APDCAT (Catalonia) - PS 28/2021: Difference between revisions
(→Facts) |
(Hyperlinks added to GDPR and National Law provisions. Changed all DPA to APDCAT for consistency, and minor changes and corrections in wording.) |
||
Line 61: | Line 61: | ||
The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join. | The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join. | ||
The | The APDCAT verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis fro the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's web, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the APDCAT). | ||
This information was also included on the description of the group and on the information of the group. On the information of the group, the names, phone numbers and profile pictures of the participants could also be seen. | This information was also included on the description of the group and on the information of the group. On the information of the group, the names, phone numbers and profile pictures of the participants could also be seen. | ||
The city council claimed that they were using as a legal basis [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], i.e. processing is necessary for the performance of a task carried out in the public interest, since Article 25 of the Law regulating the Bases of the Local Administration Regime ( | The city council claimed that they were using as a legal basis [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]], i.e. processing is necessary for the performance of a task carried out in the public interest, since [https://www.boe.es/buscar/act.php?id=BOE-A-1985-5392 Article 25 of the Law regulating the Bases of the Local Administration Regime (Ley reguladora de las Bases del Régimen Local - LBRL)], that allows city council to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see names, phone numbers and profile pictures of other participants. However, the city council had already decided to continue informing their citizens rather via a WhatsApp broadcast list, instead of a group. | ||
The | The APDCAT considered [[Article 6 GDPR#1e|Article 6(1)(e) GDPR]] as a valid legal basis, as well as [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]], since participants had consented. | ||
=== Holding === | === Holding === | ||
Firstly, the | Firstly, the APDCAT determined that, when the group was created, the information required by [[Article 13 GDPR|Article 13 GDPR]] had not been provided. | ||
When such information was provided, two days after the creation of the group, | When such information was provided, two days after the creation of the group, some information required by [[Article 13 GDPR#2d|Article 13(2)(d) GDPR]] was still missing, specifically the the right to lodge a complaint with a supervisory authority, which in this case would be the APDCAT. | ||
Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by [[Article 12 GDPR#1|Article 12(1) GDPR]] | Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by [[Article 12 GDPR#1|Article 12(1) GDPR]]. The information was also not provided in an immediate manner as required by [https://www.boe.es/boe/dias/2018/12/06/pdfs/BOE-A-2018-16673.pdf Article 11 LOPDGDD (the Spanish Data Protection Act)], since the data subjects should not need to look for the information, but rather be able to know how and where to access it immediately. This was not the case, since data subjects were referred to the city council's website, without specifying where they could access the information. Also, some information was missing in the first layer of information. | ||
Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants. | Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants. | ||
During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from | During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from seeing the names, phone numbers and profile pictures of other participants. | ||
According to the | According to the APDCAT, the city council should have considered the data protection by design principle from [[Article 25 GDPR#1|Article 25(1) GDPR]], and should have realised that, since they should have prevented the participants from seeing the names, phone numbers and profile pictures of other participants, they should have refrained from using a WhatsApp group as an appropriate tool for these purposes. | ||
The city council claimed that they had stop using | The city council claimed that they had stop using the group, but the APDCAT verified that although the group was not active anymore, it still existed, and personal data could still be accessed. | ||
Therefore, according to the | Therefore, according to the APDCAT, the city council had violated [[Article 13 GDPR|Article 13 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. | ||
However, since the deficiencies regarding [[Article 13 GDPR|Article 13 GDPR]] were corrected before the end of the procedure, the | However, since the deficiencies regarding [[Article 13 GDPR|Article 13 GDPR]] were corrected before the end of the procedure, the APDCAT considered that no further action had to be taken in this respect. | ||
On the other hand, the | On the other hand, the APDCAT ordered the city council to delete the WhatsApp group and issued a reprimand for the violation of [[Article 13 GDPR|Article 13 GDPR]] and [[Article 25 GDPR#1|Article 25(1) GDPR]]. | ||
== Comment == | == Comment == |
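Review bot: three typos survive on the new side of this hunk even though the edit summary mentions corrections in wording. They are "the legal basis fro the processing" in the paragraph on what participants were told when joining, "specifically the the right to lodge a complaint" in the newly added Article 13(2)(d) sentence, and "had stop using the group" in the paragraph on the group still existing. Suggest "for", a single "the", and "had stopped using". The sentence that now links to the LBRL ("since [...] Article 25 of the Law [...], that allows city council to engage in institutional communication") also has no main verb after "since"; rewording it as "since Article 25 of the [...] LBRL allows city councils to engage in institutional communication" would fix it without touching the new hyperlink.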
Revision as of 16:27, 17 January 2022
APDCAT (Catalonia) - PS 28/2021 | |
---|---|
Authority: | APDCAT (Catalonia) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(f) GDPR, Article 13 GDPR, Article 25(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | 13.09.2021 |
Published: | |
Fine: | None |
Parties: | Ajuntament de Tiana |
National Case Number/Name: | PS 28/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Catalan, Valencian |
Original Source: | APDCAT (in CA) |
Initial Contributor: | Carmen Villarroel |
The Catalan DPA issued a reprimand to a city council for creating a WhatsApp group that allowed participants to see the names, phone numbers and profile pictures of other participants, without taking into account the data protection by design principle and without properly providing the information required by Article 13 GDPR.
English Summary
Facts
A data subject filed a complaint with the Catalan DPA (APDCAT) reporting that a City Council had created a WhatsApp group without gathering the explicit consent of the participants and without providing the information required by the GDPR, although a privacy policy was included in the description of the group two days later. The claimant alleged that the telephone numbers, names and images of the participants were visible to all of them.
The data subject had joined the group via a link that was shared through WhatsApp with a text that indicated that people would receive information related to the city council and that anyone could access the group through the following link if they wanted to join.
The APDCAT verified that, when joining the group, the participants were offered information about the identity of the controller, the legal basis for the processing, the data retention period, the possibility of exercising the data subject's rights, and a link to the city council's website, where one could exercise their rights or contact the DPO (although not about the possibility of filing a complaint with the APDCAT).
This information was also included in the description of the group and in the group information. In the group information, the names, phone numbers and profile pictures of the participants could also be seen.
The city council claimed that it was relying on Article 6(1)(e) GDPR as a legal basis, i.e. processing is necessary for the performance of a task carried out in the public interest, since Article 25 of the Law regulating the Bases of the Local Administration Regime (Ley reguladora de las Bases del Régimen Local - LBRL) allows city councils to engage in institutional communication with their citizens. According to the city council, participants were informed that participants in the group could see names, phone numbers and profile pictures of other participants. However, the city council had already decided to continue informing its citizens via a WhatsApp broadcast list instead of a group.
The APDCAT considered Article 6(1)(e) GDPR as a valid legal basis, as well as Article 6(1)(a) GDPR, since participants had consented.
Holding
Firstly, the APDCAT determined that, when the group was created, the information required by Article 13 GDPR had not been provided.
When such information was provided, two days after the creation of the group, some information required by Article 13(2)(d) GDPR was still missing, specifically the right to lodge a complaint with a supervisory authority, which in this case would be the APDCAT.
Additionally, the information provided could not be considered to be provided in a concise, transparent, intelligible and easily accessible form, as required by Article 12(1) GDPR. The information was also not provided in an immediate manner as required by Article 11 LOPDGDD (the Spanish Data Protection Act), since the data subjects should not need to look for the information, but rather be able to know how and where to access it immediately. This was not the case, since data subjects were referred to the city council's website, without specifying where they could access the information. Also, some information was missing in the first layer of information.
Also, when creating the group, the city council had not implemented appropriate technical or organisational measures to ensure the confidentiality of personal data, since all the participants could see the names, phone numbers and profile pictures of other participants.
During the allegations process, the city council admitted that they had created the group without foreseeing any measures in order to prevent the participants from seeing the names, phone numbers and profile pictures of other participants.
According to the APDCAT, the city council should have considered the data protection by design principle from Article 25(1) GDPR and should have realised that, since it had to prevent the participants from seeing the names, phone numbers and profile pictures of other participants, a WhatsApp group was not an appropriate tool for these purposes and it should have refrained from using one.
The city council claimed that it had stopped using the group, but the APDCAT verified that although the group was not active anymore, it still existed, and personal data could still be accessed.
Therefore, according to the APDCAT, the city council had violated Article 13 GDPR and Article 25(1) GDPR.
However, since the deficiencies regarding Article 13 GDPR were corrected before the end of the procedure, the APDCAT considered that no further action had to be taken in this respect.
On the other hand, the APDCAT ordered the city council to delete the WhatsApp group and issued a reprimand for the violation of Article 13 GDPR and Article 25(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Catalan, Valencian original. Please refer to the Catalan, Valencian original for more details.
PS 28/2021
Carrer Rosselló, 214, esc. A, 1st 1st 08008 Barcelona

File identification

Resolution of the sanctioning procedure no. PS 28/2021, referring to Tiana City Council.

Background

1. On 20/07/2020, the Catalan Data Protection Authority received a letter from a person filing a complaint against Tiana City Council for an alleged breach of personal data protection regulations. Specifically, the complainant stated that, on 13/07/2020, the City Council created a WhatsApp group to communicate information to the public and that access to the group was carried out without the explicit consent of the person concerned and without giving effect to the right to information in data collection. In the latter sense, the complainant stated that, on 15/07/2020 (two days after the creation of the group), the data protection policy was included in the description of the group. In turn, the complainant stated that the members of the WhatsApp group could see the phone number, name and profile pictures of the other members.

2. The Authority opened a prior information phase (IP No 212/2020), in accordance with Article 7 of Decree 278/1993, of 9 November, on the sanctioning procedure applicable to the areas of competence of the Generalitat, and Article 55.2 of Law 39/2015, of 1 October, on the common administrative procedure of administrations (hereinafter, LPAC), to determine whether the facts were likely to motivate the initiation of a sanctioning procedure, the identification of the person or persons who could be responsible and the relevant circumstances involved.

3. In this information phase, on 28/07/2020 the complainant was requested to provide the documentation indicated in the complaint, and to specify whether they had been added to the WhatsApp group that is the subject of the complaint or had accessed it through a link.

4.
On 28/07/2020, a letter was received from the complainant, who provided the requested documentation and stated that he had accessed the group through a link that was circulated via WhatsApp with the following content:

“Hello, I am the (...), Mayor of Tiana. I created this WhatsApp channel to share with the neighbors who want it municipal information that I think will be of interest to you and very useful. If you want to participate and agree to receive this information, just click here and it will open on your phone so you can sign up. https://chat.whatsapp.com/ (...) (...) This is a one-way channel of information; remember that if what you want is to contact Tiana City Council to send us any incident, question, query (or congratulation), you always have the municipal WhatsApp operational at 600 00 (...). Share this message with everyone you think may be interested in receiving this information from Tiana. Thank you so much and have a great day! (...), Mayor of Tiana (...)@tiana.cat”

Among the documents provided by the complainant were several screenshots of the WhatsApp group, from which it is found that the complainant joined the group on 14/07/2020, that the description of the group was modified on 15/07/2020 and that, also on 15/07/2020, the group was full. In turn, the complainant provided a copy of the letter from Tiana City Council of 16/07/2020 answering the questions she had asked on 15/07/2020 regarding the WhatsApp group and compliance with data protection regulations.

5. On 30/07/2020, also within this phase of prior information, the Inspection Area of the Authority carried out a series of checks on the Internet on the facts which are the subject of the complaint. Through the link provided by the complainant in his complaint (https://chat.whatsapp.com/ (...)
(...)), the WhatsApp group called "Tiana News" was accessed and, among other things, the following was found:

- That at the time of joining the group, information was provided about the identity of the person responsible for the processing, the legal basis, the purpose of the processing and the data retention period; on the possibility of exercising the rights of access, rectification, suppression, opposition and limitation; as well as a link to the City Council’s electronic headquarters (at http://tiana.eadministracio.cat) to exercise the rights or contact the Data Protection Officer (no information was given, however, on the right to file a complaint with the Catalan Data Protection Authority).
- That this same information was also included in the "Description of the group" section, which was visible at the top of the screen where the messages were displayed, as well as in the “Group Information” section.
- That through the "Group information" section, one could also access the mobile number and profile picture of all members of that WhatsApp group (257 at the time of the verification). That section also states that the group was created on 13/07/2020 at 6:35 p.m.

6. On 08/09/2020, still within this phase of prior information, the denounced entity was required to report, inter alia, on the legal basis that would legitimize the collection of data from people who had subscribed to the WhatsApp group; on how the right to information was made effective for the people who joined the group on 13/07/2020 and 14/07/2020 at the time of the collection of their data; and on what measures had been implemented to prevent members subscribed to the WhatsApp group from checking the mobile number and profile picture of the rest through the "Group Information" section.

7.
On 30/09/2020, Tiana City Council responded to the request in a letter stating the following:

- That, as indicated in the information clause that was included, the legal basis for the processing of the contact details of interested citizens is the fulfillment of a public interest mission. Specifically, the one that refers to the promotion and fulfillment of municipal powers in accordance with article 25 of Law 7/1985, of April 2, regulating the Bases of the Local Regime (hereinafter, LBRL); the purpose pursued is therefore the communication of institutional information to the citizens of the municipality.
- That the WhatsApp channel was created on 13/07/2020 and that it started to be operational on 15/07/2020, when the data protection information was provided.
- That the information note included states that the other members of the group could have access to contact details (picture, first and last name and phone number).
- However, a mailing list was generated so that citizens could continue to be informed and their data could not be viewed by other group members.

The accused entity attached various documents to the letter.

8. On 17/02/2021, the Inspection Area of the Authority tried to re-access the WhatsApp group “Tiana News” (via the link https://chat.whatsapp.com/ (...) (...)), noting that the group still consisted of 257 members and that it was not possible to join the group "because it's full."

9.
On 07/05/2021, the director of the Catalan Data Protection Authority agreed to initiate disciplinary proceedings against Tiana City Council for two alleged infringements: an infringement provided for in Article 83.5.b) in relation to Article 13, and another offense under Article 83.4 (a) in relation to Article 25; all of them from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2007 on the protection of individuals with regard to the processing of personal data and the free movement of such data (hereinafter, RGPD). This initiation agreement was notified to the imputed entity on 11/05/2021.

The initiation agreement set out the reasons why no charges were brought with respect to the alleged failure to obtain the explicit consent of the affected people when they joined the reported WhatsApp group. Specifically, the treatment was considered lawful as it was necessary for the fulfillment of a mission in the public interest (art. 6.1.e RGPD), and it could even be considered that the treatment was also based on the consent of the people affected (art. 6.1.a RGPD), which did not need to be explicit insofar as special categories of data were not being processed.

On 18/05/2021, Tiana City Council filed allegations against the initiation agreement.

10. On 02/07/2021, the person instructing this procedure filed a proposed resolution, by which it proposed that the director of the Catalan Data Protection Authority warn Tiana City Council as responsible, in the first place, for an infringement provided for in Article 83.5.b) in relation to Article 13; and secondly, for an infringement provided for in Article 83.4.a) in relation to Article 25.1, all of them of the RGPD.

This motion for a resolution was notified on 07/02/2021 and a period of 10 days was granted to make allegations.

11.
On 19/07/2021, the defendant filed a letter in which, without making any allegation on the merits of the alleged violation in the proposed resolution, it reported on the actions taken to comply with the requirement of corrective measures proposed by the instructor in the motion for a resolution.

Proven facts

1. On 13/07/2020, Tiana City Council created the WhatsApp group called "Tiana News" in order to communicate institutional information to citizens. At the time of collection of the data of persons who joined the said group before 15/07/2020 (date on which the City Council incorporated an information clause on data protection and on which the group was also full), the City Council did not provide all the information required by Article 13 of the RGPD. It only reported, through the message that contained the link to join the group, on the person in charge of the treatment and how to contact them (art. 13.1.a RGPD), as well as on the purpose of the treatment (part of the information provided for in art. 13.1.c RGPD).

2. Also in relation to the said WhatsApp group, Tiana City Council did not implement, either at the time of determining the means of treatment or at the time of the treatment itself, the appropriate technical and organizational measures to effectively implement the principle of confidentiality. Specifically, it was not guaranteed that people who joined the WhatsApp group created by the City Council could not access the mobile number, profile picture and username of other members.

Fundamentals of law

1. The provisions of the LPAC and Article 15 of Decree 278/1993 apply to this procedure, in accordance with the provisions of DT 2a of Law 32/2010, of 1 October, of the Catalan Data Protection Authority. In accordance with Articles 5 and 8 of Law 32/2010, the resolution of the sanctioning procedure corresponds to the director of the Catalan Data Protection Authority.

2.
As stated above, the defendant entity filed a letter dated 7/19/2021 to accredit the adoption of the corrective measures that the instructor proposed to require of the City Council in the motion for a resolution. In that letter, however, no allegations were formulated regarding the motion for a resolution. On the other hand, the accused entity did make allegations against the initiation agreement. In this regard, it is considered appropriate to reiterate below the most relevant parts of the reasoned answer given by the instructor to these allegations.

2.1. About the right to information.

In the 1st section of its allegations against the initiation agreement, the imputed entity stated that it provided certain information through the message transcribed in the 4th antecedent and through a tweet from the account of Tiana City Council, published on 07/09/2019, with the following content:

“Whatsapp to communicate through direct messages with the City Council. We'll move you to the appropriate area and give you one reply as soon as possible. Keep it in your address book: 600 00 (...) or wa.me/34600002233 #TianaIsCommunication”

Well, the transcribed tweet did not refer to the WhatsApp group that is the subject of the present sanctioning procedure, which was created on 13/07/2020 (one year after the tweet invoked).

That said, in the motion for a resolution it was accepted that the message transcribed in the 4th antecedent, which was circulated via WhatsApp and contained the link to join the “Tiana News” group, contained certain information about data processing, a circumstance which had already been set out in the Proven Facts section of the proposal and which has been maintained in this resolution.
Specifically, as indicated by the City Council in its allegations against the initiation agreement, the information provided for in Article 13.1.a) of the RGPD was provided, since the person signing the message was the mayor of Tiana and contact details were provided; and the point set out in Article 13.1.c) of the RGPD was partially reported, as it was stated that the purpose was to communicate municipal information (on the other hand, no information was provided on the legal basis, information also provided for in art. 13.1.c RGPD).

Therefore, it was considered whether the City Council provided the right to information in layers, in the terms provided for in Article 11 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD).

In this regard, when the City Council created the WhatsApp group mentioned on 13/07/2020 (and until 15/07/2020), it did not indicate an email address or other means that would allow the interested parties to have easy and immediate access to the rest of the information (art. 11.1 LOPDGDD); nor did it report on the possibility of exercising the rights established in articles 15 to 22 of the RGPD (art. 11.2.c LOPDGDD). In this last sense, it cannot be admitted, as the accused entity claimed, that the information on the exercise of the rights (art. 11.2.c LOPDGDD) can be understood as covered simply by providing a channel of communication.

Therefore, it should be concluded that until 15/07/2020, Tiana City Council did not provide the persons concerned with all the information required by Article 13 of the RGPD and, in particular, not even the basic information provided for in Article 11 of the LOPDGDD.
Based on the above, on 15/07/2020 (date on which the group was also full) the City Council included in the “Group Description” and “Group Information” sections a data protection clause, which was in line with Article 13 of the RGPD except for the fact that neither there, nor on the main page of the electronic headquarters to which it referred (http://tiana.eadministracio.cat), were the people affected informed of the possibility to lodge a complaint with this Authority (art. 13.2.d RGPD).

However, Tiana City Council stated in its allegations against the initiation agreement that this information was provided in a specific section of the headquarters and, in particular, in its “Privacy Policy” (https://tiana.eadministracio.cat/privacy), where information was given on the possibility of submitting a complaint to the Spanish Data Protection Agency (AEPD). Despite this, it admitted that this information was inaccurate, given that the supervisory authority competent to hear claims in this matter is the Catalan Data Protection Authority (APDCAT). It is worth noting, however, that the information on the competent supervisory authority with which to lodge a complaint has already been amended, as accredited by Tiana City Council.

On the other hand, Article 12.1 of the RGPD determines that the information indicated in Article 13 of the RGPD must be provided in a concise, transparent, intelligible and easily accessible manner. And Article 11.1 of the LOPDGDD states that, when the right to information is made effective in layers, the email address (or other means) which allows access to the rest of the information easily and immediately must be indicated in the 1st layer (or basic information).

In the present case, it could not be considered that access to the rest of the treatment information (2nd layer) was easy (art. 12.1 RGPD) or immediate (art. 11.1 LOPDGDD).
These requirements imply that the person concerned should not have to search for the information, but should be able to immediately recognize where and how to access other information about the processing of their personal data. That is, to comply with them, Tiana City Council had to provide the specific address where the affected person could consult the rest of the information on the treatment (https://tiana.eadministracio.cat/privacy), or at least report that its content could be accessed by selecting the “Privacy Policy” option from the bottom menu of the electronic headquarters. In turn, it should also be specified which of the two information clauses contained in the privacy policy concerns the processing of their data.

So, the mere reference to the main page of the electronic headquarters (http://tiana.eadministracio.cat), without specifying the specific email address where one could consult the rest of the information about the treatment (privacy policy), would not comply with the requirements set out in Articles 12.1 of the RGPD and 11.1 of the LOPDGDD, which have just been mentioned. That is why, in the motion for a resolution, and in the event that the data of the people included in said WhatsApp group continue to be processed with the purpose of communicating institutional information and the right to information is provided in layers, it was proposed to require the City Council to specify in the 1st layer the specific email address where the rest of the information about the treatment can be obtained.

Ultimately, the motion for a resolution considered that the allegations addressed in this section could not succeed, except for those relating to the information on the treatment contained in the message that contained the link to join the WhatsApp group and to the fact that from 15/07/2020 information was also provided concerning the submission of a complaint to the supervisory authority (art. 13.2.d RGPD), although the authority identified there was not competent.

2.2.
About data protection from design.

The accused entity then admitted in its allegations against the initiation agreement that it was aware that it had created a WhatsApp group without anticipating any security measure to prevent the data of the people involved from being accessible to other participants. However, it considered that the City Council could not prevent people who joined the WhatsApp group from being able to access the mobile number, profile picture and username of other members, “since any user of the WhatsApp Platform already knows that this fact will happen at the moment they access a distribution list”.

It should be noted that Tiana City Council did not create a dissemination or distribution list, as indicated in its statement of allegations, but a group in which it limited who could send messages and who could edit group information (only group administrators could do so).

Based on the above, and regardless of the operation of WhatsApp that the City Council detailed in its allegations against the initiation agreement, in compliance with the principle of data protection from the design (art. 25.1 RGPD), if it was aware that it could not guarantee the principle of confidentiality with the creation of a WhatsApp group to send institutional information, all it had to do was refrain from using that tool and look for others that do not violate this principle.

But even so, WhatsApp has an option to ensure the principle of confidentiality when one wants to send messages to multiple recipients or contacts. Indeed, if a mailing list is created, sent messages appear to each contact in the mailing list as an individual message, so that the people included in the mailing list do not know who the other members of the list are and therefore cannot access the data of other people.
On the other hand, the City Council argued in that letter of allegations that it had already adopted the corrective measures to correct the effects of the infringement addressed here. However, the WhatsApp group "Tiana News" was still active at the time the allegations before the initiation agreement were written, and it was still possible to access the mobile number, profile photo and username of the other members of the group.

3. In relation to the facts described in point 1 of the section on proven facts, it is necessary to go to paragraphs 1 and 2 of Article 13 of the RGPD, which set out the information to be provided when personal data is obtained from the person concerned:

“1. When personal data concerning him are obtained from an interested party, the person responsible for the treatment shall, at the time they are obtained, provide all of the following information:
(a) the identity and contact details of the person responsible and, where applicable, of his/her representative;
(b) the contact details of the data protection officer, if any;
(c) the purposes of the processing for which the personal data are intended and the legal basis of the treatment;
(d) where the treatment is based on Article 6(1)(f), the legitimate interests of the controller or of a third party;
(e) the recipients or categories of recipients of the personal data, where applicable;
(f) where applicable, the intention of the controller to transfer personal data to a third country or international organization and the existence or absence of a Commission adequacy decision, or, in the case of transfers referred to in Articles 46 or 47 or Article 49(1), second subparagraph, reference to the adequate or appropriate safeguards and the means to obtain a copy of these or the fact that they have been made available.

2. In addition to the information referred to in paragraph 1, the person responsible for the treatment shall provide the interested party, at the time the personal data are obtained, with the following information necessary to ensure fair and transparent data processing:
(a) the period during which the personal data will be kept or, when that is not possible, the criteria used to determine this period;
(b) the existence of the right to request from the controller access to the personal data relating to the data subject, and their rectification or erasure, or the limitation of their treatment, or to oppose the treatment, as well as the right to data portability;
(c) where the treatment is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of the treatment based on consent before its withdrawal;
(d) the right to lodge a complaint with a supervisory authority;
(e) whether the communication of personal data is a legal or contractual requirement, or a requirement necessary to enter into a contract, and whether the interested party is obliged to provide the personal data and is informed of the possible consequences of not providing such data;
(f) the existence of automated decisions, including profiling, referred to in Article 22(1) and (4) and, at least in such cases, significant information on the logic applied, as well as the importance and the intended consequences of such treatment for the person concerned.”

For their part, paragraphs 1 and 2 of Article 11 of the LOPDGDD, concerning the transparency and information of the affected party, provide that:

“1. When personal data is obtained from the data subject, the person responsible for the treatment may comply with the duty of information set out in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the next section and indicating an email address or other means that allows easy and immediate access to the rest of the information.

2.
The basic information referred to in the preceding paragraph shall contain, at least:
a) The identity of the controller and of his representative, if applicable.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in Articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the affected party must be processed for the preparation of profiles, the basic information must also include this circumstance. In this case, the data subject must be informed of his/her right to object to the adoption of automated individual decisions that produce legal effects on him or significantly affect him in a similar way, when this right is granted in accordance with the provisions of Article 22 of Regulation (EU) 2016/679.”

The fact described in point 1 of the section of proven facts has been duly substantiated during the processing of this procedure, and constitutes the infraction provided for in Article 83.5.b) of the RGPD, which classifies as such the violation of “the rights of those concerned under Articles 12 to 22”, including the right to information provided for in Article 13 of the RGPD.

The conduct addressed herein has been classified as a minor infringement in Article 74(a) of the LOPDGDD, as follows:

“A) Failure to comply with the principle of transparency of information or the right to information of the affected party by not providing all the information required by Articles 13 and 14 of Regulation (EU) 2016/679.”

4.
With regard to the fact described in point 2 of the section on proven facts, relating to the protection of data from the design, it is necessary to go to Article 25.1 of the RGPD, which establishes the following:

“1. Considering the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and severity that the treatment poses for the rights and freedoms of individuals, the controller will apply, both when determining the means of treatment and at the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the data protection principles, such as data minimization, and integrate the necessary guarantees in the treatment, in order to comply with the requirements of this Regulation and to protect the rights of interested parties.”

In accordance with the above, the fact set out in point 2 of the section on proven facts constitutes the infringement provided for in Article 83.4.a) of the RGPD, which classifies as such the violation of “the obligations of the controller and the processor under Articles 8, 11, 25 to 39, 42 and 43”, among which is the protection of data from the design (art. 25.1 RGPD).

The conduct addressed herein has been classified as a serious infringement in Article 73.d) of the LOPDGDD, as follows:

“D) Failure to adopt the technical and organizational measures appropriate to effectively apply the principles of data protection from the design, as well as the non-integration of the necessary guarantees in the treatment, in the terms required by Article 25 of Regulation (EU) 2016/679.”

5. Article 77.2 LOPDGDD provides that, in the case of infringements committed by the controllers or processors listed in art. 77.1 LOPDGDD, the competent data protection authority:

"(...)
must issue a resolution sanctioning them with a reprimand. The resolution must also set out the appropriate measures to be taken to cease the conduct or correct the effects of the infringement that has been committed. The decision must be notified to the controller or processor, to the body on which it depends hierarchically, if any, and to those affected who have the status of interested party, if any."

In terms similar to the LOPDGDD, Article 21.2 of Law 32/2010 determines the following:

“2. In the case of infringements committed in relation to publicly owned files, the director of the Catalan Data Protection Authority must issue a resolution declaring the infringement and establishing the measures to be taken to correct its effects. In addition, the director may propose, as appropriate, the initiation of disciplinary action in accordance with current legislation on the disciplinary regime of the personnel in the service of the public administrations. This decision must be notified to the person responsible for the file or the processing, to the person in charge of the processing, if applicable, to the body on which they depend and to the people affected, if any.”

As announced, on 07/19/2021 Tiana City Council submitted a brief in which it reports on the actions carried out in relation to the corrective measures that the instructor proposed to require in the motion for a resolution. Among other things, the City Council states that it has modified the information provided to the affected persons through the electronic headquarters regarding the authority before which they have the right to file a complaint (the APDCAT), which has been verified. Consequently, in view of this action by Tiana City Council, it is not necessary to maintain the requirement of corrective measures proposed in this regard by the instructing person in the motion for a resolution.
On the other hand, and as far as it is concerned here, the City Council also reports that it has proceeded to delete the WhatsApp group "Tiana News". However, it is known that this group has not been deleted, but has been left inactive. Specifically, this Authority is aware that on 09/07/2021 a message was posted to the said group indicating that it remained inactive and that on 29/07/2021 (20 days later) there were still 142 members in the group, so it was still possible to access the mobile number, profile picture and username of these group members.

Given the above, although it is appropriate to positively assess the will of Tiana City Council to correct the effects of the infringement before the issuance of this resolution, it is necessary to require it, as soon as possible and in any case within a maximum period of 10 days from the day after notification of this resolution, to delete the WhatsApp group “News Tiana” created on 07/13/2020 or, if it is left inactive, to take the relevant measures so that group members cannot access the personal data of others. Once the described corrective action has been taken within the specified period, Tiana City Council must inform the Authority within the following 10 days, without prejudice to this Authority's power of inspection to carry out the corresponding verifications.

For all this, I resolve:

1. To warn the City Council of Tiana as responsible for two infractions: one infraction provided for in Article 83.5.b) in relation to Article 13; and another infraction provided for in Article 83.4.a) in relation to Article 25.1; all of them of the RGPD.
2. To request the City Council of Tiana to adopt the corrective measure indicated in the 5th basis of law and to accredit before this Authority the actions carried out to comply with it.
3. Notify Tiana City Council of this resolution.
4.
Communicate the resolution to the Catalan Ombudsman, in accordance with the provisions of Article 77.5 of the LOPDGDD.
5. Order that this resolution be published on the Authority’s website (apdcat.gencat.cat), in accordance with Article 17 of Law 32/2010, of 1 October.

Against this resolution, which terminates the administrative procedure in accordance with Articles 26.2 of Law 32/2010, of 1 October, of the Catalan Data Protection Authority, and 14.3 of Decree 48/2003, of 20 February, approving the Statute of the Catalan Agency for Data Protection, the accused entity may file, on an optional basis, an appeal for reconsideration before the director of the Catalan Data Protection Authority, within one month from the day after its notification, in accordance with the provisions of Article 123 et seq. of the LPAC. It may also lodge a contentious-administrative appeal directly before the contentious-administrative courts, within two months from the day after its notification, in accordance with Articles 8, 14 and 46 of Law 29/1998, of 13 July, regulating the contentious-administrative jurisdiction.

If the accused entity declares to the Authority its intention to lodge a contentious-administrative appeal against the final administrative resolution, the resolution will be suspended as a precaution in the terms provided for in Article 90.3 of the LPAC.

Likewise, the accused entity may file any other appeal it deems appropriate to defend its interests.

The director,