AEPD (Spain) - PS/00003/2021: Difference between revisions
mNo edit summary |
No edit summary |
||
(8 intermediate revisions by the same user not shown) | |||
Line 17: | Line 17: | ||
|Type=Complaint | |Type=Complaint | ||
|Outcome=Upheld | |Outcome=Upheld | ||
|Date_Started= | |Date_Started=23/12/2018 | ||
|Date_Decided= | |Date_Decided= | ||
|Date_Published= | |Date_Published=25/02/2022 | ||
|Year= | |Year=2022 | ||
|Fine=300000 | |Fine=300000 | ||
|Currency=EUR | |Currency=EUR | ||
|GDPR_Article_1=Article 5(1)(c) GDPR | |GDPR_Article_1=Article 4(16) GDPR | ||
| | |GDPR_Article_Link_1=Article 4 GDPR#16 | ||
| | |GDPR_Article_2=Article 5(1)(c) GDPR | ||
| | |GDPR_Article_Link_2=Article 5 GDPR#1c | ||
|GDPR_Article_3=Article 12(2) GDPR | |||
|GDPR_Article_Link_3=Article 12 GDPR#2 | |||
|GDPR_Article_4=Article 12(3) GDPR | |||
|GDPR_Article_Link_4=Article 12 GDPR#3 | |||
|GDPR_Article_5=Article 12(6) GDPR | |||
|GDPR_Article_Link_5=Article 12 GDPR#6 | |||
|GDPR_Article_6=Article 25 GDPR | |||
|GDPR_Article_Link_6=Article 25 GDPR | |||
|GDPR_Article_7=Article 32 GDPR | |||
|GDPR_Article_Link_7=Article 32 GDPR | |||
|GDPR_Article_8=Article 56(1) GDPR | |||
|GDPR_Article_Link_8=Article 56 GDPR#1 | |||
|Party_Name_1=PageGroup Europe | |||
|Party_Link_1=https://www.page.com/ | |||
|Party_Name_1= | |||
|Party_Link_1= | |||
|Party_Name_2= | |Party_Name_2= | ||
|Party_Link_2= | |Party_Link_2= | ||
Line 51: | Line 61: | ||
}} | }} | ||
The Spanish DPA fined | The Spanish DPA fined PageGroup Europe €300,000 for violating [[Article 12 GDPR|Articles 12]] and [[Article 5 GDPR#1c|5(1)(c) GDPR]], because it lacked an adequate procedure to comply with data subjects' rights, and required data subjects to provide additional identification documentation, without there being reasonable doubt regarding their identity. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
The controller is Michael Page International, a company based in the United Kingdom, and the parent company of the PageGroup business group. It is an employment agency and operates under various brands, including “Michael Page”. It has subsidiaries in many European countries, with the Dutch subsidiary being the Michael Page entity International - Nederland B.V. The data subject, who is a Dutch citizen that had created an account on the web portal of the controller, submitted an access request on 28 September 2018. The controller, however, requested | The controller is Michael Page International, a company based in the United Kingdom, and the parent company of the PageGroup business group. It is an employment agency and operates under various brands, including “Michael Page”. It has subsidiaries in many European countries, with the Dutch subsidiary being the Michael Page entity International - Nederland B.V. The data subject, who is a Dutch citizen that had created an account and had uploaded her CV on the web portal of the controller, submitted an access request on 28 September 2018. The controller, however, requested the data subject's ID to verify the identity of the data subject. Since the data subject found this request to be excessive, she lodged a complaint with the Dutch DPA (AP). | ||
After the AP contacted the Dutch subsidiary, the subsidiary explained that, although the corporate group's headquarters are located in the United Kingdom, the legal department (compliance team, responsible for managing access requests exercised by data subjects) is located in Barcelona, Spain. Hence, according to the Spanish DPA (AEPD), this establishment is the main establishment by the definition of [[Article 4 GDPR#16|Article 4(16) GDPR]], and therefore declared its competency to act as the lead supervisory authority under [[Article 56 GDPR#1|Article 56(1) GDPR]]. | |||
The AEPD then investigated the controller's procedure of dealing with access requests and concluded that these procedures complied with the GDPR. Hence, the DPA considered that there were no indications of infringement and that no further action was necessary. After sharing this draft decision with the other interested DPA's (see more info in comment), the Portuguese DPA (CNPD) and The Berlin DPA (BInBDI) opposed this conclusion after reviewing the contents of the Draft Resolution as interested authorities. They considered that there were multiple violations ([[Article 12 GDPR|Articles 12]], [[Article 5 GDPR#1c|5(1)(c)]], [[Article 25 GDPR#|25]], and [[Article 32 GDPR#|32 GDPR]]) because, in order to make access to data subjects' personal data feasible, additional information should only be requested in case of doubts about the identity of the interested party. | |||
The AEPD then reconsidered their initial decision. | |||
=== Holding === | === Holding === | ||
The AEPD | The AEPD upheld the complaint. | ||
First, the AEPD concluded that the controller violated [[Article 12 GDPR#2|Article 12(2)]] and [[Article 12 GDPR#3|Article 12(3) GDPR]]. The DPA stipulated that the entitlement verification process must take place '''only when there are reasonable doubts''' regarding the identity of the person who made the request, and that this verification request must be necessary and appropriate. The controller did not prove the existence of reasonable doubts that justified the request of additional information to verify the data subject's identity. Instead, it was their standard procedure to ask for an ID. The AEPD stressed that it is clear from the case at hand that there are no doubts about the identity of the applicant, since the request for access to personal data was made from the same e-mail address used by the data subject when he registered an account, and uploaded his CV, on their web portal. Additionally, the controller only actually complied with the access request after the DPA had started to investigate the complaint. | |||
Second, the AEPD concluded that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. It stated that the controller's procedure to comply with the rights of data subjects goes ''beyond'' of what is laid down in the GDPR. Hence, this results in inappropriate personal data processing activities that are not relevant and not necessary for the purpose of the case, and is contrary to what [[Article 25 GDPR]] states regarding the context, risk and purposes of the processing activities. | |||
Third, the AEPD considered the seriousness of the case and decided to impose a fine for both violations. Regarding the fine for the violation of [[Article 12 GDPR]], the DPA stated that the nature of the infringement affected the data subject to "''exercise real control''" over her personal data. Moreover, this violation was the result of a lack of an adequate procedure in place to deal with such requests. The DPA concluded that a fine of €50,000 was sufficient. Regarding the fine for the violation of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], the DPA stated that nature of the violation was very serious, due to the fundamental aspect of the data minimisation principle, as well as the number of affected data subjects. Moreover, it considered the fact that the violation occurred because of the controller's negligence, and the absence of an adequate procedure to comply with the data protection principles. The DPA concluded that a fine of €250,000 was sufficient. | |||
Therefore, the DPA imposed a fine of €300,000 on the controller pursuant to [[Article 58 GDPR#2|Article 58(2) GDPR]]. Moreover, it ordered the controller to bring its processing operations into compliance pursuant to [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]]. | |||
== Comment == | == Comment == | ||
'' | '''On sharing info with other DPA's - IMI System''' | ||
In Article 60 cases (where there is cooperation between the lead DPA and other DPA's), the DPA's share information via the so-called IMI System. The AP corresponded information on the case via this system initially, and also the draft- and final decision where shared in this system for other DPA's to provide comments. In this procedure, many DPA's "declared their interest", namely the DPA's of the Netherlands; Belgium; Ireland; Poland; Italy; Hungary; Portugal; Cyprus; Austria, as well as the German states North Rhine-Westphalia; Rhineland-Palatinate, Mecklenburg-Western Pomerania; Berlin; and Bavaria. | |||
== Further Resources == | == Further Resources == | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' |
Latest revision as of 11:58, 16 March 2022
AEPD (Spain) - PS/00003/2021 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(16) GDPR Article 5(1)(c) GDPR Article 12(2) GDPR Article 12(3) GDPR Article 12(6) GDPR Article 25 GDPR Article 32 GDPR Article 56(1) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 23/12/2018 |
Decided: | |
Published: | 25/02/2022 |
Fine: | 300000 EUR |
Parties: | PageGroup Europe |
National Case Number/Name: | PS/00003/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Jennifer Vidal |
The Spanish DPA fined PageGroup Europe €300,000 for violating Articles 12 and 5(1)(c) GDPR, because it lacked an adequate procedure to comply with data subjects' rights, and required data subjects to provide additional identification documentation, without there being reasonable doubt regarding their identity.
English Summary
Facts
The controller is Michael Page International, a company based in the United Kingdom, and the parent company of the PageGroup business group. It is an employment agency and operates under various brands, including “Michael Page”. It has subsidiaries in many European countries, with the Dutch subsidiary being the Michael Page entity International - Nederland B.V. The data subject, who is a Dutch citizen that had created an account and had uploaded her CV on the web portal of the controller, submitted an access request on 28 September 2018. The controller, however, requested the data subject's ID to verify the identity of the data subject. Since the data subject found this request to be excessive, she lodged a complaint with the Dutch DPA (AP).
After the AP contacted the Dutch subsidiary, the subsidiary explained that, although the corporate group's headquarters are located in the United Kingdom, the legal department (compliance team, responsible for managing access requests exercised by data subjects) is located in Barcelona, Spain. Hence, according to the Spanish DPA (AEPD), this establishment is the main establishment by the definition of Article 4(16) GDPR, and therefore declared its competency to act as the lead supervisory authority under Article 56(1) GDPR.
The AEPD then investigated the controller's procedure of dealing with access requests and concluded that these procedures complied with the GDPR. Hence, the DPA considered that there were no indications of infringement and that no further action was necessary. After sharing this draft decision with the other interested DPA's (see more info in comment), the Portuguese DPA (CNPD) and The Berlin DPA (BInBDI) opposed this conclusion after reviewing the contents of the Draft Resolution as interested authorities. They considered that there were multiple violations (Articles 12, 5(1)(c), 25, and 32 GDPR) because, in order to make access to data subjects' personal data feasible, additional information should only be requested in case of doubts about the identity of the interested party.
The AEPD then reconsidered their initial decision.
Holding
The AEPD upheld the complaint.
First, the AEPD concluded that the controller violated Article 12(2) and Article 12(3) GDPR. The DPA stipulated that the entitlement verification process must take place only when there are reasonable doubts regarding the identity of the person who made the request, and that this verification request must be necessary and appropriate. The controller did not prove the existence of reasonable doubts that justified the request of additional information to verify the data subject's identity. Instead, it was their standard procedure to ask for an ID. The AEPD stressed that it is clear from the case at hand that there are no doubts about the identity of the applicant, since the request for access to personal data was made from the same e-mail address used by the data subject when he registered an account, and uploaded his CV, on their web portal. Additionally, the controller only actually complied with the access request after the DPA had started to investigate the complaint.
Second, the AEPD concluded that the controller violated Article 5(1)(c) GDPR. It stated that the controller's procedure to comply with the rights of data subjects goes beyond of what is laid down in the GDPR. Hence, this results in inappropriate personal data processing activities that are not relevant and not necessary for the purpose of the case, and is contrary to what Article 25 GDPR states regarding the context, risk and purposes of the processing activities.
Third, the AEPD considered the seriousness of the case and decided to impose a fine for both violations. Regarding the fine for the violation of Article 12 GDPR, the DPA stated that the nature of the infringement affected the data subject to "exercise real control" over her personal data. Moreover, this violation was the result of a lack of an adequate procedure in place to deal with such requests. The DPA concluded that a fine of €50,000 was sufficient. Regarding the fine for the violation of Article 5(1)(c) GDPR, the DPA stated that nature of the violation was very serious, due to the fundamental aspect of the data minimisation principle, as well as the number of affected data subjects. Moreover, it considered the fact that the violation occurred because of the controller's negligence, and the absence of an adequate procedure to comply with the data protection principles. The DPA concluded that a fine of €250,000 was sufficient.
Therefore, the DPA imposed a fine of €300,000 on the controller pursuant to Article 58(2) GDPR. Moreover, it ordered the controller to bring its processing operations into compliance pursuant to Article 58(2)(d) GDPR.
Comment
On sharing info with other DPA's - IMI System
In Article 60 cases (where there is cooperation between the lead DPA and other DPA's), the DPA's share information via the so-called IMI System. The AP corresponded information on the case via this system initially, and also the draft- and final decision where shared in this system for other DPA's to provide comments. In this procedure, many DPA's "declared their interest", namely the DPA's of the Netherlands; Belgium; Ireland; Poland; Italy; Hungary; Portugal; Cyprus; Austria, as well as the German states North Rhine-Westphalia; Rhineland-Palatinate, Mecklenburg-Western Pomerania; Berlin; and Bavaria.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/37 File No.: PS/00003/2021 RESOLUTION OF PUNISHMENT PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: Dated 03/03/2020, through the “Market Information System Interior” (hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose objective is to promote cross-border administrative cooperation, mutual assistance between the Member States and the exchange of information, was received in this Spanish Agency for Data Protection (AEPD) a claim dated 12/23/2018, formulated by A.A.A. (hereinafter the claimant) before the authority of Netherlands data protection (Autoreit Persoonsgegevens -AP). The transfer of This claim to the AEPD is made in accordance with the provisions of article 56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (as successive General Data Protection Regulation or RGPD), taking into account its cross-border nature and that this Agency is competent to act as main controlling authority. The aforementioned claim is made against the entity "Michael Page International" for the following reasons: . The claimant, a Dutch citizen, opened an account in the Dutch version of the web portal of Michael Page International, accessible at the URL “***URL.1”, and sent by that channel, in March 2018, a Curriculum Vitae (CV) to obtain a position of work offered by the Dutch branch of the group PageGroup. a few months later, he requested access to his personal data through the e-mail address indicated in the Privacy Policy of the web portal, “***EMAIL.1”. In response to the aforementioned request for access, initially, the entity responsible required the claimant to contribute (...). However, after protesting the applicant, who considered the request for documentation excessive, Michael Page International rectified (…). . The claimant considers that there is no reason to request that information identification, (...), nor to send a CV in order to apply for a job. The claimant understands that authenticated access to the account, which is still active, should be sufficient to understand exercised the right of conformity and accredited the identity of the applicant in a system such as the one used by the person in charge, based on the use of a private account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 2/37 A copy of the correspondence maintained by the complainant with the data controller following the request for access, formulated on 09/28/2018, which was also attached. this correspondence It is outlined in Proven Facts 4 to 9. The documentation for this claim was completed through an assistance volunteer in IMI, sent by the entity Autoreit Persoonsgegevens dated 05/12/2020, incorporating the query that the Dutch authority made to the establishment that the PageGroup group has in the Netherlands (Michael Page International - Nederland Bv), in the Dutch language, on decision making related to the means and purposes of the processing of personal data that affect residents of the Member States. In the response offered by that establishment to the aforementioned query, in the English, it is indicated that, despite the fact that the headquarters of the business group is in United Kingdom, the department in charge of managing requests for access for continental Europe is the Legal Compliance team, located in the Shared Services located in Barcelona (Spain). The mailing address of said department is indicated in the Privacy Policy of the Dutch version of the web page of the person in charge, accessible at the URL “***URL.2”. According to said answer, the Spanish establishment of the business group would be the main establishment, in the sense of the definition of article 4.16 of the GDPR. Thus, in accordance with the provisions of article 56.1 of the RGPD, dated 05/21/2020, the AEPD declared itself competent to act as a control authority main (LSA). According to the information included in the IMI System, in accordance with the established in article 60 of the RGPD, have declared themselves interested in this procedure, in addition to the control authority that has communicated the case (Countries the Netherlands), those of Belgium, Ireland, Poland, Italy, Hungary, Portugal, Cyprus and Austria, as well such as the German regions of North Rhine-Westphalia, Rhineland-Palatinate, Mecklenburg-Western Pomerania, Berlin and Bavaria Private Sector. SECOND: In accordance with the procedure established in the internal national legislation (article 64.3 of Organic Law 3/2018, of December 5, on Data Protection Personal Rights and Guarantee of Digital Rights -LOPDGDD), dated 06/11/2020, the AEPD transferred the aforementioned claim to the Spanish establishment of the group PageGroup based in ***LOCALITY.1, that is, the company PAGE GROUP EUROPE, S.L. (hereinafter PAGE GROUP EUROPE or claimed entity), to that within a period of one month prove that they have responded to the request of the claimant, report on the causes that led to the incidence produced and detail the measures adopted to avoid similar situations. In response to this request, PAGE GROUP EUROPE provided the communications maintained with the claimant and stated the following: . They explain that they are a company that is part of a business group dedicated to Human Resources services, specifically, to the selection of personnel. for this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 3/37 reason, they process personal data of a large number of candidates in many countries of the world, being very common the exercise of rights by candidates. For the processing of the corresponding requests, in compliance of its duty of confidentiality and secrecy, has implemented a strict process of identity verification to ensure that candidates' personal data is not are transferred to third parties, who have been able to obtain the access credentials of people registered in their systems with the purpose of supplanting their identity and make the request on your behalf, through phishing attacks or social engineering. In the particular case of the claimant, they have not tried to put obstacles to the exercise of your rights, but to protect your personal data. (...). (...). On this question, provide a copy of the "Answer Models" used currently to verify the identity of the interested parties. (...). Subsequently, by letter dated 08/14/2020, this Agency requested PAGE GROUP EUROPE “copy of the response to the request for access raised by the claimant, since his identity has been proven through the process of claim, initiated before the control authority of the Netherlands and continued in this Agency”. After this request, the aforementioned entity proceeded to answer the request for access made by the claimant and provided this Agency with a copy of the communication, dated 08/27/2020, through which it informs it about the aspects of the treatment established in article 15 of the RGPD, as well as the annex with the personal data of the claimant in their possession. In the writing of response to this Agency indicates that the information was sent by mail electronic. THIRD: After reviewing the response provided by the claimed company, outlined in the previous Fact, this Agency appreciated that, at present, the procedures followed by PAGE GROUP EUROPE for the attention of rights in terms of data protection, in relation to the identification of applicants, conform to the applicable regulations. (...). In addition, it was taken into account that, after the intervention of this Agency, the request for claimant's access was addressed. Consequently, it was considered that there were no indications of infringement and that there was no no further action was necessary, nor was it necessary to urge the adoption of measures additional, therefore, on 11/10/2020, a Draft Resolution of claim file (Draft decision). FOURTH: On 11/10/2020, the Draft Decision was incorporated into the IMI System so that the interested authorities could express themselves in this regard. At the end of the established term, they formulated objections to the aforementioned file project the data protection authorities of Portugal (CNPD) and Berlin (The Berlin Commissioner for Data Protection and Freedom of Information -Berlin DPA). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 4/37 The CNPD states that PAGE GROUP EUROPE has implemented a rights attention procedure (...)., not having specified that in the case of the claimant had doubts regarding her identity. Consider that the The aforementioned entity has not adjusted its actions to the provisions of article 12.2 of the RGPD, which obliges the controller to facilitate the exercise of rights, unless can identify the applicant, in which case article 12.6 of the RGPD allows requesting additional identifying information. The CNPD also understands that the procedure followed by the entity responsible does not protect the data of the applicants, since the treatment of the documents identification requirements increases the risks for those affected (eg possible use for identity theft); (...). The Portuguese authority thinks that this violates the principle of minimization (article 5.1.c) of the RGPD), that of privacy by default and from the design (article 25 of the RGPD) and that of security measures (article 32 of the GDPR). The CNPD advocates a less intrusive way of verifying the identity of the applicant (e.g. electronic identification or submit the application through the account of user together with an additional authentication factor sent by a different channel). Berlin DPA, for its part, also appreciates infringement of article 12 of the RGPD, paragraphs 2, 3 and 6, for reasons similar to those stated by the Portuguese authority. Considers that additional information should only be requested if there are doubts about the identity of the interested party, requesting necessary and appropriate information for that verification, based on the applicant's available data; and do not share alleged justification on the possible risk of spoofing e-mail addresses. Likewise, (...), Berlin DPA understands that it cannot be used to carry out verifications, or, at least, it would not be the most appropriate way, and declares itself in accordance with the the claimant's appreciation according to which the registered access to the private account it would be more than enough. Berlin DPA points out a possible infringement of article 12.3 of the RGPD because the person in charge did not answer within a month counted from the remission of the request. He opposes the claim being rejected and considers it appropriate to identify the infractions and adopt corrective actions against the person in charge, so that it can correct their procedures to avoid putting the rights of others at risk applicants or the obstacles in their exercise. FIFTH: The objections raised by the authorities of the protection of data indicated in the previous Antecedent and, on 12/11/2020, it was agrees to admit for processing the claim communicated by the authority for the protection of data from the Netherlands (Autoreit Persoonsgegevens -AP), for the alleged infringement of what is established in article 15 of the RGPD, without prejudice to what may be determined in the course of processing said claim. SIXTH: Dated 02/26/2021, by the General Subdirectorate for Data Inspection you access the website "www.michaelpage.es" and obtain information available on PageGroup. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 5/37 In the corporate information that appears in the “Who we are” section of said website indicates: “PageGroup is the leading international consulting firm in the selection of qualified managers, intermediate and managers on a temporary and indefinite basis. It was established in the UK in 1976 and since 2001 listed on the London Stock Exchange. With a network of 140 own offices, We operate in 36 countries around the world. In Spain we offer nationwide coverage with physical offices in Madrid, Barcelona, Valencia, Seville, Bilbao and Zaragoza through the which we provide recruitment services and career opportunities at the local, regional and global. Within the group we have different brands, each an expert in its market” (...). (...). (...). SEVENTH: Dated 06/02/2021, in accordance with the provisions of article 64 of the LOPDGDD, sections 2 (third paragraph) and 3, a draft resolution of start of sanctioning procedure, motivated by the claim received through the IMI system that is outlined in the First Precedent. This project takes consideration the objections outlined in the Fourth Precedent (draft of revised decision). Following the procedure established in article 60 of the RGPD, dated 03/13/2020, the aforementioned project to open the sanctioning procedure was transmitted via the IMI System to the supervisory authorities concerned, letting them know that, in the event that no objections are raised within the two weeks from the consultation, the mandatory agreement to open the penalty procedure. None of the control authorities concerned has raised any objection to the draft agreement to open sanctioning proceedings adopted by the AEPD, understanding, therefore, that there is an agreement on it. EIGHTH: On 06/29/2021, the Director of the Spanish Protection Agency of Data agreed to initiate a sanctioning procedure against the entity PAGE GROUP EUROPE, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of 1 of October, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), for the alleged violation of articles 5.1.c) and 12 of the RGPD, typified in articles 83.5.a) and b) of the same Regulation, respectively; determining that the sanction that could correspond would amount to a total of 300,000 euros (250,000 euros for the infringement of article 5.1.c) and 50,000 euros for the infringement of article 12, both of the RGPD), without prejudice to what results of instruction. In the same agreement to open the procedure, it was warned that the infractions imputed, if confirmed, may lead to the imposition of measures, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 6/37 NINTH: Notification of the aforementioned initial agreement and extension of the term granted for make allegations, PAGE GROUP EUROPE filed a brief dated 07/21/2021, in which he requests that the initial criteria of the AEPD be maintained and that the file be agreed of the sanctioning procedure or, alternatively, that the fine be reconsidered proposal assessing the warning provided by the regulations. In short, the aforementioned entity bases its request on the following considerations: 1. Previously, it highlights the good faith and willingness to comply that has governed its actions and the internal policies applied, and expresses its intention to contribute with their allegations more information and clarity on the case, despite the fact that it entails a waiver of application of the proposed sanction reduction, in the convinced that they have followed the recommendations of the authorities and that their motivation was none other than an excess of zeal in the protection of personal data not to deliver data to a person other than the real owner of the data. He adds that the The question raised has to do with an interpretation of the norm, still recently application. 2. Understands contradictory that is expressed in the Foundations of Law of the opening agreement that the result of the transfer process “was not satisfactory”, when in the Second and Third Records it is indicated that the respondent gave response to the request for access made by the claimant, (...), concluding that there were no indications of infringement nor was it necessary to adopt measures additional. Based on this, it requests that the documents in the file be reviewed again. file, clarifying in this regard, in the event that that statement is motivated by the absence of a response to the first requirement of the authority of Netherlands, which in June 2019 provided access to the address ***EMAIL.2 to people from the Legal Compliance team on a temporary basis, (...), although, for some technical reason the connection was not effective until the end of August, without it being possible to retrieve emails received in the meantime. As soon as you became aware that the data protection authority of The Netherlands (Autoreit Persoonsgegevens -AP) had sent 2 emails on 07/23/2019, proceeded to contact it, although there is no record of having received a response. Subsequently, on 08/30/2019, the entity Autoreit Persoonsgegevens sent a letter directly to Michael Page International - Nederland Bv, to which he gave reply dated 09/27/2019. 3. In relation to the alleged infringement of article 5.1.c), he values the review of its internal policies that it carried out in 2016-2018 to adapt them to the new regulations, on which there were no guiding criteria at the time of interpret novel concepts such as the principle of data minimization or the privacy by design or by default, so it tried to combine measures and recommendations that remained in force with an interpretation of the new regulation aimed at strict compliance with it. (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 7/37 (...). (...). On the other hand, on the interpretation that Berlin DPA makes on the appropriate form To verify the identity of the interested parties who exercise a right, the entity claimed understands that such assessments derive from the local idiosyncrasy and can be motivated by historical issues, inherited from previous local regulations, cultural or compliance aspects, which will be defined and homogenized in the next years. (...). (...). On the other hand, the respondent entity claims to have studied that the authority of Countries The Netherlands has been active in regards to the illegal treatment of the BSN (number of personal identification) and has taken various enforcement measures prior to entry in force of the RGPD, among them: . Airbnb illegally treated the BSN (through complete copies of the documents of identity) and the DPA published its conclusions on the matter. No fine was imposed nor was any investigative report published after Airbnb changed its operations. . A freight company called Nippon Express processed copies complete identity documents and BSNs of the truck drivers entering on the premises to pick up the cargo. This was illegal according to the Dutch DPA and published an investigative report without sanctioning the company after modifying its procedures. As can be understood, and will be developed later, the claimed entity does not derives no benefit from delaying or allegedly hindering the exercise of a right that implies the delivery of information to the interested party. It's not about a low in a service or an opposition to a certain treatment that the entity had an interest in keeping. (...). Based on this, he requests that the allegations of the Berlin DPA and the CNPD be reconsidered. that changed the criteria of the AEPD, which decided to file the file as it did not appreciate intentionality in the action carried out by PAGE GROUP EUROPE, for the absence of benefit and the improvement implemented. (...). Considering this absence of further treatment and that the treatment carried out was very limited in time, as was the access to the information in question, the entity complained against considers that what is indicated in Considering 156 of the RGPD: “The conditions and guarantees in question may entail procedures specific for the interested parties to exercise said rights if it is appropriate to the light of the purposes pursued by the specific treatment, together with the measures C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 8/37 technical and organizational measures aimed at minimizing the processing of personal data attending to the principles of proportionality and necessity”; understood, after study it, that this measure was necessary, proportional and appropriate to protect the rights of the interested party. 5. With the aforementioned requirement, the respondent did not try to delay, hinder or hinder the exercise of rights by the affected party, nor did he obtain benefit from that practice, which required designing a specific procedure and investing resources in management and monitoring. If finally, it is determined that such procedure does not was designed correctly, the only thing that can be blamed is an excess of zeal in its willingness to comply, to ensure that data was not delivered to person other than its owner, but not that with this request they wanted to put obstacles to exercise. (...). 6. Regarding the alleged infringement of article 12 of the RGPD, the complainant formulates allegations with which it intends to respond to the arguments put forward manifest by the data protection authorities of Berlin and Portugal, without begins by insisting that the entity treats requests for access with care because they are not frequent in their activity, since it is the interested parties themselves who directly provide their personal data and have the information at their disposal. available in your personal area. Regarding what was indicated by Berlin DPA, which does not share the possible risk of impersonation of e-mail addresses, the claimed one shows that there are studies and statistics that demonstrate the hypothesis that the request for the right of GDPR access can be a point of vulnerability to engineering attacks Social. And adds: “To cite some of the aforementioned studies, James Pavur (DPhil Researcher Oxford University) and Casey Knerr (Security Consultant Dionach LTD) indicate in their publication “GDPArrrrr: Using Privacy Laws to Steal Identities” (the translation is ours for the purposes of homogeneity in the document language): “In this work, we have hypothesized that the right to request access can be a point of vulnerability to social engineering attacks. through an experiment spanning 150 organizations, we demonstrated the real-world feasibility of such attacks. We found that a large proportion of organizations do not adequately verify the identity of origin of access requests and that, as a result, the information deeply sensitive can be acquired in a repeatable and scalable manner by engineering Social. We suggest a series of corrective measures focused on individuals, companies and legislators, to help mitigate these attacks. (…) Applying for a government-issued photo ID is probably the most solid way of preventing this attack. However, organizations that are unable to adequately protect this data, or to verify its authenticity, should consider the possibility of subcontracting these services to a third party. Companies should also periodically evaluate their process for requesting access to the subject for vulnerabilities and train individual service representatives on the detection and response to such attacks. Incorporating access requests C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 9/37 malicious…” Recital 64 of the RGPD itself establishes that "the data controller must use all reasonable measures to verify the identity of the interested parties requesting access. Likewise, article 12.6 of the RGPD establishes that “When the person responsible for the treatment has reasonable doubts in relation to the Identity of the natural person making the request referred to in articles 15 to 21, you may request that additional information necessary to confirm the identity of the interested party. In Spain, the need to provide the DNI or equivalent document by the interested party was provided for in article 25 of the repealed, almost in its entirety, Real Decree 1720/2007. Said article indicated that the communication of the exercise of rights addressed to the controller should be accompanied by a photocopy of the national identity document of the interested party, or his passport or other document valid to identify you. The Spanish Agency for Data Protection (AEPD), in its "Guide for the Citizen” indicates that, “if the person in charge has doubts about the identity of the interested, you may request additional information to confirm it, such as the photocopy of ID, passport or other valid document. Likewise, the forms that the AEPD designed as models for the exercise of rights and which presents as models to be used by citizens, include the following statement: "two. It will be necessary to provide a photocopy of the D.N.I. or equivalent document that proves identity and is considered valid in law, in those cases in which the person in charge has doubts about his identity. In case of acting through Legal representation must also provide a DNI and a document accrediting the representation of the representative”. Therefore, it is a common practice, at least in Spain, the residence of our company, which does not violate the principle of data minimization, which requires that the personal data is adequate, pertinent and limited to what is necessary in relation to with the purposes for which they are processed. (...). (...). (...). 7. Emphasizes once again the good faith and degree of collaboration shown, having modified the internal rights management procedure as follows: (...). (...). 8. Refers to the filing of the proceedings initially adopted by the AEPD and the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 10/37 objections from the Portuguese (CNPD) and German (Berlin DPA) authorities, to put reveals the uncertainty caused by the lack of unity of criteria to verify online identity during the management of an access right. The RGPD does not establish, as the previous regulation did, the list of security measures. security that those responsible must adopt; now each person in charge must carry out your own risk analysis and determine what measures you need to take to mitigate them, and this was recognized by the AEPD, (...). This is an interpretation made based on risk analysis and from the good faith and the conviction of a good performance, applying the principles of minimization, privacy by design and by default, on a specific subject (request for identification in the right of access) on which there is no criterion or guide published. 9. Regarding the graduation criteria of the sanction, it states the following: . The negligence in the commission of the infraction must be appreciated when the conduct is away from recognized standards and, (...). In addition, he considers that it should be taken into account account the proactive attitude and demonstrated improvement. (...). . The assessment of the number of interested parties must consider the requests for exercises of rights received since the RGPD is fully applicable, already detailed. . It is the first time that the claimed entity is the subject of a procedure sanctioning party, thus far complying with the obligations set forth in the regulations applicable, as well as the criteria established by the supervisory authorities. In this regard, it requests that the imposition of a special warning be assessed attention to the nature, low seriousness and short duration of the infringement, to its unintentional character, to the measures taken to alleviate the damages suffered and the degree of responsibility demonstrated by the entity. PAGE GROUP EUROPE, with its statement of arguments at the opening of the procedure, provided the following documents: . Copy of the document called “Data request process of the RGPD of the EU". The provisions it contains on the validation of requests for rights and verification of the identity of the applicants are outlined in Fact tested 12. . Record of emails received during the interim of the technical failure in email from the DPD. . Mail dated 08/26/2019, sent to the authority of the Netherlands requesting the sending of missed communication. . Mail with the documentation sent in September 2019 to the authority of Netherlands data protection. TENTH: On 11/24/2021, a resolution proposal was issued in the sense following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 11/37 1. That the Director of the AEPD sanction PAGE GROUP EUROPE, for a infringement of article 12 of the RGPD, typified in Article 83.5.b) of the RGPD and classified as minor for prescription purposes in article 74.c) of the LOPDGDD, with a fine amounting to 50,000 euros (fifty thousand euros). 2. That the Director of the AEPD sanction PAGE GROUP EUROPE, for a infringement of article 5.1.c) of the RGPD, typified in article 83.5.a) and qualified as very serious for prescription purposes in article 72.1.a) of the LOPDGDD, with a fine amounting to 250,000 euros (two hundred and fifty thousand euros). The aforementioned resolution proposal was notified to the entity PAGE GROUP EUROPE on the same date of 11/24/2021. In this notification, said entity was informed that, in accordance with the provisions of article 85.2 of the LPACAP, may, in any time prior to the resolution of the procedure, carry out the payment voluntary of the proposed penalty, which would mean a reduction of 20% of the amount of it. With the application of this reduction, the sanction would be established at 240,000 euros (two hundred and forty thousand euros) and its payment would imply the termination of the procedure. Likewise, it was noted that the effectiveness of this reduction is conditional upon the withdrawal or waiver of any action or remedy administratively against the sanction. ELEVENTH: On 12/02/2021, the claimed party has proceeded to pay the the sanction in the amount of 240,000 euros, making use of the reduction foreseen in the Article 85 of the LPACAP, which implies the termination of the procedure and entails the waiver of any administrative action or recourse against the sanction. TWELFTH: On 12/03/2021, this Agency received a document of the entity PAGE GROUP EUROPE, of 12/02/2021, through which it provides a copy of the receipt of the payment made, with which it intends to "close" the process. In this same letter, the aforementioned entity warns about the confidentiality of internal corporate processes. Of the actions carried out in this procedure and the documentation in the file, the following have been accredited: PROVEN FACTS 1. The entity Michael Page International is a company based in the United Kingdom, parent company of the PageGroup business group. It is dedicated to the selection of personnel and operates under various brands, including “Michael Page”. It has subsidiaries in many European countries, with the Dutch subsidiary being the Michael Page entity International - Nederland B.V. One of the Spanish subsidiaries of the Group, with headquarters in ***LOCALIDAD.1, PAGE GROUP EUROPE, S.L., is responsible, through its Compliance department Legal, to manage requests for the exercise of rights in terms of protection C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 12/37 of personal data that the interested parties formulate before the entities of the group PageGroup in Europe. The postal address of this Spanish subsidiary is indicated as data of contact for the exercise of these rights in the Privacy Policy of the entity, both in Spain and in the Netherlands version. 2. PageGroup websites include a form enabled for users to Interested parties can send their CV to the corresponding subsidiary entity. 3. The claimant, a Dutch citizen, opened an account on the web portal of Michael Page International - Nederland B.V., accessible at the URL “***URL.1”, and referred by that channel, in March 2018, a Curriculum Vitae (CV) to obtain a position of job offered by this Dutch subsidiary of the PageGroup group. 4. By email dated 09/28/2018, sent from the address “***EMAIL.3”, the same one that is registered in the PageGroup database, the claimant requested access to their personal data, expressly detailing in their request to be sent a copy of your data and your interest in knowing the purposes for which that the data is processed, the categories of personal data submitted to treatment, the recipients, as well as the legal basis of each operation of treatment. Said email was sent to the address “***EMAIL.1”, which coincides with the one indicated for such purposes in the Privacy Policy accessible through of the web portal. In this email, the claimant warns that she receives regular emails from the entity and that this proves that it has your personal data. 5. By email dated 10/02/2018, sent from the address “***EMAIL.1”, PageGroup responded to the complainant's email dated 09/28/2018 noting that in order to meet the request for access made, it was necessary confirm your identity and prove your address. (...). It is also indicated that said documentation can be sent to the address “***EMAIL.1” or to the department of Legal Compliance, by postal mail addressed to the address of PAGE GROUP EUROPE in ***LOCATION.1. (...). (...). 7. On 10/22/2018, the Legal Compliance Department of PageGRoup sent an email to the claimant, from the address “***EMAIL.1”, in the who reiterate the need to verify their identity and insist on the request for previous documentation. 8. Dated 11/11/2018, by email sent to the address “***EMAIL.1”, the claimant, after summarizing the facts and highlighting her interest in know the communications of personal data made to third parties and the data concrete shared, reiterated its previous statements on the documentation required to meet that request, which he considers excessive, and warned about the possibility of making a claim before the data protection authority of the countries Low. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 13/37 9. On 11/12/2018, PageGRoup's Legal Compliance Department sent an email to the claimant, from the address “***EMAIL.1”, reporting that they have reviewed their (...). 10. By letter dated 08/14/2020, this Agency requested PAGE GROUP EUROPE “Copy of the response to the request for access made by the claimant, all Once your identity has been proven through the claim process, initiated before the control authority of the Netherlands and continued in this Agency”. Following this request, the aforementioned entity proceeded to respond to the request for access formulated by the claimant and provided this Agency with a copy of the communication, dated 08/27/2020, which responds to the request for access made by the claimant, as well as the annex with the personal data of the same that are in power of PageGroup. In the response letter to this Agency, it is indicated that the Information was sent by email. (...). (...). 12. The entity PAGE GROUP EUROPE, with its brief of allegations at the opening of the procedure, has provided a copy of the document called "Process of EU GDPR data request. (...). (...). (...). (...). Regarding the delivery of the document through which the right of access and the corresponding information is provided to the interested party, the procedure designed by the claimed entity contemplates its sending by email, protected with a password that is sent in a different mail. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of Control and, as established in articles 47, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate this procedure. Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of the RGPD, in this organic law, by the regulatory provisions issued in its C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 14/37 development and, in so far as they are not contradicted, on a subsidiary basis, by the rules general administrative procedures. Sections 1) and 2), of article 58 of the RGPD, list, respectively, the investigative and corrective powers that the supervisory authority may provide to the effect, mentioning in point 1.d), that of "notifying the person in charge or in charge of the treatment of alleged violations of this Regulation”; And in 2.i), the “impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case". The case examined is motivated by a cross-border claim filed with the Dutch data protection authority (Autoreit Persoonsgegevens -AP), against a business group based in the United Kingdom. However, the department in charge of managing requests for access for continental Europe is the Legal Compliance team of the Group subsidiary PAGE GROUP EUROPE, based in Spain. This Spanish establishment PageGroup is the principal establishment of the Group, within the meaning of the definition of the article 4.16 of the RGPD. Thus, in accordance with the provisions of article 56.1 of the RGPD, the AEPD is the competent authority to act as the main control authority. The following "definitions" established in article 4 of the GDPR: “16) main establishment: a) with regard to a data controller with establishments in more than one Member State, the place of its central administration in the Union, unless the decisions about the purposes and means of the treatment are taken in another establishment of the person in charge in the Union and the latter establishment has the power to enforce such decisions, in in which case the establishment that has adopted such decisions will be considered main establishment. “21) supervisory authority: the independent public authority established by a State member in accordance with the provisions of article 51”. “22) interested control authority: the control authority that is affected by the treatment of personal data because: a.- The controller or processor is established in the territory of the State member of that control authority; b.- Interested parties residing in the Member State of that control authority are substantially affected or likely to be substantially affected by the treatment, or c.- A claim has been filed with that control authority”. “23) cross-border treatment: a) the processing of personal data carried out in the context of the activities of establishments in more than one Member State of a person in charge or a person in charge of the processing in the Union, if the controller or processor is established in more than one Member state, or b) the processing of personal data carried out in the context of the activities of a single establishment of a controller or a processor in the Union, but which affects substantially or is likely to substantially affect data subjects in more than one State member". C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 15/37 According to the information included in the IMI System, in accordance with the established in article 60 of the RGPD, in this procedure they act in quality of "interested control authorities" the data protection authorities personals from the Netherlands, Belgium, Ireland, Poland, Italy, Hungary, Portugal, Cyprus and Austria, as well as the German regions of North Rhine-Westphalia, Rhineland- Palatinate, Mecklenburg-Western Pomerania, Berlin and Bavaria Private Sector. II Article 56.1 of the RGPD, regarding the "Competence of the supervisory authority main”, states the following: "1. Without prejudice to the provisions of article 55, the control authority of the establishment main or sole establishment of the controller or processor will be competent to act as lead supervisory authority for cross-border processing carried out by said person in charge or person in charge in accordance with the established procedure in article 60”. Said article 60 regulates the "Cooperation between the main control authority and the other interested control authorities”: "1. The main control authority will cooperate with the other control authorities stakeholders in accordance with this article, striving to reach a consensus. The main control authority and the control authorities concerned will exchange all relevant information. 2. The main control authority may at any time request other authorities of Control interested parties that provide mutual assistance in accordance with article 61, and may carry out conduct joint operations under article 62, in particular to carry out investigations or supervise the application of a measure related to a person in charge or a processor established in another Member State. 3. The main control authority shall promptly notify the other control authorities relevant information in this regard. It will transmit without delay a project of decision to the other control authorities concerned to obtain their opinion on the matter and will take due account of their views. 4. In the event that any of the interested control authorities raises an objection relevant and reasoned information on the draft decision within four weeks from consultation pursuant to paragraph 3 of this article, the lead supervisory authority will submit the matter, in case it does not follow what is indicated in the pertinent and motivated objection or considers that said objection is not pertinent or is not motivated, to the coherence mechanism referred to in article 63. 5. In the event that the main supervisory authority plans to follow what is indicated in the objection pertinent and reasoned received, it will submit to the opinion of the other control authorities stakeholders a revised draft decision. This revised draft decision is will submit to the procedure indicated in section 4 within a period of two weeks. 6. In the event that no other interested supervisory authority has objected to the draft decision transmitted by the main supervisory authority within the period indicated in the paragraphs 4 and 5, it will be considered that the main supervisory authority and the authorities of Stakeholders are in agreement with said draft decision and will be bound by East. 7. The main control authority will adopt and notify the decision to the main establishment or to the sole establishment of the person in charge or the person in charge of the treatment, as appropriate, and shall inform the interested control authorities and the Committee of the decision, including a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 16/37 summary of relevant facts and motivation. The supervisory authority before which the submitted a claim will inform the claimant of the decision. (…) 12. The main supervisory authority and the other interested supervisory authorities will reciprocally provide the information required within the framework of this article by electronic means, using a standardized form. On the issues regulated in these precepts, what is stated in Recitals 124, 125, 126 and 130 of the RGPD, in particular the following: (124) “… Said authority (the main authority) must cooperate with the other authorities interested…”. (125) “As the lead authority, the supervisory authority must closely involve and coordinate the control authorities interested in the decision-making process”. (126) “The decision must be agreed jointly by the main control authority and the interested control authorities…”. (130) “When the supervisory authority before which the claim has been filed is not the lead supervisory authority, the latter must cooperate closely with the former with in accordance with the provisions on cooperation and coherence established in this Regulation. In such cases, the lead supervisory authority, by taking measures designed to produce legal effects, including the imposition of administrative fines, must take into account account to the greatest extent possible the opinion of the supervisory authority before which the filed the claim and which must remain competent to perform any investigation on the territory of its own Member State in liaison with the supervisory authority competent". In accordance with the provisions of article 4.24 of the RGPD, it is understood by “pertinent and motivated objection” the following: “The objection to a proposal for a decision on the existence or not of an infringement of this Regulation, or on the conformity with the present Regulation of actions foreseen in relationship with the person in charge or the person in charge of the treatment, which clearly demonstrates the significance of the risks posed by the draft decision to the rights and freedoms of the interested parties and, where appropriate, for the free circulation of personal data within the Union”. In accordance with the provisions of the previous rules, in this case, referred to a claim filed with the supervisory authority of a State member (Netherlands), in relation to processing in the context of activities of an establishment of a person in charge that affect or are likely to affect substantially to data subjects in more than one Member State (data processing cross-border), the main control authority, in this case the Spanish Agency of Data Protection, is obliged to cooperate with the other authorities interested. The Spanish Agency for Data Protection, in application of the powers that conferred by the RGPD, is competent to adopt the decisions designed to produce legal effects, whether it be the imposition of measures that guarantee the compliance with regulations or the imposition of administrative fines. Nevertheless, is obliged to closely involve and coordinate the control authorities stakeholders in the decision-making process and take their opinion into account in the greater extent. It is also established that the binding decision to be adopted jointly agreed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 17/37 Article 60 of the GDPR regulates this cooperation between the main control authority and the other interested control authorities. Section 3 of this article expressly establishes that the main supervisory authority will transmit to the other control authorities concerned, without delay, a draft decision to obtain its opinion on the matter and will take due account of its views, following the procedure provided for in sections 4 and following. The interested control authorities have a period of four weeks to raise reasoned objections to the draft decision, on the understanding that There is agreement on said project if no authority presents objections in the indicated period, in which case all of them are bound by the repeated project. Otherwise, that is, if any of the authorities concerned makes a relevant and reasoned objection to the draft decision, the supervisory authority principal may follow what is indicated in the objection, presenting the opinion of the other control authorities concerned a revised draft decision, which will be submitted to the procedure indicated in section 4 within two weeks. not to follow indicated in the objection or if it is considered that it is not pertinent, the authority of main control must submit the matter to the coherence mechanism contemplated in Article 63 of the GDPR. In the present case, the AEPD initially considered that there were no indications of infringement nor was it necessary to urge the adoption of additional measures to those implemented by PAGE GROUP EUROPE, for which, on 11/10/2020, a Project of Decision, by means of which it was submitted to the consideration of the rest of the authorities of interested control the file of the claim (Draft decision). At the end of the established period, they objected to the aforementioned Draft Decision the data protection authorities of Portugal (CNPD) and Berlin (The Berlin Commissioner for Data Protection and Freedom of Information -Berlin DPA), in the sense expressed in the Background of this agreement. Taking into account the reasons set out in the objections made, and in accordance with the provisions of section 1 of article 60 of the RGPD, before transcribed, which obliges the main supervisory authority to cooperate with the other authorities, striving to reach a consensus, the procedure was followed provided for in section 5 of the aforementioned article 60, instead of resorting to the coherence contemplated in article 63 of the RGPD. Although this Agency, as indicated by the entity complained of in its allegations, initially considered that there were no indications of infringement, once analyzed the observations or objections raised by the control authorities concerned revealed some circumstances that had not been sufficiently valued in the project file of actions (Draft decision), which will be set forth in the Foundations of Law that follow. For this reason, it was appropriate to prepare a Revised Draft Decision that contemplate the opening of a sanctioning procedure against PAGE GROUP EUROPE. This action is in accordance with the cooperation procedure regulated in article C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 18/37 60 of the GDPR; and takes into account the provisions of article 58.4 of the same Regulation, according to which the exercise of the powers conferred on the authority of control must respect the procedural guarantees established in Union law and of the Member States. The Spanish procedural regulations, specifically, Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), establishes that procedures of a sanctioning nature will always be initiated ex officio by agreement of the competent body, which must contain, among other indications, the identification of the person or persons allegedly responsible, the facts that motivate the initiation of the procedure, its possible qualification and the penalties that may apply The adoption of the draft agreement to initiate the sanctioning procedure is provided for in article 64 of the LOPDGDD, sections 2 (third paragraph) and 3, establishing the obligation to give formal knowledge to the interested party. This notification interrupts the prescription of the infraction. The Revised Draft Decision prepared by the AEPD, in the form of a draft opening of sanctioning procedure, was submitted to the consideration of the interested authorities, so that they could formulate the objections that they deem pertinent or give their consent. For this, it was transmitted through of the IMI System to those authorities, letting them know that, in the event that the raised objections within two weeks of the consultation, the mandatory agreement to open sanctioning proceedings. None of the interested control authorities raised any objection, so it was understood that there was agreement on the aforementioned project. Consequently, on 06/29/2021, the AEPD agreed to initiate this sanctioning procedure, according to the arguments and accusations contained in the Revised Draft Decision. On the other hand, section 4 of the aforementioned article 64 of the LOPDGDD establishes that The processing times established in this article will be automatically suspended when it is necessary to collect information, consultation, request for assistance or mandatory pronouncement of a body or agency of the European Union or of a or several control authorities of the Member States in accordance with the provisions in the RGPD, for the time between the request and the notification of the statement to the Spanish Data Protection Agency. III In accordance with the provisions of article 55 of the RGPD, the Spanish Agency for Data Protection is competent to perform the functions assigned to it in its article 57, among them, that of enforcing the Regulation and promoting the awareness of controllers and data processors about the obligations incumbent on them, as well as dealing with the claims presented by a concerned and investigate the reason for them. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 19/37 Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have appointed a data protection delegate, article 39 of the RGPD attributes to it the function of cooperate with that authority. Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has foreseen a mechanism prior to the admission to processing of the claims that are formulated before the Spanish Agency for Data Protection, which consists of giving transfer of the same to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to these when they have not been designated, so that they proceed to the analysis of said claims and to respond to them within a month. In accordance with this regulation, prior to the admission for processing of the claim that gives rise to this procedure, it was transferred to the responsible entity to proceed with its analysis, respond to this Agency within a month and prove that they have provided the claimant with the due response, in the event of exercising the rights regulated in articles 15 to 22 of the GDPR. The result of said transfer was not satisfactory, considering the procedure followed by the project file of actions (Draft decision) and the objections formulated in this regard, so that the continuation of actions for the purification of the possible responsibilities revealed. In consecuense, dated 12/11/2020, for the purposes provided in article 64.2 of the LOPDGDD, the Spanish Agency for Data Protection agreed to admit the claim for processing communicated by the Dutch data protection authority (Autoreit Persoonsgegevens -AP) for alleged infractions related to the exercise of the rights recognized to the holders of personal data. Said admission agreement The procedure determined the opening of this sanctioning procedure. Dealing exclusively with a claim for lack of attention to a request of exercise of the rights established in articles 15 to 22 of the RGPD, it follows the procedure regulated in article 64.1 of the LOPDGDD, according to which: "1. When the procedure refers exclusively to the lack of attention to a request for exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679, will be initiated by agreement of admission to processing, which will be adopted in accordance with the provisions of the next article. In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the agreement for admission to processing. After this period, the interested party may consider their claim upheld.” On the contrary, when the procedure does not refer exclusively to the attention to a request for the exercise of rights, the purging of administrative responsibilities in the framework of a sanctioning procedure, being the exclusive competence of this Agency to assess whether there are responsibilities administrative that must be purged in a procedure of this nature and, in consequently, the decision on its opening. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 20/37 In this case, there are elements that justify the exercise of the activity penalty, considering that with the procedure provided for in article 64.1 of the The aforementioned LOPDGDD would not duly restore the guarantees and rights of the interested. The origin of the actions is determined by a claim made by a specific interested party, whose purpose is the lack of attention to the right of access exercised by the claimant before the claimed entity. With this, it could be thought that We are facing the procedure regulated in article 64.1 of the LOPDGDD. However, this claim by an individual person has revealed a general action of the person in charge, resulting in this specific case being the reflection of a common guideline or policy applied to all those affected persons who are in the same case as the claimant. When an action that is considered wrong derives from a general policy adopted by the data controller, so that it is not a matter of punctual errors in a case, the infraction does not reside exclusively in the case examined but in that general action adopted by the responsable. To do otherwise would be inconsistent with the purpose and will of the Community legislator, expressly embodied in the RGPD when it indicates that it corresponds to the control authorities enforce the rule. Consequently, this procedure analyzes the impact of the general action followed by PAGE GROUP EUROPE in the management and resolution of requests for exercises of rights of access and portability formulated by the interested parties, (...). In view of the deficiencies noted in the procedure designed by the entity claimed regarding data protection regulations, it turns out that such deficiencies have a general scope, so that all the interested parties who had formulated the indicated requests, and not only the claimant. Thus, it is concluded in view of the information and statements that the entity itself claimed has provided this Agency, in which it recognizes that the process of attention of rights responded to the design made by it and exposes the reasons that led him to implement a strict identity verification process, which It is based, among other reasons that are outlined in the Background, on the nature of the Human Resources services it provides, (...). Defend your system arguing that it responds to an excess of zeal of the entity. (...). The information provided by the respondent entity, moreover, is consistent with the action developed in relation to the specific request for access of the claimant Therefore, it is not understood that PAGE GROUP EUROPE, in its allegations to the opening of the procedure, state that you made a mistake in explaining the aforementioned rights management process and to modify its earlier approach to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 21/37 expose circumstances that do not conform to reality. The truth, according to accredited in the proceedings, is that the identity verification scheme designed by the respondent applied to all cases of exercise of rights of access and portability, in general, and not only in cases where there are doubts about the identity of the applicant, as he now points out in his allegations; (...). On the other hand, PAGE GROUP EUROPE states in its pleadings that has followed the recommendations of the authorities, however, it does not mention what they are those recommendations that would justify the procedure that follows. Throughout the text of his pleadings brief, he only refers to the “Guide for El Ciudadano” prepared by the AEPD and the instructions contained in the forms for the exercise of rights that this Agency makes available to citizens through through your website. In both cases, as the respondent entity points out, informs citizens about the possibility that those responsible may request photocopy of the DNI or equivalent document, but it is warned that this must be considered when the person in charge has doubts about the identity of the applicant and also that The electronic signature can be used instead of the identification document. The content of those documents does not contradict the criteria set out in This act. It should be noted that the specific objective covered by these guides is to provide guidance on best practices in the most general cases, so that cover all the specific assumptions that may arise and this means that the guidance they contain should be completed as appropriate. Finally, it is interesting to highlight at this time that the conclusions presented They are then obtained by applying the rules established by the RGPD and the LOPDGDD, without considering repealed regulations, such as Royal Decree 1720/2007, nor cultural aspects or historical issues inherited from local regulations, to which referred to by the entity claimed in its pleadings brief. IV The rights of individuals regarding the protection of personal data are regulated in articles 15 to 22 of the RGPD and 13 to 18 of the LOPDGDD. I know contemplate the rights of access, rectification, deletion, opposition, right to limitation of treatment and right to portability. The formal aspects related to the exercise of these rights are established in the articles 12 of the RGPD and 12 of the LOPDGDD. Article 12 “Transparency of information, communication and modalities of exercise of rights” of the RGPD establishes the following: "1. The person responsible for the treatment will take the appropriate measures to facilitate the interested party all information indicated in articles 13 and 14, as well as any communication with in accordance with articles 15 to 22 and 34 regarding the treatment, in a concise, transparent, intelligible and easily accessible, in clear and simple language, in particular any information specifically targeted at a child. The information will be provided in writing or by other means, including, if applicable, by electronic means. When requested by the interested party, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 22/37 Information may be provided verbally as long as the identity of the interested party is proven. By other means. 2. The person responsible for the treatment will facilitate the interested party in the exercise of their rights under of articles 15 to 22. In the cases referred to in article 11, paragraph 2, the person responsible will not refuse to act at the request of the data subject in order to exercise their rights under Articles 15 to 22, unless you can show that you are unable to identify the interested. 3. The data controller will provide the interested party with information regarding their actions on the basis of a request under articles 15 to 22, and, in any case, in the period of one month from receipt of the request. This period may be extended for another two months if necessary, taking into account the complexity and number of requests. The responsible will inform the interested party of any of said extensions within a month to from receipt of the request, indicating the reasons for the delay. When the interested submit the application electronically, the information will be provided electronically. electronic when possible, unless the interested party requests that it be provided in another way. mode." 4. If the person in charge of the treatment does not process the request of the interested party, he will inform him without delay, and no later than one month after receipt of the request, of the reasons for its non-action and the possibility of presenting a claim before a control authority and to exercise legal actions. 5. The information provided under articles 13 and 14 as well as all communication and any action carried out under articles 15 to 22 and 34 will be free of charge. When the requests are manifestly unfounded or excessive, especially due to its repetitive nature, the data controller may: a) charge a reasonable fee in depending on the administrative costs incurred to facilitate the information or communication or perform the requested action, or b) refuse to act on the request. The responsible of the treatment will bear the burden of demonstrating the manifestly unfounded or excessive request. 6. Without prejudice to the provisions of article 11, when the data controller has reasonable doubts in relation to the identity of the natural person who makes the request to which referred to in articles 15 to 21, you may request that additional information be provided necessary to confirm the identity of the interested party. 7. The information that must be provided to the interested parties under articles 13 and 14 may be transmitted in combination with standardized icons that allow the provision of easily visible, intelligible and clearly legible form an adequate overview of the planned treatment. The icons that are presented in electronic format will be legible mechanically. 8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92 in order to specify the information to be presented through icons and the procedures for providing standardized icons”. For its part, article 12 “General provisions on the exercise of rights” of the LOPDGDD, in sections 2 and 4, adds the following: "two. The person responsible for the treatment will be obliged to inform the affected party about the means at its disposal. disposition to exercise the corresponding rights. Media should be easily accessible to the affected. The exercise of the right may not be denied for the sole reason for the affected party to opt for another means”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 23/37 "4. Proof of compliance with the duty to respond to the request to exercise their rights formulated by the affected party will fall on the person responsible”. It also takes into account what is expressed in Considerations 59 and following of the GDPR. In accordance with the provisions of these rules, the data controller must arbitrate formulas and mechanisms to facilitate the interested party in the exercise of their rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3 of the GDPR); is obliged to respond to requests made no later than one month, unless you can show that you are unable to identify the interested; as well as to express their reasons in case they do not respond to the request. From the foregoing, it follows that the request for the exercise of rights made by the The interested party must be answered in any case, falling on the person in charge proof of compliance with this duty. This obligation to act is not enforceable when the data controller can demonstrate that it is not in a position to identify the interested party (in cases referred to in article 11.2 of the RGPD). In cases other than those provided for in this article, in which the data controller has reasonable doubts in relation to with the identity of the applicant, may require additional information necessary to confirm that identity. In this regard, Recital 64 of the RGPD is expressed in the following terms: “(64) The controller must use all reasonable measures to verify the identity of data subjects requesting access, in particular in the context of services online and online identifiers. The person in charge must not keep personal data with the sole purpose of being able to respond to possible requests. Regarding the right of access, the RGPD stipulates in its article 15 what following: "1. The interested party shall have the right to obtain confirmation from the data controller as to whether Personal data concerning you is being processed or not and, in such a case, the right of access to personal data and the following information: a) the purposes of the treatment; b) the categories of personal data in question; c) the recipients or categories of recipients to whom they were communicated or will be communicated the personal data, in particular recipients in third parties or organizations international; d) if possible, the expected term of conservation of the personal data or, if not possible, the criteria used to determine this period; e) the existence of the right to request from the controller the rectification or deletion of data or the limitation of the processing of personal data relating to the interested party, or to object to such processing; f) the right to file a claim with a supervisory authority; g) when the personal data has not been obtained from the interested party, any information available on its origin; h) the existence of automated decisions, including profiling, to which C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 24/37 refers to article 22, sections 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and the foreseen consequences of said treatment for the interested party. 2.When personal data is transferred to a third country or an international organization, the interested party shall have the right to be informed of the appropriate guarantees under article 46 relating to the transfer. 3. The data controller will provide a copy of the personal data subject to treatment. The person in charge may receive for any other copy requested by the interested party a reasonable fee based on administrative costs. When the interested party submits the request by electronic means, and unless he requests that it be provided in another way, the Information will be provided in a commonly used electronic format. 4. The right to obtain a copy mentioned in section 3 will not negatively affect the rights and freedoms of others”. Like the rest of the rights of the interested party, the right of access is a personal right. Allows the citizen to obtain information about the treatment that is being made of your personal data, the possibility of obtaining a copy of the personal data that concerns you and that is being processed, as well as the information listed in the article cited above. In the present case, the claimant, a Dutch citizen, opened an account in the Dutch version of the web portal of the entity Michael Page International, accessible at the URL “***URL.1”, and sent through that channel, in March 2018, a Curriculum Vitae (CV) for the achievement of a job offered by the Dutch subsidiary of the PageGroup group. Subsequently, on 09/28/2018, you exercised the right of access to your data by email sent to the address "***EMAIL.1", which coincides with the one indicated for such purposes in the Privacy Policy of the web portal, expressly indicating in this request your interest in knowing the data processed, the purposes for which they are processed, the recipients and the shared data, as well as the legal basis of each treatment operation (this request is adjusted to the content of the right of access established by the aforementioned article 15 of the RGPD, which, according to been exposed, not only implies informing the applicant about the personal data or categories of data that are processed, so that the character is not understood exception attributed to it by the entity complained against when it alleges that these requests of access are not frequent since it is the interested parties themselves who facilitate directly your personal data and have the information available to you in your area personal). The request made by the claimant is sent from the same email address email of the claimant that is registered in the PageGroup database, which, according to the interested party, had been used by the subsidiary of the Group to send you job offers and commercial communications. (...). Also on two occasions, by email, dated 10/20 and 11/11//2018, the claimant warned that the required identification constitutes a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 25/37 excessive data processing or an impediment to the exercise of your right and pointed out expressly that the identification process is simplified considering that it has account on the entity's website. It would not be until 11/12/2018, once the claimant communicated her intention to lodge a complaint with the Dutch data protection authority, when PAGE GROUP EUROPE modified its initial requirements, (…). On the issue of verifying the identity of applicants for rights, the rules set forth above are clear in stating that this verification process should be limited to the specific cases in which the controller has doubts "reasonable" in relation to the identity of the natural person making the request. Article 12.6 of the RGPD refers to all requests for rights and admits the possibility of requesting, in those cases, "additional information" necessary to confirm the identity of the interested party. In particular, in relation to requests of access in the context of online services, Recital 64 of the same Regulation refers to the possibility that the person in charge uses all the “measures reasonable” to verify the identity of the interested parties. The rules that regulate the exercise of rights do not establish, therefore, the need to provide any specific identification document so that they can be served, they do not even require that verification of identity be carried out through documentation. They refer to the possibility of collecting “additional information” and to the use of “reasonable measures”, corresponding to the person in charge to determine what information and what measures are reasonable in each case, taking into account the concurrent circumstances and always resorting to the least invasive means to the privacy of applicants. All this, under the previous condition that It is a case in which there are “reasonable doubts” about the identity of the applicant. PAGE GROUP EUROPE has not justified that these reasonable doubts existed in relation to the identity of the claimant. On the contrary, the actions of this entity responds to the rights management procedure designed by itself, in its condition of responsible, (...), without previously analyzing whether or not those reasonable doubts. (...). The circumstance occurs, in this case, that the claimant was registered in the information systems of the responsible entity, which had a wide information about it; and that the request for access to personal data is formulated from the same e-mail address of the claimant that already was in the database of said entity. It is not understood, therefore, that this case has been treated as one of those assumptions in which there are doubts about the identity of the applicant (...), when he had least intrusive means to ensure that the information would be forwarded to the data subject the data in question, such as having contrasted some of the data already available. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 26/37 PAGE GROUP EUROPE knew the contact details of the complainant, so that the request received from the email address that said entity had registered in its systems and the sending to this address of the requested information with the access offered sufficient guarantees, in the opinion of this Agency, to have responded to the request received. Furthermore, considering that no circumstance that led the claimed entity to think of an impersonation of identity or in a computer attack. The rigorous requirements imposed on the claimant to process her request for access motivated this request to remain unanswered, despite the two warnings made by the claimant herself about excessive requests for documentation that was sent to him; which determined that the claimant choose to go to the Dutch data protection authority instead of continue with the processing of your request, as you had warned in your email email dated 11/11/2018. Consequently, PAGE GROUP EUROPE is responsible for ensuring that the term established to meet the claimant's request had elapsed without given the due response, providing the information requested. The right of access was finally attended to on 08/27/2020, during the processing of the claim carried out by this Agency as the authority of main control, prior express request of this Agency dated 08/14/2020. TO In this regard, it should be specified that the corresponding response to the request of access cannot be manifested on the occasion of a mere administrative procedure, as is the transfer of the claim to the claimed party in compliance with what established in article 64.3 of the LOPDGDD. Consequently, in accordance with the exposed evidence, the aforementioned facts represent a violation of the provisions of article 12, sections 2 and 3, of the RGPD, due to non-compliance with the right of access exercised by the claimant, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation granted to the Spanish Data Protection Agency. v (...). As stated in the previous Legal Basis, this action of the claimed entity responds to the rights management procedure designed by herself, as data controller, (...). The claimant considered that there was no reason to require that information identification as necessary for the attention of the right, considering that it was not required to open an account on the web portal or to submit your CV. understand the claimant that authenticated access to the account, which was still active in the time the request is addressed to the responsible entity, it should be sufficient to understand exercised the right and accredited their identity in a system such as the used by the controller, based on the use of a private account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 27/37 Regarding this matter, the arguments expressed by the authorities of control CNPD and Berlin DPA, which are listed in the Fourth Precedent, (...); that this procedure does not protect applicants' data and increases the risks for those affected; that this documentation is not required of the interested parties to open an account or send a CV; that additional information should only be requested if there are doubts about the identity of the interested party, requesting necessary information and appropriate for that verification, based on the applicant's available data. Both control authorities advocate a less intrusive way of checking the identity of the applicant, (...), (eg electronic identification or send the application to via the user account along with an additional authentication factor submitted by a different channel); and agree with the claimant that access to the account private should be understood enough. And they also serve, because they coincide, the arguments expressed in the foundation of preceding right, on the possibility of requesting additional information necessary to confirm the identity of the interested party only when the person in charge has reasonable doubts in relation to the identity of the applicant of the right (article 12.6 of the GDPR). (...). The assessment of these facts requires taking into account, likewise, what is established in Articles 25 and 32 of the RGPD, which establish the following: “Article 25. Data protection by design and by default. 1. Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and severity that involves processing for the rights and freedoms of natural persons, the controller of the treatment will apply, both at the time of determining the means of treatment and in the time of the treatment itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively apply the principles of protection of data, such as data minimization, and integrate the necessary guarantees in the treatment, to In order to comply with the requirements of this Regulation and to protect the rights of interested. 2. The data controller will apply the appropriate technical and organizational measures with with a view to guaranteeing that, by default, only the personal data that are necessary for each of the specific purposes of the treatment. This obligation is will apply to the amount of personal data collected, the extent of its treatment, its term of conservation and its accessibility. Such measures shall in particular ensure that, for default, the personal data are not accessible, without the intervention of the person, to a indeterminate number of natural persons. 3.A certification mechanism approved under Article 42 may be used as a element that proves compliance with the obligations established in sections 1 and 2 of this article. “Article 32. Security of the treatment. 1. Taking into account the state of the art, the application costs, and the nature, the scope, context and purposes of the treatment, as well as risks of probability and severity C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 28/37 variables for the rights and freedoms of natural persons, the person in charge and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level appropriate to the risk, which, where appropriate, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to ensure confidentiality, integrity, availability and resilience permanent treatment systems and services; c) the ability to restore the availability and access to personal data in a fast in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of the effectiveness of the measures technical and organizational to guarantee the security of the treatment. 2. When evaluating the adequacy of the level of security, particular consideration will be given to the risks presented by the processing of data, in particular as a consequence of the accidental or unlawful destruction, loss or alteration of transmitted personal data, stored or otherwise processed, or unauthorized communication or access to such data. (…)”. In this case, the system designed by PAGE GROUP EUROPE establishes demands for the attention of the rights of the interested parties that go beyond what is foreseen in the regulations that regulate these rights; and they don't respond to any of the criteria and factors referred to in the aforementioned article 25.1 of the RGPD, such as the context, the risks or the purpose of the treatment. (...). (...). (...). (...). As a result of all this, (...), it gives rise, in the indicated circumstances, to the processing of personal data that is inappropriate, irrelevant and not necessary for this specific purpose of the treatment, contrary to the principles of data protection, especially, to the principle of "data minimization", regulated in article 5.1.c) of the GDPR: “Article 5 Principles relating to the treatment 1.The personal data will be: c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)”. Regarding the scope of this principle, Recital 39 of the RGPD indicates that "the data personal data should only be processed if the purpose of the processing cannot be achieved reasonably by other means. There is no need to insist on the fact that in the cases analyzed it is not necessary to collection of identification documentation of the people requesting a right, to the other, less intrusive, reliable means of identification exist; and even less necessary is the collection of various identity documents. (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 29/37 It also considers the claim that (...), make their action compatible with the respect for the principle of minimization, as necessary, proportional and suitable for protect the rights of the interested party, thus complying with what is indicated in the Recital 156 of the RGPD, according to which "The conditions and guarantees in question may entail specific procedures for the interested parties to exercise said rights. rights if it is appropriate in light of the purposes pursued by the treatment together with the technical and organizational measures aimed at minimizing the processing of personal data in accordance with the principles of proportionality and need". However, this Recital refers to processing for archive in the public interest and it cannot be brought up in the case at hand. Consequently, the facts cited, in relation to the processing of data that entails the rights management procedure followed by PAGE GROUP EUROPE for the verification of the identity of the interested parties, suppose a violation of the provisions of article 5.1.c) of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Data Protection Agency. SAW In the event that there is an infringement of the provisions of the RGPD, between the corrective powers available to the Spanish Data Protection Agency, as a control authority, article 58.2 of said Regulation contemplates the following: “2 Each control authority will have all the following corrective powers indicated below: continuation: (…) b) sanction any person responsible or in charge of the treatment with a warning when the treatment operations have violated the provisions of this Regulation;” (...) d) order the person responsible or in charge of the treatment that the treatment operations be comply with the provisions of this Regulation, where appropriate, of a given manner and within a specified time; (…) i) impose an administrative fine under article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular;". According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. 7th The exposed facts do not comply with the provisions of articles 12 and 5.1.c) of the RGPD, with the scope expressed in the previous Legal Foundations, which means the commission of offenses typified, respectively, in sections 5.b) and 5.a), of article 83 of the RGPD, which under the heading “General conditions for the imposition of administrative fines” provides the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 30/37 "5. Violations of the following provisions will be sanctioned, in accordance with the section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual turnover of the previous financial year, opting for the highest amount: a) the basic principles for the treatment, including the conditions for the consent to tenor of articles 5, 6, 7 and 9. b) the rights of the interested parties according to articles 12 to 22”. In this regard, the LOPDGDD, in its article 74, considers a "minor" infraction to effects of prescription the infractions of a merely formal nature of the articles mentioned in article 83.5 of the RGPD and, specifically, "c) Not attending to the requests to exercise the rights established in articles 15 to 22 of the Regulation (EU) 2016/679, unless the provisions of the article 72.1.k) of this Organic Law”. For its part, section 1.a) of article 72 of the LOPDGDD considers, as “very serious”, for purposes of prescription: "1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: a) The processing of personal data violating the principles and guarantees established in the Article 5 of Regulation (EU) 2016/679” . In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate: "1. Each control authority will guarantee that the imposition of administrative fines with in accordance with this article for the infringements of this Regulation indicated in the sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each case individually, in addition to or as a substitute for the measures referred to in article 58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount In each individual case, due account shall be taken of: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of affected parties and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the data controller or processor, taking into account of the technical or organizational measures that they have applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the The person responsible or the person in charge notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, section 2, have been ordered previously against the person in charge or the person in charge in question in relation to the same C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 31/37 matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or certification mechanisms approved under article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infraction”. For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD has: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in the section 2 of the aforementioned article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also may be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of data processing personal. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the crime. infringement. e) The existence of a merger by absorption process subsequent to the commission of the infraction, that cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when not mandatory, a data protection officer. h) Submission by the person in charge or person in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party”. In this case, considering the seriousness of the infractions found, the imposition of a fine and, where appropriate, the adoption of measures. cannot accept the request made by PAGE GROUP EUROPE for the imposition of other powers corrective measures, such as the warning, which is planned for natural persons and when the sanction constitutes a disproportionate burden (considering 148 of the GDPR). In this respect, this Agency does not agree that the infringements declared are of little seriousness, considering the effects that have been determined in the exercise of the rights recognized to the interested parties; nor the short duration of the same alleged by the respondent, given that the irregular process of managing those rights has been imposed since the moment it was GDPR applies. In accordance with the precepts indicated, in order to set the amount of the penalties to impose in the present case, it is considered appropriate to graduate the fines of according to the following criteria: 1. Infringement of article 12 of the RGPD, typified in article 83.5.b) and qualified as minor for purposes of prescription in article 74.c) of the LOPDGDD: The following graduation criteria are considered concurrent as aggravating: . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 32/37 of treatment in question as well as the number of interested parties affected and the level of damages they have suffered. . The nature of the infraction, since the lack of attention to the right of access, due to its content, affects the ability of the claimant to exercise true control over your personal data. . The nature of the damage caused to the interested person, who saw unattended one of your basic rights in terms of data protection personal, despite the communications sent by the same insisting in your interest. . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the data processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32”. The imputed entity does not have adequate procedures in place for performance in the collection and processing of personal data, in what refers to the management of requests for the exercise of rights, so that the infringement is not the consequence of an anomaly in the functioning of said procedures but a defect in the personal data management system designed by the person in charge. Said procedure was adopted by the respondent to own initiative establishing requirements that exceeded the forecasts applicable regulations. . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender with the processing of personal data”. The high link between the activity of the offender and the performance of treatment of personal data, considering the activity that it develops in the sector of Human Resources and the level of implementation of the entity (in the Background Sixth, some details about this implantation are collected). . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. The large company status and turnover of PageGroup and PAGE GROUP EUROPE (in the Sixth Antecedent some details are collected when respect). It is also considered that there are extenuating circumstances following: . Article 83.2.f) of the RGPD: “f) the degree of cooperation with the control authority in order to remedy the infringement and mitigate possible adverse effects of the offence”. The right of access exercised by the claimant was finally addressed by the claimed entity, although it was necessary the intervention of the authorities of control. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 33/37 PAGE GROUP EUROPE, in its pleadings brief, has not made any statement any regarding the criteria and factors assessed to classify this infraction. Considering the exposed factors, the valuation reached by the fine, for the Violation of article 12 of the RGPD, it is 50,000 euros (fifty thousand euros). 2. Infringement due to non-compliance with the provisions of article 5.1.c) of the RGPD, typified in article 83.5.a) and classified as very serious for prescription purposes in article 72.1.a) of the LOPDGDD: The following graduation criteria are considered concurrent as aggravating: . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the operation of treatment in question as well as the number of interested parties affected and the level of damages they have suffered. . The nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operations to be carried out treats. The infringement affects fundamental aspects of data protection (...), according to the rights management procedure implemented by the claimed at the time the GDPR became applicable, which has not remained rectified until the opening of the procedure. . The number of interested parties: the infringement affects all the interested parties that have exercised the right of access or portability, although it is necessary consider the significance that the offending conduct may have had on all the entity's clients, very numerous considering the level of its international implementation. . The nature of the damage caused to the interested persons, which their rights have been limited and the risk to their privacy has increased. . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement". The negligence appreciated in the commission of the infraction. In this respect, the argument made by PAGE GROUP cannot be accepted EUROPE, according to which negligence must be assessed when the conduct is deviate from recognized standards. If a performance deviates from the established by the norm it cannot be said that it responds to the standards. In addition, in relation to the claimant's request for access, the aforementioned entity, (...), he did not attend to the right until the intervention of the control authorities. . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the data processor, taking into account the technical or organizational measures that they have applied by virtue of articles 25 and 32”. The imputed entity does not have adequate procedures in place for C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 34/37 performance in the collection and processing of personal data, so that the infringement is not the result of an anomaly in the functioning of these procedures but a defect in the data management system personal designed by the person in charge. . Article 76.2.a) of the LOPDGDD: “a) The continuous nature of the infraction”. (...). It is a plurality of actions that follow the performance designed by PAGE GROUP EUROPE, which violate the same precept. . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender with the processing of personal data”. The high link between the activity of the offender and the performance of treatment of personal data, taking into account the reasons already expressed when exposing the prior offense ranking factors. . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, through the infringement”. . The volume of data and processing that constitutes the object of the file, taking into account the level of information that the requested person has accessing its services. . The large company status and turnover of PageGroup and PAGE EUROPE GROUP. It is also considered that there are extenuating circumstances following: . Article 83.2.c) of the RGPD: “Any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested”. . Article 83.2.f) of the RGPD: “The degree of cooperation with the control authority in order to remedy the infringement and mitigate possible adverse effects of the offence”. PAGE GROUP EUROPE has designed a new management procedure for rights that corrects the objections that have given rise to the commission of the infractions. However, it is taken into account that this remedy has not been produced until after the opening of the procedure has been agreed. Considering the exposed factors, the valuation reached by the fine, for the Violation of article 5.1.c) of the RGPD, is 250,000 euros (two hundred and fifty thousand euros). None of the considered graduation factors is attenuated by the fact that that the claimed entity has not been subject to a sanctioning procedure with previously, a circumstance that has been alleged by the claimed entity so that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 35/37 be considered a mitigating factor. In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, indicates that “Considers, on the other hand, that the non-commission of a crime should be considered as mitigating previous offense. Well, article 83.2 of the RGPD establishes that you must have into account for the imposition of the administrative fine, among others, the circumstance "e) any previous infraction committed by the person in charge or the person in charge of the treatment". This is an aggravating circumstance, the fact that concurrence of the budget for its application entails that it cannot be taken into consideration, but does not imply or allow, as claimed by the plaintiff, its application as a mitigating factor”. PAGE GROUP EUROPE also refers in its allegations to two actions followed by the Dutch data protection authority for processing illegal identification documents in which companies were not sanctioned involved, although, according to the claimed entity itself, it is about actions prior to the entry into force of the GDPR. In addition, they are not provided details that determined said agreements. viii The infractions committed may lead to the imposition of the person responsible for the adoption of appropriate measures to adjust its actions to the aforementioned regulations in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD, according to which each control authority may "order the person in charge or in charge of the treatment that the treatment operations comply with the provisions of the this Regulation, where appropriate, in a certain way and within a specified period…”. The non-attention of the requirements of this organism can be considered as a serious administrative infraction by “not cooperating with the Control authority” in the face of such requirements, and such conduct may be assessed the time of opening an administrative sanctioning procedure with a fine pecuniary In such a case, in the resolution that is adopted, this Agency may require the entity responsible so that, within the period determined, it adapts to the regulations of protection of personal data the treatment operations carried out and the mechanisms and procedures that it follows to deal with requests to exercise rights formulated by the interested parties, with the scope expressed in the Legal basis of this agreement. Likewise, the measures that could be adopted in the resolution that puts an end to the procedure, in relation to the treatment activities and the exercise of rights, will be applicable in all the countries of the European Union in which operates PageGroup. (...). (...). (...). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 36/37 (...). However, the aforementioned entity has contributed with its brief of allegations to the opening of the procedure the document called “RGPD data request process of the EU”, through which it establishes the management that it currently follows in relation to requests to exercise rights. (...). (...). (...). It is considered that these new measures implemented by PAGE GROUP EUROPE conform to the criteria assessed in these actions, in relation to the procedures for managing requests for the exercise of rights and the means to validate the identity of the applicants, not resulting in the imposition of additional measures. IX Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (LPACAP), under the heading "Termination in sanctioning procedures” provides the following: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, resolve the procedure with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a sanction pecuniary and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, at any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of compensation for damages caused for committing the offence. 3. In both cases, when the sanction is solely pecuniary in nature, the competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or renunciation of any action or resource in via administrative against the sanction. The reduction percentage provided for in this section may be increased regulations”. The entity PAGE GROUP EUROPE, during the period granted to it for formulate allegations to the proposed resolution, has proceeded to the voluntary payment of sanction with the legally foreseen reduction, which determines the end of the procedure and entails the waiver of any action or resource in administrative against the penalty. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es, 37/37 Therefore, in accordance with the applicable legislation, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: DECLARE the termination of procedure PS/00003/2021, followed against the entity PAGE GROUP EUROPE, S.L. for violations of articles 12 and 5.1.c) of the RGPD, typified in articles 83.5.b) and 83.5.a) of the same Regulation, respectively; in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to the entity PAGE GROUP EUROPE, SL In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by Articles 48.6 of the LOPDGDD and 114.1.c) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious Chamber. of the National High Court, in accordance with the provisions of article 25 and in section 5 of the fourth additional provision of Law 29/1998, of July 13, regulation of the Contentious-Administrative Jurisdiction, within a period of two months to count from the day following the notification of this act, as provided in the Article 46.1 of the aforementioned Law. 938-231221 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es