AEPD (Spain) - EXP202200429: Difference between revisions

From GDPRhub
(The text was well written, I just made stylistic changes to the narrative to make the facts more interesting.)
Line 120: Line 120:


=== Facts ===
=== Facts ===
In 2017, the Municipality of Ibiza (the data controller) started a sanctioning procedure against the data subject due to an unauthorized construction. After demolishing the construction, the data subject requested the end of the procedure and filed a application for a license. Not satisfied, the data subject decided to report some neighbors who were also carrying out irregular constructions.
In 2017, the Municipality of Ibiza (the data controller) started a sanctioning procedure against the data subject due to an unauthorized construction. After demolishing the construction, the data subject requested the end of the procedure and filed a application for a license. Not satisfied, the data subject decided to report some neighbours who were also carrying out irregular constructions.


It turns out that, based on this report, the controller opened an investigation against the neighbors and recorded the personal data of the data subject as the complainant. Then, the controller notified the neighbors about the opening of the procedure for investigating the complaint, providing them with the personal data of the data subject and identifying them as the complainant.  Apparently, these neighbors were furious and went to the data subject's address to threaten them. The data data subject made an access request to the controller and required it to delete all their personal data, including their name from all the complaints, but the controller did not respond.   
Based on this report, the controller opened an investigation against the neighbours and informed them about it and the complainant's identity. The data data subject made an access request to the controller and required it to delete all their personal data, including their name from all the complaints, but the controller did not respond.   


The data subject filed a complaint with the Spanish DPA, claiming that they were being threatened by the neighbors due to the unauthorized sharing of their personal data with third parties. Finally, the controller responded and informed that it would comply with the resquests. In defense, it argued that it was necessary to inform the investigated person about the opening of the procedure  and attributed the lack of response to changes in its staff.
The data subject filed a complaint with the Spanish DPA, claiming that they were being threatened by the neighbors due to the unauthorized sharing of their personal data with third parties. Finally, the controller responded and informed that it would comply with the resquests. In defense, it argued that it was necessary to inform the investigated person about the opening of the procedure  and attributed the lack of response to changes in its staff.


=== Holding ===
=== Holding ===
The DPA held that the sharing of personal data with third parties was not necessary for the purposes of following the investigation of  irregular construction since the investigated persons could have been notified without being provided with information about the complainant.  
The DPA held that the sharing of personal data with third parties was not necessary for the purposes of following the investigation of  irregular construction since the investigated persons could have been notified without being provided with information about the complainant. In addition, the DPA highlighted that the failure to respond to the data subject's requests was illegal. Thus, the DPA found a violation of [[Article 12 GDPR|Articles 12]] and [[Article 5 GDPR#1c|5(1)(c) GDPR]], issuing a reprimand to the controller and ordering it to respond to the data subject's requests.  
 
In addition, the DPA highlighted that the failure to respond to the data subject's requests was illegal.  
 
Thus, the DPA found a violation of [[Article 12 GDPR|Articles 12]] and [[Article 5 GDPR#1c|5(1)(c) GDPR]], issuing a reprimand to the controller and ordering it to respond to the data subject's requests.


== Comment ==
== Comment ==

Revision as of 10:32, 19 April 2023

AEPD - AEPD PS-00137-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(c) GDPR
Article 12 GDPR
Article 15(1) GDPR
Article 17 GDPR
Article 17 GDPR
Article 58(2) GDPR
Article 83(5) GDPR
Article 83(5)(a) GDPR
Article 83(5)(b) GDPR
Article 83(6) GDPR
Article 83(7) GDPR
Article 4 Ley 39/2015
Article 123 Ley 39/2015
Article 13 Ley 39/2015
Article 13 LOPDGDD
Article 48(6) LOPDGDD
Article 53 Ley 39/2015
Article 62 Ley 39/2015
Article 64(1) LOPDGG
Article 64(2)(b) Ley 39/2015
Article 65(4) LOPDGDD
Article 71 LOPDDGG
Article 71(1)(a) LOPDGDD
Article 72(1)(k) LOPDGDD
Article 74(c) LOPDGDD
Article 77 Ley 39/2015
Article 78 Ley 39/2015
Type: Complaint
Outcome: Upheld
Started: 29.11.2021
Decided:
Published: 11.04.2023
Fine: n/a
Parties: Data subject
Municipality of Ibiza
National Case Number/Name: AEPD PS-00137-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: isabela.maria.rosal

Based on a complaint, the Municipality of Ibiza opened investigations about irregular constructions and notified the investigated persons providing them with personal data of the complainant. The DPA found a violation of 5(1)(c) and 12 GDPR due to lack of response to an access/erasure request.

English Summary

Facts

In 2017, the Municipality of Ibiza (the data controller) started a sanctioning procedure against the data subject due to an unauthorized construction. After demolishing the construction, the data subject requested the end of the procedure and filed a application for a license. Not satisfied, the data subject decided to report some neighbours who were also carrying out irregular constructions.

Based on this report, the controller opened an investigation against the neighbours and informed them about it and the complainant's identity. The data data subject made an access request to the controller and required it to delete all their personal data, including their name from all the complaints, but the controller did not respond.

The data subject filed a complaint with the Spanish DPA, claiming that they were being threatened by the neighbors due to the unauthorized sharing of their personal data with third parties. Finally, the controller responded and informed that it would comply with the resquests. In defense, it argued that it was necessary to inform the investigated person about the opening of the procedure and attributed the lack of response to changes in its staff.

Holding

The DPA held that the sharing of personal data with third parties was not necessary for the purposes of following the investigation of irregular construction since the investigated persons could have been notified without being provided with information about the complainant. In addition, the DPA highlighted that the failure to respond to the data subject's requests was illegal. Thus, the DPA found a violation of Articles 12 and 5(1)(c) GDPR, issuing a reprimand to the controller and ordering it to respond to the data subject's requests.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/19










 File No.: EXP202200429



                 RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
the following


                                    BACKGROUND


  FIRST: A.A.A. (hereinafter, the claimant) on 11/29/2021 filed

claim before the Spanish Data Protection Agency. The claim is directed
against EIVISSA CITY COUNCIL with NIF P0702600H (hereinafter, the party
claimed). The reasons on which the claim is based are the following:

In 2016, a disciplinary file of
XXXXXXXXXXXXX, for placing some architectural elements without enabling title

(violation of articles 133 and 134 of Law 2/2014 of 03/25, on the management and use of
soil of the Balearic Islands, according to the copy of the resolution of XX/XX/2017 of the Mayor's Office
from Eivissa, which accompanies (origin complaint from the Local Police of 05/24/2016).

He states that he made allegations and presented in said proceeding, on X/XX/2016, a

writing, model: "general instance" (attaches a copy), informing the
claimed that "all (...) are irregularly", in the request "that it be verified
and if it is illegal, act accordingly”. The document contains your name
and surname, address, (...), and NIF number. It does not refer to any procedure with which
relate, and contains the literal:


 "The data collected may be used by the owner of the file for the exercise of the
own functions within the scope of their powers" and information on the exercise of
the rights on the LOPD.

The claimant indicates that: "After a few months a neighbor appeared threatening",

alleging that I had denounced them in the City Hall and that my name appeared in
the complaint. To prove it, attach a partial copy (a sheet of the resolution of
XX/XX/2019 addressed to that other neighbor, coinciding with the address of the irregularity
planning with one of those that appeared in the claimant's brief of X/XX/2016).


As one of the points, figure:

"Having seen the XXXX/2016 report issued by the municipal technical services on
09/1/2016, of the tenor "Subject: Technical Report at the request of the Delegate Councilor of
XXXXXXXXXXXX activities and housing, in relation to the denounced facts

constituting a possible urban infraction "...." Considering the complaint filed
by (data of the claimant Ms. A.A.A.) by letter dated X/XX/2016 by the
which is brought to the attention of this Regiduría the execution of the works consistent
in… presumably without protection of enabling title…”” In application of articles 69.2

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/19








of Law 30/1992 and 149 of Law 2/2014 of 25/03 on the planning and use of the land of the
Illes Balears…”REPORT: First: that once a visit to the indicated property in
dated 08/31/2016, it has been possible to verify that the roof of the building on the street...

observe…”

The claimant states that "I called the City Council to ask for explanations and they did not
they understood. I never got a response from the council. “

"Apparently, in this process they have sent to some XXXX neighbors the complaint of the

City Council using my name to file said complaint instead of being
They are the ones to do it and not in my name.”

On date XX/X/2019, he submitted a letter to the City Council requesting the deletion of
your data. Attach a copy of the letter in which it appears: "In 2016 I presented a

complaint to the Department of XXXXXXXXXXXXX of the Ibiza Town Hall on the occasion
of a file initiated by him in which he urged me to demolish a wall built in
my home. As a result of this, my identification data has appeared in various
files of third parties, neighbors of my street, in which I was indicated as
complainant person“ “the complaint presented in my 2016 brief did not refer to
no concrete person, manifested some visible and verifiable facts by any

person who walked down the street and at no time did I file a complaint”

“Your personal data has been communicated to third parties without a legal basis for
it."
“As a consequence of the communication of my personal data to third parties,

I have suffered threats and insults from various people.”

He states that he did not receive a response to that exercise.

He continues stating that on ***DATE.1, he submitted a new document, without having obtained

answer. It is, according to the accompanying copy, indicating that it received a complaint in
question of XXXXXXXXXX (a wall that was being built to put a
XXXXXXX) , and made a "complaint", alluding to his letter of X/XX/2016 as an allegation and
irregularities ”I made a complaint alleging that in my group there were more people with
irregularities” (colla: term in Catalan to refer to a group of acquaintances or friends),
"I never gave names." Add again, on the back of the document that "received

threats from several neighbors who showed up at his home", and another neighbor showed him
the complaint with her name, coincides with the partial copy of the one she provides, so
XX/XX/2019, who "found threatening notes in the car", had to "rent a
parking" to avoid damage to the car and "I have moved house for fear of suffering
damage". He requested the deletion of his data and no one answered him. Request: "All

documentation corresponding to my case and all the complaints that appear in my
name…"

The claimant considers that her personal data has been unlawfully disclosed and
have met their data protection rights.


SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of
Protection of Personal Data and guarantee of digital rights (hereinafter
LOPDGDD), said claim was transferred to the claimed party, so that

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/19








proceed to its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements established in the regulations of
Data Protection.


The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
1/10, of the Common Administrative Procedure of Public Administrations (in
hereafter, LPACAP), was collected on 01/21/2022, as stated in the acknowledgment of
receipt that works in the file.


The claimed party responds to the transfer of the claim dated 02/21/2022, which
following:

-The deletion of data was not addressed "due to a human error derived from the month in which the
that we were (August) and the change of staff due to the holidays

summer.”

-"Regarding the right of access presented on ***DATE.1, it was transferred to the
responsible for the file, and due to internal ignorance, no response was given to the
applicant."


-Provides doc 1, of 02/18/2022, expte. ***FILE.1, copy of response to
claimant, stating:

On the request of ***DATE.1, "we have to convey to you...our most sincere
apologies, since although it is true, they contacted you by telephone, to

indicate the error made on our part, however, we do not reply in writing
indicating that we had proceeded to delete your personal data. "…we have
proceeded to correct the error committed.”

It is noted that in said letter it was not the one in which he exercised the right to suppress

his data, it was in one of 2019. It does not provide documentary evidence of having proceeded to the
deletion that he claims to have executed.

“By Decree we proceed to make your request for access to information effective,
as established in article 13 of the LOPDGDD, and once the
information, taking into account the right of access formulated by you, we will proceed to the

exercise of data deletion requested in accordance with the current legislation of the
Public administrations."

Attached, copy of Decree of 02/18/2022, number XXXX/2022, which indicates: "for his
request of ***DATE.1 in which access is requested to all the corresponding documentation

to my case and all the complaints where my name appears”

"...as established in article 13 of the LOPDGDD", it is agreed:

-Informs you of the data it possesses about her, as they have been presented differently

formalities. Access consists of a brief reference to the procedure in question and a
identification number. Among them, it appears "presents general instance of denunciation
due to irregular works on the terraces of the numbers…. of the street…, XXXXX/2016”, which
matches your instance of X/XX/2016.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/19









-“Once this is sent, in accordance with the right of access formulated by you,
proceed to the exercise of data deletion requested in accordance with the legislation

in force of the Public Administrations.”

It also provides a document of delivery to the claimant of 02/19/2022, "response to the
Right of access".

It is noted that what the claimant was asking for was to know the files open to other

people in whom his reference as a complainant was contemplated, just like the one who is
provided together with this claim, dated XX/XX/2019, from one of them.

-They indicate that despite having a procedure for attention to the exercise of rights, it has
prepared and approved on 02/16/2022 a new one, to "prevent situations from occurring

Similar". They have sent a statement to all employees informing them of this and
remembering deadlines to respond. Provide a copy of the second version of 02/14/2022.

-In 2021, training was given on the exercise of data protection rights,
provides certificate.


THIRD: On 02/28/2022, in accordance with article 65 of the LOPDGDD, the
admitted for processing the claim presented by the claimant.

FOURTH: On 03/03/2022, the claimant provides a copy of what was received from the
City hall:


a) Decree of the Mayor's Office XXXX/2022 that gives summary access to your data in relation to
with the procedures requested, and that "proceeds to the requested data deletion exercise".

b) Copy of the response to your brief of XX/XX/2020, from the claimed party, of 02/18/2022,

exte ***FILE.1.

You state that you want the procedure to continue.

FIFTH: On 06/2/2022 it was agreed by the Director of the AEPD:


"START SANCTION PROCEDURE for EIVISSA CITY COUNCIL, with NIF
P0702600H, for the alleged infringement of the GDPR, articles:

-12 of the GDPR, in accordance with article 83.5.b) of the GDPR and 72.1.k) of the
LOPDGDD, and

-5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR and 72.1.a) of the
LOPDGDD.”

"For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure
Common Administrative Law of Public Administrations, the sanction that could

to correspond would be a warning, without prejudice to what results from the instruction.”

No claims were received.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/19








SIXTH: On 11/24/2022, it is agreed to open a test practice period, according to
the provisions of article 77 and 78 of the LPACAP. It is agreed to practice the following
evidence:


1. Consider reproduced for evidentiary purposes the claim filed by the
claimant and its documentation, the documents obtained and generated during the phase
of admission to process the claim, and those of transfer actions that form
part of procedure AT/00174/2022.


2. Likewise, the writings presented by
the claimant after the commencement agreement.

3. The defendant is requested to report or provide the following:


a) The Ibiza Town Hall initiated a procedure against the claimant for works
illegal/construction on the roof without enabling title/, complaint date X/XX/2016, with
report of "municipal XXXXXXX from which it can be deduced that the claimant performs
work... still unfinished", as can be seen from the letter to the claimant, from the
Town Hall of XX/XX/2017. It is also included in it, that on 01/24/2017, the
claimant submitted a project requesting a license. The brief of XX/XX/2017 agreed

initiate a disciplinary file for commission of urban infraction and initiate the
reposition to altered physical reality.

Regarding the document -which is attached to this brief of evidence of the claimant -of
X/XX/2016 and its content and references and information, you are requested to report:


-If said document of X/XX/2016, is part of, or is included in the process of any
procedure initiated to the claimant, as allegations made by the claimant.

-If before the aforementioned letter of XX/XX/2017, any action had been communicated

related to the facts of that file to the claimant, indicating the date and type of
communication and related to what matter.

b) Inform the number of files in which the letter of the
claimant of X/XX/2016 as an initiating cause of procedures or actions
against other people, and the dates on which the proceedings began against each of them.


c) If the content in the writings of initiation of proceedings has changed by
complaints in matters of XXXXXXXXXXXX in which natural persons put into question
knowledge of the City Council allegedly illegal events, so that in front of the
alleged infringers reported do not contain data of the person who puts it in

knowledge of the City.

d) In writing addressed to the claimant dated 02/18/2022, exte ***EXPEDIENTE.1, they state
at the end that: "once the information is sent to you, taking into account the right of access
formulated by you, the exercise of data deletion requested from

accordance with the current legislation of the Public Administrations.”




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/19








You are requested to report providing a copy of the response on this right of
deletion that are supposed to have responded to the claimant, with proof of their
delivery.


After the allotted time, no response was received.

SEVENTH: On 12/20/2022, the following proposed resolution was issued:

"1-That the Director of the Spanish Data Protection Agency sanctions

EIVISSA CITY COUNCIL, with NIF P0702600H:

-with a warning, for the infringement of article 12 of the GDPR, in accordance with the
Article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD.


-with a warning, for the infringement of article 5.1.c) of the GDPR, in accordance
with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.

2-That in application of article 58.2.c) of the RGPD that establishes corrective powers to the
AEPD to: "order the person in charge or person in charge of the treatment to attend to the
requests to exercise the rights of the interested party under this
Regulation;", you are urged to prove the content of the right of deletion that has been
carried out with the claimant, and if it has been communicated to her.”


EIGHTH: On 12/20/2022, a literal resolution proposal was issued.


"1-That the Director of the Spanish Data Protection Agency sanctions
EIVISSA CITY COUNCIL, with NIF P0702600H:

-with a warning, for the infringement of article 12 of the GDPR, in accordance with the
Article 83.5.b of the GDPR and 72.1.k) of the LOPDGDD.

 -with a warning, for the infringement of article 5.1.c) of the GDPR, in accordance
with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.

2-That in application of article 58.2.c) of the RGPD that establishes corrective powers to the

AEPD to: "order the person in charge or person in charge of the treatment to attend to the
requests to exercise the rights of the interested party under this
Regulation;", you are urged to prove the content of the right of deletion that has been
carried out with the claimant, and if it has been communicated to her.”

NINTH: On 01/04/2023, the following allegations are received:


-They understand that the violation of article 12 of the GDPR, would be of 83.5.b) of the GDPR, not
of letter a) of the same article 83.5 that is dragging on the file.

The conduct that typifies said infraction does not occur, because it is not explained clearly.
motivated which consists of the impediment, obstruction, or reiterated non-attention of the

exercise of the established rights, Explains the literal meaning that the RAE gives to each
one of the words, and it may be considered in any case that said word must be completed
response or not, but not qualify as non-attention. He adds that in fact
claimant exercised the right and the defendant did not put up an obstacle to said exercise.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/19









-He considers that only a single right of deletion has been exercised (08/22/2019) and a
only right of access (***DATE.1), which are both answered on 02/18/2022, both

in writing and by phone. In the configuration of the consideration of the facts
as a violation of article 12 of the GDPR, it cannot be treated as a reiteration of the
petition, the fact that on the occasion of the request for access to documents mentions
that he had requested the right of deletion and had not been answered, since this has to be
considered as a new request, in this case, for access. In any case, it cannot be
classify as ignoring the request when he was told that after giving him access, he was leaving

to proceed with the deletion, so it cannot be described as reiterated.

-Indicates that article 64.1 of the LOPDGG talks about the procedure of lack of attention
of a request to exercise rights that is related to articles 15 to 22 and does not
It is classified as very serious.


The aforementioned non-motivation would give rise to its classification as mild in article 74.c of the
LOPDGDD.

Counting from the date on which the deletion could be considered as not addressed,
09/22/2019, more than a year has passed from the period that would entail its qualification as

mild, so it must be considered prescribed. It shows that the same is true of
regarding the right of access, prescribed on 01/17/2022.

-Regarding the infringement of article 5.1.c) of the GDPR, the provision of the
The identity of the complainant is in accordance with Article 62 of the LPCAP, since complaints must be

express the identity of the people who inform the Administration
the facts and, from this moment, it is the Public Administration that gives the course
that the Law establishes, taking into account the form of initiation. We are before a
complaint whose purpose is to maintain legality and observance of the law
planning, in which the complainant can acquire the status of interested party. Esteem

that the claimant would have a direct interest and it affects her interests, since she was
object of an administrative file for the same facts, which, if allowed with
with respect to the rest of the neighbors it would suppose a comparative grievance. "In this scenario, it is
preferential application of the LPCAP and transparency legislation. Article 53 LPACP
prevails over data protection regulations.” The defendant has the right to
access to the file and obtain a copy of it.


The AEPD affirms that "the interference in the data of the claimant, because it is not precise,
necessary, adequate or proportional, must not be made known in the procedure that
start the administration of the defendant", but the City Council cannot be required to
eliminate said information as it would imply the non-satisfaction of a right to

complainant. In addition, if the Administration included the complainant's data, it was in
For the sake of maximum transparency in the exercise of its sanctioning power.

-Provides indications of AEPD procedures in which it reproduces parts that
indicate that it is in accordance with the LOPD to obtain a copy of the file including the identity

of the complaining party that is delivered to the accused. One of them indicates that it is a
case like this, report 197/2006.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/19








-Ends by indicating that: "Taking into account that the administrative files have
completed, the City Council, complementing the response given on 02/18/2022, has given
instructions for the deletion of the data of the complainant from the files

administrative documents in which it is recorded. A letter will be provided confirming this point.”

TENTH: In view of all the proceedings, by the Spanish Protection Agency
of Data in this procedure the following are considered proven facts:



                                PROVEN FACTS


1) The Ibiza Town Hall initiated on XX/XX/2017 a disciplinary procedure against the
claimed for illegal works / construction on the roof without enabling title /, and initiate the
restoration to the altered physical reality, dated complaint X/XX/2016, with report of

"XXXXXXX municipal from which it can be deduced that the claimant is carrying out works... even without
conclude". It is also stated therein that on 01/24/2017, the claimant filed a
project requesting license.

Related to this, it appears that on 10/26/2017, the claimant sent a letter to the

claimed requesting that the file be archived because it has complied by demolishing what
built.


2) The claimant completed a claimant's form dated X/XX/2016,
“general instance”, informing the defendant that three addresses that

identified by street (same as yours) and numbers, have architectural elements
irregular, describing what these are. The document contains the literal:
"The data collected may be used by the owner of the file for the exercise of the
own functions within the scope of their powers”, and information on the exercise of
the rights on the LOPD. In the "I request", it appears: "That it be verified and in the case of

be illegal to act accordingly." In addition, the document contains your data
personal, ID and address.


3) The claimant claims that her data has been delivered to files that have been

opened as of his letter of X/XX/2016, since one of the accused appeared in
Your domicile. The claimant provides a partial copy, with only one page, of a resolution of
XX/XX/2019 that the City Council addressed to one of the owners of the houses that
complainant indicated in its brief of X/XX/2016. As one of the points, figure: "seen
the XXXX/2016 report issued by the municipal technical services on 09/1/2016,
of the tenor "Subject: Technical Report at the request of the Delegate Councilor of

XXXXXXXXXXXX activities and housing, in relation to the denounced facts
constituting a possible urban infraction "...." Considering the complaint filed
by (data of the claimant Ms. A.A.A., the claimant) by writing dated X/XX/
2016, by which the execution of the works is made known to this Councilor
consisting of... presumably without protection of enabling title..."" In application of the

Articles 69.2 of Law 30/1992 and 149 of Law 2/2014 of 25/03 on the management and use of
soil of the Balearic Islands…” REPORT: First: that once a visit to the indicated


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/19








property on 08/31/2016, it has been verified that the roof of the building of the
street ... it is observed ...

On date XX/X/2019, the claimant submits a letter to the City Council requesting the
deletion of your data, specifying that it is your identity that has been included in

disciplinary resolutions of third parties, and that some of the denounced appeared in
your address, and that: "as a result of the communication of my personal data to
third parties, I have suffered threats and insults from various people”.
The request was not met.

4) On ***DATE.1, the claimant requests: “all documentation

corresponding to my case and all the complaints that appear in my name”. points at
the letter that "several neighbors showed up at her home threatening her" The petition
was not attended.



5) In the transfer of the claim, the claimed party declares that in writing of
02/18/2022, on the request of *** DATE.1, they have answered the request for access to
your data. In said response, he informs her of the data he possesses about her, for having been
presented different procedures. The access consists of the brief reference of the procedure of
that it is, and an identification number. Among them, it appears "presents instance
general denunciation for irregular works on the terraces of the numbers…. of the

calle…, XXXXX/2016”, which refers to your instance of X/XX/2016. It is also observed
that what the claimant was asking for was to know the files open to other people in
which included his reference as complainant, as well as the documentation of
the same.

6) In the same response to the access, on 02/18/2022, he indicates the part

claimed to the claimant, without any reference to her request for suppression of XX/X/2019, and
the terms in which it was requested, that: "Once the present is forwarded, in response to the
right of access formulated by you, proceed to the exercise of deletion of data
requested in accordance with the current legislation of Public Administrations.", without
know the scope of the supposed deletion of data carried out by the party
claimed.


-In allegations to the proposal, the defendant stated that "Taking into account that the
administrative files have concluded, the City Council, complementing the
response given on 02/18/2022, has given instructions for the deletion of the data from the
complainant of the administrative files in which it is recorded. Written will be provided
confirming this point."


                           FUNDAMENTALS OF LAW

                                           Yo

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679

(General Data Protection Regulation, hereinafter GDPR), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Law
Organic 3/2018, of 12/5, Protection of Personal Data and guarantee of rights
(hereinafter, LOPDGDD), is competent to initiate and resolve this

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/19








procedure the Director of the Spanish Data Protection Agency.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures

processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with character
subsidiary, by the general rules on administrative procedures."

                                            II



Article 12 of the GDPR establishes:


1. The person in charge of the treatment will take the appropriate measures to facilitate the
interested all information indicated in articles 13 and 14, as well as any
communication pursuant to articles 15 to 22 and 34 relating to processing, in the form
concise, transparent, intelligible and easily accessible, with clear and simple language, in

particular any information directed specifically to a child. The information will be
provided in writing or by other means, including, if applicable, by electronic means.
When requested by the interested party, the information may be provided orally provided that
the identity of the interested party is proven by other means.

2. The data controller will facilitate the interested party to exercise their rights in
virtue of articles 15 to 22…

3. The person responsible for the treatment will provide the interested party with information regarding their
proceedings on the basis of a request under articles 15 to 22, without delay

improper and, in any case, within a period of one month from receipt of the
application…"


4. If the person in charge of the treatment does not process the request of the interested party, he will inform him
without delay, and no later than one month after receipt of the request, of the ra-
reasons for their failure to act and the possibility of filing a claim before an auto-
control and exercise judicial actions.


Regarding the lack of attention to the right of deletion requested on 08/22/2019, the article
17 of the GDPR indicates:

"1. The interested party shall have the right to obtain without undue delay from the person responsible for the

treatment the deletion of personal data that concerns you, which will be
obliged to delete personal data without undue delay when any of the
the following circumstances..."

The claimant in her request for deletion makes it based on the same facts that
explained in this claim. It is about the appearance of your data in files with your

data as a complainant, clarifying that she did not file any complaint. The
claimant indicates that he is making known some facts. It is also observed that the
competent authority through its employees, visited the address that
The claimant provided in its brief of X/XX/2016 to verify the legality of the
buildings.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/19








One of the points that favors deletion is that of point d of the aforementioned article 17:

“d) the personal data have been processed unlawfully;” although it is also stated that


"3. Sections 1 and 2 will not apply when the treatment is necessary:

 a) to exercise the right to freedom of expression and information;

b) for compliance with a legal obligation that requires data processing
imposed by the law of the Union or of the Member States that applies to the

responsible for the treatment, or for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the person responsible;

c) for reasons of public interest in the field of public health in accordance with the
Article 9, paragraph 2, letters h) and i), and paragraph 3;


  d) for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes, in accordance with Article 89(1), to the extent that the
right indicated in paragraph 1 could make impossible or seriously impede the
achievement of the objectives of such processing, or

  e) for the formulation, exercise or defense of claims.”


In accordance with the ruling of the National Court, contentious court
administrative section 1, resource 165/2005 of 12/14/2006 "Regulates art. 15 of the LO
15/1999 the right called habeas data or habeas scriptum which consists of the fact that the
affected may require the person responsible for the file to make a service consisting of

the mere display of your data and, where appropriate, its rectification or cancellation. Is about
an essential right in the matter that is included in art.8.b) and c) of the
Convention 108 of the Council of Europe and 12 and 13 of Directive 95/46/CE”" For the rest,
It is indisputable that the right of access constitutes the essential core of the regulated law
in art.18.4 of the Constitution -STC 292/2000”


The defendant did not process in any way the claimant's exercise of rights, nor
when the suppression first entered, on 08/22/2019 (the resolution in which
their data appear in one of the denounced was from XX/XX/2019), nor when in the letter
subsequent request for documentation and access, *** DATE.1 also made
reference and recalled in numerous details the one he had presented earlier, noting
including the date of the aforementioned deletion, without obtaining his attention in any of them.

Presumably, given the omission in the response provided and not being taken into
account of the deletion, your data could have continued to be provided in other
files of other defendants. This could be deduced from the statement made by
about what:


"Taking into account that the administrative files have concluded, the City Council,
complementing the answer given on 02/18/2022, has given instructions for the
deletion of the data of the complainant from the administrative files in which
for the record A letter will be provided confirming this point.”

On the other hand, for the first petition, the defendant indicates that "they began to carry out

actions to respond to his request, but no written response was received in
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/19








term and form, due to a human error derived from the month in which we were
(August) and the change of staff due to the summer holidays. “

Regarding her exercise of access, presented on ***DATE.1, the defendant states

that "the person responsible for the file was transferred, and due to internal ignorance, no
response to the applicant.

Both reasons do not agree with the content of this right, which in this case implies
a non-response in either of them, which implies a refusal to facilitate the

requested information, resulting in the fact that it does not seem possible to be a major impediment other than the
absolute disregard for the exercise of rights, in such a way that said right becomes
useless or completely ineffective.

Understands the defendant, who has given effect to it on 02/18/2022, by telephone and in a
writing stating:

"Once the information is sent to you, in accordance with the right of access formulated by
you, the requested data deletion exercise will be carried out in accordance with the
current legislation of Public Administrations.", without the wording being
fortunate, since the exercise of the right corresponds to the claimant, and without having

any accredited writing of attention in any sense of said right, consigning in
their allegations that "Taking into account that the administrative files have
completed, the City Council, complementing the response given on 02/18/2022, has given
instructions for the deletion of the data of the complainant from the files
administrative documents in which it is recorded. A written document will be provided confirming this point.", and

In addition, both the claimant and this AEPD are unaware of the number of files
in which your data was included and if the complete copy of your writ of
X/XX/2016, which was one of the key points of his access exercise.

"The interested party shall have the right to obtain from the data controller confirmation of
whether or not personal data concerning you is being processed and, in such a case, the right to
access to personal data and the following information:”, article 15.1 of the GDPR.


Regarding telephone information, based on the principle of meeting the requirement of
proactive responsibility established in article 5.2 of the GDPR, is not guaranteed
nor that it had been produced, nor of the same content, considering in this case that it
satisfies the right.

Summarizing, the fact is that it was not answered, which implies a refusal to facilitate the

information requested within the established period and manner. However, this absolute
inattention has made law illusory, in which the completion of the
response, waiting for the moment in which it has been considered that the
files, The defendant has stated that it was going to proceed with the suppression of the
data, although the terms in which they have been carried out, the scope and the

how you have deleted the data. Regarding the exercise of the right of access,
nor is the response contemplated as to whether their data appeared in other files.

This supposes the commission of the infringement of article 12 of the GDPR that is attributed to the
claimed.

                                           II


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/19









The defendant considered the claimant as a complainant in the X/XX/2016 form
and yielded such data, in the record of his name and surname at the beginning of

procedures to third parties. With the mention of (...) that the houses to which he referred
on the aforementioned form, it could have been identified without great difficulty.

 The LPACAP, states in its article 62, "Initiation of the complaint procedure":

1. A complaint is understood to be the act by which any person, in compliance or not
of a legal obligation, notifies an administrative body of the existence
of a certain fact that could justify the ex officio initiation of a procedure
administrative.


2. The complaints must express the identity of the person or persons presenting them.
so and the account of the facts that are brought to the attention of the Administration. When
said facts could constitute an administrative infraction, they will collect the date of their
commission and, when possible, the identification of the alleged perpetrators.

[…]”


"5. The presentation of a complaint does not confer, by itself, the condition of interested party
in the procedure."

And in article 13: "Rights of individuals in their relations with
Public administrations:

Those who, in accordance with article 3, have the capacity to act before the

Public Administrations, are holders, in their relations with them, of the following
rights:

h) To the protection of personal data, and in particular to the security and
confidentiality of the data contained in the files, systems and applications of the
Public administrations."


Article 4 of the LPCAP attributes the status of interested party in a procedure
administrative to:


“a) Those who promote it as holders of rights or legitimate individual interests or
collective.



b) Those who, without having initiated the procedure, have rights that may be
affected by the decision adopted therein.



c) Those whose legitimate interests, individual or collective, may be affected
by the resolution and appear in the procedure as long as no resolution has been handed down
definitive.”


Seen from the perspective of the defendant, as an interested party (art 64.1 LPCAP), affected
directly because a sanctioning procedure in urban matters is initiated,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/19








Article 53.1 of the LPCAP, grants the right to "access and obtain a copy of the
documents contained in the aforementioned procedures”. Obviously, this aspect is
different from the content of the resolutions and agreements that are notified, which is the case

which is dealt with here. Access to a copy of the documents in the file should be to the
essential data, not giving access to data not necessary for the exercise of the
right of defense or that have nothing to do with the matter, which must, if applicable,
remain anonymous. As an example, give in the copy of the file the data of the NIF or
of the address could constitute data processing that, depending on the circumstances, could
not be necessary for this purpose.


However, what is being analyzed here is that the data of the name and surname in the agreement
that the claimant provided as proof of access to her data, violates article 5.1.c
of the GDPR, which indicates:


1. Personal data will be:

c) adequate, pertinent and limited to what is necessary in relation to the purposes for which
are processed ("data minimization");








The claimant informs the City Council of some facts, so that the
verify, circumstance that it performs, in some addresses of (...). irregularities
urban planning evidenced by the claimant, were thus verified by the
inspection authority with competences in the matter, who enjoy the status of

agent of the authority, in order to attest to the facts as thus formalized in
the aforementioned agreement to start the procedure.



The issue could affect the defendants who are mentioned in the agreements

identity of the complainant. In at least one of the cases it was found that
the claimant was referred to.



Although from the partial copy of the resolution of a defendant provided by the claimant, it is

confirms that only his name and first surname were listed, it is enough to be
identified, especially when the (...) and the claimant alludes to the fact that they are part of her
"colla" "group".




The mention of your data proceeding to your identification or being identifiable, puts
evidence of the conflict between the claimant's right to privacy and
preservation and reserve of knowledge of your data, against the right of the accused to
that in the agreement to initiate a disciplinary procedure, it relates

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/19








the specific origin of the claimant's identification data,
with the category of complainant.

There is no question in an initiation agreement of disclosing or not to the person denounced the

identity of the complainant, but if in accordance with the purpose of the agreement
communication and the rights at stake, if such is necessary, proportional and appropriate.
communication with such content.




Considering that the status of complainant does not attribute per se the quality of interested party.
In this case, given that the purpose of disclosing the facts was the
protection of urban legality and its eventual restoration to a previous situation,
situation in which the claimant was not involved. Taking into account that the
urban planning authority verified the facts and initiated the disciplinary procedure ex officio

(Article 63.1 LPCAP: ”The procedures of a sanctioning nature will begin
always ex officio by agreement of the competent body"). It is considered that giving
Knowing the identity data of the person claiming may cause damage
As in this case, it is not estimated that the data that the defendant had collected and that
were brought to the attention of at least one denounced person, were the appropriate ones,
relevant and limited to what is necessary for the purpose for which the processing is carried out

of data. Its incorporation in cases like this, can give rise to the same or
similar effects on the people who make known facts such as those
here are analyzed that may give rise to disciplinary proceedings.


Add the claimed, which complied with the provisions of the LPCAP, but, among the content
of the agreement to start the disciplinary procedure of the LPCAP, article 64, does not appear to give
know the identity of the person complaining.


In a case like the one analyzed here, proof of identification of the person in the

agreement addressed to the sanctioned party, does not contribute anything substantial to it, nor does it imply a
loss of his right to defense, stating below that the facts were
verified by the urban authority. Lack of any effect for the defendant, which
prevents the data processing of the claimed party.

Although it is not possible to generalize, and must be analyzed on a case-by-case basis, in accordance with the

circumstances, in this case, the reconciliation of the rights of the parties leads to
resolve that it was not appropriate, pertinent or necessary for said agreement to
contain the identification data of the claimant. This extreme can only be reached
analyzing the various elements that come together in the rights in dispute of the parties.
The consequence must be that the interference with the data of the claimant, which is

embodied in the record in an agreement to start a disciplinary file,
It can happen in environments where everyone knows each other, and it could also cause serious
risks for claimants and discourage this type of claim in addition to
may suffer other consequences. In this way, it is only estimated that the aforementioned
constancy would be precise if the knowledge of the identity were determinant in the
configuration of the facts or was related to them, affecting the rights to

exercise by the defendant, especially his right of defense. Not being the one
case, it is determined that the aforementioned article 5.1.c) is infringed)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/19










                                            IV.


Violations of articles 12 and 5.1.c) of the GDPR are typified in article
83.5.a) of the GDPR, which indicates:

Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of
of a company, in an amount equivalent to a maximum of 4% of the volume of

overall annual total business of the previous financial year, opting for the one with the highest
amount:

a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9;


b) the rights of the interested parties in accordance with articles 12 to 22;”

The LOPDGDD also contemplates these infractions in terms of the term of their
prescription in the following articles:

71


"Infractions are the acts and conducts referred to in sections 4, 5 and
6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to
the present organic law.”

article 72


"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
are considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the
following:

a) The processing of personal data in violation of the established principles and guarantees

in article 5 of Regulation (EU) 2016/679.”

"k) The impediment or the obstruction or the reiterated non-attention of the exercise of the
rights established in articles 15 to 22 of Regulation (EU) 2016/679.”


Regarding the allegation that the infringement typified in 72.1.k) of the LOPDGDD,
not having been motivated, should be classified as minor, for obeying article 74 c) of
the LOPDGDD that indicates: "Not responding to requests for the exercise of rights
established in articles 15 to 22 of Regulation (EU) 2016/679, unless it is

application of the provisions of article 72.1.k) of this organic law.", it must be indicated that
it has been explained that it falls within a substantial non-compliance, total of two years
of law, and that when answered on 02/18/2022 it has not been fully provided, for
what is incardinated in this type the referred conduct.

                                            V


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/19








Article 58.2 of the GDPR indicates as powers of the control authority:

"c) order the person in charge or person in charge of the treatment to attend to the requests for
exercise of the rights of the interested party under this Regulation;”

“i) impose an administrative fine in accordance with article 83, in addition to or instead of the

measures mentioned in this section, according to the circumstances of each case
particular"

The claimed party has not explained how and when it proceeded to delete the data
of the claimant in the specific sense in which it was requested, without knowing the
scope of compliance of the exercise that was carried out.


It is also not known if your data was provided in the course of the proceedings.
open with cause in his brief of X/XX/2016, which was one of the motions in the
Exercise of the right of access.

The imposition of this measure is compatible with the sanction, according to the provisions of art.
83.2 of the GDPR.

Article 83.7 of the GDPR adds:


"Without prejudice to the corrective powers of the control authorities under the
Article 58(2), each Member State may lay down rules on whether
can, and to what extent, impose administrative fines on authorities and bodies
public establishments established in that Member State.”


The Spanish legal system has chosen not to penalize entities
public, as indicated in article 77.1. c) and 2. 4. 5. and 6. of the LOPDDGG:


"1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:

  "c) The General Administration of the State, the Administrations of the communities

autonomous entities and the entities that make up the Local Administration.”

  "2. When the managers or managers listed in section 1 commit
any of the offenses referred to in articles 72 to 74 of this organic law,
the competent data protection authority will issue a resolution
sanctioning them with warning. The resolution will also establish the

measures that should be adopted to cease the conduct or to correct the effects of the
offense that was committed.

  The resolution will be notified to the person in charge or in charge of the treatment, to the body of the
that depends hierarchically, where appropriate, and those affected who have the status of
interested, if any.


  3. Without prejudice to what is established in the previous section, the data protection authority
data will also propose the initiation of disciplinary actions when there are
enough evidence for it. In this case, the procedure and the sanctions to be applied
will be those established in the legislation on the disciplinary or sanctioning regime that

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/19








be applicable.

  Likewise, when the infractions are attributable to authorities and executives, and
certify the existence of technical reports or recommendations for treatment that do not

have been duly attended to, in the resolution in which the sanction is imposed
a reprimand will be included with the name of the responsible position and the
publication in the corresponding Official State or regional Gazette.

  4. The data protection authority must be informed of the resolutions that

fall in relation to the measures and actions referred to in the sections
previous.

  5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities the actions carried out and the resolutions issued to the
under this article.


  6. When the competent authority is the Spanish Data Protection Agency,
This will publish on its website with the proper separation the resolutions referring to the
entities of section 1 of this article, with express indication of the identity of the
responsible or in charge of the treatment that had committed the infringement.”


Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been accredited.


the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: SANCTION THE CITY COUNCIL OF EIVISSA, with NIF P0702600H, with a
warning for each of the following infractions:

-article 12 of the GDPR, in accordance with article 83.5.b) of the GDPR, and for the purposes of

prescription, typified in article 72.1.k) of the LOPDGDD.

-article 5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes
of prescription, typified in article 72.1.a) of the LOPDGDD.


SECOND: In accordance with the provisions of article 58.2.c) of the GDPR, you must complete
the rights subject to claim in the sense that is included in the last foundation
of law, for which a term of ten days is granted, having to inform of its
compliance.


It is noted that not meeting the requirements of this body may be
considered as an administrative offense in accordance with the provisions of the GDPR,
classified as an infraction in its article 83.5 and 83.6, being able to motivate such conduct the
opening of a subsequent administrative sanctioning procedure.

THIRD: NOTIFY this resolution to EIVISSA CITY COUNCIL.


FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance
with the provisions of article 77.5 of the LOPDGDD.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/19








In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once the interested parties have been notified.


Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for replacement before the Director
of the Spanish Agency for Data Protection within a period of one month from the

day following the notification of this resolution or directly contentious appeal
before the Contentious-Administrative Chamber of the National Court,
in accordance with the provisions of article 25 and section 5 of the additional provision
fourth of Law 29/1998, of July 13, regulating the Contentious Jurisdiction-
administration, within a period of two months from the day following the notification

of this act, as provided in article 46.1 of the aforementioned Law.

Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the firm resolution in administrative proceedings if the interested party
expresses its intention to file a contentious-administrative appeal. If this is the one

case, the interested party must formally communicate this fact by writing to
the Spanish Data Protection Agency, presenting it through the Registry
Email from the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through
any of the other records provided for in art. 16.4 of the aforementioned Law 39/2015, of 1
October. You must also transfer to the Agency the documentation proving the

effective filing of the contentious-administrative appeal. If the Agency did not have
knowledge of the filing of the contentious-administrative appeal within the period of
two months from the day following the notification of this resolution, it would consider
the injunction has ended.



                                                                               938-181022
Mar Spain Marti
Director of the Spanish Data Protection Agency
























C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es