AEPD (Spain) - PS/00043/2020: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...") |
m (Ar moved page AEPD - PS/00043/2020 to AEPD (Spain) - PS/00043/2020) |
||
(One intermediate revision by one other user not shown) | |||
Line 52: | Line 52: | ||
}} | }} | ||
The Spanish DPA (AEPD) imposed a warning sanction on a private individual for failing to comply with the right to information | The Spanish DPA (AEPD) imposed a warning sanction on a private individual for failing to comply with the right to information (Article 13 GDPR) when collecting personal data on its website. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
A citizen brought to the attention of the AEPD that the website that the respondent used as a platform for the position of president of a professional association in Madrid in 2019, did not have a privacy policy or legal notice, and therefore could be in breach of the right to information of visitors to the website. | A citizen brought to the attention of the AEPD that the website that the respondent used as a platform for the position of president of a professional association in Madrid in 2019, did not have a privacy policy or legal notice, and therefore could be in breach of the right to information of visitors to the website. | ||
Line 63: | Line 63: | ||
The respondent stopped the data processing when it was warned of the possible unlawfulness of the conduct, and the AEPD was able to verify that the personal data collection form had been removed. | The respondent stopped the data processing when it was warned of the possible unlawfulness of the conduct, and the AEPD was able to verify that the personal data collection form had been removed. | ||
=== Dispute === | ===Dispute=== | ||
Is collecting personal data without the required privacy policy a breach of Article 13 GDPR? | Is collecting personal data without the required privacy policy a breach of Article 13 GDPR? | ||
=== Holding === | ===Holding=== | ||
The AEPD considered that, in the present case, it was sufficient to impose a warning sanction for breach of the duty to provide information on the processing of data, as set out in article 13 GDPR. | The AEPD considered that, in the present case, it was sufficient to impose a warning sanction for breach of the duty to provide information on the processing of data, as set out in article 13 GDPR. | ||
In order to determine the level of the sanction, the AEPD took into account the fact that this is a natural person whose main activity is not linked to the processing of personal data and that there is no evidence of recidivism, as there is no record of the commission of previous infringements. | In order to determine the level of the sanction, the AEPD took into account the fact that this is a natural person whose main activity is not linked to the processing of personal data and that there is no evidence of recidivism, as there is no record of the commission of previous infringements. | ||
== Comment == | ==Comment== | ||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
Latest revision as of 13:51, 13 December 2023
AEPD - PS/00043/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 13 GDPR Article 83(5) GDPR 11 LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 10.12.2020 |
Published: | |
Fine: | None |
Parties: | n/a |
National Case Number/Name: | PS/00043/2020 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Francesc Julve Falcó |
The Spanish DPA (AEPD) imposed a warning sanction on a private individual for failing to comply with the right to information (Article 13 GDPR) when collecting personal data on its website.
English Summary
Facts
A citizen brought to the attention of the AEPD that the website that the respondent used as a platform for the position of president of a professional association in Madrid in 2019, did not have a privacy policy or legal notice, and therefore could be in breach of the right to information of visitors to the website.
The website contained a form to collect personal data (name, telephone number, and e-mail address) from those interested in the project led by the defendant.
The respondent stopped the data processing when it was warned of the possible unlawfulness of the conduct, and the AEPD was able to verify that the personal data collection form had been removed.
Dispute
Is collecting personal data without the required privacy policy a breach of Article 13 GDPR?
Holding
The AEPD considered that, in the present case, it was sufficient to impose a warning sanction for breach of the duty to provide information on the processing of data, as set out in article 13 GDPR.
In order to determine the level of the sanction, the AEPD took into account the fact that this is a natural person whose main activity is not linked to the processing of personal data and that there is no evidence of recidivism, as there is no record of the commission of previous infringements.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/9 Procedure Nº: PS / 00043/2020 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: A.A.A. (hereinafter, the claimant) dated August 27, 2019 filed a claim with the Spanish Agency for Data Protection. The complaint is directed against the website *** URL.1. The reason in relation to Data protection regulations on which the claim is based is as follows: “[…] SECOND: The indicated page does not include the PRIVACY POLICY or LEGAL NOTICE, in breach of the existing regulations (art. 13 of the Regulation of Data protection and art. 5 LOPD). " Along with the claim, it provides screenshots of the aforementioned website. SECOND: In view of the facts reported in the claim and the documents provided by the claimant and documents of which he has had knowledge of this Agency, the Subdirectorate General for Data Inspection proceeded to carry out preliminary investigation actions to clarify the facts in question, by virtue of the investigative powers granted to the control authorities in article 57.1 of Regulation (EU) 2016/679 (Regulation General Data Protection, hereinafter RGPD), and in accordance with the established in Title VII, Chapter I, Second Section, of Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of rights digital (hereinafter LOPDGDD). As a result of the investigative actions carried out, it is verified that the responsible for the treatment is B.B.B. with NIF *** NIF.1 since the website claimed is constituted as a platform for the candidacy for the elections of the Official College of Graduates of E.F. and Sciences of Physical Activity and Sports the Community of Madrid held in 2019 to which the respondent applied as president. THIRD: Prior to the admission for processing of this claim, transferred the claimed to the professional address that advertises it on the internet, in accordance with the provisions of article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter, LOPDGDD), being returned as "unknown" on 12/20/2019. In view of the foregoing, the State Tax Administration Agency is requested to Tax address of the claimed, being provided on 02/26/2020. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/9 FOURTH: In view of the facts denounced in the claim and the documents provided by the claimant, it is observed that the website contains a personal data collection form (name, telephone number and email address electronic) of those people who were interested in the project led by the claimed. Consulted on February 24, 2020 the web page *** URL.1, it is verified that the website is still open and maintains the situation revealed in the claim Submitted Aug 27, 2019 by A.A.A. FIFTH: Consulted on February 25, 2020, the application of the AEPD was verifies that the only sanctioning procedure in which the claim appears as mercantile B.B.B. with NIF *** URL.1, is the present procedure. SIXTH: On March 6, 2020, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure to the claimed, by the alleged infringement of article 13 of the RGPD, typified in article 83.5 of the RGPD. SEVENTH: Once the aforementioned commencement agreement was notified, the defendant submitted a written allegations on March 20, 2020, in which it stated that: “[…] First. - That at no time has this party intended to breach with the regulations governing Data Protection. Second. That as soon as you receive the initiation agreement that gives rise to the present allegations, for my part the data processing was ended, eliminating the form and those data that had been collected by this means. Third. - Having said the above, it is worth noting that this part had developed the appropriate form where the requirements of the RGPD were complied with, but at the appear to be due to a computer error that we were not warned about by anyone, could have occurred the situation imputed to me. Insist on the lack of intentionality on my part in the commission of the facts. […] " EIGHTH: On June 12, 2020, the procedure instructor agreed to the opening of a period of practical tests, taking as incorporated the claim submitted by the claimant and his documentation, the documents obtained by the General Subdirectorate for Data Inspection and the allegations presented by the claimed. NINTH: On August 5, 2020, the website *** URL.1 is accessed with object of verifying what is stated by the claimed in his allegations. TENTH: On September 18, 2020, a resolution proposal was formulated, proposing that a penalty of warning be imposed on the defendant, for a infringement of article 13 of the RGPD, typified in article 83.5 of the same rule. The defendant has not submitted allegations to this proposal. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/9 In view of all the actions, by the Spanish Agency for Data Protection In this proceeding, the following are considered proven facts, ACTS FIRST: The web page *** URL.1 provided me with a data collection form personal data of possible people interested in the candidacy project elections to the elections of the Official College of Graduates of E. F. and Sciences of the Physical and Sports Activities of Madrid held on September 6, 2019 without having a Privacy Policy. SECOND: B.B.B. with NIF *** NIF.1. THIRD: The respondent asserts that he has withdrawn the aforementioned form and post end of data processing. FOURTH: It is proven, after the verification carried out on August 4, 2020, that the data collection form has been effectively withdrawn. FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each authority of control, and as established in arts. 47 and 48.1 of the LOPDGDD, the Director of The Spanish Agency for Data Protection is competent to resolve this process. II The defendant is charged with committing an offense for violation of article 13 of the RGPD, regarding the information that must be provided when the data is obtained from the interested party, which establishes that: "one. When personal data relating to him are obtained from an interested party, the responsible for the treatment, at the time these are obtained, will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the treatment to which the personal data are destined and the legal basis of the treatment; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/9 d) when the treatment is based on article 6, paragraph 1, letter f), the interests legitimate rights of the person in charge or a third party; e) the recipients or categories of recipients of the personal data, in their case; f) where appropriate, the intention of the person responsible to transfer personal data to a third party country or international organization and the existence or absence of a decision of adequacy of the Commission, or, in the case of transfers indicated in the Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the adequate or appropriate warranties and the means to obtain a copy of these or to the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the person responsible for the treatment will facilitate the interested party, at the time the data is obtained personal information, the following information necessary to guarantee data processing loyal and transparent: a) the period during which the personal data will be kept or, when it is not possible, the criteria used to determine this period; b) the existence of the right to request the data controller access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, or to oppose the treatment, as well as the right to portability of the data; c) when the treatment is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not provide such data; f) the existence of automated decisions, including profiling, to be referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 3.When the controller plans the further processing of data personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional pertinent information pursuant to section 2. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/9 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and in the to the extent that the interested party already has the information. " The violation of this article is classified as an infringement in article 83.5 of the RGPD, which it considers as such: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: […] B) the rights of the interested parties pursuant to Articles 12 to 22; […]. " For the purposes of the statute of limitations for the offense, article 72.1 of the LOPDGDD establishes: "Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein, and, in particular, the following: […] H) The omission of the duty to inform the affected party about the treatment of their personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679. […] ”. III In accordance with the evidence available in the present sanctioning procedure, it is considered that the website www.unionccafyde.site123.me, responsibility of the claimed, kept a form collection of personal data without providing in any way the information that establishes article 13 of the RGPD. Regarding the allegations presented by the defendant - in which points out that there had been no intentionality on his part, the form had been originally designed in compliance with the provisions of the RGPD and that for a computer error had occurred the events object of the present procedure (without provide evidence in this regard) -, it should be noted that article 5.1.a) of the RGPD states the principle of "lawfulness, loyalty and transparency", a principle on which the Recital 39: «All processing of personal data must be lawful and fair. For it must be fully clear to natural persons that they are collecting, using, consulting or otherwise processing personal data that concerns them, as well as the extent to which such data is or will be processed. The principle of transparency requires that all information and communication regarding the processing of said data be easily accessible and easy to understand, and that simple and clear language is used. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes of the same and the information added to ensure fair and transparent treatment with respect to people C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/9 affected individuals and their right to obtain confirmation and communication of the data personal that concern them that are object of treatment. Natural persons must be aware of the risks, rules, safeguards and rights relating to the processing of personal data as well as the way to enforce their rights in relation to the treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are treaties. This requires, in particular, to ensure that its use is limited to a strict minimum. conservation period. Personal data should only be processed if the purpose of the treatment could not reasonably be accomplished by other means. To ensure that personal data is not kept longer than necessary, the person responsible for the Treatment must establish deadlines for its deletion or periodic review. Must all reasonable measures are taken to ensure that they are rectified or deleted personal data that is inaccurate. Personal data must be a a way that ensures adequate data security and confidentiality personal data, including to prevent unauthorized access or use of said data and of the equipment used in the treatment. " Recital 60 links the duty of information with the principle of transparency, by establishing that “The principles of fair and transparent treatment require that inform the interested party of the existence of the treatment operation and its purposes. The data controller must provide the interested party with all the information is necessary to guarantee fair and transparent treatment, taking into account the specific circumstances and context in which the personal information. The interested party must also be informed of the profiling and the consequences of such elaboration. If personal data is obtained from interested parties, should also be informed if they are obliged to provide them and of the consequences if they do not […] '. In this order, article 12.1 of the RGPD regulates the conditions to ensure its effective implementation and article 13 specifies what information should be provided when the data is obtained from the interested. In turn, article 11 LOPDGDD introduces the information rule by layers when you have: "one. When personal data is obtained from the affected party, the person responsible for the treatment may comply with the duty of information established in article 13 of Regulation (EU) 2016/679, providing the affected party with basic information to the referred to in the following section and indicating an email address or other means that allows easy and immediate access to the rest of the information. 2. The basic information to which the previous section refers must contain, at the less: a) The identity of the person responsible for the treatment and their representative, if applicable. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679. […] » C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/9 Thus established the duty of information and the obligation, on the part of the person responsible for carry out a transparent treatment, it cannot be ignored that article 5.2 of the RGPD establishes that «the data controller will be responsible for the compliance with the provisions of section 1 and capable of demonstrating it (“Proactive responsibility”) ». This means that, according to Articles 24 and 25 of the same legal text, the person in charge must guarantee the effective application of the principles of treatment both at the time of determining the means of treatment as during the treatment itself through the joint of a series of measures, which must be periodically reviewed and updated. This being the case, and even though in the present case the defendant had proceeded, at the time of determining the means to design and implement measures in accordance with guaranteeing compliance with the principle of transparency and duty of information, this would not exempt you from continuing to be responsible for the effectiveness of these measures during the entire time in which the collection and processing of personal data, especially when in this case there has not been a commissioning of the treatment to other actors. IV The corrective powers available to the Spanish Agency for the Protection of Data, as a control authority, are established in article 58.2 of the RGPD. Between They have the power to sanction with warning - article 58.2 b) -, the Power to impose an administrative fine in accordance with article 83 of the RGPD -article 58.2 i) -, or the power to order the person in charge of the treatment that the processing operations comply with the provisions of the RGPD, when proceed, in a certain way and within a specified period - article 58. 2 d) -. According to the provisions of article 83.2 of the RGPD, the measure provided for in article 58.2 d) of the aforementioned Regulation is compatible with the sanction consisting of a fine administrative. Likewise, without prejudice to the provisions of article 83, the aforementioned RGPD provides the possibility of sanctioning with warning, in relation to what is indicated in the Recital 148: "In the event of a minor offense, or if the fine likely to be imposed constitutes a disproportionate burden for an individual, rather than sanction by fine may be imposed a warning. It must however pay special attention to the nature, severity and duration of the offense, its intentional character, to the measures taken to alleviate the damages suffered, the degree of responsibility or any relevant prior infringement, the way in which that the supervisory authority has had knowledge of the infraction, to the fulfillment of measures ordered against the person in charge or in charge, adherence to codes of conduct and any other aggravating or mitigating circumstance. " In the present case, when deciding the sanction to impose, they have taken into account counts the following elements: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/9 That it is a natural person whose main activity is not related to the processing of personal data. That no recidivism is appreciated, as the commission of infractions is not recorded previous. Therefore, it is considered that the sanction that would correspond to impose is warning, in accordance with the provisions of article 58.2 b) of the RGPD, in relation to what is stated in Considering 148, cited above. Therefore, in accordance with the applicable legislation and the criteria of graduation of the sanctions whose existence has been accredited, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE B.B.B., with NIF *** NIF.1, for an infraction of article 13 of the RGPD, typified in article 83.5 of the RGPD, a sanction of APERCIBIMENTO. SECOND: NOTIFY this resolution to B.B.B. and inform A.A.A .. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may file, optionally, an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to count from the day after notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation proving the effective filing of the contentious appeal- administrative. If the Agency was not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/9 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es