AEPD (Spain) - EXP202200429: Difference between revisions
Revision as of 14:08, 19 April 2023
AEPD - AEPD PS-00137-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR; Article 12 GDPR; Article 15(1) GDPR; Article 17 GDPR; Article 58(2) GDPR; Article 83(5) GDPR; Article 83(5)(a) GDPR; Article 83(5)(b) GDPR; Article 83(6) GDPR; Article 83(7) GDPR; Article 4 Ley 39/2015; Article 123 Ley 39/2015; Article 13 Ley 39/2015; Article 13 LOPDGDD; Article 48(6) LOPDGDD; Article 53 Ley 39/2015; Article 62 Ley 39/2015; Article 64(1) LOPDGDD; Article 64(2)(b) Ley 39/2015; Article 65(4) LOPDGDD; Article 71 LOPDGDD; Article 71(1)(a) LOPDGDD; Article 72(1)(k) LOPDGDD; Article 74(c) LOPDGDD; Article 77 Ley 39/2015; Article 78 Ley 39/2015 |
Type: | Complaint |
Outcome: | Upheld |
Started: | 29.11.2021 |
Decided: | |
Published: | 11.04.2023 |
Fine: | n/a |
Parties: | Data subject Municipality of Ibiza |
National Case Number/Name: | AEPD PS-00137-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | isabela.maria.rosal |
Based on a complaint, the Municipality of Ibiza opened investigations into irregular constructions and notified the investigated persons, providing them with personal data of the complainant. The DPA found a violation of Article 5(1)(c) GDPR for this disclosure and of Article 12 GDPR for the lack of response to an access/erasure request.
English Summary
Facts
In 2017, the Municipality of Ibiza (the data controller) started a sanctioning procedure against the data subject due to an unauthorized construction. After demolishing the construction, the data subject requested the end of the procedure and filed an application for a license. Not satisfied, the data subject decided to report some neighbours who were also carrying out irregular constructions.
Based on this report, the controller opened investigations. Subsequently, it informed the neighbours of the investigation and disclosed the identity of the complainant. The data subject made an access request to the controller and required it to delete all their personal data, including their name, from all the complaints. However, the controller did not respond.
The data subject filed a complaint with the DPA alleging that the controller illegally disclosed their personal data to the neighbours. According to the data subject, these neighbours were threatening them because of the complaint. In addition, the data subject stated that their requests for access and deletion of personal data were not answered.
In defense, the controller argued that it was necessary to inform the neighbors about the investigations and attributed the lack of response to changes in its staff.
Holding
The DPA held that the sharing of personal data with third parties was not necessary for the purposes of following the investigation of irregular construction since the investigated persons could have been notified without being provided with information about the complainant.
In addition, the DPA highlighted that the failure to respond to the data subject's requests was illegal. Thus, the DPA found a violation of Articles 12 and 5(1)(c) GDPR, issuing a reprimand to the controller and ordering it to respond to the data subject's requests.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202200429
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on the following
BACKGROUND
FIRST: A.A.A. (hereinafter, the claimant) on 11/29/2021 filed claim before the Spanish Data Protection Agency. The claim is directed against EIVISSA CITY COUNCIL with NIF P0702600H (hereinafter, the party claimed). The reasons on which the claim is based are the following:
In 2016, a disciplinary file of XXXXXXXXXXXXX, for placing some architectural elements without enabling title (violation of articles 133 and 134 of Law 2/2014 of 03/25, on the management and use of soil of the Balearic Islands, according to the copy of the resolution of XX/XX/2017 of the Mayor's Office from Eivissa, which accompanies (origin complaint from the Local Police of 05/24/2016).
He states that he made allegations and presented in said proceeding, on X/XX/2016, a writing, model: "general instance" (attaches a copy), informing the claimed that "all (...) are irregularly", in the request "that it be verified and if it is illegal, act accordingly”. The document contains your name and surname, address, (...), and NIF number. It does not refer to any procedure with which relate, and contains the literal: "The data collected may be used by the owner of the file for the exercise of the own functions within the scope of their powers" and information on the exercise of the rights on the LOPD.
The claimant indicates that: "After a few months a neighbor appeared threatening", alleging that I had denounced them in the City Hall and that my name appeared in the complaint. To prove it, attach a partial copy (a sheet of the resolution of XX/XX/2019 addressed to that other neighbor, coinciding with the address of the irregularity planning with one of those that appeared in the claimant's brief of X/XX/2016).
As one of the points, figure: "Having seen the XXXX/2016 report issued by the municipal technical services on 09/1/2016, of the tenor "Subject: Technical Report at the request of the Delegate Councilor of XXXXXXXXXXXX activities and housing, in relation to the denounced facts constituting a possible urban infraction "...." Considering the complaint filed by (data of the claimant Ms. A.A.A.) by letter dated X/XX/2016 by the which is brought to the attention of this Regiduría the execution of the works consistent in… presumably without protection of enabling title…”” In application of articles 69.2 C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/19 of Law 30/1992 and 149 of Law 2/2014 of 25/03 on the planning and use of the land of the Illes Balears…”REPORT: First: that once a visit to the indicated property in dated 08/31/2016, it has been possible to verify that the roof of the building on the street... observe…” The claimant states that "I called the City Council to ask for explanations and they did not they understood. I never got a response from the council. “ "Apparently, in this process they have sent to some XXXX neighbors the complaint of the City Council using my name to file said complaint instead of being They are the ones to do it and not in my name.” On date XX/X/2019, he submitted a letter to the City Council requesting the deletion of your data. Attach a copy of the letter in which it appears: "In 2016 I presented a complaint to the Department of XXXXXXXXXXXXX of the Ibiza Town Hall on the occasion of a file initiated by him in which he urged me to demolish a wall built in my home. 
As a result of this, my identification data has appeared in various files of third parties, neighbors of my street, in which I was indicated as complainant person“ “the complaint presented in my 2016 brief did not refer to no concrete person, manifested some visible and verifiable facts by any person who walked down the street and at no time did I file a complaint” “Your personal data has been communicated to third parties without a legal basis for it." “As a consequence of the communication of my personal data to third parties, I have suffered threats and insults from various people.” He states that he did not receive a response to that exercise. He continues stating that on ***DATE.1, he submitted a new document, without having obtained answer. It is, according to the accompanying copy, indicating that it received a complaint in question of XXXXXXXXXX (a wall that was being built to put a XXXXXXX) , and made a "complaint", alluding to his letter of X/XX/2016 as an allegation and irregularities ”I made a complaint alleging that in my group there were more people with irregularities” (colla: term in Catalan to refer to a group of acquaintances or friends), "I never gave names." Add again, on the back of the document that "received threats from several neighbors who showed up at his home", and another neighbor showed him the complaint with her name, coincides with the partial copy of the one she provides, so XX/XX/2019, who "found threatening notes in the car", had to "rent a parking" to avoid damage to the car and "I have moved house for fear of suffering damage". He requested the deletion of his data and no one answered him. Request: "All documentation corresponding to my case and all the complaints that appear in my name…" The claimant considers that her personal data has been unlawfully disclosed and have met their data protection rights. 
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5/12, of Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), said claim was transferred to the claimed party, so that proceed to its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements established in the regulations of Data Protection.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of 1/10, of the Common Administrative Procedure of Public Administrations (in hereafter, LPACAP), was collected on 01/21/2022, as stated in the acknowledgment of receipt that works in the file.
The claimed party responds to the transfer of the claim dated 02/21/2022, which following:
-The deletion of data was not addressed "due to a human error derived from the month in which the that we were (August) and the change of staff due to the holidays summer.”
-"Regarding the right of access presented on ***DATE.1, it was transferred to the responsible for the file, and due to internal ignorance, no response was given to the applicant."
-Provides doc 1, of 02/18/2022, expte. ***FILE.1, copy of response to claimant, stating: On the request of ***DATE.1, "we have to convey to you...our most sincere apologies, since although it is true, they contacted you by telephone, to indicate the error made on our part, however, we do not reply in writing indicating that we had proceeded to delete your personal data. "…we have proceeded to correct the error committed.”
It is noted that in said letter it was not the one in which he exercised the right to suppress his data, it was in one of 2019. It does not provide documentary evidence of having proceeded to the deletion that he claims to have executed.
“By Decree we proceed to make your request for access to information effective, as established in article 13 of the LOPDGDD, and once the information, taking into account the right of access formulated by you, we will proceed to the exercise of data deletion requested in accordance with the current legislation of the Public administrations."
Attached, copy of Decree of 02/18/2022, number XXXX/2022, which indicates: "for his request of ***DATE.1 in which access is requested to all the corresponding documentation to my case and all the complaints where my name appears” "...as established in article 13 of the LOPDGDD", it is agreed:
-Informs you of the data it possesses about her, as they have been presented differently formalities. Access consists of a brief reference to the procedure in question and a identification number. Among them, it appears "presents general instance of denunciation due to irregular works on the terraces of the numbers…. of the street…, XXXXX/2016”, which matches your instance of X/XX/2016.
-“Once this is sent, in accordance with the right of access formulated by you, proceed to the exercise of data deletion requested in accordance with the legislation in force of the Public Administrations.”
It also provides a document of delivery to the claimant of 02/19/2022, "response to the Right of access". It is noted that what the claimant was asking for was to know the files open to other people in whom his reference as a complainant was contemplated, just like the one who is provided together with this claim, dated XX/XX/2019, from one of them.
-They indicate that despite having a procedure for attention to the exercise of rights, it has prepared and approved on 02/16/2022 a new one, to "prevent situations from occurring Similar". They have sent a statement to all employees informing them of this and remembering deadlines to respond. Provide a copy of the second version of 02/14/2022.
-In 2021, training was given on the exercise of data protection rights, provides certificate.
THIRD: On 02/28/2022, in accordance with article 65 of the LOPDGDD, the admitted for processing the claim presented by the claimant.
FOURTH: On 03/03/2022, the claimant provides a copy of what was received from the City hall:
a) Decree of the Mayor's Office XXXX/2022 that gives summary access to your data in relation to with the procedures requested, and that "proceeds to the requested data deletion exercise".
b) Copy of the response to your brief of XX/XX/2020, from the claimed party, of 02/18/2022, exte ***FILE.1.
You state that you want the procedure to continue.
FIFTH: On 06/2/2022 it was agreed by the Director of the AEPD: "START SANCTION PROCEDURE for EIVISSA CITY COUNCIL, with NIF P0702600H, for the alleged infringement of the GDPR, articles:
-12 of the GDPR, in accordance with article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD, and
-5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.”
"For the purposes specified in the art. 64.2 b) of Law 39/2015, of 1/10, on Procedure Common Administrative Law of Public Administrations, the sanction that could to correspond would be a warning, without prejudice to what results from the instruction.”
No claims were received.
SIXTH: On 11/24/2022, it is agreed to open a test practice period, according to the provisions of article 77 and 78 of the LPACAP. It is agreed to practice the following evidence:
1. Consider reproduced for evidentiary purposes the claim filed by the claimant and its documentation, the documents obtained and generated during the phase of admission to process the claim, and those of transfer actions that form part of procedure AT/00174/2022.
2. Likewise, the writings presented by the claimant after the commencement agreement.
3. 
The defendant is requested to report or provide the following: a) The Ibiza Town Hall initiated a procedure against the claimant for works illegal/construction on the roof without enabling title/, complaint date X/XX/2016, with report of "municipal XXXXXXX from which it can be deduced that the claimant performs work... still unfinished", as can be seen from the letter to the claimant, from the Town Hall of XX/XX/2017. It is also included in it, that on 01/24/2017, the claimant submitted a project requesting a license. The brief of XX/XX/2017 agreed initiate a disciplinary file for commission of urban infraction and initiate the reposition to altered physical reality. Regarding the document -which is attached to this brief of evidence of the claimant -of X/XX/2016 and its content and references and information, you are requested to report: -If said document of X/XX/2016, is part of, or is included in the process of any procedure initiated to the claimant, as allegations made by the claimant. -If before the aforementioned letter of XX/XX/2017, any action had been communicated related to the facts of that file to the claimant, indicating the date and type of communication and related to what matter. b) Inform the number of files in which the letter of the claimant of X/XX/2016 as an initiating cause of procedures or actions against other people, and the dates on which the proceedings began against each of them. c) If the content in the writings of initiation of proceedings has changed by complaints in matters of XXXXXXXXXXXX in which natural persons put into question knowledge of the City Council allegedly illegal events, so that in front of the alleged infringers reported do not contain data of the person who puts it in knowledge of the City. 
d) In writing addressed to the claimant dated 02/18/2022, exte ***EXPEDIENTE.1, they state at the end that: "once the information is sent to you, taking into account the right of access formulated by you, the exercise of data deletion requested from accordance with the current legislation of the Public Administrations.”
You are requested to report providing a copy of the response on this right of deletion that are supposed to have responded to the claimant, with proof of their delivery.
After the allotted time, no response was received.
SEVENTH: On 12/20/2022, the following proposed resolution was issued:
"1-That the Director of the Spanish Data Protection Agency sanctions EIVISSA CITY COUNCIL, with NIF P0702600H:
-with a warning, for the infringement of article 12 of the GDPR, in accordance with the Article 83.5.b) of the GDPR and 72.1.k) of the LOPDGDD.
-with a warning, for the infringement of article 5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.
2-That in application of article 58.2.c) of the RGPD that establishes corrective powers to the AEPD to: "order the person in charge or person in charge of the treatment to attend to the requests to exercise the rights of the interested party under this Regulation;", you are urged to prove the content of the right of deletion that has been carried out with the claimant, and if it has been communicated to her.”
EIGHTH: On 12/20/2022, a literal resolution proposal was issued.
"1-That the Director of the Spanish Data Protection Agency sanctions EIVISSA CITY COUNCIL, with NIF P0702600H:
-with a warning, for the infringement of article 12 of the GDPR, in accordance with the Article 83.5.b of the GDPR and 72.1.k) of the LOPDGDD.
-with a warning, for the infringement of article 5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR and 72.1.a) of the LOPDGDD.
2-That in application of article 58.2.c) of the RGPD that establishes corrective powers to the AEPD to: "order the person in charge or person in charge of the treatment to attend to the requests to exercise the rights of the interested party under this Regulation;", you are urged to prove the content of the right of deletion that has been carried out with the claimant, and if it has been communicated to her.”
NINTH: On 01/04/2023, the following allegations are received:
-They understand that the violation of article 12 of the GDPR, would be of 83.5.b) of the GDPR, not of letter a) of the same article 83.5 that is dragging on the file. The conduct that typifies said infraction does not occur, because it is not explained clearly. motivated which consists of the impediment, obstruction, or reiterated non-attention of the exercise of the established rights, Explains the literal meaning that the RAE gives to each one of the words, and it may be considered in any case that said word must be completed response or not, but not qualify as non-attention. He adds that in fact claimant exercised the right and the defendant did not put up an obstacle to said exercise.
-He considers that only a single right of deletion has been exercised (08/22/2019) and a only right of access (***DATE.1), which are both answered on 02/18/2022, both in writing and by phone. In the configuration of the consideration of the facts as a violation of article 12 of the GDPR, it cannot be treated as a reiteration of the petition, the fact that on the occasion of the request for access to documents mentions that he had requested the right of deletion and had not been answered, since this has to be considered as a new request, in this case, for access. In any case, it cannot be classify as ignoring the request when he was told that after giving him access, he was leaving to proceed with the deletion, so it cannot be described as reiterated.
-Indicates that article 64.1 of the LOPDGG talks about the procedure of lack of attention of a request to exercise rights that is related to articles 15 to 22 and does not It is classified as very serious. The aforementioned non-motivation would give rise to its classification as mild in article 74.c of the LOPDGDD. Counting from the date on which the deletion could be considered as not addressed, 09/22/2019, more than a year has passed from the period that would entail its qualification as mild, so it must be considered prescribed. It shows that the same is true of regarding the right of access, prescribed on 01/17/2022. -Regarding the infringement of article 5.1.c) of the GDPR, the provision of the The identity of the complainant is in accordance with Article 62 of the LPCAP, since complaints must be express the identity of the people who inform the Administration the facts and, from this moment, it is the Public Administration that gives the course that the Law establishes, taking into account the form of initiation. We are before a complaint whose purpose is to maintain legality and observance of the law planning, in which the complainant can acquire the status of interested party. Esteem that the claimant would have a direct interest and it affects her interests, since she was object of an administrative file for the same facts, which, if allowed with with respect to the rest of the neighbors it would suppose a comparative grievance. "In this scenario, it is preferential application of the LPCAP and transparency legislation. Article 53 LPACP prevails over data protection regulations.” The defendant has the right to access to the file and obtain a copy of it. 
The AEPD affirms that "the interference in the data of the claimant, because it is not precise, necessary, adequate or proportional, must not be made known in the procedure that start the administration of the defendant", but the City Council cannot be required to eliminate said information as it would imply the non-satisfaction of a right to complainant. In addition, if the Administration included the complainant's data, it was in For the sake of maximum transparency in the exercise of its sanctioning power.
-Provides indications of AEPD procedures in which it reproduces parts that indicate that it is in accordance with the LOPD to obtain a copy of the file including the identity of the complaining party that is delivered to the accused. One of them indicates that it is a case like this, report 197/2006.
-Ends by indicating that: "Taking into account that the administrative files have completed, the City Council, complementing the response given on 02/18/2022, has given instructions for the deletion of the data of the complainant from the files administrative documents in which it is recorded. A letter will be provided confirming this point.”
TENTH: In view of all the proceedings, by the Spanish Protection Agency of Data in this procedure the following are considered proven facts:
PROVEN FACTS
1) The Ibiza Town Hall initiated on XX/XX/2017 a disciplinary procedure against the claimed for illegal works / construction on the roof without enabling title /, and initiate the restoration to the altered physical reality, dated complaint X/XX/2016, with report of "XXXXXXX municipal from which it can be deduced that the claimant is carrying out works... even without conclude". It is also stated therein that on 01/24/2017, the claimant filed a project requesting license.
Related to this, it appears that on 10/26/2017, the claimant sent a letter to the claimed requesting that the file be archived because it has complied by demolishing what built. 2) The claimant completed a claimant's form dated X/XX/2016, “general instance”, informing the defendant that three addresses that identified by street (same as yours) and numbers, have architectural elements irregular, describing what these are. The document contains the literal: "The data collected may be used by the owner of the file for the exercise of the own functions within the scope of their powers”, and information on the exercise of the rights on the LOPD. In the "I request", it appears: "That it be verified and in the case of be illegal to act accordingly." In addition, the document contains your data personal, ID and address. 3) The claimant claims that her data has been delivered to files that have been opened as of his letter of X/XX/2016, since one of the accused appeared in Your domicile. The claimant provides a partial copy, with only one page, of a resolution of XX/XX/2019 that the City Council addressed to one of the owners of the houses that complainant indicated in its brief of X/XX/2016. As one of the points, figure: "seen the XXXX/2016 report issued by the municipal technical services on 09/1/2016, of the tenor "Subject: Technical Report at the request of the Delegate Councilor of XXXXXXXXXXXX activities and housing, in relation to the denounced facts constituting a possible urban infraction "...." Considering the complaint filed by (data of the claimant Ms. A.A.A., the claimant) by writing dated X/XX/ 2016, by which the execution of the works is made known to this Councilor consisting of... 
presumably without protection of enabling title..."" In application of the Articles 69.2 of Law 30/1992 and 149 of Law 2/2014 of 25/03 on the management and use of soil of the Balearic Islands…” REPORT: First: that once a visit to the indicated property on 08/31/2016, it has been verified that the roof of the building of the street ... it is observed ...
On date XX/X/2019, the claimant submits a letter to the City Council requesting the deletion of your data, specifying that it is your identity that has been included in disciplinary resolutions of third parties, and that some of the denounced appeared in your address, and that: "as a result of the communication of my personal data to third parties, I have suffered threats and insults from various people”. The request was not met.
4) On ***DATE.1, the claimant requests: “all documentation corresponding to my case and all the complaints that appear in my name”. points at the letter that "several neighbors showed up at her home threatening her" The petition was not attended.
5) In the transfer of the claim, the claimed party declares that in writing of 02/18/2022, on the request of *** DATE.1, they have answered the request for access to your data. In said response, he informs her of the data he possesses about her, for having been presented different procedures. The access consists of the brief reference of the procedure of that it is, and an identification number. Among them, it appears "presents instance general denunciation for irregular works on the terraces of the numbers…. of the calle…, XXXXX/2016”, which refers to your instance of X/XX/2016. It is also observed that what the claimant was asking for was to know the files open to other people in which included his reference as complainant, as well as the documentation of the same.
6) In the same response to the access, on 02/18/2022, he indicates the part claimed to the claimant, without any reference to her request for suppression of XX/X/2019, and the terms in which it was requested, that: "Once the present is forwarded, in response to the right of access formulated by you, proceed to the exercise of deletion of data requested in accordance with the current legislation of Public Administrations.", without know the scope of the supposed deletion of data carried out by the party claimed.
-In allegations to the proposal, the defendant stated that "Taking into account that the administrative files have concluded, the City Council, complementing the response given on 02/18/2022, has given instructions for the deletion of the data from the complainant of the administrative files in which it is recorded. Written will be provided confirming this point."
FUNDAMENTALS OF LAW
I
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Law Organic 3/2018, of 12/5, Protection of Personal Data and guarantee of rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with character subsidiary, by the general rules on administrative procedures."
II
Article 12 of the GDPR establishes:
1. 
The person in charge of the treatment will take the appropriate measures to provide the interested party with all the information indicated in articles 13 and 14, as well as any communication pursuant to articles 15 to 22 and 34 relating to processing, in a concise, transparent, intelligible and easily accessible form, with clear and simple language, in particular any information directed specifically to a child. The information will be provided in writing or by other means, including, if applicable, by electronic means. When requested by the interested party, the information may be provided orally provided that the identity of the interested party is proven by other means. 2. The data controller will facilitate the exercise by the interested party of their rights under articles 15 to 22… 3. The person responsible for the treatment will provide the interested party with information regarding their proceedings on the basis of a request under articles 15 to 22, without undue delay and, in any case, within a period of one month from receipt of the application…" 4. If the person in charge of the treatment does not process the request of the interested party, he will inform him without delay, and no later than one month after receipt of the request, of the reasons for their failure to act and the possibility of filing a claim before a control authority and exercising judicial actions. Regarding the lack of attention to the right of deletion requested on 08/22/2019, article 17 of the GDPR indicates: "1. The interested party shall have the right to obtain without undue delay from the person responsible for the treatment the deletion of personal data that concerns them, and the person responsible will be obliged to delete personal data without undue delay when any of the following circumstances..." The claimant bases her request for deletion on the same facts that are explained in this claim.
It concerns the appearance of her data in files in which she is recorded as a complainant, and she clarifies that she did not file any complaint. The claimant indicates that she was making some facts known. It is also observed that the competent authority, through its employees, visited the address that the claimant provided in her brief of X/XX/2016 to verify the legality of the buildings. One of the points that favors deletion is point d of the aforementioned article 17: “d) the personal data have been processed unlawfully;” although it is also stated that "3. Sections 1 and 2 will not apply when the treatment is necessary: a) to exercise the right to freedom of expression and information; b) for compliance with a legal obligation that requires data processing imposed by the law of the Union or of the Member States that applies to the person responsible for the treatment, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible; c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, letters h) and i), and paragraph 3; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1), to the extent that the right indicated in paragraph 1 could make impossible or seriously impede the achievement of the objectives of such processing, or e) for the formulation, exercise or defense of claims.” In accordance with the ruling of the National Court, Contentious-Administrative Chamber, section 1, appeal 165/2005 of 12/14/2006 "Regulates art.
15 of the LO 15/1999 the right called habeas data or habeas scriptum, which consists of the fact that the affected party may require the person responsible for the file to perform a service consisting of the mere display of their data and, where appropriate, its rectification or cancellation. It is an essential right in the matter that is included in art.8.b) and c) of Convention 108 of the Council of Europe and 12 and 13 of Directive 95/46/CE” "For the rest, it is indisputable that the right of access constitutes the essential core of the right regulated in art.18.4 of the Constitution -STC 292/2000” The defendant did not process the claimant's exercise of rights in any way, neither when the deletion request was first submitted, on 08/22/2019 (the resolution concerning one of those denounced in which her data appear was from XX/XX/2019), nor when, in the subsequent letter requesting documentation and access of ***DATE.1, she also referred to and recalled in numerous details the one she had presented earlier, noting even the date of the aforementioned deletion request, without obtaining its attention in any of them. Presumably, given the omission in the response provided and the deletion request not being taken into account, her data could have continued to be provided in other files of other defendants.
This could be deduced from the statement made by the defendant that: "Taking into account that the administrative files have concluded, the City Council, complementing the answer given on 02/18/2022, has given instructions for the deletion of the data of the complainant from the administrative files in which it is recorded. A letter will be provided confirming this point.” On the other hand, for the first petition, the defendant indicates that "they began to carry out actions to respond to his request, but no written response was received in term and form, due to a human error derived from the month in which we were (August) and the change of staff due to the summer holidays.“ Regarding her exercise of access, presented on ***DATE.1, the defendant states that "the person responsible for the file was transferred, and due to internal ignorance, no response was given to the applicant." Neither reason is consistent with the content of this right. In this case there was no response to either request, which amounts to a refusal to provide the requested information; there appears to have been no major impediment other than an absolute disregard for the exercise of rights, such that said right becomes useless or completely ineffective.
The defendant understands that it gave effect to it on 02/18/2022, by telephone and in a letter stating: "Once the information is sent to you, in accordance with the right of access formulated by you, the requested data deletion exercise will be carried out in accordance with the current legislation of Public Administrations." The wording is unfortunate, since the exercise of the right corresponds to the claimant, and there is no accredited written document attending to said right in any sense; the defendant states in its allegations that "Taking into account that the administrative files have completed, the City Council, complementing the response given on 02/18/2022, has given instructions for the deletion of the data of the complainant from the administrative files in which it is recorded. A written document will be provided confirming this point." In addition, both the claimant and this AEPD are unaware of the number of files in which her data was included and as to the complete copy of her brief of X/XX/2016, which was one of the key points of her access request. "The interested party shall have the right to obtain from the data controller confirmation of whether or not personal data concerning them is being processed and, in such a case, the right to access the personal data and the following information:”, article 15.1 of the GDPR. Regarding the information given by telephone, under the principle of proactive responsibility established in article 5.2 of the GDPR, neither that it took place nor its content is guaranteed for the purposes of considering that it satisfies the right in this case. In summary, the fact is that the request was not answered, which implies a refusal to provide the information requested within the established period and manner.
However, this absolute inattention has made the right illusory, with the completion of the response waiting for the moment in which the files were considered concluded. The defendant has stated that it was going to proceed with the deletion of the data, although the terms in which this was carried out, its scope and how the data was deleted are not known. Regarding the exercise of the right of access, nor does the response address whether her data appeared in other files. This supposes the commission of the infringement of article 12 of the GDPR that is attributed to the claimed party.

III

The defendant considered the claimant as a complainant on the basis of the X/XX/2016 form and disclosed such data to third parties, by recording her name and surname in the initiation of procedures. With the mention of (...) that the houses to which she referred on the aforementioned form, she could have been identified without great difficulty. The LPACAP states in its article 62, "Initiation of the complaint procedure": 1. A complaint is understood to be the act by which any person, in compliance or not with a legal obligation, notifies an administrative body of the existence of a certain fact that could justify the ex officio initiation of an administrative procedure. 2. The complaints must express the identity of the person or persons presenting them and the account of the facts that are brought to the attention of the Administration. When said facts could constitute an administrative infraction, they will include the date of their commission and, when possible, the identification of the alleged perpetrators. […]” "5. The presentation of a complaint does not confer, by itself, the condition of interested party in the procedure."
And in article 13: "Rights of individuals in their relations with Public administrations: Those who, in accordance with article 3, have the capacity to act before the Public Administrations, are holders, in their relations with them, of the following rights: h) To the protection of personal data, and in particular to the security and confidentiality of the data contained in the files, systems and applications of the Public administrations." Article 4 of the LPACAP attributes the status of interested party in an administrative procedure to: “a) Those who promote it as holders of rights or legitimate individual or collective interests. b) Those who, without having initiated the procedure, have rights that may be affected by the decision adopted therein. c) Those whose legitimate interests, individual or collective, may be affected by the resolution and appear in the procedure as long as no definitive resolution has been handed down.” Seen from the perspective of the defendant, as an interested party (art 64.1 LPACAP), affected directly because a sanctioning procedure in urban matters is initiated, Article 53.1 of the LPACAP grants the right to "access and obtain a copy of the documents contained in the aforementioned procedures”. Obviously, this aspect is different from the content of the resolutions and agreements that are notified, which is the case dealt with here. Access to a copy of the documents in the file should be limited to the essential data, not giving access to data that is not necessary for the exercise of the right of defense or that has nothing to do with the matter, which must, if applicable, remain anonymous. As an example, giving the NIF or the address in the copy of the file could constitute data processing that, depending on the circumstances, might not be necessary for this purpose.
However, what is being analyzed here is that the inclusion of the name and surname in the agreement that the claimant provided as proof of access to her data violates article 5.1.c of the GDPR, which indicates: 1. Personal data will be: c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed ("data minimization"); The claimant informs the City Council of some facts so that it may verify them, which it does, at some addresses of (...). The urban planning irregularities reported by the claimant were thus verified by the inspection authority with competence in the matter, whose staff enjoy the status of agents of the authority, in order to attest to the facts, as formalized in the aforementioned agreement to start the procedure. The issue could affect the defendants to whom the identity of the complainant is mentioned in the agreements. In at least one of the cases it was found that the claimant was referred to. Although the partial copy of the resolution of a defendant provided by the claimant confirms that only her name and first surname were listed, that is enough for her to be identified, especially when the (...) and the claimant alludes to the fact that they are part of her "colla" ("group"). The mention of her data, making her identified or identifiable, evidences the conflict between the claimant's right to privacy and to keeping her data confidential, and the right of the accused to have the agreement to initiate a disciplinary procedure relate the specific origin of the claimant's identification data, with the category of complainant.
The question in an initiation agreement is not whether or not to disclose the identity of the complainant to the person denounced, but whether, in accordance with the purpose of communicating the agreement and the rights at stake, a communication with such content is necessary, proportional and appropriate. It must be considered that the status of complainant does not per se confer the status of interested party; that, in this case, the purpose of making the facts known was the protection of urban legality and its eventual restoration to the previous situation, a situation in which the claimant was not involved; and that the urban planning authority verified the facts and initiated the disciplinary procedure ex officio (Article 63.1 LPACAP: ”The procedures of a sanctioning nature will always begin ex officio by agreement of the competent body"). It is considered that making known the identity data of the person claiming may cause damage, as in this case. It is not considered that the data that the defendant had collected, and that were brought to the attention of at least one denounced person, were adequate, relevant and limited to what is necessary for the purpose for which the data is processed. Its incorporation in cases like this can give rise to the same or similar effects on the people who make known facts, such as those analyzed here, that may give rise to disciplinary proceedings. The claimed party adds that it complied with the provisions of the LPACAP, but the content of the agreement to start the disciplinary procedure under article 64 of the LPACAP does not include making known the identity of the person complaining. In a case like the one analyzed here, the record of the identification of the person in the agreement addressed to the sanctioned party does not contribute anything substantial to it, nor does it imply a loss of his right of defense, it being stated below that the facts were verified by the urban authority.
It lacks any effect for the defendant, which prevents the data processing by the claimed party. Although it is not possible to generalize, and each case must be analyzed in accordance with its circumstances, in this case the reconciliation of the rights of the parties leads to the conclusion that it was not appropriate, pertinent or necessary for said agreement to contain the identification data of the claimant. This conclusion can only be reached by analyzing the various elements that come together in the disputed rights of the parties. The consequence must be that the interference with the data of the claimant, which is embodied in its record in an agreement to start a disciplinary file, can happen in environments where everyone knows each other, and it could also cause serious risks for claimants and discourage this type of claim, in addition to other consequences they may suffer. In this way, it is considered that the aforementioned record would only be necessary if knowledge of the identity were decisive in the configuration of the facts or were related to them, affecting the rights to be exercised by the defendant, especially his right of defense. That not being the case, it is determined that the aforementioned article 5.1.c) is infringed.

IV.
Violations of articles 12 and 5.1.c) of the GDPR are typified in article 83.5.a) of the GDPR, which indicates: Violations of the following provisions will be sanctioned, in accordance with paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, in an amount equivalent to a maximum of 4% of the total overall annual business volume of the previous financial year, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for consent under articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22;” The LOPDGDD also contemplates these infractions, for the purposes of their prescription period, in the following articles: 71 "Infractions are the acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law.” article 72 "1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that suppose a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years and, in particular, the following: a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.” "k) The impediment or the obstruction or the reiterated non-attention of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679.” Regarding the allegation that the infringement typified in 72.1.k) of the LOPDGDD, not having been reasoned, should be classified as minor under article 74 c) of the LOPDGDD, which indicates: "Not responding to requests for the exercise of rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law apply.", it must be indicated that it has been explained that it falls
within a substantial, total non-compliance with the right for two years, and that when it was answered on 02/18/2022 it was not fully satisfied, so the referred conduct falls within this type.

V

Article 58.2 of the GDPR indicates as powers of the control authority: "c) order the person responsible for or in charge of the treatment to attend to the requests for exercise of the rights of the interested party under this Regulation;” “i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case" The claimed party has not explained how and when it proceeded to delete the data of the claimant in the specific sense in which it was requested, and the scope of compliance with the exercise that was carried out is not known. It is also not known whether her data was provided in the course of the proceedings opened as a result of her brief of X/XX/2016, which was one of the requests in the exercise of the right of access. The imposition of this measure is compatible with the sanction, according to the provisions of art. 83.2 of the GDPR. Article 83.7 of the GDPR adds: "Without prejudice to the corrective powers of the control authorities under Article 58(2), each Member State may lay down rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State.” The Spanish legal system has chosen not to penalize public entities, as indicated in article 77.1. c) and 2. 4. 5. and 6. of the LOPDGDD: "1. The regime established in this article will be applicable to the treatment for which the following are responsible or in charge: "c) The General Administration of the State, the Administrations of the autonomous communities and the entities that make up the Local Administration.” "2.
When those responsible or in charge listed in section 1 commit any of the offenses referred to in articles 72 to 74 of this organic law, the competent data protection authority will issue a resolution sanctioning them with a warning. The resolution will also establish the measures that should be adopted to cease the conduct or to correct the effects of the offense that was committed. The resolution will be notified to the person responsible for or in charge of the treatment, to the body on which it depends hierarchically, where appropriate, and to those affected who have the status of interested party, if any. 3. Without prejudice to what is established in the previous section, the data protection authority will also propose the initiation of disciplinary actions when there is enough evidence for it. In this case, the procedure and the sanctions to be applied will be those established in the legislation on the disciplinary or sanctioning regime that is applicable. Likewise, when the infractions are attributable to authorities and executives, and the existence of technical reports or recommendations for treatment that have not been duly attended to is accredited, the resolution in which the sanction is imposed will include a reprimand with the name of the responsible position and its publication will be ordered in the corresponding Official State or regional Gazette. 4. The data protection authority must be informed of the resolutions issued in relation to the measures and actions referred to in the previous sections. 5. The actions carried out and the resolutions issued under this article will be communicated to the Ombudsman or, where appropriate, to similar institutions of the autonomous communities. 6.
When the competent authority is the Spanish Data Protection Agency, it will publish on its website, with the proper separation, the resolutions referring to the entities of section 1 of this article, with express indication of the identity of the person responsible for or in charge of the treatment that had committed the infringement.” Therefore, in accordance with the applicable legislation and having assessed the criteria for the graduation of sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: SANCTION THE CITY COUNCIL OF EIVISSA, with NIF P0702600H, with a warning for each of the following infractions: -article 12 of the GDPR, in accordance with article 83.5.b) of the GDPR, and for the purposes of prescription, typified in article 72.1.k) of the LOPDGDD. -article 5.1.c) of the GDPR, in accordance with article 83.5.a) of the GDPR, and for the purposes of prescription, typified in article 72.1.a) of the LOPDGDD.

SECOND: In accordance with the provisions of article 58.2.c) of the GDPR, it must complete the attention to the rights subject to the claim in the sense that is included in the last foundation of law, for which a term of ten days is granted, having to inform of its compliance. It is noted that not meeting the requirements of this body may be considered an administrative offense in accordance with the provisions of the GDPR, classified as an infraction in its article 83.5 and 83.6, and such conduct may motivate the opening of a subsequent administrative sanctioning procedure.

THIRD: NOTIFY this resolution to EIVISSA CITY COUNCIL.

FOURTH: COMMUNICATE this resolution to the Ombudsman, in accordance with the provisions of article 77.5 of the LOPDGDD.

In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties may optionally file an appeal for replacement before the Director of the Spanish Agency for Data Protection within a period of one month from the day following the notification of this resolution, or directly a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the firm resolution in administrative proceedings may be provisionally suspended if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of 1 October. The interested party must also transfer to the Agency the documentation proving the effective filing of the contentious-administrative appeal. If the Agency did not have knowledge of the filing of the contentious-administrative appeal within the period of two months from the day following the notification of this resolution, it would consider the provisional suspension to have ended. 938-181022 Mar España Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es