AEPD (Spain) - PS/00003/2021: Difference between revisions

From GDPRhub
(Added hyperlinks. Restructured summary. Removed unnecessary information. Added explanation on the height of the fines)
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 17: Line 17:
|Type=Complaint
|Type=Complaint
|Outcome=Upheld
|Outcome=Upheld
|Date_Started=
|Date_Started=23/12/2018
|Date_Decided=
|Date_Decided=
|Date_Published=
|Date_Published=25/02/2022
|Year=
|Year=2022
|Fine=300000
|Fine=300000
|Currency=EUR
|Currency=EUR


|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_1=Article 4(16) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_Link_1=Article 4 GDPR#16
|GDPR_Article_2=Article 12 GDPR
|GDPR_Article_2=Article 5(1)(c) GDPR
|GDPR_Article_Link_2=Article 12 GDPR
|GDPR_Article_Link_2=Article 5 GDPR#1c
|GDPR_Article_3=Article 12(2) GDPR
|GDPR_Article_Link_3=Article 12 GDPR#2
|GDPR_Article_4=Article 12(3) GDPR
|GDPR_Article_Link_4=Article 12 GDPR#3
|GDPR_Article_5=Article 12(6) GDPR
|GDPR_Article_Link_5=Article 12 GDPR#6
|GDPR_Article_6=Article 25 GDPR
|GDPR_Article_Link_6=Article 25 GDPR
|GDPR_Article_7=Article 32 GDPR
|GDPR_Article_Link_7=Article 32 GDPR
|GDPR_Article_8=Article 56(1) GDPR
|GDPR_Article_Link_8=Article 56 GDPR#1


 
|Party_Name_1=PageGroup Europe
 
|Party_Link_1=https://www.page.com/
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Name_2=
|Party_Link_2=
|Party_Link_2=
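Review bot: Date_Decided is still empty in the "Line 17" block, although Date_Started, Date_Published and Year are now filled, so the infobox keeps showing a blank "Decided:" field. Set it from the resolution if the date is known. In the last block, Party_Name_1 and Party_Link_1 appear both filled and empty; check that the saved template carries each parameter only once.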

Latest revision as of 11:58, 16 March 2022

AEPD (Spain) - PS/00003/2021
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 4(16) GDPR
Article 5(1)(c) GDPR
Article 12(2) GDPR
Article 12(3) GDPR
Article 12(6) GDPR
Article 25 GDPR
Article 32 GDPR
Article 56(1) GDPR
Type: Complaint
Outcome: Upheld
Started: 23/12/2018
Decided:
Published: 25/02/2022
Fine: 300000 EUR
Parties: PageGroup Europe
National Case Number/Name: PS/00003/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Jennifer Vidal

The Spanish DPA fined PageGroup Europe €300,000 for violating Articles 12 and 5(1)(c) GDPR, because it lacked an adequate procedure to comply with data subjects' rights, and required data subjects to provide additional identification documentation, without there being reasonable doubt regarding their identity.

English Summary

Facts

The controller is Michael Page International, a company based in the United Kingdom, and the parent company of the PageGroup business group. It is an employment agency and operates under various brands, including “Michael Page”. It has subsidiaries in many European countries, with the Dutch subsidiary being Michael Page International - Nederland B.V. The data subject, a Dutch citizen who had created an account and uploaded her CV on the controller's web portal, submitted an access request on 28 September 2018. The controller, however, requested the data subject's ID to verify her identity. Since the data subject found this request to be excessive, she lodged a complaint with the Dutch DPA (AP).

After the AP contacted the Dutch subsidiary, the subsidiary explained that, although the corporate group's headquarters are located in the United Kingdom, the legal department (the compliance team responsible for managing access requests from data subjects) is located in Barcelona, Spain. Hence, according to the Spanish DPA (AEPD), this establishment is the main establishment as defined in Article 4(16) GDPR, and the AEPD therefore declared itself competent to act as the lead supervisory authority under Article 56(1) GDPR.

The AEPD then investigated the controller's procedure for dealing with access requests and concluded that it complied with the GDPR. Hence, the DPA considered that there were no indications of infringement and that no further action was necessary. After the AEPD shared this draft decision with the other interested DPAs (see more info in the comment), the Portuguese DPA (CNPD) and the Berlin DPA (BlnBDI), having reviewed the contents of the draft resolution as interested authorities, objected to this conclusion. They considered that there were multiple violations (Articles 12, 5(1)(c), 25, and 32 GDPR) because, in order to make access to data subjects' personal data feasible, additional information should only be requested in case of doubts about the identity of the interested party.

The AEPD then reconsidered its initial decision.

Holding

The AEPD upheld the complaint.

First, the AEPD concluded that the controller violated Article 12(2) and Article 12(3) GDPR. The DPA stipulated that the entitlement verification process must take place only when there are reasonable doubts regarding the identity of the person who made the request, and that this verification request must be necessary and appropriate. The controller did not prove the existence of reasonable doubts that justified the request for additional information to verify the data subject's identity. Instead, it was its standard procedure to ask for an ID. The AEPD stressed that it is clear from the case at hand that there were no doubts about the identity of the applicant, since the request for access to personal data was made from the same e-mail address the data subject had used when she registered an account and uploaded her CV on the controller's web portal. Additionally, the controller only actually complied with the access request after the DPA had started to investigate the complaint.

Second, the AEPD concluded that the controller violated Article 5(1)(c) GDPR. It stated that the controller's procedure for complying with the rights of data subjects goes beyond what is laid down in the GDPR. Hence, this results in personal data processing activities that are inappropriate, not relevant and not necessary for the purpose of the case, and is contrary to what Article 25 GDPR states regarding the context, risk and purposes of the processing activities.

Third, the AEPD considered the seriousness of the case and decided to impose a fine for both violations. Regarding the fine for the violation of Article 12 GDPR, the DPA stated that the nature of the infringement affected the data subject's ability to "exercise real control" over her personal data. Moreover, this violation was the result of the lack of an adequate procedure for dealing with such requests. The DPA concluded that a fine of €50,000 was sufficient. Regarding the fine for the violation of Article 5(1)(c) GDPR, the DPA stated that the nature of the violation was very serious, due to the fundamental character of the data minimisation principle, as well as the number of affected data subjects. Moreover, it considered the fact that the violation occurred because of the controller's negligence and the absence of an adequate procedure to comply with the data protection principles. The DPA concluded that a fine of €250,000 was sufficient.

Therefore, the DPA imposed a fine of €300,000 on the controller pursuant to Article 58(2) GDPR. Moreover, it ordered the controller to bring its processing operations into compliance pursuant to Article 58(2)(d) GDPR.

Comment

On sharing info with other DPAs - IMI System

In Article 60 cases (where there is cooperation between the lead DPA and other DPAs), the DPAs share information via the so-called IMI System. The AP initially communicated information on the case via this system, and the draft and final decisions were also shared in this system for other DPAs to comment on. In this procedure, many DPAs "declared their interest", namely the DPAs of the Netherlands, Belgium, Ireland, Poland, Italy, Hungary, Portugal, Cyprus and Austria, as well as those of the German states North Rhine-Westphalia, Rhineland-Palatinate, Mecklenburg-Western Pomerania, Berlin and Bavaria.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

     File No.: PS/00003/2021



                RESOLUTION OF PUNISHMENT PROCEDURE


In the procedure conducted by the Spanish Agency for Data Protection, and based on
the following


                                   BACKGROUND


FIRST: On 03/03/2020, through the “Internal Market Information System”
(hereinafter IMI), regulated by Regulation (EU) No. 1024/2012, of the
European Parliament and of the Council, of October 25, 2012 (IMI Regulation), whose
objective is to promote cross-border administrative cooperation, mutual assistance
between the Member States and the exchange of information, this
Spanish Agency for Data Protection (AEPD) received a claim dated
12/23/2018, filed by A.A.A. (hereinafter the claimant) with the data protection
authority of the Netherlands (Autoriteit Persoonsgegevens -AP). The transfer of
this claim to the AEPD is made in accordance with the provisions of article
56 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of
04/27/2016, regarding the Protection of Natural Persons with regard to the
Processing of Personal Data and the Free Circulation of these Data (hereinafter
General Data Protection Regulation or RGPD), taking into account
its cross-border nature and that this Agency is competent to act as
lead supervisory authority.

The aforementioned claim is made against the entity "Michael Page International" for the
following reasons:

. The claimant, a Dutch citizen, opened an account in the Dutch version of the
web portal of Michael Page International, accessible at the URL “***URL.1”, and sent through
that channel, in March 2018, a Curriculum Vitae (CV) to apply for a job
offered by the Dutch branch of the PageGroup group. A few months
later, he requested access to his personal data through the e-mail address
indicated in the Privacy Policy of the web portal, “***EMAIL.1”.

In response to the aforementioned request for access, the entity responsible
initially required the claimant to provide (...). However, after the applicant
protested, considering the request for documentation excessive, Michael Page
International rectified (…).

. The claimant considers that there is no reason to request that identification
information, (...), nor to send a CV in order to apply for a job.

The claimant understands that authenticated access to the account, which is still active,
should be sufficient to consider the right properly exercised and the identity of the
applicant accredited in a system such as the one used by the controller, based on
the use of a private account.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/37









A copy of the correspondence maintained by the
complainant with the data controller following the request for access,
made on 09/28/2018, was also attached. This correspondence
is outlined in Proven Facts 4 to 9.


The documentation for this claim was completed through voluntary
assistance in IMI, sent by the Autoriteit Persoonsgegevens on
05/12/2020, incorporating the query that the Dutch authority made, in the Dutch
language, to the establishment that the PageGroup group has in the Netherlands
(Michael Page International - Nederland Bv) on decision making
related to the means and purposes of the processing of personal data that affect
residents of the Member States.

In the response offered by that establishment to the aforementioned query, in
English, it is indicated that, despite the fact that the headquarters of the business group is in the
United Kingdom, the department in charge of managing requests for access
for continental Europe is the Legal Compliance team, located in the
Shared Services located in Barcelona (Spain). The mailing address of said
department is indicated in the Privacy Policy of the Dutch version of the
website of the controller, accessible at the URL “***URL.2”.


According to said answer, the Spanish establishment of the business group
would be the main establishment, within the meaning of the definition in article 4.16 of the
GDPR. Thus, in accordance with the provisions of article 56.1 of the RGPD, on
05/21/2020 the AEPD declared itself competent to act as lead supervisory
authority (LSA).


According to the information included in the IMI System, in accordance with the
provisions of article 60 of the RGPD, the following have declared themselves concerned in this
procedure, in addition to the supervisory authority that communicated the case (the
Netherlands): those of Belgium, Ireland, Poland, Italy, Hungary, Portugal, Cyprus and Austria, as well
as the German regions of North Rhine-Westphalia, Rhineland-Palatinate,
Mecklenburg-Western Pomerania, Berlin and Bavaria Private Sector.


SECOND: In accordance with the procedure established in national legislation
(article 64.3 of Organic Law 3/2018, of December 5, on the Protection of Personal
Data and Guarantee of Digital Rights -LOPDGDD), on 06/11/2020
the AEPD transferred the aforementioned claim to the Spanish establishment of the
PageGroup group based in ***LOCALITY.1, that is, the company PAGE GROUP
EUROPE, S.L. (hereinafter PAGE GROUP EUROPE or claimed entity), so
that within a period of one month it would prove that it had responded to the claimant's
request, report on the causes of the incident and
detail the measures adopted to avoid similar situations.


In response to this request, PAGE GROUP EUROPE provided the
communications maintained with the claimant and stated the following:

. They explain that they are a company that is part of a business group dedicated to
Human Resources services, specifically, to the selection of personnel. For this
reason, they process personal data of a large number of candidates in many
countries of the world, and the exercise of rights by candidates is very common.
For the processing of the corresponding requests, in compliance
with its duty of confidentiality and secrecy, it has implemented a strict
identity verification process to ensure that candidates' personal data are not
disclosed to third parties who may have obtained the access credentials of
people registered in its systems, through phishing or social engineering attacks,
with the purpose of impersonating them and making the request on their behalf.


In the particular case of the claimant, they did not try to put obstacles in the way of the
exercise of the claimant's rights, but to protect the claimant's personal data. (...).

(...).


On this question, it provides a copy of the "Answer Models" currently used
to verify the identity of the interested parties. (...).

Subsequently, by letter dated 08/14/2020, this Agency requested from PAGE
GROUP EUROPE a “copy of the response to the request for access raised by the
claimant, since his identity has been proven through the claim process
initiated before the supervisory authority of the Netherlands and continued in
this Agency”. After this request, the aforementioned entity answered the
request for access made by the claimant and provided this Agency with a copy of the
communication, dated 08/27/2020, through which it informs the claimant about the
aspects of the processing established in article 15 of the RGPD, as well as the annex
with the personal data of the claimant in its possession. In its written
response to this Agency it indicates that the information was sent by
e-mail.

THIRD: After reviewing the response provided by the claimed company,
outlined in the previous point, this Agency found that, at present, the
procedures followed by PAGE GROUP EUROPE for handling data protection rights
requests, in relation to the identification of applicants,
conform to the applicable regulations. (...).

In addition, it was taken into account that, after the intervention of this Agency, the
claimant's request for access was addressed.

Consequently, it was considered that there were no indications of infringement and that
no further action was necessary, nor was it necessary to urge the adoption of additional
measures; therefore, on 11/10/2020, a Draft Resolution to archive the
claim was drawn up (Draft decision).

FOURTH: On 11/10/2020, the Draft Decision was entered into the IMI System
so that the authorities concerned could express their views on it.

At the end of the established term, the data protection authorities of Portugal (CNPD)
and Berlin (The Berlin Commissioner for Data Protection and Freedom of Information -
Berlin DPA) raised objections to the aforementioned draft decision to archive.


The CNPD states that PAGE GROUP EUROPE has implemented a
procedure for handling rights requests (...), without having specified that, in the
claimant's case, it had doubts regarding her identity. It considers that the
aforementioned entity has not adjusted its actions to the provisions of article 12.2 of the
RGPD, which obliges the controller to facilitate the exercise of rights unless it
cannot identify the applicant, in which case article 12.6 of the RGPD allows it to request
additional identifying information.

The CNPD also understands that the procedure followed by the entity responsible
does not protect the data of the applicants, since the processing of the identification
documents required increases the risks for those affected (e.g. possible use
for identity theft); (...). The Portuguese authority considers that this violates
the principle of minimization (article 5.1.c) of the RGPD), that of privacy by default and
by design (article 25 of the RGPD) and that of security measures (article 32 of the
GDPR).

The CNPD advocates a less intrusive way of verifying the identity of the
applicant (e.g. electronic identification, or submitting the request through the user
account together with an additional authentication factor sent by a different channel).


Berlin DPA, for its part, also finds an infringement of article 12 of the RGPD,
paragraphs 2, 3 and 6, for reasons similar to those stated by the Portuguese authority.
It considers that additional information should only be requested if there are doubts about
the identity of the interested party, requesting information that is necessary and appropriate
for that verification, based on the applicant's available data; and it does not share the
alleged justification based on the possible risk of spoofing of e-mail addresses.
Likewise, (...), Berlin DPA understands that it cannot be used to carry out verifications,
or, at least, that it would not be the most appropriate way, and declares itself in agreement with
the claimant's view that the registered access to the private account
would be more than enough.

Berlin DPA points out a possible infringement of article 12.3 of the RGPD because the
controller did not answer within one month of the submission of the
request.

It opposes the rejection of the claim and considers it appropriate to identify the
infringements and adopt corrective measures against the controller, so that it
corrects its procedures to avoid putting the rights of other
applicants at risk or obstructing their exercise.

FIFTH: The objections raised by the data protection authorities
indicated in the previous point were taken into account and, on 12/11/2020, it was
agreed to admit for processing the claim communicated by the data protection authority
of the Netherlands (Autoriteit Persoonsgegevens -AP), for the alleged infringement of
the provisions of article 15 of the RGPD, without prejudice to what may be determined
in the course of processing said claim.


SIXTH: On 02/26/2021, the General Subdirectorate for Data Inspection
accessed the website "www.michaelpage.es" and obtained the information available on
PageGroup.

The corporate information that appears in the “Who we are” section of said
website indicates:


“PageGroup is the leading international consulting firm in the selection of qualified,
middle-management and executive staff on a temporary and permanent basis. It was established in the UK in
1976 and has been listed on the London Stock Exchange since 2001. With a network of 140 own offices,
we operate in 36 countries around the world. In Spain we offer nationwide coverage with
physical offices in Madrid, Barcelona, Valencia, Seville, Bilbao and Zaragoza, through
which we provide recruitment services and career opportunities at the local, regional and
global level. Within the group we have different brands, each an expert in its market”


(...).

(...).

(...).


SEVENTH: On 06/02/2021, in accordance with the provisions of article 64
of the LOPDGDD, sections 2 (third paragraph) and 3, a draft decision to
initiate a sanctioning procedure was drawn up, motivated by the claim received through the
IMI system that is outlined in the First Background point. This draft takes into
consideration the objections outlined in the Fourth Background point (revised draft
decision).

Following the procedure established in article 60 of the RGPD, on
03/13/2020, the aforementioned draft to open the sanctioning procedure was
transmitted via the IMI System to the supervisory authorities concerned,
informing them that, if no objections were raised within
two weeks from the consultation, the mandatory agreement to open the
sanctioning procedure would be adopted.

None of the supervisory authorities concerned raised any objection to the
draft agreement to open sanctioning proceedings adopted by the
AEPD; it is therefore understood that there is agreement on it.

EIGHTH: On 06/29/2021, the Director of the Spanish Data Protection Agency
agreed to initiate a sanctioning procedure against the entity PAGE GROUP
EUROPE, in accordance with the provisions of articles 63 and 64 of Law 39/2015, of
October 1, on the Common Administrative Procedure of the Public Administrations
(hereinafter, LPACAP), for the alleged violation of articles 5.1.c) and 12 of the
RGPD, typified in articles 83.5.a) and b) of the same Regulation,
respectively; determining that the sanction that could correspond would amount to
a total of 300,000 euros (250,000 euros for the infringement of article 5.1.c) and 50,000
euros for the infringement of article 12, both of the RGPD), without prejudice to the outcome
of the investigation.

In the same agreement to open the procedure, it was warned that the infringements
charged, if confirmed, may lead to the imposition of measures, in accordance
with the provisions of the aforementioned article 58.2 d) of the RGPD.


NINTH: Having been notified of the aforementioned initial agreement, and the term granted to
make allegations having been extended, PAGE GROUP EUROPE filed a brief dated 07/21/2021,
in which it requests that the initial criterion of the AEPD be maintained and that the
sanctioning procedure be archived or, alternatively, that the proposed fine be reconsidered,
assessing the warning provided for in the regulations. In short, the aforementioned
entity bases its request on the following considerations:

1. As a preliminary point, it highlights the good faith and willingness to comply that has governed
its actions and the internal policies applied, and expresses its intention to contribute with
its allegations more information and clarity on the case, despite the fact that this entails
waiving the proposed reduction of the sanction, in the
conviction that it has followed the recommendations of the authorities and that its
motivation was none other than an excess of zeal in the protection of personal data,
so as not to deliver data to a person other than the real owner of the data. It adds that the
question raised has to do with the interpretation of a rule that has only recently become
applicable.

2. It considers it contradictory that the Foundations of Law of the
opening agreement state that the result of the transfer process “was not satisfactory”,
when the Second and Third Background points indicate that the respondent
responded to the request for access made by the claimant, (...), concluding
that there were no indications of infringement nor was it necessary to adopt additional
measures.

Based on this, it requests that the documents in the file be reviewed again,
clarifying in this regard, in the event that that statement is
motivated by the absence of a response to the first request from the authority of the
Netherlands, that in June 2019 access to the address ***EMAIL.2 was provided to
people from the Legal Compliance team on a temporary basis, (...), although, for
some technical reason, the connection was not effective until the end of August, and it was not
possible to retrieve the e-mails received in the meantime.

As soon as it became aware that the data protection authority of
the Netherlands (Autoriteit Persoonsgegevens -AP) had sent 2 e-mails on 07/23/2019,
it proceeded to contact that authority, although there is no record of having received a response.

Subsequently, on 08/30/2019, the Autoriteit Persoonsgegevens sent a
letter directly to Michael Page International - Nederland Bv, to which it
replied on 09/27/2019.

3. In relation to the alleged infringement of article 5.1.c), it highlights the review of
its internal policies that it carried out in 2016-2018 to adapt them to the new
regulations, on which there were no guiding criteria at the time for
interpreting novel concepts such as the principle of data minimization or
privacy by design or by default, so it tried to combine measures and
recommendations that remained in force with an interpretation of the new
regulation aimed at strict compliance with it.

(...).


(...).

(...).


On the other hand, regarding Berlin DPA's interpretation of the appropriate way
to verify the identity of the interested parties who exercise a right, the claimed
entity understands that such assessments derive from local idiosyncrasy and may
be motivated by historical issues inherited from previous local regulations, or by
cultural or compliance aspects, which will be defined and harmonized in
the coming years.

(...).

(...).


On the other hand, the respondent entity claims to have found that the authority of the
Netherlands has been active with regard to the unlawful processing of the BSN (personal
identification number) and took various enforcement measures prior to the entry
into force of the RGPD, among them:
. Airbnb unlawfully processed the BSN (through complete copies of identity
documents) and the DPA published its conclusions on the matter. No fine was imposed
nor was any investigative report published after Airbnb changed its
operations.
. A freight company called Nippon Express processed complete copies
of the identity documents and BSNs of the truck drivers entering
its premises to pick up cargo. This was illegal according to the Dutch DPA, which
published an investigative report without sanctioning the company after it modified its
procedures.

As can be understood, and will be developed later, the claimed entity
derives no benefit from delaying or allegedly hindering the exercise of a
right that implies the delivery of information to the interested party. This is not a
cancellation of a service or an objection to certain processing that the entity
would have an interest in maintaining.

(...).


Based on this, it requests that the allegations of the Berlin DPA and the CNPD
that changed the criterion of the AEPD be reconsidered; the AEPD had decided to archive
the file as it did not find intentionality in the action carried out by PAGE GROUP EUROPE,
given the absence of benefit and the improvement implemented.


(...).

Considering this absence of further processing and that the processing carried out
was very limited in time, as was the access to the information in question, the
entity complained against considers applicable what is indicated in Recital 156 of the
RGPD: “The conditions and guarantees in question may entail specific procedures
for the interested parties to exercise said rights if this is appropriate in the
light of the purposes pursued by the specific processing, together with the
technical and organizational measures aimed at minimizing the processing of personal data
in accordance with the principles of proportionality and necessity”; it understood, after
studying the matter, that this measure was necessary, proportional and appropriate to protect the
rights of the interested party.


5. With the aforementioned requirement, the respondent did not try to delay, hinder or
obstruct the exercise of rights by the affected party, nor did it obtain any benefit from
that practice, which required designing a specific procedure and investing resources
in management and monitoring. If it is finally determined that such procedure
was not designed correctly, the only thing it can be blamed for is an excess of
zeal in its willingness to comply, to ensure that data was not delivered to a
person other than its owner, but not that with this request it wanted to put
obstacles in the way of the exercise of rights.


(...).

6. Regarding the alleged infringement of article 12 of the RGPD, the respondent makes
allegations with which it intends to respond to the arguments put forward
by the data protection authorities of Berlin and Portugal, and
begins by insisting that the entity treats requests for access with care
because they are not frequent in its activity, since it is the interested parties themselves
who directly provide their personal data and have the information
available in their personal area.

Regarding what was indicated by Berlin DPA, which does not share the concern about the possible
risk of impersonation of e-mail addresses, the respondent points out that there are
studies and statistics that demonstrate the hypothesis that the RGPD right of access
request can be a point of vulnerability to social engineering
attacks.

And adds:


“To cite some of the aforementioned studies, James Pavur (DPhil Researcher Oxford University) and
Casey Knerr (Security Consultant Dionach LTD) indicate in their publication “GDPArrrrr: Using
Privacy Laws to Steal Identities” (the translation is ours for the purposes of homogeneity in the
document language):
“In this work, we have hypothesized that the right to request access can
be a point of vulnerability to social engineering attacks. Through an experiment
spanning 150 organizations, we demonstrated the real-world feasibility of such attacks.
We found that a large proportion of organizations do not adequately verify the
originating identity of access requests and that, as a result, deeply sensitive
information can be acquired in a repeatable and scalable manner by social
engineering. We suggest a series of corrective measures focused on individuals, companies
and legislators, to help mitigate these attacks.
(…)
Requesting a government-issued photo ID is probably the most
robust way of preventing this attack. However, organizations that are unable to
adequately protect this data, or to verify its authenticity, should consider the
possibility of outsourcing these services to a third party.
Companies should also periodically evaluate their subject access request process
for vulnerabilities and train individual service representatives on the
detection of and response to such attacks. Incorporating malicious access
requests…”

Recital 64 of the RGPD itself establishes that "the data controller
must use all reasonable measures to verify the identity of the
interested parties requesting access". Likewise, article 12.6 of the RGPD establishes that
“When the controller has reasonable doubts in relation to the
identity of the natural person making the request referred to in articles 15
to 21, it may request the additional information necessary to confirm the
identity of the interested party”.


In Spain, the need for the interested party to provide the DNI or an equivalent document
was provided for in article 25 of Royal Decree 1720/2007, now repealed almost in its
entirety. Said article indicated that the communication of the exercise of
rights addressed to the controller should be accompanied by a photocopy of the
national identity document of the interested party, or their passport or other valid
document identifying them.

The Spanish Agency for Data Protection (AEPD), in its "Guide for the
Citizen", indicates that, “if the controller has doubts about the identity of the
interested party, it may request additional information to confirm it, such as a
photocopy of the ID, passport or other valid document”.

Likewise, the forms that the AEPD designed as models for the exercise of
rights and which presents as models to be used by citizens,
include the following statement:

"two. It will be necessary to provide a photocopy of the D.N.I. or equivalent document that proves
identity and is considered valid in law, in those cases in which the
person in charge has doubts about his identity. In case of acting through
Legal representation must also provide a DNI and a document accrediting the
representation of the representative”.


Therefore, it is a common practice, at least in Spain, the residence of our
company, which does not violate the principle of data minimization, which requires that
personal data be adequate, pertinent and limited to what is necessary in relation to
the purposes for which they are processed.


(...).

(...).

(...).


7. Emphasizes once again the good faith and degree of collaboration shown, having
modified the internal rights management procedure as follows:

(...).


(...).

8. Refers to the archiving of the proceedings initially adopted by the AEPD and the
objections from the Portuguese (CNPD) and German (Berlin DPA) authorities, to
highlight the uncertainty caused by the lack of unified criteria for verifying
identity online during the management of an access right.


The RGPD does not establish, as the previous regulation did, the list of security
measures that controllers must adopt; now each controller must carry out
its own risk analysis and determine what measures it needs to take to mitigate the risks, and
this was recognized by the AEPD, (...).


This is an interpretation made based on risk analysis and from the
good faith and the conviction of a good performance, applying the principles of
minimization, privacy by design and by default, on a specific subject
(request for identification in the right of access) on which there is no criterion or guide
published.


9. Regarding the graduation criteria of the sanction, it states the following:

. Negligence in the commission of the infraction must be found when the conduct
departs from recognized standards and, (...). In addition, it considers that the
proactive attitude and demonstrated improvement should be taken into account.


(...).

. The assessment of the number of interested parties must consider the requests for exercises
of rights received since the RGPD is fully applicable, already detailed.


. It is the first time that the claimed entity is the subject of a sanctioning
procedure, having thus far complied with the obligations set forth in the applicable
regulations, as well as the criteria established by the supervisory authorities.


In this regard, it requests that the imposition of a warning be assessed, with special
attention to the nature, low seriousness and short duration of the infringement, its
unintentional character, the measures taken to alleviate the damages
suffered and the degree of responsibility demonstrated by the entity.

PAGE GROUP EUROPE, with its statement of arguments at the opening of the
procedure, provided the following documents:

. Copy of the document called “Data request process of the RGPD of the
EU". The provisions it contains on the validation of requests for rights and
verification of the identity of the applicants are outlined in Proven Fact 12.
. Record of emails received during the period of the technical failure in the DPD's email.
. Mail dated 08/26/2019, sent to the authority of the Netherlands requesting that the
missed communication be sent.
. Mail with the documentation sent in September 2019 to the data protection authority of
the Netherlands.

TENTH: On 11/24/2021, a resolution proposal was issued in the following sense:

1. That the Director of the AEPD sanction PAGE GROUP EUROPE, for an
infringement of article 12 of the RGPD, typified in Article 83.5.b) of the RGPD and
classified as minor for prescription purposes in article 74.c) of the LOPDGDD,
with a fine amounting to 50,000 euros (fifty thousand euros).

2. That the Director of the AEPD sanction PAGE GROUP EUROPE, for an
infringement of article 5.1.c) of the RGPD, typified in article 83.5.a) and qualified
as very serious for prescription purposes in article 72.1.a) of the LOPDGDD, with
a fine amounting to 250,000 euros (two hundred and fifty thousand euros).

The aforementioned resolution proposal was notified to the entity PAGE GROUP EUROPE
on the same date of 11/24/2021. In this notification, said entity was informed
that, in accordance with the provisions of article 85.2 of the LPACAP, it may, at
any time prior to the resolution of the procedure, make voluntary payment
of the proposed penalty, which would mean a reduction of 20% of its
amount. With the application of this reduction, the sanction would be
established at 240,000 euros (two hundred and forty thousand euros) and its payment would imply the
termination of the procedure. Likewise, it was noted that the effectiveness of this
reduction is conditional upon the withdrawal or waiver of any administrative action or
remedy against the sanction.

ELEVENTH: On 12/02/2021, the claimed party proceeded to pay
the sanction in the amount of 240,000 euros, making use of the reduction foreseen in
Article 85 of the LPACAP, which implies the termination of the procedure and entails the
waiver of any administrative action or recourse against the sanction.

TWELFTH: On 12/03/2021, this Agency received a document
of the entity PAGE GROUP EUROPE, of 12/02/2021, through which it provides a copy
of the receipt of the payment made, with which it intends to "close" the
process. In this same letter, the aforementioned entity warns about the
confidentiality of internal corporate processes.


Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:



                                PROVEN FACTS



1. The entity Michael Page International is a company based in the United Kingdom,
parent company of the PageGroup business group. It is dedicated to the selection of personnel and
operates under various brands, including “Michael Page”. It has subsidiaries in
many European countries, the Dutch subsidiary being the entity Michael Page
International - Nederland B.V.


One of the Spanish subsidiaries of the Group, with headquarters in ***LOCATION.1, PAGE
GROUP EUROPE, S.L., is responsible, through its Legal Compliance department,
for managing the requests for the exercise of rights in terms of protection
of personal data that the interested parties formulate before the entities of the
PageGroup group in Europe. The postal address of this Spanish subsidiary is indicated as the
contact details for the exercise of these rights in the Privacy Policy of the
entity, both in the Spanish and in the Netherlands version.

2. PageGroup websites include a form that allows interested users to
send their CV to the corresponding subsidiary entity.

3. The claimant, a Dutch citizen, opened an account on the web portal of Michael
Page International - Nederland B.V., accessible at the URL “***URL.1”, and submitted through that
channel, in March 2018, a Curriculum Vitae (CV) to apply for a job position
offered by this Dutch subsidiary of the PageGroup group.

4. By email dated 09/28/2018, sent from the address
“***EMAIL.3”, the same one that is registered in the PageGroup database, the
claimant requested access to her personal data, expressly detailing in her
request that a copy of her data be sent to her and her interest in knowing the purposes for
which the data is processed, the categories of personal data submitted to
processing, the recipients, as well as the legal basis of each processing
operation. Said email was sent to the address “***EMAIL.1”, which
coincides with the one indicated for such purposes in the Privacy Policy accessible through
the web portal.

In this email, the claimant warns that she receives regular emails from the entity and
that this proves that it has her personal data.


5. By email dated 10/02/2018, sent from the address
“***EMAIL.1”, PageGroup responded to the complainant's email dated 09/28/2018
noting that in order to meet the request for access made, it was necessary
to confirm her identity and prove her address. (...). It is also indicated that said
documentation can be sent to the address “***EMAIL.1” or to the department of
Legal Compliance, by postal mail addressed to the address of PAGE GROUP
EUROPE in ***LOCATION.1.

(...).


(...).

7. On 10/22/2018, the Legal Compliance Department of PageGroup
sent an email to the claimant, from the address “***EMAIL.1”, in
which it reiterated the need to verify her identity and insisted on the request for
the previous documentation.

8. On 11/11/2018, by email sent to the address
“***EMAIL.1”, the claimant, after summarizing the facts and highlighting her interest in
knowing the communications of personal data made to third parties and the specific data
shared, reiterated her previous statements on the documentation
required to meet that request, which she considers excessive, and warned about the
possibility of making a claim before the data protection authority of the
Netherlands.

9. On 11/12/2018, PageGroup's Legal Compliance Department
sent an email to the claimant, from the address “***EMAIL.1”,
reporting that they have reviewed their (...).

10. By letter dated 08/14/2020, this Agency requested from PAGE GROUP EUROPE a
“Copy of the response to the request for access made by the claimant, given
that her identity has been proven through the claim process,
initiated before the control authority of the Netherlands and continued before this Agency”.

Following this request, the aforementioned entity proceeded to respond to the request for
access formulated by the claimant and provided this Agency with a copy of the communication,
dated 08/27/2020, which responds to the request for access made by the
claimant, as well as the annex with her personal data held by
PageGroup. In the response letter to this Agency, it is indicated that the
information was sent by email.

(...).

(...).


12. The entity PAGE GROUP EUROPE, with its brief of allegations at the opening
of the procedure, has provided a copy of the document called "Process of
EU GDPR data request".

(...).


(...).

(...).


(...).

Regarding the delivery of the document through which the right of
access and the corresponding information is provided to the interested party, the procedure
designed by the claimed entity contemplates its sending by email,
protected with a password that is sent in a different mail.



                           FOUNDATIONS OF LAW

                                            I


By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of
Control and, as established in articles 47, 64.2 and 68.1 of the LOPDGDD, the
Director of the Spanish Data Protection Agency is competent to initiate
this procedure.


Article 63.2 of the LOPDGDD determines that: "The procedures processed by the
Spanish Agency for Data Protection will be governed by the provisions of the RGPD, in
this organic law, by the regulatory provisions issued in its
development and, in so far as they are not contradicted, on a subsidiary basis, by the general
rules on administrative procedures".

Sections 1) and 2) of article 58 of the RGPD list, respectively, the
investigative and corrective powers available to the supervisory authority for that
purpose, mentioning in point 1.d) that of "notifying the controller or processor
of alleged violations of this Regulation”; and in 2.i), that of
“imposing an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each
case".

The case examined is motivated by a cross-border claim
filed with the Dutch data protection authority (Autoriteit
Persoonsgegevens -AP), against a business group based in the United Kingdom.
However, the department in charge of managing requests for access
for continental Europe is the Legal Compliance team of the Group subsidiary
PAGE GROUP EUROPE, based in Spain. This Spanish establishment of
PageGroup is the main establishment of the Group, within the meaning of the definition in
article 4.16 of the RGPD. Thus, in accordance with the provisions of article 56.1 of the RGPD, the
AEPD is the competent authority to act as the main control authority.


The following "definitions" established in article 4 of the
GDPR:

“16) main establishment:

a) with regard to a data controller with establishments in more than one
Member State, the place of its central administration in the Union, unless the decisions
about the purposes and means of the processing are taken in another establishment of the controller
in the Union and the latter establishment has the power to enforce such decisions, in
which case the establishment that has adopted such decisions will be considered the
main establishment.


“21) supervisory authority: the independent public authority established by a State
member in accordance with the provisions of article 51”.

“22) interested control authority: the control authority that is affected by the treatment of
personal data because:
a.- The controller or processor is established in the territory of the State
member of that control authority;
b.- Interested parties residing in the Member State of that control authority are

substantially affected or likely to be substantially affected by the
treatment, or
c.- A claim has been filed with that control authority”.

“23) cross-border processing:
a) the processing of personal data carried out in the context of the activities of
establishments in more than one Member State of a controller or a processor
in the Union, if the controller or processor is established in more than one
Member State,
or b) the processing of personal data carried out in the context of the activities of a single
establishment of a controller or a processor in the Union, but which substantially
affects or is likely to substantially affect data subjects in more than one Member
State".

According to the information included in the IMI System, in accordance with the
provisions of article 60 of the RGPD, in this procedure the personal data protection
authorities of the Netherlands, Belgium, Ireland, Poland, Italy, Hungary, Portugal, Cyprus
and Austria, as well as those of the German regions of North Rhine-Westphalia,
Rhineland-Palatinate, Mecklenburg-Western Pomerania, Berlin and Bavaria Private Sector,
act as "interested control authorities".



                                                II


Article 56.1 of the RGPD, regarding the "Competence of the lead supervisory
authority", states the following:

"1. Without prejudice to the provisions of article 55, the control authority of the main
establishment or sole establishment of the controller or processor will be
competent to act as lead supervisory authority for the cross-border processing
carried out by said controller or processor in accordance with the procedure established
in article 60”.

Said article 60 regulates the "Cooperation between the main control authority and the
other interested control authorities”:

"1. The main control authority will cooperate with the other interested control
authorities in accordance with this article, striving to reach a consensus. The
main control authority and the interested control authorities will exchange all
relevant information.
2. The main control authority may at any time request other interested control
authorities to provide mutual assistance in accordance with article 61, and may carry out
joint operations under article 62, in particular to carry out
investigations or supervise the application of a measure related to a controller or a
processor established in another Member State.
3. The main control authority shall promptly notify the other interested control authorities
of the relevant information in this regard. It will transmit without delay a draft
decision to the other interested control authorities to obtain their opinion on the matter
and will take due account of their views.
4. In the event that any of the interested control authorities raises a pertinent and
reasoned objection to the draft decision within four weeks from the
consultation pursuant to paragraph 3 of this article, the lead supervisory authority
will submit the matter, in case it does not follow what is indicated in the pertinent and
reasoned objection or considers that said objection is not pertinent or is not reasoned, to
the coherence mechanism referred to in article 63.
5. In the event that the main supervisory authority plans to follow what is indicated in the
pertinent and reasoned objection received, it will submit a revised draft decision to the
opinion of the other interested control authorities. This revised draft decision
will be subject to the procedure indicated in section 4 within a period of two weeks.
6. In the event that no other interested supervisory authority has objected to the
draft decision transmitted by the main supervisory authority within the period indicated in
paragraphs 4 and 5, it will be considered that the main supervisory authority and the
interested control authorities are in agreement with said draft decision and will be bound by
it.
7. The main control authority will adopt and notify the decision to the main establishment
or to the sole establishment of the controller or the processor, as appropriate, and
shall inform the interested control authorities and the Committee of the decision, including a
summary of relevant facts and motivation. The supervisory authority before which the
claim was submitted will inform the claimant of the decision.

(…)
12. The main supervisory authority and the other interested supervisory authorities
will reciprocally provide the information required within the framework of this article by
electronic means, using a standardized form."

On the issues regulated in these precepts, what is stated in

Recitals 124, 125, 126 and 130 of the RGPD, in particular the following:

(124) “… Said authority (the main authority) must cooperate with the other authorities
interested…”.
(125) “As the lead authority, the supervisory authority must closely involve
and coordinate the control authorities interested in the decision-making process”.
(126) “The decision must be agreed jointly by the main control authority and the

interested control authorities…”.
(130) “When the supervisory authority before which the claim has been filed is not the
lead supervisory authority, the latter must cooperate closely with the former
in accordance with the provisions on cooperation and coherence established in this
Regulation. In such cases, the lead supervisory authority, when taking measures designed
to produce legal effects, including the imposition of administrative fines, must take into
account to the greatest extent possible the opinion of the supervisory authority before which the
claim was filed and which must remain competent to carry out any
investigation on the territory of its own Member State in liaison with the competent
supervisory authority".

In accordance with the provisions of article 4.24 of the RGPD, it is understood by
“pertinent and motivated objection” the following:


“The objection to a proposal for a decision on the existence or not of an infringement of this
Regulation, or on the conformity with the present Regulation of actions foreseen in
relationship with the person in charge or the person in charge of the treatment, which clearly demonstrates the
significance of the risks posed by the draft decision to the rights and freedoms
of the interested parties and, where appropriate, for the free circulation of personal data
within the Union”.


In accordance with the provisions of the previous rules, in this case,
referred to a claim filed with the supervisory authority of a State
member (Netherlands), in relation to processing in the context of activities

of an establishment of a person in charge that affect or are likely to affect
substantially to data subjects in more than one Member State (data processing
cross-border), the main control authority, in this case the Spanish Agency
of Data Protection, is obliged to cooperate with the other authorities
interested.


The Spanish Agency for Data Protection, in application of the powers
conferred on it by the RGPD, is competent to adopt the decisions designed to
produce legal effects, whether it be the imposition of measures that guarantee
compliance with regulations or the imposition of administrative fines. Nevertheless,
it is obliged to closely involve and coordinate the interested control authorities
in the decision-making process and take their opinion into account to the
greatest extent. It is also established that the binding decision to be adopted
is to be jointly agreed.

Article 60 of the GDPR regulates this cooperation between the main control authority
and the other interested control authorities. Section 3 of this article
expressly establishes that the main control authority will transmit to the other
interested control authorities, without delay, a draft decision to obtain
their opinion on the matter and will take due account of their views,
following the procedure provided for in sections 4 and following. The
interested control authorities have a period of four weeks to
raise reasoned objections to the draft decision, on the understanding that
there is agreement on said draft if no authority presents objections within the
indicated period, in which case all of them are bound by it.

Otherwise, that is, if any of the interested authorities makes a
pertinent and reasoned objection to the draft decision, the main control
authority may follow what is indicated in the objection, submitting a revised draft
decision to the opinion of the other interested control authorities, which will be subject
to the procedure indicated in section 4 within two weeks. If it does not follow
what is indicated in the objection, or if it considers that the objection is not pertinent, the
main control authority must submit the matter to the coherence mechanism contemplated in
Article 63 of the GDPR.


In the present case, the AEPD initially considered that there were no indications of infringement
and that it was not necessary to urge the adoption of measures additional to those implemented
by PAGE GROUP EUROPE, for which reason, on 11/10/2020, by means of a Draft
Decision, the archiving of the claim was submitted to the consideration of the other
interested control authorities (Draft decision).

At the end of the established period, the data protection authorities of Portugal (CNPD)
and Berlin (The Berlin Commissioner for Data Protection and Freedom of Information
-Berlin DPA) objected to the aforementioned Draft Decision, in the
sense expressed in the Background of this agreement.

Taking into account the reasons set out in the objections made, and
in accordance with the provisions of section 1 of article 60 of the RGPD, transcribed
above, which obliges the main supervisory authority to cooperate with the other
authorities, striving to reach a consensus, the procedure provided for in section 5
of the aforementioned article 60 was followed, instead of resorting to the
coherence mechanism contemplated in article 63 of the RGPD.

Although this Agency, as indicated by the claimed entity in its allegations,
initially considered that there were no indications of infringement, the analysis of the
observations or objections raised by the interested control authorities
revealed some circumstances that had not been sufficiently
assessed in the draft archiving of the proceedings (Draft decision), which will be
set forth in the Foundations of Law that follow.


For this reason, it was appropriate to prepare a Revised Draft Decision that
contemplate the opening of a sanctioning procedure against PAGE GROUP EUROPE.

This action is in accordance with the cooperation procedure regulated in article
60 of the GDPR; and takes into account the provisions of article 58.4 of the same
Regulation, according to which the exercise of the powers conferred on the control
authority must respect the procedural guarantees established in the law of the Union
and of the Member States.

The Spanish procedural regulations, specifically, Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (LPACAP),
establishes that procedures of a sanctioning nature will always be initiated
ex officio by agreement of the competent body, which must contain, among other

indications, the identification of the person or persons allegedly responsible,
the facts that motivate the initiation of the procedure, its possible qualification and the
penalties that may apply

The adoption of the draft agreement to initiate the sanctioning procedure is

provided for in article 64 of the LOPDGDD, sections 2 (third paragraph) and 3,
establishing the obligation to give formal knowledge to the interested party. This
notification interrupts the prescription of the infraction.

The Revised Draft Decision prepared by the AEPD, in the form of a draft
opening of a sanctioning procedure, was submitted to the consideration of the
interested authorities, so that they could formulate the objections that
they deemed pertinent or give their consent. For this, it was transmitted through
the IMI System to those authorities, letting them know that, in the event that no
objections were raised within two weeks of the consultation, the
mandatory agreement to open sanctioning proceedings would be adopted. None of the
interested control authorities raised any objection, so it was understood
that there was agreement on the aforementioned draft.

Consequently, on 06/29/2021, the AEPD agreed to initiate this
sanctioning procedure, according to the arguments and accusations

contained in the Revised Draft Decision.

On the other hand, section 4 of the aforementioned article 64 of the LOPDGDD establishes that
the processing times established in this article will be automatically
suspended when it is necessary to collect information, consultation, a request for assistance or
a mandatory pronouncement from a body or agency of the European Union or from one
or several control authorities of the Member States in accordance with the provisions
of the RGPD, for the time between the request and the notification of the
pronouncement to the Spanish Data Protection Agency.



                                           III

In accordance with the provisions of article 55 of the RGPD, the Spanish Agency for
Data Protection is competent to perform the functions assigned to it
in its article 57, among them, that of enforcing the Regulation and promoting the
awareness of controllers and data processors about the
obligations incumbent on them, as well as dealing with the claims presented by an
interested party and investigating the reason for them.


Correlatively, article 31 of the RGPD establishes the obligation of those responsible
and those in charge of the treatment to cooperate with the control authority that requests it in

the performance of their duties. In the event that they have appointed a
data protection delegate, article 39 of the RGPD attributes to it the function of
cooperate with that authority.

Similarly, the domestic legal system, in article 65.4 of the LOPDGDD, has
provided for a mechanism prior to the admission for processing of the claims that are
formulated before the Spanish Agency for Data Protection, which consists of
forwarding them to the data protection delegates designated by the
controllers or processors, for the purposes provided in article 37 of
the aforementioned norm, or to the latter when no delegates have been designated, so that they
proceed to the analysis of said claims and respond to them within a month.

In accordance with this regulation, prior to the admission for processing of the
claim that gives rise to this procedure, it was transferred to the
responsible entity to proceed with its analysis, respond to this Agency

within a month and prove that they have provided the claimant with the due response,
in the event of exercising the rights regulated in articles 15 to 22 of the
GDPR.

The result of said transfer was not satisfactory, considering the procedure followed
by the draft archiving of the proceedings (Draft decision) and the objections formulated
in this regard, so that the continuation of the actions was appropriate for the
determination of the possible responsibilities revealed. Consequently,
on 12/11/2020, for the purposes provided in article 64.2 of the LOPDGDD, the
Spanish Agency for Data Protection agreed to admit for processing the claim
communicated by the Dutch data protection authority (Autoriteit
Persoonsgegevens -AP) for alleged infractions related to the exercise of the
rights recognized to the holders of personal data. Said agreement of admission for
processing determined the opening of this sanctioning procedure.


Dealing exclusively with a claim for lack of attention to a request
of exercise of the rights established in articles 15 to 22 of the RGPD, it follows
the procedure regulated in article 64.1 of the LOPDGDD, according to which:

"1. When the procedure refers exclusively to the lack of attention to a request for
exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679,
will be initiated by agreement of admission to processing, which will be adopted in accordance with the provisions of the

next article.
In this case, the term to resolve the procedure will be six months from the
date on which the claimant was notified of the agreement for admission to processing.
After this period, the interested party may consider their claim upheld.”

On the contrary, when the procedure does not refer exclusively to the
attention to a request for the exercise of rights, the determination of
administrative responsibilities in the framework of a sanctioning procedure is appropriate,
it being the exclusive competence of this Agency to assess whether there are administrative
responsibilities that must be determined in a procedure of this nature and,
consequently, the decision on its opening.


In this case, there are elements that justify the exercise of the sanctioning
activity, considering that the procedure provided for in article 64.1 of the
aforementioned LOPDGDD would not duly restore the guarantees and rights of
the interested parties.

The origin of the actions is a claim made by a
specific interested party, whose subject is the failure to attend to the right of access
exercised by the claimant before the claimed entity. On that basis, it could be thought that
we are facing the procedure regulated in article 64.1 of the LOPDGDD.


However, this claim by an individual person has revealed a
general practice of the controller, this specific case being the reflection of
a common guideline or policy applied to all affected persons who are in
the same situation as the claimant. When an action that is considered wrong
derives from a general policy adopted by the data controller, so
that it is not a matter of isolated errors in one case, the infraction does not reside
exclusively in the case examined but in that general action adopted by the
controller.

To do otherwise would be inconsistent with the purpose and will of the Community legislator,
expressly embodied in the GDPR when it indicates that it is for the
control authorities to enforce the rule.

Consequently, this procedure analyzes the impact of the general action
followed by PAGE GROUP EUROPE in the management and resolution of requests for
the exercise of the rights of access and portability made by the interested parties,
(...).

In view of the deficiencies noted in the procedure designed by the claimed
entity with regard to data protection regulations, it turns out that such
deficiencies have a general scope, so that they affect all the
interested parties who had made the indicated requests, and not only the claimant.

This is the conclusion reached in view of the information and statements that the claimed
entity itself has provided to this Agency, in which it recognizes that the process for
attending to rights responded to the design made by it and sets out the reasons
that led it to implement a strict identity verification process, which
is based, among other reasons that are outlined in the Background, on the
nature of the Human Resources services it provides, (...). It defends its
system arguing that it responds to an excess of zeal of the entity.


(...).

The information provided by the respondent entity, moreover, is consistent with the
action carried out in relation to the specific access request of the
claimant.


Therefore, it is not understood that PAGE GROUP EUROPE, in its allegations to the
opening of the procedure, states that it made a mistake in explaining the aforementioned
rights management process and modifies its earlier approach to
set out circumstances that do not conform to reality. The truth, as
accredited in the proceedings, is that the identity verification scheme
designed by the respondent applied to all cases of exercise of rights of
access and portability, in general, and not only in cases where there are
doubts about the identity of the applicant, as it now points out in its allegations; (...).

On the other hand, PAGE GROUP EUROPE states in its pleadings that
it has followed the recommendations of the authorities; however, it does not mention
which recommendations would justify the procedure it follows.

Throughout the text of its pleadings brief, it only refers to the “Guide for
the Citizen” prepared by the AEPD and the instructions contained in the forms
for the exercise of rights that this Agency makes available to citizens
through its website. In both cases, as the respondent entity points out,
citizens are informed about the possibility that controllers may request a
photocopy of the DNI or equivalent document, but it is warned that this must be considered
when the controller has doubts about the identity of the applicant and also that
the electronic signature can be used instead of the identification document.

The content of those documents does not contradict the criteria set out in
this act. It should be noted that the specific objective of these guides
is to provide guidance on best practices in the most general cases, so they
do not cover all the specific cases that may arise, and this means that the
guidance they contain should be completed as appropriate.

Finally, it is worth highlighting at this point that the conclusions presented
below are obtained by applying the rules established by the GDPR and
the LOPDGDD, without considering repealed regulations, such as Royal Decree 1720/2007,
nor cultural aspects or historical issues inherited from local regulations, to which
the claimed entity refers in its pleadings brief.



                                            IV

The rights of individuals regarding the protection of personal data are
regulated in articles 15 to 22 of the GDPR and 13 to 18 of the LOPDGDD. They
cover the rights of access, rectification, deletion, opposition,
limitation of treatment and portability.

The formal aspects related to the exercise of these rights are established in the
articles 12 of the RGPD and 12 of the LOPDGDD.


Article 12 “Transparency of information, communication and modalities of
exercise of rights” of the GDPR establishes the following:

"1. The data controller will take the appropriate measures to provide the interested party
with all information indicated in articles 13 and 14, as well as any communication
under articles 15 to 22 and 34 regarding the treatment, in a concise, transparent,
intelligible and easily accessible form, in clear and simple language, in particular any information
specifically targeted at a child. The information will be provided in writing or by other
means, including, if applicable, by electronic means. When requested by the interested party, the
information may be provided verbally as long as the identity of the interested party is proven
by other means.


2. The data controller will facilitate the interested party's exercise of their rights under
articles 15 to 22. In the cases referred to in article 11, paragraph 2, the controller
will not refuse to act at the request of the data subject in order to exercise their rights under
Articles 15 to 22, unless it can show that it is unable to identify the
interested party.


3. The data controller will provide the interested party with information regarding its actions
on the basis of a request under articles 15 to 22, and, in any case, within the
period of one month from receipt of the request. This period may be extended for another
two months if necessary, taking into account the complexity and number of requests. The
controller will inform the interested party of any of said extensions within a month
from receipt of the request, indicating the reasons for the delay. When the interested party
submits the application electronically, the information will be provided by electronic
means when possible, unless the interested party requests that it be provided in another way.

4. If the data controller does not act on the request of the interested party, it will inform them without
delay, and no later than one month after receipt of the request, of the reasons for
its non-action and the possibility of presenting a claim before a control authority
and of exercising legal actions.

5. The information provided under articles 13 and 14 as well as all communication and
any action carried out under articles 15 to 22 and 34 will be free of charge.

When the requests are manifestly unfounded or excessive, especially due to
their repetitive nature, the data controller may: a) charge a reasonable fee
based on the administrative costs incurred to provide the information or communication
or perform the requested action, or b) refuse to act on the request. The data
controller will bear the burden of demonstrating the manifestly unfounded or
excessive nature of the request.


6. Without prejudice to the provisions of article 11, when the data controller has
reasonable doubts in relation to the identity of the natural person who makes the request
referred to in articles 15 to 21, it may request that the additional information
necessary to confirm the identity of the interested party be provided.


7. The information that must be provided to the interested parties under articles 13 and 14
may be transmitted in combination with standardized icons that provide, in an
easily visible, intelligible and clearly legible form, an adequate overview of the
planned treatment. The icons that are presented in electronic format will be
machine-readable.


8. The Commission shall be empowered to adopt delegated acts in accordance with Article 92
in order to specify the information to be presented through icons and the
procedures for providing standardized icons”.


For its part, article 12 “General provisions on the exercise of rights”
of the LOPDGDD, in sections 2 and 4, adds the following:

"2. The data controller will be obliged to inform the affected party about the means at their
disposal to exercise the corresponding rights. The means should be easily
accessible to the affected party. The exercise of the right may not be denied for the sole reason
that the affected party opts for another means”.

"4. Proof of compliance with the duty to respond to the request to exercise their
rights formulated by the affected party will fall on the person responsible”.

What is expressed in Recitals 59 and following of the GDPR is also taken
into account.


In accordance with the provisions of these rules, the data controller
must arrange formulas and mechanisms to facilitate the interested party's exercise of their
rights, which will be free (without prejudice to the provisions of articles 12.5 and 15.3
of the GDPR); is obliged to respond to requests made no later than one
month, unless it can show that it is unable to identify the
interested party; and must state its reasons in case it does not act on the request.


From the foregoing, it follows that the request for the exercise of rights made by the
interested party must be answered in any case, with proof of compliance with this duty
falling on the controller.


This obligation to act is not enforceable when the data controller
can demonstrate that it is not in a position to identify the interested party (in the cases
referred to in article 11.2 of the GDPR). In cases other than those provided for in this
article, in which the data controller has reasonable doubts in relation to
the identity of the applicant, it may require the additional information necessary to
confirm that identity.

In this regard, Recital 64 of the RGPD is expressed in the following terms:


“(64) The controller must use all reasonable measures to verify the
identity of data subjects requesting access, in particular in the context of online
services and online identifiers. The controller must not keep personal data with
the sole purpose of being able to respond to possible requests.”


Regarding the right of access, the GDPR stipulates the following in its
article 15:

"1. The interested party shall have the right to obtain confirmation from the data controller as to whether
personal data concerning them is being processed or not and, in such a case, the right of access to
the personal data and the following information:

a) the purposes of the treatment;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data were communicated
or will be communicated, in particular recipients in third countries or international
organizations;
d) if possible, the expected term of conservation of the personal data or, if not
possible, the criteria used to determine this period;
e) the existence of the right to request from the controller the rectification or deletion of data
or the limitation of the processing of personal data relating to the interested party, or to
object to such processing;
f) the right to file a claim with a supervisory authority;
g) when the personal data has not been obtained from the interested party, any information
available on its origin;
h) the existence of automated decisions, including profiling, referred to in
article 22, sections 1 and 4, and, at least in such cases, significant information
on the logic applied, as well as the importance and the foreseen consequences of said
treatment for the interested party.


2. When personal data is transferred to a third country or an international organization,
the interested party shall have the right to be informed of the appropriate guarantees under article
46 relating to the transfer.

3. The data controller will provide a copy of the personal data subject to
treatment. The controller may charge a reasonable fee based on administrative costs
for any other copy requested by the interested party. When the interested party submits the
request by electronic means, and unless they request that it be provided in another way, the
information will be provided in a commonly used electronic format.


4. The right to obtain a copy mentioned in section 3 will not negatively affect the
rights and freedoms of others”.

Like the rest of the rights of the interested party, the right of access is a
personal right. It allows the citizen to obtain information about the treatment
that is being made of their personal data, the possibility of obtaining a copy of
the personal data that concerns them and that is being processed, as well
as the information listed in the article cited above.

In the present case, the claimant, a Dutch citizen, opened an account in the
Dutch version of the web portal of the entity Michael Page International, accessible
at the URL “***URL.1”, and sent through that channel, in March 2018, a Curriculum Vitae
(CV) to obtain a job offered by the Dutch subsidiary of the
PageGroup group.


Subsequently, on 09/28/2018, she exercised the right of access to her data
by email sent to the address "***EMAIL.1", which
coincides with the one indicated for such purposes in the Privacy Policy of the web portal,
expressly indicating in this request her interest in knowing the data processed, the
purposes for which they are processed, the recipients and the shared data, as well as the
legal basis of each treatment operation (this request conforms to the content of the
right of access established by the aforementioned article 15 of the GDPR, which, as has
been explained, does not only imply informing the applicant about the personal data or
categories of data that are processed, so the exceptional character
attributed to it by the entity complained against is not understood when it alleges that these
access requests are not frequent since it is the interested parties themselves who directly
provide their personal data and have the information available in their personal
area).


The request made by the claimant was sent from the same email address
of the claimant that is registered in the PageGroup database,
which, according to the interested party, had been used by the subsidiary
of the Group to send her job offers and commercial communications.


(...).

Also on two occasions, by email, dated 10/20 and
11/11/2018, the claimant warned that the required identification constitutes
excessive data processing or an impediment to the exercise of her right and pointed out
expressly that the identification process is simplified considering that she has an
account on the entity's website.


It would not be until 11/12/2018, once the claimant communicated her intention to
lodge a complaint with the Dutch data protection authority,
when PAGE GROUP EUROPE modified its initial requirements, (…).

On the issue of verifying the identity of those requesting the exercise of rights,
the rules set forth above are clear in stating that this verification process
should be limited to the specific cases in which the controller has "reasonable"
doubts in relation to the identity of the natural person making the request.

Article 12.6 of the GDPR refers to all requests for rights and admits the
possibility of requesting, in those cases, the "additional information" necessary to
confirm the identity of the interested party. In particular, in relation to access
requests in the context of online services, Recital 64 of the same
Regulation refers to the possibility that the controller uses all “reasonable
measures” to verify the identity of the interested parties.


The rules that regulate the exercise of rights do not establish, therefore, the
need to provide any specific identification document for requests to be
attended to; they do not even require that verification of identity be carried out through
documentation. They refer to the possibility of collecting “additional information” and to the
use of “reasonable measures”, it being for the controller to determine what
information and what measures are reasonable in each case, taking into account the
concurrent circumstances and always resorting to the means least invasive of
the privacy of applicants. All this, under the prior condition that
it is a case in which there are “reasonable doubts” about the identity of the
applicant.


PAGE GROUP EUROPE has not justified that these reasonable doubts existed in
relation to the identity of the claimant. On the contrary, the actions of this entity
respond to the rights management procedure designed by itself, in its
capacity as controller, (...), without previously analyzing whether or not those
reasonable doubts exist.


(...).

In this case, the claimant was registered in the
information systems of the responsible entity, which had extensive
information about her; and the request for access to personal data was
made from the same e-mail address of the claimant that was already
in the database of said entity.

It is not understood, therefore, that this case has been treated as one of those cases
in which there are doubts about the identity of the applicant (...), when the entity had
less intrusive means to ensure that the information would be sent to the holder of
the data in question, such as checking some of the data already available.


PAGE GROUP EUROPE knew the contact details of the complainant, so
that the request received from the email address that said entity
had registered in its systems and the sending to this address of the information requested
with the access offered sufficient guarantees, in the opinion of this Agency, to have
responded to the request received. All the more so considering that there was no
circumstance that led the claimed entity to suspect an impersonation of
identity or a computer attack.

The rigorous requirements imposed on the claimant to process her access
request caused this request to remain unanswered, despite the two
warnings made by the claimant herself about the excessive requests for
documentation that were sent to her; which led the claimant
to choose to go to the Dutch data protection authority instead of
continuing with the processing of her request, as she had warned in her
email dated 11/11/2018.

Consequently, PAGE GROUP EUROPE is responsible for the fact that the term
established to meet the claimant's request elapsed without
the due response being given, providing the information requested.


The right of access was finally attended to on 08/27/2020, during the
processing of the claim carried out by this Agency as the main control
authority, following an express request of this Agency dated 08/14/2020.
In this regard, it should be specified that the response to the access
request cannot be given on the occasion of a mere administrative procedure,
such as the transfer of the claim to the claimed party in compliance with what is
established in article 64.3 of the LOPDGDD.

Consequently, in accordance with the evidence set out, the aforementioned facts
represent a violation of the provisions of article 12, sections 2 and 3, of the GDPR,
due to the failure to attend to the right of access exercised by the claimant, which gives rise to
the application of the corrective powers that article 58 of the aforementioned Regulation
grants to the Spanish Data Protection Agency.


                                           V


(...).

As stated in the previous Legal Basis, this action of
the claimed entity responds to the rights management procedure designed by
itself, as data controller, (...).

The claimant considered that there was no reason to require that identification
information as necessary for attending to the right, considering that it was not
required to open an account on the web portal or to submit her CV. The
claimant understands that authenticated access to the account, which was still active at the
time the request was addressed to the responsible entity, should be sufficient
to consider the right exercised and her identity accredited in a system such as the one
used by the controller, based on the use of a private account.

Regarding this matter, the arguments expressed by the control authorities
CNPD and Berlin DPA, which are listed in the Fourth Precedent, apply, (...);
that this procedure does not protect applicants' data and increases the risks
for those affected; that this documentation is not required of the interested parties to
open an account or send a CV; that additional information should only be requested if
there are doubts about the identity of the interested party, requesting information that is
necessary and appropriate for that verification, based on the applicant's available data.


Both control authorities advocate a less intrusive way of checking the
identity of the applicant, (...), (e.g. electronic identification or sending the request
via the user account along with an additional authentication factor sent
by a different channel); and agree with the claimant that access to the private
account should be considered sufficient.

The arguments expressed in the preceding legal basis also apply, because they
coincide, on the possibility of requesting the additional information necessary
to confirm the identity of the interested party only when the controller has
reasonable doubts in relation to the identity of the applicant of the right (article 12.6
of the GDPR).


(...).



The assessment of these facts requires taking into account, likewise, what is established in
Articles 25 and 32 of the RGPD, which establish the following:

“Article 25. Data protection by design and by default.
1. Taking into account the state of the art, the cost of the application and the nature, scope,
context and purposes of the treatment, as well as the risks of varying probability and severity that
the processing poses for the rights and freedoms of natural persons, the data controller
will apply, both at the time of determining the means of treatment and at
the time of the treatment itself, appropriate technical and organizational measures, such as
pseudonymization, designed to effectively apply the principles of data protection,
such as data minimization, and integrate the necessary guarantees in the treatment, in
order to comply with the requirements of this Regulation and to protect the rights of
the interested parties.

2. The data controller will apply the appropriate technical and organizational measures
with a view to guaranteeing that, by default, only the personal data that
are necessary for each of the specific purposes of the treatment are processed. This obligation
will apply to the amount of personal data collected, the extent of its treatment, its
term of conservation and its accessibility. Such measures shall in particular ensure that, by
default, the personal data are not accessible, without the intervention of the person, to an
indeterminate number of natural persons.

3. A certification mechanism approved under Article 42 may be used as an
element that proves compliance with the obligations established in sections 1 and 2
of this article.

“Article 32. Security of the treatment.

1. Taking into account the state of the art, the application costs, and the nature,
scope, context and purposes of the treatment, as well as risks of varying probability and severity
for the rights and freedoms of natural persons, the controller and the processor
will apply appropriate technical and organizational measures to guarantee a level of security
appropriate to the risk, which, where appropriate, includes, among others:
a) pseudonymization and encryption of personal data;
b) the ability to ensure the permanent confidentiality, integrity, availability and resilience
of treatment systems and services;
c) the ability to restore the availability of and access to personal data
quickly in the event of a physical or technical incident;
d) a process of regular verification, evaluation and assessment of the effectiveness of the
technical and organizational measures to guarantee the security of the treatment.

2. When evaluating the adequacy of the level of security, particular consideration will be given to the
risks presented by the processing of data, in particular as a consequence of the
accidental or unlawful destruction, loss or alteration of transmitted personal data,
stored or otherwise processed, or unauthorized communication or access to such
data.
(…)”.


In this case, the system designed by PAGE GROUP EUROPE establishes
demands for attending to the rights of the interested parties that go beyond what is
foreseen in the regulations that govern these rights; and they do not respond to any of
the criteria and factors referred to in the aforementioned article 25.1 of the GDPR, such as the
context, the risks or the purpose of the treatment.

(...).

(...).

(...).

(...).



As a result of all this, (...), it gives rise, in the indicated circumstances, to the
processing of personal data that is inappropriate, irrelevant and not necessary for
this specific purpose of the treatment, contrary to the principles of data protection,
especially the principle of "data minimization", regulated in article 5.1.c)
of the GDPR:

“Article 5 Principles relating to the treatment
1. The personal data will be:
c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are
processed (“data minimization”)”.

Regarding the scope of this principle, Recital 39 of the GDPR indicates that "the
personal data should only be processed if the purpose of the processing cannot be achieved
reasonably by other means".

There is no need to insist on the fact that in the cases analyzed the
collection of identification documentation from the people requesting a right is not
necessary, since other, less intrusive, reliable means of identification exist; and even
less necessary is the collection of various identity documents.

(...).

The claimed entity also considers that (...), make its action compatible with
respect for the principle of minimization, as necessary, proportional and suitable to
protect the rights of the interested party, thus complying with what is indicated in
Recital 156 of the GDPR, according to which "The conditions and guarantees in question
may entail specific procedures for the interested parties to exercise said
rights if it is appropriate in light of the purposes pursued by the treatment
together with the technical and organizational measures aimed at minimizing the
processing of personal data in accordance with the principles of proportionality and
necessity". However, this Recital refers to processing for
archiving purposes in the public interest and it cannot be invoked in the case at hand.

Consequently, the facts cited, in relation to the processing of data that
the rights management procedure followed by PAGE GROUP
EUROPE for the verification of the identity of the interested parties entails, constitute a
violation of the provisions of article 5.1.c) of the GDPR, which gives rise to the application
of the corrective powers that article 58 of the aforementioned Regulation grants to the
Spanish Data Protection Agency.


                                             VI

In the event that there is an infringement of the provisions of the GDPR, among the
corrective powers available to the Spanish Data Protection Agency,
as a control authority, article 58.2 of said Regulation contemplates the
following:

“2. Each control authority will have all the corrective powers indicated
below:
(…)
b) sanction any controller or processor with a warning when the
treatment operations have violated the provisions of this Regulation;
(...)
d) order the controller or processor to bring treatment operations
into compliance with the provisions of this Regulation, where appropriate, in a specified
manner and within a specified time;
(…)
i) impose an administrative fine under article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each particular
case;”.


According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.



                                            VII

The facts set out do not comply with the provisions of articles 12 and 5.1.c) of the GDPR,
with the scope expressed in the previous Legal Foundations, which means
the commission of offenses typified, respectively, in sections 5.b)
and 5.a) of article 83 of the GDPR, which under the heading “General conditions for the
imposition of administrative fines” provides the following:

"5. Violations of the following provisions will be sanctioned, in accordance with the
section 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a
company, of an amount equivalent to a maximum of 4% of the total annual turnover
of the previous financial year, opting for the highest amount:


a) the basic principles for the treatment, including the conditions for consent
under articles 5, 6, 7 and 9.
b) the rights of the interested parties according to articles 12 to 22”.

In this regard, the LOPDGDD, in its article 74, considers as "minor" infractions, for
the purposes of prescription, the infractions of a merely formal nature of the articles
mentioned in article 83.5 of the GDPR and, specifically, "c) Not attending to the
requests to exercise the rights established in articles 15 to 22 of
Regulation (EU) 2016/679, unless the provisions of
article 72.1.k) of this Organic Law apply”.

For its part, section 1.a) of article 72 of the LOPDGDD considers, as “very

serious”, for purposes of prescription:

"1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following:


a) The processing of personal data violating the principles and guarantees established in the
Article 5 of Regulation (EU) 2016/679” .

In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD must be observed, precepts that indicate:

"1. Each control authority will guarantee that the imposition of administrative fines in
accordance with this article for the infringements of this Regulation indicated in
sections 4, 5 and 6 is in each individual case effective, proportionate and dissuasive.

2. Administrative fines will be imposed, depending on the circumstances of each individual
case, in addition to or as a substitute for the measures referred to in article 58,
section 2, letters a) to h) and j). When deciding to impose an administrative fine and its amount
in each individual case, due account shall be taken of:
a) the nature, seriousness and duration of the offence, taking into account the nature,
scope or purpose of the treatment operation in question as well as the number of
affected parties and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the person responsible or in charge of the treatment to alleviate the
damages suffered by the interested parties;
d) the degree of responsibility of the data controller or processor, taking into account
the technical or organizational measures that they have applied by virtue of articles 25 and 32;
e) any previous infringement committed by the person responsible or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in particular whether the
person responsible or the person in charge notified the infringement and, if so, to what extent;
i) when the measures indicated in article 58, section 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the same
matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or certification mechanisms
approved under article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as
financial benefits obtained or losses avoided, directly or indirectly, through
the infraction”.


For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD
provides:

"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of the Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in the
section 2 of the aforementioned article.

2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the
following may also be taken into account:

a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of personal data
processing.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission of the
infringement.
e) The existence of a merger by absorption process subsequent to the commission of the infraction,
that cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Having, when not mandatory, a data protection officer.
h) Submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which there are
controversies between them and any interested party”.

In this case, considering the seriousness of the infractions found, the
imposition of a fine and, where appropriate, the adoption of measures is appropriate. The
request made by PAGE GROUP EUROPE for the imposition of other corrective
powers, such as the warning, which is intended for natural persons and
for when the sanction constitutes a disproportionate burden (recital 148 of the
GDPR), cannot be accepted. In this respect, this Agency does not agree that the infringements
declared are of little seriousness, considering the effects that have been determined on the
exercise of the rights recognized to the interested parties; nor with the short duration of the
same alleged by the respondent, given that the irregular process of managing
those rights has been in place since the moment the GDPR became applicable.

In accordance with the precepts indicated, in order to set the amount of the penalties
to impose in the present case, it is considered appropriate to graduate the fines
according to the following criteria:

1. Infringement of article 12 of the RGPD, typified in article 83.5.b) and qualified as
minor for purposes of prescription in article 74.c) of the LOPDGDD:


The following graduation criteria are considered concurrent as aggravating:

     . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the
     infringement, taking into account the nature, scope or purpose of the operation
     of treatment in question as well as the number of interested parties affected and the
     level of damages they have suffered”.

         . The nature of the infraction, since the lack of attention to the right of
         access, due to its content, affects the ability of the claimant to exercise
         true control over their personal data.
         . The nature of the damage caused to the interested person, who saw
         one of their basic rights in terms of personal data protection go
         unattended, despite the communications they sent insisting
         on their interest.

     . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the
     data processor, taking into account the technical or organizational measures
     that they have applied by virtue of articles 25 and 32”.


     The imputed entity does not have adequate procedures in place for
     acting in the collection and processing of personal data, as
     regards the management of requests for the exercise of rights, so that the
     infringement is not the consequence of an anomaly in the functioning of said
     procedures but of a defect in the personal data management system
     designed by the person in charge. Said procedure was adopted by the respondent on
     its own initiative, establishing requirements that exceeded the provisions of the
     applicable regulations.

     . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender
     with the processing of personal data”.

     The high link between the activity of the offender and the performance of treatment
     of personal data, considering the activity that it develops in the sector of
     Human Resources and the level of implementation of the entity (the Sixth
     Antecedent gives some details about this implementation).

     . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor
     applicable to the circumstances of the case, such as the financial benefits obtained
     or losses avoided, directly or indirectly, through the infringement”.


     The large company status and turnover of PageGroup and PAGE
     GROUP EUROPE (the Sixth Antecedent gives some details in this
     respect).

The following extenuating circumstances are also considered to apply:

     . Article 83.2.f) of the RGPD: “f) the degree of cooperation with the control authority
     in order to remedy the infringement and mitigate possible adverse effects
     of the offence”.


     The right of access exercised by the claimant was finally addressed by the
     claimed entity, although the intervention of the control authorities was
     necessary.


PAGE GROUP EUROPE, in its pleadings brief, has not made any statement
regarding the criteria and factors assessed to classify this infraction.

Considering the factors set out, the fine for the
violation of article 12 of the RGPD is assessed at 50,000 euros (fifty thousand euros).

2. Infringement due to non-compliance with the provisions of article 5.1.c) of the RGPD,
typified in article 83.5.a) and classified as very serious for prescription purposes
in article 72.1.a) of the LOPDGDD:

The following graduation criteria are considered concurrent as aggravating:


     . Article 83.2.a) of the RGPD: “a) the nature, seriousness and duration of the
     infringement, taking into account the nature, scope or purpose of the operation
     of treatment in question as well as the number of interested parties affected and the
     level of damages they have suffered”.

         . The nature, seriousness and duration of the offence, taking into account the
         nature, scope or purpose of the processing operations in
         question. The infringement affects fundamental aspects of data protection
         (...), according to the rights management procedure implemented by the
         respondent at the time the GDPR became applicable, which was not
         rectified until the opening of the procedure.

         . The number of interested parties: the infringement affects all the interested parties that
         have exercised the right of access or portability, although it is necessary
         to consider the significance that the offending conduct may have had on
         all the entity's clients, very numerous considering the level of
         its international implementation.

         . The nature of the damage caused to the interested persons, who have seen
         their rights limited and the risk to their privacy increased.

     . Article 83.2.b) of the RGPD: "b) the intention or negligence in the infringement".

     The negligence observed in the commission of the infraction.

     In this respect, the argument made by PAGE GROUP EUROPE cannot be accepted,
     according to which negligence must be assessed when the conduct
     deviates from recognized standards. If conduct deviates from what the rule
     establishes, it cannot be said that it meets the standards.

     In addition, in relation to the claimant's request for access, the aforementioned entity,
     (...), did not attend to the right until the intervention of the control authorities.

     . Article 83.2.d) of the RGPD: “d) the degree of responsibility of the person in charge or of the
     data processor, taking into account the technical or organizational measures
     that they have applied by virtue of articles 25 and 32”.

     The imputed entity does not have adequate procedures in place for
     acting in the collection and processing of personal data, so
     that the infringement is not the result of an anomaly in the functioning of
     these procedures but of a defect in the personal data management system
     designed by the person in charge.

    . Article 76.2.a) of the LOPDGDD: “a) The continuous nature of the infraction”.

    (...). It is a plurality of actions that follow the performance designed by
    PAGE GROUP EUROPE, which violate the same precept.


    . Article 76.2.b) of the LOPDGDD: “b) The link between the activity of the offender
    with the processing of personal data”.

    The high link between the activity of the offender and the performance of treatment
    of personal data, taking into account the reasons already expressed when setting out the
    graduation factors for the previous offense.

    . Article 83.2.k) of the RGPD: “k) any other aggravating or mitigating factor
    applicable to the circumstances of the case, such as the financial benefits obtained
    or losses avoided, directly or indirectly, through the infringement”.


         . The volume of data and processing that constitutes the object of the file,
         taking into account the level of information that the requested person has
         accessing its services.
         . The large company status and turnover of PageGroup and PAGE
         GROUP EUROPE.

The following extenuating circumstances are also considered to apply:


    . Article 83.2.c) of the RGPD: “Any measure taken by the person in charge or
    in charge of the treatment to alleviate the damages suffered by the
    interested”.
    . Article 83.2.f) of the RGPD: “The degree of cooperation with the control authority
    in order to remedy the infringement and mitigate possible adverse effects
    of the offence”.


    PAGE GROUP EUROPE has designed a new management procedure for
    rights that corrects the objections that have given rise to the commission of the
    infractions. However, it is taken into account that this remedy did not take
    place until after the opening of the procedure had been agreed.

Considering the factors set out, the fine for the
violation of article 5.1.c) of the RGPD is assessed at 250,000 euros (two hundred and fifty thousand
euros).

None of the graduation factors considered is attenuated by the fact
that the claimed entity has not previously been subject to a sanctioning procedure,
a circumstance that the claimed entity has alleged so that it
be considered a mitigating factor.

In this regard, the AN Judgment of 05/05/2021, rec. 1437/2020, indicates that

“Considers, on the other hand, that the non-commission of a previous offense should be
considered as mitigating. Well, article 83.2 of the RGPD establishes that, for the
imposition of the administrative fine, account must be taken, among others, of the
circumstance "e) any previous infraction committed by the person in charge or the person in charge
of the treatment". This is an aggravating circumstance; the fact that
the prerequisite for its application is not met entails that it cannot be taken into
consideration, but does not imply or allow, as claimed by the plaintiff, its application
as a mitigating factor”.

PAGE GROUP EUROPE also refers in its allegations to two proceedings
conducted by the Dutch data protection authority for unlawful processing of
identification documents in which the companies involved were not
sanctioned, although, according to the claimed entity itself, these are
actions prior to the entry into force of the GDPR. In addition, no details are provided
of what determined said agreements.

                                          VIII


The infractions committed may lead to the person responsible being required to
adopt appropriate measures to adjust its actions to the regulations mentioned
in this act, in accordance with the provisions of the aforementioned article 58.2.d) of the RGPD,
according to which each control authority may "order the person in charge or in charge
of the treatment that the treatment operations comply with the provisions of
this Regulation, where appropriate, in a certain way and within a
specified period…”. Failure to attend to the requirements of this body may
be considered a serious administrative infraction for “not cooperating with the
Control authority” in the face of such requirements, and such conduct may be assessed
when opening an administrative sanctioning procedure with a pecuniary
fine.

In such a case, in the resolution that is adopted, this Agency may require the responsible
entity to adapt, within the period determined, the treatment operations carried out and the
mechanisms and procedures that it follows to deal with requests to exercise
rights formulated by the interested parties to the regulations on the
protection of personal data, with the scope expressed in the
Legal Foundations of this agreement.

Likewise, the measures that could be adopted in the resolution that puts an end to the
procedure, in relation to the treatment activities and the exercise of
rights, will be applicable in all the countries of the European Union in which
PageGroup operates.

(...).


(...).

(...).

(...).


However, the aforementioned entity has provided, with its brief of allegations on the opening
of the procedure, the document called “RGPD data request process
of the EU”, which sets out the management that it currently follows in relation to
requests to exercise rights. (...).


(...).

(...).



It is considered that these new measures implemented by PAGE GROUP EUROPE
conform to the criteria assessed in these actions, in relation to the
procedures for managing requests for the exercise of rights and the means to
validate the identity of the applicants, so that the imposition of
additional measures is not appropriate.

                                              IX


Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure
of Public Administrations (LPACAP), under the heading "Termination in
sanctioning procedures”, provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or it is possible to impose a pecuniary
sanction and another of a non-pecuniary nature but the inadmissibility of the
second has been justified, the voluntary payment by the alleged perpetrator, at any time prior to the
resolution, will imply the termination of the procedure, except in relation to the replacement of the
altered situation or the determination of compensation for damages caused
by committing the offence.

3. In both cases, when the sanction is solely pecuniary in nature, the body
competent to resolve the procedure will apply reductions of at least 20% on the
amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions
must be determined in the notification of initiation of the procedure and their effectiveness
will be conditioned on the withdrawal or renunciation of any administrative action or
appeal against the sanction.

The reduction percentage provided for in this section may be increased
by regulation”.

The entity PAGE GROUP EUROPE, during the period granted to it to
formulate allegations to the proposed resolution, has proceeded to the voluntary payment of
the sanction with the legally foreseen reduction, which determines the end of the
procedure and entails the waiver of any administrative action or appeal
against the penalty.


Therefore, in accordance with the applicable legislation, the Director of the
Spanish Data Protection Agency RESOLVES:

FIRST: DECLARE the termination of procedure PS/00003/2021, followed
against the entity PAGE GROUP EUROPE, S.L. for violations of articles 12
and 5.1.c) of the RGPD, typified in articles 83.5.b) and 83.5.a) of the same Regulation,
respectively; in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to the entity PAGE GROUP EUROPE,
S.L.

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as prescribed by
Articles 48.6 of the LOPDGDD and 114.1.c) of Law 39/2015, of October 1, of the
Common Administrative Procedure of the Public Administrations, the interested parties
may file a contentious-administrative appeal before the Contentious Chamber
of the National High Court, in accordance with the provisions of article 25 and
section 5 of the fourth additional provision of Law 29/1998, of July 13,
regulating the Contentious-Administrative Jurisdiction, within a period of two months
counted from the day following the notification of this act, as provided in
Article 46.1 of the aforementioned Law.

                                                                                    938-231221
Mar España Martí
Director of the Spanish Data Protection Agency