AEPD (Spain) - PS/00257/2020: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS/00...")
 
 
(5 intermediate revisions by 2 users not shown)
Line 50: Line 50:
}}
}}


The Spanish DPA (AEPD) issued a reprimand to the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a DPO for more than two years after the entry into force of the GDPR.
The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
Ayuntamiento de Arroyomolinos was found lacking a DPO.  
Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).
The defendant has provided the measures it has in the meantime adopted: with a service contract from 28.09.2020 a DPO has been appointed.


The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.
===Dispute===
Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?
===Holding===
The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.


=== Dispute ===
The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.
Was this municipality under the obligation of appointing a DPO?


 
==Comment==
=== Holding ===
The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer. This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.
The Spanish DPA issued a reprimand to Ayuntamiento de Arroyomolinos for violating Article 37 GDPR.
The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.
 
== Comment ==
''Share your comments here!''
''Share your comments here!''


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


<pre>
<pre>
1/7
                                                                                1/7
 Procedimiento Nº: PS/00257/2020
 
RESOLUCIÓN DE PROCEDIMIENTO SANCIONADOR
 
Del procedimiento instruido por la Agencia Española de Protección de Datos y en base
    Procedure No.: PS/00257/2020
a los siguientes:
 
ANTECEDENTES
                RESOLUTION OF SANCTIONING PROCEDURE
PRIMERO: D. A.A.A. (en adelante, el reclamante) con fecha 20 de enero de 2020
 
interpuso reclamación ante la Agencia Española de Protección de Datos. La
 
reclamación se dirige contra el Ayuntamiento de Arroyomolinos con NIF P2801500F
From the procedure instructed by the Spanish Data Protection Agency and based
(en adelante, el reclamado).
to the following:
El reclamante manifiesta que recibió a su nombre una notificación del
 
Ayuntamiento, y en la misma constan los datos y los hechos que motivan la imposición
                                  BACKGROUND
de una sanción a otra persona.
 
Por otra parte, señala que el consistorio no tiene Delegado de Protección de
 
Datos.
 
Junto a la reclamación aporta la notificación que le han remitido.
FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
SEGUNDO: A la vista de los hechos denunciados en la reclamación y de los
filed a complaint with the Spanish Data Protection Agency. The
documentos aportados por el reclamante se traslada al reclamado la reclamación.
claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
Con fecha 24 de julio de 2020 el reclamado manifiesta: “que el 20 de enero de
(hereinafter referred to as the Respondent).
2020 se le comunico al reclamante que el día de la notificación de la Resolución hubo
 
un fallo informático, y en la notificación de su procedimiento se fusionó el cuerpo de la
 
resolución de la anterior notificación. Se procedió por parte del departamento a revisar
      The complainant states that he received on his behalf a notification from
las notificaciones generadas, no encontrando ninguna más errónea, asimismo se
City Council, and it contains the data and facts that motivate the imposition
procedió a añadir más controles revisorios de los documentos generados para que
from a sanction to another person.
esta situación no se repita.
 
Asimismo, se le comunicó que sus datos no han sido cedidos a terceros,
 
únicamente han sido utilizados para la notificación del procedimiento entre el
      On the other hand, it points out that the consistory does not have a Delegate for the Protection of
reclamante y este Ayuntamiento”.
Data.
TERCERO: Con fecha 25 de septiembre de 2020, la Directora de la Agencia Española
 
de Protección de Datos acordó iniciar procedimiento sancionador al reclamado, con
      Together with the complaint, you will provide the notification that you have been sent.
arreglo a lo dispuesto en los artículos 63 y 64 de la Ley 39/2015, de 1 de octubre, del
 
Procedimiento Administrativo Común de las Administraciones Públicas (en adelante,
 
LPACAP), por la presunta infracción del Artículo 37 del RGPD, tipificada en el Artículo
SECOND: In view of the facts denounced in the complaint and the
83.4 del RGPD.
the documents provided by the claimant are transferred to the claimant.
CUARTO: Notificado el citado acuerdo de inicio, el reclamado presentó escrito de
 
alegaciones en el que, en síntesis, manifestaba: “que con fecha 28 de septiembre de
      On 24 July 2020, the petitioner states: "that on 20 January
2020 se adjudicó por Decreto nº 2497/2020 contrato de servicios de asistencia técnica
2020 the complainant was informed that on the day of notification of the Resolution there was
para el soporte y actualización en materia de seguridad de la información (ENS) y
a computer failure, and in the notification of its procedure the body of the
 
resolution of the previous notification. The department proceeded to review
the notifications generated, finding none more erroneous, also
proceeded to add further revision controls on the documents generated so that
this situation will not be repeated.
 
 
      You were also informed that your data have not been transferred to third parties,
have only been used for the notification of the procedure between
claimant and this Town Hall".
 
THIRD: On 25 September 2020, the Director of the Spanish Agency
 
of Data Protection agreed to initiate sanctioning proceedings against the respondent, with
in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"),
LPACAP), for the alleged violation of Article 37 of the GPRS, typified in Article
83.4 of the RGPD.
 
 
FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
in which he stated, in summary: "that on 28 September
2020 was awarded by Decree No 2497/2020 for technical assistance services
for information security (ENS) support and updating, and
 
C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
28001 Madrid sedeagpd.gob.es
28001 - Madrid sedeagpd.gob.es 2/7
2/7
 
protección de datos personales (RGPD-LOPDGDD) y Servicio de Delegado de
 
Protección de Datos, por un período de 12 meses.
 
Con antelación suficiente a la fecha de finalización del contrato y teniendo
 
como base el trabajo realizado por el DPD durante ese tiempo, ya está previsto licitar
 
públicamente por un máximo de 4 años el Delegado de Protección de Datos, con
 
objeto de que este Ayuntamiento cuente permanente con dicha figura.
 
En cumplimiento con el deber de comunicación de la designación del DPD por
 
este Ayuntamiento a la AEPD a tenor de lo previsto en el artículo 34.3 LOPDGDD, se
protection of personal data (RGPD-LOPDGDD) and Delegate Service of
le indican a continuación los datos del mismo: START UP, S.L. CIF B33667494
Data Protection, for a period of 12 months.
Se adjunta al presente escrito: Decreto nº 2497/2020 de adjudicación de
 
contrato de servicio y propuesta técnica-económica de la empresa Start up CDF S.L.
 
en la que se detalla el contenido de las prestaciones a realizar”.
      In good time before the date of termination of the contract and having
QUINTO: Con fecha 13 de octubre de 2020, el instructor del procedimiento acordó la
on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders
apertura de un período de práctica de pruebas, teniéndose por incorporadas las
publicly for a maximum of 4 years the Data Protection Delegate, with
actuaciones previas de investigación, E/02287/2020, así como los documentos
the aim is for this Town Hall to have this figure permanently.
aportados por el reclamado en fecha 8 de octubre de 2020.
 
SEXTO: Con fecha 18 de noviembre de 2020 se formuló propuesta de resolución,
      In compliance with the duty to communicate the appointment of the DPD by
proponiendo se sancione con apercibimiento al Ayuntamiento de Arroyomolinos con
 
NIF P2801500F, por una infracción del Artículo 37 del RGPD, tipificada en el Artículo
this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is
83.4 del RGPD.
the following information is provided: START UP, S.L. CIF B33667494
SÉPTIMO: Notificada la propuesta de resolución, el reclamado presentó escrito de
 
alegaciones en el que, en síntesis, manifestaba:
      Attached to this letter: Decree No. 2497/2020 on the award of
“PRIMERO.- Que con fecha 28 de septiembre de 2020 se adjudicó por Decreto nº
service contract and technical-economic proposal of the company Start up CDF S.L.
2497/2020 contrato de servicio de asistencia técnica para el soporte y actualización en
 
materia de seguridad de la información (ENS) y protección de datos personales
which details the content of the services to be provided".
(RGPD-LOPGDD) y Servicio de Delegado de Protección de Datos, por un periodo de
 
12 meses a la empresa Start up CDF S.L.
FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
SEGUNDO.- Se dio cumplimiento al deber de comunicación de la designación del
opening of a trial period, with the incorporation of the
DPD por este Ayuntamiento a la AEPD a tenor de lo previsto en el artículo 34.3
preliminary investigation proceedings, E/02287/2020, as well as documents
provided by the respondent on 8 October 2020.
 
 
SIXTH: A motion for resolution was tabled on 18 November 2020,
proposing to sanction the Town Hall of Arroyomolinos with a warning
NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.
 
 
SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of
allegations in which, in summary, he stated
 
"FIRST - That on September 28, 2020, it was awarded by Decree No
2497/2020 technical assistance service contract for support and updates in
 
information security (ENS) and personal data protection
(RGPD-LOPGDD) and the Data Protection Officer Service, for a period of
12 months to the company Start up CDF S.L.
 
SECOND: The duty to communicate the appointment of the
 
DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
LOPDGDD.
LOPDGDD.
TERCERO.- En la propuesta de resolución de la AEPD se indica que “En este caso
 
concreto, se ha acreditado en virtud de los documentos aportados con sus
THIRD: The proposal for a resolution of the AEPD indicates that "In this case
alegaciones al acuerdo de inicio que el reclamado ha designado Delegado de
the evidence is based on the documents provided with their
Protección de Datos: START UP, S.L. CIF B33667494.
allegations to the agreement of initiation that the respondent has appointed as Delegate of
CUARTO.- Tomando en consideración la Sentencia de la Audiencia Nacional de
 
29/11/2013, (Rec. 455/2011), Fundamento de Derecho Sexto, que sobre el
Data Protection: START UP, S.L. CIF B33667494."
apercibimiento regulado en el artículo 45.6 de la LOPD y a propósito de su naturaleza
 
jurídica advierte que “no constituye una sanción” y que se trata de “medidas
FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de
correctoras de cesación de la actividad constitutiva de la infracción” que sustituyen a la
29/11/2013, (ECR 455/2011), on the basis of the Sixth
sanción. La Sentencia entiende que el artículo 45.6 de la LOPD confiere a la AEPD
warning regulated in article 45.6 of the LOPD and regarding its nature
 
legal warns that it "does not constitute a penalty" and that these are "measures
corrective measures for the cessation of the activity constituting the infringement" replacing
sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD
 
C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
28001 Madrid sedeagpd.gob.es
28001 - Madrid sedeagpd.gob.es 3/7
3/7
 
una “potestad” diferente de la sancionadora cuyo ejercicio se condiciona a la
 
concurrencia de las especiales circunstancias descritas en el precepto. En
 
congruencia con la naturaleza atribuida al apercibimiento como una alternativa a la
 
sanción cuando, atendidas las circunstancias del caso, el sujeto de la infracción no es
 
merecedor de aquella, y considerando que el objeto del apercibimiento es la
 
imposición de medidas correctoras, la SAN citada concluye que cuando éstas ya
 
hubieran sido adoptadas, lo procedente en Derecho es acordar el archivo de las
 
actuaciones”.
a "power" different from the sanctioning power, the exercise of which is conditional on the
A la vista de todo lo actuado, por parte de la Agencia Española de Protección de Datos
concurrence of the special circumstances described in the precept. At
en el presente procedimiento se consideran hechos probados los siguientes,
congruence with the nature attributed to the warning as an alternative to
HECHOS
 
PRIMERO: El reclamado carece de la figura de delegado de protección de datos.
penalty when, in view of the circumstances of the case, the subject of the offence is not
SEGUNDO: El Ayuntamiento de Arroyomolinos, ha aportado en el presente
and considering that the object of the warning is the
procedimiento sancionador las medidas que ha adoptado, entre las mismas consta:
imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already
Contrato de servicios de asistencia técnica para el soporte y actualización en
have been adopted, it is appropriate in law to agree to the closure of the
materia de seguridad de la información (ENS) y protección de datos personales
performances".
(RGPD-LOPDGDD) y Servicio de Delegado de Protección de Datos, por un período de
 
12 meses.
 
Comunicación de la designación del Delegado de Protección de Datos: START
In view of all that has been done, by the Spanish Data Protection Agency
the following are regarded as established facts in these proceedings,
 
 
                                      FACTS
 
 
FIRST: The person claimed lacks the figure of a data protection representative.
 
SECOND: The City Council of Arroyomolinos, has contributed in the present
the measures it has taken, including the penalties it has imposed:
 
      Technical assistance service contract for support and updates in
 
information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months.
 
      Communication of the appointment of the Data Protection Officer: START
 
UP, S.L. CIF B33667494
UP, S.L. CIF B33667494
Decreto nº 2497/2020 de adjudicación de contrato de servicio y propuesta
 
técnica-económica de la empresa START UP CDF S.L.
      Decree No 2497/2020 on the award of service contracts and proposals
FUNDAMENTOS DE DERECHO
technical-economic of the company START UP CDF S.L.
I
 
En virtud de los poderes que el artículo 58.2 del RGPD reconoce a cada autoridad de
 
control, y según lo establecido en los arts. 47 y 48.1 de la LOPDGDD, la Directora de
 
la Agencia Española de Protección de Datos es competente para resolver este
                          LEGAL FOUNDATIONS
procedimiento.
 
II
                                          I
Las Administraciones públicas actúan como responsables de tratamientos de datos de
 
carácter personal y, en algunas ocasiones, ejercen funciones de encargados de
By virtue of the powers conferred on each authority in Article 58(2) of the GPRS
tratamiento, por lo que les corresponde, siguiendo el principio de responsabilidad
 
proactiva, atender las obligaciones que el RGPD detalla, entre las que se incluye, la
control, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the
obligación de nombrar a un delegado de protección de datos y comunicarlo a esta
the Spanish Data Protection Agency is competent to resolve this
procedure.
                                          II
 
 
Public administrations act as data controllers of
 
and, in some cases, they are in charge of the management of the
processing, for which they are responsible, in accordance with the principle of
proactive, to meet the obligations detailed in the RGPD, including the
obligation to appoint a data protection officer and to notify the latter of his or her
AEPD
AEPD
La obligación viene impuesta por el artículo 37 del RGPD, que indica:
 
The obligation is imposed by Article 37 of the RGPD, which states
 
C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
28001 Madrid sedeagpd.gob.es
28001 - Madrid sedeagpd.gob.es 4/7
4/7
 
“1. El responsable y el encargado del tratamiento designarán un delegado de
 
protección de datos siempre que:
 
a) el tratamiento lo lleve a cabo una autoridad u organismo público, excepto los
 
tribunales que actúen en ejercicio de su función judicial;”
 
El Articulo 37.3 y 4 del RGPD señala sobre la designación del DPD “Cuando el
 
responsable o el encargado del tratamiento sea una autoridad u organismo público, se
 
podrá designar un único delegado de protección de datos para varias de estas
 
autoridades u organismos, teniendo en cuenta su estructura organizativa y tamaño.
"1. The data controller and the processor shall appoint a delegate of
4. En casos distintos de los contemplados en el apartado 1, el responsable o el
data protection whenever:
encargado del tratamiento o las asociaciones y otros organismos que representen a
 
categorías de responsables o encargados podrán designar un delegado de protección
(a) the processing is carried out by a public authority or body, except
de datos o deberán designarlo si así lo exige el Derecho de la Unión o de los Estados
 
miembros. El delegado de protección de datos podrá actuar por cuenta de estas
courts acting in their judicial capacity
asociaciones y otros organismos que representen a responsables o encargados.”
 
La LOPDGDD determina en su artículo 34.1 y 3: ”Designación de un delegado de
Article 37.3 and 4 of the RGPD states about the designation of the DPD "When the
protección de datos “
the controller or the person responsible for the processing is a public authority or
1. Los responsables y encargados del tratamiento deberán designar un delegado de
may appoint a single data protection officer for several of these
protección de datos en los supuestos previstos en el artículo 37.1 del Reglamento
 
(UE) 2016/679 y, en todo caso, cuando se trate de las siguientes entidades:
authorities or bodies, taking into account their organisational structure and size.
3. Los responsables y encargados del tratamiento comunicarán en el plazo de diez
 
días a la Agencia Española de Protección de Datos o, en su caso, a las autoridades
4. In cases other than those referred to in paragraph 1, the person responsible or
autonómicas de protección de datos, las designaciones, nombramientos y ceses de
processing agent or associations and other bodies representing
los delegados de protección de datos tanto en los supuestos en que se encuentren
categories of managers or supervisors may appoint a delegate of protection
obligadas a su designación como en el caso en que sea voluntaria.
or must designate it if required by Union or national law
La infracción se contempla como tal en el artículo 83.4.a del RGPD que señala:”4. Las
 
infracciones de las disposiciones siguientes se sancionarán, de acuerdo con el
members. The Data Protection Officer may act on behalf of these
apartado 2, con multas administrativas de 10 000 000 EUR como máximo o,
associations and other bodies representing decision-makers or managers"
tratándose de una empresa, de una cuantía equivalente al 2 % como máximo del
 
volumen de negocio total anual global del ejercicio financiero anterior, optándose por
The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of
la de mayor cuantía:
 
a) las obligaciones del responsable y del encargado a tenor de los artículos 8, 11, 25 a
data protection "
 
1. Data controllers and processors must appoint a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:
 
3. Data controllers and processors shall communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities
 
data protection, appointments, appointments and dismissals of employees
the data protection delegates both in cases where they are
obliged to be appointed as in the case of voluntary appointment.
 
 
 
The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The
infringements of the following provisions shall be penalised in accordance with the
paragraph 2, with administrative fines of up to EUR 10 000 000 or
in the case of an enterprise, an amount equivalent to a maximum of 2 % of
total annual turnover for the previous financial year, opting for
the largest:
 
 
(a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to
39, 42 y 43;”
39, 42 y 43;”
El artículo 83.7 del RGPD indica:
 
“Sin perjuicio de los poderes correctivos de las autoridades de control en virtud del artículo 58, apartado 2, cada Estado miembro podrá establecer normas sobre si se puede, y en qué medida, imponer multas administrativas a autoridades y organismos públicos establecidos en dicho Estado miembro”
 
El artículo 58.2 del RGPD indica: “Cada autoridad de control dispondrá de todos los
Article 83.7 of the RGPD states:
 
"Without prejudice to the corrective powers of the supervisory authorities under the ar-
in accordance with Article 58(2), each Member State may lay down rules as to whether or not a
of, and to what extent, imposing administrative fines on public authorities and bodies
 
public bodies established in that Member State"
 
 
Article 58(2) of the GPRS states: "Each supervisory authority shall have all the
C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
28001 Madrid sedeagpd.gob.es
28001 - Madrid sedeagpd.gob.es 5/7
5/7
 
siguientes poderes correctivos indicados a continuación:
 
b) sancionar a todo responsable o encargado del tratamiento con apercibimiento cuando las operaciones de tratamiento hayan infringido lo dispuesto en el presente Reglamento;
 
d) ordenar al responsable o encargado del tratamiento que las operaciones de
 
tratamiento se ajusten a las disposiciones del presente Reglamento, cuando proceda,
 
de una determinada manera y dentro de un plazo especificado”.
 
En tal sentido, el artículo 77.1 c) y 2, 4 y 5 de la LOPGDD, indica:
 
1. El régimen establecido en este artículo será de aplicación a los tratamientos de los
 
que sean responsables o encargados:
the following corrective powers are indicated below:
c) La Administración General del Estado, las Administraciones de las Comunidades
 
autónomas y las entidades que integran la Administración Local.
(b) sanction any person responsible for or in charge of the processing, with a warning as to how
2 “Cuando los responsables o encargados enumerados en el apartado 1 cometiesen
if the processing operations have infringed the provisions of this Regulation, the
alguna de las infracciones a las que se refieren los artículos 72 a 74 de esta ley
mento;
orgánica, la autoridad de protección de datos que resulte competente dictará
 
resolución sancionando a las mismas con apercibimiento. La resolución establecerá
(d) order the controller or processor to carry out the processing operations
asimismo las medidas que proceda adoptar para que cese la conducta o se corrijan
treatment are in accordance with the provisions of this Regulation, where appropriate,
los efectos de la infracción que se hubiese cometido.
in a certain way and within a specified time".
La resolución se notificará al responsable o encargado del tratamiento, al órgano del
 
que dependa jerárquicamente, en su caso, y a los afectados que tuvieran la condición
 
de interesado, en su caso.
In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:
4.Se deberán comunicar a la autoridad de protección de datos las resoluciones que
 
recaigan en relación con las medidas y actuaciones a que se refieren los apartados
1. The regime established in this article shall apply to the processing of
anteriores.
who are responsible or in charge:
5.Se comunicarán al Defensor del Pueblo o, en su caso, a las instituciones análogas
 
de las comunidades autónomas las actuaciones realizadas y las resoluciones dictadas
c) The General State Administration, the Community Administrations
al amparo de este artículo.
 
III
the local authorities and the entities that make up the local administration.
El artículo 73 de la LOPDDG indica: Infracciones consideradas graves:
 
“En función de lo que establece el artículo 83.4 del Reglamento (UE) 2016/679 se
2 "Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit
consideran graves y prescribirán a los dos años las infracciones que supongan una
any of the offences referred to in articles 72 to 74 of this law
vulneración sustancial de los artículos mencionados en aquel y, en particular, las
authority shall issue an opinion on the matter
siguientes:
resolution sanctioning them with a warning. The resolution will establish
v) El incumplimiento de la obligación de designar un delegado de protección de datos
 
cuando sea exigible su nombramiento de acuerdo con el artículo 37 del Reglamento
also the measures to be taken to ensure that the conduct ceases or is corrected
(UE) 2016/679 y el artículo 34 de esta ley orgánica.”
the effects of the infringement that has been committed.
 
The decision shall be notified to the controller or processor, to the
that is hierarchically dependent, where appropriate, and to those affected who have the status
of interested party, if any."
 
 
4.The data protection authority must be informed of decisions that
be made in connection with the measures and actions referred to in paragraphs
previous.
 
5.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions
 
of the autonomous communities the actions taken and the decisions handed down
under this article."
 
 
                                            III
 
 
Article 73 of the LOPDDG states Infringements considered serious:
 
"In accordance with Article 83(4) of Regulation (EU) 2016/679, the
consider serious and will prescribe after two years any infringements involving a
substantial breach of the articles mentioned in that one, and in particular the
 
following:
 
(v) Failure to comply with the obligation to appoint a data protection representative
when his appointment is required in accordance with Article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law"
 
 
 
C/ Jorge Juan, 6 www.aepd.es
C/ Jorge Juan, 6 www.aepd.es
28001 Madrid sedeagpd.gob.es
28001 - Madrid sedeagpd.gob.es 6/7
6/7
 
Mediante escrito de alegaciones el reclamado, ha manifestado que tiene ya designado
 
Delegado de Protección de Datos.
 
Pese a ello, la Agencia Española de Protección de Datos, sanciona al reclamado con
 
una sanción de apercibimiento ya que éste debió contar con un delegado de
 
protección de datos de conformidad con lo establecido en el artículo 37 del RGPD,
 
desde el 25 de mayo de 2018, momento en el que entró en vigor el RGPD.
 
Por lo tanto, de acuerdo con la legislación aplicable y valorados los criterios de
 
graduación de las sanciones cuya existencia ha quedado acreditada, la Directora de la
By means of a statement of claim, the respondent has stated that he has already designated
Agencia Española de Protección de Datos RESUELVE:
Data Protection Delegate.
PRIMERO: IMPONER al AYUNTAMIENTO DE ARROYOMOLINOS, con NIF
 
P2801500F, por una infracción del Artículo 37 del RGPD, tipificada en el Artículo 83.4
 
del RGPD, una sanción de apercibimiento.
 
SEGUNDO: NOTIFICAR la presente resolución al AYUNTAMIENTO DE
 
In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with
a penalty of a warning, since the latter must have had a delegate from
data protection in accordance with article 37 of the RGPD,
from 25 May 2018, when the RGPD came into force.
 
 
 
 
Therefore, in accordance with the applicable legislation and assessed on the basis of
graduation of the sanctions whose existence has been accredited, the Director of
Spanish Data Protection Agency RESOLVES:
 
 
FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
P2801500F, for a violation of Article 37 of the GPRS, as defined in Article 83.4
of the RGPD, a warning sanction.
 
 
SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.
ARROYOMOLINOS.
TERCERO: COMUNICAR la presente resolución al Defensor del Pueblo, de
 
conformidad con lo establecido en el artículo 77.5 de la LOPDGDD.
THIRD: To communicate this resolution to the Ombudsman, of
De conformidad con lo establecido en el artículo 50 de la LOPDGDD, la presente
 
Resolución se hará pública una vez haya sido notificada a los interesados.
in accordance with the provisions of Article 77.5 of the LOPDGDD
Contra esta resolución, que pone fin a la vía administrativa conforme al art. 48.6 de la
 
LOPDGDD, y de acuerdo con lo establecido en el artículo 123 de la LPACAP, los
In accordance with the provisions of Article 50 of the LOPDGDD, this
interesados podrán interponer, potestativamente, recurso de reposición ante la
The decision will be made public after it has been notified to the interested parties.
Directora de la Agencia Española de Protección de Datos en el plazo de un mes a
 
contar desde el día siguiente a la notificación de esta resolución o directamente
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
recurso contencioso administrativo ante la Sala de lo Contencioso-administrativo de la
 
Audiencia Nacional, con arreglo a lo dispuesto en el artículo 25 y en el apartado 5 de
LOPDGDD, and in accordance with Article 123 of the LPACAP, the
la disposición adicional cuarta de la Ley 29/1998, de 13 de julio, reguladora de la
the interested parties may, on an optional basis, lodge an appeal for reversal with the
Jurisdicción Contencioso-administrativa, en el plazo de dos meses a contar desde el
Director of the Spanish Data Protection Agency within one month to
día siguiente a la notificación de este acto, según lo previsto en el artículo 46.1 de la
counting from the day following notification of this resolution or directly
referida Ley.
contentious-administrative appeal to the Administrative Chamber of the
Finalmente, se señala que conforme a lo previsto en el art. 90.3 a) de la LPACAP, se
 
podrá suspender cautelarmente la resolución firme en vía administrativa si el
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
interesado manifiesta su intención de interponer recurso contencioso-administrativo.
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
De ser éste el caso, el interesado deberá comunicar formalmente este hecho mediante
Contentious-Administrative Jurisdiction, within two months from
escrito dirigido a la Agencia Española de Protección de Datos, presentándolo a través
day following notification of this act, as provided for in Article 46(1) of the
del Registro Electrónico de la Agencia [https://sedeagpd.gob.es/sede-electronicaweb/], o a través de alguno de los restantes registros previstos en el art. 16.4 de la
referred to Law.
citada Ley 39/2015, de 1 de octubre. También deberá trasladar a la Agencia la
 
documentación que acredite la interposición efectiva del recurso contenciosoC/ Jorge Juan, 6 www.aepd.es
 
28001 – Madrid sedeagpd.gob.es
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is
7/7
may suspend, as a precautionary measure, the final administrative decision if the
administrativo. Si la Agencia no tuviese conocimiento de la interposición del recurso
the applicant states that he intends to bring an administrative appeal.
contencioso-administrativo en el plazo de dos meses desde el día siguiente a la
If this is the case, the interested party must formally communicate this fact by
notificación de la presente resolución, daría por finalizada la suspensión cautelar.
written to the Spanish Data Protection Agency, submitting it through
938-131120
 
Mar España Martí
from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
Directora de la Agencia Española de Protección de Datos
web/], or through any of the other registers provided for in Article 16.4 of the
C/ Jorge Juan, 6 www.aepd.es
the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the
28001 – Madrid sedeagpd.gob.es
documentation proving the effective filing of the contentious action
administrative. If the Agency is not aware that the action has been brought
 
administrative proceedings within two months of the day following the
notification of the present resolution, would terminate the precautionary suspension.
                                                                                              938-131120
Mar Spain Martí
 
Director of the Spanish Data Protection Agency
 
</pre>
</pre>

Latest revision as of 14:23, 13 December 2023

AEPD - PS/00257/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.01.2021
Fine: None
Parties: Ayuntamiento de Arroyomolinos
National Case Number/Name: PS/00257/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.

English Summary

Facts

Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).

The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.

Dispute

Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?

Holding

The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.

The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


                                                                                1/7


    Procedure No.: PS/00257/2020

                RESOLUTION OF SANCTIONING PROCEDURE


From the procedure instructed by the Spanish Data Protection Agency and based
to the following:

                                  BACKGROUND



FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
filed a complaint with the Spanish Data Protection Agency. The
claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
(hereinafter referred to as the Respondent).


       The complainant states that he received on his behalf a notification from
City Council, and it contains the data and facts that motivate the imposition
from a sanction to another person.


       On the other hand, it points out that the consistory does not have a Delegate for the Protection of
Data.

       Together with the complaint, you will provide the notification that you have been sent.


SECOND: In view of the facts denounced in the complaint and the
the documents provided by the claimant are transferred to the claimant.

       On 24 July 2020, the petitioner states: "that on 20 January
2020 the complainant was informed that on the day of notification of the Resolution there was
a computer failure, and in the notification of its procedure the body of the

resolution of the previous notification. The department proceeded to review
the notifications generated, finding none more erroneous, also
proceeded to add further revision controls on the documents generated so that
this situation will not be repeated.


       You were also informed that your data have not been transferred to third parties,
have only been used for the notification of the procedure between
claimant and this Town Hall".

THIRD: On 25 September 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate sanctioning proceedings against the respondent, with
in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"),
LPACAP), for the alleged violation of Article 37 of the GPRS, typified in Article
83.4 of the RGPD.


FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
in which he stated, in summary: "that on 28 September
2020 was awarded by Decree No 2497/2020 for technical assistance services
for information security (ENS) support and updating, and

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








protection of personal data (RGPD-LOPDGDD) and Delegate Service of
Data Protection, for a period of 12 months.


       In good time before the date of termination of the contract and having
on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders
publicly for a maximum of 4 years the Data Protection Delegate, with
the aim is for this Town Hall to have this figure permanently.

       In compliance with the duty to communicate the appointment of the DPD by

this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is
the following information is provided: START UP, S.L. CIF B33667494

       Attached to this letter: Decree No. 2497/2020 on the award of
service contract and technical-economic proposal of the company Start up CDF S.L.

which details the content of the services to be provided".

FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
opening of a trial period, with the incorporation of the
preliminary investigation proceedings, E/02287/2020, as well as documents
provided by the respondent on 8 October 2020.


SIXTH: A motion for resolution was tabled on 18 November 2020,
proposing to sanction the Town Hall of Arroyomolinos with a warning
NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.


SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of
allegations in which, in summary, he stated

"FIRST - That on September 28, 2020, it was awarded by Decree No
2497/2020 technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPGDD) and the Data Protection Officer Service, for a period of
12 months to the company Start up CDF S.L.

SECOND: The duty to communicate the appointment of the

DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
LOPDGDD.

THIRD: The proposal for a resolution of the AEPD indicates that "In this case
the evidence is based on the documents provided with their
allegations to the agreement of initiation that the respondent has appointed as Delegate of

Data Protection: START UP, S.L. CIF B33667494."

FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de
29/11/2013, (ECR 455/2011), on the basis of the Sixth
warning regulated in article 45.6 of the LOPD and regarding its nature

legal warns that it "does not constitute a penalty" and that these are "measures
corrective measures for the cessation of the activity constituting the infringement" replacing
sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/7








a "power" different from the sanctioning power, the exercise of which is conditional on the
concurrence of the special circumstances described in the precept. At
congruence with the nature attributed to the warning as an alternative to

penalty when, in view of the circumstances of the case, the subject of the offence is not
and considering that the object of the warning is the
imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already
have been adopted, it is appropriate in law to agree to the closure of the
performances".


In view of all that has been done, by the Spanish Data Protection Agency
the following are regarded as established facts in these proceedings,


                                      FACTS


FIRST: The person claimed lacks the figure of a data protection representative.

SECOND: The City Council of Arroyomolinos, has contributed in the present
the measures it has taken, including the penalties it has imposed:

       Technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months.

       Communication of the appointment of the Data Protection Officer: START

UP, S.L. CIF B33667494

       Decree No 2497/2020 on the award of service contracts and proposals
technical-economic of the company START UP CDF S.L.



                           LEGAL FOUNDATIONS

                                           I

By virtue of the powers conferred on each authority in Article 58(2) of the GPRS

control, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD, the
the Spanish Data Protection Agency is competent to resolve this
procedure.
                                           II


Public administrations act as data controllers of

and, in some cases, they are in charge of the management of the
processing, for which they are responsible, in accordance with the principle of
proactive, to meet the obligations detailed in the RGPD, including the
obligation to appoint a data protection officer and to notify the latter of his or her
AEPD

The obligation is imposed by Article 37 of the RGPD, which states

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/7








"1. The data controller and the processor shall appoint a delegate of
data protection whenever:

(a) the processing is carried out by a public authority or body, except

courts acting in their judicial capacity

Article 37.3 and 4 of the RGPD states about the designation of the DPD "When the
the controller or the person responsible for the processing is a public authority or
may appoint a single data protection officer for several of these

authorities or bodies, taking into account their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the person responsible or
processing agent or associations and other bodies representing
categories of managers or supervisors may appoint a delegate of protection
or must designate it if required by Union or national law

members. The Data Protection Officer may act on behalf of these
associations and other bodies representing decision-makers or managers"

The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of

data protection "

1. Data controllers and processors must appoint a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Data controllers and processors shall communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities

data protection, appointments, appointments and dismissals of employees
the data protection delegates both in cases where they are
obliged to be appointed as in the case of voluntary appointment.



The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The
infringements of the following provisions shall be penalised in accordance with the
paragraph 2, with administrative fines of up to EUR 10 000 000 or
in the case of an enterprise, an amount equivalent to a maximum of 2 % of
total annual turnover for the previous financial year, opting for
the largest:


(a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to
39, 42 y 43;”


Article 83.7 of the RGPD states:

"Without prejudice to the corrective powers of the supervisory authorities under the ar-
in accordance with Article 58(2), each Member State may lay down rules as to whether or not a
of, and to what extent, imposing administrative fines on public authorities and bodies

public bodies established in that Member State"


Article 58(2) of the GPRS states: "Each supervisory authority shall have all the
C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/7








the following corrective powers are indicated below:

(b) sanction any person responsible for or in charge of the processing, with a warning as to how
if the processing operations have infringed the provisions of this Regulation, the
mento;

(d) order the controller or processor to carry out the processing operations
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time".


In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPGDD, indicates:

1. The regime established in this article shall apply to the processing of
who are responsible or in charge:

c) The General State Administration, the Community Administrations

the local authorities and the entities that make up the local administration.

2 "Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit
any of the offences referred to in articles 72 to 74 of this law
authority shall issue an opinion on the matter
resolution sanctioning them with a warning. The resolution will establish

also the measures to be taken to ensure that the conduct ceases or is corrected
the effects of the infringement that has been committed.

The decision shall be notified to the controller or processor, to the
that is hierarchically dependent, where appropriate, and to those affected who have the status
of interested party, if any."


4.The data protection authority must be informed of decisions that
be made in connection with the measures and actions referred to in paragraphs
previous.

5.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions

of the autonomous communities the actions taken and the decisions handed down
under this article."


                                             III


Article 73 of the LOPDDG states Infringements considered serious:

"In accordance with Article 83(4) of Regulation (EU) 2016/679, the
consider serious and will prescribe after two years any infringements involving a
substantial breach of the articles mentioned in that one, and in particular the

following:

(v) Failure to comply with the obligation to appoint a data protection representative
when his appointment is required in accordance with Article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law"



C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/7








By means of a statement of claim, the respondent has stated that he has already designated
Data Protection Delegate.




In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with
a penalty of a warning, since the latter must have had a delegate from
data protection in accordance with article 37 of the RGPD,
from 25 May 2018, when the RGPD came into force.




Therefore, in accordance with the applicable legislation and assessed on the basis of
graduation of the sanctions whose existence has been accredited, the Director of
Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
P2801500F, for a violation of Article 37 of the GPRS, as defined in Article 83.4
of the RGPD, a warning sanction.


SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.

THIRD: To communicate this resolution to the Ombudsman, of

in accordance with the provisions of Article 77.5 of the LOPDGDD

In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with Article 123 of the LPACAP, the
the interested parties may, on an optional basis, lodge an appeal for reversal with the
Director of the Spanish Data Protection Agency within one month to
counting from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the

Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is
may suspend, as a precautionary measure, the final administrative decision if the
the applicant states that he intends to bring an administrative appeal.
If this is the case, the interested party must formally communicate this fact by
written to the Spanish Data Protection Agency, submitting it through

from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in Article 16.4 of the
the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the
documentation proving the effective filing of the contentious action
administrative. If the Agency is not aware that the action has been brought

administrative proceedings within two months of the day following the
notification of the present resolution, would terminate the precautionary suspension.
                                                                                              938-131120
Mar Spain Martí

Director of the Spanish Data Protection Agency