AEPD (Spain) - PS/00050/2021: Difference between revisions
From GDPRhub
(→Facts) |
mNo edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 44: | Line 44: | ||
|Appeal_To_Link= | |Appeal_To_Link= | ||
|Initial_Contributor=Carmen Villarroel | |Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Carmen.villarroel Carmen Villarroel] | ||
| | | | ||
}} | }} | ||
| Line 75: | Line 75: | ||
According to the DPA, since biometric systems are very intrusive to data subjects' rights and freedoms, they are generally prohibited, and restrictions shall be interpreted restrictively. | According to the DPA, since biometric systems are very intrusive to data subjects' rights and freedoms, they are generally prohibited, and restrictions shall be interpreted restrictively. | ||
The DPA remarked that Article 9 GDPR establishes an exception when processing is necessary to carry out | The DPA remarked that [[Article 9 GDPR]] establishes an exception when processing is necessary to carry out obligations and exercising specific rights of the controller or of the data subject in the field of employment. Furthermore, the DPA remarks that [[Article 88 GDPR]] allows Member States to provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights. | ||
Here, the AEPD argued that, since | Here, the AEPD argued that, since processing shall be necessary, the controller needs to substantiate such necessity. However, the DPA considered that there are alternative systems that comply with the minimization, proportionality and necessity principles, and that in order to use biometric systems the controller needs to demonstrate high levels of proactive accountability and privacy by design implementation, including a justification for the necessity and proportionality of the system, certifying that there are no less intrusive alternatives for the purposes for what the system needs to be used. | ||
Before implementing such a system, the controller should have carried out a DPIA, to determine whether an alternative less intrusive method was possible in order to attain the same results. | Before implementing such a system, the controller should have carried out a DPIA, to determine whether an alternative less intrusive method was possible in order to attain the same results. | ||
The DPA also noted that the controller did not provide the document with which they obtained the consent of the workers. The DPA also noted that the processing, contrary to what the controller had alleged, could not have been based on the legal basis from [[Article 6 GDPR|Article 6(1)(b) GDPR]], since the access control is not necessary for the performance of a contract. In any case, it could be argued that it could | The DPA also noted that the controller did not provide the document with which they obtained the consent of the workers. The DPA also noted that the processing, contrary to what the controller had alleged, could not have been based on the legal basis from [[Article 6 GDPR|Article 6(1)(b) GDPR]], since the access control is not necessary for the performance of a contract. In any case, it could be argued that it could have relied on [[Article 6 GDPR#1|Article 6(1)(c)]], on the norm that regulates access control for workers, as long as it respected the data protection principles. | ||
Subsequently, the DPA argued that consent shall be exceptional in the framework of labour relationships, since there is risk of coercion. Additionally, consent must be withdrawable without any negative consequences. There shall also be a possibility of not giving consent in the first place. | Subsequently, the DPA argued that consent shall always be exceptional in the framework of labour relationships, since there is risk of coercion. Additionally, consent must be withdrawable without any negative consequences. There shall also be a possibility of not giving consent in the first place. | ||
Finally, the DPA concluded that the controller should have carried a DPIA previous to the implementation of the biometric system. Controllers shall be able to demonstrate compliance, in accordance with the accountability principle, for which it is necessary that controllers document all the data processing activities in order to minimize risks, and that controllers analyze future processing so they can determine how data subjects' rights | Finally, the DPA concluded that the controller should have carried a DPIA previous to the implementation of the biometric system. Controllers shall be able to demonstrate compliance, in accordance with the accountability principle, for which it is necessary that controllers document all the data processing activities in order to minimize risks, and that controllers analyze future processing so they can determine how data subjects' rights will be affected. In case of high risk, as this case, the controller shall carry out a DPIA, which is a mandatory previous step to comply with this regulation, as well as complying with all the other obligations such as relying on a valid legal basis and respecting data protection principles. | ||
Since the controller had not carried out such DPIA, the AEPD decided to fine it €20,000, that were reduced to €16,000 because of voluntary payment. | Since the controller had not carried out such DPIA, the AEPD decided to fine it €20,000, that were reduced to €16,000 because of voluntary payment, for a violation of [[Article 35 GDPR]]. | ||
== Comment == | == Comment == | ||
Latest revision as of 14:28, 24 November 2022
| AEPD (Spain) - PS/00050/2021 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 35 GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 26.10.2021 |
| Fine: | 20000 EUR |
| Parties: | SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L. |
| National Case Number/Name: | PS/00050/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined a controller €20,000 (reduced to €16,000) for implementing a biometric identification system without carrying out a DPIA beforehand.
English Summary
Facts
A workers union lodged a complaint with the Spanish DPA (AEPD) against a company that had implemented a biometric identification system to control workers' access using their fingerprint, a system that was used along with a card reader system. The company had 520 workers.
According to the union, the system was:
- disproportionate, since there were already two access control systems in place;
- unnecessary, since these systems were already effective and less intrusive;
- the system is just a method of control, since it was placed only in working places;
- there was no free consent, since workers were obliged to sign the consent document.
According to the company, the system was necessary and more efficient than the old one. They argued that the working place was so big that workers needed to walk for 20 minutes in order to reach their working post, so they needed an additional control system to determine when they really accessed their post. The company also argued that the biometric system is more reliable than using cards, since people could use another worker's card. The intention was to substitute the cards with the biometric system.
The project was presented to the Workers Council, which rejected it and reported it to the Labour Inspection. This claim was archived. Additionally, the company gave the companies an informative document.
The system, according to the company, only used an encrypted biometric template, that was used to compare it with the biometric data (fingerprint) stored in the local database to verify it, but without storing any images, being it a verification/authentication system (one to one).
The company also showed a risk analysis carried out beforehand, in which the result was "low risk", and therefore a DPIA was not carried out.
Holding
Firstly, the AEPD concluded that the system was not a one-to-one system, as alleged by the company, but a one-to-many, in which the biometric data was compared to the biometric templates of all the workers in order to verify the identity of the data subject.
According to the DPA, since biometric systems are very intrusive to data subjects' rights and freedoms, they are generally prohibited, and restrictions shall be interpreted restrictively.
The DPA remarked that Article 9 GDPR establishes an exception when processing is necessary to carry out obligations and exercising specific rights of the controller or of the data subject in the field of employment. Furthermore, the DPA remarks that Article 88 GDPR allows Member States to provide for more specific rules to ensure the protection of the rights and freedoms in respect of the processing of employees' personal data in the employment context. Those rules shall include suitable and specific measures to safeguard the data subject's human dignity, legitimate interests and fundamental rights.
Here, the AEPD argued that, since processing shall be necessary, the controller needs to substantiate such necessity. However, the DPA considered that there are alternative systems that comply with the minimization, proportionality and necessity principles, and that in order to use biometric systems the controller needs to demonstrate high levels of proactive accountability and privacy by design implementation, including a justification for the necessity and proportionality of the system, certifying that there are no less intrusive alternatives for the purposes for what the system needs to be used.
Before implementing such a system, the controller should have carried out a DPIA, to determine whether an alternative less intrusive method was possible in order to attain the same results.
The DPA also noted that the controller did not provide the document with which they obtained the consent of the workers. The DPA also noted that the processing, contrary to what the controller had alleged, could not have been based on the legal basis from Article 6(1)(b) GDPR, since the access control is not necessary for the performance of a contract. In any case, it could be argued that it could have relied on Article 6(1)(c), on the norm that regulates access control for workers, as long as it respected the data protection principles.
Subsequently, the DPA argued that consent shall always be exceptional in the framework of labour relationships, since there is risk of coercion. Additionally, consent must be withdrawable without any negative consequences. There shall also be a possibility of not giving consent in the first place.
Finally, the DPA concluded that the controller should have carried a DPIA previous to the implementation of the biometric system. Controllers shall be able to demonstrate compliance, in accordance with the accountability principle, for which it is necessary that controllers document all the data processing activities in order to minimize risks, and that controllers analyze future processing so they can determine how data subjects' rights will be affected. In case of high risk, as this case, the controller shall carry out a DPIA, which is a mandatory previous step to comply with this regulation, as well as complying with all the other obligations such as relying on a valid legal basis and respecting data protection principles.
Since the controller had not carried out such DPIA, the AEPD decided to fine it €20,000, that were reduced to €16,000 because of voluntary payment, for a violation of Article 35 GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/25
File No.: PS / 00050/2021
RESOLUTION OF TERMINATION OF THE PROCEDURE BY PAYMENT
VOLUNTARY
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On February 19, 2021, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure for SERVICIOS
LOGÍSTICOS MARTORELL SIGLO XXI, S.L. (hereinafter the claimed part).
The initiation agreement was notified and after analyzing the allegations presented, dated 6
October 2021, the resolution proposal was issued, which is set out below
transcribe:
<<
File number: PS / 00050/2021
Of the procedure instructed by the Spanish Agency for Data Protection and based on the
following:
BACKGROUND
FIRST: The claim filed by UNION SECTION *** SECTION 1 (in
hereinafter, the claimant) has an entry dated 02/06/2020 in the Spanish Agency for
Data Protection from the Catalan Data Protection Authority. The
claim is directed against the company, in which, they claim to represent
union: SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L., with CIF B65050247 (in
later, the claimed one), “for their opposition to the implementation of a control system
of the workers through a biometric fingerprint system in the dependencies.
of the company, through terminals that incorporate readers to capture the
fingerprint of each employee ", and" currently the system is combined with the reader of
card".
The claimed one dedicates its activity to the "transport of assembly and assembly of pieces of
motor vehicles, being the SEAT company for which they provide services as the only
customer ”with about 520 workers.
The claimant states that, in his opinion, the system that is in the "evidence" phase is not
in accordance with the regulations, by:
a) Disproportionate: “The company's premises are located
within the SEAT MARTORELL venue, which has its own ac-
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/25
cease, visits and work presence, to which the workers must be submitted ”of the
Claimed “to which must be added the card transfer system established in
the company, so a third control system is disproportionate. "
a) Unnecessary, due to the existence of other less invasive means to achieve the
presence control.
b) It is also intended with the implementation of the system, the control of the
duction by having installed the readers in the work areas.
c) Absence of consent: the company obliges workers to sign a document
document of consent for the processing of your data so it is not a manifestation of
festation of free will.
SECOND: On 03/26/2020, the claim is transferred to the claimed one, that the
07/09/2020, states:
1) As the company is located within the client's facilities, SEAT, the workers
res, to access, they have to go through the factory access control that the owner has im-
planted. From this point, to the location of the claimed business, there is a path
walk of about twenty minutes. Indicates that the work center has a total area
more than sixty thousand square meters, providing a graph with the location of the points
of hourly record.
In the spaces where the fingerprint records are implanted, there were historically two
card presence control terminals, which allowed presence control, and
the control of the working day - entries, exits and absences - and, on the other, the generation of
variable report for the preparation of payroll-overtime, nights.
He states that “during 2017, with the idea of replacing these card terminals,
five fingerprint terminals in each of the center's work areas. These new ter-
They came to replace the two cards with the same purposes and the same information.
mation ”. This measure is executed with several premises:
-to avoid the problem of staff leaving their job earlier
of the time and clock at the entrance of the workshop the exit of your shift, and,
- facilitate the check-in process by avoiding crowds at check-in points, pass-
two to five.
He adds that the fingerprint exceeds the card as it avoids cases that have been given to give the card
between employees to sign for the owner.
A single type of record of presence of working hours will be implemented, although currently
the card and the new fingerprint coexist, they are using both to verify that it works.
tions with correction before implanting it definitively. Indicates that they are going to establish a
gram to reduce the period in which both systems, card-fingerprint, will coexist, and will
make new explanations of the system to workers and their representatives.
2) On 11/13/2017, the Company Committee was convened and the project and objectives were presented
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/25
presence control by fingerprint, delivering a copy of the report of the supplier of the
technology, giving a deadline for it to issue its report. Provide documentation of the minutes
of the meeting. It indicates that on 11/20/2017, they held a second meeting in which the Sec-
Union opinion of *** SECTION.1, but not that of *** SECTION.2, opposed because it considered it dis-
provided and stated that the current card system was sufficient and requested a
mediation, which did not come to fruition, and subsequently, on 10/15/2018,
the complainant transferred the complaint to the Labor Inspectorate. On 01/14/2019, the
complaint for not crediting an infringement. Provide a copy of these documents.
3) It states that each fingerprint was collected and the system was implanted.
worker, documenting your delivery with I received. They provide a copy of that of an employee,
which is dated 01/22/2018, with the literal “information by the management of the company-
prey and acceptance by users of the fingerprint registration "," from the address of the
The human resources department informs the workers that the
implementation of a system to control access, visits and work presence through hue-
the fingerprint for which users will be asked to register it and all this in accordance with
compliance with the provisions of the Personal Data Protection Law 15/99 of
12/13 ".
4) It states that the publication of Royal Decree Law 8/2019 of March 8, on urgent measures
social protection and the fight against job insecurity in the working day, intensi-
The tasks of setting up the signing system were established, establishing a deadline for
given of four-year recorded data.
5) Provides a graphic diagram of the operation of the fingerprint treatment process
fingerprint indicating:
to. “After the worker is discharged and at the time he is informed of the collection of the
In order to control the shift, an HR technician takes the fingerprint with the reader called
nado *** READER.1 (“System based on minutiae: identifies a limited number of
forms of the footprint and its position within it. The reader captures the fingerprint and digits
talizes some landmarks and converts minutiae into a ci-footprint template.
frada (algorithm) ”.
“Fingerprint images are never stored. This footprint template does not allow
biometric identification, only biometric verification "
b. After taking the footprint, it appears that the “human resources technician associates in
program *** PROGRAM.1 the fingerprint template with employee ID ”. In the drawing
from *** PROGRAM.1 figure that “stores data on the server; Employee ID, name
Name and surname, NIF, encrypted fingerprint template, date, time of entry, time of departure, absence
cias ".
c. From *** PROGRAM.1 there is a double date to FICHADORA, and from this to
*** PROGRAM. 1. On the FICHADORA, it appears: "the worker files". From
*** PROGRAM.1 a FICHADORA consists of: “TCP automatic transfer of frame
extra decimal: employee ID, name and surname, encrypted fingerprint template ”. From FI-
CHADORA, in which it appears: “Stores data in the device: employee ID, template
the encrypted fingerprint ”, the arrow appears at *** PROGRAM.1, showing:“ Automatic transfer
TCP extradecimal frame: employee ID, date, time of entry, time of exit, automatic
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/25
sentences ".
There is an explanatory parenthesis below FICHADORA, which indicates:
“User verification is done locally against the encrypted template stored in the file.
chadora. It is never verified against the central database of *** PROGRAM.1. They are collected
date and time data automatically. The worker manually registers with a code
absences ”.
In the explanatory graph, another screen also shows the flow when the drop occurs
of the employee.
6) It states that by analyzing the reports of the Legal Office of the AEPD number
65/2015, 36/2020, of 8/05, and opinion 3/2012, of the Article 29 Group, on “evolution
of biometric technologies ”, the difference in biometric data is concluded:
- "Biometric identification: The identification of an individual by a biometric system
is normally the process of comparing your biometric data (acquired at the moment
identification) with a series of biometric templates stored in a database
cough (ie a one-to-many match search process. ”
- “Biometric verification / authentication: the verification of an individual by a biometric system
is normally the process of comparison between your biometric data (acquired in the
time of verification) with a single biometric template stored on a device
(ie a one-to-one matchmaking process). "
“Only those in which they are subjected to data would be treated as special category data
technical treatment aimed at “one-to-many” biometric identification, and not in the case of
“one-to-one” biometric verification / authentication.
They state that their system is for verification / authentication, explaining that they are only looking for the
correspondence of the biometric data provided at the time of registration by the intere-
sado to prove that it is him. "This data is stored in the device in an encrypted form
and it is consulted by the authentication system to verify that there is a match ”.
“When an employee puts his finger on the token reader, this device verifies
in local, never against the central database, which corresponds to the footprint template
encrypted that is stored on the device. In case there is a match,
collects the booking data- date, time, employee ID, absence, etc.- and sends them to the program-
transfer management system *** PROGRAM. 1. It is an authentication, similar to the one
zada with a password ”.
7) It states that to date no employee has exercised any type of right with respect to
your data.
8) Provides a copy of the risk analysis of treatment activities, (questionnaire model and
notes to it). "Applying as a first step the adaptation of the FACILITA tool
RGPD on 04/08/2019 the result of the “low risk” activity is obtained. Indicates that
evaluated the need to carry out a DPIA or not. “The result determined that it is not accurate
knew how to carry out a data protection impact assessment (DPIA) precisely because of the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/25
interpretation that the fingerprint template encrypted by the algorithm should not frame
fall into specially protected data ”.
But if a “basic risk analysis” was carried out “to determine if it was necessary to implement
processes and protocols in addition to those designed ”:
- “09/16/2019, revision of the probability of risk number 5 due to opportunity for improvement
in the process of deletion detected as a result of the implementation plan of ISO 27001 passes valuation-
tion ”.
-In the section on specifying the categories of data processed: “Data from
personal identification character, fingerprint template, and employee: name and
surnames and NIF. In addition, the date of entry and exit, and absences are dealt with ”.
The conclusion of the analysis indicates: “it is low risk”, “when an employee puts his finger
in the token reader, the device itself verifies that it corresponds to the
the fingerprint that is stored in the device. In the event that there are coincide-
company, collects the transfer data: date, time, employee ID, absence, etc., and sends them
to the transfer management program *** PROGRAM.1 ”.
”It is considered that it is an authentication similar to that performed with a counter-
sign and not a biometric identification so it is not considered a data especially
protected how will the complete image of a fingerprint that will identify a worker
dor within a whole bag of people. "
THIRD: The Director of the Spanish Data Protection Agency agreed to admit
Processing the claim submitted by the claimant on 09/07/2020.
FOURTH: Within the framework of the actions carried out by the General Subdirectorate of
Data Inspection, in order to clarify the response of the claimed, dated
11/23/2020, your collaboration was requested to inform you about the registration system of
footprint they use.
1) They are asked to briefly explain how the recording and keeping system is produced.
da-storage of the template What is *** PROGRAM.1 ?, What is the central base of
*** PROGRAM.1 ?, and if the template converted into each employee's algorithm is saved there,
and what relationship does it have with the device called "token"
On 12/15/2020, your response was received stating:
*** PROGRAM.1, “main server for the management of the presence system, belongs to
“Grupo Sesé”, the same group to which the claimed belongs and is implemented through a
commercial application called *** PROGRAM.1, from the company TECISA ”.” The information
for management is stored in a database included with the application, and it is in this
database what the application has, where the template collected from the
paw print".
The token, or remote terminal “acts as an interface between the employee and the *** PRO-
GRAMA.1 for the validation and collection of information ”. Through this device, “we validate
we enter the system and collect information such as the time we have interacted, for
example".
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/25
2) In the drawing of the process graphic "The worker records", and "token", appears the literal "al-
store data on the device: employee ID-encrypted fingerprint template ", in this sense, clarify
Which device are you referring to? To the tokenist ?, describing if this is how it is stored
the staff of all employees in each and every one of the five they have.
It distinguishes two phases of the process, the data recording phase and the operation phase of
presence registration.
Phase 1, Data recording:
-Human Resources records the employee's data and collects his fingerprint with a reader (called
mined in this case *** READER.1). “At the moment of capture, a template is generated
with the characteristic points of that fingerprint, which is stored encoded in the database
*** PROGRAM. 1. The fingerprint image is not stored.
When the data is recorded, the synchronization process sends the necessary data from
the *** PROGRAM.1 application to the associated loggers -five- where they are stored-
two said values. The data that is sent are the employee's ID, name and surname and the
encrypted template. "
Phase 2, Operation:
- “When an employee wants to register his presence, he places his finger on the token that me-
through the built-in reader *** READER.1, carry out the same process mentioned in phase 1
when the employee was registered in the system. So it captures the
characteristic points of the employee's fingerprint, this capture is encoded and compared with
the coded template that is stored in the memory of the card maker and associated with the ID
of the employee. If it is correct- both templates match- the logger will send the pertinent data.
nents of the employee. The coded fingerprint or name is never sent, only information is sent
mation relevant to the clocking: date, time, employee ID and any defined code of
absence. These data are transmitted to the *** PROGRAM.1 application to
further processing. "
3) About your manifestation of:
“User verification is done locally against the encrypted template stored in the file.
chadora. It is never verified against the central database of *** PROGRAM.1 ”
They are requested to expand information on:
a) If your system uses the same template for each employee, registering different al-
gorithms, or different templates for each employee.
It states that when mentioning the template “it is actually the encoded information that
has been saved after reading the fingerprint, it is not stored as an image, but rather it is detected
and they save between 25 to 80 minutiae -they are the points of the footprint where a line ends or is
forks - these points are the ones that are encoded and stored as a template. Each one of
we have different points from each other, which is enough to be able to
identify ourselves and what is saved are these points, so there cannot be two codes
identical. "
a) Explain how it is possible to correlate through the system one to one (authenticate
tion) the introduction of the fingerprint in the stamp, with the template (s), explain if all the
template / s are in the tab. (Apparently there will be an internal fingerprint validation
shredded versus all templates.)
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/25
It reiterates that “Each checklist stores the templates and the ID of each employee, therefore
When an employee puts the fingerprint, it is encoded in a template and the system performs the
search to see which one is equal to the one generated. The process is carried out locally, it is not
consult the application *** PROGRAM.1 "
b) What difference would there be between the worker registering with the counter and the verification
does it locally against the encrypted template stored in the token machine, so that it does it against
the central database of *** PROGRAM.1?
“There would be no technical difference or practicality. The process would be the same, only in that
case should be compared with all the stored templates and it would be noticeably increased-
mind the time it would take to transmit the information back and forth ”.
c) Does the tokenizer have at any one time a single data packet that identifies the
person who is signing or all packages of all workers?
He answered that “The file clerk keeps the information of all the workers of the center,
that have been configured to facilitate the signing of any of them by the worker.
dor ”.
4) In the graph, from "tab" to "*** PROGRAM.1", there is a double arrow in which
literals are contained: "automatic transfer, extradecimal frame TCP etc.", it is requested
that explain the meaning of these extremes in both senses, and that they imply
arrows, if it could be understood that there is a transfer of data from the system
central ma to the tabulator. (id employee-name / surname-fingerprint).
It reiterates that: “When an employee is registered or modified, it is done from the
*** APP PROGRAM. 1. Once the data is saved, the system launches an update.
tion to the tokenders through a TCP frame where the information is transmitted (names
Employee ID, Employee ID, Fingerprint Template) by being registered in the files
chadoras ”.
Only when an employee makes a check-in at the check-in and after the validation process
tion, the clock taker, sends the information (ID, date and time, absences) to the application
*** PROGRAM. 1 ”.
They indicate that your system works like that of a password. To this end, they must detail the
elements of said idea, user, how it is verified and what would be the password element,
how, and where they are stored and how and against what element the pairing occurs.
Responds that comparing the traditional way of identifying through user / counter-
sign, indicates that the simile with the biometric fingerprint is that it allows more authentication
stronger than the simple username / password pair, since biometric data are more complex
jos to reproduce and break that password. For that reason, they indicated that it is treated as
if it were a password, since with the fingerprint “no other employee can supplant the
identity of others in a simple way. In this case, the user is the employee ID and the
password is your fingerprint template ”.
5) Other questions that they consider clarifying or convenient about the system that according to
can searches for the correspondence of the biometric data provided by the employee when
proceeds to the action of signing, with the way in which the data is recorded, after
confrontation and coincidence that it manifests is of the "authentication" type.
It states that the biometric validation system has as its sole objective and purpose the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/25
unequivocal identification of an employee within the system providing guarantees to it
to any attempt to impersonate your identity, making it difficult to reproduce the
fingerprint by a third party.
FIFTH: On 02/19/2021 the Director of the AEPD agreed:
"START SANCTIONING PROCEDURE for MARTORELL LOGISTICS SERVICES
SIGLO XXI, S.L., with CIF B65050247, for the alleged violation of article 35 of the RGPD
in accordance with article 83.4 a) of the RGPD. "
"For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, of the Administrative Procedure
Common Administrative Law of Public Administrations, the sanction that may correspond to
There is an administrative fine of 20,000 euros, without prejudice to what results from the instruction. "
SIXTH: The defendant makes the following allegations:
1) Uses a minutiae-based fingerprint pattern, a limited number is identified
of footprint shapes and their position within it, associating an algorithm. The boss
it is stored encrypted, containing the position and type of minutiae, not being possible to "apply
car reverse engineering the templates to recover images from the footprints ”.
2) “A fingerprint reader is used that reads the employee's fingerprint for the first time and creates the
point pattern, but it does not save the fingerprint image as such, but a derivative algorithm
do of the points obtained in the pattern. When a worker puts his finger to clock in
the taker, the reader reads the points and compares them with the database in which they are entered.
it has the algorithm, which has also been stored in an encrypted form; what converts it
in a unique alphanumeric code associated with the pattern of the fingerprint read for the first time. That
the device reads the fingerprint and compares it against an encrypted pattern is exactly the same
identification process in a password or smart card, therefore, by not storing
the image of the fingerprint and make the identification by means of a code, we understand that it is not-
we would be talking about a biometric data according to the definition of article 4.14 RGPD. "
3) “The system used cannot always identify the person unambiguously, unlike
What would happen if, for example, a genetic piece of information that is unique was used. And that,
since the identification in the group of workers is made with coordinates that
They are not unique in the world, therefore, the identification of the employee is done without using the
biometric data, that is, the fingerprint. In conclusion, the footprint pattern does not meet the requirement
site of uniqueness. " “Therefore, the employee's fingerprint pattern is not biomedical data.
according to article 4.14 of the RGPD, therefore, it is not appropriate to apply article 9 of the
RGPD as a special category of data regarding the purpose of data processing
biometric "
4) The attendance and working hours control system, to implement the system by means of
your presence management software called *** PROGRAM. 1 was contracted with the company
sa TECISA 74, S.L. and the installation of the takers (*** FICHADORAS.1) that contain the
fingerprint readers (*** READER.1) at the accesses to the work areas. TECISA uses the
*** LECTOR.1 / IDEMIA technology in relation to the identification system through
fingerprint.
5) Hired the services of TECISA 74, S.L. for being a reference provider for the Administration
Public service, as shown on the provider's own website
*** URL.1, from which it follows that “the Ministry of Justice of Spain (Audiencia Na-
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/25
tional), the General Secretariat of Penitentiary Institutions of the Ministry of the Interior of Es-
paña, the Ministry of Employment and Social Security in the Control of access of inmates in the
Temporary Stay Centers for Immigrants from Ceuta and Melilla, Getafe City Council
and the Community of Madrid in its Campus for Justice have trusted TECISA 74, S.L.
as a provider of access control and presence services. " Also, in the same
web, specifically in the section https://www.tecisa.com/quienes-somos, it is reported that
"TECISA 74, S.L. is considered by the Spanish Public Administration as the company
manufacturer of the best software and terminals for access control and work presence, according to
This is indicated in the recent resolution of the State Heritage Catalog competition by a
After months of evaluation, all the proposals submitted by more than 100 companies
sas. Among the 195 products presented by national and international companies,
the access control and work presence terminals manufactured by Tecisa have been,
conclusively, the best valued by a group of experts from the Ministry of Finance
and Public Administrations on behalf of the Spanish State. "
The respondent acted in the belief that the information provided to her by TECISA
Regarding the fingerprint treatment, it was valid and in accordance with the RGPD. In addition, it has
an ISO 9001/2015 certification of quality management systems, an international standard that
accredits the ability to regularly provide products and services that satisfy
customer requirements and applicable legal and regulatory requirements.
On the other hand, the complainant has the ISO IEC 27001/2013 certificate, document two,
"As it has implemented and applies an information security management system
that allows the assurance, confidentiality and integrity of data and its systems
that process them, in addition to the risk assessment and application of necessary controls
to mitigate or eliminate them. "
6) It states that despite the fact that the legal basis of the treatment could be article 6.1 b) or the
6.1 c), has chosen to request the consent of its employees as indicated in article
6.1 a) and 9.2 a) of the RGPD.
They consider that there is no pressure when giving consent if it is not
provided by the employees, since the defendant first informed the representation
of the workers of the new system, who in turn informed the employees of the
company and that the vast majority of employees did not refuse to give their consent.
not even some members of *** SECTION.1 that make up the works council
who have presented the present claim, nor has anyone revoked the consent
mentor has not opposed the treatment at any time, not even the union section
*** SECTION.1 informed the workers of their disagreement in the implementation of the system.
7) It states that the presence control and the registration of working hours with fingerprint pattern
as indicated before, they coexisted with the previous system based on the use of the reader
of cards, until the moment it was suspended due to COVID-19, on 03/14/2020
The claimant union section of *** SECTION 1, recognizes the existence of the two
systems thus listed in the initiation agreement.
During the testing phase of the new attendance and working hours control system that
has been interrupted, it becomes relevant that there are employees who have made unique use of
ca and exclusively of your card according to the previous face-to-face control, not using the
fingerprint readers according to the new system due to the fact that the
two systems.
For the total number of transfers for each month and the reference days, the new transfer system was
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/25
used by 40 or 50% of the workforce and not the whole.
The action of the Labor and Safety Inspection was already provided in previous actions
Social that analyzing the face-to-face fingerprint control system did not find any irregularities
rity, the opposite of what the AEPD states.
It adds that there is no specific instruction or circular on the treatment of data through
through biometric devices for presence control, which have acted in good faith
in the belief that the control and schedule system was in accordance with the RGPD.
They carried out an audit for the certification 27001/2013 of 2019, in which it was
an evaluation and corresponding analysis of the application *** PROGRAM.1.
8) However, and what has motivated the initiation agreement, they have carried out an evaluation
impact applying the Agency's criteria that a treatment is being carried out
of a biometric data for identification purposes, also modifying the record of activities
vity of the treatment, and provide document 3 with the impact assessment and document 4
with the record of the modified treatment activity.
They indicate that the impact assessment has been carried out, despite the fact that the
presence and working hours by fingerprint pattern was only in effect from the
01/16/2020 until 03/14/2020, that is, it is inoperative from before the transfer of the start
of the transfer. It considers that it has been complying with and observing enforceable obligations and
asks that it be noted or, where appropriate, reduced to a minimum penalty, also considering
who previously analyzed in the risk analysis the assessment of whether or not to carry out
lization of the Impact Assessment.
9) It refers to other files of the AEPD on registration with biometric data in which no
The obligation to carry out an impact assessment has been imposed as indicated in the article
35 of the RGPD such as PS 7044/2019 against a Community of owners (in
In reality, it would be E77044 / 2019, no more than seven thousand records are reached or assigned.
sanctioning measures in a year) in which the proceedings were archived without stating that
had an impact assessment, according to the minutes of the owners' meeting that approved the
09/26/2017 the installation of “lathes with fingerprint recognition for access to facilities
nes ”of a Social Club with swimming pool, attached to the house. The resolution indicates that there was
another alternative of access through a photo ID and the technical system is not detailed.
single collection, storage, and storage facility and whether the
data when putting the finger to enter was identification one-one, or one several, and it is expressed that
“The legitimacy for the treatment of the fingerprint for access to the facilities by
part of the claimed we must look for it in article 9 and 6 of the RGPD. " Adding no
The prohibition will be applied by virtue of the consent, article 9.2.a), being in addition to the
detailed, a different assumption to the one that is valued here.
And he points out another similar case such as PS 145/2019 to the Ministry of Education and Sports of
the Junta de Andalucía, in a similar case a warning was imposed for infringement of the
Article 13 without there being any sanction for breach of Article 35 of the RGPD.
SIXTH: Of the actions carried out in this procedure and of the documentation
Obrante in the file, the following have been accredited:
PROVEN FACTS
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/25
1) The defendant dedicates its activity to the transport of assembly and assembly of pieces of
automobiles, being the SEAT company for which they provide services as the only customer with
about 520 workers. The company's offices are located within the
your client's premises, SEAT. The work center has a total surface area greater than sixty
thousand square meters, providing a graph with the location of the hourly registration points
River.
1) Historically there were two card presence control terminals. Duran-
te 2017, to replace these card terminals, five fingerprint terminals are installed in
each work area of the center, with the same purposes. When the claimed responds
upon transfer, 07/09/2020, reported that the card transfer methods and the new
footprint, using both to check correctness before implanting
definitely the footprint.
2) The respondent accredits having consulted the union representation on 11/13/2017, before
the use of the fingerprint system and individually to employees, from
01/22/2018, in accordance with the provisions of the law on the Protection of Character Data
personal 15/99 of 13/12. In allegations, the respondent indicated that the use of the fingerprint was
suspended due to COVID 19, on 03/14/2020, and that it was only in force since
01/16/2020 until 03/14/2020.
3) The reasons why the respondent prefers to use the fingerprint on the card, are
that avoids cases that have occurred to give the card between employees to sign for the holder, and
that an unequivocal identification of the employee is produced, avoiding the impersonation of the
cultar the reproduction of the footprint by a third party.
4) The purpose of the fingerprint registration is to control the time or day, in accordance with
with article 34.9 of the Workers' Statute.
5) The system for collecting and registering the employee's fingerprint and its use is divided into
two phases: 1 Data record, 2 Presence record operation.
Phase 1: it is carried out by an HR technician who, with the transfer management program of the
*** PROGRAM.1 application of the TECISA company, and through a reader called
*** READER.1, collects the fingerprint, captures it so that it identifies a limited number of forms
more of the footprint and its position within it (minutiae) turning them into a template
encrypted fingerprint (encoded information, between 25 to 80 minutiae-branch points are stored
cation or where a line ends). The complete image of the footprint is not stored. In the
database included in the application associates and stores the fingerprint template with the ID
of the employee, name and surname, NIF. When recording the data, the punching machines or remote terminals
five in this case, in a synchronization process associated with the application, stored
These values have these values: encrypted template, employee ID, first and last name.
Phase 2: When an employee wants to register their presence, they can do so at any-
ra of the five terminals or fingerprint reader-fingerprint readers *** READER.1-, place your finger on
the token that, through the built-in reader *** READER.1, performs the same process as
mentioned in phase 1 when the employee was registered in the system. In a way that performs
a capture of the characteristic points of the employee's fingerprint, this capture is encoded
and it is compared with the coded template that of each employee is stored in the
memory of each token and associated with the employee's ID. If correct- both templates co-
incide- the registrant will send the pertinent data of the employee. The footprint is never sent
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/25
encoded or the name, only information relevant to the signing is sent: date, time, ID
of the employee and any defined absence codes. These data are what is transmitted
Please keep the *** PROGRAM.1 application for further processing.
6) The respondent had the document on risk analysis of trafficking activities.
operation, carried out on 04/08/2019, showing the result of the “low risk” activity, with
result that it was not necessary to carry out an impact assessment on data protection
(EIPD).
The defendant indicates that while the two transfer systems were in operation, there were
employees who have made use solely and exclusively of their card with face-to-face control, and
others over 40 or 50% used the footprint.
8) Despite the fact that the fingerprint collection system for transferring from
03/14/2020, after the initiation agreement, the respondent modified the risk analysis of the activities
vities of the treatment, and the record of treatment activity to agree that
The impact evaluation that it states has been carried out although it was not provided.
FOUNDATIONS OF LAW
I
Biometric data is defined in article 4.14 of the RGPD:
"Biometric data": personal data obtained from a technical treatment
specific, related to the physical, physiological or behavioral characteristics of a person
that allow or confirm the unique identification of said person, such as images
facial or fingerprint data;
The scope of the RGPD extends its protection, as established in its article
1.2, to the fundamental rights and freedoms of natural persons and, in particular, their
right to the protection of personal data, defined in its article 4.1 as “all
information about an identified or identifiable natural person ("the data subject"); I know
Any person whose identity can be determined shall be considered an identifiable natural person,
directly or indirectly, in particular by means of an identifier, such as a
name, an identification number, location data, an online identifier or one or
various elements of the physical, physiological, genetic, psychic, economic,
cultural or social of said person. "
According to the information provided by the claimed, when entering the fingerprint in the
taking into account that each token has all the stored templates of all
two employees, so that they file in the one they want, the same is compared in order to
clear access by recording the beginning or end. It is estimated that the comparison is not
produces one against one, that of the employee who agrees with his, but with all those who are
are stored, performing a one-to-many comparison function each time they are entered.
work or go out. In this case, although the image of the footprint is not saved entirely, but some
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/25
coordinates, each of them in template form, is able to identify
unequivocally to each employee when confronting the fingerprint with the rest at the terminal
of the existing ones. The functions contained in the algorithm allow to extract the points
characteristics of the fingerprint for later comparison with an associated database
to the previously stored set of users, being able to identify their owner of
among all templates, treating personal data based on the
fingerprint processing, uniquely identifying said person.
Biometric data have the particularity of being produced by the body itself and
definitely characterize. Therefore, they are unique, permanent in time and
person cannot be freed from it, they cannot be changed in case of compromise-
loss or intrusion into the system etc.
Article 9.1 of the RGPD indicates:
"Treatment of special categories of personal data"
1. The processing of personal data that reveals ethnic origin or
racial, political opinions, religious or philosophical convictions, or union membership,
and the treatment of genetic data, biometric data aimed at identifying in a way
univocal to a natural person, data related to health or data related to sexual life or
sexual orientation of a natural person. "
Given the growing interest in using these systems in different areas and, as they are
novel and very intrusive identification systems for rights and freedoms
fundamentals of natural persons, the constant concern of this authority of
control has been shared by the rest of the authorities for years, as they
manifested the Working Document on biometrics, adopted on 08/01/2003 by the Group of
29, or the subsequent Opinion 3/2012, on the evolution of biometric technologies,
adopted on 04/27/2012, and which has led the community legislator itself to include
these data among the special categories of data in the GDPR. In this way, being
prohibited its treatment in general, any exception to said prohibition will have
to be subject to restrictive interpretation.
In this sense, recitals 51 and 52 of the RGPD make it clear: "Such data
personal should not be treated, unless their treatment is allowed in situations
specific provisions contemplated in this Regulation, taking into account that the States
Members can establish specific provisions on data protection in order to
to adapt the application of the rules of this Regulation to the fulfillment of a
legal obligation or to fulfill a mission carried out in the public interest or in the exercise
of public powers conferred on the data controller. In addition to the requirements
specific to that treatment, the general principles and other rules of the
this Regulation, especially with regard to the conditions of legality of the
treatment. Exceptions to the general prohibition of
treatment of these special categories of personal data, among other things when the
interested party give their explicit consent or in the case of specific needs, in
particularly when the treatment is carried out within the framework of legitimate activities by
certain associations or foundations whose objective is to allow the exercise of
fundamental liberties. (52) “Likewise, exceptions to the prohibition of
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/25
treat special categories of personal data when established by the Law of the
Union or Member States and provided that appropriate guarantees are given, in order to
protect personal data and other fundamental rights, when it is in the public interest,
in particular the processing of personal data in the field of labor legislation, the
legislation on social protection, including pensions and for security purposes,
supervision and health alert, prevention or control of communicable diseases and other
serious threats to health. (...) "
II
Faced with the prohibition of starting the treatment of biometric data that identify
univocally to the persons of article 9.1), indicates article 9.2 b) and 9.4)
2. Section 1 shall not apply when one of the circumstances occurs
following:
“B) the treatment is necessary for the fulfillment of obligations and the exercise of
specific rights of the data controller or interested party in the field of
Labor and social security and protection law, to the extent authorized by it
Union or Member State law or a collective agreement pursuant to the
Law of the Member States that establishes adequate guarantees of respect for the
fundamental rights and interests of the interested party; "
(…)
4. Member States may maintain or introduce additional conditions, including
limitations, regarding the processing of genetic data, biometric data or data
related to health. ”´
The correlation to this mention is found in article 9 of the LOPDGDD, which states:
"1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid
discriminatory situations, the sole consent of the affected party will not be enough to raise
the prohibition of data processing whose main purpose is to identify your ideology,
union membership, religion, sexual orientation, racial or ethnic beliefs or origin.
The provisions of the preceding paragraph will not prevent the processing of said data under
of the remaining cases contemplated in article 9.2 of Regulation (EU) 2016/679,
when appropriate. "
In this sense, Article 88 of the RGPD has established that Member States may
den, through legislative provisions or collective agreements, establish standards
more specific to guarantee the protection of rights and freedoms in relation to
with the processing of personal data of workers in the workplace, in particular
lar, among others, for the purposes of compliance with the obligations established by law or by the
collective agreement, management, planning and organization of work. These standards must
include adequate and specific measures to preserve the human dignity of stakeholders
rights, as well as their legitimate interests and fundamental rights, in particular, in
relation with, among others, the supervisory systems in the workplace.
In accordance with the provisions, the treatment must be necessary for compliance with
legal obligations, considering that the same compliance effects were satisfied
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/25
before the fingerprint system with the use of the cards, being the preferred fingerprint by the re
claimed by a series of issues among which the type of data was not taken into account.
intrusive coughs that are used, the risks and guarantees established.
In the first place, as in any type of treatment that is carried out, it is necessary to
accredit the need for data processing through fingerprint registration and provide
purpose for the fulfillment of the legal obligation to register the working day. Is considered
that there may be alternative systems to the one used that comply with the principles of
proportionality, necessity and minimization in data processing. It is not explained why
the identification system is necessary and preferable to the verification system. To be able to use
this system, in accordance with the parameters established in the RGPD, companies or organizations
Organizations need to demonstrate high levels of proactive responsibility and design for
Data Protection defect from before the treatment, including the fact of being
able to justify that the system used is necessary, provided in each context
in which it is going to be implemented and certify that less intrusive technical measures
you do not exist or would not work.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/25
Opinion 3/2012, on the evolution of biometric technologies, adopted on
04/27/2012, and that has led the community legislator itself to include these data
among the special categories of data in the RGPD states that: “When analyzing the
proportionality of a proposed biometric system, it is necessary to first consider whether
the system is necessary to respond to the identified need, that is, if it is essential
to meet that need, and not just the most suitable or profitable. A second factor
to be taken into account is the probability that the system will be effective in
respond to the need in question in light of the specific characteristics of the
biometric technology to be used. A third aspect to ponder is whether the loss
The resulting intimacy is proportional to the expected benefits. If the benefit is
relatively minor, such as greater comfort or slight savings, then the loss
privacy is not appropriate. The fourth aspect to evaluate the adequacy of a system
biometric is to consider whether a less invasive means of privacy would achieve the end
wanted".
The Opinion 2/2017 on the treatment of data in the work of the WG29 (adopted the
06/08/2017) states that “although the use of these technologies may be useful to detect
o prevent the loss of intellectual and material property of the company, improving the
productivity of workers and protecting the personal data of those who are
commissioned by the controller, it also poses significant challenges in terms of
privacy and data protection. Therefore, a new evaluation of the
balance between the legitimate interest of the employer to protect his company and the expectation
reasonable privacy of the interested parties: the workers ”.
Therefore, “Regardless of the legal basis for said treatment, before its initiation
A proportionality test should be performed in order to determine if the treatment
is necessary to achieve a legitimate purpose, as well as the measures to be taken to
guarantee that violations of the rights to privacy and to the secrecy of
communications are limited to a minimum. This may be part of an assessment of
impact relative to data protection (EIPD) ”.
Before implementing a fingerprint recognition system, the person in charge must
to assess whether there is another less intrusive system with which the same purpose is obtained. The
section 72 of CEPD Guide 3/2019 “on processing of personal data through video
devices ”, establishes in this sense that:“ The use of biometric data and in particular facial
re cognition entail heightened risks for data subjects ’rights. It is crucial that recourse to
such technologies takes place with due respect to the principles of lawfulness, necessity,
proportionality and data minimization as set forth in the GDPR. Whereas the use of these
technologies can be perceived as particularly effective, controllers should first of all assess
the impact on fundamental rights and freedoms and consider less intrusive means to
achieve their legitimate purpose of the processing ”.
(“The use of biometric data and, in particular, facial recognition entails
greater risks for the rights of the interested parties. It is essential that the use of
these technologies take place respecting the principles of legality, necessity,
proportionality and minimization of the data established in the RGPD. Considering that
the use of these technologies can be perceived as especially effective, those responsible
should, firstly, assess the impact on fundamental rights and freedoms and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/25
consider less intrusive means to achieve your legitimate goal of transformation ”.
The translation is from the AEPD).
In this case, the respondent indicates that the legitimizing basis of the treatment, based on
those established in article 6.1 of the RGPD, would be that of express consent. Has not been
provided the informative clause that includes the wording of the terms of the collection of
said express consent. He adds that there are two others, the fulfillment of an obligation
legal tion, 6.1.c) of the RGPD and maintenance of compliance with the contractual relationship,
6.1 b) although the obligation does not derive from the contract but from a rule. Thus, for example, in the
employment context, the treatment of information on wages and salaries derives from the contract.
bank account details so that the salary can be paid, so that there is a
direct and objective link between the processing of the data and the purpose of the execution of the
contract. The registration of the fingerprint for the fulfillment of the registration obligation
working hours as stated by the claimed, if the prerequisites are met, it is not necessary to
necessary for the execution of the contract but, where appropriate, it would be for the fulfillment of a
legal obligation that must be adapted to the general principles of data processing,
previous overcoming of the prohibition of the treatment for the causes assessed in article 9
GDPR
Notwithstanding what has been said, consent within an employment relationship is a legal basis.
exceptional shaker by:
-The very definition of consent, “any manifestation of free will, specific,
informed and unequivocal by which the interested party accepts, either through a statement or
a clear affirmative action, the processing of personal data that concerns you ”is not
part of an equilibrium position in the relationship. As the GT29 has underlined in various
opinions, consent can only be valid if the interested party can actually elect
gir and there is no risk of deception, intimidation, coercion or significant negative consequences.
costs (for example substantial additional costs) if you do not consent. The con-
feeling will not be free in those cases where there is an element of compulsion,
pressure or inability to exercise free will.
-The fact that it can be withdrawn when the owner wishes, an element that must be
cluir in the clause before it is provided, counting on the withdrawal of consent
will not entail any cost for the interested party and, therefore, no disadvantage for those who
ns withdraw consent.
-The possibility of not granting the same must be given, and therefore offer alternatives.
-Articles 16 to 20 of the RGPD indicate that (when the data processing is based on the
consent) the interested parties have the right to the deletion of the data when the
feeling has withdrawn.
III
The respondent was charged that, treating personal data of a special category, and
there is an obligation to have an Impact Assessment on the Protection of the
Personal Data (EIPD) breached article 35 of the RGPD:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/25
"1. Where a type of treatment is likely, particularly if it uses newer technologies,
logies, by their nature, scope, context or purposes, entails a high risk for the rights of
chos and freedoms of natural persons, the person responsible for the treatment will, before
treatment, an evaluation of the impact of treatment operations on the protection
tion of personal data. A single evaluation may address a series of operations
similar treatments that carry similar high risks.
2. The person responsible for the treatment will seek the advice of the protection delegate
data, if appointed, when conducting the impact assessment relating to the protection
of data.
3. The impact assessment relating to the protection of the data referred to in the ap-
tado 1 will be required in particular in case of:
a) systematic and exhaustive evaluation of personal aspects of natural persons who
is based on an automated treatment, such as the elaboration of profiles, and on whose
basis decisions are made that produce legal effects for individuals or that
affect them significantly in a similar way;
b) large-scale treatment of the special categories of data referred to in the art.
Article 9, paragraph 1, or personal data related to criminal convictions and offenses
referred to in article 10, or
c) large-scale systematic observation of a public access area.
4. The supervisory authority shall establish and publish a list of the types of operations
of treatment that require an impact assessment related to data protection
in accordance with paragraph 1. The supervisory authority shall communicate these lists to the Commission
tea referred to in article 68.
5. The supervisory authority may also establish and publish the list of types of
processing that does not require impact assessments related to data protection.
The supervisory authority will communicate these lists to the Committee.
6. Before adopting the lists referred to in paragraphs 4 and 5, the inspection authority
The competent authority shall apply the coherence mechanism contemplated in Article 63 if these
lists include processing activities related to the supply of goods or
services to interested parties or with the observation of their behavior in various States
two members, or processing activities that may substantially affect the free
circulation of personal data in the Union.
7. The evaluation must include as a minimum:
a) a systematic description of the planned processing operations and the purposes
treatment, including, where appropriate, the legitimate interest pursued by the person responsible
ble of the treatment;
b) an assessment of the necessity and proportionality of the treatment operations
with respect to its purpose;
c) an assessment of the risks to the rights and freedoms of the interested parties to whom
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 19/25
referred to in paragraph 1, and
d) the measures envisaged to deal with the risks, including guarantees, security measures
rity and mechanisms that guarantee the protection of personal data, and to demonstrate the
in accordance with this Regulation, taking into account the legal rights and interests
gitimos of the interested parties and other affected persons.
8. Compliance with the approved codes of conduct referred to in article 40
by the corresponding managers or managers, due account shall be taken of the
evaluate the repercussions of the processing operations carried out by said respon-
officers or managers, in particular for the purposes of the impact assessment related to the
data protection.
9. When appropriate, the person in charge will seek the opinion of the interested parties or their re-
applicants in relation to the planned treatment, without prejudice to the protection of the
public or commercial cattle or the security of treatment operations.
10. When the treatment in accordance with article 6, paragraph 1, letters c) or e),
has its legal basis in Union law or in the law of the Member State that
applies to the person responsible for the treatment, such Law regulates the specific operation of
treatment or set of operations in question, and an evaluation has already been carried out
data protection impact assessment as part of a general impact assessment
neral in the context of the adoption of that legal basis, paragraphs 1 to 7 shall not be
application unless the Member States consider it necessary to carry out such an assessment.
prior to treatment activities.
11. If necessary, the controller will examine whether the treatment is in accordance with the
impact assessment relating to data protection, at least when there is a change
of the risk represented by the treatment operations. "
In the development of paragraph 4, the director of the AEPD as a non-exhaustive list, the Direc-
AEP organizer published an indicative list of types of treatment that require an evaluation
impact assessment relative to data protection, stating: “At the time of analysis
To process data, it will be necessary to carry out a DPIA in most cases in
those that said treatment meets two or more criteria from the list set out below.
unless the treatment is on the list of treatments that do not require
EIPD referred to in article 35.5 of the RGPD. "
"4. Treatments that involve the use of special categories of data to which
refers to article 9.1 of the RGPD, data related to convictions or criminal offenses to the
referred to in article 10 of the RGPD or data that allow determining the financial situation
financial or financial solvency or deduce information about people related to
special categories of data.
5. Treatments that involve the use of biometric data for the purpose of identifying
tify a natural person in a unique way. "
The purpose of the impact assessment, within the regulatory compliance process
Accountability implies taking responsibility for what is done with data.
personal coughs and how the principles are complied with, incorporating appropriate measures and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 20/25
records to be able to demonstrate compliance. Organizations should
show that they are complying with the standard, including documentation measures on
how the data is processed, for what purpose, until when, and document the treatment
procedures and procedures to focus the issue from an early point in the con-
construction of the treatment system. Its implementation makes it possible to minimize risks
at the time of processing the data, taking into account their proportionality,
the amount of data, etc. Within the DPIA, there would be the guarantees of the rights that
are affected, the analysis of how the right is affected, so that before pro-
transfer to the treatment, a document is available that endorses the subsequent management, helps-
do to identify and minimize the risks of a data processing project that is going to
put or affect in this case a high degree of risk to individuals, employees of the
claimed, given the specific form of the treatment, the nature of the context and the
sites.
The EIPD is a necessary step for data processing, and it is not the only one required, it is
a budget to which the rest of the legal requirements for the treatment must be added,
legitimizing basis and respect for the fundamental principles of data processing
seen in article 5 of the RGPD.
From the documentation in the file and as inferred from the probable facts
two, there is no evidence of the performance of the impact assessment of protection of
data.
IV
The RGPD determines in article 83.4 a): "Violations of the following provisions
will be sanctioned, in accordance with section 2, with administrative fines of 10 000 000
EUR maximum or, in the case of a company, of an amount equivalent to 2%
as a maximum of the total annual global business volume of the previous financial year,
opting for the highest amount:
the obligations of the person in charge and the person in charge in accordance with articles 8, 11, 25 a
39, 42 and 43; "
The LOPDGDD establishes in its article 73.t):
"Based on what is established in article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a vulnerability
substantial ration of the articles mentioned therein and, in particular, the following:
t) The processing of personal data without having carried out the evaluation of the
pact of the treatment operations in the protection of personal data in the su-
positions in which it is required. "
V
Article 58.2 of the RGPD provides the following: “Each supervisory authority will have all
two the following corrective powers listed below:
d) order the person in charge or in charge of the treatment that the tra-
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 21/25
compliance with the provisions of this Regulation, where appropriate, of a
a certain way and within a specified time;
i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each case
particular;"
SAW
The determination of the sanction to be imposed for the violation of article 35 of the
RGPD in the present case requires observing the provisions of articles 83.1 and 2 of the
RGPD, precepts that, respectively, provide the following:
"1. Each supervisory authority will guarantee that the imposition of administrative fines
in accordance with this article for the infractions of this Regulation indicated in
Sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive.
rias. "
"2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in article
58, section 2, letters a) to h) and j). When deciding to impose an administrative fine and its
amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the nature,
scope or purpose of the processing operation in question, as well as the number of
affected stakeholders and the level of damages they have suffered;
b) intentionality or negligence in the infringement;
c) Any measure taken by the person in charge or in charge of the treatment to alleviate
the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment, given
account of the technical or organizational measures that have been applied by virtue of the articles
25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the infringement
fraction and mitigate the possible adverse effects of the infringement;
a) the categories of personal data affected by the infringement;
b) the way in which the supervisory authority became aware of the infringement, in particular
if the controller or the processor notified the infringement and, if so, to what extent;
c) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the same
my matter, the fulfillment of said measures;
d) adherence to codes of conduct under article 40 or to certification mechanisms
cation approved in accordance with article 42, and
e) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or indirectly.
you, through the infraction. "
Within this section, the LOPDGDD contemplates in its article 76, entitled “Sanctions and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 22/25
corrective measures":
"1. The sanctions provided for in paragraphs 4, 5 and 6 of article 83 of the Regulation (EU)
2016/679 will be applied taking into account the graduation criteria established in the
section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 also
may be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of data processing
personal.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the commission of the
infringement.
e) The existence of a merger by absorption process after the commission of the infringement.
This cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to me-
canisms for alternative conflict resolution, in those cases in which there are
controversies between those and any interested party.
3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the
remaining corrective measures referred to in article 83.2 of the Regulation (EU)
2016/679. "
For the assessment of the sanction, the following aggravating factors are considered:
-The nature, severity and duration of the offense, taking into account the nature, al-
cance or the purpose of the treatment operation that affects the entire workforce, about 500
employees; (83.2.a RGPD), although the complainant indicates that not all made use of the
paw print. The use of the system does not reach two months (01/16 to 03/14/2020, although
I don't know if it's still being used.)
-It includes a lack of diligence, since it prepared in advance the implantation of the system.
ma and did not foresee the impact of the implanted system (83.2.b RGPD, 83.2.d) RGPD). Has not been
provided the impact assessment document that declares it was carried out.
On the other hand, it is observed that it concurs as a mitigating factor that the claimed
is an entity of the logistics sector in which data of its employees is processed although it does not
concurs “b) The linking of the activity of the offender with the performance of treatments
of personal data. (76.2.b LOPDGDD).
As a consequence, the sanction is quantified at 20,000 euros.
On the reasons alleged by the complainant that she contracted with a Spanish company
recognized that provides software and access control terminals in its activity of
“Development, installation and maintenance of access control systems, la-
boral and security systems ”which also has ISO (ENAC) certificates and she
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 23/25
It has another certificate, it should be noted that the prohibition of
data with exceptions and a treatment designed from the caution of the type
of data that were treated, offering guarantees, elements that are not related to the
Infringement charged, and for this reason it is not possible to reduce the amount proposed.
In view of the above, the following is issued:
MOTION FOR A RESOLUTION
That the Director of the Spanish Data Protection Agency sanctions
SERVICIOS LOGÍSTICOS MARTORELL SIGLO XXI, S.L., with CIF B65050247, for a
infringement of article 35 of the RGPD, in accordance with article 83.4 a) of the RGPD, with
a fine of 20,000 euros.
Likewise, in accordance with the provisions of article 85.2 of the LPACAP,
informs that you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which will mean
a reduction of 20% of the amount thereof. With the application of this reduction, the
The penalty would be set at 16,000 euros, and its payment will imply the termination of the
process. The effectiveness of this reduction will be conditioned to the withdrawal or
waiver of any action or appeal in administrative proceedings against the sanction.
In case you choose to proceed to the voluntary payment of the specified amount
above, in accordance with the provisions of the aforementioned article 85.2, you must make it effective
by entering the restricted account number ES00 0000 0000 0000 0000 0000 open to
name of the Spanish Agency for Data Protection in the bank
CAIXABANK, S.A., indicating in the concept the reference number of the procedure
that appears in the heading of this document and the cause, by voluntary payment, of
reduction of the amount of the sanction. Likewise, you must send proof of admission to the
Subdirectorate General of Inspection to proceed to close the file.
By virtue of this, you are notified of the foregoing, and the procedure is revealed to you
so that within TEN DAYS you can claim whatever you consider in your defense and
present the documents and information it deems pertinent, in accordance with the
article 89.2 of the LPACAP).
926-280721
Angel Carralero Fernandez
INSPECTOR / INSTRUCTOR
>>
SECOND: On October 19, 2021, the claimed party has made the payment
of the sanction in the amount of 16,000 euros making use of the reduction foreseen in
the proposed resolution transcribed above.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 24/25
THIRD: The payment made entails the waiver of any action or recourse in progress.
administrative against the sanction, in relation to the facts to which the
motion for resolution.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of
control, and as established in art. 47 of Organic Law 3/2018, of 5 of
December, Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), the Director of the Spanish Agency for Data Protection
is competent to sanction the infractions that are committed against said
Regulation; infractions of article 48 of Law 9/2014, of May 9, General
of Telecommunications (hereinafter LGT), in accordance with the provisions of the
article 84.3 of the LGT, and the offenses typified in articles 38.3 c), d) and i) and
38.4 d), g) and h) of Law 34/2002, of July 11, on services of the company of the
information and electronic commerce (hereinafter LSSI), as provided in article
43.1 of said Law.
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), under the rubric
"Termination of sanctioning procedures" provides the following:
"1. Initiated a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely of a pecuniary nature or it is possible to impose a
pecuniary sanction and other non-pecuniary sanction but the
inadmissibility of the second, the voluntary payment by the presumed responsible, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or to the determination of the
compensation for damages caused by the commission of the offense.
3. In both cases, when the sanction is solely of a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% on the amount of the proposed sanction, these being cumulative among themselves.
The aforementioned reductions must be determined in the notice of initiation
of the procedure and its effectiveness will be conditional on the withdrawal or resignation of
any action or appeal in administrative proceedings against the sanction.
The percentage of reduction foreseen in this section may be increased
regulations. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 25/25
In accordance with the above, the Director of the Spanish Agency for the Protection of
Data
RESOLVES:
FIRST: DECLARE the termination of procedure PS / 00050/2021, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to LOGISTICS SERVICES
MARTORELL SIGLO XXI, S.L ..
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
968-160721
Mar Spain Martí
Director of the AEPD, P.O. the Deputy Director General of Data Inspection, Olga
Pérez Sanjuán, Resolution 4/10/2021
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
