AEPD (Spain) - PS/00078/2021: Difference between revisions
No edit summary |
No edit summary |
||
Line 54: | Line 54: | ||
}} | }} | ||
The Spanish DPA issued a a €30,000 fine against a hotel for a violation of [[Article 6 GDPR|Article 6 GDPR]] by a | The Spanish DPA issued a a €30,000 fine against a hotel for a violation of [[Article 6 GDPR|Article 6 GDPR]] by scanning a data subject's passport and processing their photograph without a valid legal basis. | ||
== English Summary == | == English Summary == |
Revision as of 12:35, 9 March 2022
AEPD (Spain) - PS/00078/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR Article 6 GDPR Article 6(1)(f) GDPR Ley Orgánica 4/2015 de protección de la seguridad ciudadana. |
Type: | Complaint |
Outcome: | Upheld |
Started: | 08.01.2019 |
Decided: | |
Published: | 25.02.2022 |
Fine: | 30,000 EUR |
Parties: | Marins Playa S.A. |
National Case Number/Name: | PS/00078/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Cesar Manso-Sayao |
The Spanish DPA issued a a €30,000 fine against a hotel for a violation of Article 6 GDPR by scanning a data subject's passport and processing their photograph without a valid legal basis.
English Summary
Facts
This case was initiated by a complaint filed with the Dutch DPA (Autoriteit Persoonsgegevens –AP) by a Dutch data subject against Marins Playa S.A., a hotel in Spain.
According to the data subject, when checking-in to the hotel, their passport was scanned as part of its registration process despite their objection. According to the data subject, the passport scan included more personal data than what was required for this purpose. The data subjected stated that the hotel employee which performed the registration process, claimed that this scan was performed in order to comply with local police force requirements.
The AP remitted this complaint to the Spanish DPA (AEPD), which is the competent lead DPA under Article 56 GDPR, due to the fact that the hotel’s main establishment is in Spain. When remitting their case to the AEPD, the AP asked if indeed national law required the passport scan, or if only some of the data contained in it was necessary for the hotel registration process.
The Spanish DPA initiated proceedings, and asked the hotel to inform them of its processing operations in this case. The hotel stated that the scan is made to generate text information through Optical Character Recognition (OCR), which is then introduced in the relevant fields in their hotel management software. According to the hotel, the only page scanned is the one in which the relevant data appear, which is comprised of the data subject’s passport number, issue and expiration date, name, sex, birth date and nationality, as well as the photograph. The hotel admitted that there is no specific requirement from the police force to scan the document, only to remit the information in the required fields.
According to the hotel, the scanned passport picture is used to verify the guest’s identity when using the magnetic card provided by the hotel for purchasing consumption items within its premises. The employee verifies the guest’s identity with the scanned photograph which appears in the employee’s tablet (using the hotel’s management software), to avoid fraudulent charges by third parties on the guest’s card.
The AEPD initially held that the processing of the information generated by the OCR was lawful under Article 6(1)(c) GDPR, according to the hotel’s obligations under national law. Specifically, the Spanish Law for the Protection of Citizens’ Safety (Ley Orgánica 4/2015 de protección de la seguridad ciudadana) imposes certain guest registration obligations on lodging establishments. The AEPD also held that the hotel had a legitimate interest under Article 6(1)(f) GDPR to verify the card user's identity in order to prevent fraudulent purchases within its establishment. Based on this considerations, the AEPD issued a draft decision dismissing the case.
However, the AP objected to the dismissal of the case, pointing out to the AEPD that in order to base this processing on a legitimate interest, the necessity and proportionality of the processing should be evaluated, specifically if there are reasonable and less intrusive ways to verify this information, also taking into consideration the data minimisation principle under Article 5(1)(c) GDPR.
According to the AP, less intrusive methods the hotel could use, would be to establish some verification security questions (such as name and room number), or to ask for a signature when consumption items are charged to the magnetic card. In case the card is lost, the card could be blocked to prevent fraudulent use. The AP noted that these methods require a minimum amount of data to achieve the same purpose, and are common practice in the majority of hotels. Additionally, the AP stated that the data in a scanned passport also includes special categories of data under Article 9 GDPR, and that no legal basis under this provision has been established by the hotel. Lastly, the AP highlighted that the passport scan could be used for identity theft and fraud by the hotel employees who have access to that data, so it does not seem like a proportional measure in order to prevent fraudulent charges on the guest’s card.
Based on these objections by the AP, the AEPD decided to reassess the case. The hotel responded to these points stating that employees which verify the guest’s identity for consumption only have access to their name and photograph on their software, not the actual scanned page of the passport. The hotel now claimed (as the AEPD had initially held in its draft decision) to have a legitimate interest in using the photography for verification purposes in order to prevent fraudulent charges on the guest’s magnetic card. Moreover, the hotel stated that the employees who have access to the guest’s personal data have signed a confidentiality agreement, and that it has implemented additional measures to make the processing is compliant with GDPR in this sense. Lastly, the hotel manifested that it did not process any special categories of personal data under Article 9 GDPR, since no biometric templates or facial recognition techniques are applied to the passport scan.
Holding
In their reassessment of the case, the AEPD established that the hotel had proved that the scanning of the passport just captures the required fields using OCR, as well as the photograph, and it does not retain a copy of the passport page itself.
Regarding the data processed through OCR to fill in the relevant fields in the registration process, the AEPD held that the hotel had a legal basis to process this data under Article 6(1)(b) GDPR for the performance of a contract, and reiterated what it had previously established regarding Article 6(1)(c) GDPR, in the sense that this processing was necessary to comply with a legal obligation under national law.
However, the AEPD held that the hotel did not have a legal basis to process the data subject's photography in order to verify the data subject’s identity, highlighting the fact that the hotel’s privacy policy did not mention that the photography would be used for these purposes, nor did it mention that it had a legitimate interest in doing so.
According to the AEPD, under Recital 47 GDPR, a legitimate interest to process this data would require pondering the processing activities and its purposes. The AEPD held that there was no proof that the hotel had pondered the necessity and proportionality of those processing activities, and that it had failed to inform the data subjects that legitimate interest was the legal basis for processing their photograph.
The AEPD noted that a proportionality test implies that the processing is: adequate to satisfy the legitimate interest; necessary, in the sense that there are no less intrusive means to satisfy it; and proportional, by evaluating the processing’s beneficial and detrimental aspects. The AEPD also highlighted that the data minimisation principle under Article 5(1)(c) GDPR should be observed in these cases, in order to assess that the data subject’s rights or freedoms do not prevail with regard to that legitimate interest. Considering that the data subject was unaware of the purposes or legal basis for this processing, the AEPD held that this processing was excessive, also taking into account the arguments established by the AP regarding less intrusive means to achieve the processing’s purpose.
Finally, the AEPD stated that there was no proof that the hotel had implemented additional safeguards, such as the possibility to grant a data subject’s objection to the processing, or establishing it as a voluntary option.
Based on these considerations, the AEPD issued a €30,000 fine on Marins Playa S.A. hotel for an infringement of Article 6 GDPR by lacking a lawful legal basis for the processing of the data subject’s scanned passport, and ordered them to adopt the necessary measures to ensure their processing activities comply with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/36 File No.: PS/00078/2021 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: Dated 01/08/2019, through the “Market Information System Interior” (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between the Member States and the exchange of information, was received in this Spanish Agency for Data Protection (AEPD) a claim made by A.A.A. (hereinafter the claimant), a Dutch citizen, before the authority of Netherlands data protection (Autoriteit Persoonsgegevens -AP). The transfer of This claim to the AEPD is made in accordance with the provisions of article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (as successive General Data Protection Regulation or RGPD), taking into account its cross-border nature and that this Agency is competent to act as main controlling authority. The aforementioned claim is made against the entity MARINS PLAYA, S.A. (in hereinafter MARINS PLAYA or claimed entity), with registered office in Spain, for the following reasons: The claimant indicates that in the hotel registration process they asked for his passport, which was digitally scanned, despite his opposition. The client objects to said document was completely scanned, alleging that not all the data included in it are necessary, to which the hotel employee replied that said scanning was carried out following instructions from the police. On the other hand, He claims to have seen the hotel employees with the passport photo on their tablets. In relation to the issue raised by the complainant, the referring authority He asked if the Spanish law really obliges to scan the passport completely or only some information is necessary to complete the registration process. According to the information included in the IMI System, in accordance with the established in article 60 of the RGPD, have declared themselves interested in this procedure the supervisory authority that has communicated the case (the Netherlands). SECOND: In view of the exposed facts, the Subdirectorate General of Inspection of Data proceeded to carry out actions for its clarification, under the protection of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/36 investigative powers granted to the control authorities in article 57.1 of the GDPR. Within the framework of these actions, a request was addressed to the entity claimed, which reported the following: 1. Upon check-in, the client's passport is scanned in order to to pass the image to text for the incorporation of the fields corresponding to the hotel management program 2. Only the page on which the ID is found is scanned. client: the identification data of the traveler, including the number, type and date of issue of the identity document presented, name and surnames, sex, date and country of birth, as well as photography. 3. There are no specific instructions from the Security Forces and Bodies of the State on the copying of the aforementioned document, except those related to the telematic delivery of the information. 4. The information is also used, accounting, to generate the corresponding invoices; can only be accessed by administrative staff accounting. 5. When the client registers, he is provided with a magnetic card that allows, in addition to access to the room, the payment of consumption charged to your account to be paid at the end of your stay; at the time of consumption, the customer provides this card to the employee, who, by swiping it to make the charge, can check passport photo. This is to verify the identity of the customer, in order to prevent fraudulent use of the card by third parties and prevent cause serious economic damage to the customer. You can only see the photo employee who collects, on the POS tablet. 6. The applicable regulations for the identification of clients in the registration process or registration in the hotel is the Organic Law 4/2015, of March 30, on the protection of citizen security and Order INT/1922/2003 of July 3. THIRD: After reviewing the answers obtained during the previous phase of investigation, outlined in the previous Fact, this Agency considered that the processing of personal data object of the claim is legitimized by article 6.1.c) of the RGPD and is proportionate and necessary in accordance with the established in article 24 of the aforementioned Organic Law 4/2015, which provides in its First section: “The natural or legal persons who carry out relevant activities for citizen security, such as lodging… will be subject to the obligations of documentary registration and information in the terms established by the applicable provisions”. And that is detailed in the aforementioned Order (Order INT/1922/2003 of July 3). On the other hand, it was taken into account that the facts denounced were not verified. referred to the scanning of all the pages of the passport. Second, it was concluded that the processing of personal data consisting of the use of the photograph obtained from the passport in order to verify identity of the client in the consumptions that he makes, when making charges in the account of a room, and prevent fraudulent use of the hotel card by third parties other than the user of the service, is legitimized in article 6.1.f) of the RGPD, since there is a legitimate interest on the part of the hotel in charging the true user of the service and for the customer, since the cards are prevented from being used fraudulently and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/36 charge the account of a client the consumption made by others. Consequently, having clarified the doubts raised, it was considered that there were no indications of infraction, for which, on 09/28/2020, a Project of File resolution of the claim (Draft decision). FOURTH: On 11/10/2020, the Draft Decision was incorporated into the IMI System so that the interested authorities could express themselves in this regard. At the end of the established period, the Dutch data protection authority (Autoriteit Persoonsgegevens - AP). Regarding the facts, said supervisory authority warns that the claimant stated that the hotel staff had on their device the complete copy of your passport (first page), including your photo, and that this differs slightly from what indicated in the Draft Decision, although it does not change the evaluation carried out on the same. The AP admits that the processing of personal data collected in the passport (number, type and date of issue of the identity document presented, name and surnames, sex and the date and country of birth, as well as the photograph) is necessary for compliance with national legislation and, therefore, lawful in accordance with the article 6.1.c) of the RGPD, but questions the processing of said personal data in under the provisions of article 6.1.f) of the same RGPD, due to the existence of a legitimate interest of the responsible hotel in avoiding the fraudulent use of the card that provides to customers, which is used to make consumption in the facilities and also as a room key; and also of the client, since it prevents the cards are used fraudulently and you are charged for consumption made by others. Regarding this processing of personal data based on legitimate interest, the AP to the requirement of necessity, which requires assessing proportionality and subsidiarity of the treatment, verifying that such interests cannot be reasonably achieved effectively by other means less restrictive of the rights and freedoms of the interested parties, in particular the rights to respect for life privacy and the protection of personal data guaranteed by articles 7 and 8 of the letter. And it adds that the Court of Justice of the European Union declared, in addition, that the requirement relating to the need for treatment should be examined, together, with the principle of "minimization of data" enshrined in article 5.1.c) of the GDPR. In this case, the AP notes, there are other, less intrusive ways to check if the magnetic card holder is the legitimate card holder at the time of payment and, thus, prevent said cards from being used fraudulently. As an example of these less intrusive actions, it indicates the possibility that the employee of the hotel, when some consumption occurs, consult some data of control the customer, such as last name or room number, to verify if it matches with the legitimate cardholder; or require the signing of a receipt for consumption, which it also acts as a barrier for third parties. In case of loss of the card, it can be blocked to prevent fraudulent use C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/36 The combination of the above scenarios requires a minimum amount of additional data processing, is less intrusive, and conforms to the principle of data minimization. Even so, they make it possible to achieve the interests pursued with common practices in most hotels. Against this, the additional efficiency provided by the use of the personal data of the passport to prevent fraud does not overcome the invasion of data protection. You understand that this data may be used for identity fraud in the event of a data breach or abuse by hotel employees who have access to the same, so that their use is not considered proportionate to avoid possible fraud in the payment of hotel services. According to the AP, the treatment of all this data is contrary to the principle of data minimization in accordance with article 5.1.c. of the RGPD, since the treatment of only a name and room number is sufficient to minimize fraud effectively. Also, some of the data categories above mentioned may be considered special categories of personal data of in accordance with article 9 of the RGPD, without any application of the exceptions of article 9.2 of the RGPD. In short, the AP does not share that the use of passport data is allowed under article 6.1.f of the RGPD in the indicated circumstances. This could lead to the use of passport data by many hotels and service providers similar, to a broader use that could give rise to identity fraud in cases of data breaches or abuse by hotel employees who have access to them, so that, given the risk to freedoms and expressed rights, does not consider its use proportionate to avoid possible fraud in the payment of hotel services. If a hotel wants to process passport data for identity verification purposes of clients during their stay, adds the AP, the hotel must invoke another reason for the article 6 of the RGPD, such as consent, or return to the most common practice, such as has been described above. FIFTH: On 05/11/2021, by the General Subdirectorate for Data Inspection You can access the information available on the MARINS PLAYA entity in “Axesor”. (...). The aforementioned entity is registered in the economic activity code corresponding to "Hotels and similar accommodation". (...). SIXTH: On 06/03/2021, in accordance with the provisions of article 64 of the LOPDGDD, sections 2 (third paragraph) and 3, draft agreement to start sanctioning procedure, motivated by the claim received through the IMI system that is outlined in the First Precedent. This project takes consideration the objections outlined in the Fourth Precedent (draft of revised decision). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/36 Following the procedure established in article 60 of the RGPD, dated 06/25/2021, the aforementioned project to open the sanctioning procedure was transmitted via the IMI System to the supervisory authority concerned, making it know that if no objections are raised within two weeks from the consultation, the mandatory agreement to open the procedure would be adopted sanctioning The control authority concerned did not raise any objection to the draft agreement of opening of sanctioning procedure adopted by the AEPD, understanding, by So much so that there is agreement on it. In accordance with the provisions of article 64 of the LOPDGDD, the draft agreement to initiate the aforementioned sanctioning procedure was notified to the entity claimed. SEVENTH: On 06/15/2021, this Agency received a brief presented by the claimed entity in which it requests the file of the actions in accordance with the following considerations: 1. Describes the procedure followed in the processing of personal data of a client from his arrival at the hotel, indicating that the documentation is requested proof of the identity of all people over 16 years of age who are staying at your facility, which undergoes a scanning process for the process of registry, which completes the data collection form without saving in the systems computers the image of the document. It is an optical character recognition known by the acronym OCR (“Optical Character Recognition”), which enables the digitization of texts (the process automatically identifies the characters of a certain alphabet and stores them in data form). According to the claim, this process only applies to the page of the document in which the traveler is identified, collecting personal data relating to the number, type and date of issue of the document in question (DNI, passport, driving license, residence permit or identity card), name, surname, gender, date and country of birth, as well as the photograph. Next, collect the traveler's signature in digital format, through a Tablet, in which information is given about the personal data protection regulations; and a card is provided access to the rooms, also used for the use of hotel services. The data is processed by the administration and services staff (bar and dining room) for the payment of consumption. In addition, they are referred to the Forces and State Security Bodies, in compliance with security regulations citizen. 2. He denies that the hotel staff had on his device the complete copy of the first page of the claimant's passport, since the only data that appears in the devices used by bar and dining room staff with access to POS are the room number, date of departure, name and surname of the traveler, photograph and accommodation regime, necessary to carry out the maintenance, development and negotiation control, legitimizer of the treatment. In this regard, it highlights that, of the data available on those devices, only the name, surnames and photograph C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/36 are taken from check-in). 3. Taking into account the data used to control consumption and avoid the fraudulent use of the facilities, does not understand the claim that is questions the legitimate interest, especially when the Agency itself admits the treatment of personal data collected in the passport for the fulfillment of national legislation, considering it lawful in accordance with article 6.1.c) of the GDPR. On the least intrusive ways to identify the client referred to in the opening agreement, points out that verbally requesting the room number or the surname is insufficient and does not prevent another person from hearing these data and using them; the same as the signing of a receipt, which the employee could not check. It adds that for these reasons photography was included in the digital systems of the bar and dining room staff, as a means of authentication, even when the customer is not is in possession of the card due to forgetfulness, loss or theft. Regarding the risks in case of a possible data breach, it warns that it has implemented the mechanisms established in the RGPD and that the employees have signed a confidentiality agreement. 4. The claimed party does not treat special categories of personal data in any moment. On this matter, he states that the client's image is only a photograph from which biometric templates are not extracted or used to facial recognition or other specific means. Therefore, in his opinion, the treatment he makes of obtaining the photograph he takes does not fit the concept of treatment of special categories of data (Considering 51 and article 4.15 of the GDPR). Consequently, the claimed entity concludes that the processing of the data used to authenticate the identity of the person making an expense does not violate the provided in article 6.1.f) of the RGPD, as it is necessary for the satisfaction of legitimate interests pursued by the data controller (avoid damages and lawsuits for improper charges), as well as the interested party (avoid improper charges). Provides a photograph in which you can see the detail of the information available in the devices of the hotel staff on a specific person: in the section “Reservation data” includes the room number, reservation number, number of people and date of departure; in the section “Components of the reservation” it is indicated the name and surname of the person, status, type of VIP and number of visits, in addition of the client's photograph. EIGHTH: On 07/19/2021, the Director of the Spanish Protection Agency of Data agreed to initiate sanctioning proceedings against the entity MARINS PLAYA, with in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged infringement of article 6 of the RGPD, typified in article 83.5.a) of the same Regulation, and classified as very serious for prescription purposes in article 72.1.b) of the LOPDGDD; determining that the sanction that could correspond, considering the evidence existing at the time of opening and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/36 without prejudice to what results from the instruction, it would amount to a total of 30,000 euros (thirty thousand euros). In the same agreement to open the procedure, it was noted that the infringement charged, if confirmed, may lead to the imposition of measures, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD. NINTH: Having been notified of the aforementioned initiation agreement, the respondent submitted a written dated 07/22/2021, in which it again requests the file of the procedure sanctioning In this new letter, he literally reproduces his previous allegations, which include outlined in the Seventh Antecedent. It only adds that Recital 47 of the RGPD admits the processing of personal data necessary for the prevention of fraud based on the legitimate interest of the person in charge and that is considered fraud a economic deception carried out with the intention of making a profit, and with the which someone is harmed. TENTH: On 08/24/2021, the instructor of the procedure agreed to open a period of practice of evidence, considering reproduced for evidentiary purposes the claim filed, the documents obtained and generated by the Subdirectorate General Data Inspection and Inspection Services, and the Report of Previous Inspection Actions that are part of file E/01088/2019; and for submitting the allegations made by MARINS PLAYA and the documentation that accompanies them. Likewise, it was agreed to require the entity the entity claimed to provide the following information and/or documentation: “a) Copy of the record of all the activities of treatment of personal data of clients carried out under the responsibility of MARINS PLAYA. This register, to which the Article 30 of the RGPD, must be provided in its initial version, together with any additions, modification or exclusion in the content of the same. b) If you have them, a copy of the assessment(s) of the impact on data protection related to any type of personal data processing operations of clients made under the responsibility of MARINS PLAYA that involve a high risk for the rights and freedoms of natural persons. The initial version of this/these impact assessment(s) must be provided and, if applicable, the details of the modifications or updates that may have been made. Likewise, if there has been a change in the risk represented by the operations of treatment and if deemed necessary, you must provide the result of the examination that MARINS PLAYA has been able to carry out to determine if the treatment is in accordance with the impact assessment related to data protection (article 35.11 of the RGPD). c) Copy of the documents in which the evaluation carried out on the prevalence or not of the interests and fundamental rights of customers against the interests of MARINS PLAYA, in relation to customer personal data processing operations carried out under the responsibility of MARINS PLAYA with which satisfaction is intended of legitimate interests pursued by the MARINS PLAYA entity itself or by a third party. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/36 d) Copy of the information on data protection (privacy policy) provided through any channel to the clients of that entity, in its current version and versions previous ones in force as of 05/25/2018, where appropriate, with an indication of the period of validity of each version. If there were addenda or variations, or other privacy notices or additional information, regarding the processing of personal data, a copy of all documents is requested employees to report on the protection of personal data other than the privacy policy Privacy. e) Detail of the channels and procedures enabled to make known to its clients all the information regarding the protection of personal data (privacy policy or any another document). f) Information regarding the channels, mechanisms and methodology used by that entity to obtain the acceptance by its clients of the privacy policy or any other document used by that entity to report on data protection personal; as well as for the provision of the consents provided for in such documents, in your case. g) Screen prints corresponding to all the information that is registered in your information system related to the claimant in the sanctioning file of reference. h) Details of the computer program used by that entity to collect the data of customers by scanning documents and converting them to text”. In response to this request, this Agency received a letter from the respondent accompanied by the documentation indicated below. In this writing, said entity stated that it could not provide the impressions of the bar and dining room tablets with the claimant information available on these devices because This information is deleted at the time the client checks out, nor the Wi-Fi accesses, where appropriate, which are deleted after twelve months (Law 25/2007). From the content of the documentation provided, the following should be noted: 1. Registration of customer personal data processing activities. . Purpose: accounting, fiscal and administrative management; . Category of interested parties: clients and users; . Types of data: DNI or NIF, name and surnames, postal or electronic address, telephone, image and manual signature; . Other types of data: personal characteristics, social circumstances, information commercial, transactions of goods and services; . Transfers: Security Forces and Bodies. . Access to equipment: it is accessed through a personalized username and password. 2. Risk analysis on the treatment of personal data of clients. After analyzing the data structure, regulatory compliance, the organization and resources, as well as security by design and by default, it is concluded that "there is no there are risks in the resources used”. 3. Information on data protection (privacy policy) provided to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/36 through the website of the claimed entity. a) Provide a copy of the "Registration Sheet", which includes a section on the establishment and another to the "traveler data" (identity document number, type of document and date of issue, name, surname, gender, date of birth, country of nationality, date of entry and traveler's signature). This sheet" includes an informative legend on the protection of personal data that details, among other aspects, the identity of the person in charge, the purpose for which the data will be processed, the non-existence of data communications except for legal obligation, the rights of the interested party, mode of exercise and possibility of file a claim with the AEPD. An update of this "Registration Sheet" (2019) is attached, which contains a new informative clause. This information is provided on the collection and treatment of data for the purpose of prevention, investigation, detection or prosecution of criminal offenses under the Organic Law 4/2015, of March 30, of Protection of Citizen Security; that the data will be kept for three years and will be available to the Security Forces and bodies; rights of the interested parties and how to exercise them and the possibility of claiming before the AEPD. On the other hand, the claimed entity provides a copy of the data protection policy available on their website. It is distributed in two parts, which it calls “Policy of Privacy” and “Second layer clauses” (this last part is divided into epigraphs: reservation client file, invoices/accounting, newsletter, web users, employees, etc). The “Privacy Policy” section refers to the personal data collected from clients “in order to provide them with the contracted services consisting of the reservation of accommodation in hotel establishments”. In the information of "Second layer", epigraph "Client reservation file" it is reported that the defendant processes the information that customers provide "in order to provide them with the service and sell the requested products, make the billing of the same and manage the sending of information and commercial prospecting”. In this information, nothing is indicated about the use of the client's photograph to consumption control and avoid fraudulent use of the facilities. 4. Screen printout corresponding to the registered information regarding the claimant (data during check-in). It is presented with the label “Loading data from the client file”, and includes fields related to name and surname, number of document and date of issue, nationality, date of birth, last visits and Photography. According to this information, the entry into the claimant's hotel took place in date 08/27/2018. 5. Details of the computer program (***PROGRAMA.1”) used to take of customer data by scanning documents and converting them to text, provided by the software developer company: “Customer data capture procedure by scanning documents. At the time of entering the hotel, the client is asked for their DNI/PASSPORT to make C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/36 scanning that document. In this scan and through an OCR process (of the company…) the data is captured and integrated into the database as it is necessary to complete 2 essential documents in the normal operation of the hotel: 1. Fill in the passenger entry part. The collection and processing of these data will be done in accordance with Regulation (EU) 2016/679, of April 27 (GDPR) and Organic Law 3/2018, of 5 of December (LOPDGDD), for the purpose of prevention, investigation, detection or prosecution of criminal offenses, and under the Organic Law 4/2015, of 30 March, Protection of Citizen Security, article 25.1. 2. Issuance of billing for expenses incurred at the hotel. The image with the client's photo is captured and saved to secure the credit process to customers in the different departments as it makes it easier for the hotel staff to identify the customer who is using the credit or room card. Likewise, it allows identify said client by the hotel staff when controlling access to the establishment". ELEVENTH: On 11/29/2021, a resolution proposal was formulated in the following sense: 1. That the Director of the Spanish Data Protection Agency sanction the entity MARINS PLAYA, for an infringement of Article 6 of the RGPD, typified in the Article 83.5.a) of the RGPD and classified as very serious for the purposes of prescription in the article 72.1.b) of the LOPDGDD, with a fine of 30,000 euros (thirty thousand euros). 2. That the Director of the Spanish Agency for Data Protection imposes the entity MARINS PLAYA, S.A., within the period determined, the adoption of the necessary measures to adapt their actions to data protection regulations personal, with the scope expressed in the Legal Basis VI of the aforementioned resolution proposal. TWELFTH: Notification of the aforementioned resolution proposal, dated 12/15/2021 a letter is received from the entity claimed in which it reiterates its request for archive of the procedure, basing its request on the following allegations: 1. The claimant, during the registration process at the hotel establishment, who took place on 08/27/2018, three months after the entry into force of the RGPD, facilitated your passport without showing any opposition. At that time he was informed about the extremes imposed by the RGPD through an informative document written in Spanish and had at its disposal a "display" with an informative clause regarding the data processing carried out. Currently, this information is provided in the most frequent languages among the entity's clients. 2. Recital 47 of the RGPD expressly states that the treatment of personal data strictly necessary for the prevention of fraud constitutes also a legitimate interest of the controller, which operates "ex lege" when the treatment obeys this purpose and the parameters that must be be taken into account to carry out the weighting, such as whether the interested party is client or is at the service, the performance of a prior analysis and that the treatments do not occur in circumstances in which the interested party does not expect that a further treatment (the data subject's perspective). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/36 In this case, the first aspect is given; the second was the object of analysis when implemented the technological solution for check-in, concluding the need for inform, limit access to the image exclusively to payment operators for consumption and keep the data only during the client's stay; Besides, the identification by image has been favorably valued by customers, as they have avoided erroneous charges, especially when “all-in” stays are offered. included". 3. There are no alternatives that offer the same guarantee minimizing the treatment of the personal information. Reiterates that the proposals of the Dutch data protection authority about other less intrusive practices, such as consulting the interested party of some data (surname or room number) or the signature of a receipt, are not effective or involve the processing of other data, such as the signature, which are not less demanding of protection. 4. The image of the client is only displayed by the personnel that attends the payments by consumption, who sign a confidentiality document, no other treatment of said image and is eliminated at the end of the client's stay. 5. The arguments upheld by the respondent is the one upheld by the Agency itself when it initially considered that there were no indications of infringement. With its brief of allegations, MARINS PLAYA provides a copy of the document information to which he refers in his allegations. This document explains the check-in process and treatment of the image of the identification document using a character recognition program. In relation to photography the following is indicated: "Likewise, the photo that appears in the passport or DNI that you have provided for check-in will be registered in the hotel management system of the destination hotel. The purpose is to allow the hotel staff identify you as a guest and control the charge for consumption that you make during your stay in your room. This photo will be deleted at the time of check out. This treatment is based on our legitimate interest in identifying hosted customers for security and charge control purposes. For the weighting of this interest with respect to your rights and freedoms it has been determined that the treatment had a limited impact on your privacy, because: - There is a contractual relationship and the treatment is carried out in connection with said relationship; - This security measure benefits the customers themselves by guaranteeing the correct imputation of the charges to your room and avoid possible impersonations; - Access to your image is restricted to hotel staff; - The term of conservation of your image is limited to the time of your stay”. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/36 PROVEN FACTS 1. The entity MARINS PLAYA is dedicated to the provision of hotel services and of similar accommodation. 2. For customer registration (check-in), at the time of their arrival at the hotel, requests identification documentation and submits it to a scanning process that enables the digitization of texts (the process automatically identifies the characters of a given alphabet and stores them as data), by an optical character recognition (OCR) computer program. This process converts the image into text and incorporates the data into the hotel management program, filling in the "customer file" or "traveler entry part", with fields regarding the number, type and date of issue of the identity document presented, name and surname, sex, date and country of birth. This process applied by The claimed entity also incorporates the client's photograph into its database. At this time, the customer is provided with a magnetic card that can be used both for access to the room and to make use of the hotel services. 3. The data collected from the client by MARINS PLAYA is processed by the staff of administration and services (bar and dining room); and are sent to the Forces and Bodies of State Security, in compliance with citizen security regulations. Service personnel use a device that has embedded information regarding to clients: in the “Reservation data” section, include the room number, reservation number, number of people and departure date; in section "Components of the reservation" indicates the name and surname of the person, regime, type of VIP and number of visits, in addition to the client's photograph. The entity MARINS PLAYA has stated that the image with the client's photo is used to make it easier for hotel staff to identify the client who is doing use of the credit card or room (at the time of making a consumption, the customer provides this card to the employee, who, by swiping it to make the charge, can check the photograph), as well as to control access to the establishment. 4. The Record of Treatment Activities (RAT) provided by MARINS PLAYA includes the following information on the processing of personal customer data: . Purpose: accounting, fiscal and administrative management; . Category of interested parties: clients and users; . Types of data: DNI or NIF, name and surnames, postal or electronic address, telephone, image and manual signature; . Other types of data: personal characteristics, social circumstances, information commercial, transactions of goods and services; . Transfers: Security Forces and Bodies. . Access to equipment: it is accessed through a personalized username and password. 5. MARINS PLAYA has stated during the investigation of the procedure that after the scanning of the client's identification document, carried out during the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/36 registration process, the traveler's signature is collected in digital format, through a Tablet, which informs about the personal data protection regulations. MARINS PLAYA has provided the actions with a copy of the "Registration Sheet", which includes a section relating to the establishment and another to "traveler data" (number of identity document, type of document and date of issue, name, surname, gender, date of birth, country of nationality, date of entry and traveler's signature). This "Sheet" includes an informative legend on data protection that details, among other aspects, the identity of the person in charge, the purpose for which the data will be processed, the non-existence of data communications except by legal obligation, the rights of the interested party, mode of exercise and possibility of file a claim with the AEPD. There is also an update of this "Registration Sheet" (2019) that contains a new informative clause. This information is provided on the collection and treatment of data for the purpose of prevention, investigation, detection or prosecution of criminal offenses under the Organic Law 4/2015, of March 30, of Protection of Citizen Security; that the data will be kept for three years and will be available to the Security Forces and bodies; rights of the interested parties and how to exercise them and the possibility of claiming before the AEPD. 6. MARINS PLAYA has contributed to the actions the detail on the information in matter of data protection (privacy policy) that it facilitates through its website. In this information, nothing is indicated about the use of the client's photograph to consumption control and avoid fraudulent use of the facilities. 7. The personal data of the claimant are registered in the System of Information about MARINS BEACH. It is presented with the label “Loading data from the file of the client”, and includes fields related to name and surname, document number and date of issue, nationality, date of birth, last visits and photograph. According to this information, the entry into the claimant's hotel took place on the date 08/27/2018. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of Control and, as established in articles 47, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of the RGPD, in this organic law, by the regulatory provisions issued in its development and, in so far as they are not contradicted, on a subsidiary basis, by the rules general administrative procedures. Sections 1) and 2), of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may provide to the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 14/36 effect, mentioning in point 1.d) that of: “notify the person in charge or in charge of the treatment of alleged violations of this Regulation”; and in 2.i) that of: “impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case". The case examined is motivated by a cross-border claim filed with the Dutch data protection authority (Autoreit Persoonsgegevens -AP), against MARINS PLAYA, which is based in Spain. bliss Headquarters is the principal place of business of said entity, within the meaning of the definition of article 4.16 of the RGPD. Thus, in accordance with the provisions of article 56.1 of the RGPD, the AEPD is competent to act as the main control authority. The following "definitions" established in article 4 of the GDPR: “16) main establishment: a) with regard to a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions about the purposes and means of the treatment are taken in another establishment of the person in charge in the Union and the latter establishment has the power to enforce such decisions, in in which case the establishment that has adopted such decisions will be considered main establishment. “21) supervisory authority: the independent public authority established by a State member in accordance with the provisions of article 51”. “22) interested control authority: the control authority that is affected by the treatment of personal data because: a.- The controller or processor is established in the territory of the State member of that control authority; b.- Interested parties residing in the Member State of that control authority are substantially affected or likely to be substantially affected by the treatment, or c.- A claim has been filed with that control authority”. “23) cross-border treatment: a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a person in charge or a person in charge of the processing in the Union, if the controller or processor is established in more than one Member state, or b) the processing of personal data carried out in the context of the activities of a single establishment of a controller or a processor in the Union, but which affects substantially or is likely to substantially affect data subjects in more than one State member". According to the information included in the IMI System, in accordance with the established in article 60 of the RGPD, in this procedure acts as of "interested control authorities" the personal data protection authority of the Netherlands (Autoriteit Persoonsgegevens -AP). II C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 15/36 Article 56.1 of the RGPD, regarding the "Competence of the supervisory authority main”, states the following: "1. Without prejudice to the provisions of article 55, the control authority of the establishment main or sole establishment of the controller or processor will be competent to act as lead supervisory authority for cross-border processing carried out by said person in charge or person in charge in accordance with the established procedure in article 60”. Said article 60 regulates the "Cooperation between the main control authority and the other interested control authorities”: "1. The main control authority will cooperate with the other control authorities stakeholders in accordance with this article, striving to reach a consensus. The main control authority and the control authorities concerned will exchange all relevant information. 2. The main control authority may at any time request other authorities of Control interested parties that provide mutual assistance in accordance with article 61, and may carry out conduct joint operations under article 62, in particular to carry out investigations or supervise the application of a measure related to a person in charge or a processor established in another Member State. 3. The main control authority shall promptly notify the other control authorities relevant information in this regard. It will transmit without delay a project of decision to the other control authorities concerned to obtain their opinion on the matter and will take due account of their views. 4. In the event that any of the interested control authorities raises an objection relevant and reasoned information on the draft decision within four weeks of consultation pursuant to paragraph 3 of this article, the lead supervisory authority will submit the matter, in case it does not follow what is indicated in the pertinent and motivated objection or considers that said objection is not pertinent or is not motivated, to the coherence mechanism referred to in article 63. 5. In the event that the main supervisory authority plans to follow what is indicated in the objection pertinent and reasoned received, it will submit to the opinion of the other control authorities stakeholders a revised draft decision. This revised draft decision is will submit to the procedure indicated in section 4 within a period of two weeks. 6. In the event that no other interested supervisory authority has objected to the draft decision transmitted by the main supervisory authority within the period indicated in the paragraphs 4 and 5, it will be considered that the main supervisory authority and the authorities of Stakeholders are in agreement with said draft decision and will be bound by East. 7. The main control authority will adopt and notify the decision to the main establishment or to the sole establishment of the person in charge or the person in charge of the treatment, as appropriate, and shall inform the interested control authorities and the Committee of the decision, including a summary of relevant facts and motivation. The supervisory authority before which the submitted a claim will inform the claimant of the decision. (…) 12. The main supervisory authority and the other interested supervisory authorities will reciprocally provide the information required within the framework of this article by electronic means, using a standardized form. On the issues regulated in these precepts, what is stated in Recitals 124, 125, 126 and 130 of the RGPD, in particular the following: 28001 – Madrid 6 sedeagpd.gob.es, 16/36 (124) “… Said authority (the main authority) must cooperate with the other authorities interested…”. (125) “As the lead authority, the supervisory authority must closely involve and coordinate the control authorities interested in the decision-making process”. (126) “The decision must be agreed jointly by the main control authority and the interested control authorities…”. (130) “When the supervisory authority before which the claim has been filed is not the lead supervisory authority, the latter must cooperate closely with the former with in accordance with the provisions on cooperation and coherence established in this Regulation. In such cases, the lead supervisory authority, by taking measures designed to produce legal effects, including the imposition of administrative fines, must take into account account to the greatest extent possible the opinion of the supervisory authority before which the filed the claim and which must remain competent to perform any investigation on the territory of its own Member State in liaison with the supervisory authority competent". In accordance with the provisions of article 4.24 of the RGPD, it is understood by "objection relevant and motivated” the following: “The objection to a proposal for a decision on the existence or not of an infringement of this Regulation, or on the conformity with the present Regulation of actions foreseen in relationship with the person in charge or the person in charge of the treatment, which clearly demonstrates the significance of the risks posed by the draft decision to the rights and freedoms of the interested parties and, where appropriate, for the free circulation of personal data within the Union. In accordance with the provisions of the previous rules, in this case, referred to a claim filed with the supervisory authority of a State member (Netherlands), in relation to processing in the context of activities of an establishment of a person in charge that affect or are likely to affect substantially to data subjects in more than one Member State (data processing cross-border), the main control authority, in this case the Spanish Agency of Data Protection, is obliged to cooperate with the other authorities interested. The Spanish Agency for Data Protection, in application of the powers that conferred by the RGPD, is competent to adopt the decisions designed to produce legal effects, whether it be the imposition of measures that guarantee the compliance with regulations or the imposition of administrative fines. Nevertheless, is obliged to closely involve and coordinate the control authorities stakeholders in the decision-making process and take their opinion into account in the greater extent. It is also established that the binding decision to be adopted jointly agreed. Article 60 of the GDPR regulates this cooperation between the main control authority and the other interested control authorities. Section 3 of this article expressly establishes that the main supervisory authority will transmit to the other control authorities concerned, without delay, a draft decision to obtain its opinion on the matter and will take due account of its views, following the procedure provided for in sections 4 and following. The interested control authorities have a period of four weeks to raise reasoned objections to the draft decision, on the understanding that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 17/36 There is agreement on said project if no authority presents objections in the indicated period, in which case all of them are bound by the repeated project. Otherwise, that is, if any of the authorities concerned makes a relevant and reasoned objection to the draft decision, the supervisory authority principal may follow what is indicated in the objection, presenting the opinion of the other control authorities concerned a revised draft decision, which will be submitted to the procedure indicated in section 4 within two weeks. not to follow indicated in the objection or if it is considered that it is not pertinent, the authority of main control must submit the matter to the coherence mechanism contemplated in Article 63 of the GDPR. In the present case, the AEPD initially estimated that there were no indications of infraction, for which, on 09/28/2020, a Draft Decision was issued, by means of which was submitted to the consideration of the rest of the control authorities concerned on claim file (Draft decision). At the end of the established period, the Dutch data protection authority (Autoriteit Persoonsgegevens -AP), in the sense expressed in the Background of this act. Taking into account the reasons set out in the objections made, and in accordance with the provisions of section 1 of article 60 of the RGPD, before transcribed, which obliges the main supervisory authority to cooperate with the other authorities, striving to reach a consensus, the procedure was followed provided for in section 5 of the aforementioned article 60, instead of resorting to the coherence contemplated in article 63 of the RGPD. Although this Agency initially considered that there were no indications of infraction, a Once the observations or objections raised by the supervisory authority have been analyzed interested party, some circumstances were revealed that had not been sufficiently valued in the draft file of actions (Draft decision), which will be exposed in the Foundations of Law that follow. For this reason, it was appropriate to prepare a Revised Draft Decision that contemplate the opening of a sanctioning procedure against MARINS PLAYA. This action is in accordance with the cooperation procedure regulated in article 60 of the GDPR; and takes into account the provisions of article 58.4 of the same Regulation, according to which the exercise of the powers conferred on the authority of control must respect the procedural guarantees established in Union law and of the Member States. The Spanish procedural regulations, specifically, Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), establishes that procedures of a sanctioning nature will always be initiated ex officio by agreement of the competent body, which must contain, among other indications, the identification of the person or persons allegedly responsible, the facts that motivate the initiation of the procedure, its possible qualification and the penalties that may apply C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 18/36 The adoption of this draft agreement to initiate the sanctioning procedure is provided for in article 64 of the LOPDGDD, sections 2 (third paragraph) and 3, establishing the obligation to give formal knowledge to the interested party. This notification interrupts the prescription of the infraction. The Revised Draft Decision prepared by the AEPD, in the form of a draft opening of sanctioning procedure, was submitted to the consideration of the interested authority, in order to formulate the objections that they deem pertinent or give your consent. To do this, it was transmitted through the IMI System to these authorities, letting him know that, in case he did not raise objections in the period of two weeks from the consultation, the mandatory agreement of opening of sanctioning procedure. The interested control authority did not formulate no objection, so it was understood that there was agreement on the aforementioned project. Consequently, on 07/19/2021, the AEPD agreed to initiate this sanctioning procedure, according to the arguments and accusations contained in the Revised Draft Decision. On the other hand, section 4 of the aforementioned article 64 of the LOPDGDD establishes that The processing times established in this article will be automatically suspended when it is necessary to collect information, consultation, request for assistance or mandatory pronouncement of a body or agency of the European Union or of a or several control authorities of the Member States in accordance with the provisions in the RGPD, for the time between the request and the notification of the statement to the Spanish Data Protection Agency. III Article 6 of the RGPD refers to the "Legality of the treatment" in the terms following: Article 6 of the RGPD. "1. The treatment will only be lawful if at least one of the following conditions is met: a) the interested party gave his consent for the treatment of his personal data for one or various specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the data subject or another person physical; e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by public authorities in the exercise of their functions. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 19/36 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with regard to the treatment in compliance with section 1, letters c) and e), establishing more precise requirements specific treatment and other measures that guarantee lawful and fair treatment, with inclusion of other specific situations of treatment under chapter IX. 3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the data controller. The purpose of the treatment must be determined in said legal basis or, as regards to the treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the responsible for the treatment. Said legal basis may contain specific provisions for adapt the application of the rules of this Regulation, among others: the conditions general that govern the legality of the treatment by the person in charge; data types object of treatment; affected stakeholders; the entities to which they can be communicated personal data and the purposes of such communication; purpose limitation; the terms of data conservation, as well as the operations and procedures of the treatment, including measures to ensure fair and lawful treatment, such as those relating to other specific situations of treatment under chapter IX. Union law or of the Member States shall fulfill a public interest objective and shall be proportionate to the end legitimate persecuted. 4. When the treatment for another purpose other than that for which the data was collected personal information is not based on the consent of the interested party or on Union Law or of the Member States which constitutes a necessary and proportionate measure in a society democracy to safeguard the objectives indicated in article 23, paragraph 1, the data controller, in order to determine whether processing for another purpose is compatible with the purpose for which the personal data was initially collected, will take into account account, among other things: a) any relationship between the purposes for which the personal data was collected and the purposes of the intended further processing; b) the context in which the personal data were collected, in particular with regard to to the relationship between the interested parties and the data controller; c) the nature of the personal data, specifically when dealing with special categories of personal data, in accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with article 10; d) the possible consequences for data subjects of the envisaged further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization”. It takes into account what is expressed in recitals 40 to 45 and 47 of the RGPD in in relation to the provisions of articles 6 and 7 of the GDPR outlined above. In the present case, a claim is made against the entity MARINS PLAYA for perform, during the process of registering the claimant in the hotel, a digital scan of his passport, of the entire document, despite the opposition expressed by the same; as well as for the use of the personal data contained in the aforementioned document, including a photograph, for the control and invoicing of the consumption of the client during their stay. The actions carried out have made it possible to verify that the scanning process to which the client's identification document is submitted upon arrival at the hotel does not have in order to obtain a digital image of the entire document. As detailed in Proven Fact 2, said scanning is carried out using a computer program C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 20/36 Optical Character Recognition (OCR) that automatically identifies characters of a certain alphabet and stores them as data, that is, convert the image to text. It is a support program that captures the data of the client, integrates them into the entity's information system and enables the Completion of the "client file" or "passenger entry part". There is no proof that the responsible entity has an image Complete identity document of the clients. Nor is it known that the image A scan of this document is incorporated into the devices used by the staff of hotel services (bar and dining room). If it is accredited, on the other hand, and this has been recognized by the MARINS entity itself PLAYA, which through that process the aforementioned entity collects the personal data of your clients regarding the number, type and date of issue of the identity document presented, name and surname, sex, date and country of birth, as well as the Photography; and that they are sent to the State Security Forces and Bodies in compliance with citizen security regulations and used for the "management hotel”, according to the terms used by the entity itself in its response to the AEPD Inspection Services. This includes the use of personal data by the administration staff and of services. According to the documentation provided by the claimed entity, the staff of services uses a device that has incorporated information regarding the clients, which includes the room and reservation number, number of people and departure date; name and surname of the person, status, type of VIP and number of visits, in addition to the photograph of the client, which is checked to verify the identity of the client when making consumptions in the hotel; but they don't have the scanned image of the identity document. The data collected, except for the photograph, are necessary for the execution of the contract in which the interested party is a party and for the fulfillment of an obligation law applicable to the data controller. Therefore, the treatment of these data It is protected by the provisions of article 6.1, letters b) and c), of the RGPD. The regulations that regulate the books-records and parts of entry of travelers in hotel establishments, as well as the obligation to communicate the information contained in the registration sheets to the police agencies, is constituted, Basically, by Organic Law 4/2015, of March 30, on the protection of the citizen security, and Order INT/1922/2003, of July 3, on registry books and parts of entry of travelers in hotel establishments and other analogous. Article 24 of Organic Law 4/2015 provides in its first section the following: “Individuals or legal entities that carry out activities relevant to the security citizen, such as lodging ... will be subject to registration obligations documentation and information in the terms established by the provisions applicable”. This rule, and the aforementioned Order, in which those obligations are detailed, legitimizes the collection of personal data related to the document number of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 21/36 identity, type of document and date of issue, name and surname, sex, date of birth and country of nationality, date of entry and signature of the traveler; which must be incorporated into the "Registration sheet" that the entity responsible for the hotel must transfer to the State Security Forces and Bodies. It remains, therefore, to determine the scope that should be granted, from the point of view of the protection of personal data, the collection and use of photographs of clients carried out by MARINS PLAYA. On this issue, the first thing to note is that the information on protection of personal data that the claimed entity provided to customers not included no details about the collection and use of the photograph, so they were unknown to those interested. In fact, not even the data processing to which The photograph is submitted and appears in the Registry of Treatment Activities. Therefore, what MARINS PLAYA stated in its letter of allegations to the motion for a resolution when it points out that the clients were informed during the registration process at the hotel establishment. It is true that With this pleadings brief, it has provided an informative document that does reference to the registration of the photograph in the entity's systems, but it has not accredited the delivery of this document to clients and has not justified When did you implement its use? In this regard, it is interesting to note that in the evidence phase of the procedure the The instructor expressly required the respondent entity to copy its policy on privacy, in all its versions effective as of 05/25/2018 and any notice of privacy or additional information, as well as a detail about the channels empowered to disclose this information, and said entity did not provide the informative document that now contributes with its allegations to the proposal of resolution. In relation to the photographs of the clients, MARINS PLAYA has stated that This image is used to make it easier for hotel staff to identify the client. that you are using the credit or room card (at the time of making a consumption, the client provides that card to the employee, who, when passing it to carry out the charge, you can check the photo), as well as to control access to the establishment. When the customer registers, he is provided with a magnetic card that allows you, in addition to access to the room, the payment of consumption with charge to your account, which will be paid at the end of your stay. At the time of making a consumption, the customer provides that card to the employee, who, by swiping it through his device to charge, view the customer's photo. The collection and use of customer photographs are not covered by the legal bases indicated above (execution of the contract and fulfillment of a legal obligation). According to MARINS PLAYA, the aim is to verify the identity of the client in order to avoid fraudulent use of the card by third parties and prevent causing serious damage economical to the customer; that expenses are not paid with a lost card that is not corresponds to the user of the service. Based on this, the aforementioned entity considers that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 22/36 This treatment is covered by the provisions of article 6.1.f) of the RGPD, since there is a legitimate interest of the person in charge in charging the true user of the service and of the client, avoiding the use of the cards in a fraudulent way and that they are loaded in the accounts of some customers the consumption made by third parties. The existence of a legitimate interest of the responsible entity and of the client as a legal basis that provides coverage for the treatment of the photograph of the customers. In relation to the legal basis of legitimate interest, article 6 cited establishes: "1. The treatment will only be lawful if at least one of the following conditions is met: f) the treatment is necessary for the satisfaction of legitimate interests pursued by the responsible for the treatment or by a third party, provided that said interests are not prevail the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child...”. Recital 47 of the RGPD specifies the content and scope of this base legitimizer of the treatment: “(47) The legitimate interest of a controller, including that of a controller to whom may communicate personal data, or of a third party, may constitute a legal basis for treatment, provided that the interests or the rights and freedoms of the user do not prevail. data subject, taking into account the reasonable expectations of data subjects based on their relationship with the person in charge. Such legitimate interest could occur, for example, when there is a relevant and appropriate relationship between the data subject and the controller, such as in situations where which the interested party is a client or is at the service of the person in charge. In any case, the existence of a legitimate interest would require careful assessment, even if a The interested party can reasonably foresee, at the time and in the context of the collection of personal data, which may be processed for this purpose. In particular, the interests and the fundamental rights of the interested party could prevail over the interests of the responsible for the treatment when proceeding to the treatment of personal data in circumstances in which the data subject does not reasonably expect that a further treatment. Since it is up to the legislator to establish by law the legal basis for the processing of personal data by public authorities, this legal basis does not should apply to processing carried out by public authorities in the exercise of their duties. functions. The processing of personal data strictly necessary for the prevention of fraud also constitutes a legitimate interest of the data controller. that it is The processing of personal data for direct marketing purposes may be considered carried out for legitimate interest”. The interpretative criteria that are extracted from this Considering are, among others, (i) that the legitimate interest of the person in charge prevails over the interests or rights and fundamental freedoms of the owner of the data, in view of the expectations reasonable that he has, based on the relationship he maintains with the person in charge of the treatment; (ii) it will be essential to carry out a "meticulous evaluation" of the rights and interests at stake, also in those cases in which the interested party can reasonably foresee, at the time and in the context of the data collection, which may be processed for this purpose; (iii) interest and fundamental rights of the owner of the personal data could prevail against the legitimate interests of the person in charge when the processing of the data is carried out in such circumstances in which the data subject "does not reasonably expect" carry out further processing of your personal data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 23/36 MARINS PLAYA has not justified this legitimate interest sufficiently to allow the weighting test between the interest of the person in charge and the rights of the interested, necessary to determine the legality of the treatments carried out. On In this case, moreover, there is no evidence that the aforementioned entity has carried out this test of weighting and has duly informed the claimant on this basis legitimizing. During the test phase of the procedure, the instructor expressly requested the requested to provide a "Copy of the documents in which the evaluation carried out on the prevalence or not of the interests and fundamental rights of the clients against the interests of MARINS PLAYA, in relation to the operations of processing of personal data of clients carried out under the responsibility of MARINS PLAYA with which the satisfaction of legitimate interests is intended persecuted by the MARINS PLAYA entity itself or by a third party”. this entity responded to the agreed request for evidence, but did not provide any documentation regarding the processing of personal data based on legitimate interest. The respondent entity did not carry out this prior analysis, although it refers to it in its writing of allegations to the proposal, and at no time informs the clients on this legal basis of the treatment. About the informative document provided with said letter of allegations, which contains a reference to the legitimate interest, we We refer to what was indicated above about said informative writing. In the absence of information regarding the weighting test, the interested party is deprived of their right to know the legal basis of the treatment alleged by the person in charge, and specifically, when referring to the legitimate interest, he is deprived of his right to know what are said legitimate interests alleged by the person in charge or by a third party that would justify processing without taking your consent into account. In the same way, the interested party is deprived of his right to claim for what reasons Said legitimate interest alleged by the person in charge could be counteracted by the rights or interests of the interested party. Not having given the interested party an opportunity to allege them against the person in charge, any weighing carried out by the person in charge without taking into account the circumstances that the interested party could allege, to whom it was not allowed to do so would be vitiated, as it is an act contrary to a mandatory norm. It is difficult to accept that a treatment is based on the legitimate interest of the controller when that treatment is carried out in a hidden way. It is not possible, therefore, to invoke this legal basis of legitimate interest on the occasion of a administrative procedure, such as transfer of the claim or allegations to the opening of the sanctioning procedure. Accepting it would be the same as admitting an interest legitimate supervening, or a posteriori, in respect of which the requirements set forth in the personal data protection regulations and on which stakeholders are not informed. Although the legitimate interest is not applicable, it is interesting to analyze the terms in which it must carry out the weighting provided for in article 6.1.f) of the RGPD between the legitimate interest of the person responsible for the data and the protection of personal data of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 24/36 interested, that is, how it plays said legitimate interest, if applicable. The CJEU, in its ruling of 05/04/2017, C-13/16, Rigas Satskime, sections 28 to 34, determined what are the requirements for a treatment to be lawful on the basis of legitimate interest. The CJEU ruling of 07/29/2019, C-40/17, Fashion ID, Echoing the sentence cited, it collects said requirements. 28. In this regard, article 7, letter f), of Directive 95/46 -(current article 6.1.f) of the RGPD)- sets three cumulative requirements for the processing of personal data to be lawful: first, that the data controller or the third party or third parties to whom they are communicated the data pursues a legitimate interest; second, that the treatment is necessary for the satisfaction of that legitimate interest and, third, that the rights and freedoms fundamentals of the interested party in the protection of data. This legal basis requires the existence of real interests, not speculative and that, Also, they are legitimate. And not only does the existence of that legitimate interest mean that those treatment operations can be carried out. It is also necessary that these treatments are necessary to satisfy that interest and consider the repercussion for the interested party, the level of intrusion on their privacy and the effects that may negatively impact it. Regarding the first of the requirements, that is, that the data controller or third parties pursue a legitimate interest, such as preventing fraudulent use of the card that the claimed delivery to its customers, we are faced with an interest that could considered legitimate in itself, although said interest must be weighed against the of the individuals. That is, even if the person in charge has said legitimate interest, this does not mean, in itself considered, that this basis can simply be invoked legal as a basis for processing. The legitimacy of this interest is only a starting point, only one of the elements to be weighed. Regarding the second of the requirements, however, it is considered that the treatment of personal data carried out by MARINS PLAYA is not necessary or strictly necessary for the satisfaction of the alleged legitimate interest (the cited judgment of 05/04/2017, C-13/16, Rigas Satskime, in its section 30, declares “As regards the requirement that data processing is necessary, it should be remembered that the exceptions and restrictions to the principle of protection of personal data personnel must be established without exceeding the limits of what is strictly necessary"). This principle, according to which the treatment must be strictly necessary for the satisfaction of legitimate interest, it must be interpreted in accordance with what established in article 5.1.c) RGPD, which refers to the principle of data minimization, noting that personal data will be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are treaties”. Thus, less invasive means of serving a patient should always be preferred. same end. Necessity implies here that the treatment is essential for the satisfaction of said interest, so that, if said objective can be achieved reasonable manner in another manner that is less impactful or less intrusive, the Legitimate interest cannot be invoked. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 25/36 The term “necessity” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a own and independent meaning in Community law. It's about a “autonomous concept of Community Law” (STJUE of 12/16/2008, case C- 524/2006, section 52). On the other hand, the European Court of Human Rights (ECHR) has also offered guidelines to interpret the concept of necessity. On its Judgment of 03/25/1983 specified that, without prejudice to the treatment of the data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in its Judgment of 3/25/1983, the term “necessary” does not have the flexibility that is implicit in those expressions. The more "negative" or "uncertain" the impact of treatment may be, the more It is unlikely that the processing as a whole can be considered legitimate. As can be seen, what was stated above is in line with the doctrine of Constitutional Court on the proportionality trial that must be carried out on a restrictive measure of a fundamental right. According to this doctrine, they should three requirements must be verified: suitability (if the measure allows the objective proposed); necessity (that there is no other more moderate measure); proportionality in strict sense (more benefits or advantages than harm). In short, leaving aside the fact that the interested party does not know for what purposes or on what legal basis your data has been collected, it is understood that the collection and use of the photograph of the clients that MARINS PLAYA carries out supposes a excessive processing of personal data. In relation to this question, all the arguments put forward by the data protection authority of the Netherlands, outlined in the Background Fourth, to challenge the processing of said personal data under the established in article 6.1.f) of the same RGPD, considering that there are other Less intrusive ways to verify if the magnetic card holder is the legitimate one holder of the same at the time of payment and, thus, prevent said cards from being used fraudulently. On the other hand, the proceedings do not show that MARINS PAYA has established additional guarantees that could favor the acceptance of this base legal data processing, such as favoring the right of opposition of the interested party or even establish voluntary exclusion mechanisms. In short, the legitimate interest invoked by MARINS PLAYA does not prevail against the fundamental rights and freedoms of those interested in the protection of their data personal, so it cannot be considered that the processing of personal data that carried out is protected by the legitimate interest provided for in article 6.1.f) of the GDPR. Nor does the interested party give their consent for said data processing. From In accordance with what is expressed in the aforementioned regulations, the data processing object of the claim require the existence of a legal basis that legitimate, such as the consent of the interested party validly given, necessary C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 26/36 when there is no other legal basis mentioned in article 6.1 of the RGPD or the treatment pursues a purpose compatible with that for which they were collected the data. Article 4 of the GDPR defines "consent" in the following terms: “Article 4 Definitions For the purposes of this Regulation, the following shall be understood as: 11. «consent of the interested party»: any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either by means of a declaration or a clear affirmative action, the treatment of personal data that concerns you”. In relation to the provision of consent, what is established in the article 6 of the RGPD, already mentioned, and in articles 7 of the RGPD and 7 of the LOPDGDD. Article 7 “Conditions for consent” of the RGPD: "1. When the treatment is based on the consent of the interested party, the person in charge must be able to demonstrate that they consented to the processing of their personal data. 2. If the data subject's consent is given in the context of a written statement that also refers to other matters, the request for consent will be presented in such a way clearly distinguishable from other matters, in an intelligible and easily accessible manner and using clear and simple language. No part of the declaration will be binding. constitutes an infringement of this Regulation. 3. The interested party shall have the right to withdraw their consent at any time. The retreat of consent will not affect the legality of the treatment based on the consent prior to his withdrawal. Before giving their consent, the interested party will be informed of it. it will be so easy Withdraw consent as give it. 4. When assessing whether consent has been freely given, it will be taken into account to the greatest extent possible whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the execution of said contract”. Article 6 “Treatment based on the consent of the affected party” of the LOPDGDD: "1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the affected party means any manifestation of free will, specific, informed and unequivocal by which it accepts, either through a statement or a clear affirmative action, the treatment of personal data that concerns you. 2. When the data processing is intended to be based on the consent of the affected party for a plurality of purposes it will be necessary to state specifically and unequivocally that said consent is granted for all of them. 3. The execution of the contract may not be subject to the affected party consenting to the treatment of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship”. Consent is understood as a clear affirmative act that reflects a free, specific, informed and unequivocal manifestation of the interested party's accept the treatment of personal data that concerns you, provided with sufficient guarantees to prove that the interested party is aware of the fact that you give your consent and the extent to which you do so. And it must be given to all treatment activities carried out with the same or the same purposes, so that, when the treatment has several purposes, consent must be given for all C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 27/36 them in a specific and unequivocal manner, without the execution of the contract that the affected party consents to the processing of their personal data for purposes that are not related to the maintenance, development or control of the business relationship. In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which the data is intended (consent informed). Consent must be given freely. It is understood that consent is free when the interested party does not enjoy true or free choice or cannot deny or withdraw your consent without prejudice; or when you don't know allows separate authorization of the different data processing operations despite being appropriate in the specific case, or when the fulfillment of a contract or provision of service is dependent on consent, even when it not necessary for such compliance. This occurs when consent is included as a non-negotiable part of the general conditions or when imposes the obligation to agree to the use of additional personal data to those strictly necessary. Without these conditions, the provision of consent would not offer the data subject a true control over your personal data and its destination, and this would Illegal treatment activity. The Article 29 Working Group analyzed these issues in its document “Guidelines on consent under Regulation 2016/679”, revised and approved on 04/10/2018; which has been updated by the European Committee for Data Protection on 05/04/2020 through the document “Guidelines 05/2020 on consent in accordance with Regulation 2016/679”. From what is stated in this document, it is now interesting to highlight some aspects related to the validity of the consent, specifically on the elements “specific”, “informed” and "unequivocal": “3.2. Specific declaration of will Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the processing of your data must be given "for one or more specific purposes" and that an interested party may choose with respect to each of such purposes. The requirement that consent should be 'specific' is intended to ensure a level of control and transparency for the interested. This requirement has not been changed by the GDPR and remains closely linked to the requirement of “informed” consent. At the same time, it must be interpreted in line with the “dissociation” requirement to obtain “free” consent. In sum, In order to comply with the “specific” character, the data controller must apply: i) specification of the purpose as a guarantee against deviation from use, ii) dissociation in consent requests, and iii) a clear separation between information related to obtaining consent for data processing activities and information relating to other matters. Ad. i): In accordance with article 5, paragraph 1, letter b), of the RGPD, obtaining the Valid consent is always preceded by the determination of a specific, explicit and legitimate for the intended treatment activity. The need for specific consent in combination with the notion of purpose limitation in Article 5, paragraph 1, letter b), works as a guarantee against the gradual expansion or blurring of the purposes for which the data processing is carried out once an interested party has given their C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 28/36 Authorization for the initial data collection. This phenomenon, also known as deviation of the use, supposes a risk for the interested parties since it can give rise to a use unforeseen personal data by the data controller or third parties parties and the loss of control by the interested party. If the data controller relies on Article 6(1)(a), the data subjects They must always give their consent for a specific purpose for data processing. In line with the concept of purpose limitation, with Article 5, paragraph 1, letter b), and with recital 32, the consent may cover different operations, provided that these operations have the same purpose. It goes without saying that the specific consent can only be obtained when the interested parties are expressly informed about the purposes provided for the use of data concerning them. Without prejudice to the provisions on the compatibility of purposes, the consent must Be specific for each purpose. The interested parties will give their consent on the understanding that they have control over your data and that these will only be processed for those specific purposes. If a responsible processes data based on consent and, in addition, wishes to process said data for another purpose, you must obtain consent for that other purpose, unless there is another basis law that best reflects the situation... Ad. ii) Consent mechanisms should not only be separated in order to comply the requirement of “free” consent, but must also comply with the requirement of "specific" consent. This means that a data controller seeking the consent for several different purposes, you must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, data controllers must provide, with each data request, separate consent, specific information on the data to be processed for each purpose, in order that the interested parties know the repercussion of the different options that have. In this way, data subjects are allowed to give specific consent. This issue overlaps with the requirement that controllers provide clear information, as as discussed above in section 3.3”. “3.3. Manifestation of informed will The GDPR reinforces the requirement that consent must be informed. in accordance with article 5 of the RGPD, the requirement of transparency is one of the principles fundamental, closely related to the principles of loyalty and legality. To ease information to the interested parties before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing and, for example, exercise your right to withdraw your consent. If the controller does not provide information accessible, user control will be illusory and consent will not constitute a valid basis for data processing. If the requirements for informed consent are not met, the consent is not will be valid and the person in charge may be in breach of article 6 of the RGPD. 3.3.1. Minimum content requirements for consent to be “informed” In order for the consent to be informed, it is necessary to communicate to the interested party certain elements that are crucial to be able to choose. Therefore, the WG29 is of the opinion that it is required, least, the following information to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the treatment operations for which the authorization is requested. consent, iii) what (type of) data will be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of data for automated decisions in accordance with the article 22, paragraph 2, letter c), when relevant, and vi) information on the possible risks of data transfer due to the absence of a decision of adequacy and adequate guarantees, as described in the article 46”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 29/36 In the alleged case, there is no evidence of the provision of a valid consent on the part of MARINS PLAYA clients that protects the processing of personal data that MARINS PLAYA carries out with the photograph of these clients. This entity does not even report on this use of the photography, nor has it established any mechanism so that customers can consent this use by means of a separate affirmative act for these specific treatment operations, which are also not included in the Registry of Treatment Activities. Consequently, in accordance with the exposed evidence, the aforementioned facts represent a violation of the provisions of article 6 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Data Protection Agency. As can be seen from the above, the conclusions obtained on the facts analyzed go beyond the specific action of MARINS PLAYA regarding the collection and processing of personal data of the claimant, and have to do with the personal data management process implemented by this entity in general. Therefore, contrary to what was stated by this entity in his brief of arguments to the motion for a resolution, it is irrelevant whether the Whether or not the claimant objected to the delivery of his passport at the time of registration in the hotel. It is equally irrelevant that the photograph of the clients is only view by service personnel. What matters is the treatment that is carried out, that entails the registration of the photograph in the information systems of the claimed, and the circumstances in which such registration is carried out. Finally, it should be noted that the tests completed in the procedure allow reject the statement made by MARINS PLAYA in its pleadings brief to the motion for a resolution, on the conservation of the photograph only during the the client's stay at the hotel and its subsequent elimination. The card itself claimant, which was required by the instructor, proves that currently his photograph continues to be preserved in the information system of the claimed person. IV In the event that there is an infringement of the provisions of the RGPD, between the corrective powers available to the Spanish Data Protection Agency, as a control authority, article 58.2 of said Regulation contemplates the following: "two. Each control authority will have all the following corrective powers indicated below: continuation: (…) b) send a warning to any person responsible or in charge of the treatment when the treatment operations have violated the provisions of this Regulation; (...) d) order the person responsible or in charge of the treatment that the treatment operations be C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 30/36 comply with the provisions of this Regulation, where appropriate, of a given manner and within a specified time; (…) i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;". According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. v The exposed facts do not comply with the provisions of article 6 of the RGPD, which involves the commission of an offense classified in section 5.a) of article 83 of the RGPD, which under the heading “General conditions for the imposition of fines administrative” provides the following: "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent to tenor of articles 5, 6, 7 and 9”. In this regard, the LOPDGDD, in its article 71 establishes that "They constitute infractions the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”. For the purposes of the limitation period, article 72 of the LOPDGDD indicates: “Article 72. Infractions considered very serious. 1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered very serious and will prescribe after three years the infractions that suppose a violation substance of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679”. In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: "1. Each control authority will guarantee that the imposition of administrative fines with in accordance with this article for the infringements of this Regulation indicated in the sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each case individually, in addition to or as a substitute for the measures referred to in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount In each individual case, due account shall be taken of: a) the nature, seriousness and duration of the offence, taking into account the nature, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 31/36 scope or purpose of the treatment operation in question as well as the number of affected parties and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the data controller or processor, taking into account of the technical or organizational measures that they have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the The person responsible or the person in charge notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved under article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infraction”. For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD has: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also may be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing personal. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the crime. infringement. e) The existence of a merger by absorption process subsequent to the commission of the infraction, that cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection officer. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party”. In accordance with the precepts indicated, in order to set the amount of the penalty to impose in the present case, it is considered appropriate to graduate said sanction from according to the following criteria: The following graduation criteria are considered concurrent as aggravating: . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation of treatment in question as well as the number of interested parties affected and the 28001 – Madrid 6 sedeagpd.gob.es, 32/36 level of damages they have suffered. . In relation to the duration of the infringement, it is stated in the proceedings that the collection of personal data carried out by the claimed party, which includes the collection of the client's photograph, there has been at least one from 08/27/2018, date of entry into the claimant's hotel, and currently maintains. . Number of interested parties: the infraction affects all the clients of the entity. . The nature of the damage caused to the interested persons, which have seen increased risk to their privacy. . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement". It should be noted that the procedure for collecting personal data implemented by MARINS PLAYA supposes, from the point of view of the interested holders of the data collected, the loss of the disposition and control about their data, because they do not even know that this data collection includes the photograph that appears on the identification document provided by the client to your arrival at the hotel. These circumstances, in addition to those meant in the previous section, revealed the negligent action of MARINS PLAYA. In this regard, it takes into account what was declared in the Judgment of the National High Court of 10/17/2007 (rec. 63/2006) that, based on the fact that these are entities whose activity has coupled with the continuous processing of customer data, indicates that "... the Court Supreme has understood that there is imprudence whenever it is neglected a legal duty of care, that is, when the offender does not behave with the due diligence. And in assessing the degree of diligence, it must be weighed especially the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the activity of the appellant is constant and abundant handling of personal data, it must be insisted on the rigor and exquisite care to adjust to the legal precautions in this regard”. It is a company that processes the personal data of its clients in a systematic and continuous manner and that extreme care must be taken in the compliance with its data protection obligations. In addition, it is considered that he has had knowledge on several occasions, during the processing of the claim, about the possible irregularity of its action and not No action has been taken to correct it. . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the data processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32”. The imputed entity does not have adequate procedures in place for performance in the collection and processing of personal data, so that the infringement is not the result of an anomaly in the functioning of these procedures but a defect in the data management system C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 33/36 personal designed by the person in charge. . Article 83.2.g) of the RGPD: “g) the categories of personal data affected by the infringement. Although “Special categories of personal data” have not been affected, as defined by the RGPD in article 9, this does not mean that the stolen data is not were sensitive in nature. The personal data affected by the treatment (the photography of clients) has a particularly sensitive nature, in that allows the prompt identification of the interested parties and increases the risks on their privacy, especially when it is registered associated with all the data that appear on the holder's identity document, as in this case. . Article 76.2.a) of the LOPDGDD: “a) The continuous nature of the infraction”. The procedure for collecting and processing personal data implemented by the claimed applies to all customers during, at least, the period indicated in the refer to the duration of the infraction. It is a plurality of actions that follow the action designed by MARINS PLAYA, which violate the same precept. . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender with the processing of personal data”. The high link between the activity of the offender and the performance of treatment of personal data, considering the activity carried out in the sector hotelier and its volume of activity (in the Fifth Antecedent, some details about it). . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. The medium-sized company and business volume of MARINS PLAYA (in the Fifth Antecedent contains some details in this regard). It is also considered that there are extenuating circumstances following: . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. Although the collection of personal data related to photography is considered excessive of the client and the subsequent use that is made of it, is taken into account the purpose intended by the claimed entity, to avoid fraud in the consumption of services, and that no other use other than this data has been accredited personal. Considering the exposed factors, the valuation reached by the fine, for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 34/36 Violation of article 6 of the RGPD, it is 30,000 euros (thirty thousand euros). It is interesting to note that MARINS PLAYA has not made any allegation regarding the graduation of the sanction in the brief presented in response to the proposal of resolution prepared by the instructor of the procedure. SAW The infractions committed may lead to the imposition of the person responsible for the adoption of appropriate measures to adjust its actions to the aforementioned regulations in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to which each control authority may "order the person in charge or in charge of the treatment that the treatment operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a specified period…”. In this case, it is appropriate to require the responsible entity so that, within the term indicates in the operative part, cessation in the collection and treatment of the photograph of its customers. In another case, you must adapt the information on data protection data offered to customers, especially that relating to the collection and use of the photograph and the legal basis that supports the treatment, establishing mechanisms that allow proving that said information is accessed by the interested; and carry out the necessary adaptation of the treatment operations to which this act refers to the requirements contemplated in article 6.1 of the RGPD, with the scope expressed in the previous Legal Foundations. Likewise, it must correct the effects of the infraction committed, which entails the deletion of all photographs collected from customers in the circumstances that have determined the declaration of the infraction that is sanctioned in this act. It is warned that not meeting the requirements of this organization may be considered as a serious administrative infraction by “not cooperating with the Authority of control” before the requirements made, being able to be valued such behavior to the time of the opening of an administrative sanctioning procedure with a fine pecuniary Therefore, in accordance with the applicable legislation and having assessed the criteria for graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE the entity MARINS PLAYA, S.A., with CIF A07158223, for an infringement of Article 6 of the RGPD, typified in Article 83.5.a) of the RGPD and classified as very serious for prescription purposes in article 72.1.b) of the LOPDGDD, a fine of 30,000 euros (thirty thousand euros). SECOND: Require the entity MARINS PLAYA, S.A. so that, within a month, adopt the necessary measures to adapt its actions to the regulations of protection of personal data, with the scope expressed in the Foundation of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 35/36 Right VI. Within the indicated period, the aforementioned entity must justify before this Agency Spanish Data Protection the attention of this requirement. THIRD: NOTIFY this resolution to the entity MARINS PLAYA, S.A. FOURTH: Warn the sanctioned party that he must make the imposed sanction effective once Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment term voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, through its entry, indicating the NIF of the sanctioned and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case Otherwise, it will be collected in the executive period. Received the notification and once executed, if the date of execution is between the 1st and 15th of each month, both inclusive, the term to make the payment voluntary will be until the 20th day of the following month or immediately after, and if between the 16th and last day of each month, both inclusive, the payment term It will be until the 5th of the second following month or immediately after. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month from counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the firm resolution in administrative proceedings if the The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact by writing addressed to the Spanish Agency for Data Protection, presenting it through Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registers provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would end the precautionary suspension. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 36/36 938-231221 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es