computer or in the park through a QR code."

3.
Reason why in relation to your website, in legal notice, data protection and policy ca of privacy, treatment activity of - “registration for access to parks and use of ins- talaciones ", in their allegations they state that they will collect name and surname, signature and on the web figure being collected image. The treatment of "registration for access to parks and use of facilities" is the product of the breakdown of treatment activities produced in 2019 2020. Now it is about "registration for access to parks ”, and in the“ acceptance of use of the facilities ”. In both it is known that the image is collected. Also before breaking down the image was collected. 4. Please detail when and by what means the data collection for the treatment occurs. statement of the "acceptance of use of facilities", which documents or instructions are given to inform users, and because it is necessary to treat as stated on the web: Name and surnames; Image; Firm; Connection metadata; mobile phone. He states that “the image is not currently being collected. "Currently the data through the computer, if it is done from home or in centers that have codes go QR to do it through the customers' phones and that lead to a referral URL. register. For this reason, the name and surname are included in the metadata of connection, mobile phone, necessary data to know who is the person who enters the center, who reserves a birthday, who to turn to if you need their help etc. " "Previously they requested through some tablets that were available at the reception desk "" In the centers there are also posters where the rules of use are indicated ”. 5. In what distinguishes the treatment of "previous registration of clients to access facilities. tions ", of the treatment that appears on its website of" acceptance of use of facilities ", and if this already existed when the events took place. 
In its allegations on the transfer of the claim, it does not indicate the name "acceptance of use of facilities".

The treatment activity "registration for access to parks" "is aimed at registering the interested party to know who is the person who enters the center, who reserves a birthday, etc., and it is a prerequisite before accessing the facilities and to avoid undue claims; it is specific to each time you enter a park." The treatment activity called "acceptance of use of facilities" supposes the acceptance of the rules of use and, once done, is valid for all parks.

"These two activities were created as a result of our reply to the allegations on December 30, 2019 as a proactive responsibility measure, but there has always been a mandatory register where the use of the facilities was accepted."

6. Regarding the document that, at the time of the events, was used for the "registration for access to parks and use of facilities", document 1 that you provided, whose upper left header reads "Your data, are you already registered?", point out the ways to fill it in (before going to the premises, on the web or at the premises), how the photograph that was requested was obtained, and whether it is still requested. Also, if that record is the one that refers to or coincides with that of the "acceptance of use of facilities", where did the general conditions of use of facilities appear, or how were the conditions of use of the facilities considered accepted, since in no document, 1 or 2, provided in the transfer of the claim is this specific point indicated, referring only to the section of the privacy policy?

It states that "the document could be completed through the web or on the premises through a Tablet. The photograph was taken on the premises through the tablet that was used for registration. Currently, photography is not required.
In the same registry, in addition to appearing the policy of privacy appear the norms of use. In addition, in the center there are signs where The rules of use are also indicated ”. 7. Why do you need to register personal data to accept the use of facilities? Yes Wouldn't it be enough to read and mark them at the time of completing registration for access? What relationship does this purpose have with the assignment to assurance entities? guradoras and because it appears as an assignment in both treatment activities. "Personal data is requested to accept the use of facilities since once accepted- you give the rules allow you to access any park ”. “Regarding the activities, registration for access to parks is carried out every time you go to a park since it is necessary to know who is the person who enters the center, who Book a birthday or other event to whom to go if you need their help if for example is a parent who has registered is helpful to be able to locate him in case of be necessary. As for the recipients, there are insurance entities since it is the insurance that is in charge of reviewing and analyzing the causes of a possible accident and determining the possible culprit. to detect any broken material or incidence in the facilities and it has been included as a recipients in the most activities ”. 8. Although nothing was requested in the procedure regarding the taking of images by video surveillance- of the people captured when they access the facilities, they are requested to detail the purpose of collecting the images, how long the images are kept, and if they are used zed for accident claim cases. Number of cases they have had. He states that “the video surveillance system focuses on the playground and is used to recognize ger accident information. The images are kept for a period of 10 days. 
Its purpose is contained in the treatment activity called "registration for access to parks" where it includes, among other things, video recording for security purposes in the facilities. They indicate that they keep a control of each case, but not a total sum of cases.

9. If the request for the image, photograph, the collection of "DNI", "address" and of the "electronic mail" for the treatment of document 1, since in the informative text obtained on 10/7/2021 the "customer registration for access" activity does not appear on the web in privacy policy and personal data, and why is photography still required if there is video surveillance from the moment the facilities are accessed?

He states that currently photography is not required of those interested. At first it was requested on the recommendation of the insurance, but later it was decided not to collect that data.

10. Whether, when accessing the leisure center with the tickets purchased on the web, the presentation of the DNI is requested upon entering.

It indicates that "the DNI number is requested to verify the previous registration made by the user once they enter the park".

11. Regarding the collection of data for user registration, document 1, which indicates that it is also necessary to collect the image, photography, to ensure the safety of the user and the rest, to guarantee that people "enter the park and initiate the activity in fullness of physical capabilities", "no one can claim that another entered the venue with injuries acquired with the aim of avoiding possible liabilities that arise from a negligent use of the facilities against other users and against the claimed", that is to say, questions of liability for accidents, injuries etc., however they do not report said purpose; detail, if so, the need and the reasons.
After receiving the transfer of the claim, in their allegations they specified that the treatment activity then called "acceptance of rules for access to parks and use of facilities" was broken down into four other treatment activities. In the new "registration for access to parks" there was included "as a purpose, among others: "registration of photography for user identification". In the activity called "acceptance of use of facilities", the purpose is: "To inform about the correct use of the facilities and of the video recording for security purposes".

"It is reported through the document of use of mandatory standards for all customers, of mandatory signature when you first enter a center and where it indicates the exemption of responsibility in case of non-compliance with the rules".

12. How are those affected informed about issues related to accidents or injuries produced in the development of the activity, exemptions from liability, causes of exemption, etc.?

"It is reported through the document of use of mandatory standards for all customers, of mandatory signature when you first enter a center and where it indicates the exemption of responsibility in case of breach of the norm"

EIGHTH: On 11/11/2021 a resolution proposal is issued, with the literal:

"That URBAN PLANET ENTERTAINMENT S.L., with NIF B87223822, be sanctioned by the Director of the Spanish Data Protection Agency for a violation of article 5.1.c) of the RGPD, with warning."

Faced with the same allegations.

Of the actions carried out in the present procedure and of the documentation obtained in the file, the following have been accredited:

PROVEN FACTS

1) The defendant is dedicated to offering, in leisure parks in Spain, activities with mats and trampolines, with various locations.
At the time if the events occurred, 09/10/2019, the defendant had an activity of trafficking in called “registry for access to parks and use of facilities, whose purpose consisted as: “Data registration for access to the enjoyment of the parks, online sales, acceptance of norms more use and acceptance of video recordings for the security of the facilities. Administrative communications through whatsapp, sms and email ”. In document 1 of the collection of said type of data provided by the claimant, it appeared in the upper left header: "Your data, are you already registered?" that could be completed by the user "through the web or on the premises through a Tablet". It was essential fill in the registration before accessing the activity, the facilities. The data that had to be completed as mandatory, marked with an asterisk were those of: name and surname two DNI address, telephone, email, date of birth and photograph. The photograph fía was taken on the premises through the tablet that was used for registration. In the same re I also registered the privacy policy and the rules of use. In the center There are posters where the rules of use are also indicated. However, the records of treatment activity, stated the claimed in the transfer of the claim, that the purpose of collecting the user's photo was their identification unequivocal when accessing, in order to avoid impersonations, in case of injuries in the activity (correlation of name and data taken, plus the photo, contributes to the precision in case of inci- tooth or injury) as well as “facility safety”. The complainant adds that, in practice, the requirement of the photo was optional and that when the user expressed his disagreement, it was not implemented, “as was the case of the claim mante ", who" decided to put his hand in front of the camera in the process ", and was not prevented the access. There is no image of it in their files. 
2) After the transfer of the claim, on 01/02/2020, the defendant specifies that the treatment activity called until then "acceptance of rules for access to parks and use of facilities" begins to be differentiated and broken down, in terms of the data necessary to access and carry out the activity, into:

- "registration for access to parks": the data are collected each time a park is accessed to do an activity. The data indicated as collected are: NIF/DNI/NIE; Telephone; Address; Image, photography/voice; Email; Password; Passport number; Age. The photograph is for "user identification"; purpose: "for access to the enjoyment of the parks", "registration of photography for user identification."

In some parks, like the one in Alicante, the data is completed when the tickets are purchased on the web, although it has the option that asks if you are already registered. It contains the data to be filled in, among which photography is not mentioned. The same purchase leads to "I have read the privacy policy"; by clicking it, the information on this treatment activity is read, where it is indicated again that "the photograph is registered to identify the user."

The defendant indicated after the initiation agreement that the photo is no longer required.

Faced with the statement of the complainant that "Regarding the activities, registration for access to parks is done every time you go to a park since it is necessary to know who is the person who enters the center, who reserves a birthday or other event, and whom to turn to if their help is needed; if, for example, it is a parent who has registered, it is helpful to be able to locate them if necessary", it is observed, however, that when buying tickets on the web, with a reservation of day and time, there are data to be fulfilled.
mention that at no time is it inferred that it is the person or subject who is going to participate in the activity, or he has to be the one who participates in it. If you buy multiple tickets It is also not clear the identification of the subject who is going to use the tickets. - "Acceptance of use of facilities", the purpose is: "To inform of the correct use of the facilities and of the video recording for security purposes ”. Assumes acceptance of the rules of use and once carried out is valid for all parks. After the agreement Initially, the defendant stated that the image is not being collected for this treatment. gen. The rules for the use of facilities were included in the privacy policy, and it could be cir at the same moment in which the installation was accessed, together with the collection of the tro for access to parks " 3) In addition, the defendant has a video surveillance system inside his facilities. lance that focuses on the playground and is used to collect information on accidents. The images are kept for a period of 10 days. Its purpose is included in the activi- treatment entity called "registry for access to parks" where it consists, among others, "Video recording for security purposes at the facilities." They indicate that “they keep a control of each in case of accident claim in case from which responsibility is derived in the development of the activity. " 4) The defendant indicated after the initiation agreement that the photo that was required before each time access to a park, part of the treatment "registration for access to parks" it is no longer required. At first, it was collected on the recommendation of the insurance. 
5) Asked whether, when accessing the leisure center with the tickets purchased on the web, the presentation of the DNI was requested, the defendant indicated in evidence that “the number of the DNI to verify the previous registration made by the user once they enter the park”.

6) The defendant informs clients about matters related to accidents or injuries produced in the development of the activity, exemptions from liability, causes of exemption, etc., through the document of rules of use, "mandatory for all customers", with mandatory signature when accessing “for the first time to a center and where it indicates the exemption of responsibility in case of breach of the norm”. “In the centers, there are also posters indicating the rules of use”. The information on mandatory rules of use given on the posters may be related to the treatment activity called "Acceptance of use of facilities", which implies acceptance of the rules of use and, once carried out, is valid for all parks, although data was collected for this, among them the picture.

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each control authority, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to resolve this procedure.

II

The defendant is accused of violating article 5.1.c) of the RGPD, which provides:

"The personal data will be:

b) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization");"

The "Practical guide to risk analysis in the processing of personal data subject to the RGPD" published by the AEPD, in its section 3, “Data Protection from the design and risk management: what should be the route to follow?”,
section "definition and design of treatment activities", reproduces, on the treatment activity:

“Defining a treatment activity is a fundamental step that requires having clear what are the purposes of the processing of personal data. It corresponds to each organization, in accordance with the principle of proactive responsibility (accountability), to decide the level of aggregation or segregation to prepare the record of treatment activities, and it must assess to what extent that aggregation or segregation corresponds to purposes, legal bases and different groups of individuals. Likewise, it is necessary to weigh, as was done before when defining files, the optimization of the management of data protection within your organization so that it is useful, agile, effective and allows to achieve the objectives that the legislation seeks: that the individuals whose data are object of treatment may have, where appropriate, an effective knowledge of the treatments that the organization performs on them.

Once all those activities that correspond to the work or functions that it performs on the personal data of the groups of people it manages have been incorporated into the entity's treatment registry, it should pay attention to the new obligations that the RGPD describes about the person responsible for the treatment and the person in charge of treatment. Do these new obligations entail the generation of new treatment activities that should be described and incorporated into the activity register?

The GDPR establishes in article 5 the following principles regarding personal data processing that you need to consider:

Data minimization: Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Additionally, article 5 of the RGPD establishes that the person responsible for the treatment must ensure compliance with the principles relating to treatment, as well as being the figure responsible for proving it. Therefore, it is essential to adequately define the treatment activities and document the analyses carried out, as well as leave traceability of the same and the conclusions that support them in order to guarantee the proactive responsibility.”

Regarding the principle of the need to process personal data, it should be said that any data processing implies per se, and from the start, the restriction of the fundamental right, with the collection and disposal of the same by the responsible party who will operate with them.

According to jurisprudence, because the processing of personal data affects a series of fundamental rights, the limitation of the fundamental right to the protection of personal data should be the strictly necessary. This implies that if the intended purposes can be achieved without processing personal data, this route will be preferable and will mean that it is not necessary to carry out any data processing, so that such right, with the limitations that it entails, would not be at stake, as there is no data. The collection, storage and use constitute per se a limitation of the right to data protection, which must comply with the regulations. This therefore requires, first of all, analyzing and ensuring that the data collection is necessary for the established or intended purpose and that it is proportional.

This need must be justified in the compliance documentation that the responsible party must have in accordance with article 5.2 of the GDPR.
The necessity assessment must determine, on the basis of objective evidence and according to the purposes, whether such personal data is unavoidably required or whether the purpose can be fulfilled without processing that personal data. Also that the request for the data that you already have. The achievement of the legitimate objective pursued does not offer more advantages if personal data is used than if it is not used, and the data processing implies risks with the same, and ultimately an unjustified intrusion compared to the other option.

The necessity test for any limitation of the exercise of the right to protection of personal data must be strict, and data must be processed only in the strictly necessary cases, since in principle any data processing operation (such as the collection, storage, use or disclosure of data) established by the legislation limits the right to the protection of personal data, regardless of whether such limitation may be justified.

On the one hand, the record of treatment activity expressly includes the collection of the image, photograph, for two different, although connected, treatment operations. One materializes on each occasion that each leisure park is visited, seeking to verify identity with the photo and the data given, in order to avoid claims for damages by people who pose as them (although it does not explain the degree of importance or evidence of the alleged incidence that would make this type of collection essential). In fact, this detail explained by the defendant does not appear in the purpose of the treatment. The other taking or collection of the photo is assumed to be provided on only one occasion, and its purpose is knowledge of the rules of use of the facilities. Both are connected because the intention is to identify the person who accesses. When the ticket(s) are acquired on the web, you have to tick "I have read the privacy policy", which, on clicking, displays the information of that treatment activity, where it is indicated that "the photograph is registered to identify the user", without adding that this would be at the time of access, when it is requested. The information given should correspond to the moment and act in which it is going to take place and to the affected subject, also considering that the person who acquires the tickets may not be the end user of the activity, and that no reference is made to parents' data.

On the other hand, since the transfer of the claim, it is recognized that even though the taking of the photograph is foreseen, in fact in many cases it is not collected. Finally, after the initiation agreement, it was decided not to use the photo.

All this while, in addition, images are captured by the indoor video surveillance camera, directed, during the recording period, at the games area, for eventual events related to incidents that may imply responsibility in the use of the installation.

The collection of the image of the people who accessed the parks on each occasion, through photography, which was also stored, was done mainly because of the issue of damage claims and insurance; only then does the idea arise of avoiding impersonations or identifying who really intends to access, for the insurance of eventual accidents, in order to avoid possible impersonations, as can be deduced. This seems relevant in terms of the relationship with the intended purpose, which is not made explicit specifically in the activity register, since the control of the identity of the person would be accredited with the data given and, where appropriate, the display of the DNI, not the mere repetition of the number, and the taking of the photo is not appropriate, there also being the interior recording of images. When the same end can be achieved with other means or with those already available, it does not seem necessary to accumulate more data.
Limited to what is necessary, the taking of the photo for insurance reasons or proof of what happened, since the person accessing has been identified beforehand or can be identified, and there are already enough data that are considered adequate and relevant to identify the person who accesses.

The adequacy, relevance and limitation of the data are related, as indicated, to the purpose; article 5.1.b) of the RGPD indicates that they must be “collected for specific, explicit and legitimate purposes”.

Thus, for example, the treatment of acceptance of use of facilities: "with the purpose of reporting the correct use of the facilities and video recording for security purposes. The type of data collected being: Name and surname; Image; Signature." Being mere information, one might wonder whether a specific, differentiated treatment has to be carried out for this, or whether data need to be used for it. It could consist of a checkbox in the same section that is contained in the access record.

On the other hand, video recording has an information system with an informational poster in the establishment, and its purpose and basis of legitimation are not similar to those of access control or acceptance of mandatory standards.

Regarding the treatment of the registry for access to parks: the purpose is the registration of data for access to the enjoyment of the parks and registration of photography for identification of the user. The type of data collected is: Name and surname; Nif / DNI / Nie; Phones; Address; Image / voice; Email; Password; Passport number; Age. The relationship between access to and enjoyment of the park and the need to provide the rest of the data is not specified; the explicit purpose is too brief and generic, and the purpose of the treatment cannot be classified as a specific purpose.
Obviously, the non-collection of the photo must be reflected in the record of treatment activities so that it is updated, with the documented assessment of the reason that, where applicable, led to such a conclusion.

The covert purpose behind the taking of photographs for access is not contemplated in the purpose of the treatments, nor is it necessary or proportional.

It is accredited that the requirement to provide photos at the entrances to the park, each time they are visited and accessed, and the taking of photos to prove knowledge of the rules of use, do not constitute adequate, pertinent and relevant data in this case, which proves the infringement related to the processing of data in the cited context.

III

Article 83.5.a) of the RGPD refers to said infringement, and indicates:

"Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount:

a) the basic principles for the treatment, including the conditions for consent under the terms of articles 5, 6, 7 and 9;"

Article 58.2 b) of the RGPD provides the possibility of sanctioning with a warning, in relation to what is stated in Recital 148:

"In the event of a minor offense, or if the fine that is likely to be imposed constitutes a disproportionate burden for a natural person, instead of a fine a warning can be imposed.
However, special attention must be paid to the nature, severity and duration of the offense, to its intentional nature, to the measures taken to mitigate the damages suffered, to the degree of responsibility or any relevant previous infringement, to the way in which the supervisory authority has had knowledge of the infringement, to the fulfillment of measures ordered against the person responsible or in charge, to the adherence to codes of conduct and any other aggravating or mitigating circumstance."

In this case, considering the context in which the data is collected, a leisure activity, the absence of damages to the claimant, and that it has been chosen not to request or collect said photo, the penalty of warning is appropriate, as stated in the initiation agreement.

For the purposes of calculating the prescription, the LOPDGDD states in its article 72:

"1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and, in particular, the following:

a) The processing of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679."

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES:

FIRST: ADDRESS to URBAN PLANET ENTERTAINMENT S.L., with NIF B87223822, for an infringement of article 5.1.c) of the RGPD, in accordance with article 83.5 a) of the RGPD, and for the purposes of prescription, of article 72.1.a) of the LOPDGDD, a sanction of warning, in accordance with article 58.2.b) of the RGPD.

SECOND: NOTIFY this resolution to URBAN PLANET ENTERTAINMENT S.L.
THIRD: In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from the day following notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final administrative resolution may be provisionally suspended if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, it would terminate the precautionary suspension.
938-26102021

Mar España Martí
Director of the Spanish Agency for Data Protection

C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es