AEPD (Spain) - PS/00257/2020: Difference between revisions

From GDPRhub
 


The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.

==English Summary==

===Facts===
Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).

The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.

===Dispute===
Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?

===Holding===
The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.

The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.

==English Machine Translation of the Decision==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

<pre>

    Procedure No.: PS/00257/2020

                RESOLUTION OF SANCTIONING PROCEDURE

From the procedure instructed by the Spanish Data Protection Agency and based
on the following:

                                  BACKGROUND

FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
filed a complaint with the Spanish Data Protection Agency. The
claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
(hereinafter referred to as the Respondent).

      The complainant states that he received on his behalf a notification from
the City Council, and it contains the data and facts that motivate the imposition
of a sanction to another person.

      On the other hand, he points out that the consistory does not have a Delegate
for the Protection of Data.

      Together with the complaint, he provides the notification that was sent to him.

SECOND: In view of the facts denounced in the complaint and the
documents provided by the complainant, the complaint is transferred to the respondent.

      On 24 July 2020, the respondent states: "that on 20 January
2020 the complainant was informed that on the day of notification of the Resolution there was
a computer failure, and in the notification of its procedure the body of the
resolution of the previous notification. The department proceeded to review
the notifications generated, finding none more erroneous, also
proceeded to add further revision controls on the documents generated so that
this situation will not be repeated.

      He was also informed that his data have not been transferred to third parties;
they have only been used for the notification of the procedure between the
claimant and this Town Hall".

THIRD: On 25 September 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate sanctioning proceedings against the respondent,
in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
Common Administrative Procedure for Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.

FOURTH: Once the above-mentioned agreement to initiate the proceedings had been
notified, the respondent submitted a letter of allegations
in which he stated, in summary: "that on 28 September
2020 a technical assistance services contract was awarded by Decree No 2497/2020
for information security (ENS) support and updating, and

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es

protection of personal data (RGPD-LOPDGDD) and Delegate Service of
Data Protection, for a period of 12 months.

      In good time before the date of termination of the contract, and
on the basis of the work carried out by the DPD during this time, it is already
planned to call for tenders publicly, for a maximum of 4 years, for the Data
Protection Delegate, with the aim that this Town Hall has this figure permanently.

      In compliance with the duty to communicate the appointment of the DPD by
this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD,
the following information is provided: START UP, S.L. CIF B33667494

      Attached to this letter: Decree No. 2497/2020 on the award of the
service contract and technical-economic proposal of the company Start up CDF S.L.
which details the content of the services to be provided".

FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
opening of a trial period, with the incorporation of the
preliminary investigation proceedings, E/02287/2020, as well as the documents
provided by the respondent on 8 October 2020.

SIXTH: A motion for resolution was tabled on 18 November 2020,
proposing to sanction the Town Hall of Arroyomolinos, NIF P2801500F, with a
warning for an infringement of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.

SEVENTH: After notification of the motion for a resolution, the respondent
submitted a letter of allegations in which, in summary, he stated:

"FIRST - That on September 28, 2020, a technical assistance service contract for
support and updates in information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service was awarded by Decree No
2497/2020, for a period of 12 months, to the company Start up CDF S.L.

SECOND: The duty to communicate the appointment of the
DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
LOPDGDD.

THIRD: The proposal for a resolution of the AEPD indicates that "In this specific
case, it has been accredited by virtue of the documents provided with their
allegations to the agreement of initiation that the respondent has appointed as
Delegate of Data Protection: START UP, S.L. CIF B33667494."

FOURTH - Taking into consideration the Judgment of the Audiencia Nacional of
29/11/2013 (Rec. 455/2011), Sixth Legal Foundation, regarding the
warning regulated in article 45.6 of the LOPD and regarding its legal nature,
it warns that it "does not constitute a penalty" and that these are "corrective
measures for the cessation of the activity constituting the infringement" that
replace the sanction. The Decision understands that Article 45.6 of the LOPD
confers on the AEPD
a "power" different from the sanctioning power, the exercise of which is conditional
on the concurrence of the special circumstances described in the precept. In
congruence with the nature attributed to the warning as an alternative to the
sanction when, in view of the circumstances of the case, the subject of the offence
is not deserving of it, and considering that the object of the warning is the
imposition of corrective measures, the above-mentioned SAN concludes that where
these measures have already been adopted, it is appropriate in law to agree to the
closure of the proceedings".

In view of all that has been done, the Spanish Data Protection Agency regards
the following as established facts in these proceedings,

                                      FACTS

FIRST: The respondent lacks the figure of a data protection delegate.

SECOND: The City Council of Arroyomolinos has contributed in the present
sanctioning procedure the measures it has adopted, including:

      Technical assistance service contract for support and updates in
information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months.

      Communication of the appointment of the Data Protection Officer: START
UP, S.L. CIF B33667494

      Decree No 2497/2020 awarding the service contract and technical-economic
proposal of the company START UP CDF S.L.

                          LEGAL FOUNDATIONS

                                          I

By virtue of the powers that Article 58(2) of the RGPD confers on each supervisory
authority, and in accordance with the provisions of Articles 47 and 48.1 of the
LOPDGDD, the Director of the Spanish Data Protection Agency is competent to
resolve this procedure.

                                          II

Public administrations act as controllers of personal data and, on some
occasions, they perform the functions of processors, so it is for them, following
the principle of proactive responsibility, to meet the obligations detailed in the
RGPD, including the obligation to appoint a data protection officer and to
communicate it to this AEPD.

The obligation is imposed by Article 37 of the RGPD, which states:

"1. The controller and the processor shall appoint a data protection
delegate whenever:

(a) the processing is carried out by a public authority or body, except
courts acting in their judicial capacity;"

Article 37.3 and 4 of the RGPD states about the designation of the DPD: "When the
controller or the processor is a public authority or body, it
may appoint a single data protection officer for several of these
authorities or bodies, taking into account their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the controller or the
processor or the associations and other bodies representing
categories of controllers or processors may appoint a data protection officer,
or must designate one if required by Union or Member State law.
The Data Protection Officer may act on behalf of these
associations and other bodies representing controllers or processors."

The LOPDGDD determines in its article 34.1 and 3: "Designation of a data
protection delegate"

1. Data controllers and processors must appoint a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Data controllers and processors shall communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the autonomous
data protection authorities, the designations, appointments and dismissals of
the data protection delegates, both in cases where they are
obliged to appoint them and in the case where it is voluntary.

The infringement is contemplated as such in Article 83.4.a of the RGPD which states:
"4. Infringements of the following provisions shall be penalised, in accordance
with paragraph 2, with administrative fines of up to EUR 10 000 000 or,
in the case of an enterprise, an amount equivalent to a maximum of 2 % of the
total annual global turnover for the previous financial year, opting for
the largest:

(a) the obligations of the controller and of the processor under Articles 8, 11, 25 to
39, 42 and 43;"

Article 83.7 of the RGPD states:

"Without prejudice to the corrective powers of the supervisory authorities under
Article 58(2), each Member State may establish rules on whether, and to what
extent, administrative fines can be imposed on public authorities and bodies
established in that Member State."

Article 58(2) of the RGPD states: "Each supervisory authority shall have all the
following corrective powers listed below:

(b) sanction any controller or processor with a warning when the processing
operations have infringed the provisions of this Regulation;

(d) order the controller or processor to bring the processing operations
into accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time".

In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPDGDD indicates:

1. The regime established in this article shall apply to the processing of
which the following are controllers or processors:

c) The General State Administration, the Administrations of the Autonomous
Communities and the entities that make up the Local Administration.

2 "Where the controllers or processors listed in paragraph 1 commit
any of the offences referred to in articles 72 to 74 of this organic law,
the competent data protection authority shall issue a
resolution sanctioning them with a warning. The resolution will also establish
the measures to be taken to ensure that the conduct ceases or that the effects of
the infringement that has been committed are corrected.

The decision shall be notified to the controller or processor, to the body on
which it is hierarchically dependent, where appropriate, and to those affected who
have the status of interested party, if any."

4. The data protection authority must be informed of the decisions that
are made in connection with the measures and actions referred to in the previous
paragraphs.

5. The actions taken and the decisions handed down under this article shall be
communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities."

                                            III

Article 73 of the LOPDGDD states: Infringements considered serious:

"In accordance with Article 83(4) of Regulation (EU) 2016/679, infringements
involving a substantial breach of the articles mentioned therein are considered
serious and will prescribe after two years, and in particular the
following:

(v) Failure to comply with the obligation to appoint a data protection delegate
when his appointment is required in accordance with Article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law."

By means of a written statement, the respondent has stated that he has already
designated a Data Protection Delegate.

In spite of this, the Spanish Data Protection Agency sanctions the respondent with
a warning sanction, since it had to have a data protection delegate
in accordance with article 37 of the RGPD
from 25 May 2018, when the RGPD came into force.

Therefore, in accordance with the applicable legislation and having assessed the
criteria for graduation of the sanctions whose existence has been accredited, the
Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
P2801500F, for a violation of Article 37 of the RGPD, as defined in Article 83.4
of the RGPD, a warning sanction.

SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.

THIRD: To communicate this resolution to the Ombudsman,
in accordance with the provisions of Article 77.5 of the LOPDGDD.

In accordance with the provisions of Article 50 of the LOPDGDD, this
decision will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in
accordance with art. 48.6 of the LOPDGDD, and in accordance with Article 123 of
the LPACAP, the interested parties may, on an optional basis, lodge an appeal for
reversal with the Director of the Spanish Data Protection Agency within one month
counting from the day following notification of this resolution, or directly a
contentious-administrative appeal to the Contentious-Administrative Chamber of the
Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating the
Contentious-Administrative Jurisdiction, within two months from the
day following notification of this act, as provided for in Article 46(1) of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a)
of the LPACAP, the final administrative decision may be suspended, as a
precautionary measure, if the interested party states that he intends to bring a
contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact in
writing addressed to the Spanish Data Protection Agency, submitting it through
the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-web/],
or through any of the other registers provided for in Article 16.4 of
the aforementioned Law 39/2015 of 1 October. He must also transfer to the Agency the
documentation proving the effective filing of the contentious-administrative appeal.
If the Agency is not aware of the filing of the contentious-administrative appeal
within two months of the day following the
notification of the present resolution, it would terminate the precautionary suspension.

                                                                          938-131120
Mar España Martí
Director of the Spanish Agency for Data Protection
</pre>
 
C / Jorge Juan, 6 www.aepd.es
Director of the Spanish Data Protection Agency
28001 - Madrid sedeagpd.gob.es
 
</pre>

Latest revision as of 14:23, 13 December 2023

AEPD - PS/00257/2020
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 37 GDPR
LOPDGDD
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 11.01.2021
Fine: None
Parties: Ayuntamiento de Arroyomolinos
National Case Number/Name: PS/00257/2020
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: n/a

The Spanish DPA (AEPD) issued a reprimand against the Spanish municipality Ayuntamiento de Arroyomolinos for lacking a Data Protection Officer (DPO) for more than two years after the entry into force of the GDPR. This breached Article 37 GDPR.

English Summary

Facts

Ayuntamiento de Arroyomolinos was found lacking a Data Protection Officer (DPO).

The defendant has since adopted corrective measures. A DPO has been appointed pursuant to a service contract from 28.09.2020.

Dispute

Was the municipality Ayuntamiento de Arroyomolinos under the obligation to appoint a DPO?

Holding

The Spanish DPA recalled that the public administrations act as controllers for the processing of personal data and on some occasions as processors. As a result, they are subject to the GDPR and must fulfill all its obligations, including the obligation to appoint a data protection officer (Article 37 GDPR). This obligation had to be fulfilled starting from 28.05.2018, the date of entry into force of the GDPR.

The Spanish DPA issued a reprimand against Ayuntamiento de Arroyomolinos for violating Article 37 GDPR. The reprimand was issued by virtue of the power conferred by Article 58(2)(b) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.




    Procedure No.: PS/00257/2020

                RESOLUTION OF SANCTIONING PROCEDURE


From the procedure instructed by the Spanish Data Protection Agency and based
to the following:

                                  BACKGROUND



FIRST: D. A.A.A. (hereinafter the complainant) dated 20 January 2020
filed a complaint with the Spanish Data Protection Agency. The
claim is directed against the Town Hall of Arroyomolinos with NIF P2801500F
(hereinafter referred to as the Respondent).


       The complainant states that he received, addressed to him, a notification from
the City Council that contains the data and facts that motivate the imposition
of a sanction on another person.


       On the other hand, it points out that the consistory does not have a Delegate for the Protection of
Data.

       Together with the complaint, he provides the notification that was sent to him.


SECOND: In view of the facts denounced in the complaint and the
the documents provided by the claimant are transferred to the claimant.

       On 24 July 2020, the petitioner states: "that on 20 January
2020 the complainant was informed that on the day of notification of the Resolution there was
a computer failure, and in the notification of its procedure the body of the

resolution of the previous notification. The department proceeded to review
the notifications generated, finding none more erroneous, also
proceeded to add further revision controls on the documents generated so that
this situation will not be repeated.


       You were also informed that your data have not been transferred to third parties,
have only been used for the notification of the procedure between
claimant and this Town Hall".

THIRD: On 25 September 2020, the Director of the Spanish Agency

of Data Protection agreed to initiate sanctioning proceedings against the respondent, with
in accordance with Articles 63 and 64 of Law 39/2015 of 1 October on the
Common Administrative Procedure for Public Administrations (hereinafter referred to as the "Common Administrative Procedure"),
LPACAP), for the alleged violation of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.


FOURTH: Once the above-mentioned agreement to initiate the proceedings had been notified, the respondent submitted a letter of
in which he stated, in summary: "that on 28 September
2020 was awarded by Decree No 2497/2020 for technical assistance services
for information security (ENS) support and updating, and

C/ Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/7








protection of personal data (RGPD-LOPDGDD) and Delegate Service of
Data Protection, for a period of 12 months.


       In good time before the date of termination of the contract and having
on the basis of the work carried out by the DPD during this time, it is already planned to call for tenders
publicly for a maximum of 4 years the Data Protection Delegate, with
the aim is for this Town Hall to have this figure permanently.

       In compliance with the duty to communicate the appointment of the DPD by

this City Council to the AEPD in accordance with the provisions of Article 34.3 LOPDGDD, is
the following information is provided: START UP, S.L. CIF B33667494

       Attached to this letter: Decree No. 2497/2020 on the award of
service contract and technical-economic proposal of the company Start up CDF S.L.

which details the content of the services to be provided".

FIFTH: On 13 October 2020, the instructor of the procedure agreed on the
opening of a trial period, with the incorporation of the
preliminary investigation proceedings, E/02287/2020, as well as documents
provided by the respondent on 8 October 2020.


SIXTH: A motion for resolution was tabled on 18 November 2020,
proposing to sanction the Town Hall of Arroyomolinos with a warning
NIF P2801500F, for an infringement of Article 37 of the RGPD, typified in Article
83.4 of the RGPD.


SEVENTH: After notification of the motion for a resolution, the respondent submitted a letter of
allegations in which, in summary, he stated

"FIRST - That on September 28, 2020, it was awarded by Decree No
2497/2020 technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months to the company Start up CDF S.L.

SECOND: The duty to communicate the appointment of the

DPD by this City Council to the AEPD in accordance with the provisions of Article 34.3
LOPDGDD.

THIRD: The proposal for a resolution of the AEPD indicates that "In this case
the evidence is based on the documents provided with their
allegations to the agreement of initiation that the respondent has appointed as Delegate of

Data Protection: START UP, S.L. CIF B33667494."

FOURTH - Taking into consideration the Judgment of the Audiencia Nacional de
29/11/2013, (ECR 455/2011), on the basis of the Sixth
warning regulated in article 45.6 of the LOPD and regarding its nature

legal warns that it "does not constitute a penalty" and that these are "measures
corrective measures for the cessation of the activity constituting the infringement" replacing
sanction. The Decision understands that Article 45.6 of the LOPD confers on the AEPD

a "power" different from the sanctioning power, the exercise of which is conditional on the
concurrence of the special circumstances described in the precept. At
congruence with the nature attributed to the warning as an alternative to

penalty when, in view of the circumstances of the case, the subject of the offence is not
and considering that the object of the warning is the
imposition of corrective measures, the above-mentioned SAN concludes that where these measures have already
have been adopted, it is appropriate in law to agree to the closure of the
performances".


In view of all that has been done, by the Spanish Data Protection Agency
the following are regarded as established facts in these proceedings,


                                      FACTS


FIRST: The person claimed lacks the figure of a data protection representative.

SECOND: The City Council of Arroyomolinos, has contributed in the present
the measures it has taken, including the penalties it has imposed:

       Technical assistance service contract for support and updates in

information security (ENS) and personal data protection
(RGPD-LOPDGDD) and the Data Protection Officer Service, for a period of
12 months.

       Communication of the appointment of the Data Protection Officer: START

UP, S.L. CIF B33667494

       Decree No 2497/2020 on the award of service contracts and proposals
technical-economic of the company START UP CDF S.L.



                           LEGAL FOUNDATIONS

                                           I

By virtue of the powers that Article 58(2) of the RGPD confers on each supervisory
authority, and in accordance with the provisions of Articles 47 and 48.1 of the LOPDGDD,
the Spanish Data Protection Agency is competent to resolve this
procedure.
                                           II


Public administrations act as data controllers for the processing of personal data
and, in some cases, as processors. In accordance with the principle of
proactive responsibility, they must therefore meet the obligations detailed in the RGPD,
including the obligation to appoint a data protection officer and to notify the
appointment to the AEPD.

The obligation is imposed by Article 37 of the RGPD, which states

"1. The data controller and the processor shall appoint a delegate of
data protection whenever:

(a) the processing is carried out by a public authority or body, except

courts acting in their judicial capacity

Article 37.3 and 4 of the RGPD states about the designation of the DPD: "When the
controller or the processor is a public authority or body, a single data protection
officer may be appointed for several of these authorities or bodies, taking into
account their organisational structure and size.

4. In cases other than those referred to in paragraph 1, the person responsible or
processing agent or associations and other bodies representing
categories of managers or supervisors may appoint a delegate of protection
or must designate it if required by Union or national law

members. The Data Protection Officer may act on behalf of these
associations and other bodies representing decision-makers or managers"

The LOPDGDD determines in its article 34.1 and 3: "Designation of a delegate of

data protection "

1. Data controllers and processors must appoint a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:

3. Data controllers and processors shall communicate within ten
days to the Spanish Data Protection Agency or, where appropriate, to the authorities

data protection, appointments, appointments and dismissals of employees
the data protection delegates both in cases where they are
obliged to be appointed as in the case of voluntary appointment.



The infringement is contemplated as such in Article 83.4.a of the RGPD which states: "4. The
infringements of the following provisions shall be penalised in accordance with the
paragraph 2, with administrative fines of up to EUR 10 000 000 or
in the case of an enterprise, an amount equivalent to a maximum of 2 % of
total annual turnover for the previous financial year, opting for
the largest:


(a) the obligations of the person responsible and of the person appointed under Articles 8, 11, 25 to
39, 42 and 43;”


Article 83.7 of the RGPD states:

"Without prejudice to the corrective powers of the supervisory authorities under
Article 58(2), each Member State may lay down rules as to whether and to what
extent administrative fines may be imposed on public authorities and public bodies
established in that Member State"


Article 58(2) of the RGPD states: "Each supervisory authority shall have all of the
following corrective powers:

(b) sanction any person responsible for or in charge of the processing with a warning
where the processing operations have infringed the provisions of this Regulation;

(d) order the controller or processor to carry out the processing operations
treatment are in accordance with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time".


In this sense, Article 77.1 c) and 2, 4 and 5 of the LOPDGDD, indicates:

1. The regime established in this article shall apply to the processing of
who are responsible or in charge:

c) The General State Administration, the Community Administrations

the local authorities and the entities that make up the local administration.

2 "Where the persons responsible for, or in charge of, the activities listed in paragraph 1 commit
any of the offences referred to in articles 72 to 74 of this law
authority shall issue an opinion on the matter
resolution sanctioning them with a warning. The resolution will establish

also the measures to be taken to ensure that the conduct ceases or is corrected
the effects of the infringement that has been committed.

The decision shall be notified to the controller or processor, to the
that is hierarchically dependent, where appropriate, and to those affected who have the status
of interested party, if any."


4.The data protection authority must be informed of decisions that
be made in connection with the measures and actions referred to in paragraphs
previous.

5.They shall be communicated to the Ombudsman or, where appropriate, to similar institutions

of the autonomous communities the actions taken and the decisions handed down
under this article."


                                             III


Article 73 of the LOPDGDD, "Infringements considered serious", states:

"In accordance with Article 83(4) of Regulation (EU) 2016/679, infringements
involving a substantial breach of the articles mentioned therein shall be considered
serious and shall be time-barred after two years, in particular the following:

(v) Failure to comply with the obligation to appoint a data protection representative
when his appointment is required in accordance with Article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law"



By means of a statement of claim, the respondent has stated that he has already designated
Data Protection Delegate.




In spite of this, the Spanish Data Protection Agency has sanctioned the complainant with
a penalty of a warning, since the latter must have had a delegate from
data protection in accordance with article 37 of the RGPD,
from 25 May 2018, when the RGPD came into force.




Therefore, in accordance with the applicable legislation and assessed on the basis of
graduation of the sanctions whose existence has been accredited, the Director of
Spanish Data Protection Agency RESOLVES:


FIRST: IMPOSE on the ARROYOMOLINOS CITY COUNCIL, with NIF
P2801500F, for a violation of Article 37 of the RGPD, as defined in Article 83.4
of the RGPD, a warning sanction.


SECOND: TO NOTIFY this resolution to the CITY COUNCIL OF
ARROYOMOLINOS.

THIRD: To communicate this resolution to the Ombudsman, of

in accordance with the provisions of Article 77.5 of the LOPDGDD

In accordance with the provisions of Article 50 of the LOPDGDD, this
The decision will be made public after it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the

LOPDGDD, and in accordance with Article 123 of the LPACAP, the
the interested parties may, on an optional basis, lodge an appeal for reversal with the
Director of the Spanish Data Protection Agency within one month to
counting from the day following notification of this resolution or directly
contentious-administrative appeal to the Administrative Chamber of the

Audiencia Nacional, in accordance with Article 25 and paragraph 5 of
the fourth additional provision of Law 29/1998 of 13 July 1998, regulating
Contentious-Administrative Jurisdiction, within two months from
day following notification of this act, as provided for in Article 46(1) of the
referred to Law.


Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, it is
may suspend, as a precautionary measure, the final administrative decision if the
the applicant states that he intends to bring an administrative appeal.
If this is the case, the interested party must formally communicate this fact by
written to the Spanish Data Protection Agency, submitting it through

from the Agency's Electronic Register [https://sedeagpd.gob.es/sede-electronica-
web/], or through any of the other registers provided for in Article 16.4 of the
the aforementioned Law 39/2015 of 1 October. It must also transfer to the Agency the
documentation proving the effective filing of the contentious action
administrative. If the Agency is not aware that the action has been brought

administrative proceedings within two months of the day following the
notification of the present resolution, would terminate the precautionary suspension.
                                                                                              938-131120
Mar Spain Martí

Director of the Spanish Data Protection Agency