AEPD (Spain) - EXP202309109: Difference between revisions
m (verbal tenses) |
m (Ar moved page AEPD (Spain) - PS/00331/2023 to AEPD (Spain) - EXP202309109) |
||
(One intermediate revision by one other user not shown) | |||
Line 66: | Line 66: | ||
=== Facts === | === Facts === | ||
Two data subjects tried to check in at the hotel (the data controller), but the accommodation manager told them that they could not check in because someone had already taken the room they had booked. The data subjects asked for a complaint form, but the data controller did not have one. As a result, the data subjects reported the hotel to the Municipal Police of the Torrevieja Town Hall (Alicante). | Two data subjects tried to check in at the hotel (the data controller), but the accommodation manager told them that they could not check in because someone had already taken the room they had booked, using their personal data. The data subjects asked for a complaint form, but the data controller did not have one. As a result, the data subjects reported the hotel to the Municipal Police of the Torrevieja Town Hall (Alicante). | ||
The police inspected the hotel and discovered that in the Guest Register Book there was no numerical annotation of the registers, but only loose sheets with scanned ID cards. The police also found that the hotel did not report such searches to the security forces as required by law. | The police inspected the hotel and discovered that in the Guest Register Book there was no numerical annotation of the registers, but only loose sheets with scanned ID cards. The police also found that the hotel did not report such searches to the security forces as required by law. |
Latest revision as of 13:18, 13 December 2023
AEPD - PS/00331/2023 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(c) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 18.10.2023 |
Fine: | 2,000 EUR |
Parties: | UNIQUE HOTEL APARTMENT. S.L. |
National Case Number/Name: | PS/00331/2023 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | CSO |
Spain's supervisory authority (the AEPD) fined a hotel €2,000 for scanning the ID cards of its customers where not required by applicable law and, therefore, in breach of the Article 5(1)(c) GDPR on the principle of minimisation.
English Summary
Facts
Two data subjects tried to check in at the hotel (the data controller), but the accommodation manager told them that they could not check in because someone had already taken the room they had booked, using their personal data. The data subjects asked for a complaint form, but the data controller did not have one. As a result, the data subjects reported the hotel to the Municipal Police of the Torrevieja Town Hall (Alicante).
The police inspected the hotel and discovered that in the Guest Register Book there was no numerical annotation of the registers, but only loose sheets with scanned ID cards. The police also found that the hotel did not report such searches to the security forces as required by law.
Consequently, the Police reported the facts to the AEPD regarding the misuse of the hotel guests' ID cards.
Holding
The AEPD acknowledges that there is legislation in Spain concerning the registration of hotel guests. However, the AEPD stresses that this legislation does not oblige hotels to scan their customers' ID cards. Therefore, the AEPD concludes that the data controller has engaged in excessive processing of the data subjects contrary to the minimisation principle of Article 5(1)(c) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/6 File No.: EXP202309109 (PS/00331/2023) RESOLUTION OF THE SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following: BACKGROUND FIRST: On 05/15/23, this Spanish Agency for the Protection of Written data from the Municipal Police of the Torrevieja City Council (Alicante), regarding some events that occurred at the UNIQUE hotel establishment HOTEL APARTMENT. S.L with CIF.: B54915855 of said town, for the alleged violation of data protection regulations: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/16, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of these Data (RGPD) and Organic Law 3/2018, of December 5, of Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) The events described by the Local Police deal, among other issues, with a complaint they received for not providing the Aparthotel complaint forms to some clients. The events occurred on ***DATE.1, when a young couple He went to the reception of the aparthotel to carry out the “CHECKIN” and the The person in charge of the establishment did not give them accommodation, citing that another person had registered before them with their personal data. The inspection was carried out by the Local Police, regarding the Registration Book of Clients, it was verified that there was no numerical annotation of the records. In the case of loose sheets and with scanned DNI. It was also found that the establishment did not communicate such records to the security forces. security as mandated by current legislation. Along with the letter, a loose sheet of a registration/checkin form is attached. with the logo of the Aparthotel and the scanned DNI documents of both young people who filed a complaint with the Municipal Police. SECOND: On 07/27/23, by the Directorate of the Spanish Agency for Data Protection, sanctioning procedure begins against the entity UNIQUE HOTEL APARTMENT. S.L., when appreciating reasonable indications of violation of the provisions of article 5.1.c) RGPD, due to a possible processing of excessive personal data when scan clients' IDs. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (LPACAP) and RD 203/2021, of March 30, which approves the Regulations for action and operation of the public sector by electronic means, through electronic notification that was made on 07/28/23. THIRD: Notified of the aforementioned initiation agreement in accordance with the established rules in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP) and after the period granted C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/6 for the formulation of allegations, it has been verified that no allegation has been received any by the claimed party. Article 64.2.f) of the LPACAP - provision of which the claimed party was informed in the agreement to open the procedure - establishes that if no allegations within the stipulated period regarding the content of the initiation agreement, when This contains a precise statement about the imputed responsibility, may be considered a proposal for a resolution. In the present case, the agreement beginning of the sanctioning file determined the facts in which the imputation, the violation of the RGPD attributed to the person complained of and the sanction that could be impose Therefore, taking into consideration that the claimed party has not made allegations to the agreement to initiate the file and in response to what established in article 64.2.f) of the LPACAP, the aforementioned initial agreement is considered in the present case proposed resolution. In view of everything that has been done, by the Spanish Data Protection Agency In this procedure, the following are considered proven facts: PROVEN FACTS First: According to the Municipal Police of the Torrevieja City Council (Alicante), inspection carried out at the UNIQUE HOTEL hotel establishment APARTMENT, it was found that, in the Client Record Book, there was no numerical annotation of the records in the case of loose sheets, with the DNI scanned. Along with the document, a loose sheet of a form is attached. registration/checkin, with the aparthotel logo and scanned DNI documents. FOUNDATIONS OF LAW Yo Competence: The Director of the Spanish Agency is competent to resolve this procedure. of Data Protection, by virtue of the powers that art 58.2 of the RGPD recognizes to each Control Authority and, as established in arts. 47, 64.2 and 68.1 LOPDGDD. II Previous issues In the present case, in accordance with the provisions of article 4.1 and 4.2 of the RGPD, involves processing personal data, since the entity UNIQUE HOTEL APARTMENT. S.L carries out the collection and conservation of data clients' personal data and carries out this activity in its capacity as responsible for the treatment, given that it is the one who determines the purposes and means of such activity, by virtue of article 4.7 of the GDPR. For its part, article 5.1.c) of the GDPR regulates the “principles relating to processing” establishing that: “1. Personal data will be: c) adequate, relevant and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/6 limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)” This article states that personal data will be “adequate, relevant and limited to the need” for which they were collected, in such a way that, if the objective pursued can be achieved without excessive treatment of data, this is how it should be done. In turn, recital 39 of the GDPR indicates that: “Personal data must only be processed if the purpose of the processing could not reasonably be achieved by others media." Therefore, only data that is “adequate, relevant and not excessive in relation to the purpose for which they are obtained or processed.” The categories of data selected for processing must be the strictly necessary to achieve the stated objective and the person responsible for the processing must strictly limit data collection to that information that is directly related to the specific goal that is intended to be achieved. In this case, it is confirmed that the entity UNIQUE HOTEL APARTMENT. S.L performs a scan of the clients' DNI and that it does not comply with the regulations in force in relation to the obligation you have to communicate the data to the State security forces and bodies. Organic Law 4/2015, on the protection of citizen security, establishes, in its article 25.1 “Documentary registration obligations” the following: “Natural or legal persons who carry out activities relevant to the citizen security, such as accommodation, transportation of people, access commercial use of telephone or telematic services for public use through establishments open to the public, trade or repair of used objects, rental or scrapping of motor vehicles, purchase and sale of jewelry and metals, whether whether precious or not, objects or works of art, security locksmithing, centers metal waste managers, wholesale trade establishments scrap metal or waste products, or sale of hazardous chemicals to individuals, will be subject to the obligations of documentary registration and information in the terms established by the applicable provisions.” Likewise, Order INT/1922/2003, of July 3, on record books and parts of entry of travelers into hospitality and other similar establishments includes, in its Annex the “Traveller entry part model”, and the traveler data indicates that the following data will be collected from travelers: “number. of document identity, type of document, date of issue of the document, first surname, second surname, first name, sex, date of birth, country of nationality, date of entrance". III Administrative violation C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/6 In this way, from the documentation in the file it can be concluded that the copy of the identification document is not a necessary treatment to carry out the registration, and comply with Organic Law 4/2015, constituting said action a violation of article 5.1.c) RGPD, since it would not be necessary data for the processing that is carried out, considering that excessive data has been processed that are not necessary for the purpose for which they are intended. IV Sanction The violation of art. 5.1.c) of the RGPD implies the commission of one of the infractions typified in art. 83.5 of the RGPD, which provides the following: “Violations of the following provisions will be sanctioned, in accordance with section 2, with fines administrative expenses of €20000000 maximum or, in the case of a company, a amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount: “a) the principles basics for the treatment, including the conditions for consent under of the arts. 5, 6, 7 9”. For the purposes of the limitation period, article 72 “Infringements considered “very serious” of the LOPDGDD indicates: “1. Based on what is established in article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will expire after three years. infringements that involve a substantial violation of the articles mentioned in that and, in particular, the following: a) The processing of data personal data violating the principles and guarantees established in article 5 of the Regulation (EU) 2016/679.” The balance of the circumstances contemplated, with respect to the infraction committed By violating the provisions of article 5.1.c) of the RGPD, it allows setting a penalty of 2,000 euros (two thousand euros). V Measures Article 58.2 of the GDPR establishes the corrective powers available to a control authority and section d) of the aforementioned provision establishes that it may consist in, “order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where applicable, in a certain way and within a specified period.” Therefore, it is appropriate to impose the corrective measure described in article 58.2.d) of the RGPD and order the complained party to, within a period of one month, establish the appropriate measures to adapt the management of the customer registry in the hotel establishment as stipulated in article 5.1.c) of the RGPD. Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency, RESOLVES: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/6 FIRST: IMPOSE on the entity UNIQUE HOTEL APARTMENT. S.L., with CIF.: B54915855, for the violation of article 5.1.c) of the RGPD, typified in 83.5 of the cited GDPR, a fine of 2,000 euros (two thousand euros). SECOND: ORDER the entity UNIQUE HOTEL APARTMENT. S.L., with CIF.: B54915855, to implement, within one month, the necessary corrective measures to adapt the management of clients' personal data to what is stipulated in the article 5.1.c) of the RGPD, as well as to inform this Agency within the same period on the measures taken. THIRD: NOTIFY this resolution to the entity UNIQUE HOTEL APARTMENT. S.L. FOURTH: Warn the sanctioned person that the sanction imposed must be made effective once this resolution is enforceable, in accordance with the provisions of the article 98.1.b) of law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, within the voluntary payment period indicated in the Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it into the restricted account No. ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A. or otherwise, it will proceed to collection in executive period. Once the notification is received and once enforceable, if the enforceable date is between the 1st and 15th of each month, both inclusive, the deadline to make the payment voluntary will be until the 20th of the following month or immediately following business month, and if The payment period is between the 16th and last day of each month, both inclusive. It will be until the 5th of the second following or immediately following business month. In accordance With the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative route (article 48.6 of the LOPDGDD), and in accordance with the provisions of articles 112 and 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, interested parties may optionally file appeal for replacement by the Director of the Spanish Data Protection Agency in the period of one month counting from the day following the notification of this resolution or directly administrative contentious appeal before the Contentious Chamber. administrative of the National Court, in accordance with the provisions of article 25 and in section 5 of the fourth additional provision of Law 29/1998, of July 13, regulatory authority of the Contentious-Administrative Jurisdiction, within a period of two months to count from the day following the notification of this act, as provided in the article 46.1 of the aforementioned legal text. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public, the final resolution may be provisionally suspended administratively if The interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/6 writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronicaweb/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the documentation that accredits the filing. effectiveness of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months From the day following notification of this resolution, the precautionary suspension. Sea Spain Martí Director of the Spanish Data Protection Agency. 28001 – Madrid 6 Seeagpd.gob.es